cia-2010-covert-communication-websites.bigb
= CIA 2010 covert communication websites
{c}
{title2=Iran, China}
{tag=Ciro Santilli's naughty projects}
{tag=Ciro Santilli's data projects}
{tag=Open-source intelligence}
{tag=Digital preservation}
{scope}
This article is about <cutout (espionage)>[covert agent communication channel] websites used by the <CIA> in many countries from the late 2000s until the early 2010s, when they were uncovered by <counter Intelligence> of the targeted countries circa 2011-2013. This discovery led to the imprisonment and execution of several assets in <Iran> and <China>, and subsequent shutdown of the channel.
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/CIA_Star_Wars_website_promo.jpg]
{height=700}
\Video[https://www.youtube.com/watch?v=QWL7l-5r1a4]
{title=How I found a <Star Wars> website made by the <CIA> by <Ciro Santilli>}
{description=Slightly edited VOD of the talk <Aratu Week 2024 Talk by Ciro Santilli>.}
{height=600}
The existence of such websites was first reported in November 2018 by Yahoo News: https://www.yahoo.com/video/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html[].
Previous whispers had been heard in 2017 but without clear mention of websites: https://www.nytimes.com/2017/05/20/world/asia/china-cia-spies-espionage.html[]:
> Some were convinced that a mole within the C.I.A. had betrayed the United States. Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources. Years later, that debate remains unresolved.
\[...\]
From the final weeks of 2010 through the end of 2012, \[...\] the Chinese killed at least a dozen of the <CIA>[C.I.A.]’s sources. \[...\] One was shot in front of his colleagues in the courtyard of a government building — a message to others who might have been working for the C.I.A.
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/Yahoo_CIA_website_article.png]
{height=900}
Then in September 2022 a few specific websites were finally reported by Reuters: https://www.reuters.com/investigates/special-report/usa-spies-iran/[], henceforth known only as "the <Reuters article>" in this article.
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/Reuters_CIA_website_article_banner.jpg]
{height=800}
{title=Banner of the <Reuters article>}
{source=https://www.reuters.com/investigates/special-report/usa-spies-iran/}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/www.reuters.com_investigates_special-report_usa-spies-iran_applet_reconstruction.jpg]
{title=Reuters reconstruction of what the applet would have looked like}
{height=850}
{source=https://www.reuters.com/investigates/special-report/usa-spies-iran/}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/Reuters_CIA_website_article_image_urls_arrow.jpg]
{title=Inspecting the <Reuters article> HTML source code}
{description=The <Reuters article> only gave one URL explicitly: <iraniangoals.com>. But most others could be found by inspecting the HTML of the screenshots provided, except for <Searching for Carson>[the Carson website].}
{source=https://www.reuters.com/investigates/special-report/usa-spies-iran/}
{height=600}
<Ciro Santilli> heard about the 2018 article around 2020 while <Ciro Santilli's campaign for freedom of speech in China>[studying for his China campaign] because the websites had been used to take down the CIA network in China. He even asked on <Quora>: https://www.quora.com/What-were-some-examples-of-the-websites-that-the-CIA-used-around-2010-as-a-communication-mechanism-for-its-spies-in-China-and-Iran-but-were-later-found-and-used-to-take-down-their-spy-networks[] but there were no publicly known domains at the time to serve as a starting point. https://www.quora.com/profile/Chris-2110[Chris, Electrical Engineer and former Avionics Tech in the US Navy], even replied suggesting that obviously the <CIA> is so competent that it would never ever have its sites leaked like that:
\Q[Seriously a dumb question.]
So when <Ciro Santilli> heard about the 2022 article almost a year after publication, and being a <ourbigbook.com>[half-arsed web developer himself], he <Ciro Santilli's naughty projects>[knew he had to try] and find some of the domains himself using the newly available information! It was an irresistible real-life <capture the flag (cybersecurity)>. The thing is, everyone who has ever developed a website knows that its <attack surface> is about the <Size of Texas meme>[size of Texas], and the potential for <fingerprinting (cybersecurity)> is off the charts with so many bits and pieces sticking out. Chris, get fucked.
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/CIA_2010_site_Quora_question_and_Chris_answer.png]
{title="Seriously a dumb question" <Quora> answer by Chris from the <US Navy>}
{height=550}
{source=https://www.quora.com/What-were-some-examples-of-the-websites-that-the-CIA-used-around-2010-as-a-communication-mechanism-for-its-spies-in-China-and-Iran-but-were-later-found-and-used-to-take-down-their-spy-networks/answer/Chris-2110}
In particular, it is fun to have such clear examples, visible to anyone, of the <USA spying on its own allies> in the form of <Wayback Machine> archives.
Given that it was reported that there were "more than 350" such websites, it would be really cool if we could uncover more of those websites ourselves beyond the 9 domains reported by Reuters!
This article documents the list of extremely likely candidates Ciro has found so far, mostly using:
* rudimentary IP range search on https://viewdns.info[] starting from the websites reported by Reuters
* heuristic search for keywords in domains of the <2013 DNS Census> plus <Wayback Machine CDX scanning>
More details on methods also follow. It is still far from the https://citizenlab.ca/2022/09/statement-on-the-fatal-flaws-found-in-a-defunct-cia-covert-communications-system/[885 websites reported by Citizen Lab], so there must be key techniques missing. But the fact that there are no <Google Search> hits for the domains or IPs (except in bulk e.g. in <expired domain trackers>) indicates that these might not have been previously clearly publicly disclosed.
If anyone can find others, or has better techniques: <contact>{full}. The techniques used so far have been very heuristic, and that added to the limited amount of data makes it almost certain that several <IP range search>[IP ranges] have been missed. There are two types of contributions that would be possible:
* finding new IP ranges: harder, more exciting, and potentially requires more intelligence
* better IP to domain name databases to <Find missing hits in IP ranges>[fill in known gaps in existing IP ranges]
Perhaps the current heuristically obtained data can serve as a good starting point for a more data-oriented search that will eventually find a valuable fingerprint which brings the entire network out.
Disclaimer: the network fell in 2013, followed by fully public disclosures in 2018 and 2022, so we believe it is now more than safe for the public to know what can still be uncovered about the events that took place. The main author's political bias is <Ciro Santilli's campaign for freedom of speech in China>[strongly pro-democracy and anti-dictatorship].
May this list serve as a tribute to those who spent their days making, using, and uncovering these websites under the shadows.
If you want to go into one of the best <OSINT> <capture the flag (cybersecurity)>[CTFs] of your life, stop reading now and see how many Web Archives you can find starting only from the <Reuters article> as Ciro did. Some guidelines:
* there was no ultra-clean fingerprint found yet. Some intuitive and somewhat guessy data analysis was needed. But when you clean the data correctly and make good guesses, many hits follow, it feels so good
* nothing was paid for data. But using cybercafe <Wifi>'s for a few extra IPs may help.
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/viewdns.info_activegameinfo.com_domain_to_IP_arrow.png]
{title=<viewdns.info> `activegameinfo.com` domain to IP}
{source=https://viewdns.info/iphistory/?domain=activegaminginfo.com}
{height=550}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/viewdns.info_aroundthemiddleeast.com_IP_to_domain_arrow.png]
{title=<viewdns.info> `aroundthemiddleeast.com` IP to domain}
{source=https://viewdns.info/reverseip/?host=66.175.106.140&t=1}
{height=550}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/dnscensus2013.neocities.org.png]
{title=<DNS Census 2013> website}
{description=This source provided valuable historical domain to IP data. It was likely extracted with an illegal <botnet>. Data excerpt from the CSVs:
``
amazon.com,2012-02-01T21:33:36,72.21.194.1
amazon.com,2012-02-01T21:33:36,72.21.211.176
amazon.com,2013-10-02T19:03:39,72.21.194.212
amazon.com,2013-10-02T19:03:39,72.21.215.232
amazon.com.au,2012-02-10T08:03:38,207.171.166.22
amazon.com.au,2012-02-10T08:03:38,72.21.206.80
google.com,2012-01-28T05:33:40,74.125.159.103
google.com,2012-01-28T05:33:40,74.125.159.104
google.com,2013-10-02T19:02:35,74.125.239.41
google.com,2013-10-02T19:02:35,74.125.239.46
``
}
{source=https://dnscensus2013.neocities.org/}
{height=574}
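The IP range search described above, sketched as an added example (not code from this project): it indexes rows in the `domain,timestamp,ip` format of the DNS Census excerpt and walks the addresses around a known hit, separating candidate neighbours, shared-hosting noise and gaps still to be filled from other IP-to-domain sources. The sample rows, the `.example` domains, the documentation-range IPs, and the `radius` and `max_domains_per_ip` thresholds are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows in the `domain,timestamp,ip` layout of the excerpt.
# Domains are reserved .example names and IPs come from documentation ranges.
SAMPLE_CSV = """\
seed-sports.example,2012-02-01T21:33:36,192.0.2.10
daily-golf.example,2012-02-01T21:40:02,192.0.2.11
world-feeds.example,2012-02-02T08:15:00,192.0.2.13
world-feeds.example,2013-10-02T19:03:39,192.0.2.13
shop-a.example,2012-02-02T09:00:00,192.0.2.14
shop-b.example,2012-02-02T09:00:01,192.0.2.14
shop-c.example,2012-02-02T09:00:02,192.0.2.14
shop-d.example,2012-02-02T09:00:03,192.0.2.14
far-away.example,2012-02-05T12:00:00,198.51.100.7
broken-row.example,2012-02-05T12:00:00,not-an-ip
"""


def load_index(text):
    """Build an IP -> {domains} index, dropping malformed rows."""
    index = defaultdict(set)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue
        domain, _timestamp, ip_text = row
        try:
            ip = ipaddress.IPv4Address(ip_text.strip())
        except ipaddress.AddressValueError:
            continue  # garbage in the address column
        # The same domain/IP pair can appear at several timestamps: dedupe.
        index[ip].add(domain.strip().lower())
    return index


def neighbours(index, seed_ip, radius=4, max_domains_per_ip=3):
    """Classify every address within `radius` of a known hit.

    hits:   addresses hosting few domains, worth a manual archive check
    shared: addresses hosting many domains (virtual hosting), mostly noise
    gaps:   addresses with no known domain, to fill from other datasets
    """
    seed = int(ipaddress.IPv4Address(seed_ip))
    result = {"hits": [], "shared": [], "gaps": []}
    for value in range(seed - radius, seed + radius + 1):
        if not 0 <= value <= 0xFFFFFFFF:
            continue  # fell off either end of the IPv4 space
        ip = ipaddress.IPv4Address(value)
        domains = index.get(ip)
        if not domains:
            result["gaps"].append(str(ip))
        elif len(domains) > max_domains_per_ip:
            result["shared"].append(str(ip))
        else:
            result["hits"].append((str(ip), sorted(domains)))
    return result


if __name__ == "__main__":
    report = neighbours(load_index(SAMPLE_CSV), "192.0.2.10")
    for ip, domains in report["hits"]:
        print(ip, ", ".join(domains))
    print("shared hosting:", report["shared"])
    print("gaps:", report["gaps"])
```

Each neighbour this surfaces is only a candidate: the hit criteria used for the list of websites still require a Wayback Machine archive and a known communication mechanism.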
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-website-comms-methods.png]
{title=The four <communication mechanisms> used by the CIA websites}
{description=<Java> Applets, <Adobe Flash>, <JavaScript> and <HTTPS>}
{height=800}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/github.com_cirosantilli_expired-domain-names-by-day-2011.png]
{title=Expired domain names by day 2011}
{description=The scraping of <expired domain trackers> to Github was one of the positive outcomes of this project.}
{source=https://github.com/cirosantilli/expired-domain-names-by-day-2011}
{height=850}
\Video[https://www.youtube.com/watch?v=uh_q02eefFM]
{title=Compromised Comms by Darknet Diaries (2023)}
{description=
It was the <YouTube> suggestion for this video that made <Ciro Santilli> aware of the <Reuters article> almost one year after its publication, which kickstarted his research on the topic.
Full podcast transcript: https://darknetdiaries.com/transcript/75/
}
= Results
{parent=CIA 2010 covert communication websites}
= Selected screenshots
{parent=Results}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/starwarsweb.net.jpg]
{title=2010 <Wayback Machine> archive of https://web.archive.org/web/20101230033220/http://starwarsweb.net/[starwarsweb.net]}
{description=
The <Star Wars> one. Clearly branded websites like this are rare, which makes finding them all the more fun. The <Reuters article> had two of them (<Searching for Carson>[Carson] and rastadirect.net), so these were probably manually selected from the full hit dataset, and did not serve specifically as entry points. Most of the websites are quite boring and forgettable as you'd expect.
The subtitle "Beyond The Unknown" may be a reference to the https://starwars.fandom.com/wiki/Unknown_Regions[Unknown Regions] in the Star Wars fictional universe.
}
{height=1400}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/iranfootballsource.com.jpg]
{title=2011 <Wayback Machine> archive of https://web.archive.org/web/20110202091611/http://iranfootballsource.com/[iranfootballsource.com]}
{description=The third Iranian football one on top of the two other <The Reuters websites>[published by Reuters]: iraniangoalkicks.com and iraniangoals.com! Admittedly, this one is the most generic and least well designed one. But still. They pushed the theme too far!}
{height=1400}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/www.dedrickonline.com.jpg]
{title=2010 <Wayback Machine> archive of https://web.archive.org/web/20101211095158/http://www.dedrickonline.com/[dedrickonline.com]}
{description=
The <German> one.
The CIA has had a few Germany espionage scandals in the 2010s:
* 2014 https://www.bbc.co.uk/news/world-europe-28243933[]: a German Intelligence Agency agent was arrested for spying for the CIA
* 2021 https://www.reuters.com/world/europe/us-security-agency-spied-merkel-other-top-european-officials-through-danish-2021-05-30/ U.S. spied on Merkel and other Europeans through Danish cables
* 2020 https://www.dw.com/en/how-the-uss-cia-and-germanys-bnd-spied-on-world-leaders/a-52358527 it was revealed that Germany and the USA had an agreement to spy on world leaders, notably via compromised Swiss company Crypto AG
}
{height=1600}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/lesummumdelafinance.com.jpg]
{title=2010 <Wayback Machine> archive of https://web.archive.org/web/20100514032916/http://lesummumdelafinance.com[lesummumdelafinance.com]}
{description=A <French> one. Because it mentions VTT (Mountain Biking in French), it must focus on France.}
{height=1400}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/attivitaestremi.com.jpg]
{title=2011 <Wayback Machine> archive of https://web.archive.org/web/20110128162039/http://attivitaestremi.com/[attivitaestremi.com]}
{description=An <Italian> one about extreme sports.}
{height=1400}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/noticiasmusica.net.jpg]
{title=2010 <Wayback Machine> archive of https://web.archive.org/web/20101230165001/http://noticiasmusica.net/[noticiasmusica.net]}
{description=
The <Brazilian> one.
In 2013 https://en.wikipedia.org/wiki/Glenn_Greenwald[Glenn Greenwald] claimed that https://g1.globo.com/mundo/noticia/2013/07/vigilancia-dos-eua-ao-brasil-e-ponte-para-outros-paises-diz-jornalista.html[the espionage in Brazil was merely a bridge to other countries of interest such as China and Iran].
}
{height=1400}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/economicnewsbuzz.com.jpg]
{title=2011 <Wayback Machine> archive of https://web.archive.org/web/20110207210053/http://economicnewsbuzz.com/[economicnewsbuzz.com]}
{description=The Korean one. Love the https://en.wikipedia.org/wiki/Kawaii[kawaii] style!}
{height=1400}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/snapnewsfront.net.jpg]
{title=2011 <Wayback Machine> archive of https://web.archive.org/web/20110107022935/http://snapnewsfront.net/[snapnewsfront.net]}
{description=The <Japanese> one.}
{height=1400}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/philippinenewsonline.net.jpg]
{title=2010 <Wayback Machine> archive of https://web.archive.org/web/20101230191405/http://philippinenewsonline.net/[philippinenewsonline.net]}
{description=The Philippine one.}
{height=1400}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/feedsdemexicoyelmundo.com.jpg]
{title=2011 <Wayback Machine> archive of https://web.archive.org/web/20110202190838/http://feedsdemexicoyelmundo.com/[feedsdemexicoyelmundo.com]}
{description=The Mexican one.}
{height=800}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/www.easytraveleurope.com.jpg]
{title=2012 <Wayback Machine> archive of https://web.archive.org/web/20120218052121/http://www.easytraveleurope.com/[easytraveleurope.com]}
{height=800}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/tee-shot.net.jpg]
{title=2011 <Wayback Machine> archive of https://web.archive.org/web/20110107045521/http://tee-shot.net[tee-shot.net]}
{description=One of the many golf-themed sites. Golf appears to be quite popular over in Langley. It's exactly what you'd expect for a mid-level spook to do in their free time!}
{height=900}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/nouvellesetdesrapports.com.jpg]
{title=2011 <Wayback Machine> archive of https://web.archive.org/web/20110128173433/http://nouvellesetdesrapports.com/[nouvellesetdesrapports.com]}
{height=900}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/pangawana.com.jpg]
{title=2011 <Wayback Machine> archive of https://web.archive.org/web/20110203201604/http://pangawana.com/[pangawana.com]}
{height=800}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/recuerdosdeviajeonline.com.jpg]
{title=2011 <Wayback Machine> archive of https://web.archive.org/web/20110202124633/http://recuerdosdeviajeonline.com/[recuerdosdeviajeonline.com]}
{height=1000}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/theworld-news.net.jpg]
{title=2011 <Wayback Machine> archive of https://web.archive.org/web/20101226182928/http://theworld-news.net/[theworld-news.net]}
{height=800}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/www.kessingerssportsnews.com.jpg]
{title=2011 <Wayback Machine> archive of https://web.archive.org/web/20100520013854/http://www.kessingerssportsnews.com/[kessingerssportsnews.com]}
{height=800}
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/negativeaperture.com.jpg]
{title=2011 <Wayback Machine> archive of https://web.archive.org/web/20110207202401/http://negativeaperture.com/[negativeaperture.com]}
{height=1300}
= USA spying on its own allies
{c}
{parent=Results}
Being <Brazilian>, <Ciro Santilli> is particularly curious about the existence of a Brazilian-focused website mentioned in the article, as well as of websites focused on other <democracies>.
WTF was the <CIA> doing in Brazil in the early 2010s? Wasn't helping to install the <Military dictatorship in Brazil> enough?
Here are the democracies found so far, defining a democracy as a country with score 7.0 or more in the https://graphics.eiu.com/PDF/Democracy_Index_2010_web.pdf[Democracy index 2010]. In native language:
* <Germany> (2: https://web.archive.org/web/20101211095158/http://www.dedrickonline.com/[dedrickonline.com], https://web.archive.org/web/20100109023107/http://www.neighbour-news.com/[neighbour-news.com])
* <France> (4: https://web.archive.org/web/20110203080503/http://guide-daventure.com/[guide-daventure.com], https://web.archive.org/web/20100514032916/http://lesummumdelafinance.com/[lesummumdelafinance.com], https://web.archive.org/web/20101015050644/http://football-de-luxe.com/[football-de-luxe.com], https://web.archive.org/web/20110128111638/http://suparakuvi.com/[suparakuvi.com])
* <Italy> (2: https://web.archive.org/web/20110128162039/http://attivitaestremi.com/[attivitaestremi.com], https://web.archive.org/web/20101009032531/http://podisticamondiale.com/[podisticamondiale.com])
* <Spain> (2: https://web.archive.org/web/20110210112553/http://armashoy.com/[armashoy.com], https://web.archive.org/web/20120429042725/http://montanismoaventura.com/[montanismoaventura.com])
* <Brazil> (1: https://web.archive.org/web/20101230165001/http://noticiasmusica.net/[noticiasmusica.net])
* South Korea (1: https://web.archive.org/web/20110207210053/http://economicnewsbuzz.com/[economicnewsbuzz.com])
* Poland (1: https://web.archive.org/web/20101229154411/http://boxingstop.net[boxingstop.net])
In English, so more deniable:
* <Japan> (1: https://web.archive.org/web/20110107022935/http://snapnewsfront.net/[snapnewsfront.net])
* <Canada> (2: https://web.archive.org/web/20100512125752/http://kanata-news.com/[kanata-news.com], https://web.archive.org/web/20110208211139/http://mynewscheck.com/[mynewscheck.com])
* Philippines (1: https://web.archive.org/web/20101229100006/http://half-court.net/[half-court.net])
* <India> (1: https://web.archive.org/web/20110208032707/http://amishkanews.com/[amishkanews.com])
"Almost democracies":
* Croatia (1: https://web.archive.org/web/20110207151935/http://stara-turistick.com/[stara-turistick.com])
* Thailand (1: https://web.archive.org/web/20110202143130/http://thefairwaysaregreen.com/[thefairwaysaregreen.com])
* Peru (1: https://web.archive.org/web/20110207112452/http://todosperuahora.com/[todosperuahora.com])
Ciro couldn't help but feel as if looking through the Eyes of <Sauron> himself!
It is worth noting that democracies represent just a small minority of the websites found. The Middle East, and Spanish language sites (presumably for Venezuela + war on drugs countries?) were the huge majority. But <Americans> have to understand that https://cirosantilli.com/china-dictatorship/dictatorships-tend-to-work-together[democracies have to work together and build mutual trust, and not spy on one another]. Even some of the enlightened people from <Hacker News> seem https://news.ycombinator.com/item?id=36279768[to not grasp this point]. The <USA> cannot single-handedly maintain world order as it once could. Collaboration based on trust is the only way.
<Snowden>'s 2013 revelations particularly shocked USA allies with the fact that they were being spied upon, and as of the 2020s, everybody knows this and has "stopped caring", and/or moved to <end-to-end encryption> by default. This is beautifully illustrated in the <Snowden (film)> when Snowden talks about his time in <Japan> working for <Dell> as an undercover <NSA> operative:
\Q[
<NSA> wanted to impress the <Japanese>. Show them our reach. They loved the live video from drones. This is <Pakistan> right now \[video shows CIA agents demonstrating drone footage to Japanese officials\]. They were not as excited about that we wanted their help to spy on the Japanese population. They said it was against their laws.
We bugged the country anyway, of course.
And we did not stop there. Once we had their communications we continued with the physical infrastructure. We sneaked into small programs in their power grids, dams, hospitals. The idea was that if Japan one day was not our allies we could turn off the lights.
And it was not just Japan. We planted software in <Mexico>, <Germany>, <Brazil>, Austria.
<China>, I can understand. Or <Russia> or <Iran>. Venezuela, okay.
But Austria? \[shows footage of <cow> on an idyllic <Alpine> mountain grazing field, suggesting that there is nothing in Austria to spy on\]
]
Another noteworthy scene from that movie is <video Aptitude test scene from the Snowden 2016 film>, where a bunch of new <CIA> recruits are told that:
\Q[Each of you is going to build a covert communications network in your home city \[i.e. their fictitious foreign target location written on each person's desk, not necessarily where they were actually born\], you're going to deploy it, backup your site, destroy it, and restore it again.]
= List of websites
{parent=Results}
As a <JSON>: https://github.com/cirosantilli/media/blob/master/cia-2010-covert-communication-websites/hits.json[]. <OurBigBook Markup> to <JSON> conversion helper \a[cia-2010-covert-communication-websites/bigb-to-json]:
``
cia-2010-covert-communication-websites/bigb-to-json cia-2010-covert-communication-websites.bigb
``
Hit criteria: has <Wayback Machine> archive, and clear indication of a known <communication mechanism>. The mechanism itself doesn't need to be archived, however: a link to it is enough given other supporting elements: IP range, site style, date, web archive date pattern. JS comms are always quickly visually inspected; for other mechanisms we look only at filename patterns. Commented edge cases that didn't make the cut can be found mostly under <IP range search>{full} and <2013 DNS Census virtual host cleanup heuristic keyword searches>{full}.
|| ip
|| domain
|| <Wayback Machine>
|| language
|| country mentions
|| comms
|| theme
|| notes
| <Hits without nearby IP hits>[?]
| all-sport-headlines.com
| https://web.archive.org/web/20110207144440/http://all-sport-headlines.com/[2011]
| Arabic
|
| https://web.archive.org/web/20110207144821/http://all-sport-headlines.com/birdie.jar[JAR]
| news
| split imageshttps://web.archive.org/web/20110207144942/http://all-sport-headlines.com/images/banner1.jpg{ref}https://web.archive.org/web/20110207144620/http://all-sport-headlines.com/images/banner2.jpg{ref}Arabic-looking alphabet, image only so can't Google translate easily.
| <Hits without nearby IP hits>[?]
| firstnewssource.com
| https://web.archive.org/web/20110203072201/http://firstnewssource.com/[2011]
| Farsi
| Iran
| http://web.archive.org/web/20110203072529/http://firstnewssource.com/btools.jar[JAR]
| news
| Copyright 2009. Split images. `rss-items`.
| <Hits without nearby IP hits>[?]
| global-view-news.com
| https://web.archive.org/web/20110201100028/http://global-view-news.com/[2011]
| English
|
| https://web.archive.org/web/20110201100059/http://global-view-news.com/ticker.jar[JAR]
| news
| split imageshttps://web.archive.org/web/20110201100034/http://global-view-news.com/images/banner_01.jpg{ref}https://web.archive.org/web/20110201100045/http://global-view-news.com/images/banner_02.jpg{ref}
| <Hits without nearby IP hits>[?]
| globaltourist.net
| https://web.archive.org/web/20101024140137/http://globaltourist.net/[2010]
| English
|
| https://web.archive.org/web/20101229090929/http://globaltourist.net/speed.jar[JAR]
| travel
| split imageshttps://web.archive.org/web/20101229090818/http://globaltourist.net/images/index_01.jpg{ref}https://web.archive.org/web/20101229090840/http://globaltourist.net/images/index_04.jpg{ref}, `rss-items`. speed.jar "speed test" JAR pattern. Seems to have been legit both before.
| <Hits without nearby IP hits>[?]
| hassannews.net
| https://web.archive.org/web/20101230175152/http://www.hassannews.net/[2010]
| Arabic
|
| https://web.archive.org/web/20101230175424/http://www.hassannews.net/hassannews.swf[SWF]
| news
| CSS or archive quite broken. Split imageshttps://web.archive.org/web/20101230175417/http://www.hassannews.net/images/aa_05.jpg{ref}https://web.archive.org/web/20101230175337/http://www.hassannews.net/images/aa_09.jpg{ref}. `rss-items`.
| <Hits without nearby IP hits>[?]
| health-men-today.com
| https://web.archive.org/web/20110207232317/http://health-men-today.com/[2011]
| Arabic
|
| https://web.archive.org/web/20110207232346/http://health-men-today.com/cardio.jar[JAR]
| news
| `rss-items`. Encoding broken.
| <Hits without nearby IP hits>[?]
| intlnewsdaily.com
| https://web.archive.org/web/20110202053416/http://intlnewsdaily.com/[2011]
| English
|
| https://web.archive.org/web/20110202053458/http://intlnewsdaily.com/region.jar[JAR]
| news
| `rss-items`
| <Hits without nearby IP hits>[?]
| newdaynewsonline.com
| https://web.archive.org/web/20110208031757/http://newdaynewsonline.com/[2011]
| English
|
| https://web.archive.org/web/20110208031828/http://newdaynewsonline.com/latesttools.jar[JAR]
| news
|
| <Hits without nearby IP hits>[?]
| newsincirculation.com
| https://web.archive.org/web/20110208064836/http://newsincirculation.com/[2011]
| Arabic
|
| https://web.archive.org/web/20110208064944/http://newsincirculation.com/affairs.jar[JAR]
| news
|
| <Hits without nearby IP hits>[?]
| newsworldsite.com
| https://web.archive.org/web/20110208071937/http://newsworldsite.com/[2011]
| Pashto
| Afghanistan
| https://web.archive.org/web/20110208071946/http://newsworldsite.com/steps.jar[JAR]
| news
|
| <Hits without nearby IP hits>[?]
| pars-technews.com
| https://web.archive.org/web/20110204140004/http://pars-technews.com/[2011]
| Farsi
| Iran
| https://web.archive.org/web/20110204140004oe_/http://pars-technews.com/cellphones.jar[JAR]
| news
| "pars" presumably means "Parsi" or something of the same root
| <Hits without nearby IP hits>[?]
| sportsnewsfinder.com
| https://web.archive.org/web/20110210133439/http://sportsnewsfinder.com/[2011]
| Chinese
| China
| https://web.archive.org/web/20110210133446/http://sportsnewsfinder.com/scores.jar[JAR]
| news
| 体育新闻发现者 (sports news finder)
| <Hits without nearby IP hits>[?]
| terrain-news.com
| https://web.archive.org/web/20110202060336/http://terrain-news.com/[2011]
| Pashto
| Afghanistan
| https://web.archive.org/web/20110202060511/http://terrain-news.com/internetspeed.jar[JAR]
| news
|
| <Hits without nearby IP hits>[?]
| theworldnewsfeeds.com
| https://web.archive.org/web/20110209183352/http://theworldnewsfeeds.com/[2011]
| English
|
| https://web.archive.org/web/20110209183426/http://theworldnewsfeeds.com/feeds.jar[JAR]
| news
| `rss-items`. Split imageshttps://web.archive.org/web/20110209183352im_/http://theworldnewsfeeds.com/images/index_01.jpg{ref}https://web.archive.org/web/20110209183352im_/http://theworldnewsfeeds.com/images/index_02.jpg{ref}
| <Hits without nearby IP hits>[?]
| todayoutdoors.com
| https://web.archive.org/web/20110228050804/http://todayoutdoors.com/[2011]
| English
|
| https://web.archive.org/web/20110228050838/http://todayoutdoors.com/fires.jar[JAR]
| sports, travel
| split imageshttps://web.archive.org/web/20110228050927/http://todayoutdoors.com/images/index_01.jpg{ref}https://web.archive.org/web/20110228050935/http://todayoutdoors.com/images/index_02.jpg{ref}
| <Hits without nearby IP hits>[?]
| todaysnewsreports.net
| https://web.archive.org/web/20100930172518/http://www.todaysnewsreports.net/[2010]
| Arabic
|
| https://web.archive.org/web/20101230050102/http://todaysnewsreports.net/communicate.jar[JAR]
| news
|
| <Hits without nearby IP hits>[?]
| weblognewsinfo.com
| https://web.archive.org/web/20110207145305/http://weblognewsinfo.com/[2011]
| English
|
| https://web.archive.org/web/20110207145431/http://weblognewsinfo.com/global.jar[JAR]
| news
| Split images, `rss-items`.
| <Hits without nearby IP hits>[?]
| opensourcenewstoday.com
| https://web.archive.org/web/20100930152116/http://www.opensourcenewstoday.com/[2010]
| Arabic
|
| https://web.archive.org/web/20110202050322/http://opensourcenewstoday.com/breaking.jar[JAR]
| news
| copyright 2010
| <Hits without nearby IP hits>[?]
| techwatchtoday.com
| https://web.archive.org/web/20110127113203/http://techwatchtoday.com/[2011]
| English
|
| https://web.archive.org/web/20110201220252/http://techwatchtoday.com/Meter.jar[JAR]
| tech, news
| Marked copyright 2008. Split imageshttps://web.archive.org/web/20110201220125/http://techwatchtoday.com/images/index_01.jpg{ref}https://web.archive.org/web/20110201220207/http://techwatchtoday.com/images/index_02.jpg{ref}. https://web.archive.org/web/20180118191109/http://techwatchtoday.com/[Later legit].
| <Hits without nearby IP hits>[?]
| cyhiraeth-intlnews.com
| https://web.archive.org/web/20110129052403/http://www.cyhiraeth-intlnews.com/[2011]
| English
|
| https://web.archive.org/web/20110129052501/http://www.cyhiraeth-intlnews.com/cyber.jar[JAR]
| news
| https://en.wikipedia.org/wiki/Cyhyraeth "The cyhyraeth is a ghostly spirit in Welsh mythology, a disembodied moaning voice that sounds before a person's death." WTF! So the serious looking black actress lady is meant to represent the voice of death?. Split imageshttps://web.archive.org/web/20110129052434/http://www.cyhiraeth-intlnews.com/images/index_02.jpg{ref}https://web.archive.org/web/20110129052457/http://www.cyhiraeth-intlnews.com/images/index_03.jpg{ref}. `rss-items`
| <Hits without nearby IP hits>[?]
| 24hoursprimenews.com
| https://web.archive.org/web/20090628052814/http://www.24hoursprimenews.com/[2009]
| English
|
| https://web.archive.org/web/20110128180323/http://24hoursprimenews.com/stories.jar[JAR]
| news
| split imageshttps://web.archive.org/web/20110128180410/http://24hoursprimenews.com/images/index_01.jpg{ref}https://web.archive.org/web/20110128180311/http://24hoursprimenews.com/images/index_02.jpg{ref}
| <Hits without nearby IP hits>[?]
| dailynewsandsports.com
| https://web.archive.org/web/20130526130749/http://dailynewsandsports.com/[2013]
| English
|
| https://web.archive.org/web/20130823154922/http://dailynewsandsports.com/testmeter.jar[JAR]
| sports
|
| <Hits without nearby IP hits>[?]
| europeannewsflash.com
| https://web.archive.org/web/20110201191814/http://europeannewsflash.com/[2011]
| English
|
| https://web.archive.org/web/20110201192135/http://europeannewsflash.com/users.jar[JAR]
| news
| Split imageshttps://web.archive.org/web/20110201192154/http://europeannewsflash.com/images/index_01.jpg{ref}https://web.archive.org/web/20110201192122/http://europeannewsflash.com/images/index_02.jpg{ref}
| <Hits without nearby IP hits>[?]
| farsi-newsandweather.com
| https://web.archive.org/web/20110202122304/http://farsi-newsandweather.com/[2011]
| Farsi
| Iran
| https://web.archive.org/web/20110202122354/http://farsi-newsandweather.com/steps.jar[JAR]
| news
| split imageshttps://web.archive.org/web/20110202122343/http://farsi-newsandweather.com/images/banner_01.jpg{ref}https://web.archive.org/web/20110202122347/http://farsi-newsandweather.com/images/banner_02.jpg{ref}
| <Hits without nearby IP hits>[?]
| iranfootballsource.com
| https://web.archive.org/web/20110202091611/http://iranfootballsource.com/[2011]
| Farsi
|
| https://web.archive.org/web/20110202091901/http://iranfootballsource.com/futbol.js[JS]
| sports, <football>
|
| <Hits without nearby IP hits>[?]
| iraniangoalkicks.com
| https://web.archive.org/web/20080211111124/http://iraniangoalkicks.com/[2008]
| Farsi
| <Iran>
| https://web.archive.org/web/20110202091917/http://iraniangoalkicks.com/clamping.jar[JAR]
| sports, <football>
|
| <Hits without nearby IP hits>[?]
| iraniangoals.com
| https://web.archive.org/web/20090411072857/http://iraniangoals.com/[2009]
| Farsi
| <Iran>
| https://web.archive.org/web/20110202091909/http://iraniangoals.com/journal.js[JS]
| sports, <football>
|
| <Hits without nearby IP hits>[?]
| mywebofnews.com
| https://web.archive.org/web/20110210130458/http://mywebofnews.com/[2011]
| Arabic
|
| https://web.archive.org/web/20110210130707/http://mywebofnews.com/tools.jar[JAR]
| news
| Split imageshttps://web.archive.org/web/20110210130611/http://mywebofnews.com/images/web_01.jpg{ref}https://web.archive.org/web/20110210130506/http://mywebofnews.com/images/web_02.jpg{ref}. `rss-items`.
| <Hits without nearby IP hits>[?]
| news-latina.com
| https://web.archive.org/web/20110208065123/http://news-latina.com/[2011]
| English
|
| https://web.archive.org/web/20110208065133/http://news-latina.com/news.jar[JAR]
| news
| copyright 2007
| <Hits without nearby IP hits>[?]
| outlooknewscast.com
| https://web.archive.org/web/20110202115620/http://outlooknewscast.com/[2011]
| Farsi
| Iran
| https://web.archive.org/web/20110202115733/http://outlooknewscast.com/members.jar[JAR]
| news
|
| <Hits without nearby IP hits>[?]
| rastadirect.net
| https://web.archive.org/web/20100429002010/http://rastadirect.net/[2010]
| <English (language)>
|
| https://web.archive.org/web/20110106225504/http://rastadirect.net/africa.jar[JAR]
| fansite
|
| <Hits without nearby IP hits>[?]
| todaysengineering.com
| https://web.archive.org/web/20110228051404/http://todaysengineering.com/[2011]
| English
|
| https://web.archive.org/web/20110228051404/https://secure.todaysengineering.com/cgi-bin/engineer.cgi[CGI]
| engineering
|
| <Hits without nearby IP hits>[?]
| worldofonlinenews.com
| https://web.archive.org/web/20110210051430/http://worldofonlinenews.com/[2011]
| English
|
| https://web.archive.org/web/20110210051552/http://worldofonlinenews.com/world.jar[JAR]
| news
| split imageshttps://web.archive.org/web/20110210051523/http://worldofonlinenews.com/images/index_01.jpg{ref}https://web.archive.org/web/20110210051531/http://worldofonlinenews.com/images/index_02.jpg{ref}. https://web.archive.org/web/20151220182815/http://www.worldofonlinenews.com:80/[Later legit].
| 62.22.60.42
| newsupdatesite.com
| https://web.archive.org/web/20110208071716/http://newsupdatesite.com/[2011]
| English
|
| https://web.archive.org/web/20110208072027/http://newsupdatesite.com/update.jar[JAR]
| news
| https://dnshistory.org/historical-dns-records/a/newsupdatesite.com[rdns source]
| 62.22.60.46
| flyingtimeline.com
| https://web.archive.org/web/20110207204610/http://flyingtimeline.com/[2011]
| English
|
| https://web.archive.org/web/20110207204640/http://flyingtimeline.com/aircraft.jar[JAR]
| airplanes
|
| 62.22.60.48
| currentcommunique.com
| https://web.archive.org/web/20110130162455/http://currentcommunique.com/[2011]
| English
| Egypt
| https://web.archive.org/web/20110130162717/http://currentcommunique.com/outdoor-activities-guide.swf[SWF]
| news
|
| 62.22.60.49
| telecom-headlines.com
| https://web.archive.org/web/20110202010914/http://telecom-headlines.com/[2011]
| English
|
| https://web.archive.org/web/20110202011432/http://telecom-headlines.com/situation.js[JS]
| tech
|
| 62.22.60.52
| collectedmedias.com
| https://web.archive.org/web/20110208064948/http://collectedmedias.com/[2011]
| French
|
| https://web.archive.org/web/20110208065035/http://collectedmedias.com/livestory.js[JS]
| news
| Marked copyright 2008
| 62.22.60.55
| thefilmcentre.com
| https://web.archive.org/web/20110202144854/http://thefilmcentre.com/[2011]
| English
|
| https://web.archive.org/web/20110202144926/http://thefilmcentre.com/modernfilm.js[JS]
| films
|
| 62.22.60.56
| traveltimenews.com
| https://web.archive.org/web/20110208063719/http://traveltimenews.com/[2011]
| English
|
| https://web.archive.org/web/20110208063737/http://traveltimenews.com/programa.js[JS]
| news
|
| 62.22.61.193
| awfaoi.org
| https://web.archive.org/web/20100607225131/http://www.awfaoi.org/[2010]
| <Arabic>
| Iraq
| https://web.archive.org/web/20110624203548/http://awfaoi.org/hand.jar[JAR]
| not-for-profit
| This was the first clear <.org hit> with comms we've been able to find. Title translation: "Arab women to help Iraq", so perhaps "awfaoi" stands for "Arab Women For A O? Iraq". This fits well into the .org theme. Marked copyright 2008.
| 62.22.61.197
| rc5sports.com
| https://web.archive.org/web/20110202093316/http://rc5sports.com/[2011]
| English
|
| https://web.archive.org/web/20110202093627/http://rc5sports.com/slides.jar[JAR]
| sports
|
| 62.22.61.198
| inside-vc.com
| https://web.archive.org/web/20110602073616/http://inside-vc.com/[2011]
| English
|
| https://web.archive.org/web/20110602073616/https://www.inside-vc.com/cgi-bin/capital.cgi[CGI]
| finance
| "vc" is a standard abbreviation for <venture capital>
| 62.22.61.202
| bailsnboots.com
| https://web.archive.org/web/20110201234149/http://bailsnboots.com/[2011]
| English
|
| https://web.archive.org/web/20110201234514/http://bailsnboots.com/bailsnboots.swf[SWF]
| sports, cricket
| "Bail" is one part of the thing you're supposed to hit with the ball in cricket.https://en.wikipedia.org/wiki/Bail_(cricket){ref}
| 62.22.61.203
| the-cricketer-online.com
| https://web.archive.org/web/20110202124357/http://the-cricketer-online.com/[2011]
| English
|
| https://web.archive.org/web/20110202124706/http://the-cricketer-online.com/cricketer.jar[JAR]
| sports, cricket
| marked copyright 2009.
| 62.22.61.204
| hollywoodscreen.net
| https://web.archive.org/web/20110106082200/http://hollywoodscreen.net/[2011]
| English
|
| https://web.archive.org/web/20110106082232/http://hollywoodscreen.net/current.js[JS]
| films
|
| 62.22.61.206
| worldnewsnetworking.com
| https://web.archive.org/web/20110210043738/http://worldnewsnetworking.com/[2011]
| <Arabic>
|
| https://web.archive.org/web/20110210043750/http://worldnewsnetworking.com/wnn.jar[JAR]
| news
|
| 62.22.61.212
| nuestrasfinanzas.com
| https://web.archive.org/web/20110128201657/http://nuestrasfinanzas.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110128201702/http://nuestrasfinanzas.com/ads.jar[JAR]
| finance
|
| 62.22.61.217
| court-masters.com
| https://web.archive.org/web/20110128080659/http://court-masters.com/[2011]
| English
|
| https://web.archive.org/web/20110129003221*/http://court-masters.com/rumors.jar[JAR]
| sports, tennis
|
| 62.22.61.219
| allworldstatistics.com
| https://web.archive.org/web/20110207151749/http://allworldstatistics.com/[2011]
| English
|
| https://web.archive.org/web/20110207151920/http://allworldstatistics.com/international.js[JS]
| statistics
|
| 62.22.61.220
| newsjaka.com
| https://web.archive.org/web/20110208065006/http://newsjaka.com/[2011]
| English
| Indonesia
| https://web.archive.org/web/20110208065144/http://newsjaka.com/journals.js[JS]
| news
| "jaka" presumably means https://en.wikipedia.org/wiki/Jakarta[Jakarta], the capital of Indonesia. There is an Indonesia section on the left sidebar, but the news is quite global.
| 63.131.229.2
| fightskillsresource.com
| https://web.archive.org/web/20110203021154/http://fightskillsresource.com/[2011]
| English
|
| https://web.archive.org/web/20110203021205js_/http://fightskillsresource.com/tapout.js[JS]
| sports, martial arts
|
| 63.131.229.4
| unitedterritorynews.com
| https://web.archive.org/web/20110131154421/http://unitedterritorynews.com/[2011]
| English
|
| https://web.archive.org/web/20110131154504js_/http://unitedterritorynews.com/newsterritory.js[JS]
| news
|
| 63.131.229.9
| show-dustry.com
| https://web.archive.org/web/20110202124350/http://show-dustry.com/[2011]
| English
|
| https://web.archive.org/web/20110202124350/https://secure.show-dustry.com/cgi-bin/login.cgi[CGI]
| entertainment
| The website name is a <neologism> with "show" and "industry".
| 63.131.229.11
| mythriftytrip.com
| https://web.archive.org/web/20110202124350/https://secure.show-dustry.com/cgi-bin/login.cgi[2011]
| English
|
| https://web.archive.org/web/20101101072007/https://secure.mythriftytrip.com/cgi-bin/deals.cgi[CGI]
| travel
| thrifty means: "using money and other resources carefully and not wastefully"
| 63.131.229.12
| cyberreportagenews.com
| https://web.archive.org/web/20110131005047/http://cyberreportagenews.com/[2011]
| English
|
| https://web.archive.org/web/20110131005209/http://cyberreportagenews.com/newsline.jar[JAR]
| news
| https://viewdns.info/iphistory/?domain=cyberreportagenews.com[rdns source]
| 63.131.229.13
| sunrise-news.com
| https://web.archive.org/web/20110128104113/http://sunrise-news.com/[2011]
| English
|
| https://web.archive.org/web/20110128104153/http://sunrise-news.com/news.jar[JAR]
| news
| https://viewdns.info/iphistory/?domain=sunrise-news.com[rdns source]
| 63.131.229.15
| cricketnewsforindia.com
| https://web.archive.org/web/20130422163848/http://cricketnewsforindia.com/[2013]
| English
| India
| https://web.archive.org/web/20130422163848js_/http://cricketnewsforindia.com/ball.js[JS]
| sports, cricket
| archive quite broken, lots of missing files, including the JS
| 63.131.229.16
| nutricion-saludable.net
| https://web.archive.org/web/20101230170013/http://nutricion-saludable.net/[2010]
| Spanish
|
| https://web.archive.org/web/20101230170013/https://secure.nutricion-saludable.info/cgi-bin/healthy.cgi[CGI]
| health
|
| 63.131.229.20
| fixashion.net
| https://web.archive.org/web/20110106042731/http://fixashion.net/[2011]
| English
|
| https://web.archive.org/web/20110106042808js_/http://fixashion.net/cotton.js[JS]
| fashion
|
| 63.130.160.50
| theglobalheadlines.com
| https://web.archive.org/web/20100323000936/http://theglobalheadlines.com/[2010]
| English
|
| https://web.archive.org/web/20110202161018/http://theglobalheadlines.com/anchorage.jar[JAR]
| news
| This has several archives from 2013, marked as Live Web Proxy Crawls, a collection described as "mostly by the Save Page Now", so presumably made by <counter-intelligence> or amateurs.
| 63.130.160.51
| hai-pow.com
| https://web.archive.org/web/20110204045740/http://hai-pow.com/[2011]
| English
|
| https://web.archive.org/web/20110204050101/http://hai-pow.com/haipow.jar[JAR]
| sports, martial arts
|
| 63.130.160.53
| echessnews.com
| https://web.archive.org/web/20110207193351/http://echessnews.com/[2011]
| Chinese
| China
| https://web.archive.org/web/20110207193421/http://echessnews.com/ad.jar[JAR]
| sports, boxing
| Chinese title: 我的象棋世界 (My Chinese Chess world). https://dnshistory.org/historical-dns-records/a/echessnews.com[rdns source]. Split imageshttps://web.archive.org/web/20110207193442/http://echessnews.com/images/title_01.jpg{ref}https://web.archive.org/web/20110207193535/http://echessnews.com/images/title_02.jpg{ref}
| 63.130.160.60
| boxingstop.net
| https://web.archive.org/web/20101229154411/http://boxingstop.net/[2010]
| Polish
| Poland
| https://web.archive.org/web/20101229154458/http://boxingstop.net/championship.jar[JAR]
| sports, boxing
|
| 63.130.160.62
| azerinews.org
| https://web.archive.org/web/20090730030548/http://azerinews.org/[2009]
| Azerbaijani
| Azerbaijan
| https://web.archive.org/web/20110624214047/http://azerinews.org/cable.jar[JAR]
| news
| https://dnshistory.org/historical-dns-records/a/azerinews.org[rdns source]. Split images, `rss-items`.
| 64.16.204.55
| holein1news.com
| https://web.archive.org/web/20101007201100/http://holein1news.com/[2010]
| English
|
| https://web.archive.org/web/20110207142541/http://holein1news.com/standings.jar[JAR]
| sports, golf
|
| 64.16.204.58
| tech-topix.com
| https://web.archive.org/web/20130620211952/http://tech-topix.com/[2013]
| English
|
| https://web.archive.org/web/20130620211952/https://ssl.tech-topix.com/cgi-bin/tech.cgi[CGI]
| tech
| Archive quite broken, but there is a link to <CGI comms>.
| 65.61.127.163
| capture-nature.com
| https://web.archive.org/web/20110201104659/http://capture-nature.com/[2011]
| <English (language)>
|
| https://web.archive.org/web/20110201104851/http://capture-nature.com/Scenes.jar[JAR]
| <photography>
| <Reuters example>. The domain has since become legitimate. Ciro contacted the owner, and he was unaware of the domain's history.
| 65.61.127.166
| globalnewsbulletin.com
| https://web.archive.org/web/20110129013701/http://globalnewsbulletin.com/[2013]
| <English (language)>
| Tunisia, <Afghanistan>, <Iran>, Egypt
| https://web.archive.org/web/20110129013701/https://secure.globalnewsbulletin.com/cgi-bin/index.cgi[CGI]
| news
| PHP pages, images `/images/index_01.jpg`
| 65.61.127.169
| crossovernews.net
| https://web.archive.org/web/20111014003640/http://www.crossovernews.net/[2011]
| <English (language)>
|
| https://web.archive.org/web/20111014003646/http://www.crossovernews.net/basketball.jar[JAR]
| sports, basketball
|
| 65.61.127.174
| dedrickonline.com
| https://web.archive.org/web/20101211095158/http://www.dedrickonline.com/[2010]
| <German (language)>
|
| https://web.archive.org/web/20130909110245/http://dedrickonline.com/newsflash.js[JS]
| sports
|
| 65.61.127.175
| altworldnews.com
| https://web.archive.org/web/20130501234310/http://altworldnews.com:80/[2013]
| <English (language)>
|
| https://web.archive.org/web/20130501234310/https://secure.altworldnews.com/cgi-bin/desk.cgi[CGI]
| news
| <Epoch Times> link, PHP pages
| 65.61.127.178
| tee-shot.net
| https://web.archive.org/web/20110107045521/http://tee-shot.net/[2011]
| <English (language)>
|
| https://web.archive.org/web/20110107045740/http://tee-shot.net/tee-shot.swf[SWF]
| sports, golf
| nice domain name
| 65.61.127.182
| pangawana.com
| https://web.archive.org/web/20110203201604/http://pangawana.com/[2011]
| <Arabic>
| <Afghanistan>
| https://web.archive.org/web/20110203201745/http://pangawana.com/communication.js[JS]
| news
|
| 65.61.127.183
| cutabovenews.com
| https://web.archive.org/web/20110130195721/http://cutabovenews.com/[2011]
| <English (language)>
| Algeria, various others
| https://web.archive.org/web/20110130195813/http://cutabovenews.com/images.js[JS]
| sports, basketball
|
| 65.61.127.184
| worldwildlifeadventure.com
| https://web.archive.org/web/20110210092954/http://worldwildlifeadventure.com/[2011]
| <English (language)>
|
| https://web.archive.org/web/20110210093209/http://worldwildlifeadventure.com/webspeed.jar[JAR]
| travel
|
| 65.61.127.186
| explorealtmeds.com
| https://web.archive.org/web/20130703034015/http://explorealtmeds.com/[2013]
| <English (language)>
|
| https://web.archive.org/web/20130703034015oe_/http://explorealtmeds.com/med.jar[JAR]
| health
| the JAR was not archived, but there's a link to it
| 65.218.91.9
| welcometonyc.net
| https://web.archive.org/web/20101230071028/http://welcometonyc.net/[2010]
| English
|
| https://web.archive.org/web/20110226074139/http://www.welcometonyc.net/login.html[CGI]
| travel
|
| 65.218.91.17
| alljohnny.com
| https://web.archive.org/web/20040113025122/http://alljohnny.com/[2004]
| English
|
| https://secure.alljohnny.com/cgi-bin/memlog.cgi[CGI]
| fansite
| mega early hit from 2004 to 2005. Then a gap, then they redid the domain: https://web.archive.org/web/20110207134126/http://alljohnny.com/[2011]. Same authors given content similarities e.g. "Submit Your Favorite Carson Moment". Reusing the domain after all these years, the lack of OPSEC is just mind blowing! New website marked Copyright 2003. Part of <Oleg Shakirov's findings>. One of <the Reuters websites>. Search documented at: <Searching for Carson>.
| 66.45.179.192
| thegraceofislam.com
| https://web.archive.org/web/20110202163201/http://thegraceofislam.com/[2011]
| English
|
| https://web.archive.org/web/20110202163201/https://secure.thegraceofislam.com/cgi-bin/history.cgi[CGI]
| religion, Islam
|
| 66.45.179.193
| arabicnewsunfiltered.com
| https://web.archive.org/web/20110210072414/http://arabicnewsunfiltered.com/[2011]
| Arabic
|
| https://web.archive.org/web/20110210072506/http://arabicnewsunfiltered.com/news.jar[JAR]
| news
| https://viewdns.info/iphistory/?domain=arabicnewsunfiltered.com[rdns source]
| 66.45.179.194
| raulsonsglobalnews.com
| https://web.archive.org/web/20110202135422/http://raulsonsglobalnews.com/[2011]
| English
|
| https://web.archive.org/web/20110202135451/http://raulsonsglobalnews.com/Current.jar[JAR]
| news
|
| 66.45.179.195
| aryannews.net
| https://web.archive.org/web/20101229122706/http://aryannews.net/[2010]
| Pashto
| Afghanistan
| https://web.archive.org/web/20101229122727/http://aryannews.net/headlines.jar[JAR]
| news
| https://viewdns.info/iphistory/?domain=aryannews.net[rdns source]. <Heil>.
| 66.45.179.199
| attivitaestremi.com
| https://web.archive.org/web/20110128162039/http://attivitaestremi.com/[2011]
| Italian
|
| https://web.archive.org/web/20110128162039/https://secure.attivitaestremi.com/cgi-bin/windsurfing.cgi[CGI]
| sports
|
| 66.45.179.201
| hitthepavementnow.com
| https://web.archive.org/web/20110208151258/http://hitthepavementnow.com/[2011]
| English
|
| https://web.archive.org/web/20110208151258/https://secure.hitthepavementnow.com/cgi-bin/running.cgi[CGI]
| sports, running
|
| 66.45.179.202
| newimages.org
| https://web.archive.org/web/20110921014639/http://www.newimages.org/[2011]
| Turkish
| Turkey
| https://web.archive.org/web/20110921014639oe_/http://www.newimages.org/bmeter.jar[JAR]
| <photography>
| JAR unarchived
| 66.45.179.203
| noticiascontinental.com
| https://web.archive.org/web/20110128170145/http://noticiascontinental.com/[2011]
| Spanish
| South America
| https://web.archive.org/web/20110128170145/https://secure.noticiascontinental.com/cgi-bin/bra.cgi[CGI]
| news
|
| 66.45.179.205
| noticiasporjanua.com
| https://web.archive.org/web/20110128170452/http://noticiasporjanua.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110128170510/http://noticiasporjanua.com/noticias.jar[JAR]
| news
|
| 66.45.179.206
| podisticamondiale.com
| https://web.archive.org/web/20101009032531/http://podisticamondiale.com/[2010]
| Italian
| <Italy>
| https://web.archive.org/web/20110208042318/http://podisticamondiale.com/running.jar[JAR]
| sports, running
| marked copyright 2010
| 66.45.179.207
| reflectordenoticias.com
| https://web.archive.org/web/20110202151317/http://reflectordenoticias.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110202151532/http://reflectordenoticias.com/globe.jar[JAR]
| news
|
| 66.45.179.208
| havenofgamerz.com
| https://web.archive.org/web/20110207193330/http://havenofgamerz.com/[2011]
| English
|
| https://web.archive.org/web/20110207193352/https://secure.havenofgamerz.com/cgi-bin/top.cgi[CGI]
| gaming
| marked copyright 2009
| 66.45.179.210
| sa-michigan.com
| https://web.archive.org/web/20110208053653/http://sa-michigan.com/[2011]
| English
|
| https://web.archive.org/web/20110208053935/http://sa-michigan.com/speed.jar[JAR]
| sports
| "sa" is an abbreviation for the site title "Sports Alive"
| 66.45.179.211
| absolutebearing.net
| https://web.archive.org/web/20101229102258/http://absolutebearing.net/[2010]
| English
|
| https://web.archive.org/web/20101229102258/https://aboard.absolutebearing.net/cgi-bin/board.cgi[CGI]
| travel, sports, boats
|
| 66.45.179.213
| myportaltonews.com
| https://web.archive.org/web/20110209072318/http://myportaltonews.com/[2011]
| English
|
| https://web.archive.org/web/20110209072349/http://myportaltonews.com/mp2news.js[JS]
| news
|
| 66.45.179.214
| investmentintellect.com
| https://web.archive.org/web/20110202083352/http://investmentintellect.com/[2011]
| English
|
| https://web.archive.org/web/20110202083452/http://investmentintellect.com/funds.jar[JAR]
| finance
|
| 66.45.179.215
| nigeriastar.net
| https://web.archive.org/web/20110106181451/http://nigeriastar.net/[2011]
| English
| Nigeria
| https://web.archive.org//web/20110106181451oe_/http://nigeriastar.net/star.jar[JAR]
| news
| Contains link to unarchived JAR
| 66.104.169.163
| doctorsoncallsite.com
| https://web.archive.org/web/20110207142515/http://doctorsoncallsite.com/[2011]
| English
|
| https://web.archive.org/web/20110207142832/http://doctorsoncallsite.com/nutrition.jar[JAR]
| health
|
| 66.104.169.164
| lightandshadowonline.com
| https://web.archive.org/web/20100514072333/http://lightandshadowonline.com/[2010]
| English
|
| https://web.archive.org/web/20110202131218/http://lightandshadowonline.com/quotes.jar[JAR]
| <photography>
|
| 66.104.169.168
| plugged-into-news.net
| https://web.archive.org/web/20101229222144/http://plugged-into-news.net/[2010]
| English
|
| https://web.archive.org/web/20131101104829*/http://plugged-into-news.net/weatherbug.zip[JAR]
| news
| JAR uses .zip extension! First instance, wow
| 66.104.169.171
| golf-on-holiday.com
| https://web.archive.org/web/20110201200208/http://golf-on-holiday.com/[2011]
| English
|
| https://web.archive.org/web/20110201200242/http://golf-on-holiday.com/golf.jar[JAR]
| sports, golf
|
| 66.104.169.172
| perspectiva-noticias.com
| https://web.archive.org/web/20110207221904/http://perspectiva-noticias.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110207221952js_/http://perspectiva-noticias.com/musica.js[JS]
| news
|
| 66.104.169.175
| aquaswimming.com
| https://web.archive.org/web/20091023041107/http://aquaswimming.com/[2009]
| English
|
| https://web.archive.org/web/20110210065153/http://aquaswimming.com/workout.jar[JAR]
| sports, swimming
|
| 66.104.169.177
| dojo-temple.com
| https://web.archive.org/web/20110207095057/http://dojo-temple.com/[2011]
| English
|
| https://web.archive.org/web/20110207095057/https://disciples.dojo-temple.com/cgi-bin/kama.cgi[CGI]
| sports, martial arts
| TODO meaning of "kama"? https://en.wikipedia.org/wiki/Kama[Kama] lol?
| 66.104.169.179
| neighbour-news.com
| https://web.archive.org/web/20100109023107/http://www.neighbour-news.com/[2010]
| English
| Germany
| https://web.archive.org/web/20100109023107oe_/http://www.neighbour-news.com/bwmeter.jar[JAR]
| news
| Mentions of Goethe-Institut and Germany all over. JAR unarchived
| 66.104.169.180
| medicatechinfo.com
| https://web.archive.org/web/20100516142339/http://medicatechinfo.com/[2010]
| English
|
| https://web.archive.org/web/20100516142353/http://medicatechinfo.com/healthnow.js[JS]
| health
|
| 66.104.169.181
| brickmanfinancialnews.com
| https://web.archive.org/web/20110208004818/http://brickmanfinancialnews.com/[2011]
| English
|
| https://web.archive.org/web/20110208004900/http://brickmanfinancialnews.com/moneymaker.js[JS]
| finance
|
| 66.104.169.182
| casanewsnow.com
| https://web.archive.org/web/20110201184819/http://casanewsnow.com/[2011]
| English
|
| https://web.archive.org/web/20110201184819oe_/http://casanewsnow.com/casanews.jar[JAR]
|
| JAR unarchived. TODO why "casa"? Doesn't seem to have any link to Spanish or Portuguese.
| 66.104.169.184
| bcenews.com
| https://web.archive.org/web/20110202210126/http://bcenews.com/[2011]
| Albanian
| Albania
| https://web.archive.org/web/20110202210331/http://bcenews.com/plan.jar[JAR]
| news
|
| 66.104.173.163
| runakonews.com
| https://web.archive.org/web/20110207154526/http://runakonews.com/[2011]
| English
| Africa
| https://web.archive.org/web/20110207154526/https://travel.runakonews.com/cgi-bin/health.cgi[CGI]
| news
| "Runako" is an African given name.
| 66.104.173.164
| shoppingadventure.net
| https://web.archive.org/web/20101230020837/http://shoppingadventure.net/[2010]
| English
|
| https://web.archive.org/web/20101230020837oe_/http://shoppingadventure.net/shopping.jar[JAR]
| travel, shopping
| JAR unarchived
| 66.104.173.165
| entertaining-ly.com
| https://web.archive.org/web/20110128210953/http://entertaining-ly.com/[2011]
| English
|
| https://web.archive.org/web/20110128211117/http://entertaining-ly.com/bmeter.jar[JAR]
| entertainment
|
| 66.104.173.166
| zubeenews.com
| https://web.archive.org/web/20110209230242/http://zubeenews.com/[2011]
| English
|
| https://web.archive.org/web/20110209230317js_/http://zubeenews.com/library.js[JS]
| news
| "Zubee" is a Muslim name: https://muslimnames.com/zubee[].
| 66.104.173.169
| smart-financeology.com
| https://web.archive.org/web/20110202205120/http://smart-financeology.com/[2011]
| English
|
| https://web.archive.org/web/20110202205132/http://smart-financeology.com/clrbar.jar[JAR]
| finance
|
| 66.104.173.175
| media-coverage-now.com
| https://web.archive.org/web/20100516132048/http://media-coverage-now.com/[2010]
| English
|
| https://web.archive.org/web/20110128144135/http://media-coverage-now.com/media-coverage-now.swf[SWF]
| news
|
| 66.104.173.176
| jbc-online-news.com
| https://web.archive.org/web/20110202222044/http://jbc-online-news.com/[2011]
| English
|
| https://web.archive.org/web/20110202222044js_/http://jbc-online-news.com/travel.js[JS]
| news
| TODO meaning of "JBC". JS unarchived.
| 66.104.173.177
| webscooper.com
| https://web.archive.org/web/20110207153241/http://webscooper.com/[2011]
| English
|
| https://web.archive.org/web/20110306225148*/http://webscooper.com/World.jar[JAR]
| news
|
| 66.104.173.178
| dk-dcinvestment.com
| https://web.archive.org/web/20100415220544/http://dk-dcinvestment.com/[2010]
| English
|
| https://web.archive.org/web/20110207113033/http://dk-dcinvestment.com/gears.jar[JAR]
| finance
| TODO meaning of "dk;dc".
| 66.104.173.180
| stara-turistick.com
| https://web.archive.org/web/20110207151935/http://stara-turistick.com/[2011]
| Croatian
|
| https://web.archive.org/web/20110207152017/http://stara-turistick.com/svijeta.jar[JAR]
| tourism
|
| 66.104.173.181
| playbackpolitics.com
| https://web.archive.org/web/20110207234643/http://playbackpolitics.com/[2011]
| English
|
| https://web.archive.org/web/20110207234719/http://playbackpolitics.com/politics.js[JS]
| news
|
| 66.104.173.182
| snapnewsfront.net
| https://web.archive.org/web/20110107022935/http://snapnewsfront.net/[2011]
| English
| <Japan>
| https://web.archive.org/web/20110107023058/http://snapnewsfront.net/column.js[JS]
| news
|
| 66.104.173.183
| ingenuitytrendz.com
| https://web.archive.org/web/20110201170354/http://ingenuitytrendz.com/[2011]
| English
|
| https://web.archive.org/web/20110201170409/http://ingenuitytrendz.com/chemistry.jar[JAR]
| tech
|
| 66.104.173.184
| armashoy.com
| https://web.archive.org/web/20110210112553/http://armashoy.com/[2011]
| Spanish
| Spain
| https://web.archive.org/web/20110210114225/http://armashoy.com/armashoy.swf[SWF]
| guns
| meaning: "Weapons Today". In <First World> countries the <CIA> felt it would be safe to touch edgier subjects like guns
| 66.104.173.185
| baocontact.com
|
| English
|
| https://web.archive.org/web/20110202095555/http://baocontact.com/business.jar[JAR]
|
| HTML archive almost empty, but JAR was archived. One wonders what "bao" refers to, could be Chinese, but the small snippet of visible website is in English.
| 66.104.173.186
| myworldlymusic.com
| https://web.archive.org/web/20110210153136/http://myworldlymusic.com/[2011]
| English
| Pakistan
| https://web.archive.org/web/20110210153136oe_/http://myworldlymusic.com/WorldMusic.jar[JAR]
| music
| JAR unarchived
| 66.104.173.189
| hitpoint-gaming.com
| https://web.archive.org/web/20110208151030/http://hitpoint-gaming.com/[2011]
| English
|
| https://web.archive.org/web/20110208151033/http://hitpoint-gaming.com/hitpoint.js[JS]
| gaming
| Marked copyright 2010
| 66.104.175.34
| itwebtoday.com
| https://web.archive.org/web/20110202141204/http://itwebtoday.com/[2011]
| English
|
| https://web.archive.org/web/20110202141215/http://itwebtoday.com/itweb.js[JS]
| tech
|
| 66.104.175.35
| drglobalnews.com
| https://web.archive.org/web/20110208121753/http://drglobalnews.com/[2011]
| English
|
| https://web.archive.org/web/20110208121830/http://drglobalnews.com/globalnews.jar[JAR]
| news
| TODO meaning of "dr"? https://dnshistory.org/historical-dns-records/a/drglobalnews.com[rdns source].
| 66.104.175.36
| adilnews.net
| https://web.archive.org/web/20101222095305/http://adilnews.net/[2010]
| <Arabic>
|
| https://web.archive.org/web/20101222095511/http://adilnews.net/adilnews.swf[SWF]
| news
| https://en.wikipedia.org/wiki/Adil[Adil] is an <Arabic> masculine name.
| 66.104.175.40
| beyondnetworknews.com
| https://web.archive.org/web/20110202205659/http://beyondnetworknews.com/[2011]
| <English (language)>
| Egypt
| https://web.archive.org/web/20110202205659/https://ssl.beyondnetworknews.com/cgi-bin/local.cgi[CGI]
| news
|
| 66.104.175.41
| grubbersworldrugbynews.com
| https://web.archive.org/web/20110202191712/http://grubbersworldrugbynews.com/[2011]
| <English (language)>
|
| https://web.archive.org/web/20110202191728/http://grubbersworldrugbynews.com/team.js[JS]
| sports, rugby
|
| 66.104.175.44
| yourtripfinder.net
| https://web.archive.org/web/20101227002235/http://yourtripfinder.net/[2010]
| <English (language)>
|
| <CGI>
| travel
| comms not found, <CGI> from unarchived subpage assumed
| 66.104.175.45
| rollinsnetwork.com
| https://web.archive.org/web/20111129013633/http://rollinsnetwork.com/[2011]
| English
|
| https://web.archive.org/web/20111129013633/https://sslrollins.rollinsnetwork.com/cgi-bin/network.cgi[CGI]
| tech
| <CGI> linked to but not archived
| 66.104.175.46
| infosharenews.com
| https://web.archive.org/web/20110201161254/http://infosharenews.com/[2011]
| English
|
| https://web.archive.org/web/20110201161313/http://infosharenews.com/livenews.jar[JAR]
| news
|
| 66.104.175.47
| southasiaheadlines.com
| https://web.archive.org/web/20110208202345/http://southasiaheadlines.com/[2011]
| English
| Bangladesh, Bhutan, India, Maldives, Nepal, Pakistan, Sri Lanka, Tibet
| https://web.archive.org/web/20110208202345oe_/http://southasiaheadlines.com/news.jar[JAR]
| travel
| JAR linked to but missing from archive
| 66.104.175.48
| worlddispatch.net
| https://web.archive.org/web/20101231111512/http://worlddispatch.net/[2010]
| <Arabic>
|
| https://web.archive.org/web/20101231111653/http://worlddispatch.net/worlddispatch.swf[SWF]
| news
|
| 66.104.175.49
| webworldsports.com
| https://web.archive.org/web/20110207164105/http://webworldsports.com/[2011]
| <Arabic>
|
| https://web.archive.org/web/20110207164115/http://webworldsports.com/espeed.jar[JAR]
| sports
|
| 66.104.175.50
| fly-bybirdies.com
| https://web.archive.org/web/20110207201748/http://fly-bybirdies.com/[2011]
| English
|
| https://web.archive.org/web/20110207201833/http://fly-bybirdies.com/bwMeter.jar[JAR]
| travel
|
| 66.104.175.51
| businessexchangetoday.com
| https://web.archive.org/web/20110128095141/http://businessexchangetoday.com/[2011]
| English
|
| https://web.archive.org/web/20130904185542/https://www.businessexchangetoday.com/cgi-bin/business.cgi[CGI]
| news, finance
| PHP pages
| 66.104.175.52
| mensajeradenoticias.com
| https://web.archive.org/web/20110128210532/http://mensajeradenoticias.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110128210532/https://secure.mensajeradenoticias.com/cgi-bin/noticias.cgi[CGI]
| news
| <CGI> unarchived
| 66.104.175.53
| info-ology.net
| https://web.archive.org/web/20101225180538/http://info-ology.net/[2010]
| English
|
| https://web.archive.org/web/20101225180654/http://info-ology.net/dynamic.jar[JAR]
| news
|
| 66.104.175.54
| marketflows.net
| https://web.archive.org/web/20110106142526/http://marketflows.net/[2011]
| English
|
| https://web.archive.org/web/20110106142544/http://marketflows.net/forecast.jar[JAR]
| finance
|
| 66.104.175.57
| metanewsdaily.com
| https://web.archive.org/web/20100516234310/http://metanewsdaily.com/[2010]
| English
|
| https://web.archive.org/web/20100516234310/https://members.metanewsdaily.com/cgi-bin/ABC.cgi[CGI]
| news
|
| 66.175.106.134
| paddlescoop.com
| https://web.archive.org/web/20110203030231/http://paddlescoop.com/[2011]
| <English (language)>
| Bangladesh, Pakistan, India, England
| https://web.archive.org/web/20110203030313/http://paddlescoop.com/scoopmeter.jar[JAR]
| sports, cricket
|
| 66.175.106.137
| kessingerssportsnews.com
| https://web.archive.org/web/20100520013854/http://www.kessingerssportsnews.com/[2010]
| <English (language)>
|
| https://web.archive.org/web/20110208111125/http://kessingerssportsnews.com/football.js[JS]
| sports
|
| 66.175.106.138
| factorforcenews.com
| https://web.archive.org/web/20090622075311/http://factorforcenews.com/[2009]
| <English (language)>
|
| https://web.archive.org/web/20110202125321/http://factorforcenews.com/factorspeed.jar[JAR]
| news
|
| 66.175.106.142
| kanata-news.com
| https://web.archive.org/web/20100512125752/http://kanata-news.com/[2010]
| <English (language)>
| <Canada>
| https://web.archive.org/web/20100512125808/http://kanata-news.com/feeds.js[JS]
| news
| "Kanata" is https://en.wikipedia.org/wiki/Kanata,_Ontario[a place in Ottawa, Canada]. The name is likely of Indigenous origin.
| 66.175.106.143
| thecricketfan.com
| https://web.archive.org/web/20110202124357/http://thecricketfan.com/[2011]
| <English (language)>
|
| https://web.archive.org/web/20110202124437/http://thecricketfan.com/Sports.jar[JAR]
| news
|
| 66.175.106.146
| inews-today.com
| https://web.archive.org/web/20110125190345/http://inews-today.com/[2011]
| English
| Egypt
| https://web.archive.org/web/20110201140115/http://inews-today.com/headlines.jar[JAR]
| news
| Marked copyright 2008
| 66.175.106.147
| starwarsweb.net
| https://web.archive.org/web/20101230033220/http://starwarsweb.net/[2010]
| <English (language)>
|
| https://web.archive.org/web/20101230033642/http://starwarsweb.net/starwarsweb.swf[SWF]
| fansite
| well, not even the <CIA> can escape <Star Wars>. TODO identify boy.
| 66.175.106.148
| activegaminginfo.com
| https://web.archive.org/web/20110208113503/http://activegaminginfo.com/[2011]
| <Chinese (language)>
|
| https://web.archive.org/web/20110202130304/http://activegaminginfo.com/gaming.jar[JAR]
| gaming
| the website is entitled "活跃游戏" which means "Lively games", or "active games" as in the domain name itself
| 66.175.106.149
| feedsdemexicoyelmundo.com
| https://web.archive.org/web/20110202190838/http://feedsdemexicoyelmundo.com/[2011]
| <Spanish (language)>
| <Mexico>
| https://web.archive.org/web/20110202190932/http://feedsdemexicoyelmundo.com/mundo.js[JS]
| news
|
| 66.175.106.150
| noticiasmusica.net
| https://web.archive.org/web/20101230165001/http://noticiasmusica.net/[2010]
| <Brazilian Portuguese>
| <Brazil>
| https://web.archive.org/web/20111018000000*/http://noticiasmusica.net/musica.jar[JAR]
| music
|
| 66.175.106.155
| atomworldnews.com
| https://web.archive.org/web/20110128153629/http://atomworldnews.com/[2011]
| <English (language)>
| Egypt
| https://web.archive.org/web/20110128153721/http://atomworldnews.com/world.jar[JAR]
| news
|
| 66.175.106.158
| nouvellesetdesrapports.com
| https://web.archive.org/web/20110128173433/http://nouvellesetdesrapports.com/[2011]
| <French (language)>
| Egypt, Tunisia
| https://web.archive.org/web/20110128173448/http://nouvellesetdesrapports.com/nouvelles.jar[JAR]
| news
|
| 66.237.236.227
| newsandmusicminute.com
| https://web.archive.org/web/20110208063145/http://newsandmusicminute.com/[2011]
| Pashto
|
| https://web.archive.org/web/20110208063319/http://newsandmusicminute.com/sonybmg.js[JS]
| music
|
| 66.237.236.229
| pearls-playlist.com
| https://web.archive.org/web/20110207154832/http://pearls-playlist.com/[2011]
| English
|
| https://web.archive.org/web/20110207155014/http://pearls-playlist.com/pearls-playlist.swf[SWF]
| music
|
| 66.237.236.230
| beyondthefringe.info
| https://web.archive.org/web/20120713013325/http://beyondthefringe.info/[2012]
| English
|
| https://web.archive.org/web/20120713013325oe_/http://beyondthefringe.info/bandwidth.jar[JAR]
| rugs
| JAR unarchived
| 66.237.236.231
| primetimemovies.net
| https://web.archive.org/web/20090830175246/http://www.primetimemovies.net/[2009]
| English
|
| https://web.archive.org//web/20090830175246js_/http://www.primetimemovies.net/primetime.js[JS]
| films
| JS unarchived
| 66.237.236.235
| persephneintl.com
| https://web.archive.org/web/20130620032026/http://persephneintl.com/[2013]
|
|
| https://web.archive.org//web/20130620032026oe_/http://persephneintl.com/business.jar[JAR]
|
| archive very broken, JAR unarchived. Full title: "https://en.wikipedia.org/wiki/Persephone[Persephne] International", reference to Greek Goddess of "spring, the dead, the underworld, grain, and nature"
| 66.237.236.236
| directoalgrano.net
| https://web.archive.org/web/20101222141002/http://directoalgrano.net/[2010]
| Spanish
|
| https://web.archive.org/web/20101222141101js_/http://directoalgrano.net/protect.js[JS]
| news
|
| 66.237.236.240
| actualizaciondebeisbol.com
| https://web.archive.org/web/20110202133754/http://actualizaciondebeisbol.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110202135654/http://actualizaciondebeisbol.com/baseball.js[JS]
| sports, baseball
|
| 66.237.236.243
| mygadgettech.com
| https://web.archive.org/web/20091229181141/http://www.mygadgettech.com/[2009]
| Chinese
|
| https://web.archive.org/web/20091229181141/https://secure.mygadgettech.com/cgi-bin/hurry.cgi[CGI]
| tech
| Archive very broken
| 66.237.236.247
| comunidaddenoticias.com
| https://web.archive.org/web/20110207183409/http://comunidaddenoticias.com/[2011]
| Spanish
| Ecuador
| https://web.archive.org/web/20110207183421/http://comunidaddenoticias.com/quito.jar[JAR]
| news
|
| 66.237.236.249
| sumerjaseahora.com
| https://web.archive.org/web/20110128091410/http://sumerjaseahora.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110128091410/https://buceo.sumerjaseahora.com/cgi-bin/oceano.cgi[CGI]
| sports, SCUBA diving
| Domain name means "submerge yourself now" in Spanish
| 69.84.156.69
| al-ashak-news-me.com
| https://web.archive.org/web/20110203003800/http://al-ashak-news-me.com/[2011]
| <Arabic>
|
| https://web.archive.org/web/20110203003835/http://al-ashak-news-me.com/ashak.js[JS]
| news
|
| 69.84.156.71
| worldfinancetoday.net
| https://web.archive.org/web/20110107091638/http://worldfinancetoday.net/[2011]
| English
|
| https://web.archive.org/web/20131126235054*/http://worldfinancetoday.net/slides.jar[JAR]
| finance
|
| 69.84.156.72
| autonewsarabia.com
| https://web.archive.org/web/20110128213808/http://autonewsarabia.com/[2011]
| <Arabic>
|
| https://web.archive.org/web/20110128213858/http://autonewsarabia.com/vehicle.jar[JAR]
| cars
|
| 69.84.156.74
| blue-moon-news.com
| https://web.archive.org/web/20110208031050/http://blue-moon-news.com/[2011]
| <Arabic>
|
| https://web.archive.org/web/20110208031127js_/http://blue-moon-news.com/video.js[JS]
| news
|
| 69.84.156.76
| tnc-urdu.com
| https://web.archive.org/web/20110211230208/http://tnc-urdu.com/[2011]
| Urdu
|
| https://web.archive.org/web/20110211230248/http://tnc-urdu.com/bmeterplus.jar[JAR]
| tech
| TODO meaning of "tnc"?
| 69.84.156.82
| arabicnewsonline.com
| https://web.archive.org/web/20110210072414/http://arabicnewsonline.com/[2011]
| Arabic
|
| https://web.archive.org/web/20110210072451/http://arabicnewsonline.com/news.jar[JAR]
| news
| https://viewdns.info/iphistory/?domain=arabicnewsonline.com[rdns source]. Some very similar domains: modernarabicnews.com, arabicnewsource.com. Needed more creativity here! https://web.archive.org/web/20150801011018/http://arabicnewsonline.com/[Later legit].
| 69.84.156.83
| unganadormundial.com
| https://web.archive.org/web/20101216065827/http://www.unganadormundial.com/[2010]
| Spanish
|
| https://web.archive.org/web/20101216065827/https://ssl.unganadormundial.com/cgi-bin/login.cgi[CGI]
| sports, fitness
|
| 69.84.156.88
| diariodeelmundo.com
| https://web.archive.org/web/20110202172126/http://diariodeelmundo.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110202172130/http://diariodeelmundo.com/latin.jar[JAR]
| news
|
| 69.84.156.89
| todaysarabnews.com
| https://web.archive.org/web/20110208225630/http://www.todaysarabnews.com/[2011]
| Arabic
|
| https://web.archive.org//web/20110208225630oe_/http://www.todaysarabnews.com/news.jar[JAR]
| news
| JAR unarchived.
| 69.84.156.90
| stickshiftnews.com
| https://web.archive.org/web/20110207232048/http://stickshiftnews.com/[2011]
| English
|
| https://web.archive.org/web/20110207232246/http://stickshiftnews.com/news.jar[JAR]
| cars
|
| 69.84.156.91
| theinternationalgoal.com
| https://web.archive.org/web/20110202183050/http://theinternationalgoal.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110202183050/https://secure.theinternationalgoal.com/cgi-bin/history.cgi[CGI]
| news
|
| 72.34.53.174
| electronictechreviews.com
| https://web.archive.org/web/20110128093921/http://electronictechreviews.com/[2011]
| English
|
| https://web.archive.org/web/20110128093921oe_/http://electronictechreviews.com/application.jar[JAR]
| tech
| JAR unarchived. Split images, `rss-items`. Present at <"Mass Deface III" pastebin>.
| 72.34.53.174
| just-the-news.com
| https://web.archive.org/web/20110207141715/http://just-the-news.com/[2011]
| Arabic
|
| https://web.archive.org/web/20110207141715oe_/http://just-the-news.com/trade.jar[JAR]
| news
| copyright 2009. Present at <"Mass Deface III" pastebin>. JAR unarchived.
| 72.34.53.174
| kickitnews.com
| https://web.archive.org/web/20100512232528/http://kickitnews.com/[2010]
| Arabic
|
| https://web.archive.org/web/20100512232633/http://kickitnews.com/team.jar[JAR]
| sports, football
| copyright 2009. Present at <"Mass Deface III" pastebin>.
| 72.34.53.174
| moyistochnikonlaynovykhigr.com
| https://web.archive.org/web/20110203002455/http://moyistochnikonlaynovykhigr.com/[2011]
| Russian
| Russia
|
| fansite
| copy of myonlinegamesource.com, but on a Russian transliterated domain rather than the English one, very interesting
| 72.34.53.174
| myhealthlibrary.net
| https://web.archive.org/web/20111015023508/http://www.myhealthlibrary.net/[2011]
| English
|
| https://web.archive.org/web/20111015023541/http://www.myhealthlibrary.net/dose.jar[JAR]
| health
| present at: <"Mass Deface III" pastebin>.
| 72.34.53.174
| myonlinegamesource.com
| https://web.archive.org/web/20110209004241/http://myonlinegamesource.com/[2011]
| Russian
| Russia
|
| gaming
| Can't find comms, but stylistically perfect. `rss-items`. Present at <"Mass Deface III" pastebin>.
| 72.34.53.174
| mytravelopian.com
| https://web.archive.org/web/20110210072929/http://mytravelopian.com/[2011]
| English
|
| https://web.archive.org/web/20110210073221/http://mytravelopian.com/explore.jar[JAR]
| travel
|
| 72.34.53.174
| recursosdenoticias.com
| https://web.archive.org/web/20110202124725/http://recursosdenoticias.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110202124753/http://recursosdenoticias.com/banco.jar[JAR]
| news
| Split images, `rss-items`. Present at <"Mass Deface III" pastebin>.
| 72.34.53.174
| sayaara-auto.com
| https://web.archive.org/web/20100802040339/http://www.sayaara-auto.com/[2010]
| Arabic
|
| https://web.archive.org/web/20110128163016/http://sayaara-auto.com/ferrari.jar[JAR]
| cars
|
| 72.34.53.174
| technologytodayandtomorrow.com
| https://web.archive.org/web/20110201213000/http://technologytodayandtomorrow.com/[2011]
| English
|
| https://web.archive.org/web/20110201213207/http://technologytodayandtomorrow.com/bluray.jar[JAR]
| tech
| `rss-items`. Present at <"Mass Deface III" pastebin>.
| 72.34.53.174
| todaysnewsandweather-ru.com
| https://web.archive.org/web/20110207094714/http://todaysnewsandweather-ru.com/[2011]
| Russian
| Russia
| https://web.archive.org/web/20110207094735/http://todaysnewsandweather-ru.com/blacksea.js[JS]
| news
| <JavaScript with SHAs>
| 74.116.72.227
| dayenews.com
| https://web.archive.org/web/20110202024036/http://dayenews.com/[2011]
| English
|
| https://web.archive.org/web/20110202024052/http://dayenews.com/global.jar[JAR]
| news
| https://web.archive.org/web/20141216225008/http://dayenews.com/[rdns source]. Previously 69.74.45.67.
| 74.116.72.229
| guide-daventure.com
| https://web.archive.org/web/20110203080503/http://guide-daventure.com/[2011]
| French
| France
| https://web.archive.org/web/20110203080532/http://guide-daventure.com/touristiques.jar[JAR]
| travel
|
| 74.116.72.231
| bleachersfootballnews.com
| https://web.archive.org/web/20110207225452/http://bleachersfootballnews.com/[2011]
| English
|
| https://web.archive.org/web/20110207225524/http://bleachersfootballnews.com/football.jar[JAR]
| sports, football
| TODO meaning of "Bleacher"? Possible reference to https://en.wikipedia.org/wiki/Bleacher_Report[Bleacher Report].
| 74.116.72.232
| indirectfreekick.com
| https://web.archive.org/web/20110201123025/http://indirectfreekick.com/[2011]
| English
|
| https://web.archive.org/web/20110201123244/http://indirectfreekick.com/soccer.jar[JAR]
| sports, <football>
|
| 74.116.72.233
| wwiichronicles.net
| https://web.archive.org/web/20110107092233/http://wwiichronicles.net/[2011]
| English
|
| https://web.archive.org/web/20110107092233/https://alliedforces.wwiichronicles.net/cgi-bin/honor.cgi[CGI]
| history
|
| 74.116.72.234
| petroleumagenews.com
| https://web.archive.org/web/20110119001925/http://petroleumagenews.com/[2011]
| English
|
| https://web.archive.org/web/20110208043653/http://petroleumagenews.com/metered.jar[JAR]
| oil
|
| 74.116.72.235
| the-open-book-online.com
| https://web.archive.org/web/20110202225251/http://the-open-book-online.com/[2011]
| English
|
| https://web.archive.org/web/20110202225254js_/http://the-open-book-online.com/breaking.js[JS]
| literature
|
| 74.116.72.236
| techtopnews.com
| https://web.archive.org/web/20110201215658/http://techtopnews.com/[2011]
| English
|
| https://web.archive.org/web/20110201215739/http://techtopnews.com/spam.jar[JAR]
| tech
|
| 74.116.72.239
| crickettoday.info
| https://web.archive.org/web/20130530183606/http://crickettoday.info/[2013]
| Pashto
|
| https://web.archive.org/web/20130530183606js_/http://crickettoday.info/cricket.js[JS]
| sports, cricket
| JS unarchived. The requested URL /cricket.js was not found on this server
| 74.116.72.240
| zafernews.com
| https://web.archive.org/web/20110209030855/http://zafernews.com/[2011]
| Arabic
|
| https://web.archive.org/web/20110209030931/http://zafernews.com/banner.jar[JAR]
| news
|
| 74.116.72.242
| gdgtsource.com
| https://web.archive.org/web/20110128095039/http://gdgtsource.com/[2011]
| English
|
| https://web.archive.org/web/20110128095039/https://secure.gdgtsource.com/cgi-bin/hd.cgi[CGI]
| tech
| Presumably "gdgt" stands for "GaDGeT", which is mentioned in the subtitle
| 74.116.72.246
| vuvuzelanews.com
| https://web.archive.org/web/20110202193351/http://vuvuzelanews.com/[2011]
| English
|
| https://web.archive.org/web/20110202193354/http://vuvuzelanews.com/vuvuzela.jar[JAR]
| sports, football
| Vuvuzela is https://en.wikipedia.org/wiki/Vuvuzela[this plastic horn], popular in football stadiums. The term is of African origin. https://web.archive.org/web/20160112194950/http://vuvuzelanews.com/[Later legit]. https://viewdns.info/iphistory/?domain=vuvuzelanews.com[rdns source]. Previously at 69.74.45.86.
| 74.116.72.247
| ballbatstumpsandbails.com
| https://web.archive.org/web/20110202032813/http://ballbatstumpsandbails.com/[2011]
| English
|
| https://web.archive.org/web/20130807082401*/http://ballbatstumpsandbails.com/bails.jar[JAR]
| sports, cricket
|
| 74.116.72.249
| round-trip-travel.com
| https://web.archive.org/web/20100925201848/http://www.round-trip-travel.com/[2010]
| English
|
| https://web.archive.org/web/20100925201848/https://trip.round-trip-travel.com/cgi-bin/hotels.cgi[CGI]
| travel
| this got archived a lot of times, though all seem to be Alexa crawls.
| 74.116.72.250
| arabicnewsource.com
| https://web.archive.org/web/20110210072414/http://arabicnewsource.com/[2011]
| Arabic
|
| https://web.archive.org/web/20110210072414/https://ssl.arabicnewsource.com/cgi-bin/face.cgi[CGI]
| news
|
| 74.254.12.163
| half-court.net
| https://web.archive.org/web/20101229100006/http://half-court.net/[2010]
| English
| Philippines
| https://web.archive.org/web/20101229100220/http://half-court.net/basket.jar[JAR]
| sports, basketball
|
| 74.254.12.164
| dailywellnessnews.com
| https://web.archive.org/web/20110201114414/http://dailywellnessnews.com/[2011]
| English
|
| https://web.archive.org/web/20110201114454/http://dailywellnessnews.com/wellness.jar[JAR]
| health
| https://dnshistory.org/historical-dns-records/a/dailywellnessnews.com[rdns source]. split imageshttps://web.archive.org/web/20110201114616/http://dailywellnessnews.com/images/bann-1.jpg{ref}https://web.archive.org/web/20110201114656/http://dailywellnessnews.com/images/bann-2.jpg{ref}.
| 74.254.12.165
| dylandon.net
| https://web.archive.org/web/20110106021052/http://dylandon.net/[2011]
| Chinese
|
| https://web.archive.org/web/20110106023855/http://dylandon.net/dylandon.swf[SWF]
| music
| "Dylan" presumably a reference to https://en.wikipedia.org/wiki/Bob_Dylan[Bob Dylan]? "Don" unclear. Maybe https://en.wikipedia.org/wiki/Don_McLean[Don McLean]?
| 74.254.12.166
| afghanpoetry.net
| https://web.archive.org/web/20101229104343/http://afghanpoetry.net/[2010]
| English
| Afghanistan
| https://web.archive.org/web/20111014012657*/http://afghanpoetry.net/afghanpoetry.swf[SWF]
| poetry
| Also at 63.131.229.10https://viewdns.info/iphistory/?domain=afghanpoetry.net{ref} in a range.
| 74.254.12.168
| non-stop-news.net
| https://web.archive.org/web/20101229190923/http://non-stop-news.net/[2010]
| Farsi
|
| https://web.archive.org/web/20111024200944*/http://non-stop-news.net/world.jar[JAR]
| news
|
| 74.254.12.169
| soldiersofsouthasia.com
| https://web.archive.org/web/20110207203640/http://soldiersofsouthasia.com/[2011]
| English
|
| https://web.archive.org/web/20110207203807/http://soldiersofsouthasia.com/war.jar[JAR]
| history
|
| 74.254.12.171
| autism-news.org
| https://web.archive.org/web/20110624175332/http://autism-news.org/[2011]
| English
|
| https://web.archive.org/web/20110624175425/http://autism-news.org/autism-news.swf[SWF]
| health
| copyright 2007. Split images. `rss-items`. Previously at 69.74.45.67.
| 74.254.12.176
| pakcricketgrd.com
| https://web.archive.org/web/20110203101410/http://pakcricketgrd.com/[2011]
| Urdu
|
| https://web.archive.org/web/20110203101539/http://pakcricketgrd.com/places.jar[JAR]
| sports, cricket
| TODO meaning of "grd"
| 74.254.12.177
| networkofnews.com
| https://web.archive.org/web/20110208005050/http://networkofnews.com/[2011]
| English
|
| https://web.archive.org/web/20110208005302/http://networkofnews.com/nework.jar[JAR]
| news
| https://dnshistory.org/historical-dns-records/a/networkofnews.com[rdns source]. https://web.archive.org/web/20140517163244/http://networkofnews.com/[Later legit].
| 74.254.12.179
| wineconnaisseur.net
| https://web.archive.org/web/20101230072458/http://wineconnaisseur.net/[2010]
| English
|
| https://web.archive.org/web/20101230072512/http://wineconnaisseur.net/catavino.js[JS]
| wine
|
| 74.254.12.180
| helpinghandssite.com
| https://web.archive.org/web/20110208042144/http://helpinghandssite.com/[2011]
| English
|
| https://web.archive.org/web/20110208042200/http://helpinghandssite.com/globalization.jar[JAR]
| news
|
| 74.254.12.188
| first-tee-golf.com
| https://web.archive.org/web/20110203073359/http://first-tee-golf.com/[2011]
| English
|
| https://web.archive.org/web/20110203073503/http://first-tee-golf.com/golf.jar[JAR]
| sports, golf
|
| 74.254.12.189
| fabu-foto.com
| https://web.archive.org/web/20110203073359/http://first-tee-golf.com/[2011]
| English
|
| https://web.archive.org/web/20110202114501/https://secure.fabu-foto.com/cgi-bin/photos.cgi[CGI]
| <photography>
|
| 74.254.12.190
| viptravelabroad.com
| https://web.archive.org/web/20110202122211/http://viptravelabroad.com/[2011]
| English
|
| https://web.archive.org/web/20110202122218/http://viptravelabroad.com/getaway.js[JS]
| travel
|
| 199.85.212.105
| mide-news.com
| https://web.archive.org/web/20100517071454/http://mide-news.com/[2010]
| English
|
| https://web.archive.org/web/20100517071454/http://mide-news.com/login.html[CGI]
| news
| "MIDE" stands for "Middle East". Comms not archived, presumably <CGI comms variant>.
| 199.85.212.111
| newsandsportscentral.com
| https://web.archive.org/web/20091209022552/http://newsandsportscentral.com/[2009]
| English
|
| https://web.archive.org/web/20110208063333/http://newsandsportscentral.com/International.jar[JAR]
| news
| https://dnshistory.org/historical-dns-records/a/newsandsportscentral.com[rdns source]
| 199.85.212.118
| just-kidding-news.com
| https://web.archive.org/web/20110207134507/http://just-kidding-news.com/[2011]
| English
|
| https://web.archive.org/web/20120126091116*/http://just-kidding-news.com/jokes.jar[JAR]
| news
| epic name
| 204.176.38.130
| i-pressnews.com
| https://web.archive.org/web/20110202090103/http://i-pressnews.com/[2011]
| English
|
| https://web.archive.org/web/20110202090114/http://i-pressnews.com/news.jar[JAR]
| news
|
| 204.176.38.132
| turkishnewslinks.com
| https://web.archive.org/web/20110129021514/http://turkishnewslinks.com/[2011]
| English
| Turkey
| https://web.archive.org/web/20110129021654/http://turkishnewslinks.com/feeds.jar[JAR]
| news
|
| 204.176.38.134
| photographyarecord.com
| https://web.archive.org/web/20110209013705/http://photographyarecord.com/[2011]
| English
|
| https://web.archive.org/web/20110209013705/https://ssl.photographyarecord.com/cgi-bin/front.cgi[CGI]
| <photography>
| Cute
| 204.176.38.135
| breakingthewicket.com
| https://web.archive.org/web/20110207221841/http://breakingthewicket.com/[2011]
| English
|
| https://web.archive.org/web/20110207221841/https://ssl.breakingthewicket.com/cgi-bin/cricket.cgi[CGI]
| sports, cricket
|
| 204.176.38.136
| politicalworldtoday.com
| https://web.archive.org/web/20110208065647/http://politicalworldtoday.com/[2011]
| English
| Egypt
| https://web.archive.org/web/20110208065808/http://politicalworldtoday.com/meterbw.jar[JAR]
| news
|
| 204.176.38.137
| hi-tech-today.com
| https://web.archive.org/web/20110208145755/http://hi-tech-today.com/[2011]
| English
|
| https://web.archive.org/web/20110208145850/http://hi-tech-today.com/technews.jar[JAR]
| tech
|
| 204.176.38.139
| bigscreenbattles.com
| https://web.archive.org/web/20110207105312/http://bigscreenbattles.com/[2011]
| English
|
| https://web.archive.org/web/20110207105537/http://bigscreenbattles.com/film.js[JS]
| films
|
| 204.176.38.141
| rakotafootball.com
| https://web.archive.org/web/20110202083336/http://rakotafootball.com/[2011]
| English
|
| https://web.archive.org/web/20110202083428/http://rakotafootball.com/ball.jar[JAR]
| sports, <football>
| "Rakota" is an Indian family name
| 204.176.38.143
| noticiassofisticadas.com
| https://web.archive.org/web/20110128170459/http://noticiassofisticadas.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110128170459/https://secure.noticiassofisticadas.com/cgi-bin/login.cgi[CGI]
| news
|
| 204.176.38.142
| senderosdemontana.com
| https://web.archive.org/web/20110201100157/http://senderosdemontana.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110201100157js_/http://senderosdemontana.com/biking.js[JS]
| sports, cycling
| Talks about mountain biking and https://en.wikipedia.org/wiki/Eurobike[Eurobike 2010], so likely <Spain> focused, but it is not direct enough to be certain. JS unarchived.
| 204.176.38.144
| techno-today.com
| https://web.archive.org/web/20110201213703/http://techno-today.com/[2011]
| English
|
| https://web.archive.org/web/20110201213839/http://techno-today.com/bmeter.jar[JAR]
| tech
| was legit previously.
| 204.176.38.145
| tickettonews.com
| https://web.archive.org/web/20110210205230/http://tickettonews.com/[2011]
| English
|
| https://web.archive.org/web/20110210205447/http://tickettonews.com/ticket.jar[JAR]
| news
| https://viewdns.info/iphistory/?domain=tickettonews.com[rdns source]. <Epoch Times> link.
| 204.176.38.146
| dps-digitalphotosharing.com
| https://web.archive.org/web/20110207233359/http://dps-digitalphotosharing.com/[2011]
| English
|
| https://web.archive.org/web/20110207233427/http://dps-digitalphotosharing.com/photography.jar[JAR]
| <photography>
|
| 204.176.38.147
| theputtingreen.com
| https://web.archive.org/web/20110207104535/http://theputtingreen.com/[2011]
| English
|
| https://web.archive.org/web/20110207104855/http://theputtingreen.com/tee.jar[JAR]
| sports, golf
|
| 204.176.38.149
| sportsnewstodayar.com
| https://web.archive.org/web/20110210131921/http://sportsnewstodayar.com/[2011]
| Arabic
| Lebanon, others
| https://web.archive.org/web/20110210132114/http://sportsnewstodayar.com/news.jar[JAR]
| sports
| "ar" on domain name presumably means "Arabic"
| 204.176.38.159
| kairuafricanews.com
| https://web.archive.org/web/20110207183512/http://kairuafricanews.com/[2011]
| English
| Africa
| https://web.archive.org/web/20110207183707/http://kairuafricanews.com/health.jar[JAR]
| news
| what is "Kairu"? https://en.wikipedia.org/wiki/Kairu a place in India? https://en.wiktionary.org/wiki/kairu "frog" in Japanese? https://viewdns.info/iphistory/?domain=kairuafricanews.com[rdns source]
| 204.176.39.97
| beamingnews.com
| https://web.archive.org/web/20110202092126/http://beamingnews.com/[2011]
| Arabic
|
| https://web.archive.org/web/20110202092214/http://beamingnews.com/beamingnews.jar[JAR]
| news
| Nice design. https://viewdns.info/iphistory/?domain=beamingnews.com[rdns source]
| 204.176.39.98
| cubriendonoticias.com
| https://web.archive.org/web/20110930125207/http://www.cubriendonoticias.com/[2011]
| Spanish
|
| https://web.archive.org/web/20120627023603oe_/http://www.cubriendonoticias.com/cubriendo.jar[JAR]
| news
| archive quite broken. JAR unarchived.
| 204.176.39.100
| rowleyworldpost.com
| https://web.archive.org/web/20110207112009/http://rowleyworldpost.com/[2011]
| English
| Egypt, others
| https://web.archive.org/web/20110207112131/http://rowleyworldpost.com/news.jar[JAR]
| news
|
| 204.176.39.103
| economicnewsbuzz.com
| https://web.archive.org/web/20110207210053/http://economicnewsbuzz.com/[2011]
| Korean
|
| https://web.archive.org/web/20110207210053/https://securessl.economicnewsbuzz.com/cgi-bin/economy.cgi[CGI]
| finance
| Love the https://en.wikipedia.org/wiki/Kawaii[kawaii] style
| 204.176.39.104
| spectranewsonline.com
| https://web.archive.org/web/20110209191424/http://spectranewsonline.com/[2011]
| English
|
| https://web.archive.org/web/20110209191424/https://secure.spectranewsonline.com/cgi-bin/health.cgi[CGI]
| news
| marked copyright 2010.
| 204.176.39.105
| entertainmentnewscompany.com
| https://web.archive.org/web/20110128211352/http://entertainmentnewscompany.com/[2011]
| Chinese
|
| https://web.archive.org/web/20110128211745/http://entertainmentnewscompany.com/entertainmentnewscompany.swf[SWF]
| films, music
| Title: "娱乐新闻公司", lit. Entertainment News Company
| 204.176.39.110
| arabnewsatdawn.com
| https://web.archive.org/web/20110210072653/http://arabnewsatdawn.com/[2011]
| Arabic
|
| https://web.archive.org/web/20110210072653/https://secure.arabnewsatdawn.com/cgi-bin/economy.cgi[CGI]
| news
| cute, the Arab chick's drink actually has a https://en.wikipedia.org/wiki/Cocktail_umbrella[cocktail umbrella] on it. Marked copyright 2010.
| 204.176.39.115
| globalprovincesnews.com
| https://web.archive.org/web/20100922120314/http://globalprovincesnews.com/[2010]
| <Arabic>
|
| https://web.archive.org/web/20110129014709/http://globalprovincesnews.com/stories.js[JS]
| news
|
| 204.176.39.116
| mahparah-news.com
| https://web.archive.org/web/20110207110845/http://mahparah-news.com/[2011]
| Farsi
|
| https://web.archive.org/web/20110207111012/http://mahparah-news.com/mahparah.js[JS]
| news
|
| 204.176.39.119
| commercialspacedesign.com
| https://web.archive.org/web/20130601124159/http://commercialspacedesign.com/[2013]
| Farsi
|
| https://web.archive.org/web/20130601124159/https://secure.commercialspacedesign.com/cgi-bin/login.cgi[CGI]
| architecture
| C O N C E P T U A L design. A rare example of a fake company website.
| 207.210.250.131
| starrynightnews.com
| https://web.archive.org/web/20110207161542/http://starrynightnews.com/[2011]
| Arabic
|
| https://web.archive.org/web/20110207161737/http://starrynightnews.com/snn.js[JS]
| news
| interesting design
| 207.210.250.132
| aeronet-news.com
| https://web.archive.org/web/20110202122448/http://aeronet-news.com/[2011]
| English
|
| https://web.archive.org/web/20110202122601/http://aeronet-news.com/aeronet.jar[JAR]
| airplanes
|
| 207.210.250.133
| bakaribulletin.com
| https://web.archive.org/web/20110202002749/http://bakaribulletin.com/[2011]
| English
| Africa
| https://web.archive.org/web/20110202003037/http://bakaribulletin.com/africa.js[JS]
| news
| Bakari could either be a https://en.wikipedia.org/wiki/Bakari_(name)[given name], or a https://en.wikipedia.org/wiki/Bakari,_Togo[village in Togo]
| 207.210.250.134
| deprensaenlarevisiondehoy.com
| https://web.archive.org/web/20110202101620/http://deprensaenlarevisiondehoy.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110202101825/http://deprensaenlarevisiondehoy.com/deprensaen.jar[JAR]
| news
|
| 207.210.250.135
| icwb-news.com
| https://web.archive.org/web/20110129161937/http://icwb-news.com/[2011]
| English
|
| https://web.archive.org/web/20110129162009/http://icwb-news.com/ad.jar[JAR]
| news
| ICWB stands for "Inner Circle Worldwide Business (News)", the title of the website
| 207.210.250.136
| sportsreelhighlights.com
| https://web.archive.org/web/20110210140913/http://sportsreelhighlights.com/[2011]
| English
|
| https://web.archive.org/web/20110210141405/http://sportsreelhighlights.com/fanmeter.jar[JAR]
| sports
|
| 207.210.250.138
| inquiry-human-past.com
| https://web.archive.org/web/20110201203700/http://inquiry-human-past.com/[2011]
| English
|
| https://web.archive.org/web/20110201203856/http://inquiry-human-past.com/meter.jar[JAR]
| history
|
| 207.210.250.139
| thefairwaysaregreen.com
| https://web.archive.org/web/20110202143130/http://thefairwaysaregreen.com/[2011]
| Thai
|
| https://web.archive.org/web/20110202143230/http://thefairwaysaregreen.com/fairway.jar[JAR]
| sports, golf
|
| 207.210.250.143
| archaeologyreview.net
| https://web.archive.org/web/20101229120831/http://archaeologyreview.net/[2010]
| English
|
| https://web.archive.org/web/20101229120902/http://archaeologyreview.net/archaeology.jar[JAR]
| history, archeology
|
| 207.210.250.146
| noticias-caracas.com
| https://web.archive.org/web/20110617150828/http://www.noticias-caracas.com/[2011]
| Spanish
| Venezuela
| https://web.archive.org/web/20110617150828/https://secure.noticias-caracas.com/cgi-bin/internacional.cgi[CGI]
| news
| Caracas is the capital of Venezuela. But you knew that, right?
| 207.210.250.147
| bailandstump.com
| https://web.archive.org/web/20110201231706/http://bailandstump.com/[2011]
| English
|
| https://web.archive.org/web/20110201231805/http://bailandstump.com/stump.js[JS]
| sports, cricket
| "Bail" and "Stump" are the two parts of the thing you're supposed to hit with the ball in cricket.https://en.wikipedia.org/wiki/Bail_(cricket){ref}
| 207.210.250.149
| globalventurestat.com
| https://web.archive.org/web/20080801075335/http://globalventurestat.com/[2008]
| English
|
| https://web.archive.org/web/20110201100307/http://globalventurestat.com/globalventuresfi.swf[SWF]
| news
|
| 207.210.250.152
| al-rashidrealestate.com
| https://web.archive.org/web/20101030144531/http://www.al-rashidrealestate.com/[2010]
| Arabic
| Egypt
| https://web.archive.org/web/20101030144531/https://secure.al-rashidrealestate.com/cgi-bin/realestate.cgi[CGI]
| finance, real-estate
|
| 207.210.250.153
| newsintheworld-ru.com
| https://web.archive.org/web/20110208064919/http://newsintheworld-ru.com/[2011]
| Russian
|
| https://web.archive.org/web/20110208065108/http://newsintheworld-ru.com/elections.jar[JAR]
| news
|
| 208.254.40.96
| sixty2media.com
| https://web.archive.org/web/20110202142712/http://sixty2media.com/[2011]
| <English (language)>
| Various
| https://web.archive.org/web/20110202142719/http://sixty2media.com/media.jar[JAR]
| news
| <Epoch Times> link
| 208.254.40.99
| newspoliticssource.com
| https://web.archive.org/web/20130614081953/http://newspoliticssource.com/[2013]
| <Arabic>
|
| http://web.archive.org/web/20110208070613/http://newspoliticssource.com/stories.jar[JAR]
| news
| One of the news mentions <Snowden>
| 208.254.40.110
| musical-fortune.net
| https://web.archive.org/web/20101230150750/http://musical-fortune.net/[2010]
| <English (language)>
|
| https://web.archive.org/web/20101230150750/https://backstage.musical-fortune.net/cgi-bin/backstage.cgi[CGI]
| music
| images `/images/banner-02.jpg`
| 208.254.40.113
| ashoka-gemstones.com
| https://web.archive.org/web/20100416203320/http://ashoka-gemstones.com/[2010]
| <English (language)>
|
| https://web.archive.org/web/20110128094545/http://ashoka-gemstones.com/gemstones.jar[JAR]
| jewelry
|
| 208.254.40.117
| worldnewsandent.com
| https://web.archive.org/web/20100508150250/http://www.worldnewsandent.com/[2010]
| <Arabic>
| Egypt
| https://web.archive.org/web/20100508150250/https://secure.worldnewsandent.com/cgi-bin/news.cgi[CGI]
| news
|
| 208.254.40.124
| riskandrewardnews.com
| https://web.archive.org/web/20130517005958/http://riskandrewardnews.com/[2013]
| <English (language)>
|
| https://web.archive.org/web/20130517005958/https://secure.riskandrewardnews.com/cgi-bin/worldwide.cgi[CGI]
| finance
|
| 208.254.42.194
| it-proonline.com
| https://web.archive.org/web/20110202132621/http://it-proonline.com/[2011]
| English
|
| https://web.archive.org/web/20110202132621/https://members.it-proonline.com/cgi-bin/members.cgi[CGI]
| tech
| images `/images/header_01.jpg`
| 208.254.42.205
| driversinternationalgolf.com
| https://web.archive.org/web/20110208161107/http://driversinternationalgolf.com/[2011]
| English
|
| https://web.archive.org/web/20110208161107/https://secure.driversinternationalgolf.com/cgi-bin/drivers.cgi[CGI]
| sports, golf
|
| 208.254.42.209
| mardelsurnoticias.com
| https://web.archive.org/web/20110207222816/http://mardelsurnoticias.com/[2011]
| Spanish
|
| https://web.archive.org/web/20100515194953/http://mardelsurnoticias.com/imgrotate.jar[JAR]
| news
| weird mixture of Portuguese and Spanish language external links
| 208.254.42.215
| nowfreshfinances.com
| https://web.archive.org/web/20110128181923/http://nowfreshfinances.com/[2011]
| English
|
| https://web.archive.org/web/20110128181923/https://secure.nowfreshfinances.com/cgi-bin/finances.cgi[CGI]
| finance
| <CGI> unarchived
| 208.254.42.216
| circulatingnews.net
| https://web.archive.org/web/20101222125807/http://circulatingnews.net/[2010]
| English
|
| https://web.archive.org/web/20110108103025*/http://circulatingnews.net/weather.jar[JAR]
| travel
|
| 208.254.42.219
| westingtonpassnews.com
| https://web.archive.org/web/20110207225054/http://westingtonpassnews.com/[2011]
| English
|
| https://web.archive.org/web/20110207225119/http://westingtonpassnews.com/meter.jar[JAR]
| news
|
| 210.80.75.36
| e-commodities.net
| https://web.archive.org/web/20110106021312/http://e-commodities.net/[2011]
| English
|
| https://web.archive.org/web/20110106021407/http://e-commodities.net/Trading.jar[JAR]
| finance
|
| 210.80.75.37
| trekkingtoday.com
| https://web.archive.org/web/20110208080402/http://trekkingtoday.com/[2011]
| English
|
| https://web.archive.org/web/20110208080839/http://trekkingtoday.com/compass.jar[JAR]
| sports, running
| split imageshttps://web.archive.org/web/20110208080555/http://trekkingtoday.com/images/banner_02.jpg{ref}https://web.archive.org/web/20110208080715/http://trekkingtoday.com/images/banner_03.jpg{ref}. https://viewdns.info/iphistory/?domain=trekkingtoday.com[rdns source].
| 210.80.75.41
| multinews-33.com
|
|
|
| https://web.archive.org/web/20110203051151/http://multinews-33.com/MultiNews.jar[JAR]
| news
| No archives of the HTML, but the JAR was archived
| 210.80.75.43
| gulfandmiddleeastnews.com
| https://web.archive.org/web/20110203100459/http://gulfandmiddleeastnews.com/[2011]
| Arabic
|
| https://web.archive.org/web/20110203100519/http://gulfandmiddleeastnews.com/gulfnews.js[JS]
| news
|
| 210.80.75.44
| whirlybirdinflight.com
| https://web.archive.org/web/20110208030733/http://whirlybirdinflight.com/[2011]
| English
|
| https://web.archive.org/web/20110208030848/http://whirlybirdinflight.com/fly.jar[JAR]
| helicopters
|
| 210.80.75.45
| kings-game.net
| https://web.archive.org/web/20111014203149/http://www.kings-game.net/[2011]
| English
|
| https://web.archive.org/web/20111014203149oe_/http://www.kings-game.net/internet.jar[JAR]
| gaming, chess
| JAR unarchived
| 210.80.75.46
| topglobalnewsdaily.com
| https://web.archive.org/web/20110207163105/http://topglobalnewsdaily.com/[2011]
| English
|
| https://web.archive.org/web/20110207163828js_/http://topglobalnewsdaily.com/cooking.js[JS]
| news
|
| 210.80.75.49
| recipe-dujour.com
| https://web.archive.org/web/20110202122028/http://recipe-dujour.com/[2011]
| English
|
| https://web.archive.org/web/20110202122522/http://recipe-dujour.com/recipes.jar[JAR]
| cooking
| nice design
| 210.80.75.55
| philippinenewsonline.net
| https://web.archive.org/web/20101230191405/http://philippinenewsonline.net/[2010]
| Philippines
|
| https://web.archive.org/web/20101230191531/http://philippinenewsonline.net/middleweight.jar[JAR]
| news
|
| 210.80.75.56
| technewsforme.com
| https://web.archive.org/web/20110201205935/http://technewsforme.com/[2011]
| Farsi
|
| https://web.archive.org/web/20110201211509/http://technewsforme.com/meter.jar[JAR]
| tech
|
| 212.4.16.224
| lanoticiasdehoyelinforme.com
| https://web.archive.org/web/20100513162927/http://lanoticiasdehoyelinforme.com/[2010]
| Spanish
|
| https://web.archive.org/web/20110201000000*/http://lanoticiasdehoyelinforme.com/mynews.jar[JAR]
| news
|
| 212.4.16.232
| mynewscheck.com
| https://web.archive.org/web/20110208211139/http://mynewscheck.com/[2011]
| English
| <Canada>
| https://web.archive.org/web/20110208211158/http://mynewscheck.com/world.jar[JAR]
| news
| https://dnshistory.org/historical-dns-records/a/mynewscheck.com[rdns source]
| 212.4.16.245
| financial-crisis-news.com
| https://web.archive.org/web/20110203042021/http://financial-crisis-news.com/[2011]
| Russian
| Russia
| https://web.archive.org/web/20110203042212/http://financial-crisis-news.com/dolls.jar[JAR]
| news
| https://dnshistory.org/historical-dns-records/a/financial-crisis-news.com[rdns source]
| 212.4.16.252
| minutosdenoticias.com
| https://web.archive.org/web/20100517151612/http://minutosdenoticias.com/[2010]
| Spanish
|
| https://web.archive.org/web/20100517151612/https://foro.minutosdenoticias.com/cgi-bin/menu.cgi[CGI]
| news
| https://web.archive.org/web/20100517151619/http://minutosdenoticias.com/images/Minutos.css[CSS]
| 212.4.17.38
| fightwithoutrules.com
| https://web.archive.org/web/20110203021315/http://fightwithoutrules.com/[2011]
| Russian
|
| https://web.archive.org/web/20110203021403/http://fightwithoutrules.com/boxing.jar[JAR]
| sports, combat sports
|
| 212.4.17.41
| newtechfrontier.com
| https://web.archive.org/web/20110208072235/http://newtechfrontier.com/[2010]
| <English (language)>
|
| https://web.archive.org/web/20110208072235/https://ssl.newtechfrontier.com/cgi-bin/tech.cgi[CGI]
| tech
| since became legit: https://newtechfrontier.com/[]
| 212.4.17.43
| smart-travel-consultant.com
| https://web.archive.org/web/20110202212415/http://smart-travel-consultant.com/[2011]
| <Chinese (language)>
|
| https://web.archive.org/web/20110202212415/https://clients.smart-travel-consultant.com/cgi-bin/clients.cgi[CGI]
| travel
| https://web.archive.org/web/20110202212436/http://smart-travel-consultant.com/ajaxtabs.js[ajaxtabs.js] may be of interest for fingerprinting. Title: "智能旅行顾问", lit. Smart Travel Consultant
| 212.4.17.46
| atentlaloc.com
| https://web.archive.org/web/20091117073653/http://atentlaloc.com/[2009]
| English
| Qatar, Lebanon, <Israel>, <Iran>
| https://web.archive.org/web/20110128134809/http://atentlaloc.com/jewelry.js[JS]
| jewelry
| https://en.wikipedia.org/wiki/Tl%C4%81loc[Tlaloc] is an Aztec deity, and https://en.wikipedia.org/wiki/Aten[Aten] is an Egyptian deity. Both appear to be somewhat linked to gold, thus their usage in a jewelry website. Creative domain name.
| 212.4.17.53
| newsresolution.net
| https://web.archive.org/web/20101229193800/http://newsresolution.net/[2010]
| English
| Côte d'Ivoire, Lebanon, Sudan
| https://web.archive.org/web/20101229194102/http://newsresolution.net/bulletin.jar[JAR]
| news, UN Peacekeeping
|
| 212.4.17.56
| lesummumdelafinance.com
| https://web.archive.org/web/20100514032916/http://lesummumdelafinance.com/[2010]
| <French (language)>
| <France>
| https://web.archive.org/web/20100514033238/http://lesummumdelafinance.com/finance.jar[JAR]
| finance
|
| 212.4.17.98
| topbillingsite.com
| https://web.archive.org/web/20110207155424/http://topbillingsite.com[2011]
| <English (language)>
|
| https://web.archive.org/web/20110207155424/https://secure.topbillingsite.com/cgi-bin/main.cgi[CGI]
| films
|
| 212.4.17.122
| b2bworldglobal.com
| https://web.archive.org/web/20110201150849/http://b2bworldglobal.com/[2011]
| English
|
| https://web.archive.org/web/20110201150849/https://global.b2bworldglobal.com/cgi-bin/information.cgi[CGI]
| news
|
| 212.4.18.14
| football-enthusiast.com
| https://web.archive.org/web/20110208004807/http://football-enthusiast.com/[2011]
| English
| Europe
| https://web.archive.org/web/20110208004818/http://football-enthusiast.com/img.js[JS]
| sports, <football>
|
| 212.4.18.129
| sightseeingnews.com
| https://web.archive.org/web/20100425054804/http://www.sightseeingnews.com/[2010]
| English
|
| https://web.archive.org/web/20110202094530/http://sightseeingnews.com/testbandwidth.jar[JAR]
| travel
|
| 212.209.74.105
| globalbaseballnews.com
| https://web.archive.org/web/20110129004926/http://globalbaseballnews.com/[2011]
| English
|
| https://web.archive.org/web/20110129005017/http://globalbaseballnews.com/baseball.js[JS]
| sports, baseball
|
| 212.209.74.106
| football-de-luxe.com
| https://web.archive.org/web/20101015050644/http://football-de-luxe.com/[2010]
| French
| France
| https://web.archive.org/web/20110208004858/http://football-de-luxe.com/soccer.jar[JAR]
| sports, football
|
| 212.209.74.112
| developmental-league.com
| https://web.archive.org/web/20100507132004/http://www.developmental-league.com/[2010]
| English
|
| https://web.archive.org/web/20100507132004/https://secure.developmental-league.com/login.html[CGI]
| sports, American football
| <CGI comms variant>?
| 212.209.74.115
| mediocampodefutbol.com
| https://web.archive.org/web/20100516144838/http://mediocampodefutbol.com/[2010]
| Spanish
|
| https://web.archive.org/web/20110128163307*/http://mediocampodefutbol.com/futbol.jar[JAR]
| sports, football
|
| 212.209.74.117
| myengineeringaffinity.com
| https://web.archive.org/web/20110207184615/http://myengineeringaffinity.com/[2011]
| English
|
| https://web.archive.org/web/20110207184905/http://myengineeringaffinity.com/affinity.jar[JAR]
| tech
|
| 212.209.74.123
| worldfinancialexchangenews.com
| https://web.archive.org/web/20100509204702/http://www.worldfinancialexchangenews.com/[2010]
| English
|
| https://web.archive.org/web/20100511045813oe_/http://www.worldfinancialexchangenews.com/worldfinancialexchangenews.swf[SWF]
| finance
| SWF unarchived.
| 212.209.74.125
| avoilurefixe.com
| https://web.archive.org/web/20110129003724/http://avoilurefixe.com/[2011]
| French
| Tunisia
| https://web.archive.org/web/20130820134721*/http://avoilurefixe.com/aircraft.jar[JAR]
| airplanes
| "à voilure fixe" is French for "with fixed wing", i.e. https://en.wikipedia.org/wiki/Fixed-wing_aircraft[fixed wing aircraft]
| 212.209.74.126
| headlines2day.com
| https://web.archive.org/web/20110201164741/https://www.headlines2day.com/[2011]
| Farsi
|
| https://web.archive.org/web/20110201165347/http://www.headlines2day.com/today.jar[JAR]
| news
| marked copyright 2009
| 212.209.79.34
| fgnl.net
| https://web.archive.org/web/20110106041020/http://fgnl.net/[2011]
| English
| Iran
| https://web.archive.org/web/20110106041020/https://global.fgnl.net/cgi-bin/index.cgi[CGI]
| news
| Four letter domain! FGNL stands for "Farsi Global News Links". Marked copyright 2009.
| 212.209.79.37
| fitness-sources.com
| https://web.archive.org/web/20100927194013/http://fitness-sources.com/[2010]
| English
|
| https://web.archive.org/web/20110207104914/http://fitness-sources.com/library.js[JS]
| sports, fitness
|
| 212.209.79.40
| hydradraco.com
| https://web.archive.org/web/20110201232641/http://www.hydradraco.com/[2011]
| English
|
| https://web.archive.org/web/20110205175600*/http://www.hydradraco.com/Acc.jar[JAR]
| sports, American football
| TODO meaning of the name?
| 212.209.79.41
| noticiasdelmundolatino.com
| https://web.archive.org/web/20110128170204/http://noticiasdelmundolatino.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110128170609/http://noticiasdelmundolatino.com/News.jar[JAR]
| news
|
| 212.209.79.42
| suparakuvi.com
| https://web.archive.org/web/20110128111638/http://suparakuvi.com/[2011]
| French
| France
| https://web.archive.org/web/20110128111829/http://suparakuvi.com/bandwidth.jar[JAR]
| news
| a Tour Eiffel image, and young people stuff, i.e. first world stuff. It's for France alright. But TODO meaning of domain name? Ciro's second language French didn't cut it this time.
| 212.209.79.46
| cetusdelph.com
| https://web.archive.org/web/20110202093406/http://cetusdelph.com/[2011]
| English
|
| https://web.archive.org/web/20110202093433/http://cetusdelph.com/library.js[JS]
| sports, scuba
|
| 212.209.79.47
| willtoworship.com
| https://web.archive.org/web/20110208022209/http://willtoworship.com/[2011]
| English
|
| https://web.archive.org/web/20110208022458/http://willtoworship.com/slideshow.jar[JAR]
| religion, Christianity
| marked copyright 2007 (!)
| 212.209.79.48
| themvconnection.com
| https://web.archive.org/web/20110202215241/http://themvconnection.com/[2011]
| English
|
| https://web.archive.org/web/20110223163251*/http://themvconnection.com/Music.jar[JAR]
| music
|
| 212.209.79.51
| pi-resources.net
| https://web.archive.org/web/20101229210704/http://pi-resources.net/[2010]
| English
|
| https://web.archive.org/web/20101229210817/http://pi-resources.net/library.js[JS]
| private investigators
| "pi" stands for Private Investigators. The <CIA> must have had some fun making this one.
| 212.209.79.53
| ourscubaworld.com
| https://web.archive.org/web/20110202112552/http://ourscubaworld.com/[2011]
| English
|
| https://web.archive.org/web/20110202112756/http://ourscubaworld.com/content.js[JS]
| sports, scuba
|
| 212.209.79.58
| tech-love-home.com
| https://web.archive.org/web/20110201205421/http://tech-love-home.com/[2011]
| <Chinese (language)>
|
| https://web.archive.org/web/20110201205505js_/http://tech-love-home.com/ads.js[JS]
| tech
| Title: "消费类电子产品", lit. Consumer Electronics
| 212.209.79.60
| first-solo-aviation.com
| https://web.archive.org/web/20100408194930/http://www.first-solo-aviation.com/[2010]
| English
|
| https://web.archive.org/web/20110203073222/http://first-solo-aviation.com/abb.jar[JAR]
| airplanes
|
| 212.209.79.61
| china-destinations.org
| https://web.archive.org/web/20110626214916/http://china-destinations.org/[2011]
| Chinese
|
| https://web.archive.org/web/20110626215456/http://china-destinations.org/dynamic.js[JS]
| travel
| title: "中国目的地指南", lit. "China Destination Guide"
| 212.209.90.69
| worldedgenews.com
| https://web.archive.org/web/20110210021859/http://worldedgenews.com/[2011]
| English
|
| https://web.archive.org/web/20110210022316/http://worldedgenews.com/WENUpdater.jar[JAR]
| news
|
| 212.209.90.80
| nsmovies.net
| https://web.archive.org/web/20101229192002/http://nsmovies.net/[2010]
| English
|
| https://web.archive.org/web/20101229192155/http://nsmovies.net/reel.jar[JAR]
| films
| "ns" stands for "Nirguna Saguna", two separate Hindu names/deities. But there are no other Indian references beyond those.
| 212.209.90.82
| middleeastjournal.net
| https://web.archive.org/web/20101229174821/http://middleeastjournal.net/[2010]
| <Arabic>
|
| https://web.archive.org/web/20101229175017js_/http://middleeastjournal.net/dynamic.js[JS]
| news
|
| 212.209.90.84
| thenewseditor.com
| https://web.archive.org/web/20110202221253/http://thenewseditor.com/[2011]
| English
|
| https://web.archive.org/web/20110202221435/http://thenewseditor.com/jobs.jar[JAR]
| news
|
| 212.209.90.87
| newsandweathersource.com
| https://web.archive.org/web/20091212105838/http://www.newsandweathersource.com/[2009]
| English
|
| https://web.archive.org/web/20110208063333/http://newsandweathersource.com/news.jar[JAR]
| news
| marked copyright 2009.
| 212.209.90.89
| pakisports.com
| https://web.archive.org/web/20100327094021/http://pakisports.com/[2010]
| English
| Pakistan
| https://web.archive.org/web/20110203103200/http://pakisports.com/pakisports.swf[SWF]
| sports
|
| 212.209.90.90
| vriha-aesthetics.com
| https://web.archive.org/web/20110202184808/http://vriha-aesthetics.com/[2011]
| <Arabic>
|
| https://web.archive.org/web/20110202184833/http://vriha-aesthetics.com/dynamic.js[JS]
| news
|
| 212.209.90.92
| amishkanews.com
| https://web.archive.org/web/20110208032707/http://amishkanews.com/[2011]
| English
| India
| https://web.archive.org/web/20110208032713/http://amishkanews.com/amishkanewss.js[JS]
| news
| Amishka is an Indian name, and some prominent mentions of Bollywood also point to India specifically
| 212.209.90.93
| theentertainbiz.com
| https://web.archive.org/web/20110202141531/http://theentertainbiz.com/[2011]
| English
|
| https://web.archive.org/web/20110202141603/http://theentertainbiz.com/entertain.jar[JAR]
| entertainment
|
| 212.209.90.94
| eurosportssummary.com
| https://web.archive.org/web/20110201194602/http://eurosportssummary.com/[2011]
| English
|
| https://web.archive.org/web/20110201194913/http://eurosportssummary.com/sports.jar[JAR]
| sports
|
| 216.93.248.194
| esmundonoticias.com
| https://web.archive.org/web/20110201124007/http://esmundonoticias.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110201124235/http://esmundonoticias.com/anuncios.jar[JAR]
| news
| `rss-items`. Shares IP with kukrinews.com.
| 216.93.248.194
| kukrinews.com
| https://web.archive.org/web/20100513094901/http://kukrinews.com/[2010]
| English
|
| https://web.archive.org/web/20100513094909/http://kukrinews.com/news.js[JS]
| News
| <JavaScript with SHAs>. Talks to `/cgi-bin/news.cgi`. A https://en.wikipedia.org/wiki/Kukri[Kukri] is the national weapon of Nepal. Slogan: "Nepal's Sharp Edge", thus matching the website name. Split image header. Copyright 2009. Shares IP with esmundonoticias.com.
| 216.105.98.139
| cultura-digital.net
| https://web.archive.org/web/20080907112020/http://www.cultura-digital.net/[2008]
| Spanish
|
| https://web.archive.org/web/20101229034928/https://digital.cultura-digital.net/cgi-bin/gadgets.cgi[CGI]
| news
| Marked copyright 2008. https://web.archive.org/web/20050326040602/http://www.cultura-digital.net/[Previously legit].
| 216.105.98.140
| uaeshoppingspree.com
| https://web.archive.org/web/20130521064536/http://www.uaeshoppingspree.com/[2013]
| English
| UAE
| https://web.archive.org//web/20130521064536oe_/http://www.uaeshoppingspree.com/shop.jar[JAR]
| shopping
| Archive quite broken, but has link to unarchived JAR. Has an unusually personal touch: "As you can probably tell from the title of my website, shopping is my very favorite pastime."
| 216.105.98.145
| montanismoaventura.com
| https://web.archive.org/web/20120429042725/http://montanismoaventura.com/[2012]
| Spanish
| Spain
| https://web.archive.org/web/20120429042725js_/http://montanismoaventura.com/path.js[JS]
| sports, mountaineering
| JS unarchived. Marked copyright 2010.
| 216.105.98.147
| nepalnewsbrief.com
| https://web.archive.org/web/20081119135346/http://nepalnewsbrief.com/[2008]
| English
| Nepal
| https://web.archive.org/web/20110207221911/http://nepalnewsbrief.com/regionweather.jar[JAR]
| news
| Marked copyright 2006 (!) If true this would be the earliest known reference to a date in the websites.
| 216.105.98.152
| modernarabicnews.com
| https://web.archive.org/web/20130620020250/http://modernarabicnews.com/[2013]
| Arabic
|
| http://modernarabicnews.com/news.jar[JAR]
| news
| HTML archive quite broken, but JAR was archived thankfully.
| 216.105.98.154
| everythingcricket.org
| https://web.archive.org/web/20110704090110/http://everythingcricket.org[2011]
| English
|
| https://web.archive.org/web/20110704090136/http://www.everythingcricket.org/cricket.jar[JAR]
| sports, cricket
| Also has archives from 2009, but they were a bit broken. The 2011 one is marked copyright 2011, so they actually bothered to update that.
| 216.105.98.156
| familyhealthonline.net
| https://web.archive.org/web/20110106035241/http://familyhealthonline.net/[2011]
| English
|
| https://web.archive.org/web/20130729093000/https://secure.familyhealthonline.net/cgi-bin/health.cgi[CGI]
| health
|
| 219.90.61.110
| surya-brahma.com
| https://web.archive.org/web/20110128142444/http://surya-brahma.com/[2011]
| Spanish
|
| https://web.archive.org/web/20110128142511/http://surya-brahma.com/surya.jar[JAR]
| news
| https://en.wikipedia.org/wiki/Surya[Surya] and https://en.wikipedia.org/wiki/Brahman[Brahman] are Hindu concepts, but the website appears to have nothing to do with India or Hinduism. Interesting.
| 219.90.61.111
| classicalmusicboxonline.com
| https://web.archive.org/web/20101028135047/http://classicalmusicboxonline.com/[2010]
| English
|
| https://web.archive.org/web/20101028135047/https://cello.classicalmusicboxonline.com/cgi-bin/musicbox.cgi[CGI]
| music
|
| 219.90.61.116
| athletepro.net
| https://web.archive.org/web/20101229003425/http://athletepro.net/[2010]
| English
|
| https://web.archive.org/web/20101229003434/http://athletepro.net/athletes.jar[JAR]
| sports
|
| 219.90.61.117
| lajornadanow.com
| https://web.archive.org/web/20100513135348/http://lajornadanow.com/[2010]
| Spanish
|
| https://web.archive.org/web/20100513135549/http://lajornadanow.com/noticias.jar[JAR]
| news
|
| 219.90.61.120
| theinternationalworld.com
| https://web.archive.org/web/20110202183115/http://theinternationalworld.com/[2011]
| English
|
| https://web.archive.org/web/20110202183357/http://theinternationalworld.com/font.jar[JAR]
| news
| https://viewdns.info/iphistory/?domain=theinternationalworld.com[rdns source]. `rss-items`.
| 219.90.61.121
| thepyramidnews.com
| https://web.archive.org/web/20110207105027/http://thepyramidnews.com/[2011]
| Farsi
| Iran
| https://web.archive.org/web/20110207105046/http://thepyramidnews.com/news.jar[JAR]
| news
|
| 219.90.61.122
| iran-newslink-today.com
| https://web.archive.org/web/20110202092016/http://iran-newslink-today.com/[2011]
| Farsi
| Iran
| https://web.archive.org/web/20110202092053/http://iran-newslink-today.com/today.jar[JAR]
| news
|
| 219.90.61.123
| journeystravelled.com
| https://web.archive.org/web/20110208052713/http://journeystravelled.com/[2011]
| English
|
| https://web.archive.org/web/20110208052755/http://journeystravelled.com/time.jar[JAR]
| travel
|
| 219.90.62.229
| information-junky.com
| https://web.archive.org/web/20110201155443/http://information-junky.com/[2011]
| <English (language)>
| Ghana
| https://web.archive.org/web/20110201160020/http://information-junky.com/infoweather.jar[JAR]
| news
|
| 219.90.62.231
| todosperuahora.com
| https://web.archive.org/web/20110207112452/http://todosperuahora.com/[2011]
| <Spanish (language)>
| Peru
| https://web.archive.org/web/20110207112452/https://miembros.todosperuahora.com/cgi-bin/business.cgi[CGI]
| news
|
| 219.90.62.233
| theworld-news.net
| https://web.archive.org/web/20101226182928/http://theworld-news.net/[2010]
| Urdu
|
| https://web.archive.org/web/20101226182928/https://secure.theworld-news.net/cgi-bin/news.cgi[CGI]
| news
|
| 219.90.62.234
| recuerdosdeviajeonline.com
| https://web.archive.org/web/20110202124633/http://recuerdosdeviajeonline.com/[2011]
| <Spanish (language)>
|
| https://web.archive.org/web/20110202125023/http://recuerdosdeviajeonline.com/recuerdosdeviajeonline.swf[SWF]
| travel
| marked "Copyright 2009"
| 219.90.62.237
| elcorreodenoticias.com
| https://web.archive.org/web/20110128085335/http://elcorreodenoticias.com/[2011]
| <Spanish (language)>
| Venezuela
| https://web.archive.org/web/20110128085530/http://elcorreodenoticias.com/notices.jar[JAR]
| news
|
| 219.90.62.237
| ride-captain.com
| https://web.archive.org/web/20110208140240/http://ride-captain.com/[2011]
| <English (language)>
|
| https://web.archive.org/web/20110208140405/http://ride-captain.com/model.jar[JAR]
| sports, motorcycles
|
| 219.90.62.238
| freshtechonline.com
| https://web.archive.org/web/20110207161832/http://freshtechonline.com/[2011]
| <English (language)>
|
| https://web.archive.org/web/20110207161832/https://secure.freshtechonline.com/cgi-bin/tech.cgi[CGI]
| tech
|
| 219.90.62.241
| newscentertoday.com
| https://web.archive.org/web/20110208063554/http://newscentertoday.com/[2011]
| English
|
| https://web.archive.org/web/20110208064052/http://newscentertoday.com/economy.jar[JAR]
| news
| Copyright 2008. https://dnshistory.org/historical-dns-records/a/newscentertoday.com[rdns source]. `rss-items`. https://web.archive.org/web/20180606122214/http://newscentertoday.com:80/[Later legit], with a pause https://web.archive.org/web/20161008072958/http://newscentertoday.com/[The domain name you have entered is not available. It has been taken down because the email address of the domain holder (Registrant) has not been verified.].
| 219.90.62.243
| fitness-dawg.com
| https://web.archive.org/web/20110207104044/http://fitness-dawg.com/[2011]
| <English (language)>
|
| https://web.archive.org/web/20110207104457/http://fitness-dawg.com/Routines.jar[JAR]
| sports, fitness
|
| 219.90.62.244
| easytraveleurope.com
| https://web.archive.org/web/20120218052121/http://www.easytraveleurope.com/[2012]
| <English (language)>
|
| https://web.archive.org/web/20110207173731/http://easytraveleurope.com/TravelApp.jar[JAR]
| travel
| nice design
| 219.90.62.245
| world-news-now.net
| https://web.archive.org/web/20110107091601/http://world-news-now.net/[2011]
| English
|
| https://web.archive.org/web/20110107091609/http://world-news-now.net/bwmeter.jar[JAR]
| news
|
| 219.90.62.246
| negativeaperture.com
| https://web.archive.org/web/20110207202401/http://negativeaperture.com/[2011]
| <English (language)>
|
| https://web.archive.org/web/20110207202401/https://secure.negativeaperture.com/cgi-bin/canon.cgi[CGI]
| <photography>
| nice domain name
| 219.90.62.247
| conquermstoday.com
| https://web.archive.org/web/20110207220642/http://conquermstoday.com/[2011]
| <English (language)>
|
| <CGI>
| health
| MS means https://en.wikipedia.org/wiki/Multiple_sclerosis[multiple sclerosis]. Comms not found, <CGI> from unarchived subpage assumed. Has a subdomain "heal.conquermstoday.com" according to <2013 DNS Census>, but no links to it in the archive.
= Methodology
{parent=CIA 2010 covert communication websites}
= Gathering key points from the articles
{parent=Methodology}
https://citizenlab.ca/2022/09/statement-on-the-fatal-flaws-found-in-a-defunct-cia-covert-communications-system/[] did an investigation and found 885 such websites, but decided not to disclose the list or methods:
\Q[
Using only a single website, as well as publicly available material such as historical internet scanning results and the <Internet Archive>'s <Wayback Machine>, we identified a network of 885 websites and have high confidence that the United States (US) Central Intelligence Agency (<CIA>) used these sites for covert communication.
The websites included similar <Java>, <JavaScript>, <Adobe Flash>, and <CGI> artifacts that implemented or apparently loaded covert communications apps. In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. All of these flaws would have facilitated discovery by hostile parties.
The websites, which purported to be news, weather, sports, healthcare, and other legitimate websites, appeared to be localized to at least 29 languages and geared towards at least 36 countries.
]
The question is which website. E.g. at https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ they used data from Censys.
\Q[We searched historical data from Censys]
https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ mentions https://scans.io/[]. https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/ mentions https://www.shodan.io/[]. Censys really seems to be their thing.
Another critical excerpt is:
\Q[
The bulk of the websites that we discovered were active at various periods between 2004 and 2013. We do not believe that the CIA has recently used this communications infrastructure. Nevertheless, a subset of the websites are linked to individuals who may be former and possibly still active intelligence community employees or assets:
* Several are currently abroad
* Another left mainland China in the time frame of the Chinese crackdown
* Another was subsequently employed by the US State Department
* Another now works at a foreign intelligence contractor
Given that we cannot rule out ongoing risks to CIA employees or assets, we are not publishing full technical details regarding our process of mapping out the network at this time. As a first step, we intend to conduct a limited disclosure to <US government> oversight bodies.
]
This basically implies that they must have found some communication layer level identifier, e.g. <IP> registration, <domain name> registration, or certificate, because it is impossible to believe that real agent names would have been present on the website content itself!
The websites were used from at least as early as August 2008, as per Gholamreza Hosseini's account, and the system was apparently only shut down in 2013. https://citizenlab.ca/2022/09/statement-on-the-fatal-flaws-found-in-a-defunct-cia-covert-communications-system/ however claims that they were used since as early as 2004.
Notably, so as to be less suspicious the websites are often in the language of the country for which they were intended, so we can often guess which country they were intended for!
= The Reuters websites
{parent=Methodology}
= Reuters example
{c}
{synonym}
The <Reuters article> directly reported only two domains in writing:
* http://iraniangoals.com[]. Iranian language <football> website. As of 2023, the domain had been bought by Reuters and redirects to their website.
2009 archive: https://web.archive.org/web/20090411072857/http://iraniangoals.com/
<JavaScript> file: https://web.archive.org/web/20110202091909/http://iraniangoals.com/journal.js[] <Reverse engineering> information: <iraniangoals.com JavaScript reverse engineering>.
* http://iraniangoalkicks.com[]. Iranian language <football> website. Available in GoDaddy as of 2023.
2008 archive: https://web.archive.org/web/20080211111124/http://iraniangoalkicks.com/
<Java> <JAR (file format)> file: https://web.archive.org/web/20110202091917/http://iraniangoalkicks.com/clamping.jar
But by looking at the URLs of the screenshots they provided from other websites we can easily uncover all others that had screenshots, <Searching for Carson>[except for the Johnny Carson one], which is just generically named. E.g. the image for the Chinese one is https://www.reuters.com/investigates/special-report/assets/usa-spies-iran/screencap-activegaminginfo.com.jpg?v=192516290922 which leads us to domain http://activegaminginfo.com[].
Also none of those extra ones have any <Google> hits except for huge domain dumps such as <Expired domain trackers>, so maybe this counts as a little bit of novel public research.
The full list of domains from screenshots is:
* `activegaminginfo.com`: <Chinese (language)> gaming information website.
2011 archive: https://web.archive.org/web/20110208113503/http://activegaminginfo.com/[]. Contains mentions of 2010.
Domain available in GoDaddy as of 2023.
<Java> JAR file: https://web.archive.org/web/20110202130304/http://activegaminginfo.com/gaming.jar
* `capture-nature.com`: <English (language)> <photography> website.
2011 archive: https://web.archive.org/web/20110201104659/http://capture-nature.com/[].
As of 2023, it seemed to be an actual legit <photography> website by German (amateur?) photographer Klaus Wägele. Archive: https://web.archive.org/web/20230323102504/https://www.capture-nature.com/
<Ciro Santilli> actually sent him a message to let him know about the <CIA> thing in case he didn't, and he replied that he wasn't aware of it.
<Java> JAR file: https://web.archive.org/web/20110201104851/http://capture-nature.com/Scenes.jar[].
* `www.headlines2day.com`: Iranian language news website.
2011 archive: https://web.archive.org/web/20110201164741/https://www.headlines2day.com/[]. Dated "Copyright 2009".
As of 2023, this was a completely broken-looking news website but in English entitled:
\Q[Today's Headlines]
2023 archive: https://web.archive.org/web/20230121191348/https://www.headlines2day.com/[]. It makes one wonder if the <CIA> still operates it!
<Java> JAR file: https://web.archive.org/web/20110201165347/http://www.headlines2day.com/today.jar[].
* `fitness-dawg.com`: English fitness website.
2011 archive: https://web.archive.org/web/20110207104044/http://fitness-dawg.com/[].
Domain available as of 2023.
<Java> JAR file: https://web.archive.org/web/20110207104457/http://fitness-dawg.com/Routines.jar[].
* `rastadirect.net`: English Rastafari culture website.
2010 archive: https://web.archive.org/web/20100429002010/http://rastadirect.net/ dated as "Copyright 2008".
Domain available as of 2023.
<Java> JAR file: https://web.archive.org/web/20110106225504/http://rastadirect.net/africa.jar[].
* `fightwithoutrules.com`: <Russian> fighting website.
2011 archive: https://web.archive.org/web/20110203021315/http://fightwithoutrules.com/[]. Contains mentions of 2009 news.
Domain available as of 2023.
<Java> JAR file: https://web.archive.org/web/20110203021403/http://fightwithoutrules.com/boxing.jar[].
* `alljohnny.com`: <#Johnny Carson> fansite
2004 archive: https://web.archive.org/web/20110203021315/http://fightwithoutrules.com/[].
Domain available as of 2023.
<CGI comms>: https://secure.alljohnny.com/cgi-bin/memlog.cgi[].
This brings us up to 8 known <domain names> with <Wayback Machine> archives, plus the yet unidentified Johnny Carson one, see also: <Searching for Carson>{full}, which is almost certainly on Wayback Machine somewhere given that they have a screenshot of it.
= Fingerprints
{parent=Methodology}
= Fingerprint
{synonym}
From <The Reuters websites> and others we've found, we can establish some clear stylistic trends across the websites which would allow us to find other likely candidates upon inspection:
* natural sounding, sometimes long-ish, <domain names> generally with 2 or 3 full words. Most in English language, but a few in Spanish, and very few in other languages like French.
* shallow websites with a few tabs, many external links, sometimes many images, and few internal pages
* lots of rectangular images make up the top bar banner image. Stock images are often used to make the full image, and then the full image is split. An example:
* http://classicalmusicboxonline.com/images/banner_01.jpg
* http://classicalmusicboxonline.com/images/banner_02.jpg
* ...
* http://classicalmusicboxonline.com/images/banner_19.jpg
* http://classicalmusicboxonline.com/images/banner_20.jpg
* common themes include:
* news
* hobbies, notably sports, travel and <photography>. Golf seems overrepresented. Must be a thing over there in Langley.
* .com and .net <top-level domains>, plus a few other very rare <non .com .net TLDs>, notably .info and .org
* each one has one "communication mechanism file": <communication mechanisms>
* narrow page width like in the days of old, lots of images
* each hit domain is the only domain for its IP, i.e. the websites are all private hosted, no https://en.wikipedia.org/wiki/Shared_web_hosting_service[shared web hosting service] examples have been found so far
* split images: many of the website banners are composed of several images cut up. Stock images were first assembled into the banner, and then the resulting image was cut. Possibly this was done to make reverse image search to their stock image provider harder. But it somewhat backfired and serves as a good marker that confirms authorship. Maybe it is some kind of outdated web design thing, which they took much further in time than the average website, like the JAR. It would be fun to actually reverse search into one of their stock image provider's original images. Their websites do appear to follow common style guidelines from earlier eras, around the early 2000s notably, some legit sites that look a lot like hits:
* https://web.archive.org/web/20031002010827/http://www.ausiranstudy.com/
* many of the websites use the following pattern in their news summaries: `ul.rss-items > li.rss-item`, e.g.: https://web.archive.org/web/20110202092126/http://beamingnews.com/
The most notable dissonance from the rest of the web is that there are no commercial-looking company websites, presumably because it was felt that it would be possible to verify the existence of such companies.
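Two of the markers above can be checked mechanically on an archived page: the `ul.rss-items > li.rss-item` structure and the numbered banner slices. The following is an added example, not code from this project. Both HTML snippets are constructed, and the `min_slices` threshold and the two-marker score are assumptions chosen for illustration:

```python
import re
from collections import defaultdict
from html.parser import HTMLParser

# Elements that never have a closing tag, so they must not be pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}
# banner_01.jpg, banner_02.jpg, ... -> stem "banner", slice number 1, 2, ...
SLICE_RE = re.compile(r"^(?P<stem>.*?)_(?P<n>\d+)\.(?:jpe?g|gif|png)$", re.I)

class FingerprintParser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []                  # open elements as (tag, classes)
        self.rss_items = 0               # li.rss-item directly under ul.rss-items
        self.slices = defaultdict(set)   # image stem -> slice numbers seen

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = set((attrs.get("class") or "").split())
        # Old pages often omit </li>: a new <li> implicitly closes the open one.
        if tag == "li" and self.stack and self.stack[-1][0] == "li":
            self.stack.pop()
        if tag == "li" and "rss-item" in classes and self.stack:
            parent_tag, parent_classes = self.stack[-1]
            if parent_tag == "ul" and "rss-items" in parent_classes:
                self.rss_items += 1
        if tag == "img":
            match = SLICE_RE.match(attrs.get("src") or "")
            if match:
                self.slices[match.group("stem")].add(int(match.group("n")))
        if tag not in VOID:
            self.stack.append((tag, classes))

    def handle_endtag(self, tag):
        # Pop back to the nearest matching open tag, tolerating bad nesting.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def longest_run(numbers):
    """Length of the longest run of consecutive integers in `numbers`."""
    best = run = 0
    prev = None
    for n in sorted(numbers):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best

def fingerprint(html, min_slices=4):
    """Report which of the two stylistic markers a page carries."""
    parser = FingerprintParser()
    parser.feed(html)
    parser.close()
    banners = {stem: longest_run(nums) for stem, nums in parser.slices.items()
               if longest_run(nums) >= min_slices}
    score = int(parser.rss_items > 0) + int(bool(banners))
    return {"rss_items": parser.rss_items, "banner_slices": banners, "score": score}

# Constructed page carrying both markers (one <li> deliberately left unclosed).
HIT_LIKE = """<html><body>
<table><tr>
<td><img src="images/banner_01.jpg"><img src="images/banner_02.jpg"></td>
<td><img src="images/banner_03.jpg"><img src="images/banner_04.jpg"></td>
<td><img src="images/banner_05.jpg"><img src="images/photo_7.jpg"></td>
</tr></table>
<ul class="rss-items">
<li class="rss-item"><a href="#">Headline one</a>
<li class="rss-item"><a href="#">Headline two</a></li>
<li class="rss-item last"><a href="#">Headline three</a></li>
</ul>
</body></html>"""

# Constructed control page: same class names, but not the same structure.
CONTROL = """<html><body>
<img src="logo_1.png">
<ul class="menu"><li class="rss-item">Not inside ul.rss-items</li></ul>
<ul class="rss-items"><div><li class="rss-item">Not a direct child</li></div></ul>
</body></html>"""

if __name__ == "__main__":
    print(fingerprint(HIT_LIKE))
    print(fingerprint(CONTROL))
```

A score of 2 only says that a page shares the template style; as noted above, legit early 2000s sites can look the same, so the result is a reason for manual inspection, not a confirmation.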
= IP range search
{parent=Methodology}
One promising way to find more of those would be with <IP> searches, since it was stated in the <Reuters article> that the <CIA> made the terrible mistake of using several contiguous IP blocks for those websites. What a phenomenal <OPSEC> failure!!!
The easiest way would be if <Wayback Machine> itself had an IP search function, but we couldn't find one: <Search Wayback Machine by IP>.
https://viewdns.info was the first easily accessible website that <Ciro Santilli> could find that contained such information.
Our current results indicate that the typical IP range is about 30 IPs wide.
E.g. searching: https://viewdns.info/iphistory[] and considering only hits from 2011 or earlier we obtain:
* capture-nature.com
* 65.61.127.163 - Greenacres - United States - TierPoint - 2013-10-19
* activegaminginfo.com
* 66.175.106.148 - United States - Verizon Business - 2012-03-03
* iraniangoals.com
* 68.178.232.100 - United States - GoDaddy.com - 2011-11-13
* 69.65.33.21 - Flushing - United States - GigeNET - 2011-09-08
* rastadirect.net
* 68.178.232.100 - United States - GoDaddy.com - 2011-05-02
* iraniangoalkicks.com
* 68.178.232.100 - United States - GoDaddy.com - 2011-04-04
* headlines2day.com
* 118.139.174.1 - Singapore - Web Hosting Service - 2013-06-30. Source: viewdns.info
* 184.168.221.91 2013-08-12T06:17:39. Source: <2013 DNS Census> grep
* fightwithoutrules.com
* 204.11.56.25 - British Virgin Islands - Confluence Networks Inc - 2013-09-26
* 208.91.197.19 - British Virgin Islands - Confluence Networks Inc - 2013-05-20
* 212.4.17.38 - Milan - Italy - MCI Worldcom Italy Spa - 2012-03-03
* fitness-dawg.com
* 219.90.62.243 - Taiwan - Verizon Taiwan Co. Limited - 2012-01-11
None of these seem to be in the same ranges. The only common nearby hit amongst these ranges is the exact `68.178.232.100`, and doing reverse IP search at https://viewdns.info/reverseip/?host=68.178.232.100&t=1 states that it has 2.5 million hostnames associated to it, so it must be some kind of https://en.wikipedia.org/wiki/Shared_web_hosting_service[Shared web hosting service], see also: https://superuser.com/questions/577070/is-it-possible-for-many-domain-names-to-share-one-ip-address[], which makes search hard.
Ciro then tried some of the other IPs, and soon hit gold.
Initially, Ciro started by doing manual queries to viewdns.info/reverseip until his IP was blocked. Then he created an account and used his 250 free queries with the following helper script: \a[cia-2010-covert-communication-websites/viewdns-info.sh]. The output of that script can be seen at: https://github.com/cirosantilli/media/blob/master/cia-2010-covert-communication-websites/viewdns-info.sh[].
Ciro then found <2013 DNS Census> which contained data highly disjoint from the viewdns-info one!
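The neighbourhood check described in this section, written out as an added example that is not the helper script mentioned above nor any code from this project. It assumes records in the `hostname|timestamp|IP` layout of the DNS census lines quoted on this page. The sample records are constructed (documentation IP ranges and `.example` hostnames), and `radius` and `max_hosts` are hypothetical parameters encoding the "about 30 IPs wide" and "only domain for its IP" observations:

```python
import ipaddress
from collections import defaultdict

# Constructed records: hostname|timestamp|IPv4. Nothing here is a real host.
SAMPLE = """\
news-alpha.example|2011-02-01T10:00:00|192.0.2.40
sports-beta.example|2011-02-03T11:30:00|192.0.2.44
travel-gamma.example|2011-03-09T08:15:00|192.0.2.52
golf-delta.example|2011-01-20T09:00:00|192.0.2.90
news-alpha.example|2011-11-13T00:00:00|198.51.100.100
shop-one.example|2012-01-01T00:00:00|198.51.100.100
shop-two.example|2012-01-02T00:00:00|198.51.100.100
shop-three.example|2012-01-03T00:00:00|198.51.100.100
blog-near-parking.example|2012-02-01T00:00:00|198.51.100.101
parked.example|2011-07-02T00:00:00|0.0.0.0
broken line without separators
bad-ip.example|2011-07-02T00:00:00|999.1.1.1
"""

def parse_records(text):
    """Parse hostname|timestamp|ip lines, dropping malformed and 0.0.0.0 rows."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue
        host, seen, raw_ip = parts
        try:
            ip = ipaddress.IPv4Address(raw_ip)
        except ValueError:
            continue
        if ip.is_unspecified:      # 0.0.0.0 rows carry no location information
            continue
        records.append((host.lower(), seen, ip))
    return records

def hosts_by_ip(records):
    """Map each IP to the set of hostnames ever seen on it."""
    table = defaultdict(set)
    for host, _seen, ip in records:
        table[ip].add(host)
    return table

def expand_seed(records, seed, radius=15, max_hosts=1):
    """For every historical IP of `seed`, list dedicated IPs within +-radius.

    An IP with more than `max_hosts` hostnames is treated as shared hosting:
    it is reported as such and not expanded, because its neighbours say
    nothing about who operated the seed domain.
    """
    table = hosts_by_ip(records)
    seed = seed.lower()
    result = {}
    for seed_ip in sorted(ip for ip, hosts in table.items() if seed in hosts):
        shared = len(table[seed_ip]) > max_hosts
        neighbours = []
        if not shared:
            for ip in sorted(table):
                if ip == seed_ip or len(table[ip]) > max_hosts:
                    continue
                if abs(int(ip) - int(seed_ip)) <= radius:
                    neighbours.append((str(ip), sorted(table[ip])))
        result[str(seed_ip)] = {"shared": shared, "neighbours": neighbours}
    return result

if __name__ == "__main__":
    for ip, info in expand_seed(parse_records(SAMPLE), "news-alpha.example").items():
        print(ip, "shared" if info["shared"] else info["neighbours"])
```

Each neighbour returned is only a candidate: it still has to be opened in an archive and compared against the <fingerprints>.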
A summary of the IP range exploration done so far follows, combining data from all databases above.
= Hits without nearby IP hits
{parent=IP range search}
{tag=TODO}
Here we list domains for which the correct IP was apparently not found since there are no neighbouring hits.
These are suspicious, and suggest either that we didn't obtain the correct reverse IP, or a change in CIA methodology from an older time at which they were not yet using the obscene IP ranges.
For example, in the case of inews-today.com, <2013 DNS Census> gave one IP 193.203.49.212, but then <viewdns.info> gave another one 66.175.106.146 which fit into an existing IP range, and which we assumed to be the correct IP of interest.
A similar case happened when we found IP 212.209.74.126 for headlines2day.com with <dnshistory.org>: https://dnshistory.org/historical-dns-records/a/headlines2day.com.
It is interesting to note that Reuters seems to have featured disproportionately many hits from that range, one wonders why that happened. It is possible that they chose these because they actually didn't have any nearby hits to give away less obvious information, though they did pick some from the ranges as well.
In what follows we list the domains with possible reverse IPs and what was explored so far for each. We consider IPs not in a range to be uncertain, and that instead their domains might have been previously in a range which we
dailynewsandsports.com. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>
* 216.119.129.94. rdns source: <viewdns.info> "location": "United States", "owner": "A2 Hosting, Inc.", "lastseen": "2012-04-13". Tested viewdns.info range: 216.119.129.85 - 216.119.129.86, 216.119.129.89 - 216.119.129.99, ran out of queries for 87 and 88
* 216.119.129.90: eastdairies.com 2011-04-04. Promising name and date, but no archives alas.
* 216.119.129.97: miideaco.com 2016-02-01
* 216.119.129.114 Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>, also present on viewdns.info but at a later date from previous "location": "United States", "owner": "A2 Hosting, Inc.", "lastseen": "2013-11-29". Tested viewdns.info range: 216.119.129.109 - 216.119.129.119
* 216.119.129.110: dommoejmechty.com.ua. Legit.
* 216.119.129.111: dailybeatz.com: Legit
* 216.119.129.113:
* audreygeneve.com
* reyzheng.com
* jacintorey.com
* 216.119.129.114: dailynewsandsports.com. hit.
* 216.119.129.115: afxchange.com legit/broken
* 216.119.129.116: danafunkfinancial.com: legit
* 208.73.33.194 on <securitytrails.com>
iranfootballsource.com:
* 34.98.99.30 Kansas City - United States Google LLC 2021-05-24
* 184.168.221.94 United States GoDaddy.com 2020-07-21
* 50.63.202.66 United States GoDaddy.com 2020-07-07
* 50.63.202.86 United States GoDaddy.com 2020-05-28
* 184.168.221.94 United States GoDaddy.com 2020-05-13
* 50.63.202.74 United States GoDaddy.com 2020-04-29
* 50.18.223.191 San Jose - United States Amazon.com 2015-03-23. Sources: <2013 DNS Census> and <viewdns.info>
* no viewdns.info hits +- 10
* 85.13.200.108 United Kingdom Coreix Dedicated Customer Allocation 2013-06-30. Source: <viewdns.info>
* 85.13.200.108: 1000 hits, so unlikely to be the one
iraniangoalkicks.com:
* 68.178.232.100: reverse IP source: <viewdns.info>. See rastadirect.net.
* 208.71.138.130 2010-02-22 -> 2010-08-06, QWK.net Hosting, L.L.C.. source: https://dnshistory.org/historical-dns-records/a/iraniangoalkicks.com. Large shared hosting domain, no good nearby hits, several legit sites.
iraniangoals.com:
* 68.178.232.100: see rastadirect.net
* 69.65.33.21 - Flushing - United States - GigeNET - 2011-09-08. Also at: https://dnshistory.org/historical-dns-records/a/iraniangoals.com 2009-08-03 -> 2011-01-12 69.65.33.21
* 69.65.33.2: onemincustomerservice.com. https://web.archive.org/web/20091015044922/http://www.onemincustomerservice.com/[]. Doesn't feel like a hit.
* 69.65.33.5: 400+ domains
* 69.65.33.6: 4 domains but recent resolutions only
* similar status for everything else within +-20. A couple of domains, no easy hits
football-enthusiast.com:
* 212.4.18.14: Tested viewdns.info range: 212.4.18.1 - 212.4.18.29. This is a curious case, rather close to 212.4.18.129 sightseeingnews.com, but not quite in the same range apparently. Viewdns.info also agrees on its history with only "212.4.18.14", "location" : "Milan - Italy", "owner" : "MCI Worldcom Italy Spa", "lastseen" : "2013-06-30" of interest.
rastadirect.net:
* 68.178.232.100 - United States - GoDaddy.com - 2011-05-02. Reverse IP source: <viewdns.info>
* +-20 range: several domains on each IP, but can't find any hits easily
There are actually talk pages about this IP
* https://community.spiceworks.com/
* https://talk.plesk.com/threads/warning-the-domain-resolves-to-another-ip-address.77764/
* https://support.google.com/cloudidentity/answer/2579934?hl=en actually used as an example here?
* 209.162.192.49: source: <securitytrails.com>
todaysengineering.com:
* 208.254.38.39. rdns source: both <viewdns.info> and <2013 DNS Census>. Tested viewdns.info range: 208.254.38.34 - 208.254.38.44. Weirdly empty, doesn't even show the domain itself!
* 68.178.232.100: source: <securitytrails.com>. 2009-11-24 - 2009-12-11, GoDaddy.com, LLC
worldofonlinenews.com:
* https://dnshistory.org/historical-dns-records/a/worldofonlinenews.com 2015-12-15 -> 2016-04-21 108.167.161.90 presumably from the legit era
* https://viewdns.info/iphistory/?domain=worldofonlinenews.com
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-07-02 virtual
* 207.150.191.68 Saudi Arabia Saudi Telecom Company JSC 2011-04-04 virtual
mywebofnews.com:
* https://dnshistory.org/historical-dns-records/a/mywebofnews.com 2010-03-09 -> 2010-08-14 207.150.191.68 But this has several hits for the same IP on <DNS Census 2013> which is unusual:
``
3xhunter.com|2012-04-12T07:53:24|207.150.191.68
dreamersoul.net|2012-04-11T22:06:18|207.150.191.68
exdump.com|2012-02-03T11:42:44|207.150.191.68
``
* https://viewdns.info/iphistory/?domain=mywebofnews.com no hits
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-07-27 virtual
* 207.150.191.68 Saudi Arabia Saudi Telecom Company JSC 2011-06-22 virtual
cyhiraeth-intlnews.com:
* https://dnshistory.org/historical-dns-records/a/cyhiraeth-intlnews.com 2009-07-31 -> 2011-01-05 0.0.0.0 WTF?
* https://viewdns.info/iphistory/?domain=cyhiraeth-intlnews.com
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-07-27 virtual
* 0.0.0.0 Unknown Unknown 2011-07-02. Hmm also the 0.0.0.0. Weird!
news-latina.com:
* https://dnshistory.org/historical-dns-records/a/news-latina.com 2010-03-11 -> 2010-08-16 64.92.111.3. this has several hits for the same IP on <DNS Census 2013> which is unusual. Tested viewdns.info range: 64.92.111.1 - 64.92.111.13
* 64.92.111.2 virtual
* 64.92.111.3 virtual
* https://viewdns.info/iphistory/?domain=news-latina.com
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-08-11 virtual
* 64.92.111.3 United States MASSIVE-NETWORKS 2011-07-27 virtual
europeannewsflash.com:
* https://viewdns.info/iphistory/?domain=europeannewsflash.com
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-10-09 virtual
* 216.131.66.209 San Francisco - United States STRTEC 2011-09-08. Tested viewdns.info range: 216.131.66.201 216.131.66.219
* https://dnshistory.org/historical-dns-records/a/europeannewsflash.com 2010-02-06 -> 2010-08-02 216.131.66.209. Tested.
outlooknewscast.com:
* https://dnshistory.org/historical-dns-records/a/outlooknewscast.com
* 2009-08-08 -> 2011-02-11 74.53.159.130. Tested viewdns.info range: 74.53.159.120 - 74.53.159.140
* 74.53.159.130: aeromedhistory.org 2014-11-29
* 74.53.159.130: mariposahorticultural.com 2022-11-28
* 74.53.159.130: thewritestuffresume.com 2011-04-04. Legit.
* https://viewdns.info/iphistory/?domain=outlooknewscast.com
* 204.93.178.121 Chicago - United States SERVERCENTRAL 2011-09-08. Tested viewdns.info range: 204.93.178.111 - 204.93.178.131. Skimmed through, nothing of great interest.
* 74.53.159.130 United States SOFTLAYER 2011-04-04. Tested.
24hoursprimenews.com:
* https://dnshistory.org/historical-dns-records/a/24hoursprimenews.com 2009-12-14 -> 2011-10-04 216.9.68.24. Virtual.
* https://viewdns.info/iphistory/?domain=24hoursprimenews.com 216.9.68.24 United States VONAGE-BUSINESS 2012-01-11. Tested.
farsi-newsandweather.com:
* https://dnshistory.org/historical-dns-records/a/farsi-newsandweather.com 2010-02-07 -> 2010-08-03 69.49.101.19. Tested viewdns.info range: 69.49.101.9 - 69.49.101.19
* https://viewdns.info/iphistory/?domain=farsi-newsandweather.com
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-01-11 virtual
* 69.49.101.19 Canada INFB-AS 2011-11-13. Tested.
global-view-news.com:
* https://dnshistory.org/historical-dns-records/a/global-view-news.com 2010-02-13 -> 2010-08-04 67.220.228.130. Tested viewdns.info range: 67.220.228.120 - 67.220.228.160:
* 67.220.228.150: investfromhome.co.uk 2011-09-05. No archives.
* https://viewdns.info/iphistory/?domain=global-view-news.com
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-01-11 virtual
* 69.90.161.195 Canada COGECO-PEER1 2011-09-08. Unknown. Tested viewdns.info range: 69.90.161.185 69.90.161.205. Some virtual misses.
health-men-today.com:
* https://dnshistory.org/historical-dns-records/a/health-men-today.com
* 2009-11-30 -> 2010-05-27 67.220.228.224. New range with global-view-news.com? Tested viewdns.info range: 67.220.228.214 67.220.228.234
* 67.220.228.223: stagedwithdistinction.com 2011-10-09. One archive of godaddy only.
* 2009-08-01 -> 2009-09-19 69.42.58.50. Tested viewdns.info range: 69.42.58.40 - 69.42.58.60. Virtuals, canada.
* 2011-01-07 -> 2011-01-07 69.90.162.165. Tested viewdns.info range: 69.90.162.155 - 69.90.162.175. Virtuals.
* https://viewdns.info/iphistory/?domain=health-men-today.com
* 204.11.56.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2014-04-19. Virtuals.
* 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20. Unknown range.
* 69.90.162.165 Canada COGECO-PEER1 2012-06-29. Tested.
firstnewssource.com:
* https://dnshistory.org/historical-dns-records/a/firstnewssource.com
2010-02-09 -> 2010-02-09 67.220.228.150 TODO new range with global-view-news.com? Tested.
2010-08-03 -> 2010-08-03 69.90.162.70 TODO new range with global-view-news.com?
theworldnewsfeeds.com:
* https://dnshistory.org/historical-dns-records/a/theworldnewsfeeds.com no hits
* https://viewdns.info/iphistory/?domain=theworldnewsfeeds.com
* 199.19.110.7 Los Angeles - United States FIBER-LOGIC 2012-01-11 unknown range
* 74.200.252.212 United States RACKSPACE 2011-11-13 unknown range
pars-technews.com:
* https://dnshistory.org/historical-dns-records/a/pars-technews.com 2009-08-08 -> 2011-02-13 74.220.219.104 Tested viewdns.info range: 74.220.219.94 74.220.219.114. Virtuals.
* https://viewdns.info/iphistory/?domain=pars-technews.com 74.220.219.104 United States UNIFIEDLAYER-AS-1 2012-11-12. Tested.
newdaynewsonline.com:
* https://dnshistory.org/historical-dns-records/a/newdaynewsonline.com 2010-03-10 -> 2010-08-15 76.163.54.16. Tested viewdns.info range: 76.163.54.6 76.163.54.26
* 76.163.54.23: leewoodwork.com 2014-07-05
* https://viewdns.info/iphistory/?domain=newdaynewsonline.com
* 74.91.154.56 United States INTERNAP-BLOCK-4 2012-11-12 unknown range. Tested viewdns.info range: 74.91.154.46 74.91.154.66
* 74.91.154.61: benefitsla.com 2013-04-21. Legit.
* 76.163.54.16 United States WINDSTREAM 2011-09-08 unknown range. Tested.
sportsnewsfinder.com:
* https://dnshistory.org/historical-dns-records/a/sportsnewsfinder.com 2009-08-11 -> 2011-02-24 66.113.196.128. Tested viewdns.info range: 66.113.196.118 66.113.196.138.
* https://viewdns.info/iphistory/?domain=sportsnewsfinder.com
* 50.63.202.58 United States AS-26496-GO-DADDY-COM-LLC 2013-03-23 some similar hits on other sites, possibly all flukes
* 207.150.219.159 United States AFFINITY-INTER 2013-03-02
* 66.113.196.128 United States NETNATION 2012-01-11. Tested.
newsworldsite.com:
* https://viewdns.info/iphistory/?domain=newsworldsite.com
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2013-05-20 big virtual
* 204.93.159.80 Chicago - United States SERVERCENTRAL 2013-04-21. Tested viewdns.info range: 204.93.159.70 204.93.159.90
* 204.93.159.84: team-merk.com 2011-08-11. No archives.
todaysnewsreports.net:
* https://viewdns.info/iphistory/?domain=todaysnewsreports.net
* 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-07-01
* 205.178.189.129 United States NETWORK-SOLUTIONS-HOSTING 2013-05-20 likely virtual
* 173.255.131.72 Reno - United States UK-2 Limited 2012-08-27. Tested viewdns.info range: 173.255.131.62 173.255.131.82. Virtual and modern hits only.
* 67.213.211.232 United States UK-2 Limited 2011-09-07 unknown. Tested viewdns.info range: 67.213.211.222 67.213.211.242
* 67.213.211.236: icf-finan.com 2015-01-20
* 67.213.211.237: playinside.me 2016-02-04. Nice domain hack, but no.
* 67.213.211.239: reality-sexxx.com 2011-09-08
hassannews.net:
* https://viewdns.info/iphistory/?domain=hassannews.net
* 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-07-08
* 205.178.189.131 United States NETWORK-SOLUTIONS-HOSTING 2013-07-01. Likely virtual.
weblognewsinfo.com:
* https://dnshistory.org/historical-dns-records/a/weblognewsinfo.com 2010-05-10 -> 2010-10-07 64.120.20.234
* https://viewdns.info/iphistory/?domain=weblognewsinfo.com
* 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-09-26 virtual
* 173.208.81.2 Lombard - United States LEASEWEB-USA-CHI 2013-06-30 virtual with newsincirculation.com
newsincirculation.com
* https://dnshistory.org/historical-dns-records/a/newsincirculation.com
* 2010-03-10 -> 2010-08-15 64.120.20.234 virtual with weblognewsinfo.com
* 2013-11-26 -> 2013-11-26 70.32.43.226
* https://viewdns.info/iphistory/?domain=newsincirculation.com
* 70.32.43.226 Lombard - United States LEASEWEB-USA-CHI 2014-01-31
* 50.63.202.77 United States AS-26496-GO-DADDY-COM-LLC 2013-10-19. virtual?
* 70.32.43.226 Lombard - United States LEASEWEB-USA-CHI 2013-09-26 virtual?
* 69.147.228.5 Chicago - United States LEASEWEB-USA-CHI 2012-11-12 unknown. Tested viewdns.info range: 69.147.228.1 69.147.228.15. Nope.
* 173.208.81.2 Lombard - United States LEASEWEB-USA-CHI 2011-04-04 virtual
todayoutdoors.com:
* https://dnshistory.org/historical-dns-records/a/todayoutdoors.com
* 2009-08-11 -> 2010-07-07 174.133.44.90. Tested viewdns.info range: 174.133.44.80 174.133.44.100. Virtual and modern.
* 2011-03-01 -> 2011-03-01 174.123.172.82 unknown. Tested viewdns.info range: 174.123.172.72 174.123.172.92. Virtuals.
* https://viewdns.info/iphistory/?domain=todayoutdoors.com
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-07-02 virtual
* 174.123.172.82 United States SOFTLAYER 2011-04-04. Tested.
esmundonoticias.com:
* https://dnshistory.org/historical-dns-records/a/esmundonoticias.com 2010-02-05 -> 2010-08-02 216.93.248.194. Tested viewdns.info range: 216.93.248.184 216.93.248.204
* 216.93.248.194: coxsackielive.com 2012-06-29. No archives.
* 216.93.248.194: datapakassociates.org 2012-04-27. No archives.
* 216.93.248.194: easywebworld.net 2012-02-27. Broken: https://web.archive.org/web/20101229051406/http://easywebworld.net/
* 216.93.248.194: esmundonoticias.com 2012-01-11
* 216.93.248.194: kukrinews.com 2011-06-22. Hit.
* https://dnshistory.org/historical-dns-records/a/kukrinews.com 2010-02-26 -> 2010-08-07 216.93.248.194
* https://viewdns.info/iphistory/?domain=kukrinews.com 216.93.248.194 Malden - United States TWDX 2011-06-22
* 216.93.248.194: librarianhelper.com 2013-06-30. <Parked domain girl>
* 216.93.248.194: tech-geek-news.com 2012-01-11. Very broken, Arabic script, but seems legit.
* 216.93.248.194: ualbanycornerstone.org 2012-04-13. Legit.
* https://viewdns.info/iphistory/?domain=esmundonoticias.com 216.93.248.194 Malden - United States TWDX 2012-01-11. Tested.
globaltourist.net:
* https://dnshistory.org/historical-dns-records/a/ 2009-07-30 -> 2011-01-01 69.59.20.215 unknown. Tested viewdns.info range: 69.59.20.205 69.59.20.225. Virtuals.
* https://viewdns.info/iphistory/?domain=globaltourist.net
* 216.172.170.14 United States NETWORK-SOLUTIONS-HOSTING 2013-07-08
* 216.21.239.197 United States NETWORK-SOLUTIONS-HOSTING 2012-06-25
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-04-09 big virtual
* 174.136.34.154 United States IHNET 2012-03-12 unknown. Tested viewdns.info range: 174.136.34.144 174.136.34.164
* 74.119.145.101 Frankfurt am Main - Germany PERFORMIVE 2011-09-07. Tested viewdns.info range: 74.119.145.91 74.119.145.111. One virtual.
* 69.59.20.215 United States ATLRETAIL 2011-06-22. Tested
all-sport-headlines.com:
* https://viewdns.info/iphistory/?domain=all-sport-headlines.com
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-11-12 virtual
* 216.104.38.114 United States SINGLEHOP-LLC 2012-09-21. Tested viewdns.info range: 216.104.38.104 216.104.38.124
* 216.104.38.110: afterawhilecrocodile.info 2011-07-26. Legit.
technologytodayandtomorrow.com:
* https://viewdns.info/iphistory/?domain=technologytodayandtomorrow.com
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-11-13 virtual
* 72.34.53.174 United States IHNET 2011-09-08. Tested viewdns.info range: 72.34.53.164 72.34.53.184
* 72.34.53.166: bjellaagency.com 2023-03-07
* 72.34.53.174: businesscardprinternyc.info 2012-04-18
* 72.34.53.174: dermozamsoe106.com 2011-07-02
* 72.34.53.174: electronictechreviews.com 2011-09-08. Hit.
* 72.34.53.174: glialcells2009paris.com 2012-11-12
* 72.34.53.174: hysfreedom.net 2013-07-08. Legit.
* 72.34.53.174: integrativetherapiesec.com 2013-06-30
* 72.34.53.174: intloil.org 2012-04-27. Possible hit, a bit off style, but possibly because too broken. Copyright 2005. Present at https://pastebin.com/CTXnhjeSp[].
* 72.34.53.174: islamicnewsonline.com 2013-03-23. No archives in date range.
* 72.34.53.174: larumbaknox.com 2012-01-11. <Parked domain girl>
* 72.34.53.174: myonlinegamesource.com 2012-01-11
* 72.34.53.174: mytravelopian.com 2011-04-04. Feels legit, but there's some chance.
* 72.34.53.174: recursosdenoticias.com 2012-06-29. Hit.
* 72.34.53.174: todaysnewsandweather-ru.com 2012-01-11. Hit.
* 72.34.53.181: theebizguy.com 2022-12-26
* 72.34.53.183: nofatchics.com 2012-01-11
terrain-news.com:
* https://web.archive.org/web/20110202060511/http://terrain-news.com/internetspeed.jar[JAR]
* https://viewdns.info/iphistory/?domain=terrain-news.com None in simple ranges.
* 204.11.56.25 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-11-08. Virtuals.
* 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20. Virtual 167. https://viewdns.info/reverseip/?host=208.91.197.19&t=1 not very promising.
* 208.187.167.20 United States DATANOC 2012-01-11. Tested viewdns.info range: 208.187.167.10 208.187.167.30. Newer domains.
intlnewsdaily.com
* https://dnshistory.org/historical-dns-records/a/intlnewsdaily.com 2010-02-21 -> 2010-08-06 75.126.136.179. unknown range.
* https://viewdns.info/iphistory/?domain=intlnewsdaily.com
* 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20. Virtual. Tested.
* 63.247.95.50 Austell - United States NTHL 2012-06-29 unknown. Tested viewdns.info range: 63.247.95.40 63.247.95.60
* 63.247.95.50: 2b-sports.com 2013-04-21
* 63.247.95.50: caldentalinsurance.com 2014-07-05
* 63.247.95.50: cameronbal-photography.com 2012-06-29
* 63.247.95.50: congbetham.com 2014-07-05
* 63.247.95.50: essentialintelligenceagency.com 2023-03-07
* 63.247.95.50: isabellavalentina.com 2014-07-05
* 63.247.95.50: jhraccounting.com.au 2021-05-03
* 63.247.95.50: missouribreaks294.com 2012-06-29
* 63.247.95.50: startorganize.com 2011-08-11
* 63.247.95.50: tifocus.net 2011-08-11
* 63.247.95.50: tifocus.org 2011-08-10
* 63.247.95.50: whitepartyorlando.com 2012-01-11
* 204.11.56.25 (<ipinf.ru>)
opensourcenewstoday.com:
* https://viewdns.info/iphistory/?domain=opensourcenewstoday.com
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-11-13 virtual
* 64.16.193.48 Riyadh - Saudi Arabia Saudi Telecom Company JSC 2011-09-08. Tested viewdns.info range: 64.16.193.38 64.16.193.41. Ran out.
techwatchtoday.com:
* https://dnshistory.org/historical-dns-records/a/techwatchtoday.com 2009-08-11 -> 2011-02-26 66.11.225.226 big shared host
* https://viewdns.info/iphistory/?domain=techwatchtoday.com
* 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-11-29 virtual
* 66.11.225.226 United States TNWEB-LEW-001 2012-01-11 unknown
= Possible hits that are too broken to be sure
{parent=Hits without nearby IP hits}
Possible hits whose archives are too broken to be easily certain. If:
* <Hits without nearby IP hits>[nearby IP hits]
* proper reverse engineering of their comms if any, or any other page fingerprints
were to ever be found, these would be considered hits.
* 216.97.231.56 nouvelles-d-aujourdhuis.com. https://web.archive.org/web/20110128173431/http://nouvelles-d-aujourdhuis.com/[2011]. Stylistically perfect, but no nearby IP hits. Maybe looking into HTML would help confirm:
* `rss-items`
But wrong IP? likely <CGI comms variant> under the signup page: https://web.archive.org/web/20090405045548/http://nouvelles-d-aujourdhuis.com/members.html[].
Tested <viewdns.info> range: 216.97.231.46 - 216.97.231.66. Not a single reverse IP hit in there.
<viewdns.info> also assigns it 50.63.202.46, GoDaddy.com, LLC, 2013-11-08 in addition to 216.97.231.56, Canada, IPXO LLC, 2013-09-06. This is very near other iranfootballsource.com flukes, so likely useless.
<securitytrails.com> also gives it one earlier IP 209.200.240.250 last seen 2008-09-20: https://securitytrails.com/domain/nouvelles-d-aujourdhuis.com/history/a Hydra Communications Ltd before 216.97.231.56 "ASU doctor" first seen 2008-09-20 (15 years). Tested viewdns.info range: 209.200.240.240 - 209.200.240.260 empty at the time of interest.
Marked copyright 2006, so mega early.
africainnews.com
* no archives of the HTML
* https://web.archive.org/web/20110202135525/http://africainnews.com/africainnews.swf[SWF]. A reverse engineering of the SWF should be able to confirm.
* https://web.archive.org/web/20111007194814/http://africainnews.com/robots.txt
* https://dnshistory.org/historical-dns-records/a/africainnews.com
* 2009-12-29 -> 2010-07-28 72.167.232.43. Tested viewdns.info range: 72.167.232.33 - 72.167.232.53. Several virtual hosts there.
* 2011-10-14 -> 2011-10-14 68.178.232.100 virtual
* 2012-08-12 -> 2012-08-12 97.74.42.79. Tested viewdns.info range: 97.74.42.69 - 97.74.42.89
* 97.74.42.74: landtex.net 2023-03-22
* 97.74.42.76: solidasshonky.com 2023-03-07
* 97.74.42.77: solidasshonky.com 2023-03-07
* 97.74.42.78: blakebrothers.co 2018-05-05
* 97.74.42.78: learningjbe.com 2023-02-02
* 97.74.42.78: solidasshonky.com 2023-03-07
* 97.74.42.78: sourceuae.com 2023-03-07
* 97.74.42.78: superiorfoodservicesales.com 2017-09-10
* 97.74.42.79: large virtual
* 97.74.42.80: waiasialtd.com 2016-10-17
* https://viewdns.info/iphistory/?domain=africainnews.com
* 50.63.202.92 United States AS-26496-GO-DADDY-COM-LLC 2013-06-30. Likely large virtual.
* 97.74.42.79 United States AS-26496-GO-DADDY-COM-LLC 2013-05-20. tested.
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-06-29 virtual
* 68.178.232.99 United States AS-26496-GO-DADDY-COM-LLC 2011-11-13
* 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-10-09 virtual
* 72.167.232.43 United States GO-DADDY-COM-LLC 2011-09-08. Tested.
globalsentinelsite.com
* https://dnshistory.org/historical-dns-records/a/globalsentinelsite.com 2010-02-13 -> 2010-08-04 74.124.210.249 unknown
* https://viewdns.info/iphistory/?domain=globalsentinelsite.com 74.124.210.249 United States INMOTION 2011-11-13 unknown
https://viewdns.info/reverseip/?host=74.124.210.249&t=1 has 347 hits
| <Hits without nearby IP hits>[?]
| globalsentinelsite.com
| https://web.archive.org/web/20110201094751/http://globalsentinelsite.com/[2011]
| English
|
| https://web.archive.org/web/20110201094846/http://globalsentinelsite.com/steps.jar[JAR]
| news
| wide, has a few sections, but somewhat shallow. Copyright 2008.
todaysolar.com. This might just be legit, but keeping it around just in case.
| https://web.archive.org/web/20110207094740/http://todaysolar.com/[2011]
| https://web.archive.org/web/20110207094748/http://todaysolar.com/AdBannerDeploy.jar[JAR]
| https://dnshistory.org/historical-dns-records/a/todaysolar.com 2009-08-11 -> 2011-03-01 74.208.62.112 unknown
| https://viewdns.info/iphistory/?domain=todaysolar.com 74.208.62.112 United States PROFITBRICKS-USA 2012-11-12
= Hits with nearby IP hits
{parent=IP range search}
alljohnny.com: one of <the Reuters websites>.
* 208.91.197.132: rdns source: <viewdns.info>. Big virtual.
* 65.218.91.17: rdns source? : <viewdns.info>. Tested viewdns.info range: 65.218.91.13 - 65.218.91.17
* 65.218.91.9: welcometonyc.net. Hit. rdns source: <ipinf.ru>. Later also at 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-10-21 by <viewdns.info>
* also on: 65.218.91.17,
* international-smallbusiness.com. Stylistic match, but some uncommon features like the country selector dropdown.
* Archives:
* https://web.archive.org/web/20110202031627/http://international-smallbusiness.com/
* https://web.archive.org/web/20120114080103/http://www.international-smallbusiness.com:80/sa.html
* https://web.archive.org/web/20110202031657/http://international-smallbusiness.com/style.css
Also a potential unarchived <CGI comms>: https://web.archive.org/web/20110202031627/https://ssl.international-smallbusiness.com/cgi-bin/starting.cgi Perhaps with some better HTML reversing we could confirm a hit.
* 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-10-19. Big virtual.
* 65.218.91.17 United States UUNET 2013-09-06
* 216.168.229.50: whoisxmlapi 2008-09-01 (15 years) 2010-04-17. Checked viewdns.info range: 216.168.229.45 - 216.168.229.55
62.22.60.49: telecom-headlines.com. Found with: visual inspection of full <2013 DNS Census virtual host cleanup> list just before worldnewsnetworking.com. Tested viewdns.info range: 62.22.60.34 - 62.22.60.66
* 62.22.60.33: newsperk.com. Unclear. Stylistically perfect, but comms not found. https://web.archive.org/web/20110208070523/http://newsperk.com/[2011]. English. Egypt. news.
* 62.22.60.34: freeslideshow.net. Legit? Attempting to open any HTML archives leads to an infinite page load loop, e.g. https://web.archive.org/web/20101230001635/http://www.freeslideshow.net/[2010]. A subpage however exists: https://web.archive.org/web/20101230001640/http://freeslideshow.net/index_files/a.htm[] and appears legit.
* 62.22.60.40: travel-passage.com. Unclear. No archives of toplevel, only subpage: https://web.archive.org/web/20091118013330/http://travel-passage.com:80/service-flights.htm[2009]. No clear comms. Chinese.
* 62.22.60.42: newsupdatesite.com. Hit.
* 62.22.60.46: flyingtimeline.com. Hit.
* 62.22.60.47: globalemergenceadvisorsbkserver.com. Legit.
* 62.22.60.48: currentcommunique.com. Hit.
* 62.22.60.49: telecom-headlines.com. Hit.
* 62.22.60.52: collectedmedias.com. Hit.
* 62.22.60.54: romulusactualites.com. No archives.
* 62.22.60.55: thefilmcentre.com. Hit.
* 62.22.60.56: traveltimenews.com. Hit.
62.22.61.206 worldnewsnetworking.com. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>. Tested viewdns.info range: 62.22.61.188 - 62.22.61.224
* 62.22.61.193: awfaoi.org. Hit.
* 62.22.61.197: rc5sports.com. Hit.
* 62.22.61.198: inside-vc.com. Hit.
* 62.22.61.202: bailsnboots.com. Hit.
* 62.22.61.203: the-cricketer-online.com. Hit.
* 62.22.61.204: hollywoodscreen.net. Hit.
* 62.22.61.206: worldnewsnetworking.com. Hit.
* 62.22.61.212: nuestrasfinanzas.com. Hit.
* 62.22.61.215: the-tech-mind.com. Welcome to the US Petabox
* 62.22.61.217: court-masters.com. Hit.
* 62.22.61.219: allworldstatistics.com. Hit.
* 62.22.61.220: newsjaka.com. Hit.
* 62.22.61.221: biochemresource.com. Archive broken/empty. One archive: contains an epically long URL that might shed light into something: https://web.archive.org/web/20120529121245/http://www.biochemresource.com/?fp=iboHtuxnjLG66y52DkK1xCFuZDBnVC8wovQepLt2Tk%2Bo1JIgIdVb6WL8kv6sSOEtxwcq4EbiJ0GxFY9N6HSWlg%3D%3D&prvtof=97vgfKVqt1Sd68qgNDPXB0o7Rwo%2FO3GKiiMG7fane6A%3D&poru=Zd9DHFaHFZ6ZrRLm8SW3egagqvdpzHhWb%2FoulRGeEYIUSVATB5gwTIDhluetONjG7xovtb%2FrvDStoqiAF1O8wA%3D%3D&[]. Asked at: https://stackoverflow.com/questions/47310661/any-idea-what-are-fp-prvtof-poru-in-a-url but no reply so far. One day my friend, one day.
* 62.22.61.222: www.news-blitz-ar.com (<ipinf.ru>). No archives. Perfect theme match.
63.131.229.12 cyberreportagenews.com. Tested viewdns.info range: 63.131.228.248 - 63.131.229.30
* 63.131.229.2: fightskillsresource.com. Hit
* 63.131.229.4: unitedterritorynews.com. Hit
* 63.131.229.9: show-dustry.com. Hit
* 63.131.229.10: afghanpoetry.net. Hit. Also at 74.254.12.166 in another range.
* 63.131.229.11: mythriftytrip.com. Hit
* 63.131.229.12: cyberreportagenews.com. Hit.
* 63.131.229.13: sunrise-news.com. Hit.
* 63.131.229.15: cricketnewsforindia.com. Archive quite broken, likely hit.
* 63.131.229.16:
* nutricion-saludable.info. No archives.
* nutricion-saludable.net. Hit.
* 63.131.229.18: itnl-xchange.com. Hit.
* 63.131.229.20:
* fixashion.net. Hit.
* a few others
63.130.160.50 theglobalheadlines.com. Found with: <2013 DNS census secureserver.net MX records intersection 2013 DNS Census virtual host cleanup>. Tested viewdns.info range: 63.130.160.35 - 63.130.160.75
* 63.130.160.50: theglobalheadlines.com. Hit.
* 63.130.160.51:
* hai-pow.com. Hit.
* secudenetworksecurity.com. No archives.
* 63.130.160.53: echessnews.com. Hit.
* 63.130.160.59: technologiewissen.com. No archives from the time. Would be Technology knowledge in German, so another likely German hit. Shame.
* 63.130.160.60: boxingstop.net. Hit.
* 63.130.160.61: bookmarksthis.com. No archives.
* 63.130.160.62: azerinews.org. Hit.
64.16.204.55 holein1news.com. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>. Tested viewdns.info range: 64.16.204.50 - 64.16.204.63. Why did Wayback Machine have so few archives here? TODO stopping viewdns.info exploration a bit short due to that.
* 64.16.204.35: ironcityfootball.com. Legit/broke.
* 64.16.204.51: africannewsandsports.com. No archives. rdns source: <viewdns.info>
* 64.16.204.53: bosniakbusinessnews.com. No archives. A https://en.wikipedia.org/wiki/Bosniaks[Bosniak] is someone from an ethnicity from Bosnia.
* 64.16.204.54: affairesdumonde.com. No archives. rdns source: <viewdns.info>
* 64.16.204.55: holein1news.com. Hit.
* 64.16.204.56: fightorgohome.com. No archives. rdns source: <viewdns.info>
* 64.16.204.58: tech-topix.com. Hit.
* 64.16.204.60: pakpoldaily.com. No archives. rdns source: <viewdns.info>. TODO meaning? Might be Indonesian, maybe linked to police: https://www.facebook.com/watch/?v=880204266271955
65.61.127.163 capture-nature.com. https://whois.arin.net/rest/net/NET-65-61-96-0-1/pft?s=65.61.127.163: Net Range: 65.61.96.0 - 65.61.127.255. Organization. Name: TierPoint, LLC. Tested viewdns.info range: 65.61.127.149 -
* 65.61.127.46: anahuacchamber.com 2012-12-22T14:59:01
* 65.61.127.117: medicaresupplementalinsurance.com, 2013-08-21T09:49:41. Legit.
* 65.61.127.121: counter-images.com 2013-08-22T11:14:44: https://web.archive.org/web/20110208173132/http://www.counter-images.com/
* 65.61.127.125 zaphound.com 2013-08-21T02:25:40. Legit.
* 65.61.127.130: ambitions.org 2013-08-22T01:43:40. Legit.
* 65.61.127.161: european-footballer.com. 2011 archive. https://web.archive.org/web/20110319111233/http://european-footballer.com/[]. The website is quite broken so it is hard to say, but possible hit.
* 65.61.127.163: capture-nature.com. Hit.
* 65.61.127.164: futbolistico.net. 2012-02-20T03:25:33. Legit. https://web.archive.org/web/20130509004058/http://futbolistico.net/
* 65.61.127.165: travelconnectionsonline.com. Ciro initially thought this might be a hit. But upon Googling it, there's now a mirror at: https://travelconn.tripod.com/[]. Combined with the lack of a standard communications mechanism and the 2001 copyright, maybe it isn't a hit after all.
* 65.61.127.166: globalnewsbulletin.com: Hit.
* 65.61.127.167: internationalwhiskylounge.com. No <Wayback Machine> archives.
* 65.61.127.168: the-golden-rule.info 2013-09-20T02:13:52. Website error archived: https://web.archive.org/web/20131011012026/http://the-golden-rule.info/
* 65.61.127.169: crossovernews.net. Hit.
* 65.61.127.170: newsidori.com. Very broken 2013 archive: https://web.archive.org/web/20130714134510/http://www.newsidori.com/[2013]. "Idori" sounds Japanese, but the meaning is unclear.
* 65.61.127.171: nrgconsultingandnews.com. 2013-08-13T18:45:05. No archives.
* 65.61.127.172: premierstriker.com. No <Wayback Machine> archives from the time, and has been since parked by something apparently as of 2022 onwards. Last resolved: 2012-01-11.
* 65.61.127.174: dedrickonline.com. Hit.
* 65.61.127.175: altworldnews.com. Hit.
* 65.61.127.176: american-historyonline.com. No <Wayback Machine> archives. Last resolved: 2011-09-08.
* 65.61.127.177: material-science.org https://web.archive.org/web/20091213032538/http://material-science.org/[2009]. Shallow, narrow. No comms found. <.org hit>?
* 65.61.127.178: tee-shot.net. Hit.
* 65.61.127.180: screencentral.info. Buggy <Wayback Machine> archive from 2013: https://web.archive.org/web/20130713224951/http://screencentral.info/[]. Last resolved: 2013-05-08.
* 65.61.127.181: worldnewsandtravel.com. No <Wayback Machine> archives. Last resolved: 2011-11-13.
* 65.61.127.182: pangawana.com. Hit.
* 65.61.127.183: cutabovenews.com. Hit.
* 65.61.127.184: worldwildlifeadventure.com. Hit.
* 65.61.127.186: explorealtmeds.com. Hit.
* 65.61.127.194: 16 domains, so unclear.
* about-video-games.com: https://web.archive.org/web/20121013013710/http://about-video-games.com/
* aboutfaceonline.com: https://web.archive.org/web/20120701000000*/aboutfaceonline.com
* 65.61.127.200: cdl-link.com (<ipinf.ru>). Legit.
* 65.61.127.222: asianwhitecoffee.com 2012-07-16T09:21:05 https://web.archive.org/web/20110903080036/http://asianwhitecoffee.com/[]. Could be legit.
66.45.179.205 noticiasporjanua.com. Found with: <2013 DNS Census virtual host cleanup>. Tested viewdns.info range: 66.45.179.187 - 66.45.179.223
* 66.45.179.187: mail03.gatesfoundation.org. Legit.
* 66.45.179.192: thegraceofislam.com. Hit.
* 66.45.179.193: arabicnewsunfiltered.com. Hit.
* 66.45.179.194: raulsonsglobalnews.com. Hit.
* 66.45.179.195: aryannews.net. Hit.
* 66.45.179.199: attivitaestremi.com. Hit.
* 66.45.179.200: foodwineandsuch.com. No archives.
* 66.45.179.201: hitthepavementnow.com. Hit.
* 66.45.179.203: noticiascontinental.com. Hit.
* 66.45.179.205: noticiasporjanua.com. Hit.
* 66.45.179.206: podisticamondiale.com. Hit.
* 66.45.179.207: reflectordenoticias.com. Hit.
* 66.45.179.208: havenofgamerz.com. Hit.
* 66.45.179.209: vejaaeuropa.com. https://web.archive.org/web/20130810131440/http://www.vejaaeuropa.com/[]: Welcome to the US Petabox. Shame, could be another <Brazil> hit since "veja" (look in Brazilian Portuguese) would be "mira" in Spanish, not "veja".
* 66.45.179.210: sa-michigan.com. Hit.
* 66.45.179.211: absolutebearing.net. Hit.
* 66.45.179.212: grandretirement.net. No archives.
* 66.45.179.213: myportaltonews.com. Hit.
* 66.45.179.214: investmentintellect.com. Hit.
* 66.45.179.215: nigeriastar.net 2012-03-12. Hit.
66.104.169.184 bcenews.com. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>. Tested viewdns.info range: 66.104.169.158 - 66.104.169.189
* 66.104.169.162: bestsportsnews.net. Archive broken.
* 66.104.169.163: doctorsoncallsite.com. Hit.
* 66.104.169.164: lightandshadowonline.com. Hit.
* 66.104.169.168: plugged-into-news.net. Hit.
* 66.104.169.169: worldsportsite.com. Likely hit, but comms not found. https://web.archive.org/web/20110210071421/http://worldsportsite.com/[2011]. <Arabic>. sports. Has some apparently unrelated archives from 2008.
* 66.104.169.171: golf-on-holiday.com. Hit.
* 66.104.169.172: perspectiva-noticias.com. Hit.
* 66.104.169.175: aquaswimming.com. Hit.
* 66.104.169.177: dojo-temple.com. Hit.
* 66.104.169.179: neighbour-news.com. Hit.
* 66.104.169.180: medicatechinfo.com. Hit.
* 205.178.189.131: <securitytrails.com> 2009-06-25 - 2009-07-02 Network Solutions, LLC., "ip_count": 726755. Moved to new one 2009-07-02 - 2010-11-03
* 66.104.169.181: brickmanfinancialnews.com. Hit.
* 66.104.169.182: casanewsnow.com. Hit.
* 66.104.169.183: aworldofnews.com. No archives.
* 66.104.169.184: bcenews.com. Hit.
* 66.104.169.197: teamshula.com. Legit.
66.104.173.186 myworldlymusic.com. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>. Tested viewdns.info range: 66.104.173.158 - 66.104.173.194
* 66.104.173.161: fanatic-pc-gamers.com. https://web.archive.org/web/20130714014620/http://fanatic-pc-gamers.com/[2013]: Welcome to the US Petabox
* 66.104.173.163: runakonews.com. Hit.
* 66.104.173.164: shoppingadventure.net. Hit.
* 66.104.173.165: entertaining-ly.com. Hit.
* 66.104.173.166: zubeenews.com. Hit.
* 66.104.173.169: smart-financeology.com. Hit.
* 66.104.173.173: remarkably has two potential hits, both shown in <viewdns.info>, and one of them was also in the <2013 DNS Census>.
* worldfeedstoday.com. No main page archives. Subpage archive: https://web.archive.org/web/20110210024325/http://worldfeedstoday.com/sports.htm[2011]. English. news.
* world-newsfeeds.com. No archives.
* 66.104.173.175: media-coverage-now.com. Hit.
* 66.104.173.176: jbc-online-news.com. Hit.
* 66.104.173.177: webscooper.com. Hit.
* 66.104.173.178: dk-dcinvestment.com. Hit.
* 66.104.173.179: newsforthetech.com. Welcome to the US Petabox.
* 66.104.173.180: stara-turistick.com. Hit.
* 66.104.173.181: playbackpolitics.com. Hit.
* 66.104.173.182: snapnewsfront.net. Hit.
* 66.104.173.183: ingenuitytrendz.com. Hit.
* 66.104.173.184: armashoy.com. Hit.
* 66.104.173.185: baocontact.com. Hit.
* 66.104.173.186: myworldlymusic.com. Hit.
* 66.104.173.189: hitpoint-gaming.com. Hit.
66.104.175.40 beyondnetworknews.com. https://whois.arin.net/rest/net/NET-66-104-0-0-1/pft?s=66.104.175.40. Net Range:66.104.0.0 - 66.107.255.255. <2012 Internet Census> puts most/all hits in this range under ip66-104-175-34.z175-104-66.customer.algx.net, `algx.net` redirects to verizon.com as of 2023. Related: https://superuser.com/questions/956568/why-are-my-pings-going-to-customer-algx-net[]. Tested <viewdns.info> range: 66.104.175.24 - unknown
* 66.104.175.34: itwebtoday.com. Hit.
* 66.104.175.35: drglobalnews.com. Hit.
* 66.104.175.36: adilnews.net. Hit.
* 66.104.175.37: technewstogo.com. https://web.archive.org/web/20110201205946/http://technewstogo.com/ "UNDER CONSTRUCTION"
* 66.104.175.40: beyondnetworknews.com. Hit.
* 66.104.175.41: grubbersworldrugbynews.com. Hit.
* 66.104.175.44: yourtripfinder.net. Hit.
* 66.104.175.45: rollinsnetwork.com. Hit.
* 66.104.175.46: infosharenews.com. Hit.
* 66.104.175.47: southasiaheadlines.com. Hit.
* 66.104.175.48: worlddispatch.net. Hit.
* 66.104.175.49: webworldsports.com. Hit.
* 66.104.175.50: fly-bybirdies.com. Hit.
* 66.104.175.51: businessexchangetoday.com. Hit.
* 66.104.175.52: mensajeradenoticias.com. Hit.
* 66.104.175.53: info-ology.net. Hit.
* 66.104.175.54: marketflows.net. Hit.
* 66.104.175.57: metanewsdaily.com. Hit.
* 66.104.175.218: remote.taxconsultantsgroup.com. No archives.
66.175.106.148 activegaminginfo.com. https://whois.arin.net/rest/net/NET-66-175-106-128-1/pft?s=66.175.106.148[]: Net Range: 66.175.106.128 - 66.175.106.159. Customer Name: DIAMOND-COLESON. Tested <viewdns.info> range: 66.175.106.131 - 66.175.106.178
* 66.175.106.10: nationalchecktrust.com. Legit?
* 66.175.106.134: paddlescoop.com. Hit.
* 66.175.106.137: kessingerssportsnews.com. Hit.
* 66.175.106.138: factorforcenews.com. Hit.
* 66.175.106.140: aroundthemiddleeast.com. No <Wayback Machine> hits. Last resolved: 2012-06-29.
* 66.175.106.142: kanata-news.com. Hit.
* 66.175.106.143: thecricketfan.com. Hit.
* 66.175.106.146: inews-today.com. Initially found with <2013 DNS Census virtual host cleanup heuristic keyword searches> which gave IP address 193.203.49.212. But that has no nearby hits. 66.175.106.146 was later found on <viewdns.info>, and slotted into this other existing IP range.
* 193.203.49.211 datingso.com: legit? Russian dating website
* 193.203.49.212 inews-today.com. Hit.
* 193.203.49.223 zatysi.net: legit
* 193.203.49.226 kinotopik.com: legit? Russian
* 193.203.49.229 rotor-volgograd.com. Legit.
* 193.203.49.233 ordercytotec.com. Broken.
* 66.175.106.147: starwarsweb.net. Hit.
* 66.175.106.149: feedsdemexicoyelmundo.com. Hit.
* 66.175.106.150: noticiasmusica.net. Hit.
* 66.175.106.155: atomworldnews.com. Hit.
* 66.175.106.158: nouvellesetdesrapports.com. Hit.
* 66.175.106.166: exchange.katzbarron.com. Legit. Reverse IP source: <2012 Internet Census>
* 66.175.106.183: mail.lfdatacenter.com. No archives.
66.237.236.247 comunidaddenoticias.com. Tested viewdns.info range: 66.237.236.222 - 66.237.236.254
* 66.237.236.227: newsandmusicminute.com. Hit.
* 66.237.236.229: pearls-playlist.com 2011-11-13. Hit.
* 66.237.236.230: beyondthefringe.info 2013-01-02. Hit.
* 66.237.236.231: primetimemovies.net 2011-06-22. Hit.
* 66.237.236.235: persephneintl.com. Hit.
* 66.237.236.236: directoalgrano.net 2012-01-23. Hit.
* 66.237.236.240: actualizaciondebeisbol.com. Hit.
* 66.237.236.243: mygadgettech.com. Hit.
* 66.237.236.247: comunidaddenoticias.com. Hit.
* 66.237.236.249: sumerjaseahora.com. Hit.
69.84.156.90 stickshiftnews.com. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>. Tested viewdns.info range: 69.84.156.64 - 69.84.156.95
* 69.84.156.69: al-ashak-news-me.com. Hit.
* 69.84.156.70: theventurenews.info. No archives. business.
* 69.84.156.71: worldfinancetoday.net. Hit.
* 69.84.156.72: autonewsarabia.com. Hit.
* 69.84.156.74: blue-moon-news.com. Hit.
* 69.84.156.75: theoutergreen.com. No archives. Might have been another golf hit.
* 69.84.156.76: tnc-urdu.com. Hit.
* 69.84.156.79: jassimnews.com. No archives/broken.
* 69.84.156.80: noticiasdenuestromundo.com. No archives. Spanish. news.
* 69.84.156.82: arabicnewsonline.com. Hit.
* 69.84.156.83: unganadormundial.com. Hit.
* 69.84.156.84: focusonbokeh.com. No archives/broken. Only a "Sony" logo remains: https://web.archive.org/web/20110207222330/http://focusonbokeh.com/images/logo_014.jpg
* 69.84.156.85: classic-rocktopia.com. No archives. Presumably rock climbing.
* 69.84.156.87: i7diver.com. No archives.
* 69.84.156.88: diariodeelmundo.com. Hit.
* 69.84.156.89: todaysarabnews.com. Hit.
* 69.84.156.90: stickshiftnews.com. Hit.
* 69.84.156.91: theinternationalgoal.com. Hit.
74.116.72.236 techtopnews.com. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>. Tested viewdns.info range: 74.116.72.215 - 74.116.72.254
* 74.116.72.199: newsungraphics.com. Legit.
* 74.116.72.209: newsung.com. Legit/broken.
* 74.116.72.214: ofinancialinc.com. Legit.
* 74.116.72.219: stockpromoters.com. Legit.
* 74.116.72.227: dayenews.com. Hit.
* 74.116.72.229: guide-daventure.com. Hit.
* 74.116.72.230: spaceage-exchange.com. No archives.
* 74.116.72.231: bleachersfootballnews.com. Hit.
* 74.116.72.232: indirectfreekick.com. Hit.
* 74.116.72.233: wwiichronicles.net. Hit.
* 74.116.72.234: petroleumagenews.com. Hit.
* 74.116.72.235: the-open-book-online.com. Hit.
* 74.116.72.236: techtopnews.com. Hit.
* 74.116.72.237: noticiasdiariasdedeportes.com. No archives. Sad, another potential <Brazil> hit.
* 74.116.72.238: pohandakhbar.com. No archives. TODO meaning. "akhbar" is https://en.wikipedia.org/wiki/Akhbar[news in Arabic]. But what is "Poh"? Sounds like a South Asian name.
* 74.116.72.239: crickettoday.info. Hit.
* 74.116.72.240: zafernews.com. Hit.
* 74.116.72.241: itechnewstoday.com. Broken/GoDaddy takeover
* 74.116.72.242: gdgtsource.com. Hit.
* 74.116.72.243: waronfilmonline.com. No archives.
* 74.116.72.244: arborstribune.org. No archives.
* 74.116.72.245: wineenthusiastonline.com. Welcome to the US Petabox.
* 74.116.72.246: vuvuzelanews.com. Hit.
* 74.116.72.247: ballbatstumpsandbails.com. Hit.
* 74.116.72.248: kioni-sailing.com. No archives.
* 74.116.72.249: round-trip-travel.com. Hit.
* 74.116.72.250: arabicnewsource.com. Hit.
74.254.12.168 non-stop-news.net. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>. Tested viewdns.info range: 74.254.12.158 - 74.254.12.195. This domain exceptionally also has a second IP also with multihits: 207.239.196.230. The fact that the range has rdns sources with hits from both <2013 DNS Census> and <viewdns.info> suggests this range is correct.
* 74.254.12.163: half-court.net. Hit.
* 74.254.12.163: dailywellnessnews.com. Hit.
* 74.254.12.165: dylandon.net. Hit. rdns source: <viewdns.info>.
* 74.254.12.166: afghanpoetry.net. Hit.
* 74.254.12.168: non-stop-news.net. Hit.
* 74.254.12.169: soldiersofsouthasia.com. Hit.
* 74.254.12.170: greek-news.info. https://web.archive.org/web/20130714231117/http://greek-news.info/[2013]. Welcome to the US Petabox. rdns source: <viewdns.info>
* 74.254.12.171: autism-news.org. Hit.
* 74.254.12.172: thesportsguidebook.com. rdns source: <2013 DNS Census>. Only has archive of one subpage: https://web.archive.org/web/20091124114840/http://thesportsguidebook.com:80/swimming_clubs2.html[2009]. English. sports.
* 74.254.12.174: reliefline.info. https://web.archive.org/web/20090416064302/http://www.reliefline.info:80/ Archive too broken.
* 74.254.12.176: pakcricketgrd.com. Hit.
* 74.254.12.177: networkofnews.com. Hit.
* 74.254.12.179: wineconnaisseur.net. Hit.
* 74.254.12.180: helpinghandssite.com. Hit.
* 74.254.12.185: newskwest.com. No archives.
* 74.254.12.187: efiinvestment.com. No archives.
* 74.254.12.188: first-tee-golf.com. Hit.
* 74.254.12.189: fabu-foto.com. Hit.
* 74.254.12.190: viptravelabroad.com. Hit.
199.85.212.118 just-kidding-news.com
* 199.85.212.118 rdns source: <2013 DNS Census virtual host cleanup heuristic keyword searches>, <dnshistory.org> (2009-09-23 -> 2011-01-25) and <viewdns.info>: "location": "United States", "owner": "VIMRO, LLC", "lastseen": "2012-01-11". Tested viewdns.info range: 199.85.212.95 - 199.85.212.128. Not sure worth it given the many <2013 DNS Census> misses surrounding.
* 199.85.212.98: colorsxpress.com. Legit
* 199.85.212.104:
* jobindons.com 2013-10-19.
* piogroup.org 2012-12-29.
* 199.85.212.105: mide-news.com. Hit.
* 199.85.212.109: game2be.com. Infinite load loop: https://web.archive.org/web/20080102074404/http://www.game2be.com/
* 199.85.212.111:
* newsandsportscentral.com. Hit.
* and many many others, not bothering with it
* 199.85.212.115: veryperi.com. Legit? https://web.archive.org/web/20110202094958/http://veryperi.com/[2011]. Style is similar.
* 199.85.212.116: approselect.com. Legit?
* 199.85.212.117: innovative-software-solutions.com. broken/legit
* 199.85.212.118: just-kidding-news.com. Hit.
* 199.85.212.119: invisus.com. Legit
* 199.85.212.120: allurebyjustine.com. Legit?
* 199.85.212.121: stockprouniversity.com
* 199.85.212.122: stjosephswoodshop.com Legit?
* 199.85.212.125: time-spacer.net. Welcome to the US Petabox.
* 199.85.212.132: qualitytrans.net. Legit?
* 199.85.212.134: mywellnessminder.com. Legit?
* 199.85.212.138: crystalglassinc.com
* 199.85.212.140: davistech-llc.com
* 68.178.232.100: see rastadirect.net. rdns source: <viewdns.info>: "location": "United States", "owner": "GoDaddy.com, LLC", "lastseen": "2012-06-29"
* 209.85.45.84. Tested <viewdns.info> range: 209.85.45.74 - 209.85.45.94.
* 209.85.45.2: dz8.dailyrazor.com
* 209.85.45.2: jr4consulting.com
* 209.85.45.41: guitarzza.com. No archives of time.
* 209.85.45.46: evergraindecking.com. No archives of time.
* 209.85.45.114: mauritiuspropertyconsultant.com. Legit/ broken.
* 209.85.45.160: bieltvedt.net. No archives of time.
* 209.85.45.160: golfstats.dk. No archives.
* 209.85.45.225: infokus.ca
* 209.85.45.225: mail.tomlatham.net
* 209.85.45.225: mail.tomlatham.org
* 209.85.45.239: flavacationcenter.com
204.176.38.143 noticiassofisticadas.com. Found with: <2013 DNS Census virtual host cleanup>. Tested viewdns.info range: 204.176.38.125 - 204.176.38.154
* 204.176.38.130: i-pressnews.com. Hit.
* 204.176.38.132: turkishnewslinks.com. Hit.
* 204.176.38.134: photographyarecord.com. Hit.
* 204.176.38.135: breakingthewicket.com. Hit.
* 204.176.38.136: politicalworldtoday.com. Hit.
* 204.176.38.137: hi-tech-today.com. Hit.
* 204.176.38.138: continental-business-news.com. TODO. https://web.archive.org/web/20110208003809/http://continental-business-news.com/[2011]. Cannot find comms. Also header and footer are not limited width which is unusual. Further HTML similarity reversing would be needed.
* 204.176.38.139: bigscreenbattles.com. Hit.
* 204.176.38.141: rakotafootball.com. Hit.
* 204.176.38.142: senderosdemontana.com. Hit.
* 204.176.38.143: noticiassofisticadas.com. Hit.
* 204.176.38.144: techno-today.com. Hit.
* 204.176.38.145: tickettonews.com. Hit.
* 204.176.38.146: dps-digitalphotosharing.com. Hit.
* 204.176.38.147: theputtingreen.com. Hit.
* 204.176.38.149: sportsnewstodayar.com. Hit.
* 204.176.38.150: kairuafricanews.com. Hit.
204.176.39.115 globalprovincesnews.com. Tested viewdns.info range: 204.176.39.93 - 204.176.39.124
* 204.176.39.97: beamingnews.com. Hit.
* 204.176.39.98: cubriendonoticias.com. Hit.
* 204.176.39.100: rowleyworldpost.com. Hit.
* 204.176.39.101: noticiastopicas.com. No archives.
* 204.176.39.103: economicnewsbuzz.com. Hit.
* 204.176.39.104: spectranewsonline.com. Hit.
* 204.176.39.105: entertainmentnewscompany.com. Hit.
* 204.176.39.107: guidetoelectronics.net. Uncertain. https://web.archive.org/web/20101230025246/http://guidetoelectronics.net/[2010]. English. tech, electronics. Possible <CGI comms variant>.
* 204.176.39.110: arabnewsatdawn.com. Hit.
* 204.176.39.114: messengergalaxy.com. Uncertain. https://web.archive.org/web/20110128234749/http://messengergalaxy.com/[2011]. Would be the first example of something more commercial/service offering we've seen so far. Possible <CGI comms variant>.
* 204.176.39.115: globalprovincesnews.com. Hit.
* 204.176.39.116: mahparah-news.com. Hit.
* 204.176.39.119: commercialspacedesign.com. Hit.
207.210.250.132 aeronet-news.com. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>. Tested viewdns.info range: 207.210.250.126 - 207.210.250.157
* 207.210.250.131: starrynightnews.com. Hit.
* 207.210.250.132: aeronet-news.com. Hit.
* 207.210.250.133: bakaribulletin.com. Hit.
* 207.210.250.134: deprensaenlarevisiondehoy.com. Hit.
* 207.210.250.135: icwb-news.com. Hit.
* 207.210.250.136: sportsreelhighlights.com. Hit.
* 207.210.250.137: fashionforward.info. No archives.
* 207.210.250.138: inquiry-human-past.com. Hit.
* 207.210.250.139: thefairwaysaregreen.com. Hit.
* 207.210.250.142: russiaupdate.com 2011-11-13. No archives of the time, only older unrelated archives: https://web.archive.org/web/20010429003443/http://russiaupdate.com/[].
* 207.210.250.143: archaeologyreview.net. Hit.
* 207.210.250.144: highspeed-news.com. No archives.
* 207.210.250.146: noticias-caracas.com. Hit.
* 207.210.250.147: bailandstump.com. Hit.
* 207.210.250.148: classicalmusic4arab.com. No archives.
* 207.210.250.149: globalventurestat.com. Hit.
* 207.210.250.152: al-rashidrealestate.com. Hit.
* 207.210.250.153: newsintheworld-ru.com. Hit.
* 207.210.250.154: news-unlimited.info. No archives. Shame, as perfect theme, and has per https://ipinf.ru/domains/207.210.250.154/
208.254.40.117 worldnewsandent.com. https://whois.arin.net/rest/net/NET-208-192-0-0-1/pft?s=208.254.40.117[]: Net Range 208.192.0.0 - 208.255.255.255. Tested viewdns.info range: 208.254.40.92 - 208.254.40.135
* 208.254.40.96: sixty2media.com. Hit.
* 208.254.40.99: newspoliticssource.com. Hit.
* 208.254.40.110: musical-fortune.net. Hit.
* 208.254.40.113: ashoka-gemstones.com. Hit.
* 208.254.40.117: worldnewsandent.com. Hit.
* 208.254.40.124: riskandrewardnews.com. Hit.
* 208.254.40.129: mailb.casella.com. Legit.
208.254.42.205 driversinternationalgolf.com. Not too far from 208.254.40.117 right? Tested viewdns.info range: 208.254.42.178 - 208.254.42.233.
* 208.254.42.35: mystorytimefriends.com. Broken/legit.
* 208.254.42.194: it-proonline.com. Hit.
* 208.254.42.200: riccs.mwcog.org. Legit. Reverse IP source: <2012 Internet Census>, 2012-05-14.
* 208.254.42.205: driversinternationalgolf.com. Hit.
* 208.254.42.209: mardelsurnoticias.com. Hit. Reverse IP source: viewdns.info
* 208.254.42.215: nowfreshfinances.com. Hit.
* 208.254.42.216: circulatingnews.net. Hit.
* 208.254.42.219: westingtonpassnews.com. Hit. Reverse IP source: <2013 DNS Census>
* 208.254.44.155: brandimpact.com. Legit/broken: https://web.archive.org/web/20070801000000*/brandimpact.com
* 208.254.45.105: operatorenum.com. Legit/broken: https://web.archive.org/web/20100301000000*/operatorenum.com
210.80.75.55 philippinenewsonline.net. Tested viewdns.info range: 210.80.75.30 - 210.80.75.67
* 210.80.75.35: aroundtheworldnews.net. No archives. https://ipinf.ru/domains/210.80.75.33/ disagrees and places it at .33.
* 210.80.75.36: e-commodities.net. Hit.
* 210.80.75.37: trekkingtoday.com. Hit.
* 210.80.75.41: multinews-33.com. Hit.
* 210.80.75.42: movimientodenticias.com. No archives.
* 210.80.75.43: gulfandmiddleeastnews.com. Hit.
* 210.80.75.44: whirlybirdinflight.com. Hit.
* 210.80.75.45: kings-game.net. Hit.
* 210.80.75.46: topglobalnewsdaily.com. Hit.
* 210.80.75.49: recipe-dujour.com. Hit.
* 210.80.75.53: sportsman-elite.com. No archives.
* 210.80.75.55: philippinenewsonline.net. Hit.
* 210.80.75.56: technewsforme.com. Hit.
* 210.80.75.59: goldeportesnoticias.com. No archives.
* 210.80.75.68: gigabyte-usa.com. Legit.
212.4.16.232 mynewscheck.com. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>. Tested viewdns.info range: 212.4.16.214 - 212.4.17.10.
* 212.4.16.224: lanoticiasdehoyelinforme.com. Hit.
* 212.4.16.232: mynewscheck.com. Hit.
* 212.4.16.239: saktimarsgolf.com 2012-06-29. Broken/legit/no archives of relevant date: https://web.archive.org/web/20081031060207/http://saktimarsgolf.com/
* 212.4.16.245: financial-crisis-news.com. Hit.
* 212.4.16.252: minutosdenoticias.com. Hit. https://web.archive.org/web/20100517151612/http://minutosdenoticias.com/
Other hits:
* 208.91.197.132. rdns source: viewdns.info: "location" : "British Virgin Islands", "owner" : "Confluence Networks Inc", "lastseen" : "2013-09-26". So this is after the previous one, unlikely to be correct.
* 205.178.189.131. source: <securitytrails.com>
212.4.17.38 fightwithoutrules.com. https://whois.arin.net/rest/net/NET-208-192-0-0-1/pft?s=208.254.40.117[]. Net Range: 208.192.0.0 - 208.255.255.255. Organization: Name: Verizon Business. Tested viewdns.info range: 212.4.17.8 - 212.4.17.79
* 212.4.17.41: newtechfrontier.com. Hit.
* 212.4.17.43: smart-travel-consultant.com. Hit.
* 212.4.17.46: atentlaloc.com. Hit.
* 212.4.17.53: newsresolution.net. Hit.
* 212.4.17.56: lesummumdelafinance.com. Hit.
* 212.4.17.56: thepinnacleoffinance.com. No Wayback machine archives.
* 212.4.17.61: tech-stop.org. Archive: https://web.archive.org/web/20110905182141/http://tech-stop.org/[2011]. Feels likely. No commons found. <.org hit>? Has subdomain "gear.tech-stop.org" according to <2013 DNS Census>, which suggests <CGI comms>, but no links to it
* 212.4.17.98: topbillingsite.com. Hit.
* 212.4.17.122: b2bworldglobal.com. Hit.
There were also some other reverse IP hits for fightwithoutrules.com, but no CIA websites there:
* 204.11.56.25 - British Virgin Islands - Confluence Networks Inc - 2013-09-26. Many domains.
* 208.91.197.19 - British Virgin Islands - Confluence Networks Inc - 2013-05-20. Many domains.
212.4.18.129 sightseeingnews.com. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>. Tested viewdns.info range: 212.4.18.115 - 212.4.18.148. TODO expand. Interesting wide/sparse range? Or perhaps it's two separate ranges?
* 212.4.18.129: sightseeingnews.com. Hit. Presumably also present under fgnl.net on its second IP range, since this is near 212.4.18.133? viewdns.info gives this as the only IP for the domain.
* 212.4.30.210: iprintitaly.com. Legit: https://web.archive.org/web/20230000000000*/http://www.iprintitaly.com/
212.209.74.105 globalbaseballnews.com. Tested <viewdns.info> range: 212.209.74.100 - 212.209.74.132. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>
* 212.209.74.105: globalbaseballnews.com. Hit.
* 212.209.74.106: football-de-luxe.com. Hit.
* 212.209.74.111: worldconcerns.info. No archives.
* 212.209.74.112: developmental-league.com. Unclear. <CGI comms variant>? https://web.archive.org/web/20100507132004/http://www.developmental-league.com/[2010]. English. https://web.archive.org/web/20100507132004/https://secure.developmental-league.com/login.html[CGI]. American football.
* 212.209.74.115: mediocampodefutbol.com. Hit.
* 212.209.74.117: myengineeringaffinity.com. Hit.
* 212.209.74.122: atthemovies.biz. Archive very broken. Has link to unarchived JAR: https://web.archive.org/web/20110809232811oe_/http://www.atthemovies.biz/movieslides.jar[]. Would have been the first .biz hit found: <Non .com .net TLDs>
* 212.209.74.123: worldfinancialexchangenews.com. Hit.
* 212.209.74.124: urouttahere.com. No archives. Meaning presumably "you're out of here"? One wonders what the theme would have been!
* 212.209.74.125: avoilurefixe.com. Hit.
* 212.209.74.126: headlines2day.com. Hit.
* 118.139.174.11. Reverse IP source: viewdns.info
* 118.139.174.11: 712 domain hits on it
* 118.139.174.21: theargentineanwineco.com 2013-09-26. No Wayback machine archive.
* nothing else on the +-20 range
* 184.168.221.91. Reverse IP source: <2013 DNS Census>
* 184.168.221.91: 40k hits on <2013 DNS Census>
* 212.209.74.127: construction-zones.com. Unclear. <CGI comms variant>? https://web.archive.org/web/20091001211418/http://www.construction-zones.com/[2009]. No known comms found. English. construction. Has a login page: https://web.archive.org/web/20091130144158/http://construction-zones.com/login.html[] so maybe <CGI comms variant>
212.209.79.40 hydradraco.com. Found with: visual inspection of full <2013 DNS Census virtual host cleanup> list just after globalbaseballnews.com. Tested viewdns.info range: 212.209.79.35 - 212.209.79.63
* 212.209.79.34: fgnl.net. Hit. <securitytrails.com> provides IP history:
* 212.209.79.34: 2008-09-01 - 2010-04-19.
* 212.4.18.133: 2010-04-19 - 2019-06-19. Tested viewdns.info range: 212.4.18.122 - 212.4.18.148
both under MCI Communications Services, Inc. d/b/a Verizon Business.
* 212.209.79.37: fitness-sources.com. Hit.
* 212.209.79.40: hydradraco.com. Hit.
* 212.209.79.41: noticiasdelmundolatino.com. Hit.
* 212.209.79.42: suparakuvi.com. Hit.
* 212.209.79.44: myigadgets.net. Unclear. https://web.archive.org/web/20101005140629/http://www.myigadgets.net/[2010]. tech. Contains some helpers to: https://en.wikipedia.org/wiki/IGoogle[iGoogle]. This page is very interesting and quite different from the others, as it contains highly specialized functionality. No known comms found. The choice of homepage languages is also very suspicious: Arabic, Farsi, French, Chinese and Spanish.
* 212.209.79.46: cetusdelph.com. Hit.
* 212.209.79.47: willtoworship.com. Hit.
* 212.209.79.48: themvconnection.com. Hit.
* 212.209.79.51: pi-resources.net. Hit.
* 212.209.79.52: newel-adserver.com. Redirects to newel.com which is legit.
* 212.209.79.53: ourscubaworld.com. Hit.
* 212.209.79.58: tech-love-home.com. Hit.
* 212.209.79.60: first-solo-aviation.com. Hit.
* 212.209.79.61: china-destinations.org. Hit.
212.209.90.84 thenewseditor.com. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>. Tested viewdns.info range: 212.209.90.64 - 212.209.90.99
* 212.209.90.69: worldedgenews.com. Hit.
* 212.209.90.72: talkingpointnews.info. No archives.
* 212.209.90.75: prebitinvestment.com. No archives.
* 212.209.90.77: energy-bulb.com https://web.archive.org/web/20110128182345/http://energy-bulb.com/[2011]. English. energy. Comms not found, but has unarchived link to: https://web.archive.org/web/20110128182345/https://webmail.energy-bulb.com/login.html[]. <CGI comms variant>?
* 212.209.90.79: freeblink.com. No archives for timerange, then legit.
* 212.209.90.80: nsmovies.net. Hit.
* 212.209.90.82: middleeastjournal.net. Hit.
* 212.209.90.84: thenewseditor.com. Hit.
* 212.209.90.87: newsandweathersource.com. Hit.
* 212.209.90.89: pakisports.com. Hit.
* 212.209.90.90: vriha-aesthetics.com. Hit.
* 212.209.90.92: amishkanews.com. Hit.
* 212.209.90.93: theentertainbiz.com. Hit.
* 212.209.90.94: eurosportssummary.com. Hit.
* 212.209.91.14: teracom.net. Legit
216.105.98.152: modernarabicnews.com. Found with: <2013 DNS Census virtual host cleanup heuristic keyword searches>. Tested viewdns.info range: 216.105.98.125 - 216.105.98.167
* 216.105.98.118:
* estudashboard.com: broken
* fintrade.us: legit
* 216.105.98.132: europeantravelcafe.com. Likely a hit, but comms not found. https://web.archive.org/web/20100724024623/http://www.europeantravelcafe.com/[2010]. English. Europe. travel. Marked copyright 2009. There's a currency converter at: https://web.archive.org/web/20100724024644/http://www.europeantravelcafe.com/tools.html which could be suspicious.
* 216.105.98.134: fuenteneta.com. No archives.
* 216.105.98.135: ilat-news.com. No archives.
* 216.105.98.136: etherealinspirations.net. No archives.
* 216.105.98.137: the-news-zone.com. Archive very broken: https://web.archive.org/web/20130814194744/http://the-news-zone.com/
* 216.105.98.138: photozoomnews.com. No archives.
* 216.105.98.139: cultura-digital.net. Hit.
* 216.105.98.140: uaeshoppingspree.com. Hit.
* 216.105.98.141: jabarifootball.com. No archives. "Jabari" is a Swahili/Arabic name https://en.wikipedia.org/wiki/Jabari{ref}
* 216.105.98.142: globalreview-ar.com. No archives. Shame, could have been our first Argentinian site.
* 216.105.98.144: garanziadellasicurezza.com. Archives quite broken: https://web.archive.org/web/20110424044637/http://www.garanziadellasicurezza.com:80/ Unarchived JAR: `/web/20110424044637oe_/http://www.garanziadellasicurezza.com/garanzia.jar` Would be another precious Italy hit...
* 216.105.98.145: montanismoaventura.com. Hit.
* 216.105.98.146: large-format-news.com. No archives.
* 216.105.98.147: nepalnewsbrief.com. Hit. <dnshistory.org> marks it as having IP 2010-03-10 -> 2010-08-15 216.169.148.94 https://dnshistory.org/historical-dns-records/a/nepalnewsbrief.com{ref}. This range does feel a bit different from the others, too many broken archives, and relatively early ones too. Explored <viewdns.info> range: 216.169.148.84 - 216.169.148.104, empty for period.
* 216.105.98.148: teclafinance.com. No archives. One wonders what "tecla" would have stood for. It is Portuguese for "keyboard key", but finance is English so.
* 216.105.98.149: entreman.com: legit? https://web.archive.org/web/20110128212738/http://entreman.com/
* 216.105.98.152: modernarabicnews.com. Hit.
* 216.105.98.153: global-headlines.com. No archives of the period, then was a legitimate WordPress website for a while.
* 216.105.98.154: everythingcricket.org. Hit.
* 216.105.98.156: familyhealthonline.net. Hit.
* 216.105.98.157: delacorne.com. No archives.
* 216.105.98.158: econfutures.com. No archives.
* 216.105.98.161: kstcloud.com. No archives.
219.90.61.123 journeystravelled.com Tested viewdns.info range: 219.90.61.100 - 219.90.61.133
* 219.90.61.100: pressstory.com: "Under construction". https://web.archive.org/web/20110128124548/http://pressstory.com/
* 219.90.61.103: bet2plays.com. "Under construction". Unlikely thematic, too spicy.
* 219.90.61.110: surya-brahma.com. Hit
* 219.90.61.111: classicalmusicboxonline.com. Hit.
* 219.90.61.116: athletepro.net. Hit.
* 219.90.61.117: lajornadanow.com. Hit.
* 219.90.61.119: aviation-navigation.com. No archives.
* 219.90.61.120: theinternationalworld.com. Hit.
* 219.90.61.121: thepyramidnews.com. Hit.
* 219.90.61.122: iran-newslink-today.com. Hit.
* 219.90.61.123: journeystravelled.com. Hit.
219.90.62.243 fitness-dawg.com. https://whois.arin.net/rest/net/NET-219-0-0-0-1/pft?s=219.90.62.243[]. Net Type: Allocated to https://en.wikipedia.org/wiki/APNIC[APNIC]. Tested viewdns.info range: unknown - 219.90.62.255
* 219.90.62.173:
* dominatingduos.com: 2013-08-12T17:53:09. No archive
* has other domains
* 219.90.62.193: centralnewsreleasers.com. Only a 2018 archive of the robots.txt: https://web.archive.org/web/*/http://centralnewsreleasers.com/* so likely not a hit
* 219.90.62.209: penniesbythemillions.com. No archives.
* 219.90.62.229: information-junky.com. Hit.
* 219.90.62.231: todosperuahora.com. Hit.
* 219.90.62.232: race26point2.com. Hit. No archives, but has subdomain: secure.race26point2.com, so likely <CGI comms>.
* 219.90.62.233: theworld-news.net. Hit.
* 219.90.62.234: recuerdosdeviajeonline.com. Hit
* 219.90.62.235: ordenpolicial.com. No <Wayback Machine> archives. Last resolved: 2012-01-11.
* 219.90.62.237: elcorreodenoticias.com. Hit.
* 219.90.62.238: freshtechonline.com. Hit.
* 219.90.62.240: cityworldnewsnow.com. Hit. No archives but has subdomain: secure.cityworldnewsnow.com so likely <CGI comms>.
* 219.90.62.241: newscentertoday.com. Hit.
* 219.90.62.242: ride-captain.com. Hit.
* 219.90.62.244: easytraveleurope.com. Hit.
* 219.90.62.245: world-news-now.net. Hit.
* 219.90.62.246: negativeaperture.com. Hit.
* 219.90.62.247: conquermstoday.com. Hit
* 219.90.62.249: forensic-exchange.com. 2013 archive: https://web.archive.org/web/20130714094026/http://forensic-exchange.com/[]. Appears to be a buggy <Wayback Machine> archive somehow, so inconclusive.
= TODO
{parent=Methodology}
= Find missing hits in IP ranges
{parent=TODO}
All IP ranges have some holes in them for which we don't have a domain name.
Is it because there was nothing there, or just because we don't have a good enough reverse IP database?
= How did Alexa find the domains?
{parent=TODO}
It can't be <HTML> crawl because presumably there wouldn't have been links to those websites? Presumably this is why <Common Crawl> doesn't seem to have any hits.
So they must have had some kind of DNS A record database?
Or would IPv4 sweep have worked, without the `Host` header with the CIA's setup?
The same question also applies to the <2013 DNS Census>. It has fewer hits, but still has many.
Whatever they did, we are so so glad that they did!
= Non .com .net TLDs
{parent=TODO}
.com and .net are very dominant. Here we list other choices made:
* `.info`: has a few hits:
* archived <comms>:
* beyondthefringe.info
* unarchived <comms>:
* crickettoday.info
* unarchived:
* talkingpointnews.info
* theventurenews.info
* worldconcerns.info
Did a full <Wayback machine CDX scanning> on .info after:
``
grep -e news -e noticias -e nouvelles -e world -e global
``
That makes about 10k domains, so it's about the right size.
* `.org`: has at least one hit, see: <Are there .org hits?>
* `.biz`:
* unarchived <comms>:
* atthemovies.biz
= Are there .org hits?
{parent=Non .com .net TLDs}
= .org hit
{synonym}
Previously it was unclear if there were any .org hits, until we found the first one with clear <comms>: https://web.archive.org/web/20110624203548/http://awfaoi.org/hand.jar
Later on, two more clear ones were found with <expired domain trackers>:
* azerinews.org
* autism-news.org
further settling their existence. Later on newimages.org also came to light.
Others that had been previously found in IP ranges but without clear comms:
* 65.61.127.177: material-science.org
* 212.4.17.61: tech-stop.org
Others in IP ranges but unarchived:
* 74.116.72.244 arborstribune.org
.org is very rare, and has been excluded from some of our search heuristics. That was a shame, but likely not much was missed.
= Data sources
{parent=Methodology}
This is a dark art, and many of the sources are shady as fuck! We often have no idea of their methodology. Also no source is fully complete. We just piece things together as best we can.
Some links of interest:
* https://bushart.org/topic/ip
* https://archive.org/details/internet-mapping
* https://stackoverflow.com/questions/307553/possible-to-download-entire-whois-database-list-of-registered-domains (deleted question, see archives)
* https://www.reversedns.ch/en/ has some OK reverse IPs, but you have to do them one by one with CAPTCHA, and we were already past that point when that source was found, so nothing new was found on it yet
* https://www.zone-h.org/archive/ip=208.76.80.93/page=11?hz=1 mentions `newsupdatesite.com` and mentions "defacement", the <"Mass Deface III" pastebin> comes to mind. No other nearby hits on quick inspection.
= Reuters article
{parent=Data sources}
{title2=2022-09-29}
https://www.reuters.com/investigates/special-report/usa-spies-iran
This is our primary data source, the first article that pointed out <The Reuters websites>[a few specific CIA websites] which then served as the basis for all of our research.
We take the truth of this article as an <axiom>. And then all we claim is that all other websites found were made by the same people due to strong <Fingerprints>[shared design principles] of such websites.
= Wayback Machine
{parent=Data sources}
D'oh.
But to be serious. The </Wayback Machine> contains a very large proportion of all sites. It is the most complete database we have found so far. Some archives are very broken. But those are rare.
The only problem with the </Wayback Machine> is that there is no known efficient way to query its archives across domains. You have to have a domain in hand for CDX queries: <Wayback machine CDX scanning>.
The <Common Crawl> project attempts in part to address this lack of queryability, but we haven't managed to extract any hits from it.
CDX + <2013 DNS Census> + heuristics has been fruitful however.
= Wayback Machine CDX scanning
{parent=Wayback Machine}
The Wayback Machine has an endpoint to query crawled pages called the CDX server. It is documented at: https://github.com/internetarchive/wayback/blob/master/wayback-cdx-server/README.md[].
This allows filtering down tens of thousands of possible domains in a few hours. But hundreds of thousands would be too much. This is because you have to query exactly one URL at a time, and they possibly rate limit IPs. But no IP blacklisting so far after several hours, so it's not that bad.
Once you have a heuristic to narrow down some domains, you can use this helper: \a[cia-2010-covert-communication-websites/cdx.sh] to drill them down from tens of thousands to hundreds or thousands.
We then post process the results of cdx.sh with \a[cia-2010-covert-communication-websites/cdx-post.sh] to drill them down from thousands to dozens, and manually inspect everything.
From then on, you can just manually inspect for hits on your browser.
= Wayback Machine CDX scanning with Tor parallelization
{parent=Wayback Machine CDX scanning}
Dire times require dire methods: \a[cia-2010-covert-communication-websites/cdx-tor.sh].
First we must start the tor servers with the `tor-army` command from: https://stackoverflow.com/questions/14321214/how-to-run-multiple-tor-processes-at-once-with-different-exit-ips/76749983#76749983
``
tor-army 100
``
and then use it on a newline separated domain name list to check:
``
./cdx-tor.sh infile.txt
``
This creates a directory `infile.txt.cdx/` containing:
* `infile.txt.cdx/out00`, `out01`, etc.: the suspected CDX lines from domains from each tor instance based on the simple criteria that the CDX can handle directly. We split the input domains into 100 piles, and give one selected pile per tor instance.
* `infile.txt.cdx/out`: the final combined CDX output of `out00`, `out01`, ...
* `infile.txt.cdx/out.post`: the final output containing only domain names that match further CLI criteria that cannot be easily encoded on the CDX query. This is the cleanest domain name list you should look into at the end basically.
Since archive is so abysmal in its data access, e.g. a <Google BigQuery> would solve our issues in seconds, we have to come up with creative ways of getting around their IP throttling.
The <CIA> doesn't play fair. They're actually the exact opposite of fair. So neither shall we.
Distilled into an answer at: https://stackoverflow.com/questions/14321214/how-to-run-multiple-tor-processes-at-once-with-different-exit-ips/76749983#76749983
This should allow a full sweep of the 4.5M records in <2013 DNS Census virtual host cleanup> in a reasonable amount of time. After JAR/SWF/CGI filtering we obtained 5.8k domains, so a reduction factor of about 1 million with likely very few losses. Not bad.
5.8k is still a bit annoying to fully go over however, so we can also try to count CDX hits to the domains and remove anything with too many hits, since the CIA websites basically have very few archives:
``
cd 2013-dns-census-a-novirt-domains.txt.cdx
./cdx-tor.sh -d out.post domain-list.txt
cd out.post.cdx
cut -d' ' -f1 out | uniq -c | sort -k1 -n | awk 'match($2, /([^,]+),([^)]+)/, a) {printf("%s.%s %d\n", a[2], a[1], $1)}' > out.count
``
This gives us something like:
``
12654montana.com 1
aeronet-news.com 1
atohms.com 1
av3net.com 1
beechstreetas400.com 1
``
sorted by increasing hit counts, so we can go down as far as patience allows for!
New results from a full CDX scan of 2013-dns-census-a-novirt.csv:
* 219.90.61.123 journeystravelled.com
= JS CDX scanning
{parent=Wayback Machine CDX scanning}
JAR, SWF and CGI-bin scanning by path only is fine, since there are relatively few of those. But .js scanning by path only is too broad.
One option would be to filter out by size, an information that is contained on the CDX. Let's check typical ones:
``
grep -f <(jq -r '.[]|select(select(.comms)|.comms|test("\\.js"))|.host' ../media/cia-2010-covert-communication-websites/hits.json) out > out.jshits.cdx
sort -n -k7 out.jshits.cdx
``
Ignoring some obvious unrelated non-comms files visually we get a range of about 2732 to 3632:
``
net,hollywoodscreen)/current.js 20110106082232 http://hollywoodscreen.net/current.js text/javascript 200 XY5NHVW7UMFS3WSKPXLOQ5DJA34POXMV 2732
com,amishkanews)/amishkanewss.js 20110208032713 http://amishkanews.com/amishkanewss.js text/javascript 200 S5ZWJ53JFSLUSJVXBBA3NBJXNYLNCI4E 3632
``
This ignores the obviously atypical <JavaScript with SHAs> from iranfootballsource, and the particularly small old menu.js from cutabovenews.com, which we embed into \a[cia-2010-covert-communication-websites/cdx-post-js.sh].
The size helps a bit, but it's not insanely good unfortunately, only about 3x, these are some common JS sizes right there!
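The two filters discussed above, few captures per domain and a `.js` capture inside the 2732 to 3632 byte window, can be applied to raw CDX lines as follows. This is an added example, not the contents of cdx-post-js.sh; the `max_captures` threshold and the `.example` sample lines are constructed assumptions, while the first two sample lines are the ones quoted above.

```python
from collections import Counter

# Size window (CDX "length" column, bytes) observed above for known comms .js files.
JS_MIN, JS_MAX = 2732, 3632

# Field order of the CDX lines quoted above.
FIELDS = ("urlkey", "timestamp", "original", "mimetype", "status", "digest", "length")


def parse_cdx_line(line):
    """Split one CDX line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # Some records carry "-" instead of a size; treat that as unknown.
    rec["length"] = int(rec["length"]) if rec["length"].isdigit() else None
    return rec


def split_surt(urlkey):
    """'net,hollywoodscreen)/current.js' -> ('hollywoodscreen.net', '/current.js')."""
    host_part, _, path = urlkey.partition(")")
    host_part = host_part.split(":", 1)[0]          # drop an optional ':port'
    host = ".".join(reversed(host_part.split(",")))  # SURT keys store labels reversed
    return host, path.split("?", 1)[0]               # ignore the query string


def scan(lines, max_captures=3):
    """Return (captures per host, in-window .js per host, sorted candidate hosts).

    max_captures is a hypothetical cut-off for "very few archives".
    """
    captures = Counter()
    js_in_window = {}
    for line in lines:
        rec = parse_cdx_line(line)
        if rec is None:
            continue
        host, path = split_surt(rec["urlkey"])
        captures[host] += 1
        size = rec["length"]
        if (path.endswith(".js") and rec["status"] == "200"
                and size is not None and JS_MIN <= size <= JS_MAX):
            js_in_window.setdefault(host, []).append((path, size))
    candidates = sorted(h for h in js_in_window if captures[h] <= max_captures)
    return captures, js_in_window, candidates


# First two lines: quoted on this page. The rest: constructed for the example.
SAMPLE = [
    "net,hollywoodscreen)/current.js 20110106082232 http://hollywoodscreen.net/current.js text/javascript 200 XY5NHVW7UMFS3WSKPXLOQ5DJA34POXMV 2732",
    "com,amishkanews)/amishkanewss.js 20110208032713 http://amishkanews.com/amishkanewss.js text/javascript 200 S5ZWJ53JFSLUSJVXBBA3NBJXNYLNCI4E 3632",
    # Right size, but a heavily archived site: dropped by the capture count.
    "example,busy-portal)/menu.js 20100101000000 http://busy-portal.example/menu.js text/javascript 200 CONSTRUCTED 3000",
    # Rarely archived, but the script is far outside the size window.
    "example,big-bundle)/app.js 20100101000000 http://big-bundle.example/app.js text/javascript 200 CONSTRUCTED 48211",
    # Truncated line, as happens when a query is interrupted.
    "com,truncated)/x.js 2011",
]
SAMPLE += [
    f"example,busy-portal)/p{i} 2010010100000{i} http://busy-portal.example/p{i} text/html 200 CONSTRUCTED 9000"
    for i in range(4)
]

if __name__ == "__main__":
    captures, js_hits, candidates = scan(SAMPLE)
    for host in candidates:
        print(host, captures[host], js_hits[host])
```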
= Wayback Machine crawl date search
{parent=Wayback Machine}
Many hits appear to happen on the same days, and per-day data does exist: https://archive.org/details/widecrawl but apparently cannot be publicly downloaded unfortunately. But maybe there's another way? TODO select candidates.
= viewdns.info
{parent=Data sources}
{tag=Data as a service}
Accounts used so far: 6 (1500 reverse IP checks).
Their historic DNS and reverse DNS info was very valuable, and served as Ciro's initial entry point to finding hits in the IP ranges given by Reuters.
Their data is also quite disjoint from the data of the <2013 DNS Census>. There is some overlap, but clearly their methodology is very different. Some times they slot into one another almost perfectly.
You can only get about 250 queries on the web interface, then 250 queries per free account via API.
Since this source is so scarce and valuable, we have been quite careful to note down all the domain and IP ranges that have been explored.
They check your IP when you signup, and you can't sign in twice from the same IP. They also state that Tor addresses are blacklisted.
At https://news.ycombinator.com/item?id=38496244[], the creator of viewdns.info, "Hughesey", also stated that he'd be able to give some free credits for public research projects such as this one. This would have saved going to quite a few Cafes to get those sweet extra IPs! But it was more fun in hardmode, no doubt.
They also normalize dots in gmail addresses, so you need more diverse email accounts. But they haven't covered the `.gmail` vs `.googlemail` trick.
We do API access to IP ranges with this simple helper: \a[cia-2010-covert-communication-websites/viewdns-info.sh], usage:
``
./viewdns-info.sh <apikey> <start-ipv-address> <end-ipv-address>
``
e.g.:
``
./viewdns-info.sh 8b890b00b17ed2d66bbed878d51200b58d43d014 66.45.179.187 66.45.179.210
``
For domain to IP queries from the API you should use "iphistory" https://viewdns.info/api/docs/ip-history.php[]:
``
curl "https://api.viewdns.info/iphistory/?domain=todaysengineering.com&apikey=$APIKEY&output=json"
``
Very curiously, their reverse IP search appears to be somewhat broken, or not to be historic, e.g.
* https://viewdns.info/iphistory/?domain=vuvuzelanews.com hits 74.116.72.246 in 2011, later moved to others
* https://viewdns.info/reverseip/?host=74.116.72.246&t=1 however does not contain `vuvuzelanews.com`
We've contacted viewdns.info support and they replied:
\Q[The reverse IP tool will only show a domain if that is its current IP address.]
This is likely not accurate, more precisely it likely only works if it was the last IP address, not necessarily a current one.
= DNS Census 2013
{parent=Data sources}
= 2013 DNS Census
{synonym}
Main article: </DNS Census 2013>.
This data source was very valuable, and led to many hits, and to finding the first non Reuters ranges with <secure subdomain search on 2013 DNS Census>{full}.
Hit overlap:
``
jq -r '.[].host' ../media/cia-2010-covert-communication-websites/hits.json | xargs -I{} sqlite3 aiddcu.sqlite "select * from t where d = '{}'"
``
Domain hit count when we were at 279 hits: 142 hits, so about half of the hits were present.
The timing of the database is perfect for this project, it is as if the CIA had planted it themselves!
= 2013 DNS Census virtual host cleanup
{parent=DNS Census 2013}
We've noticed that often when there is a hit range:
* there is only one IP for each domain
* there is a range of about 20-30 of those
and that this does not seem to be that common. Let's see if that is a reasonable fingerprint or not.
Note that although this is the most common case, we have found multiple hits that <viewdns.info> maps to the same IP.
First we create a table `u` (`unique`) that only has domains which are the only domain for an IP. Let's see by how much that lowers the 191 M total unique domains:
``
time sqlite3 u.sqlite 'create table t (d text, i text)'
time sqlite3 av.sqlite -cmd "attach 'u.sqlite' as u" "insert into u.t select min(d) as d, min(i) as i from t where d not like '%.%.%' group by i having count(distinct d) = 1"
``
The `not like '%.%.%'` removes subdomains from the counts so that <CGI comms> are still included, and `distinct` in `count(distinct` is because we have multiple entries at different timestamps for some of the hits.
Let's start with the 208 subset to see how it goes:
``
time sqlite3 av.sqlite -cmd "attach 'u.sqlite' as u" "insert into u.t select min(d) as d, min(i) as i from t where i glob '208.*' and d not like '%.%.%' and (d like '%.com' or d like '%.net') group by i having count(distinct d) = 1"
``
OK, after we fixed bugs with the above we are down to 4 million lines with unique domain/IP pairs and which contains all of the original hits! Almost certainly more are to be found!
This data is so valuable that we've decided to upload it to: https://archive.org/details/2013-dns-census-a-novirt.csv Format:
``
8,chrisjmcgregor.com
11,80end.com
28,fine5.net
38,bestarabictv.com
49,xy005.com
50,cmsasoccer.com
80,museemontpellier.net
100,newtiger.com
108,lps-promptservice.com
111,bridesmaiddressesshow.com
``
The numbers of the first column are the IPs as a 32-bit integer representation, which is more useful to search for ranges in.
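As an added example (not one of the project's own scripts), the following Python code works directly on the `int,domain` format above: it finds dense runs of single-hostname IPs, the fingerprint described at the start of this section, and lists the holes inside each run. The `max_gap` and `min_size` thresholds are assumptions, and the sample rows are constructed from IP/domain pairs listed elsewhere in this article plus three rows from the format sample above.

```python
import bisect
import csv
import io
import ipaddress


def ip_to_int(ip):
    """'212.209.79.37' -> 3570487077, the representation used in the first column."""
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def load_rows(fileobj):
    """Read 'int,domain' lines into a list of (int_ip, domain) sorted by IP."""
    rows = []
    for rec in csv.reader(fileobj):
        if len(rec) != 2 or not rec[0].isdigit():
            continue  # skip blank or malformed lines
        rows.append((int(rec[0]), rec[1]))
    rows.sort()
    return rows


def rows_in_range(rows, start_ip, end_ip):
    """Rows whose IP falls inside a dotted range such as a 'tested range' above."""
    ips = [ip for ip, _ in rows]
    lo = bisect.bisect_left(ips, ip_to_int(start_ip))
    hi = bisect.bisect_right(ips, ip_to_int(end_ip))
    return rows[lo:hi]


def find_clusters(rows, max_gap=5, min_size=5):
    """Group rows into runs where consecutive IPs are at most max_gap apart.

    max_gap and min_size are hypothetical tuning knobs; runs shorter than
    min_size are discarded as background noise.
    """
    clusters, current = [], []
    for ip, dom in rows:
        if current and ip - current[-1][0] > max_gap:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append((ip, dom))
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def holes(cluster):
    """IPs between the first and last member of a cluster that have no domain."""
    present = {ip for ip, _ in cluster}
    return [int_to_ip(n) for n in range(cluster[0][0], cluster[-1][0] + 1)
            if n not in present]


# Constructed sample in the file's format.
PAIRS = [
    ("212.209.79.37", "fitness-sources.com"),
    ("212.209.79.40", "hydradraco.com"),
    ("212.209.79.41", "noticiasdelmundolatino.com"),
    ("212.209.79.42", "suparakuvi.com"),
    ("212.209.79.44", "myigadgets.net"),
    ("212.209.79.46", "cetusdelph.com"),
    ("212.209.79.47", "willtoworship.com"),
    ("212.209.79.48", "themvconnection.com"),
]
SAMPLE_CSV = "8,chrisjmcgregor.com\n11,80end.com\n28,fine5.net\n" + "".join(
    f"{ip_to_int(ip)},{dom}\n" for ip, dom in PAIRS
)

if __name__ == "__main__":
    rows = load_rows(io.StringIO(SAMPLE_CSV))
    for cluster in find_clusters(rows):
        first, last = int_to_ip(cluster[0][0]), int_to_ip(cluster[-1][0])
        print(f"{first} - {last}: {len(cluster)} domains, holes: {holes(cluster)}")
```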
To make a <histogram> with the distribution of the single hostname IPs:
``
#!/usr/bin/env bash
bin=$((2**24))
sqlite3 2013-dns-census-a-novirt.sqlite -cmd '.mode csv' >2013-dns-census-a-novirt-hist.csv <<EOF
select i, sum(cnt) from (
select floor(i/${bin}) as i,
count(*) as cnt
from t
group by 1
union
select *, 0 as cnt from generate_series(0, 255)
)
group by i
EOF
gnuplot \
-e 'set terminal svg size 1200, 800' \
-e 'set output "2013-dns-census-a-novirt-hist.svg"' \
-e 'set datafile separator ","' \
-e 'set tics scale 0' \
-e 'unset key' \
-e 'set xrange[0:255]' \
-e 'set title "Counts of IPs with a single hostname"' \
-e 'set xlabel "IPv4 first byte"' \
-e 'set ylabel "count"' \
-e 'plot "2013-dns-census-a-novirt-hist.csv" using 1:2:1 with labels' \
;
``
Which gives the following useless noise, there is basically no pattern:
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/2013-dns-census-a-novirt-hist.svg]
= 2013 DNS Census virtual host cleanup heuristic keyword searches
{parent=2013 DNS Census virtual host cleanup}
There are two keywords that are killers: "news" and "world" and their translations or closely related words. Everything else is hard. So a good start is:
``
grep -e news -e noticias -e nouvelles -e world -e global
``
iran + football:
* iranfootballsource.com: the third hit for this area after the two given by Reuters! Epic.
3 easy hits with "noticias" (news in Portuguese or Spanish), uncovering two brand new IP ranges:
* 66.45.179.205 noticiasporjanua.com
* 66.237.236.247 comunidaddenoticias.com
* 204.176.38.143 noticiassofisticadas.com
Let's see some French "nouvelles/actualites" for those tumultuous Maghrebis:
* 216.97.231.56 nouvelles-d-aujourdhuis.com
news + world:
* 210.80.75.55 philippinenewsonline.net
news + global:
* 204.176.39.115 globalprovincesnews.com
* 212.209.74.105 globalbaseballnews.com
* 212.209.79.40: hydradraco.com
OK, I've decided to do a complete <Wayback Machine CDX scanning> of `news`... Searching for `.JAR` or `https.*cgi-bin.*\.cgi` are killers, particularly the .jar hits, here's what came out:
* 62.22.60.49 telecom-headlines.com
* 62.22.61.206 worldnewsnetworking.com
* 64.16.204.55 holein1news.com
* 66.104.169.184 bcenews.com
* 69.84.156.90 stickshiftnews.com
* 74.116.72.236 techtopnews.com
* 74.254.12.168 non-stop-news.net
* 193.203.49.212 inews-today.com
* 199.85.212.118 just-kidding-news.com
* 207.210.250.132 aeronet-news.com
* 212.4.18.129 sightseeingnews.com
* 212.209.90.84 thenewseditor.com
* 216.105.98.152 modernarabicnews.com
<Wayback Machine CDX scanning> of "world":
* 66.104.173.186 myworldlymusic.com
"headline": only 140 matches in 2013-dns-census-a-novirt.csv and 3 hits out of 269 hits. Full inspection without CDX led to no new hits.
"today": only 3.5k matches in 2013-dns-census-a-novirt.csv and 12 hits out of 269 hits, TODO how many of those on 2013-dns-census-a-novirt? No new hits.
"world", "global", "international", and Spanish/Portuguese/French versions like "mondo", "mundo", "mondi": 15k matches in 2013-dns-census-a-novirt.csv. No new hits.
= 2013 DNS census MX records
{parent=DNS Census 2013}
Let's see if there's anything in records/mx.xz.
mx.csv is 21GB.
They do have `"` in the files to escape commas so:
mx.py
``
import csv
import sys

writer = csv.writer(sys.stdout)
with open('mx.csv', 'r') as f:
    reader = csv.reader(f)
    for row in reader:
        # Keep only the domain (column 0) and the MX host (column 3).
        writer.writerow([row[0], row[3]])
``
Would have been better with csvkit: https://stackoverflow.com/questions/36287982/bash-parse-csv-with-quotes-commas-and-newlines
then:
``
# uniq not amazing as there are often two or three slightly different records repeated on multiple timestamps, but down to 11 GB
python3 mx.py | uniq > mx-uniq.csv
sqlite3 mx.sqlite 'create table t(d text, m text)'
# 13 GB
time sqlite3 mx.sqlite ".import --csv --skip 1 'mx-uniq.csv' t"
# 41 GB
time sqlite3 mx.sqlite 'create index td on t(d)'
time sqlite3 mx.sqlite 'create index tm on t(m)'
time sqlite3 mx.sqlite 'create index tdm on t(d, m)'
# Remove dupes.
# Rows: 150m
time sqlite3 mx.sqlite <<EOF
delete from t
where rowid not in (
select min(rowid)
from t
group by d, m
)
EOF
# 15 GB
time sqlite3 mx.sqlite vacuum
``
Let's see what the hits use:
``
awk -F, 'NR>1{ print $2 }' ../media/cia-2010-covert-communication-websites/hits.csv | xargs -I{} sqlite3 mx.sqlite "select distinct * from t where d = '{}'"
``
At around 267 total hits, only 84 have MX records, and from those that do, almost all of them have exactly:
``
smtp.secureserver.net
mailstore1.secureserver.net
``
with only three exceptions:
``
dailynewsandsports.com|dailynewsandsports.com
inews-today.com|mail.inews-today.com
just-kidding-news.com|just-kidding-news.com
``
We need to count out of the totals!
``
sqlite3 mx.sqlite "select count(*) from t where m = 'mailstore1.secureserver.net'"
``
which gives, ~18M, so nope, it is too much by itself...
Let's try to use that to reduce `av.sqlite` from <2013 DNS Census virtual host cleanup> a bit further:
``
time sqlite3 mx.sqlite '.mode csv' "attach 'aiddcu.sqlite' as 'av'" '.load ./ip' "select ipi2s(av.t.i), av.t.d from av.t inner join t as mx on av.t.d = mx.d and mx.m = 'mailstore1.secureserver.net' order by av.t.i asc" > avm.csv
``
where `avm` stands for `av` with `mx` pruning. This leaves us with only ~500k entries left. With one more fingerprint we could do a <Wayback Machine CDX scanning> scan.
Let's check that we still have most of our hits in there:
``
grep -f <(awk -F, 'NR>1{print $2}' /home/ciro/bak/git/media/cia-2010-covert-communication-websites/hits.csv) avm.csv
``
At 267 hits we got 81, so all are still present.
secureserver is a hosting provider, we can see their blank page e.g. at: https://web.archive.org/web/20110128152204/http://emmano.com/[]. https://security.stackexchange.com/questions/12610/why-did-secureserver-net-godaddy-access-my-gmail-account/12616#12616 comments:
\Q[secureserver.net is the name GoDaddy use as the reverse DNS for IP addresses used for dedicated/virtual server hosting]
= 2013 DNS census secureserver.net MX records intersection 2013 DNS Census virtual host cleanup
{parent=DNS Census 2013}
We intersect <2013 DNS Census virtual host cleanup> with <2013 DNS census MX records> and that leaves 460k hits. We did lose a third on the MX records as of 260 hits since secureserver.net is only used in 1/3 of sites, but we also concentrate 9x, so it may be worth it.
Then we <Wayback machine CDX scanning>. It takes about 5 days, but it is manageable.
We did a full <Wayback Machine CDX scanning> for JAR, SWF and cgi-bin in those, but only found a single new hit:
* 63.130.160.50 theglobalheadlines.com. Just barely missed with our <2013 DNS Census virtual host cleanup heuristic keyword searches> as we did think of both "global" and "headlines" in the "news" themes!
= 2013 DNS census NS records
{parent=DNS Census 2013}
ns.csv is 57 GB. This file is too massive, working with it is a pain.
We can also cut down the data a lot with https://stackoverflow.com/questions/1915636/is-there-a-way-to-uniq-by-column/76605540#76605540[] and <Non .com .net TLDs>[tld filtering]:
``
awk -F, 'BEGIN{OFS=","} { if ($1 != last) { print $1, $3; last = $1; } }' ns.csv | grep -E '\.(com|net|info|org|biz),' > nsu.csv
``
This brings us down to a much more manageable 3.0 GB, 83 M rows.
Let's just scan it once real quick to start with, since likely nothing will come of this avenue:
``
grep -f <(awk -F, 'NR>1{print $2}' ../media/cia-2010-covert-communication-websites/hits.csv) nsu.csv | tee nsu-hits.csv
cat nsu-hits.csv | csvcut -c 2 | sort | awk -F. '{OFS="."; print $(NF-1), $(NF)}' | sort | uniq -c | sort -k1 -n
``
As of 267 hits we get:
``
1 a2hosting.com
1 amerinoc.com
1 ayns.net
1 dailyrazor.com
1 domainingdepot.com
1 easydns.com
1 frienddns.ru
1 hostgator.com
1 kolmic.com
1 name-services.com
1 namecity.com
1 netnames.net
1 tonsmovies.net
1 webmailer.de
2 cashparking.com
55 worldnic.com
86 domaincontrol.com
``
so yeah, most of those are likely going to be humongous just by looking at the names.
The smallest ones by far from the total are: frienddns.ru with only 487 hits, all others quite large or fake hits due to CSV. Did a quick <Wayback machine CDX scanning> there but no luck alas.
Let's check the smaller ones:
``
inews-today.com,2013-08-12T03:14:01,ns1.frienddns.ru
source-commodities.net,2012-12-13T20:58:28,ns1.namecity.com -> fake hit due to grep e-commodities.net
dailynewsandsports.com,2013-08-13T08:36:28,ns3.a2hosting.com
just-kidding-news.com,2012-02-04T07:40:50,jns3.dailyrazor.com
fightwithoutrules.com,2012-11-09T01:17:40,sk.s2.ns1.ns92.kolmic.com
fightwithoutrules.com,2013-07-01T22:46:23,ns1625.ztomy.com
half-court.net,2012-09-10T09:49:15,sk.s2.ns1.ns92.kolmic.com
half-court.net,2013-07-07T00:31:12,ns1621.ztomy.com
``
Doubt anything will come out of this.
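The fake hits noted above come from `grep -f` treating each hit as a substring pattern, so `e-commodities.net` also matches `source-commodities.net`. The following is an added example, not one of this project's scripts, that matches the domain column exactly before counting nameserver providers; the first four sample rows are quoted from above and the last one is constructed.

```python
import csv
import io
from collections import Counter

# Rows in the ns.csv layout used above: domain,timestamp,nameserver.
# The first four rows are quoted from this page, the last one is constructed.
NS_CSV = """\
inews-today.com,2013-08-12T03:14:01,ns1.frienddns.ru
source-commodities.net,2012-12-13T20:58:28,ns1.namecity.com
half-court.net,2012-09-10T09:49:15,sk.s2.ns1.ns92.kolmic.com
half-court.net,2013-07-07T00:31:12,ns1621.ztomy.com
unrelated.example,2013-01-01T00:00:00,ns1.frienddns.ru
"""

# Subset of known hits, standing in for column 2 of hits.csv.
HITS = {"inews-today.com", "e-commodities.net", "half-court.net"}


def substring_matches(hits, text):
    """Roughly what `grep -f` does: keep any row containing a hit anywhere."""
    return [line.split(",") for line in text.splitlines()
            if any(hit in line for hit in hits)]


def exact_matches(hits, text):
    """Keep only rows whose domain column is exactly equal to a hit."""
    return [row for row in csv.reader(io.StringIO(text))
            if row and row[0] in hits]


def provider_counts(rows):
    """Count distinct hit domains per nameserver provider (last two labels)."""
    seen = set()
    for domain, _timestamp, nameserver in rows:
        provider = ".".join(nameserver.rstrip(".").split(".")[-2:])
        seen.add((domain, provider))
    return Counter(provider for _domain, provider in seen)


if __name__ == "__main__":
    loose = {row[0] for row in substring_matches(HITS, NS_CSV)}
    exact = exact_matches(HITS, NS_CSV)
    print("substring only:", sorted(loose - {row[0] for row in exact}))
    for provider, count in sorted(provider_counts(exact).items()):
        print(count, provider)
```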
Let's do a bit of counting out of the total:
``
grep domaincontrol.com ns.csv | awk -F, '{print $1}' | uniq | wc
``
gives ~20M domains using `domaincontrol`. Let's see how many domains are in the first place:
``
awk -F, '{print $1}' ns.csv | uniq | wc
``
so it accounts for 1/4 of the total.
= 2013 DNS census SOA records
{parent=DNS Census 2013}
Same as <2013 DNS census NS records> basically, nothing came out.
= dnshistory.org
{parent=Data sources}
dnshistory.org contains historical domain -> IP mappings.
We have not managed to extract much from this source, they don't have as much data on the range of interest.
But they do have some unique data at least, perhaps we should try them a bit more often, e.g. they were the only source we've seen so far that made the association: headlines2day.com -> 212.209.74.126 which places it in the more plausible globalbaseballnews.com IP range.
TODO can it do IP to domain? Or just domain to IP? Asked on their Discord: https://discord.com/channels/698151879166918727/968586102493552731/1124254204257632377[]. Their banner suggests that yes:
\Q[With our new look website you can now find other domains hosted on the same IP address, your website neighbours and more even quicker than before.]
Owner replied, you can't:
\Q[At the moment you can only do this for current not historical records]
This is a shame, reverse IP here could be quite valuable.
In principle, we could obtain this data from search engines, but Google doesn't track that entire website well, e.g. no hits for `site:dnshistory.org "62.22.60.48"` presumably due to heavy IP throttling.
Homepage https://dnshistory.org/ gives date starting in 2009:
\Q[Here at DNS History we have been crawling DNS records since 2009, our database currently contains over 1 billion domains and over 12 billion DNS records.]
and it is true that they do have some hits from that useful era.
Any data that we have the patience of extracting from this we will dump under https://github.com/cirosantilli/media/blob/master/cia-2010-covert-communication-websites/hits.json[].
= securitytrails.com
{parent=Data sources}
They appear to piece together data from various sources. As a result, they have a very complete domain -> IP history.
TODO reverse IP? The fact that they don't seem to have it suggests that they are just making historical reverse IP requests to a third party via some API.
Account creation blacklists common email providers such as gmail to force users to use a "corporate" email address. But using random domains like `ciro@cirosantilli.com` works fine.
Their data seems to date back to 2008 for our searches.
= Common Crawl
{parent=Data sources}
So far, no new domains have been found with <Common Crawl>, nor have any existing known domains been found to be present in Common Crawl. Our working theory is that Common Crawl never reached the domains <How did Alexa find the domains?>
Let's try and do something with <Common Crawl>.
Unfortunately there's no <IP> data apparently: https://github.com/commoncrawl/cc-index-table/issues/30[], so let's focus on the URLs.
Using their <Common Crawl Athena> method: https://commoncrawl.org/2018/03/index-to-warc-files-and-urls-in-columnar-format/
Hello world:
``
select * from "ccindex"."ccindex" limit 100;
``
Data scanned: 11.75 MB
Sample first output line:
``
# 2
url_surtkey org,whwheelers)/robots.txt
url https://whwheelers.org/robots.txt
url_host_name whwheelers.org
url_host_tld org
url_host_2nd_last_part whwheelers
url_host_3rd_last_part
url_host_4th_last_part
url_host_5th_last_part
url_host_registry_suffix org
url_host_registered_domain whwheelers.org
url_host_private_suffix org
url_host_private_domain whwheelers.org
url_host_name_reversed
url_protocol https
url_port
url_path /robots.txt
url_query
fetch_time 2021-06-22 16:36:50.000
fetch_status 301
fetch_redirect https://www.whwheelers.org/robots.txt
content_digest 3I42H3S6NNFQ2MSVX7XZKYAYSCX5QBYJ
content_mime_type text/html
content_mime_detected text/html
content_charset
content_languages
content_truncated
warc_filename crawl-data/CC-MAIN-2021-25/segments/1623488519183.85/robotstxt/CC-MAIN-20210622155328-20210622185328-00312.warc.gz
warc_record_offset 1854030
warc_record_length 639
warc_segment 1623488519183.85
crawl CC-MAIN-2021-25
subset robotstxt
``
So `url_host_3rd_last_part` might be a winner for <CGI comms> fingerprinting!
Naive one for one index:
``
select * from "ccindex"."ccindex" where url_host_registered_domain = 'conquermstoday.com' limit 100;
``
have no results... data scanned: 5.73 GB
Let's see if they have any of the domain hits. Let's also restrict by date to try and reduce the data scanned:
``
select * from "ccindex"."ccindex" where
fetch_time < TIMESTAMP '2014-01-01 00:00:00' AND
url_host_registered_domain IN (
'activegaminginfo.com',
'altworldnews.com',
...
'topbillingsite.com',
'worldwildlifeadventure.com'
)
``
Humm, data scanned: 60.59 GB and no hits... weird.
Sanity check:
``
select * from "ccindex"."ccindex" WHERE
crawl = 'CC-MAIN-2013-20' AND
subset = 'warc' AND
url_host_registered_domain IN (
'google.com',
'amazon.com'
)
``
has a bunch of hits of course. Also Data scanned: 212.88 MB, `WHERE` `crawl` and `subset` are a must! Should have read the article first.
Let's widen a bit more:
``
select * from "ccindex"."ccindex" WHERE
crawl IN (
'CC-MAIN-2013-20',
'CC-MAIN-2013-48',
'CC-MAIN-2014-10'
) AND
subset = 'warc' AND
url_host_registered_domain IN (
'activegaminginfo.com',
'altworldnews.com',
...
'worldnewsandent.com',
'worldwildlifeadventure.com'
)
``
Still nothing found... they don't seem to have any of the URLs of interest?
= Internet Census 2012
{c}
{parent=Data sources}
= 2012 Internet Census
{synonym}
Does not appear to have any reverse IP hits unfortunately: https://opendata.stackexchange.com/questions/1951/dataset-of-domain-names/21077#21077[]. Likely only has domains that were explicitly advertised.
We could not find anything useful in it so far, but there is great potential to use this tool to find new IP ranges based on properties of existing IP ranges. Part of the problem is that the dataset is huge, and is split by top 256 bytes. But it would be reasonable to at least explore ranges with pre-existing known hits...
We have started looking for patterns on `66.*` and `208.*`, both selected as two relatively far away ranges that have a number of pre-existing hits. 208 should likely have been 212 considering later finds that put several ranges in 212.
tcpip_fp:
* 66.104.
* 66.104.175.41: grubbersworldrugbynews.com: 1346397300 SCAN(V=6.01%E=4%D=1/12%OT=22%CT=443%CU=%PV=N%G=N%TM=387CAB9E%P=mipsel-openwrt-linux-gnu),ECN(R=N),T1(R=N),T2(R=N),T3(R=N),T4(R=N),T5(R=N),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
* 66.104.175.48: worlddispatch.net: 1346816700 SCAN(V=6.01%E=4%D=1/2%OT=22%CT=443%CU=%PV=N%DC=I%G=N%TM=1D5EA%P=mipsel-openwrt-linux-gnu),SEQ(SP=F8%GCD=3%ISR=109%TI=Z%TS=A),ECN(R=N),T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=),T1(R=N),T2(R=N),T3(R=N),T4(R=N),T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
* 66.104.175.49: webworldsports.com: 1346692500 SCAN(V=6.01%E=4%D=9/3%OT=22%CT=443%CU=%PV=N%DC=I%G=N%TM=5044E96E%P=mipsel-openwrt-linux-gnu),SEQ(SP=105%GCD=1%ISR=108%TI=Z%TS=A),OPS(O1=M550ST11NW6%O2=M550ST11NW6%O3=M550NNT11NW6%O4=M550ST11NW6%O5=M550ST11NW6%O6=M550ST11),WIN(W1=1510%W2=1510%W3=1510%W4=1510%W5=1510%W6=1510),ECN(R=N),T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=),T1(R=N),T2(R=N),T3(R=N),T4(R=N),T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
* 66.104.175.50: fly-bybirdies.com: 1346822100 SCAN(V=6.01%E=4%D=1/1%OT=22%CT=443%CU=%PV=N%DC=I%G=N%TM=14655%P=mipsel-openwrt-linux-gnu),SEQ(TI=Z%TS=A),ECN(R=N),T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=),T1(R=N),T2(R=N),T3(R=N),T4(R=N),T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
* 66.104.175.53: info-ology.net: 1346712300 SCAN(V=6.01%E=4%D=9/4%OT=22%CT=443%CU=%PV=N%DC=I%G=N%TM=50453230%P=mipsel-openwrt-linux-gnu),SEQ(SP=FB%GCD=1%ISR=FF%TI=Z%TS=A),ECN(R=N),T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=),T1(R=N),T2(R=N),T3(R=N),T4(R=N),T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
* 66.175.106
* 66.175.106.150: noticiasmusica.net: 1340077500 SCAN(V=5.51%D=1/3%OT=22%CT=443%CU=%PV=N%G=N%TM=38707542%P=mipsel-openwrt-linux-gnu),ECN(R=N),T1(R=N),T2(R=N),T3(R=N),T4(R=N),T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
* 66.175.106.155: atomworldnews.com: 1345562100 SCAN(V=5.51%D=8/21%OT=22%CT=443%CU=%PV=N%DC=I%G=N%TM=5033A5F2%P=mips-openwrt-linux-gnu),SEQ(SP=FB%GCD=1%ISR=FC%TI=Z%TS=A),ECN(R=Y%DF=Y%TG=40%W=1540%O=M550NNSNW6%CC=N%Q=),T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=),T2(R=N),T3(R=N),T4(R=N),T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
= 2012 Internet Census hostprobes
{parent=Internet Census 2012}
Hostprobes quick look on two ranges:
208.254.40:
``
... similar down
208.254.40.95 1334668500 down no-response
208.254.40.95 1338270300 down no-response
208.254.40.95 1338839100 down no-response
208.254.40.95 1339361100 down no-response
208.254.40.95 1346391900 down no-response
208.254.40.96 1335806100 up unknown
208.254.40.96 1336979700 up unknown
208.254.40.96 1338840900 up unknown
208.254.40.96 1339454700 up unknown
208.254.40.96 1346778900 up echo-reply (0.34s latency).
208.254.40.96 1346838300 up echo-reply (0.30s latency).
208.254.40.97 1335840300 up unknown
208.254.40.97 1338446700 up unknown
208.254.40.97 1339334100 up unknown
208.254.40.97 1346658300 up echo-reply (0.26s latency).
... similar up
208.254.40.126 1335708900 up unknown
208.254.40.126 1338446700 up unknown
208.254.40.126 1339330500 up unknown
208.254.40.126 1346494500 up echo-reply (0.24s latency).
208.254.40.127 1335840300 up unknown
208.254.40.127 1337793300 up unknown
208.254.40.127 1338853500 up unknown
208.254.40.127 1346454900 up echo-reply (0.23s latency).
208.254.40.128 1335856500 up unknown
208.254.40.128 1338200100 down no-response
208.254.40.128 1338749100 down no-response
208.254.40.128 1339334100 down no-response
208.254.40.128 1346607900 down net-unreach
208.254.40.129 1335699900 up unknown
... similar down
``
Suggests exactly 127 - 96 + 1 = 31 IPs.
208.254.42:
``
... similar down
208.254.42.191 1334522700 down no-response
208.254.42.191 1335276900 down no-response
208.254.42.191 1335784500 down no-response
208.254.42.191 1337845500 down no-response
208.254.42.191 1338752700 down no-response
208.254.42.191 1339332300 down no-response
208.254.42.191 1346499900 down net-unreach
208.254.42.192 1334668500 up unknown
208.254.42.192 1336808700 up unknown
208.254.42.192 1339334100 up unknown
208.254.42.192 1346766300 up echo-reply (0.40s latency).
208.254.42.193 1335770100 up unknown
208.254.42.193 1338444900 up unknown
208.254.42.193 1339334100 up unknown
... similar up
208.254.42.221 1346517900 up echo-reply (0.19s latency).
208.254.42.222 1335708900 up unknown
208.254.42.222 1335708900 up unknown
208.254.42.222 1338066900 up unknown
208.254.42.222 1338747300 up unknown
208.254.42.222 1346872500 up echo-reply (0.27s latency).
208.254.42.223 1335773700 up unknown
208.254.42.223 1336949100 up unknown
208.254.42.223 1338750900 up unknown
208.254.42.223 1339334100 up unknown
208.254.42.223 1346854500 up echo-reply (0.13s latency).
208.254.42.224 1335665700 down no-response
208.254.42.224 1336567500 down no-response
208.254.42.224 1338840900 down no-response
208.254.42.224 1339425900 down no-response
208.254.42.224 1346494500 down time-exceeded
... similar down
``
Suggests exactly 223 - 192 + 1 = 31 IPs.
Let's have a look at the file `68`: outcome: no clear hits like on 208. One wonders why.
It does appear that long sequences of ranges are a sort of fingerprint. The question is how unique it would be.
First:
``
n=208
time awk '$3=="up"{ print $1 }' $n | uniq -c | sed -r 's/^ +//;s/ /,/' | tee $n-up-uniq
t=$n-up-uniq.sqlite
rm -f $t
time sqlite3 $t 'create table tmp(cnt text, i text)'
time sqlite3 $t ".import --csv $n-up-uniq tmp"
time sqlite3 $t 'create table t (i integer)'
time sqlite3 $t '.load ./ip' 'insert into t select str2ipv4(i) from tmp'
time sqlite3 $t 'drop table tmp'
time sqlite3 $t 'create index ti on t(i)'
``
This reduces us to 2 million IP rows from the total possible 16 million IPs.
OK now just counting hits on fixed windows has way too many results:
``
sqlite3 208-up-uniq.sqlite "\
SELECT * FROM (
SELECT i, COUNT(*) OVER (
ORDER BY i RANGE BETWEEN 15 PRECEDING AND 15 FOLLOWING
) as c FROM t
) WHERE c > 20 and c < 30
"
``
Let's try instead consecutive ranges of length exactly 31 instead then:
``
sqlite3 208-up-uniq.sqlite <<EOF
SELECT f, t - f as c FROM (
SELECT min(i) as f, max(i) as t
FROM (SELECT i, ROW_NUMBER() OVER (ORDER BY i) - i as grp FROM t)
GROUP BY grp
ORDER BY i
) where c = 31
EOF
``
271. Hmm. A bit more than we'd like...
Another route is to also count the ups:
``
n=208
time awk '$3=="up"{ print $1 }' $n | uniq -c | sed -r 's/^ +//;s/ /,/' | tee $n-up-uniq-cnt
t=$n-up-uniq-cnt.sqlite
rm -f $t
time sqlite3 $t 'create table tmp(cnt text, i text)'
time sqlite3 $t ".import --csv $n-up-uniq-cnt tmp"
time sqlite3 $t 'create table t (cnt integer, i integer)'
time sqlite3 $t '.load ./ip' 'insert into t select cast(cnt as integer), str2ipv4(i) from tmp'
time sqlite3 $t 'drop table tmp'
time sqlite3 $t 'create index ti on t(i)'
``
Let's see how many consecutives with counts:
``
sqlite3 208-up-uniq-cnt.sqlite <<EOF
SELECT f, t - f as c FROM (
SELECT min(i) as f, max(i) as t
FROM (SELECT i, ROW_NUMBER() OVER (ORDER BY i) - i as grp FROM t WHERE cnt >= 3)
GROUP BY grp
ORDER BY i
) where c > 28 and c < 32
EOF
``
Let's check on 66:
``
grep -e '66.45.179' -e '66.45.179' 66
``
not representative at all... e.g. several confirmed hits are down:
``
66.45.179.215 1335305700 down no-response
66.45.179.215 1337579100 down no-response
66.45.179.215 1338765300 down no-response
66.45.179.215 1340271900 down no-response
66.45.179.215 1346813100 down no-response
``
= 2012 Internet Census icmp_ping
{parent=Internet Census 2012}
Let's check relevancy of known hits:
``
grep -e '208.254.40' -e '208.254.42' 208 | tee 208hits
``
Output:
``
208.254.40.95 1355564700 unreachable
208.254.40.95 1355622300 unreachable
208.254.40.96 1334537100 alive, 36342
208.254.40.96 1335269700 alive, 17586
..
208.254.40.127 1355562900 alive, 35023
208.254.40.127 1355593500 alive, 59866
208.254.40.128 1334609100 unreachable
208.254.40.128 1334708100 alive from 208.254.32.214, 43358
208.254.40.128 1336596300 unreachable
``
The rest of 208 is mostly unreachable.
``
208.254.42.191 1335294900 unreachable
...
208.254.42.191 1344737700 unreachable
208.254.42.191 1345574700 Icmp Error: 0,ICMP Network Unreachable, from 63.111.123.26
208.254.42.191 1346166900 unreachable
...
208.254.42.191 1355665500 unreachable
208.254.42.192 1334625300 alive, 6672
...
208.254.42.192 1355658300 alive, 57412
208.254.42.193 1334677500 alive, 28985
208.254.42.193 1336524300 unreachable
208.254.42.193 1344447900 alive, 8934
208.254.42.193 1344613500 alive, 24037
208.254.42.193 1344806100 alive, 20410
208.254.42.193 1345162500 alive, 10177
...
208.254.42.223 1336590900 alive, 23284
...
208.254.42.223 1355555700 alive, 58841
208.254.42.224 1334607300 Icmp Type: 11,ICMP Time Exceeded, from 65.214.56.142
208.254.42.224 1334681100 Icmp Type: 11,ICMP Time Exceeded, from 65.214.56.142
208.254.42.224 1336563900 Icmp Type: 11,ICMP Time Exceeded, from 65.214.56.142
208.254.42.224 1344451500 Icmp Type: 11,ICMP Time Exceeded, from 65.214.56.138
208.254.42.224 1344566700 unreachable
208.254.42.224 1344762900 unreachable
``
Let's try with 66. First there is way too much data, 9 GB, let's cut it down:
``
n=66
time awk '$3~/^alive,/ { print $1 }' $n | uniq -c | sed -r 's/^ +//;s/ /,/' | tee $n-alive-uniq-c
``
OK down to 45 MB, now we can work.
``
grep -e '66.45.179' -e '66.104.169' -e '66.104.173' -e '66.104.175' -e '66.175.106' '66-alive-uniq-c' | tee 66hits
``
Nah, it's full of holes:
``
4,66.45.179.187
12,66.45.179.188
2,66.45.179.197
1,66.45.179.202
2,66.45.179.205
2,66.45.179.206
1,66.45.179.207
``
won't be able to find new ranges here.
= tb0hdan/domains
{parent=Data sources}
Domain list only, no IPs and no dates. We haven't been able to extract anything of interest from this source so far.
Domain hit count when we were at 69 hits: only 9, some of which had been since reused. Likely their data collection did not cover the dates of interest.
= Expired domain trackers
{parent=Data sources}
When you <Google> most of the hit domains, many of them show up on "expired domain trackers", and above all Chinese expired domain trackers for some reason, notably e.g.:
* https://hupo.com[]: e.g. http://static.hupo.com/expdomain_myadmin/2012-03-06(国际域名).txt[]. Heavily IP throttled. Tor hindered more than helped.
Scraping script: \a[cia-2010-covert-communication-websites/hupo.sh]. Scraping does about 1 day every 5 minutes relatively reliably, so about 36 hours / year. Not bad.
Results are stored under `tmp/hupo/<day>`.
Check for hit overlap:
``
grep -Fx -f <( jq -r '.[].host' ../media/cia-2010-covert-communication-websites/hits.json ) cia-2010-covert-communication-websites/tmp/hupo/*
``
The hits are very well distributed amongst days and months, at least they did a good job hiding these potential timing fingerprints. This feels very deliberately designed.
There are lots of hits. The data set is very inclusive. Also we understand that it must have been obtained through means other than <Web crawling>, since it contains so many of the hits.
Nice output format for scraping as the HTML is very minimal.
They randomly changed their URL format to remove the space before the `.txt` after 2012-02-03:
* http://static.hupo.com/expdomain_myadmin/2012-01-01(国际域名)%20.txt
* http://static.hupo.com/expdomain_myadmin/2013-01-01(国际域名).txt
Some of their files are simply missing however unfortunately, e.g. neither of the following exist:
* http://static.hupo.com/expdomain_myadmin/2012-07-01(国际域名)%20.txt
* http://static.hupo.com/expdomain_myadmin/2012-07-01(国际域名).txt
webmasterhome.cn did contain that one however: http://domain.webmasterhome.cn/com/2012-07-01.asp[]. Hmm, we might have better luck over there then?
2018-11-19 is corrupt in a new and wonderful way, with a bunch of trailing zeros:
``
wget -O hupo-2018-11-19 'http://static.hupo.com/expdomain_myadmin/2018-11-19%EF%BC%88%E5%9B%BD%E9%99%85%E5%9F%9F%E5%90%8D%EF%BC%89.txt'
hd hupo-2018-11-19
``
ends in:
``
000ffff0 74 75 64 69 65 73 2e 63 6f 6d 0d 0a 70 31 63 6f |tudies.com..p1co|
00100000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
0018a5e0 00 00 00 00 00 00 00 00 00 |.........|
``
More generally, several files contain invalid domain names with non-ASCII characters, e.g. 2013-01-02 contains `365<D3>л<FA><C2><CC>.com`. Domain names can only contain ASCII characters: https://stackoverflow.com/questions/1133424/what-are-the-valid-characters-that-can-show-up-in-a-url-host[]. Maybe we should get rid of any such lines as noise.
Some files around 2011-09-06 start with an empty line. 2014-01-15 starts with about twenty empty lines. Oh and that last one also has some trash bytes at the end `<B7><B5><BB><D8>`. Beauty.
* https://webmasterhome.cn[]: e.g. http://domain.webmasterhome.cn/com/2012-03-06.asp[]. Appears to contain the exact same data as "static.hupo.com"
Also heavily IP throttled, and a bit more than hupo apparently.
Scraper \a[cia-2010-covert-communication-websites/webmastercn.sh].
Also has some randomly missing dates like hupo.com, though different missing ones from hupo, so they complement each other nicely.
Some of the URLs are broken and don't inform that with HTTP status code, they just replace the results with some Chinese text 无法找到该页 (The requested page could not be found):
* https://domain.webmasterhome.cn/com/2012-02-06.asp
* https://domain.webmasterhome.cn/com/2012-02-14.asp
* https://domain.webmasterhome.cn/com/2013-04-30.asp
Several URLs just return length 0 content, e.g.:
``
curl -vvv http://domain.webmasterhome.cn/com/2015-10-31.asp
* Trying 125.90.93.11:80...
* Connected to domain.webmasterhome.cn (125.90.93.11) port 80 (#0)
> GET /com/2015-10-31.asp HTTP/1.1
> Host: domain.webmasterhome.cn
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 21 Oct 2023 15:12:23 GMT
< Server: Microsoft-IIS/6.0
< X-Powered-By: ASP.NET
< Content-Length: 0
< Content-Type: text/html
< Set-Cookie: ASPSESSIONIDCSTTTBAD=BGGPAONBOFKMMFIPMOGGHLMJ; path=/
< Cache-control: private
<
* Connection #0 to host domain.webmasterhome.cn left intact
``
It is not fully clear if this is a throttling mechanism, or if the data is just missing entirely.
Starting around 2018, the IP limiting became very intense, 30 mins / 1 hour per URL, so we just gave up. Therefore, data from 2018 onwards does not contain webmasterhome.cn data.
Starting from `2013-05-10` the format changes randomly. This also shows us that they just have all the HTML pages as static files on their server. E.g. with:
``
grep -a '<pre' * | s
``
we see:
``
2013-05-09:<pre style='font-family:Verdana, Arial, Helvetica, sans-serif; '><strong>2013<C4><EA>05<D4><C2>09<C8>յ<BD><C6>ڹ<FA><BC><CA><D3><F2><C3><FB></strong><br>0-3y.com
2013-05-10:<pre><strong>2013<C4><EA>05<D4><C2>10<C8>յ<BD><C6>ڹ<FA><BC><CA><D3><F2><C3><FB></strong>
``
* https://justdropped.com[]: e.g. https://www.justdropped.com/drops/030612com.html[]
* http://yoid.com[]: e.g.: http://yoid.com/bydate.php?d=2016-06-03&a=a
This suggests that scraping these lists might be a good starting point to obtaining "all expired domains ever".
We've made the following pipelines for hupo.com + webmasterhome.cn merging:
``
./hupo.sh &
./webmastercn.sh &
wait
./hupo-merge.sh
# Export as small Google indexable files in a Git repository.
./hupo-repo.sh
# Export as per year zips for Internet Archive.
./hupo-zip.sh
# Obtain count statistics:
./hupo-wc.sh
``
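The file quirks listed above (zero padding, a truncated last entry, non-ASCII lines, leading blank lines, trailing trash bytes, empty 200 responses and the 无法找到该页 error page) can all be handled by one cleaning pass before two sources are merged for a day. This is an added example, not the project's `hupo-merge.sh`; it assumes the webmasterhome.cn pages are GBK-encoded, and every sample input is constructed.

```python
import re

# Error text quoted above. Assumption: webmasterhome.cn pages are GBK-encoded,
# which is what the <C4><EA> bytes after "2013" in the grep output suggest.
SOFT_404 = "无法找到该页".encode("gbk")

# One DNS label: ASCII letters, digits and hyphens, 1 to 63 bytes, no hyphen
# at either end. A listed domain needs at least two labels.
LABEL = rb"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(LABEL + rb"(?:\." + LABEL + rb")+")
# Entries are separated by CRLF/LF in the .txt files and by tags in the .asp
# pages. NUL padding is treated as a separator so it cannot glue names together.
SEPARATOR_RE = re.compile(rb"<[^>]*>|[\r\n\x00]+")

# Constructed samples modelled on the quirks described above.
HUPO_RAW = (b"\r\n\r\nexample-one.com\r\n"
            b"365\xd3\xd0\xbb\xfa\xc2\xcc.com\r\n"      # non-ASCII name
            b"example-studies.com\r\np1co" + b"\x00" * 32)  # truncated + padding
WEBMASTER_RAW = (b"<pre><strong>2013" + "年05月10日".encode("gbk") + b"</strong>\n"
                 b"Example-One.com\nexample-two.com\n\xb7\xb5\xbb\xd8")
SOFT_404_PAGE = b"<html><body>" + SOFT_404 + b"</body></html>"


def classify(body):
    """Return 'empty', 'soft404' or 'ok' for one downloaded day file."""
    if not body.strip(b"\x00 \t\r\n"):
        return "empty"      # e.g. HTTP 200 with Content-Length: 0
    if SOFT_404 in body:
        return "soft404"    # error page served with a success status
    return "ok"


def extract_domains(body):
    """Return the syntactically valid domain names of a raw day file, in order."""
    domains = []
    for chunk in SEPARATOR_RE.split(body):
        name = chunk.strip().lower()
        # Non-ASCII bytes, date headers and dot-less fragments fail the match.
        if len(name) <= 253 and DOMAIN_RE.fullmatch(name):
            domains.append(name.decode("ascii"))
    return domains


def merge_day(*bodies):
    """Union of valid domains from every usable source for one day, sorted."""
    merged = set()
    for body in bodies:
        if classify(body) == "ok":
            merged.update(extract_domains(body))
    return sorted(merged)


if __name__ == "__main__":
    for name in merge_day(HUPO_RAW, WEBMASTER_RAW, b"", SOFT_404_PAGE):
        print(name)
```

Recording the `classify` result per source and day also makes it possible to tell a missing day from a throttled one when retrying later.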
The extracted data is present at:
* https://archive.org/details/expired-domain-names-by-day
* https://github.com/cirosantilli/expired-domain-names-by-day-* repos:
* https://github.com/cirosantilli/expired-domain-names-by-day-2011 (~11M)
* https://github.com/cirosantilli/expired-domain-names-by-day-2012 (~18M)
* https://github.com/cirosantilli/expired-domain-names-by-day-2013 (~28M)
* https://github.com/cirosantilli/expired-domain-names-by-day-2014 (~29M)
* https://github.com/cirosantilli/expired-domain-names-by-day-2015 (~28M)
* https://github.com/cirosantilli/expired-domain-names-by-day-2016
* https://github.com/cirosantilli/expired-domain-names-by-day-2017
* https://github.com/cirosantilli/expired-domain-names-by-day-2018
* https://github.com/cirosantilli/expired-domain-names-by-day-2019
* https://github.com/cirosantilli/expired-domain-names-by-day-2020
* https://github.com/cirosantilli/expired-domain-names-by-day-2021
* https://github.com/cirosantilli/expired-domain-names-by-day-2022
Soon after uploading, these repos started getting some interesting traffic, presumably started by security trackers going "bling bling" on certain malicious domain names in their databases:
* GitHub trackers:
* admin-monitor.shiyue.com
* anquan.didichuxing.com
* app.cloudsek.com
* app.flare.io
* app.rainforest.tech
* app.shadowmap.com
* bo.serenety.xmco.fr 8 1
* bts.linecorp.com
* burn2give.vercel.app
* cbs.ctm360.com 17 2
* code6.d1m.cn
* code6-ops.juzifenqi.com
* codefend.devops.cndatacom.com
* dlp-code.airudder.com
* easm.atrust.sangfor.com
* ec2-34-248-93-242.eu-west-1.compute.amazonaws.com
* ecall.beygoo.me 2 1
* eos.vip.vip.com 1 1
* foradar.baimaohui.net 2 1
* fty.beygoo.me
* hive.telefonica.com.br 2 1
* hulrud.tistory.com
* kartos.enthec.com
* soc.futuoa.com
* lullar-com-3.appspot.com
* penetration.houtai.io 2 1
* platform.sec.corp.qihoo.net
* plus.k8s.onemt.co 4 1
* pmp.beygoo.me 2 1
* portal.protectorg.com
* qa-boss.amh-group.com
* saicmotor.saas.cubesec.cn
* scan.huoban.com
* sec.welab-inc.com
* security.ctrip.com 10 3
* siem-gs.int.black-unique.com 2 1
* soc-github.daojia-inc.com
* spigotmc.org 2 1
* tcallzgroup.blueliv.com
* tcthreatcompass05.blueliv.com 4 1
* tix.testsite.woa.com 2 1
* toucan.belcy.com 1 1
* turbo.gwmdevops.com 18 2
* urlscan.watcherlab.com
* zelenka.guru. Looks like a Russian hacker forum.
* LinkedIn profile views:
* "Information Security Specialist at Forcepoint"
Check for overlap of the merge:
``
grep -Fx -f <( jq -r '.[].host' ../media/cia-2010-covert-communication-websites/hits.json ) cia-2010-covert-communication-websites/tmp/merge/*
``
Next, we can start searching by keyword with <Wayback Machine CDX scanning with Tor parallelization> with our helper \a[cia-2010-covert-communication-websites/hupo-cdx-tor.sh], e.g. to check domains that contain the term "news":
``
./hupo-cdx-tor.sh mydir 'news|global' 2011 2019
``
produces per-year results for the regex term `news|global` between the years under:
``
tmp/hupo-cdx-tor/mydir/2011
tmp/hupo-cdx-tor/mydir/2012
``
OK let's:
``
./hupo-cdx-tor.sh out 'news|headline|internationali|mondo|mundo|mondi|iran|today'
``
Other searches that are not dense enough for our patience:
``
world|global|[^.]info
``
OMG `news` search might be producing some golden, golden new hits!!! Going full into this. Hits:
* thepyramidnews.com
* echessnews.com
* tickettonews.com
* airuafricanews.com
* vuvuzelanews.com
* dayenews.com
* newsupdatesite.com
* arabicnewsonline.com
* arabicnewsunfiltered.com
* newsandsportscentral.com
* networkofnews.com
* trekkingtoday.com
* financial-crisis-news.com
and a few more. It's amazing.
Related:
* https://webmasters.stackexchange.com/questions/33806/expired-domains-database/143542#143542
* https://stackoverflow.com/questions/928549/how-to-create-a-list-of-recently-expired-domains/77336749#77336749
* https://github.com/spaze/domains
= club.domain.cn
{parent=Expired domain trackers}
TODO what does this Chinese forum track? New registrations? Their focus seems to be <domain name speculation>
Some of the threads contain domain dumps. We haven't yet seen a scrapable URL pattern, but their data goes way back and did have various hits. The forum seems to have started in 2006: https://club.domain.cn/forum.php?mod=forumdisplay&fid=41&page=10127
https://club.domain.cn/forum.php?mod=viewthread&tid=241704 "【国际域名拟删除列表】2007年06月16日" is the earliest list we could find. It is an expired domain list.
Some hits:
* https://club.domain.cn/forum.php?mod=viewthread&tid=709388 contains `alljohnny.com` The thread title is "2009.5.04". The post date 2009-04-30
Breadcrumb nav: 域名论坛 > 域名增值交易区 > 国际域名专栏 (domain name forum > area for domain names increasing in value > international domains)
= "Mass Deface III" pastebin
{parent=Data sources}
https://pastebin.com/CTXnhjeS dated mega early on Sep 30th, 2012 by CYBERTAZIEX.
This source was <found by Oleg Shakirov>.
Holy fuck the type of data source that we get in this area of work!
This pastebin contained a few new hits, in addition to some pre-existing ones. Most of the hits seem to be linked to the IP 72.34.53.174, which presumably is a major part of the fingerprint found by CYBERTAZIEX, though unsurprisingly methodology is unclear. As documented, the domains appear to be linked to a "Condor hosting" provider, but it is hard to find any information about it online.
<Ciro Santilli> checked every single non-subdomain domain in the list.
Other files under the same account: https://pastebin.com/u/cybertaziex did not seem of interest.
The author's real name appears to be Deni Suwandi: https://twitter.com/denz_999 from #Indonesia[], but all accounts appear to be inactive, otherwise we'd ping him to ask for more info about the list.
= ipinf.ru
{parent=Data sources}
OK, <Oleg Shakirov's findings> inspired <Ciro Santilli> to try <Yandexing> a bit more...
`alljohnny.com` had a hit: https://ipinf.ru/domains/alljohnny.com/[], and so Ciro started looking around... and a good number of other things have hits.
Not all of them, definitely less data than <viewdns.info>.
But they do reverse IP, and they show which nearby reverse IPs have hits on the same page, for free, which is great!
Shame their ordering is purely alphabetical, doesn't properly order the IPs so it is a bit of a pain, but we can handle it.
OMG, <Russians>!!!
The data here had a little bit of non-overlap from other sources. 4 new confirmed hits were found, plus 4 possible others that were left as candidates.
= Reverse engineering
{parent=Methodology}
In this section we document the outcomes of more detailed inspection of both the communication mechanisms (<JavaScript>, <JAR (file format)>, swf) and <HTML> that might help to better fingerprint the websites.
= Communication mechanism
{parent=Reverse engineering}
= Comms
{synonym}
{title2}
There are four main types of communication mechanisms found:
* <Java> <JAR (file format)>
There is also one known instance where a .zip extension was used! https://web.archive.org/web/20131101104829*/http://plugged-into-news.net/weatherbug.zip as:
``
<applet codebase="/web/20101229222144oe_/http://plugged-into-news.net/" archive="/web/20101229222144oe_/http://plugged-into-news.net/weatherbug.zip"
``
JAR is the most common comms, and one of the most distinctive, making it a great <fingerprint>.
Several of the JAR files are named something like either:
* meter.jar
* bandwidth.jar
* speed.jar
as if to pose as Internet speed testing tools? The wonderful subtleties of the late 2000s Internet are a bit over our heads.
All JARs are directly under root, not in subdirectories, and the basename usually consists of one word, though sometimes two camel-cased words.
* <JavaScript> file. There are two subtypes:
* <JavaScript with SHAs>. Rare. Likely older. Way more fingerprintable.
* JavaScript without SHAs. They have all been obfuscated slightly differently and compressed. But the file sizes are all very similar, from 8kB to 10kB, and they all look similar, so visually it is very easy to detect a match with good likelihood.
* <Adobe Flash> swf file. In all instances found so far, the name of the SWF matches the name of the second level domain exactly, e.g.:
``
http://tee-shot.net/tee-shot.swf
``
While this is somewhat of a fingerprint, it is worth noting that it was a relatively commonly used pattern. But it is also the rarest of the mechanisms. This is at a dissonance with the rest of the web, which circa 2010 already had way more SWF than JAR apparently.
* <CGI comms>
These have short single word names with some meaning linked to their website.
Because the communication mechanisms are so crucial, they tend to be less varied, and serve as very good fingerprints. The similarity is not ludicrous, e.g. identical files, but one look at a few and you will know the others.
= CGI comms
{parent=Communication mechanism}
= CGI
{synonym}
We've come across a few shallow and stylistically similar websites on suspicious ranges with this pattern.
No JS/JAR/SWF comms, but rather a subdomain, and an HTTPS page with .cgi extension that leads to a login page. Some names seen for this subdomain:
* `secure.`: most common
* `ssl.`: also common
* various other more creative ones linked to the website theme itself, e.g.:
* musical-fortune.net has a backstage.musical-fortune.net
The question is, is this part of some legitimate tooling that created such patterns? And if so which? Or are they actual hits with a new comms mechanism not previously seen?
The fact that:
* hits of this type are so dense in the suspicious ranges
* they are so stylistically similar between one another
* citizenlabs specifically mentioned a "CGI" comms method
suggests to Ciro that they are an actual hit.
In particular, the `secure` and `ssl` ones are overused, and together with some heuristics allowed us to find our first two non Reuters ranges! <secure subdomain search on 2013 DNS Census>{full}
Some currently known URLs
* https://backstage.musical-fortune.net/cgi-bin/backstage.cgi
* https://clients.smart-travel-consultant.com/cgi-bin/clients.cgi
* https://members.it-proonline.com/cgi-bin/members.cgi
* https://members.metanewsdaily.com/cgi-bin/ABC.cgi
* https://miembros.todosperuahora.com/cgi-bin/business.cgi
* https://secure.altworldnews.com/cgi-bin/desk.cgi
* https://secure.driversinternationalgolf.com/cgi-bin/drivers.cgi
* https://secure.freshtechonline.com/cgi-bin/tech.cgi
* https://secure.globalnewsbulletin.com/cgi-bin/index.cgi
* https://secure.negativeaperture.com/cgi-bin/canon.cgi
* https://secure.riskandrewardnews.com/cgi-bin/worldwide.cgi
* https://secure.theworld-news.net/cgi-bin/news.cgi
* https://secure.topbillingsite.com/cgi-bin/main.cgi
* https://secure.worldnewsandent.com/cgi-bin/news.cgi
* https://ssl.beyondnetworknews.com/cgi-bin/local.cgi
* https://ssl.newtechfrontier.com/cgi-bin/tech.cgi
* https://www.businessexchangetoday.com/cgi-bin/business.cgi
* https://heal.conquermstoday.com (path unknown)
If we could do a crawl search for `secure.*com/cgi-bin/*.cgi` that might be a good enough fingerprint, maybe even `*.*com/cgi-bin/*.cgi`. Edit: it is not perfect, but we kind of did it: <secure subdomain search on 2013 DNS Census>{full}.
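The URL-level patterns described above for the JAR, SWF and CGI comms can be turned into a first-pass filter over a list of archived URLs. The following Python is an added example, not code used in this investigation; `classify`, its regular expressions and the `example.com` URLs are assumptions made for illustration, while the other URLs are taken from this article.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

Hit = namedtuple("Hit", "mechanism note")

# Heuristics as stated in the text; the exact regular expressions are assumptions.
JAR_BASENAME = re.compile(r"^[a-z]+(?:[A-Z][a-z]+)?$")  # one word, or two camel-cased
CGI_PATH = re.compile(r"^/cgi-bin/([A-Za-z]+)\.cgi$")     # short single-word script name
OVERUSED_SUBDOMAINS = {"secure", "ssl"}


def second_level_label(host):
    """Return 'tee-shot' for 'www.tee-shot.net' (assumes a single-label TLD)."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(url):
    """Return a Hit if the URL matches one of the comms patterns, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path

    # JAR and SWF files sit directly under the web root: exactly one "/".
    if path.count("/") == 1 and "." in path:
        base, ext = path[1:].rsplit(".", 1)
        ext = ext.lower()
        if ext == "jar" and JAR_BASENAME.match(base):
            return Hit("jar", "root-level JAR %r" % base)
        if ext == "swf" and base.lower() == second_level_label(host):
            return Hit("swf", "SWF named after the second-level domain")

    # CGI comms: HTTPS, served from a subdomain, /cgi-bin/<word>.cgi
    m = CGI_PATH.match(path)
    if m and parts.scheme == "https" and host.count(".") >= 2:
        sub = host.split(".")[0]
        kind = "overused" if sub in OVERUSED_SUBDOMAINS else "themed"
        return Hit("cgi", "%s subdomain %r, script %r" % (kind, sub, m.group(1)))
    return None


SAMPLE_URLS = [
    # From this article:
    "http://tee-shot.net/tee-shot.swf",
    "https://secure.altworldnews.com/cgi-bin/desk.cgi",
    "https://backstage.musical-fortune.net/cgi-bin/backstage.cgi",
    "https://members.metanewsdaily.com/cgi-bin/ABC.cgi",
    # Constructed for illustration:
    "http://example.com/meter.jar",             # JAR name from the list above
    "http://example.com/static/lib/meter.jar",  # in a subdirectory: no match
    "http://example.com/player.swf",            # SWF not named after the domain
    "http://example.com/cgi-bin/form.cgi",      # no HTTPS, no subdomain
]


def scan(urls):
    """Map each URL to its Hit (or None)."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, hit in scan(SAMPLE_URLS).items():
        print("%-4s %s" % (hit.mechanism if hit else "-", url))
```

A match is only a lead for manual review: as noted above, the SWF naming pattern in particular was common on unrelated websites.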
= CGI comms variant
{parent=CGI comms}
Later on, we've also come across some stylistic hits in IP ranges with apparent slight variations of the CGI comms pattern:
* no .cgi, but also http on subdomain:
* dead:
* https://web.archive.org/web/20100507132004/https://secure.developmental-league.com/login.html[]
* https://web.archive.org/web/20110128182345/https://webmail.energy-bulb.com/login.html[]
* https://web.archive.org/web/20110226074139/http://www.welcometonyc.net/login.html[]
* no subdomain, no https, no .cgi
* live
* https://web.archive.org/web/20091130144158/http://construction-zones.com/login.html[]
* https://web.archive.org/web/20090405045548/http://nouvelles-d-aujourdhuis.com/members.html[]
* dead
* https://web.archive.org/web/20101230025246/http://guidetoelectronics.net/login.html[]
* https://web.archive.org/web/20110128234749/http://messengergalaxy.com/login.html[]
* https://web.archive.org/web/20100517071454/http://mide-news.com/login.html[]
Since these are so rare, it is still a bit hard to classify them for sure, but they are of great interest no doubt, as once we start to notice these patterns, more tend to come if it is a thing.
= SSL certificate
{c}
{parent=CGI comms}
The <CGI comms> websites contain the only occurrence of HTTPS, so it might open up the door for a certificate fingerprint as proposed by user joelcollinsdc at: https://news.ycombinator.com/item?id=36280801[]!
https://crt.sh appears to be a good way to look into this:
* backstage.musical-fortune.net:
* https://crt.sh/?q=backstage.musical-fortune.net
* https://crt.sh/?id=1412501
* clients.smart-travel-consultant.com
* https://crt.sh/?q=clients.smart-travel-consultant.com
* https://crt.sh/?id=34910476
* members.it-proonline.com
* https://crt.sh/?q=members.it-proonline.com
* https://crt.sh/?id=34166798
* members.metanewsdaily.com
* https://crt.sh/?q=members.metanewsdaily.com
* https://crt.sh/?id=38512637
* miembros.todosperuahora.com
* https://crt.sh/?q=miembros.todosperuahora.com
* https://crt.sh/?id=34584314
* secure.altworldnews.com
* https://crt.sh/?q=secure.altworldnews.com
* https://crt.sh/?id=1326989
* secure.driversinternationalgolf.com
* https://crt.sh/?id=1855125
* https://crt.sh/?id=34240083
* secure.freshtechonline.com
* https://crt.sh/?q=secure.freshtechonline.com
* https://crt.sh/?id=34560115
* secure.globalnewsbulletin.com
* https://crt.sh/?q=secure.globalnewsbulletin.com
* https://crt.sh/?id=774803
* secure.negativeaperture.com
* https://crt.sh/?q=secure.negativeaperture.com
* https://crt.sh/?id=34547778
* secure.riskandrewardnews.com
* https://crt.sh/?id=33737677
* https://crt.sh/?id=1140907
* secure.theworld-news.net
* secure.topbillingsite.com
* secure.worldnewsandent.com
* ssl.beyondnetworknews.com
* ssl.newtechfrontier.com
* www.businessexchangetoday.com
* heal.conquermstoday.com
They all appear to use either of:
* Go Daddy
* Thawte DV SSL CA
* Starfield Technologies, Inc.
https://crt.sh/?q=globalnewsbulletin.com has a hit to: https://crt.sh/?id=774803[]. With login we can see: https://search.censys.io/certificates/5078bce356a8f8590205ae45350b27f58f4ac04478ed47a389a55b539065cee8[]. Issued by https://www.thawte.com/repository/index.html[]. No hits for certificates with same public key: https://search.censys.io/search?resource=certificates&q=parsed.subject_key_info.fingerprint_sha256%3A+714b4a3e8b2f555d230a92c943ced4f34b709b39ed590a6a230e520c273705af[] or any other "same" queries though.
Let's try another one for secure.altworldnews.com: https://search.censys.io/certificates/e88f8db87414401fd00728db39a7698d874dbe1ae9d88b01c675105fabf69b94[]. Nope, no direct mega hits here either.
= JavaScript reverse engineering
{parent=Reverse engineering}
= JavaScript with SHAs
{parent=JavaScript reverse engineering}
There are two types of JavaScript found so far. The ones with SHA and the ones without. There are only 2 examples of JS with SHA:
* iraniangoals.com: https://web.archive.org/web/20110202091909/http://iraniangoals.com/journal.js[] Commented at: <iraniangoals.com JavaScript reverse engineering>
* iranfootballsource.com: https://web.archive.org/web/20110202091901/http://iranfootballsource.com/futbol.js
* kukrinews.com: https://web.archive.org/web/20100513094909/http://kukrinews.com/news.js
* todaysnewsandweather-ru.com: https://web.archive.org/web/20110207094735/http://todaysnewsandweather-ru.com/blacksea.js
Both files start with precisely the same string:
``
var ms="\u062F\u0631\u064A\u0627\u0641\u062A\u06CC",lc="\u062A\u0647\u064A\u0647 \u0645\u062A\u0646",mn="\u0628\u0631\u062F\u0627\u0632\u0634 \u062F\u0631 \u062C\u0631\u064A\u0627\u0646 \u0627\u0633\u062A...\u0644\u0637\u0641\u0627 \u0635\u0628\u0631 \u0643\u0646\u064A\u062F",lt="\u062A\u0647\u064A\u0647 \u0645\u062A\u0646",ne="\u067E\u0627\u0633\u062E",kf="\u062E\u0631\u0648\u062C",mb="\u062D\u0630\u0641",mv="\u062F\u0631\u064A\u0627\u0641\u062A\u06CC",nt="\u0627\u0631\u0633\u0627\u0644",ig="\u062B\u0628\u062A \u063A\u0644\u0637. \u062C\u0647\u062A \u062A\u062C\u062F\u064A\u062F \u062B\u0628\u062A \u0635\u0641\u062D\u0647 \u0631\u0627 \u0628\u0627\u0632\u0622\u0648\u0631\u06CC \u06A9\u0646\u064A\u062F",hs="\u063A\u064A\u0631 \u0642\u0627\u0628\u0644 \u0627\u062C\u0631\u0627. \u062E\u0637\u0627 \u062F\u0631 \u0627\u062A\u0651\u0635\u0627\u0644",ji="\u063A\u064A\u0631 \u0642\u0627\u0628\u0644 \u0627\u062C\u0631\u0627. \u062E\u0637\u0627 \u062F\u0631 \u0627\u062A\u0651\u0635\u0627\u0644",ie="\u063A\u064A\u0631 \u0642\u0627\u0628\u0644 \u0627\u062C\u0631\u0627. \u062E\u0637\u0627 \u062F\u0631 \u0627\u062A\u0651\u0635\u0627\u0644",gc="\u0633\u0648\u0627\u0631 \u06A9\u0631\u062F\u0646 \u062A\u06A9\u0645\u064A\u0644 \u0634\u062F",gz="\u0645\u0637\u0645\u0626\u0646\u064A\u062F \u06A9\u0647 \u0645\u064A\u062E\u0648\u0627\u0647\u064A\u062F \u067E\u064A\u0627\u0645 \u0631\u0627 \u062D\u0630\u0641 \u06A9\u0646\u064A\u062F\u061F"
``
Good fingerprint present in all of them:
``
throw new Error("B64 D.1");};if(at[1]==-1){throw new Error("B64 D.2");};if(at[2]==-1){if(f<ay.length){throw new Error("B64 D.3");};dg=2;}else if(at[3]==-1){if(f<ay.length){throw new Error("B64 D.4")
``
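The two fingerprints above (the shared table of `\uXXXX` strings and the `B64 D.n` error messages) can be checked mechanically. The following Python is an added example, not code from this investigation; it goes slightly beyond the text by hashing the decoded string values rather than the variable names, so that a copy with renamed or reordered variables would still match, which is an assumption about how other copies might differ. The sample strings are shortened excerpts of the code quoted above, and `RENAMED` and `UNRELATED` are constructed.

```python
import hashlib
import re

UNICODE_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})")
# A literal made only of \uXXXX escapes and plain characters, as in the quoted code.
LITERAL = r'"(?:\\u[0-9A-Fa-f]{4}|[^"\\])*"'
VAR_TABLE = re.compile(r"\bvar\s+((?:\w+=" + LITERAL + r",?)+)")
ASSIGNMENT = re.compile(r"(\w+)=(" + LITERAL + r")")
B64_ERROR = re.compile(r'Error\("B64 D\.(\d+)"\)')


def decode_escapes(s):
    """Turn \\uXXXX escapes into the characters they stand for."""
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def string_table(js):
    """Decoded values of the first `var a="..",b=".."` statement, in file order."""
    m = VAR_TABLE.search(js)
    if not m:
        return []
    return [decode_escapes(lit[1:-1]) for _name, lit in ASSIGNMENT.findall(m.group(1))]


def table_fingerprint(js):
    """SHA-256 over the sorted set of decoded strings; None if there is no table."""
    values = sorted(set(string_table(js)))
    if not values:
        return None
    return hashlib.sha256("\n".join(values).encode("utf-8")).hexdigest()


def b64_error_codes(js):
    """Sorted numbers n of every Error("B64 D.n") found in the file."""
    return sorted({int(n) for n in B64_ERROR.findall(js)})


def looks_like_sha_variant(js):
    """True if the B64 D.1 to D.4 error messages are all present."""
    return {1, 2, 3, 4} <= set(b64_error_codes(js))


# Excerpts of the code quoted above (four of the string assignments, shortened).
STRINGS_FROM_PAGE = r'''var ms="\u062F\u0631\u064A\u0627\u0641\u062A\u06CC",kf="\u062E\u0631\u0648\u062C",mb="\u062D\u0630\u0641",nt="\u0627\u0631\u0633\u0627\u0644";'''
B64_FROM_PAGE = r'''throw new Error("B64 D.1");};if(at[1]==-1){throw new Error("B64 D.2");};if(at[2]==-1){if(f<ay.length){throw new Error("B64 D.3");};dg=2;}else if(at[3]==-1){if(f<ay.length){throw new Error("B64 D.4")'''
SAMPLE = STRINGS_FROM_PAGE + B64_FROM_PAGE

# Constructed: same strings under different names and in a different order.
RENAMED = r'''var a="\u0627\u0631\u0633\u0627\u0644",b="\u062D\u0630\u0641",c="\u062E\u0631\u0648\u062C",d="\u062F\u0631\u064A\u0627\u0641\u062A\u06CC";''' + B64_FROM_PAGE
# Constructed: an unrelated script.
UNRELATED = 'var title="hello";function f(){throw new Error("bad input");}'

if __name__ == "__main__":
    for name, js in [("sample", SAMPLE), ("renamed", RENAMED), ("unrelated", UNRELATED)]:
        print(name, looks_like_sha_variant(js), table_fingerprint(js))
```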
= iraniangoals.com JavaScript reverse engineering
{parent=JavaScript with SHAs}
<JavaScript> file: https://web.archive.org/web/20110202091909/http://iraniangoals.com/journal.js
Some <reverse engineering> was done at: https://twitter.com/hackerfantastic/status/1575505438111571969?lang=en[].
Notably, the password is hardcoded and its <hash> is stored in the JavaScript itself. The result is then submitted back via a POST request to `/cgi-bin/goal.cgi`.
TODO: how is the SHA calculated? Appears to be manual.
= feedsdemexicoyelmundo.com JavaScript reverse engineering
{parent=JavaScript reverse engineering}
The <JavaScript> of each website appears to be quite small and similarly sized. They are all minimized, but have reordered things around a bit.
For example consider: https://web.archive.org/web/20110202190932/http://feedsdemexicoyelmundo.com/mundo.js
First we have to know that the <Wayback Machine> adds some stuff before and after the original code. The actual code there starts at:
``
ap={fg:['MSXML2.XMLHTTP
``
and ends in:
``
ck++;};return fu;};
``
We can use a <JavaScript> beautifier such as https://beautifier.io/ to be able to better read the code.
It is worth noting that there's a lot of `<script>` tags inline as well, which seem to matter.
Further analysis would be needed.
= Google searches for known domains and IPs
{c}
{parent=Methodology}
Googling most domains gives only very few results, and most of them are just useless lists of expired domains. Skipping those for now.
Googling `"dedrickonline.com"` has a hit at https://www.webwiki.de/dedrickonline.com# Furthermore, it also contains the IP address "65.61.127.174" under the "Technik" tab!
Unfortunately that website appears to be split by language? E.g. the English version does not contain it: https://www.webwiki.com/dedrickonline.com[], which would make searching a bit harder, but still doable.
But if we can Google search those IPs there, we might just hit gold.
IP search did work! https://www.webwiki.de/65.61.127.174
But doesn't often/ever work unfortunately for others.
Googling "activegaminginfo.com" has a hit at: http://cqcounter.com/whois/site/activegaminginfo.com.html which actually contains the IP 66.175.106.148! But I can't find a reverse IP search method. And perhaps due to having lots of <CAPTCHAs>, Google doesn't seem to index that website very well... it even has a tiny screenshot! And it also shows some more metadata beyond IP, e.g. HTTP response headers, which notably contain stuff like `Server: Apache-Coyote/1.1`.
Forward search of expired domains appears to often work however, and contains correct IPs and the screenshots. Note that direct access as follows does not work for some reason, you have to type them into the search bar manually:
* https://cqcounter.com/siteinfo/?activegaminginfo.com/
* https://cqcounter.com/siteinfo/?capture-nature.com/
* https://cqcounter.com/siteinfo/?conquermstoday.com/
* https://cqcounter.com/siteinfo/?elcorreodenoticias.com/
* https://cqcounter.com/siteinfo/?factorforcenews.com
* https://cqcounter.com/siteinfo/?feedsdemexicoyelmundo.com/
* https://cqcounter.com/siteinfo/?fightwithoutrules.com/
* https://cqcounter.com/siteinfo/?fitness-dawg.com/
* https://cqcounter.com/siteinfo/?information-junky.com/
* https://cqcounter.com/siteinfo/?iraniangoalkicks.com[]
* https://cqcounter.com/siteinfo/?iraniangoals.com[]: not present
* https://cqcounter.com/siteinfo/?kanata-news.com
* https://cqcounter.com/siteinfo/?negativeaperture.com/
* https://cqcounter.com/siteinfo/?nouvellesetdesrapports.com/
* https://cqcounter.com/siteinfo/?pangawana.com/
* https://cqcounter.com/siteinfo/?rastadirect.net
* https://cqcounter.com/siteinfo/?recuerdosdeviajeonline.com/
* https://cqcounter.com/siteinfo/?tee-shot.net/
* https://cqcounter.com/siteinfo/?www.dedrickonline.com/
* https://cqcounter.com/siteinfo/?www.easytraveleurope.com/
* https://cqcounter.com/siteinfo/?www.headlines2day.com/
* https://cqcounter.com/siteinfo/?www.kessingerssportsnews.com/
OMG so close. If only Google would index that website we'd be done!!!
Apparently also mirrored at "dawhois":
* https://dawhois.com/site/currentcommunique.com.html
Searching on github.com: https://github.com/DrWhax/cia-website-comms from September 2022 contains some of the links to some of the ones reported by Reuters.
= Breakthroughs
{parent=Methodology}
Some less-trivial breakthroughs:
* finding <2013 DNS Census>
* <CGI comms> characterization
* <secure subdomain search on 2013 DNS Census> led to a few hits
* <2013 DNS Census virtual host cleanup heuristic keyword searches> was massive and led to many new ranges
= Non Reuters ranges
{parent=Breakthroughs}
= secure subdomain search on 2013 DNS Census
{parent=Non Reuters ranges}
Grepping the <2013 DNS Census> first by overused <CGI comms> subdomains `secure.` and `ssl.` leaves 200k lines. Grepping for the overused "news" led to hits:
* secure.worldnewsandent.com,2012-02-13T21:28:15,208.254.40.117
* ssl.beyondnetworknews.com,2012-02-13T20:10:13,66.104.175.40
Also tried but failed:
* `sports`:
* secure.motorsportdealers.com,2012-04-10T20:19:09,64.73.117.38 https://web.archive.org/web/20110501000000*/motorsportdealers.com[]
OK, after the initial successes in `secure.`, we went a bit more data intensive:
* took all `secure.*` `ssl.*` URLs in the <2013 DNS Census>, 70k entries
* cleaned up a bit, e.g. only `.com` or `.net`. This left 30k entries
* looped over all of them in archive CDX: <Wayback machine CDX scanning>, searching for those that also end in `.cgi` https://web.archive.org/cdx/search/cdx?url=$domain&matchType=domain&filter=urlkey:.*\.cgi&to=20140101000000[]. Took an afternoon, but no rate limit block.
* this leaves about 1000, so we looped over all of them manually on web archive with a script, and opened any that had the pattern of very few hits between 2010 and 2013 only, and on those checked for visual/thematic style match. Careful not to make more than 15 requests per minute or else 5 min blacklist!
New results: only one...
* 208.254.42.205 secure.driversinternationalgolf.com,2012-02-13T10:42:20,
After <2013 DNS Census virtual host cleanup heuristic keyword searches> we later understood why there were so few hits here: the <2013 DNS Census> didn't capture the `secure.` subdomains of many domains it had for some reason. Shame, because if it had, this method would have yielded many more results.
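The filtering steps above can be reproduced offline on a few rows. The following Python is an added example, not the script that was actually used here; the function names, the `max_hits` threshold and the `Throttle` helper are assumptions, the first three census rows and the CDX URL template are taken from this section, and the remaining rows and both CDX responses are constructed.

```python
import re
import time
import urllib.request
from datetime import datetime

PREFIXES = ("secure.", "ssl.")
TLDS = (".com", ".net")
# URL template as given in the list above, with $domain as the only variable.
CDX_TEMPLATE = ("https://web.archive.org/cdx/search/cdx?url={domain}"
                "&matchType=domain&filter=urlkey:.*\\.cgi&to=20140101000000")


def census_candidates(lines):
    """Yield (host, ip) for `host,timestamp,ip` rows with an overused prefix and a kept TLD."""
    seen = set()
    for line in lines:
        fields = line.strip().split(",")
        if len(fields) != 3:
            continue
        host, _timestamp, ip = fields
        host = host.lower()
        if host.startswith(PREFIXES) and host.endswith(TLDS) and host not in seen:
            seen.add(host)
            yield host, ip


def cdx_url(domain):
    return CDX_TEMPLATE.format(domain=domain)


def parse_cdx(text):
    """Parse plain-text CDX rows (urlkey timestamp original ...) into (datetime, url)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and re.fullmatch(r"\d{14}", f[1]):
            rows.append((datetime.strptime(f[1], "%Y%m%d%H%M%S"), f[2]))
    return rows


def worth_opening(rows, max_hits=10, first_year=2010, last_year=2013):
    """Very few .cgi captures, all of them between 2010 and 2013 (max_hits is an assumption)."""
    cgi = [(t, u) for t, u in rows if u.lower().split("?")[0].endswith(".cgi")]
    return 0 < len(cgi) <= max_hits and all(first_year <= t.year <= last_year for t, _ in cgi)


class Throttle:
    """Space calls so that no more than `per_minute` happen in any minute."""

    def __init__(self, per_minute=15, clock=time.monotonic, sleep=time.sleep):
        self.interval = 60.0 / per_minute
        self._clock, self._sleep = clock, sleep
        self._next = float("-inf")

    def wait(self):
        delay = self._next - self._clock()
        if delay > 0:
            self._sleep(delay)
        self._next = max(self._next, self._clock()) + self.interval


def fetch(url, throttle=None):
    """Network step; not exercised by the sample data below."""
    if throttle is not None:
        throttle.wait()
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read().decode("utf-8", "replace")


CENSUS_SAMPLE = [
    "secure.worldnewsandent.com,2012-02-13T21:28:15,208.254.40.117",  # from this section
    "ssl.beyondnetworknews.com,2012-02-13T20:10:13,66.104.175.40",    # from this section
    "secure.motorsportdealers.com,2012-04-10T20:19:09,64.73.117.38",  # from this section
    "www.example.com,2012-01-01T00:00:00,192.0.2.1",                  # constructed
    "secure.example.org,2012-01-01T00:00:00,192.0.2.2",               # constructed
    "not a census row",                                                # constructed
]

# Constructed CDX responses (timestamps, digests and lengths are made up).
CDX_SHORT_LIVED = """\
com,driversinternationalgolf,secure)/cgi-bin/drivers.cgi 20110315101500 https://secure.driversinternationalgolf.com/cgi-bin/drivers.cgi text/html 200 CONSTRUCTEDDIGEST0000000000000001 1520
com,driversinternationalgolf,secure)/cgi-bin/drivers.cgi 20120702081200 https://secure.driversinternationalgolf.com/cgi-bin/drivers.cgi text/html 200 CONSTRUCTEDDIGEST0000000000000002 1520
"""
CDX_LONG_LIVED = """\
com,example,secure)/cgi-bin/cart.cgi 20040611000000 https://secure.example.com/cgi-bin/cart.cgi text/html 200 CONSTRUCTEDDIGEST0000000000000003 900
com,example,secure)/cgi-bin/cart.cgi 20120101000000 https://secure.example.com/cgi-bin/cart.cgi text/html 200 CONSTRUCTEDDIGEST0000000000000004 900
"""

if __name__ == "__main__":
    for host, ip in census_candidates(CENSUS_SAMPLE):
        print(ip, host, cdx_url(host))
    print(worth_opening(parse_cdx(CDX_SHORT_LIVED)), worth_opening(parse_cdx(CDX_LONG_LIVED)))
```

Hosts for which `worth_opening` is true still need the manual visual and thematic check described above; `secure.motorsportdealers.com` passes the census filter but was not a hit.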
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/archive-tabs.png]
{title=You can never have enough <Wayback Machine> tabs open}
= Oleg Shakirov's findings
{parent=Breakthroughs}
{title2=Communicated January 15, 2024}
= Oleg Shakirov
{synonym}
= Found by Oleg Shakirov
{synonym}
Starting at https://twitter.com/shakirov2036/status/1746729471778988499[], <Russian> expat https://www.linkedin.com/in/shakirov/[Oleg Shakirov] comments "Let me know if you are still looking for the Carson website".
He then proceeded to <Searching for Carson>[give Carson] and 5 other domains in private communication. His name is given here with his consent. His advances, besides not being blind, were <Yandexing> for some of the known hits, which led to pages that contained other hits:
* moyistochnikonlaynovykhigr.com contains a copy of myonlinegamesource.com, and both are present at https://www.seomastering.com/audit/pefl.ru/[], an SEO tracker, because both have backlinks to `pefl.ru`, which is apparently a niche fantasy football website
* 4 previously unknown hits from: <"Mass Deface III" pastebin>. He missed one which Ciro then found after inspecting all URLs on <Wayback Machine>, so leading to a total of 5 new hits from that source.
Unfortunately, these methods are not very generalizable, and didn't lead to a large number of other hits. But every domain counts!
= Searching for Carson
{parent=Oleg Shakirov's findings}
Edit: Carson was found by https://www.linkedin.com/in/shakirov/[Oleg Shakirov] (<Oleg Shakirov's findings>): `alljohnny.com`, communicated at: https://twitter.com/shakirov2036/status/1746729471778988499[], earliest archive from 2004 (!): https://web.archive.org/web/20040113025122/http://alljohnny.com/[]. The domain was hidden in plain sight: it was present in a not very visible watermark in the <Reuters article> screenshot! The watermark was added by the <CIA> to the background image, it is actually present on the website. In retrospect, it was actually present on the <expired domain trackers> dataset, but the mega discreet `all` second word made <Ciro Santilli> miss it: https://github.com/cirosantilli/expired-domain-names-by-day-2015/blob/9d504f3b85364a64f7db93311e70011344cff788/07/05/02#L1572
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/screenshots/alljohnny.com.jpg]
{title=2004 <Wayback Machine> archive of https://web.archive.org/web/20040113025122/http://alljohnny.com/[alljohnny.com]}
{height=700}
What follows is the previous
The fact that the <Reuters article> has a screenshot of it, and therefore a <Wayback Machine> link, plus the specificity of the website topic, will likely keep Ciro awake at night for a while until someone finds that domain.
Some text visible on the Reuters screenshot:
* \Q[Johnny Carson and The Tonight Show]
* \Q[Your Favorite Host and Comedic Genius]
* \Q[Submit Your Favorite Carson Moment]
* \Q[Heeere's Johnny!]
Holy crap, the "Here's Johnny" line from The Shining (1980) is a reference to Johnny Carson: https://www.youtube.com/watch?v=WDpipB4yehk[], https://www.youtube.com/watch?v=aYnyPAkgyvc[], Ciro never knew that... but every American would have understood it at the time.
It is unclear however if this text is plaintext or part of an image.
Some failed attempts, either dry guesses or from DNS grepping dataset searches:
* https://johnnycarson.com[]: official
* https://johnnycarson.net[]: fan site: https://web.archive.org/web/20010501225614/http://johnnycarson.net/
* http://johnnycarsontonight.com
* http://carson-johnny.com[]: legit
* http://johnnycarsonshow.com[]: https://web.archive.org/web/20110208005558/http://johnnycarsonshow.com/captcha/index.php?d=johnnycarsonshow.com[] your IP has been blocked
* http://tributetojohnnycarson.com[]: only one archive https://web.archive.org/web/20180805132430/http://tributetojohnnycarson.com/[]
* bestofjohnnycarson.com: https://web.archive.org/web/20130525035938/http://bestofjohnnycarson.com/ Lived past 2013.
* bestofjohnny.com/: https://web.archive.org/web/20130506011824/http://bestofjohnny.com/ empty
* johnnycarsonvideo.com: dead early 2000s https://web.archive.org/web/20130605152818/http://johnnycarsonvideo.com/
* johnnycarsontv.com: https://web.archive.org/web/20230000000000*/johnnycarsontv.com
* thejohnnycarsonshow.com: https://web.archive.org/web/20230000000000*/thejohnnycarsonshow.com
* carsonsbest.com: https://web.archive.org/web/20230000000000*/carsonsbest.com
* johnnycarsonfans.com: https://web.archive.org/web/20230000000000*/johnnycarsonfans.com
* https://web.archive.org/web/20230000000000*/carsonified.com
* night:
* the-tonight-show.com: https://web.archive.org/web/20230000000000*/the-tonight-show.com
* https://web.archive.org/web/20230000000000*/tonightshowlegends.com
* https://web.archive.org/web/20230000000000*/tonightshow.com
* https://web.archive.org/web/*/http://thetonightshow.net/*
* amazing:
* johnnyamazing.com: broken archives: https://web.archive.org/web/*/http://johnnyamazing.com/*
* carson
* johnneycarson.com: no archives
* johnnycarson.co: no archives
* johnnycarsons.info
* johnnycarsons.com
* johnnycarson.org
* johnnycarsonsdesk.com
* johnny-carson-video.com
* johnnycarsondvd.org
* johnnycarsondvds.org
* johnnycarsondvd.net
* johnnycarsondvd.tv
* johnnycarsondvds.net
* johnnycarsondvds.tv
* johnnycarson.tv
* johnnyguitarcarson.com
* johnnycarsonmovie.com
* hookedonjohnnycarson.com
* johnnycarsonbook.com
* licensingjohnnycarson.com
* johnnnycarson.com
* johnnycarson360.com
* koalajohnnycarson.com
* johnny-carson.com
* johnnycarsonbirthplace.com
* johnnycarsonbirthplace.net
* johnny:
* heres:
* heresjohnnyfilm.com: https://web.archive.org/web/20131011115733/http://www.heresjohnnyfilm.com/ legit
* hereisjohnny.net: no archives
* heresjohnnyradioshow.com: https://web.archive.org/web/20130509042107/http://heresjohnnyradioshow.com/[], Legit most likely: https://web.archive.org/web/20140517103512/http://heresjohnnyradioshow.com/
* wherejohnnylives.net: broken archives
* http://heresjohnny.com[]: squat https://web.archive.org/web/20130607145841/http://heresjohnny.com/ Many other TLDs like .net, .co.uk
* heeeeresjohnny.com: http://web.archive.org/web/20130612211448/http://heeeeresjohnny.com/[]: legit
* night:
* johnnylatenight.com: https://web.archive.org/web/20150801132622/http://johnnylatenight.com/ Legit broken
* https://web.archive.org/web/20110208161513/http://www.johnnysnight.com/
* johnnycarson.org: squatted past 2013, nothing before
* carsonshow.com: squat: https://web.archive.org/web/20110224211714/http://carsonshow.com/[]
* tonightshow247.net: https://web.archive.org/web/20101226190209/http://tonightshow247.net/[]: squat
* tonightshow.tv: https://web.archive.org/web/20141221222442/http://www.tonightshow.tv/[]: legit
Searching the <Wayback Machine> proved fruitless. There is no full text search: <Wayback Machine full text search>, and a heuristic https://web.archive.org/web/20230000000000*/Johnny%20Carson search has relevant hits but not the one we want.
Another attempt was to search for "carson" on webmasterhome.cn which lists expired domains in bulk by expiration day, and is search engine friendly. It contains most of the domains we've found so far. <Google> either doesn't support partial word search or requires you to be a <God> to find it
* https://stackoverflow.com/questions/73371842/how-to-run-partial-word-search-on-google-com-and-find-all-words-containing-joh
* https://booleanstrings.com/2021/03/07/how-to-google-for-partial-words-in-urls-osint/
* https://stackoverflow.com/questions/28220652/google-custom-search-engine-and-partial-matching
so we settle for DuckDuckGo which supports it: https://duckduckgo.com/?q=site%3Awebmasterhome.cn+%22carson%22&t=h_&ia=web Adding years also helps: https://duckduckgo.com/?q=site%3Awebmasterhome.cn+%22carson%22+2011&ia=web with this we might be getting all possible results. Ciro went through all in 2011, 2012 and 2013 but no luck. Also fuck https://en.wikipedia.org/wiki/Carson_City,_Nevada[] and https://en.wikipedia.org/wiki/Carson,_California[] :-)
Let's search https://tools.whoisxmlapi.com/reverse-whois-search for "carson" contained in any historic domain name. 10,001 lines. Grepping those, no good Wayback machine hits for those that also contain "johnny" or "show". Data at: https://raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/tools.whoisxmlapi.com_reverse-whois-search_carson.csv in case anyone wants to try and dig...
Let's also search the fortuitously timed <2013 DNS Census>.
= Work log
{c}
{parent=CIA 2010 covert communication websites}
= Wakatime redirects
{c}
{parent=Work log}
Summary: this is just a red herring. Wakatime owner likely registered the domains just after this article was published as a <publicity stunt>. Fair play though.
As raised at: https://news.ycombinator.com/item?id=36280666[], many, but not all, of the domains currently redirect to https://wakatime.com/[] as of 2023, and apparently they were taken up in 2013 (TODO how to confirm that). TODO what is the explanation for that? Some examples that do:
* http://dedrickonline.com
* http://tee-shot.net
But some failed resolution examples:
* http://pangawana.com/
* http://kessingerssportsnews.com/
Even more suspiciously, according to his LinkedIn: https://www.linkedin.com/in/alanhamlett/[], the owner of Wakatime, Alan Hamlett, worked at WhiteHat Security, Inc from Aug 2011 - Sep 2013. The company was then acquired by Synopsys in 2022. Holy crap!!! As shown at: https://web.archive.org/web/20131013193406/https://www.whitehatsec.com/ that company made website security tools. Did that dude use the tools to find the vulnerability and then just gobble up all the domains??? What a fucking legend if he did!!!
Let's try:
* https://host.io/redirects/wakatime.com[]: failure
* https://www.whatsmydns.net/redirect-checker?q=wakatime.com[]: failure
* https://app.neilpatel.com/en/seo_analyzer/backlinks?domain=wakatime.com&mode=domain[]: failure
Running e.g.
``
curl -vvv dedrickonline.com
``
gives:
``
* Trying 162.255.119.197:80...
* Connected to dedrickonline.com (162.255.119.197) port 80 (#0)
> GET / HTTP/1.1
> Host: dedrickonline.com
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 12 Jun 2023 20:30:19 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 55
< Connection: keep-alive
< Location: https://wakatime.com
< X-Served-By: Namecheap URL Forward
< Server: namecheap-nginx
<
<a href='https://wakatime.com'>Moved Permanently</a>.
* Connection #0 to host dedrickonline.com left intact
``
so we see that he must have set up redirection with Namecheap as mentioned at: https://www.namecheap.com/support/knowledgebase/article.aspx/385/2237/how-to-redirect-a-url-for-a-domain/
Let's also try <DNS> history
* https://whoisrequest.com/history/[]:
* dedrickonline.com: registered: 1 Nov, 2010, dropped: 24 Nov, 2013
* activegaminginfo.com : registered: 1 Feb, 2010, dropped: 1 Apr, 2012
* https://tools.whoisxmlapi.com/whois-history-search
* dedrickonline.com:
* CIA (registrar: Godaddy, registrant name: <DomainsByProxy.com>)
* Created Date: October 27, 2010 00:00:00 UTC
* Updated Date: October 28, 2013 00:00:00 UTC
* Expires Date: October 27, 2014 00:00:00 UTC
* Alan (namecheap):
* Created Date: June 11, 2023 09:59:25 UTC
* Expires Date: June 11, 2024 09:59:25 UTC
* activegaminginfo.com:
* CIA (Network Solutions, registrant name: LLC. Corral, Elizabeth|ATTN ACTIVEGAMINGINFO.COM|care of Network Solutions)
* Created Date: January 26, 2010 00:00:00 UTC
* Updated Date: November 27, 2010 00:00:00 UTC
* Expires Date: January 26, 2012 00:00:00 UTC
* Alan:
* Created Date: June 11, 2023 09:59:40 UTC
* Expires Date: June 11, 2024 09:59:40 UTC
* iraniangoalkicks.com:
* CIA (registrar: Godaddy, registrant name: <DomainsByProxy.com>)
* Created Date: April 9, 2007 00:00:00 UTC
* Updated Date: March 2, 2011 00:00:00 UTC
* Expires Date: April 9, 2011 00:00:00 UTC
* Alan:
* Created Date: June 11, 2023 09:59:20 UTC
* Expires Date: June 11, 2024 09:59:20 UTC
* iraniangoals.com:
* CIA (registrar: Godaddy, registrant name: <DomainsByProxy.com>):
* Created Date: March 6, 2008 00:00:00 UTC
* Updated Date: March 7, 2011 00:00:00 UTC
* Expires Date: March 6, 2014 00:00:00 UTC
* Reuters:
* Created Date: September 29, 2022 11:16:09 UTC
* Updated Date: September 29, 2022 11:16:09 UTC
* Expires Date: September 29, 2023 11:16:09 UTC
So these suggest Alan might have just come along in 2023 way after the 2022 Reuters article and did the same basic IP range search that Ciro is doing now, so possibly no new tech. Let's ask... https://twitter.com/cirosantilli/status/1668369786865164289
The domain name history presented is however of interest, and could lead to patterns being found.
Searching https://tools.whoisxmlapi.com/reverse-whois-search with term "Corral, Elizabeth" gave no results unfortunately.
Basic search under https://tools.whoisxmlapi.com/reverse-whois-search for "Corral" also empty. They can't see their own data? Ah, need advanced. Marked "Historic" and selected "Corral, Elizabeth", only one hit, activegaminginfo.com.
= IP and DNS metadata
{c}
{parent=Work log}
Some dumps from us looking for patterns, but could not find any.
= iraniangoals.com
{parent=IP and DNS metadata}
whoisxmlapi WHOIS history April 11, 2011:
* Created Date: March 6, 2008 00:00:00 UTC
* Updated Date: March 7, 2011 00:00:00 UTC
* Expires Date: March 6, 2014 00:00:00 UTC
* Registrant Name: <DomainsByProxy.com>.
* Registrant Organization: Domains by Proxy, Inc.
* Registrant Street: 15111 N. Hayden Rd., Ste 160,
* Registrant City: Scottsdale
* Registrant State/Province: Arizona
* Registrant Postal Code: 85260
* Registrant Country: UNITED STATES
* Name servers: NS29.WORLDNIC.COM|NS30.WORLDNIC.COM
Followed by Reuters registration in 2022.
https://whoisrequest.com/history/ mentions:
* 1 Apr, 2008: Domain created*, nameservers added. Nameservers:
* ns1.webhostingpad.com
* ns2.webhostingpad.com
= iraniangoalkicks.com
{parent=IP and DNS metadata}
whoisxmlapi WHOIS history March 23, 2011:
* Created Date: April 9, 2007 00:00:00 UTC
* Updated Date: March 2, 2011 00:00:00 UTC
* Expires Date: April 9, 2011 00:00:00 UTC
* Registrant Name: <DomainsByProxy.com>
* Name servers: dns1.registrar-servers.com|dns2.registrar-servers.com
https://whoisrequest.com/history/ mentions:
1 May, 2007: Domain created*, nameservers added. Nameservers:
* ns1.qwknetllc.com
* ns2.qwknetllc.com
= activegameinfo.com
{parent=IP and DNS metadata}
{title2=66.175.106.148}
whoisxmlapi WHOIS history March 22, 2011:
* Registrar Name: NETWORK SOLUTIONS, LLC.
* Created Date: January 26, 2010 00:00:00 UTC
* Updated Date: November 27, 2010 00:00:00 UTC
* Expires Date: January 26, 2012 00:00:00 UTC
* Registrant Name: Corral, Elizabeth|ATTN ACTIVEGAMINGINFO.COM|care of Network Solutions
* Registrant Street: PO Box 459
* Registrant City: PA
* Registrant State/Province: US
* Registrant Postal Code: 18222
* Registrant Country: UNITED STATES
* Administrative Name: Corral, Elizabeth|ATTN ACTIVEGAMINGINFO.COM|care of Network Solutions
* Administrative Street: PO Box 459
* Administrative City: Drums
* Administrative State/Province: PA
* Administrative Postal Code: 18222
* Administrative Country: UNITED STATES
* Administrative Email: xc2mv7ur8cw@networksolutionsprivateregistration.com
* Administrative Phone: 5707088780
* Name servers: NS23.DOMAINCONTROL.COM|NS24.DOMAINCONTROL.COM
= feedsdemexicoyelmundo.com
{parent=IP and DNS metadata}
{title2=66.175.106.149}
whoisxmlapi WHOIS record on April 28, 2011
* Registrar Name: GODADDY.COM, INC
* Created Date: February 9, 2010 00:00:00 UTC
* Updated Date: February 9, 2010 00:00:00 UTC
* Expires Date: February 9, 2015 00:00:00 UTC
* Registrant Name: <DomainsByProxy.com>
* Name servers: NS55.DOMAINCONTROL.COM|NS56.DOMAINCONTROL.COM
= noticiasmusica.net
{parent=IP and DNS metadata}
{title2=66.175.106.150}
whoisxmlapi WHOIS record on September 13, 2011:
* Registrar Name: NETWORK SOLUTIONS, LLC
* Created Date: February 17, 2010 00:00:00 UTC
* Updated Date: February 17, 2010 00:00:00 UTC
* Expires Date: February 17, 2015 00:00:00 UTC
* Registrant Name: See, Megan|ATTN NOTICIASMUSICA.NET|care of Network Solutions
* Registrant Street: PO Box 459
* Registrant City: PA
* Registrant State/Province: US
* Registrant Postal Code: 18222
* Registrant Country: UNITED STATES
* Administrative Contact
* Administrative Name: See, Megan|ATTN NOTICIASMUSICA.NET|care of Network Solutions
* Administrative Street: PO Box 459
* Administrative City: Drums
* Administrative State/Province: PA
* Administrative Postal Code: 18222
* Administrative Country: UNITED STATES
* Administrative Email: hf3eg77c4nn@networksolutionsprivateregistration.com
* Administrative Phone: 5707088780
* Name Servers: NS45.WORLDNIC.COM|NS46.WORLDNIC.COM
2012:
* Registrant Country: PANAMA
= atomworldnews.com
{parent=IP and DNS metadata}
{title2=66.175.106.155}
whoisxmlapi WHOIS record on April 17, 2011:
* Created Date: April 9, 2010 00:00:00 UTC
* Updated Date: April 9, 2010 00:00:00 UTC
* Expires Date: April 9, 2012 00:00:00 UTC
* Registrant Name: <DomainsByProxy.com>
* Name servers: NS33.DOMAINCONTROL.COM|NS34.DOMAINCONTROL.COM
= iranfootballsource.com
{parent=IP and DNS metadata}
= Backlinks
{parent=CIA 2010 covert communication websites}
Initial announcements by self on 2023-06-10:
* https://twitter.com/cirosantilli/status/1667532991315230720[]. Follow up when more domains were found: https://twitter.com/cirosantilli/status/1717445686214504830
* https://www.reddit.com/r/OSINT/comments/146185r/i_found_16_new_cia_covert_communication_websites/[]. Marked as SPAM by mods 5 days later, after reaching 92 votes, a very positive response for that niche sub, and being obviously on topic. Weird. Anyways, did its job and likely kicked off Hacker News.
* https://www.facebook.com/cirosantilli/posts/pfbid04KvRbEXghJakcD4AQz4379L5oVjPZ6vrBF1Eak3p81VnqRSXuXdvvYonCWPhGfQXl
Shared by others soon after:
* 2023-06-11:
* https://news.ycombinator.com/item?id=36279375#36280220[] (212 points). Shame that this was published when we only had about 20 websites. As of writing we had 240. Might have been a greater hit then.
\Image[https://raw.githubusercontent.com/cirosantilli/media/master/CIA_websites_hacker_news.png]
{height=600}
{source=https://news.ycombinator.com/item?id=36279375}
* <Google Analytics> backlink from https://lms.fh-wedel.de/[] path unknown. Some shitty German university: https://en.wikipedia.org/wiki/Fachhochschule_Wedel_University_of_Applied_Sciences LMS stands for <Learning Management System>, apparently a <Moodle> instance. Maybe they have some <Open educational resources>, but all in <German (language)> so pointless
* https://www.reddit.com/r/conspiracy/comments/14705gp/cia_2010_covert_communication_websites/ failed attempt with bad link unfortunately
* a few days later:
* 2023-06-19 https://www.reddit.com/r/numberstations/comments/14dexiu/after_numbers_stations_vanished/ (30 points) off topic on that sub, but thankfully was not deleted, interesting sub topic
2023-10-26 https://twitter.com/cirosantilli/status/1717445686214504830[]: announcement by self after finding 75 more sites
Second wave:
* 2023-12-01: https://news.ycombinator.com/item?id=38492304[] (65 points). Second submission but pointing to <OurBigBook.com> rather than cirosantilli.com: https://ourbigbook.com/cirosantilli/cia-2010-covert-communication-websites We take those. Reached only 65 points as of January 2024.
* 2023-12-02: https://buttondown.email/grugq/archive/december-2-2023/[]. "grugq" is the handle of a zero day dealer who received some scrutiny in 2012 after a Forbes profile was written about him: https://archive.ph/7mUG5[]. He comments:
\Q[I don’t think anyone anticipated that databases leaked by hackers would enable OSINT researchers to conduct counterintelligence investigations that rival the state security services.]
presumably referring to <DNS Census 2013>.
Some more:
* 2024-01-12: https://twitter.com/jeremy_wokka/status/1745657801584656564 (40k followers, mid of thread)
* 2024-01-15: <Oleg Shakirov's findings>, publication announced by <Ciro Santilli> at: https://twitter.com/cirosantilli/status/1747742453778559165[] two days later
* 2024-01-23: <ipinf.ru> gives 4 hits and 4 new suspects, announced at: https://mastodon.social/@cirosantilli/111807480628392615