DCLeaky

Updated 18th Feb 2018

It seems I was lucky and caught the site in a state where it was showing its innards, so some of the links below now don’t resolve. So I’ll share the files and screenshots I do have. I downloaded the mailserver software that was on the landing page (the files were publicly accessible) and they are available here as a .zip HERE (17Mb).

Here are some additional screenshots:

Here’s a port scan:

Nmap scan report for server13.yettamail.com (111.90.158.105)
Host is up (0.29s latency).
Not shown: 247 closed protocols
PROTOCOL STATE SERVICE
0 open|filtered hopopt
1 open icmp
2 open|filtered igmp
6 open|filtered tcp
17 open udp
47 open|filtered gre
103 open|filtered pim
136 open|filtered udplite
255 open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 324.97 seconds
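The report above is an Nmap IP protocol scan (the `-sO` mode, which probes protocol numbers rather than TCP/UDP ports), and its state column is easy to misread: `open` means something answered using that protocol, `closed` means an ICMP "protocol unreachable" came back, and `open|filtered` means nothing came back at all, so Nmap cannot tell open from filtered. As an added example (not code from the original post, and not an Nmap tool), the parser below reads that report, separates confirmed-open protocols from the silent ones, and checks that the "Not shown" count plus the listed entries account for all 256 protocol numbers. The `SAMPLE_REPORT` string is a constructed copy of the output quoted above; all function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed copy of the nmap -sO report quoted above, used only as sample
# input for the parser below.
SAMPLE_REPORT = """\
Nmap scan report for server13.yettamail.com (111.90.158.105)
Host is up (0.29s latency).
Not shown: 247 closed protocols
PROTOCOL STATE SERVICE
0 open|filtered hopopt
1 open icmp
2 open|filtered igmp
6 open|filtered tcp
17 open udp
47 open|filtered gre
103 open|filtered pim
136 open|filtered udplite
255 open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 324.97 seconds
"""

# What each nmap -sO state actually tells you about a protocol number.
STATE_MEANING = {
    "open": "a reply of some kind came back using that protocol",
    "closed": "an ICMP protocol-unreachable (type 3, code 2) came back",
    "filtered": "a different ICMP unreachable error came back",
    "open|filtered": "no reply at all: open and filtered cannot be told apart",
}

# "Nmap scan report for host (1.2.3.4)" or "Nmap scan report for 1.2.3.4"
HEADER_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) protocols$")
ENTRY_RE = re.compile(r"^(\d{1,3}) (open\|filtered|open|closed|filtered) (\S+)$")


@dataclass
class ProtocolEntry:
    number: int      # IP protocol number, 0..255
    state: str       # one of the STATE_MEANING keys
    service: str     # nmap's name for the protocol (icmp, udp, gre, ...)


@dataclass
class ProtocolScan:
    address: str
    hostname: Optional[str] = None
    not_shown: int = 0           # protocols folded into the "Not shown" line
    not_shown_state: str = ""    # the state those folded protocols share
    entries: List[ProtocolEntry] = field(default_factory=list)

    def by_state(self, state: str) -> List[str]:
        """Protocol names listed with exactly this state, in report order."""
        return [e.service for e in self.entries if e.state == state]

    def total_protocols(self) -> int:
        """IP protocol numbers run 0..255, so a complete report accounts for 256."""
        return self.not_shown + len(self.entries)


def parse_protocol_scan(text: str) -> ProtocolScan:
    """Parse one host's nmap -sO report into a ProtocolScan."""
    scan: Optional[ProtocolScan] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            scan = ProtocolScan(address=m.group(2), hostname=m.group(1))
            continue
        if scan is None:
            continue  # ignore anything before the report header
        m = NOT_SHOWN_RE.match(line)
        if m:
            scan.not_shown = int(m.group(1))
            scan.not_shown_state = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m:
            scan.entries.append(ProtocolEntry(int(m.group(1)), m.group(2), m.group(3)))
    if scan is None:
        raise ValueError("no 'Nmap scan report for' header found")
    return scan


def summarize(scan: ProtocolScan) -> dict:
    """Split the report into what is confirmed and what is merely unanswered."""
    closed = len(scan.by_state("closed"))
    if scan.not_shown_state == "closed":
        closed += scan.not_shown
    return {
        "host": scan.hostname or scan.address,
        "confirmed_open": scan.by_state("open"),
        "no_response": scan.by_state("open|filtered"),
        "closed_count": closed,
        "complete": scan.total_protocols() == 256,
    }


if __name__ == "__main__":
    result = summarize(parse_protocol_scan(SAMPLE_REPORT))
    for key, value in result.items():
        print(f"{key}: {value}")
    print("open|filtered means:", STATE_MEANING["open|filtered"])
```

Run against the quoted report, this gives two confirmed-open protocols (icmp and udp), seven with no response, and 247 closed, totalling 256. The practical point is that the seven `open|filtered` rows, tcp and gre among them, are not evidence that those protocols are reachable; the host simply did not answer, which is what a firewall dropping probes looks like too.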

Result from the ssh port:

Connecting to 111.90.158.105:38400… failed: Connection refused.
PASS WWW enabled INFO SSL enabled
http://www.dcleaks.com. | 111.90.158.105 | 38400

Nameservers point to THCServers Romania:

Note DATE of changes to Piradius.net nameserver:

ns1.piradius.net

"Last-Modified": "Tue, 22 Mar 2016 15:10:38 GMT",

"remoteIPAddress": "124.217.224.2",
"remotePort": 80,
"encodedDataLength": 180,

—————————————————————————————————————————————-

Original Article Below:


dcleaks.com was claimed to be a Russian front by the Americans, a wikileaks front by Guccifer2.0, and a political front by themselves.

  • They published leaks, seemingly obtained by email phishing, from both Republicans and Democrats.
  • Registered to its current IP on 19th April 2016; the name dates to 2010.
  • dcleaks.com nameservers are in Romania. The original Guccifer is Romanian.
  • In 2012 (also an election year) it was transferred 3 times but not activated.
  • Edit: h/t Steve McIntyre: Registered 2012 to Ronald Vanyur, Huntington Beach, California.
  • As was Electionleaks.com. Mr Vanyur’s ownership of both expired in 2013, but both were re-registered in April 2016 to new owners.
  • Their 2016 activity corresponds well with the Russian Collusion narrative.
  • In fact dcleaks.com (111.90.158.105) is a spam server and phishing setup in Malaysia.

According to the US Intelligence Community, Guccifer2.0 was not the only hacker doing Putin’s bidding; they also fingered the website dcleaks.com (archived here) as an agent of Putin.

There does seem to have been an interaction of some sort between G2.0 and dcleaks. According to The Smoking Gun, G2.0 provided them with a password to a secured part of dcleaks.com which contained files phished three months previously from the Gmail account of Sarah Hamilton, a Clinton volunteer:

Email from G2.0 and thesmokinggun.com

dcleaks itself is now offline, and the IP given by whois now points to what seems to be a phishing setup in Kuala Lumpur. The domain was originally registered way back in December 2010, likely just a name registration without hosting. Then, if you notice, in 2012 (a US election year, folks!) it came back to life and changed name-servers three times. Was it planning leaks in the 2012 election? Were some of the leaks in the 2016 election from stuff they’d been working on for a while…?

It’s had many different name-servers, and the current registrant has been scrubbed by the whois servers: “PrivacyProtect.org” leads to “publicdomainregistry.com”, back to “PrivacyProtect.org”, back to … etc. Eventually, reading the small print, we find that publicdomainregistry.com is acting on behalf of thcservers.com in Romania, who take payment in bitcoin:

Somewhere along the line it was registered to “feehan.europe.com”, and it has an obfuscated owner listed in most whois records as “Registry Domain ID: 2022687325_DOMAIN_COM-VRSN”.

A quick scan reveals that various ports are open, including Apache web servers and a MariaDB database, but it seems clear that the DCLeaks bird has flown the nest. The IP/port listed for ‘WWW’, 111.90.158.105 | 38400, rejects all connections even though both ‘WWW’ and SSL are enabled on it. The site still renders on port 80, as before, where you’ll find the screenshot above. To save you the time, I flicked through the publicly available files: all dull PHP files that a spam/phishing email server would need. No personally identifying data.

Notably: nothing Russian.

Via domainwhitepages.com we find a breakthrough: an alternative NS name for their email server. Searches on sites associated with

ns1.piradius.net 
& 
ns2.piradius.net

bring up a whole host of extremely dodgy phishing sites. Have a look at urlscan.io’s page on their AS. Every link is a phish trap. I think we may have found our guys. Or at least their mates.

They aren’t just targeting Hillary Clinton. They are targeting everyone:


Conclusion

We have Phishers. The Leaks on DCLeaks.com were from Phishing. Podesta Emails were from Phishing. Many of G2.0’s documents were from the Podesta Phishing trip. We have an organised group. We have people assuming they are Russians. What we don’t have is actual proof that they are Russians. They are more likely, in my opinion, to be simply criminal a-holes.

There are some obvious questions that remain:

  • If Guccifer2.0 was in contact with these guys, what is the connection between them, if any?
  • Curious that the main dcleaks.com nameserver company is in Romania. The original Guccifer is Romanian.
  • The CEO of the company that found “Russians” in the DNC servers ran agents in “the Netherlands, Romania, Ukraine and Estonia”, where he helped catch Guccifer1.0.
  • Why was dcleaks not activated for the 2012 election?
  • Were these phishers acting just for giggles, for cash, or on behalf of anyone?
  • Why blame the Russians? CyberCaliphate attacks have originated in Malaysia (but there is no evidence to link the two here).

12 thoughts on “DCLeaky”

  1. David, you mentioned Cyber Caliphate. The TV5 Monde attack was originally attributed to the Islamist CyberCaliphate, but later attribution changed to APT28. I’ve researched but was unable to locate a convincing reason for the change.


  2. Attractive section of content. I just stumbled upon your web site and in accession capital to assert that I acquire in fact enjoyed account your blog posts.
    Anyway I will be subscribing to your feeds and even I
    achievement you access consistently quickly.


  3. Thanks for the marvelous posting! I certainly enjoyed reading it, you may be a great author. I will be sure to bookmark your blog and will eventually come back in the future.
    I want to encourage you to definitely continue your great job, have a nice weekend!
