DDoS-Guard, a dodgy Russian firm that also hosts the official site for the terrorist group Hamas

"*DDoS-Guard*, a dodgy Russian firm that also hosts the official site for the terrorist group *Hamas*"

https://krebsonsecurity.com/2021/01/hamas-may-be-threat-to-8chan-qanon-onlin...

hamas.ps seems to be hosted on Sucuri ... a doggy US based firm?

On Wed, Jan 13, 2021 at 10:12 AM PP <phishphucker@storey.ovh> wrote:
> "*DDoS-Guard*, a dodgy Russian firm that also hosts the official site for the terrorist group *Hamas*"
> https://krebsonsecurity.com/2021/01/hamas-may-be-threat-to-8chan-qanon-onlin...

In message <CAO3CAMr15ZzKzEqvObchLUZ9Q8F5Xqts+9WGJy=ZbnDA0qZZGQ@mail.gmail.com>, you wrote:

> hamas.ps seems to be hosted on Sucuri ... a doggy US based firm?

According to data provided by Farsight Security, Inc. the site was formerly located at 190.115.18.139, which is indeed DDoS-Guard, up until 2020-11-12, and it was then moved to its current location, 192.124.249.13, which is indeed Sucuri.

----------------------------------------------------------
;; bailiwick: hamas.ps.
;; count: 70144
;; first seen: 2019-05-14 23:18:11 -0000
;; last seen: 2020-11-12 13:40:58 -0000
hamas.ps. IN A 190.115.18.139

;; bailiwick: hamas.ps.
;; count: 11017
;; first seen: 2020-11-12 13:45:02 -0000
;; last seen: 2021-01-12 14:21:11 -0000
hamas.ps. IN A 192.124.249.13
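
Added example, not part of the original message and not Farsight's own tooling: a small Python parser for passive-DNS records in the text layout quoted above, which orders the observations by first-seen time and reports when the A record changed. The function names are hypothetical; the input is the two records from the message.

```python
import re
from datetime import datetime

# The two records quoted in the message above, embedded so this runs offline.
RECORDS = """\
;; bailiwick: hamas.ps.
;; count: 70144
;; first seen: 2019-05-14 23:18:11 -0000
;; last seen: 2020-11-12 13:40:58 -0000
hamas.ps. IN A 190.115.18.139
;; bailiwick: hamas.ps.
;; count: 11017
;; first seen: 2020-11-12 13:45:02 -0000
;; last seen: 2021-01-12 14:21:11 -0000
hamas.ps. IN A 192.124.249.13
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S %z"

def parse_records(text):
    """Collect ';; key: value' headers and attach them to the RR line that follows."""
    records, meta = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r";;\s*([a-z ]+?):\s*(.+)$", line)
        if m:
            meta[m.group(1)] = m.group(2)
            continue
        parts = line.split(None, 3)  # owner name, class, type, rdata
        if len(parts) == 4 and not line.startswith(";"):
            name, _cls, rrtype, rdata = parts
            records.append({
                "name": name, "type": rrtype, "rdata": rdata,
                "count": int(meta["count"]),
                "first": datetime.strptime(meta["first seen"], TS_FORMAT),
                "last": datetime.strptime(meta["last seen"], TS_FORMAT),
            })
            meta = {}
    return sorted(records, key=lambda r: r["first"])

def transitions(records):
    """Return (old_rdata, new_rdata, old_last_seen, new_first_seen, gap) per change."""
    return [(old["rdata"], new["rdata"], old["last"], new["first"],
             new["first"] - old["last"])
            for old, new in zip(records, records[1:])]

if __name__ == "__main__":
    for old, new, left, arrived, gap in transitions(parse_records(RECORDS)):
        print(f"{old} -> {new}: last seen {left}, first seen {arrived} (gap {gap})")
```

The gap between the last sighting of the old address and the first sighting of the new one bounds the time of the move; the observation counts indicate how well sampled each period was.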

Looks like Parler is now using them as well:

parler.com has address 190.115.31.151

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Ronald F. Guilmette <rfg@tristatelogic.com>
Date: Wednesday, 13 January 2021 at 02:59
To: Siyuan Miao <siyuan@misaka.io>
Cc: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] DDoS-Guard, a dodgy Russian firm that also hosts the official site for the terrorist group Hamas

> In message <CAO3CAMr15ZzKzEqvObchLUZ9Q8F5Xqts+9WGJy=ZbnDA0qZZGQ@mail.gmail.com>, you wrote:
>
>> hamas.ps seems to be hosted on Sucuri ... a doggy US based firm?
>
> According to data provided by Farsight Security, Inc. the site was formerly located at 190.115.18.139, which is indeed DDoS-Guard, up until 2020-11-12, and it was then moved to its current location, 192.124.249.13, which is indeed Sucuri.
>
> ----------------------------------------------------------
> ;; bailiwick: hamas.ps.
> ;; count: 70144
> ;; first seen: 2019-05-14 23:18:11 -0000
> ;; last seen: 2020-11-12 13:40:58 -0000
> hamas.ps. IN A 190.115.18.139
>
> ;; bailiwick: hamas.ps.
> ;; count: 11017
> ;; first seen: 2020-11-12 13:45:02 -0000
> ;; last seen: 2021-01-12 14:21:11 -0000
> hamas.ps. IN A 192.124.249.13

[image: image.png]

*Rui A. S. Esteves*

On Sun, Jan 17, 2021 at 2:17 PM Michele Neylon - Blacknight via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
> Looks like Parler is now using them as well:
> parler.com has address 190.115.31.151

In message <CAO3CAMr15ZzKzEqvObchLUZ9Q8F5Xqts+9WGJy=ZbnDA0qZZGQ@mail.gmail.com>, Siyuan Miao <siyuan@misaka.io> wrote:

> hamas.ps seems to be hosted on Sucuri ... a doggy US based firm?

I bitched about this to Sucuri. They ignored me for a few days but then kicked the site from their reverse proxy service and now it is back on a Russian network again:

# ORG: (RU) ORG-FG2-RIPE "OOO FREEnet Group"
#------------------------------------------------------------------------
193.233.15.207 hamas.ps

The entire 193.233.0.0/16 block is registered to this "FREEnet Group" thing, whose contact info includes this:

address: FREEnet NOC
address: Institute of Organic Chemistry RAS
address: 47, Leninsky prospect
address: 119991 GSP-1, Moscow
address: Russia

(I can only speculate that the Institute of Organic Chemistry is probably as good a source as any for DIY homemade rocket fuel formulas.)

Meanwhile the 193.233.15.0/24 sub-block is being routed by AS42745 aka "Safe Value Limited"... allegedly of the Seychelles Islands.

I'm a bit slow on the uptake, so if someone would be so kind as to explain to me again why RIPE is in the habit of giving out AS numbers to companies located in tax & corporate secrecy havens which are themselves located in the Indian Ocean, I'd appreciate it.

Well, anyway, this outfit does have a very impressive web site. :-)

http://safevalue.pro/

Regards,
rfg

Peace,

On Thu, Jan 21, 2021, 10:39 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
> now it is back on a Russian network again:
> # ORG: (RU) ORG-FG2-RIPE "OOO FREEnet Group"

Ronald, as you correctly mention later in the message, the 15.0/24 block was probably leased away _long_ ago (as we assume that a research institute hardly needs /16 IPv4 to operate).

> Meanwhile the 193.233.15.0/24 sub-block is being routed by AS42745
> aka "Safe Value Limited"

The only provider for the latter being Voxility Inc., California, USA.

https://radar.qrator.net/as42745/providers#startDate=2020-10-21&endDate=2021-01-21&tab=current

I guess you'd need to repeat your feat once again, now again with an American company :-)

--
Töma

Peace,

On Thu, Jan 21, 2021, 11:07 AM Töma Gavrichenkov <ximaera@gmail.com> wrote:
>> Meanwhile the 193.233.15.0/24 sub-block is being routed by AS42745
>> aka "Safe Value Limited"
>
> The only provider for the latter being Voxility Inc., California, USA.
> https://radar.qrator.net/as42745/providers#startDate=2020-10-21&endDate=2021-01-21&tab=current

Correcting myself: on second thought, the AS in question also maintains a complicated relationship with Stormwall s.r.o. (Slovakia) and may also get Internet access from there.

https://radar.qrator.net/as42745/unspecified#startDate=2020-10-21&endDate=2021-01-21&tab=current

--
Töma

participants (6)
- Michele Neylon - Blacknight
- PP
- Ronald F. Guilmette
- Rui André
- Siyuan Miao
- Töma Gavrichenkov