Updated 18th Feb 2018
It seems I was lucky, and caught the site in a state where it was showing its innards, so some of the below links now don’t resolve. So I’ll share the files and screenshots I do have. I downloaded the mailserver software that was on the landing page (the files were publicly accessible) and they are available as a .zip HERE (17Mb).
Here are some additional screenshots:
Here’s a port scan:
Nmap scan report for server13.yettamail.com (18.104.22.168)
Host is up (0.29s latency).
Not shown: 247 closed protocols
PROTOCOL STATE SERVICE
0 open|filtered hopopt
1 open icmp
2 open|filtered igmp
6 open|filtered tcp
17 open udp
47 open|filtered gre
103 open|filtered pim
136 open|filtered udplite
255 open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 324.97 seconds
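As an added example (not part of the original post), the following Python parses the nmap -sO protocol-scan report format quoted above and separates the protocols that actually replied from the open|filtered rows, which only mean that no ICMP protocol-unreachable answer came back; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Sample input: the protocol-scan (nmap -sO) report quoted in the post above.
NMAP_OUTPUT = """\
Nmap scan report for server13.yettamail.com (18.104.22.168)
Host is up (0.29s latency).
Not shown: 247 closed protocols
PROTOCOL STATE SERVICE
0 open|filtered hopopt
1 open icmp
2 open|filtered igmp
6 open|filtered tcp
17 open udp
47 open|filtered gre
103 open|filtered pim
136 open|filtered udplite
255 open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 324.97 seconds
"""

# What each state means in an IP protocol scan (nmap -sO):
#   open           - some reply arrived using that protocol (e.g. ICMP echo reply)
#   closed         - an ICMP protocol-unreachable message came back
#   open|filtered  - no reply at all: the protocol may be open, or a filter dropped it
ROW_RE = re.compile(r"^(\d+)\s+(open\|filtered|open|closed|filtered)\s+(\S+)")

@dataclass
class ProtoResult:
    number: int   # IP protocol number (the "PROTOCOL" column)
    state: str    # nmap state string
    service: str  # nmap's name for the protocol

def parse_protocol_scan(text: str) -> list[ProtoResult]:
    """Return one ProtoResult per table row below the PROTOCOL header."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("PROTOCOL"):
            in_table = True       # table starts after the header line
            continue
        m = ROW_RE.match(line)
        if in_table and m:
            rows.append(ProtoResult(int(m.group(1)), m.group(2), m.group(3)))
    return rows

def confirmed_open(rows: list[ProtoResult]) -> list[ProtoResult]:
    """Protocols for which a reply was actually observed."""
    return [r for r in rows if r.state == "open"]

def undetermined(rows: list[ProtoResult]) -> list[ProtoResult]:
    """Rows that say nothing definite: no reply, so open or filtered."""
    return [r for r in rows if r.state == "open|filtered"]
```

On the quoted scan only ICMP and UDP are confirmed; the other seven rows are silence, not evidence of a service.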
Result from the ssh port:
Connecting to 22.214.171.124:38400… failed: Connection refused.
PASS WWW enabled INFO SSL enabled
http://www.dcleaks.com. | 126.96.36.199 | 38400
Nameservers point to THCServers Romania:
Note DATE of changes to Piradius.net nameserver:
“Last-Modified”: “Tue, 22 Mar 2016 15:10:38 GMT”,
Original Article Below:
dcleaks.com was claimed to be a Russian front by the Americans, a wikileaks front by Guccifer2.0, and a political front by themselves.
- They published leaks seemingly obtained by email phishing, from both Republicans and Democrats.
- Registered to its current IP on 19th April 2016; the name dates to 2010.
- dcleaks.com nameservers are in Romania. The original Guccifer is Romanian.
- In 2012 (also an election year) it was transferred 3 times but not activated.
- Edit: h/t Steve McIntyre: Registered 2012 to Ronald Vanyur, Huntington Beach, California.
- As was Electionleaks.com. Mr Vanyur’s ownership of both expired 2013. But both were re-registered April 2016 to new owners.
- Their 2016 activity corresponds well with the Russian Collusion narrative.
- In fact dcleaks.com 188.8.131.52 is a spam server and phishing setup in Malaysia
According to the US Intelligence Community, Guccifer2.0 was not the only hacker doing Putin’s bidding; they also fingered the website dcleaks.com (archived here) as an agent of Putin.
There does seem to have been an interaction of some sort between G2.0 and dcleaks. According to The Smoking Gun G2.0 provided them with a password to a secured part of dcleaks.com which contained files phished from Sarah Hamilton’s (a Clinton Volunteer) Gmail three months previously:
dcleaks itself is now offline, and the IP given by whois now links to what seems to be a phishing setup in Kuala Lumpur. Originally registered way back in December 2010, likely just a name registration without hosting. Then, if you notice, in 2012 (a US election year, folks!) it came back to life and changed name-servers three times. Was it planning leaks in the 2012 election? Were some of the leaks in the 2016 election from stuff they’d been working on for a while…?
It’s had many different name-servers, and the current registered user has been scrubbed by the whois servers. “PrivacyProtect.org” leads to “publicdomainregistry.com”, back to “PrivacyProtect.org”, back to … etc. Eventually, reading the small print, we find that publicdomainregistry.com is acting on behalf of thcservers.com in Romania, who take payment in bitcoins:
Somewhere along the line it was registered to “feehan.europe.com”, and has an obfuscated owner listed in most whois records as “Registry Domain ID: 2022687325_DOMAIN_COM-VRSN”
A quick scan reveals that various ports are open, including Apache servers and a MariaDB database, but it seems clear that the DCLeaks bird has flown the nest. The IP/port listed for ‘WWW’, 184.108.40.206 | 38400, rejects all connections even though both ‘WWW’ and SSL are enabled on it. The site renders on port 80 as previously, where you’ll find the screenshot above. To save you the time, I flicked through the publicly available files: all dull PHP files that a spam-phishing email server would need. No personal identifying data.
Notably: nothing Russian.
Via domainwhitepages.com we find a breakthrough: an alternative NS name for their email server. Searches on sites associated with
ns1.piradius.net & ns2.piradius.net
bring up a whole host of extremely dodgy phishing sites. Have a look at urlscan.io’s page on their AS. Every link is a phish trap. I think we may have found our guys. Or at least their mates.
They aren’t just targeting Hillary Clinton. They are targeting everyone:
My wife just got the text message come through saying she had £180 refund due and to click a link. It was under the same number Argos send her reservation numbers from. Luckily that’s my job IT Security. A lot of people will be caught. Please reshare https://t.co/Ff6eNFEcTH
— Ned (@GrumpyOldNed) January 31, 2018
We have Phishers. The Leaks on DCLeaks.com were from Phishing. Podesta Emails were from Phishing. Many of G2.0’s documents were from the Podesta Phishing trip. We have an organised group. We have people assuming they are Russians. What we don’t have is actual proof that they are Russians. They are more likely, in my opinion, to be simply criminal a-holes.
There are some obvious questions that remain:
- If Guccifer2.0 was in contact with these guys what is the connection between them, if any?
- Curious that the main dcleaks.com nameservers company is in Romania. The original Guccifer is Romanian.
- The CEO of the company that found “Russians” in the DNC servers ran agents in “the Netherlands, Romania, Ukraine and Estonia.” where he helped catch Guccifer1.0.
- Why was dcleaks not activated for the 2012 election?
- Were these phishers acting just for giggles, for cash, or on behalf of anyone?
- Why blame the Russians? CyberCaliphate attacks have originated in Malaysia (but no evidence to link the two here..)