Tuesday, January 12, 2010

Iranian Cyber Army returns - target: Baidu.com

Many Americans are not familiar with Baidu, but in China it's the word people say where we would say Google. Baidu is a Chinese search engine that commands a powerful 60% of the marketplace. And this morning, its website looked like this:



The white line of Persian text on the website is a statement that reads:

« ارتش سایبری ایران در اعتراض به دخالت های سايتهاي بيگانه و صهیونیستی در امور داخلی کشورمان و پخش اخبار دروغ و تفرقه برانگیز راه اندازي شده است


Google Translate (with a little word reordering to preserve meaning) renders that as:

Army of cyber-sites has been established to protest intervention in the internal affairs of our country and broadcast of false and divisive news by Foreigners and Israel.

A closer reading of the Persian is: "The Iranian Cyber Army has been established in protest against the interference of foreign and Zionist sites in our country's internal affairs and their broadcasting of false and divisive news." (Google turns "Iranian Cyber Army" into "Army of cyber-sites" and "Zionist" into "Israel".)


We first heard of the Iranian Cyber Army on December 18th, when they hit Twitter with an almost identical attack. We documented that attack in our story Who Is the Iranian Cyber Army?.

In today's attack, the nameserver records for baidu.com were redirected to a small network that caters to "warez" and various piracy and pornography servers. The host (glue) records for ns1.baidu.com, ns2.baidu.com, and ns3.baidu.com were changed so that all three pointed at 188.95.49.6, which meant every resolver following the baidu.com delegation ended up asking a server the attackers controlled. These new "unofficial" nameservers answered with a wildcard record that resolved every name under baidu.com to that same IP address, 188.95.49.6.

Later in the morning, that IP address shifted to 188.95.49.19, which is the address that is live as of this writing.

Click the image below to see the full unedited version of the original graphic that was posted on the server:


(the original file was named "-1-2.jpg")
(The EXIF data indicates that the file was saved using Adobe Photoshop CS4 Windows on December 27, 2009 at 1:41:44 PM.)

There were also two VERY interesting email addresses on the page:

Soldier@CyberArmyOfIran.com
and
Soldier@IRCArmy.com

The website "cyberarmyofiran.com" is hosted on the Canadian IP address 70.35.29.162, which belongs to "Netfirms Inc".

Registrant:
Domain Privacy Group, Inc.
c/o cyberarmyofiran.com,
7030 Woodbine Ave. Suite 800
Markham, ON L3R 6G2
CA

Domain name: cyberarmyofiran.com

Administrative Contact:
Domain Privacy Group, Inc. privacy635948@domainprivacygroup.com
c/o cyberarmyofiran.com,
7030 Woodbine Ave. Suite 800
Markham, ON L3R 6G2
CA
Fax:

Technical Contact:
Domain Privacy Group, Inc. privacy635948@domainprivacygroup.com
c/o cyberarmyofiran.com,
7030 Woodbine Ave. Suite 800
Markham, ON L3R 6G2
CA
Fax:

Registrar of Record: Netfirms Inc.
Record expires on 2010-12-31.
Record created on 2009-12-31.
Database last updated on 2010-01-12 06:51:32.

The website "ircarmy.com" is hosted on US IP address 98.136.50.138, which belongs to Yahoo! (and is currently using a Yahoo! Nameserver)

Domain Name.......... ircarmy.com
Creation Date........ 2009-12-31
Registration Date.... 2009-12-31
Expiry Date.......... 2010-12-31
Organisation Name.... Iranian Army
Organisation Address. PO Box 61359
Organisation Address.
Organisation Address. Sunnyvale
Organisation Address. 94088
Organisation Address. CA
Organisation Address. US

Admin Name........... Admin PrivateRegContact
Admin Address........ PO Box 61359
Admin Address........
Admin Address........ Sunnyvale
Admin Address........ 94088
Admin Address........ CA
Admin Address........ US
Admin Email.......... contact@myprivateregistration.com
Admin Phone.......... +1.5105952002
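Both WHOIS records above share the two facts a practitioner cares about in an incident like this: the domains were registered on the same day, less than two weeks before the attack, and both hide the registrant behind a privacy service. The parser below is an added example, not part of the original post or of any tool it mentions. It reads the two WHOIS layouts quoted above (the Netfirms "Record created on" style and the dotted "Creation Date........" style), then computes the domain's age on the day of the attack and flags privacy-proxy registrations. The sample records are copied from the post; the list of privacy-proxy marker strings is an assumption, and real WHOIS output varies enough by registrar that the field patterns will need extending.

```python
"""Parse the two WHOIS output styles quoted in the post and triage the result.

Added example: the records below are copied from the post, the marker list
used to spot privacy-proxy registrations is an assumption, and the field
patterns only cover the two layouts shown here.
"""
import re
from datetime import date

ATTACK_DATE = "2010-01-12"  # the day of the Baidu redirect

# Copied from the Netfirms-style record quoted in the post.
CYBERARMYOFIRAN_WHOIS = """\
Registrant:
Domain Privacy Group, Inc.
c/o cyberarmyofiran.com,
7030 Woodbine Ave. Suite 800
Markham, ON L3R 6G2
CA

Domain name: cyberarmyofiran.com

Administrative Contact:
Domain Privacy Group, Inc. privacy635948@domainprivacygroup.com
Technical Contact:
Domain Privacy Group, Inc. privacy635948@domainprivacygroup.com

Registrar of Record: Netfirms Inc.
Record expires on 2010-12-31.
Record created on 2009-12-31.
Database last updated on 2010-01-12 06:51:32.
"""

# Copied from the dotted-style record quoted in the post.
IRCARMY_WHOIS = """\
Domain Name.......... ircarmy.com
Creation Date........ 2009-12-31
Registration Date.... 2009-12-31
Expiry Date.......... 2010-12-31
Organisation Name.... Iranian Army
Organisation Address. PO Box 61359
Organisation Address. Sunnyvale
Admin Name........... Admin PrivateRegContact
Admin Email.......... contact@myprivateregistration.com
Admin Phone.......... +1.5105952002
"""

# Assumption: substrings that mark a proxy/privacy registration rather than a real registrant.
PRIVACY_MARKERS = ("privacy", "privateregistration", "privateregcontact", "proxy", "whoisguard")

# One pattern per field, written to accept both "Label: value" and "Label...... value".
_FIELDS = {
    "domain":       r"^Domain\s+Name[. \t]*:?[ \t]*(\S+)",
    "created":      r"^(?:Record created on|Creation Date)[. \t]*:?[ \t]*(\d{4}-\d{2}-\d{2})",
    "expires":      r"^(?:Record expires on|Expiry Date)[. \t]*:?[ \t]*(\d{4}-\d{2}-\d{2})",
    "registrar":    r"^Registrar of Record:[ \t]*(.+?)[ \t]*$",
    "organisation": r"^Organisation Name[. \t]*:?[ \t]*(.+?)[ \t]*$",
}
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois(text):
    """Return a dict of the fields above plus all e-mail addresses and a privacy-proxy flag."""
    rec = {}
    for key, pattern in _FIELDS.items():
        m = re.search(pattern, text, re.M | re.I)
        rec[key] = m.group(1).strip() if m else None
    rec["emails"] = sorted(set(_EMAIL.findall(text)))
    lowered = text.lower()
    rec["privacy_proxy"] = any(marker in lowered for marker in PRIVACY_MARKERS)
    return rec


def age_at(rec, when_iso):
    """Days between the registration date and the given ISO date; None if no creation date parsed."""
    if not rec["created"]:
        return None
    return (date.fromisoformat(when_iso) - date.fromisoformat(rec["created"])).days


def triage(rec, when_iso, fresh_days=30):
    """Human-readable flags: freshly registered and/or hidden behind a privacy service."""
    flags = []
    age = age_at(rec, when_iso)
    if age is not None and age < fresh_days:
        flags.append(f"registered {age} days before {when_iso}")
    if rec["privacy_proxy"]:
        flags.append("registrant hidden behind a privacy/proxy service")
    return flags


if __name__ == "__main__":
    for raw in (CYBERARMYOFIRAN_WHOIS, IRCARMY_WHOIS):
        rec = parse_whois(raw)
        print(rec["domain"], rec["created"], rec["registrar"], rec["emails"])
        for flag in triage(rec, ATTACK_DATE):
            print("  -", flag)
```

Run on the two records, both come out as twelve-day-old privacy-proxied domains, which is the signature of throwaway infrastructure set up for a specific operation rather than a long-lived presence.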
Admin Fax............

That first IP address for today's redirect, 188.95.49.6, resolved such names as:

www.baidu.com
proxy.baidu.com
news.baidu.com
passport.baidu.com
post.baidu.com
utility.baidu.com
video.baidu.com
cpro.baidu.com
map.baidu.com
spaces.baidu.com
zhidao.baidu.com

In fact, every name under baidu.com temporarily resolved to this IP address, because of the wildcard record on the rogue nameservers.
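The redirected nameserver records described earlier and the wildcard resolution listed above are both things a monitoring job can catch from the outside: the glue addresses for your own NS hostnames suddenly sit in a netblock you do not own, a random label that has never existed gets an answer, and every hostname in the zone collapses to one address. The checks below are an added example, not part of the original post or of any tool it mentions. They run over snapshots constructed from the addresses quoted in the post (in practice the snapshot would be filled from the output of a resolver query); the 203.0.113.0/24 "expected" netblock is a placeholder for the zone owner's real nameserver ranges, and the fixed probe label stands in for the random one wildcard_probe_name() generates.

```python
"""Indicator checks for the DNS delegation hijack described in the post.

Added example. The snapshots are constructed from the addresses the post
quotes; EXPECTED_NS_NETS is a placeholder (RFC 5737 documentation range),
not the zone owner's real allocation.
"""
import ipaddress
import secrets

# Assumption: netblocks the legitimate nameservers are supposed to live in.
EXPECTED_NS_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Fixed probe label so the snapshots are reproducible; real runs use wildcard_probe_name().
PROBE = "wc-7f3a9c1d2e5b.baidu.com"


def wildcard_probe_name(zone):
    """A random label that should never exist; if it resolves, the zone is wildcarded."""
    return f"wc-{secrets.token_hex(6)}.{zone}"


def rogue_nameservers(ns_glue, expected_nets=EXPECTED_NS_NETS):
    """Map NS hostname -> glue address for every nameserver outside the expected netblocks."""
    rogue = {}
    for ns_name, addrs in ns_glue.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in expected_nets):
                rogue[ns_name] = addr
    return rogue


def wildcard_detected(a_records, probe):
    """True when the never-registered probe label gets any answer instead of NXDOMAIN."""
    return bool(a_records.get(probe))


def single_sink(a_records):
    """The one address every answered hostname resolves to, or None when answers differ."""
    addrs = {addr for hosts in a_records.values() for addr in hosts}
    return addrs.pop() if len(addrs) == 1 else None


def assess(snapshot, probe, expected_nets=EXPECTED_NS_NETS):
    """Collect the three hijack indicators from one resolution snapshot."""
    findings = {}
    rogue = rogue_nameservers(snapshot["ns_glue"], expected_nets)
    if rogue:
        findings["rogue_ns"] = rogue
    if wildcard_detected(snapshot["a_records"], probe):
        findings["wildcard"] = sorted(snapshot["a_records"][probe])
    sink = single_sink(snapshot["a_records"])
    if sink:
        findings["single_sink"] = sink
    return findings


def _snapshot(ns_ip, host_ips):
    """Build a constructed snapshot; an empty list means the name returned NXDOMAIN."""
    return {
        "ns_glue": {f"ns{i}.baidu.com": [ns_ip] for i in (1, 2, 3)},
        "a_records": host_ips,
    }

# Constructed from the post: every NS glue and every hostname pointed at the sink.
HIJACKED_MORNING = _snapshot("188.95.49.6", {
    "www.baidu.com": ["188.95.49.6"], "news.baidu.com": ["188.95.49.6"],
    "passport.baidu.com": ["188.95.49.6"], "map.baidu.com": ["188.95.49.6"],
    PROBE: ["188.95.49.6"],
})
# Later in the morning the sink address moved.
HIJACKED_LATER = _snapshot("188.95.49.19", {
    "www.baidu.com": ["188.95.49.19"], "news.baidu.com": ["188.95.49.19"],
    PROBE: ["188.95.49.19"],
})
# Healthy baseline (placeholder addresses): NS inside the expected net, probe is NXDOMAIN.
CLEAN = _snapshot("203.0.113.10", {
    "www.baidu.com": ["203.0.113.80"], "news.baidu.com": ["203.0.113.81"],
    PROBE: [],
})

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN), ("morning", HIJACKED_MORNING), ("later", HIJACKED_LATER)):
        print(label, assess(snap, PROBE))
```

The probe label is the piece most often left out of monitoring: without it a wildcard hijack that happens to keep the real hostnames' answers plausible is invisible, whereas a label nobody ever created should only ever produce NXDOMAIN. In a live job the snapshot would be built by querying the parent zone's servers directly for the NS and glue records rather than trusting a recursive resolver's cache.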

What is that IP address normally used for? When I try a reverse resolution on that IP, it tells me the server's name is "pink2.warez-host.com".

That server normally hosts websites such as:

wamboload.org
greateamwarez.pl
xtrem-360.com
shugalclub.com
xtreme-load.com
thewarezlife.com
ddlhentai.com
ewddl.com
warezdream.com
dxdforum.com
warez-host.com
blue.warez-host.com
linkpex.com
housebeats.in
scriptzsector.ws
pirate-club.net
wawa-mania.eu
demon-board.eu
iklotz.ru
0daymusic.biz

So what do we know about WarezHost? Here's what their website says about themselves:



Warez-Host is a privately-owned organization located in Dubai, UAE. At Warez-Host, we understand that our customers' web sites are important and they require reliable services to ensure that service is not interrupted. We have established a solid foundation to offer a reliable, easy to use and low cost web hosting solution for small-to-large sized businesses and helping thousands of customers get their web sites online.

Our goal is to provide a low-cost web hosting solution that is easy-to-use, and is customer service oriented. At Warez-Host, we value our customers and recognize their need for quality service and outstanding customer service.

Warez-Host web hosting is the perfect choice for all of your web hosting needs, our datacenters located in Netherlands, IRAN and Germany.




The Dedicated Server pages for each data center explain what types of content you can host on their servers. For example, it's OK to host stolen software and movies ("warez") in all three locations, but the Iranian Data Center list (shown below) makes it clear you can't host pornography in Iran, although you can in their German and Netherlands-based data centers.



So, if someone wants to get to the bottom of who hacked Baidu, all they have to do is slap a subpoena on the UAE-based company's Iranian data center manager to see who owns this dedicated server and get the logs from it.

Yeah. Good luck with that.

More badness from "warez-host.com" servers:

0daymusic.biz
3rabwarez.com
70sshowonline.com
A1source.us
Alibablog.com
Allokamas.com
Allo-kamas.net
Alternatedown.com
Appfuzion.com
Aspecialtimetoremember.com
Bdwarez.info
Bestindo.us
Blogfigo.com
Bloodordie.com
Brif.net
Cumsafaci.com
Darkantiviruses.org
Ddlfree.com
Ddlhentai.com
Demon-board.eu
Devilstreaming.com
Diplomworld.com
Diplomworld.ru
Dll-404.com
D-moviez.com
Downloaderz.net
Dragon91.com
Dreadfulappz.com
Dxdforum.com
Dzson.com
Endees.com
Enjoywarez.org
Enz.ir
Ewddl.com
Extreme-load.com
Fbghana.com
Figyelo.net
Firstwarez.pl
Freefile.ir
Freemoviewizard.com
Ftaonline.org
Futurewarez.com
Gamehaxerz.com
Geejee.us
Geewee.eu
Get-connection.info
Gormiz.com
Gp-studios.info
Gstonerz.com
Hdppv.net
Hotfilmvn.net
Hot-uploads.com
Housebeats.in
Iklotz.com
Iklotz.ru
Indianddl.info
Insidernet.com
Italywarez.net
Linkbucks.in
Linkpex.com
Linkxpic.com
Live-desi.com
Magazinesbay.com
Marvisatechnology.com
Mastworld.net
Mediaanime.info
Megauploadparadise.com
Mexicowarez.com
Minitech.ws
Mobile1.ir
Montamela.net
Morehtamilsangam.com
Movie-at-home.com
Neopetstuff.com
Neopetstuff.net
Netspond.com
New-connection.info
No2pc.com
Nop-licite.us
Now-connection.info
Operationwolf.net
Parsikade.ir
Pejaforum.net
Persianmember.com
Persianmember.ir
Pirate-club.net
Piratemonster.com
Porn-down.com
Projectannihilation.org
Qpv8.ir
Rapid4all.org
Resell-host.biz
Rivea.org
Sataplu.com
Scriptzsector.ws
Search-ddl.com
Secured-webhosting.com
Seekwarez.com
Seheri-bb.com
Seo-shop.info
Sharing-rapidshare.com
Sharing-rapidshares.com
Shugalclub.com
Simoali.com
Sonicviewbrasil.net
Sportzkrieg.com
Streamdvd.net
Superpartage.com
Tagmite.com
Tamilsangammoreh.com
Tehwarez.com
Tensaibux.com
Tensaidownloader.com
Theentertainmentcore.com
Theforcestrikes.com
Thewarezlife.com
Tsontakias.org
Ultimate-porn.us
Ultrafull.com
Untiempopararecordar.com
Upload4u.ir
Uptaze.com
Wamboload.org
Warez.ir
Warez-design.com
Warezdream.com
Warezground.org
Warez-help.org
Warez-host.com
Warez-host.net
Warezisland.com
Warezlegacy.com
Warez-life.com
Warezmarket.net
Warezs.net
Warez-share.net
Warez-zz.com
Warwealth.com
Watch-free-episodes-online.org
Wawa-mania.eu
Whatsupearl.com
Woodbumgfx.com
Xfresh.us
Xtreme-load.com
You-down.com
Zojesalem.com
