Tuesday 21 May 2013

Off-sho.re and Darkode


In April I got DDoSed (lol, good luck taking down Google).
Nothing really serious on my site; temari.fr suffered a bit, and I grabbed a lot of weird referrers.
Fun thing: some of them pointed to winlocker panels such as Multi Locker 3 on 212.2.227.88 (and some other stuff I hacked the same day).
Brian Krebs recently did an article about his own DDoS: http://krebsonsecurity.com/2013/05/conversations-with-a-bulletproof-hoster/
And because I'm involved, many people asked me for explanations or sent me Brian's article by mail.
I've also been in contact with off-sho.re.
Not directly: I asked someone to talk to him and see where the conversation would go, as I was just intrigued by the prices off-sho.re can offer.
Here is the chat log:
Jorik  4/10/2013 6:36 PM
 sup

Off-sho.re Hosting  4/10/2013 6:36 PM
 Away message: Away

Jorik  4/10/2013 6:37 PM  
 Code: "STOPHAUS"

Off-sho.re Hosting  4/10/2013 6:42 PM 
 hello, your nickname on DK?            

Jorik  4/10/2013 6:43 PM 
 gofuck

Jorik  4/10/2013 9:20 PM 
 hi there now

Off-sho.re Hosting  4/10/2013 9:20 PM 
 hi

Off-sho.re Hosting  4/10/2013 9:20 PM 
 please name the domain you want

Jorik  4/10/2013 9:20 PM 
 so what do i need to give for domain reg

Jorik  4/10/2013 9:20 PM 
 ok wait

Off-sho.re Hosting  4/10/2013 9:20 PM 
 it's in the .ru zone

Jorik  4/10/2013 9:21 PM 
 .ru domains?

Jorik  4/10/2013 9:21 PM 
 ok

Jorik  4/10/2013 10:15 PM 
 madtrade.ru

Off-sho.re Hosting  4/10/2013 10:15 PM 
 Away message: Away

Jorik  4/10/2013 10:15 PM 
 or h4cky0u

Off-sho.re Hosting  4/10/2013 10:16 PM 
 and NS or IP?

Jorik  4/10/2013 10:16 PM 
 wait

Jorik  4/10/2013 10:16 PM 
 i will not get domain panel etc?

Jorik  4/10/2013 10:16 PM 
 to change ns/ip

Off-sho.re Hosting  4/10/2013 10:17 PM 
 no, it's a BP registrar

Off-sho.re Hosting  4/10/2013 10:17 PM 
 you can give me NS and manage the domain yourself

Jorik  4/10/2013 10:18 PM 
 ok ns2.he.net , ns3.he.net , ns4.he.net ns5.he.net

Jorik  4/10/2013 10:27 PM 
 also need to ask, if i buy hosting, how to configure it for tor site

Off-sho.re Hosting  4/10/2013 10:27 PM 
 done

Off-sho.re Hosting  4/10/2013 10:27 PM 
 i do that for you for free when you buy a server

Jorik  4/10/2013 10:27 PM 
 ok

Jorik  4/10/2013 10:28 PM 
 btw domain done and which one?

Off-sho.re Hosting  4/10/2013 10:28 PM 
 madtrade.ru

Jorik  4/10/2013 10:28 PM 
 ok

Jorik  4/10/2013 10:31 PM 
 price of server?

Off-sho.re Hosting  4/10/2013 10:31 PM 
 Away message: Away

Jorik  4/10/2013 10:31 PM 
 just need to run carding forum, blackmarket type

Off-sho.re Hosting  4/10/2013 10:32 PM 
 that is likely to get abuse

Off-sho.re Hosting  4/10/2013 10:33 PM 
 and what server specs do you look for?

Jorik  4/10/2013 10:33 PM  
 don't know, any kind of server or vps, just no logs and secure

Off-sho.re Hosting  4/10/2013 10:34 PM 
 my dedicated ones start from 100

Off-sho.re Hosting  4/10/2013 10:34 PM 
 that means the server is only yours and you can even encrypt the /var partition with your web data

Jorik  4/10/2013 10:35 PM 
 ah great, i'll contact you soon

Off-sho.re Hosting  4/10/2013 10:35 PM 
 great, thanks for contacting

Now about the madtrade.ru domain: the weird things come from the whois.
http://who.is/whois/madtrade.ru
Off-sho.re is probably selling his bulletproof domains via webnames.ru, and I don't think he's a reseller.
He just buys domains through his own webnames.ru account and sells them on by pointing them at the customer's nameservers.
He doesn't give the customer a domain panel or anything (see the chat: "you can give me NS and manage the domain yourself"), so he keeps the registrar account and can change the domain at any time.
For information, the webnames reseller list is available here: http://www.webnames.ru/en/scripts/resellers_list.pl
I was a little confused because domains registered with webnames don't show the reseller name, but off-sho.re's name is not in the reseller list, so he's likely not a reseller.
He probably also sells domains via naunet.ru.
Naunet is the current domain provider for darkode, and naunet is also famous for bulletproof domains.
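To make the whois check above repeatable, here is an added example (my own code, not something from the post or from off-sho.re/webnames) that parses a .ru-zone whois answer in the key/value layout the RU ccTLD whois returns and applies the two checks used above: which registrar ID holds the domain, and whether DNS is delegated to nameservers outside that registrar (the "customer gives NS, registrar account stays with the seller" pattern from the chat). The whois record, the registrar table and the nameserver-domain mapping are all constructed for the example; EXAMPLE-BP.RU is a made-up domain, not the real madtrade.ru record.

```python
import re

# Constructed sample of a .ru-zone whois answer in the layout the RU ccTLD
# whois service returns.  Every value is invented for this example; it is
# not the real record for madtrade.ru or any other domain.
SAMPLE_WHOIS = """\
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)

domain:        EXAMPLE-BP.RU
nserver:       ns2.he.net.
nserver:       ns3.he.net.
nserver:       ns4.he.net.
nserver:       ns5.he.net.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     WEBNAMES-RU
admin-contact: https://www.webnames.ru/scripts/whois.pl
created:       2013-04-10T18:17:00Z
paid-till:     2014-04-10T18:17:00Z
free-date:     2014-05-11
source:        TCI

Last updated on 2013-04-10T19:01:30Z
"""

# Registrar IDs the post names as used for bulletproof domains, mapped to the
# domain each registrar uses for its own nameservers (assumed for the example).
WATCHED_REGISTRARS = {
    "WEBNAMES-RU": "webnames.ru",
    "NAUNET-RU": "naunet.ru",
}

FIELD_RE = re.compile(r"^([a-z-]+):\s*(.*?)\s*$")


def parse_ru_whois(text):
    """Parse a key/value whois answer into {field: [values]}.

    Repeated keys (nserver) accumulate, '%' comment lines and free text
    without a key are ignored, and trailing dots on nameservers are dropped.
    """
    record = {}
    for line in text.splitlines():
        if not line or line.startswith("%"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "nserver":
            value = value.lower().rstrip(".")
        record.setdefault(key, []).append(value)
    return record


def parent_domain(host, levels=2):
    """ns2.he.net -> he.net; ns1.webnames.ru -> webnames.ru."""
    return ".".join(host.lower().split(".")[-levels:])


def triage(record):
    """Apply the checks from the post to a parsed record.

    Returns which registrar holds the domain, whether it is on the watch
    list, whether the domain is delegated, and whether DNS runs on
    nameservers outside the registrar (None if the registrar is unknown
    to us, so the comparison cannot be made).
    """
    registrar = record.get("registrar", [""])[0]
    states = {s.strip() for s in record.get("state", [""])[0].split(",")}
    nservers = record.get("nserver", [])
    ns_providers = sorted({parent_domain(ns) for ns in nservers})
    registrar_ns_domain = WATCHED_REGISTRARS.get(registrar)
    if registrar_ns_domain is None:
        third_party_dns = None
    else:
        third_party_dns = bool(nservers) and all(
            p != registrar_ns_domain for p in ns_providers
        )
    return {
        "domain": record.get("domain", [""])[0].lower(),
        "registrar": registrar,
        "registrar_watched": registrar in WATCHED_REGISTRARS,
        "delegated": "DELEGATED" in states,
        "ns_providers": ns_providers,
        "third_party_dns": third_party_dns,
    }


if __name__ == "__main__":
    for key, value in triage(parse_ru_whois(SAMPLE_WHOIS)).items():
        print(f"{key:20} {value}")
```

A hit on both `registrar_watched` and `third_party_dns` is exactly the madtrade.ru shape: the registrar account is somebody else's, the DNS is the customer's, and the customer has no panel. Whois alone cannot tell you who holds the account, so treat the flags as a reason to pull the reseller list and the registrar's abuse contact, not as proof.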

When 'gofuck' got the darkode domain suspended, they contacted naunet, and naunet contacted PDR (PublicDomainRegistry) and told them to unsuspend the domain:

Turnaround situation:

darkode 'suspended' NS:

Fun data: darkode belongs to briankrebson@gmail.com:

gofuck got their domain suspended by giving them screenshots of posts on darkode; the MyWOT scorecard also helped, according to him. (http://www.mywot.com/en/scorecard/darkode.com)

They have cleaned it up now: it was red before, and off-sho.re helped them get it into the yellow zone by providing fake ratings and such.
darkode got suspended on 15 April and they got it fixed on the 17th.


off-sho.re is also, obviously, listed on Spamhaus (http://www.spamhaus.org/sbl/query/SBL182932)
and is a member of the StopHaus project, but I don't need to explain that.
off-sho.re seems to use mainly the e-mail "admin@off-sho.re" as contact; a simple Google search will turn up a lot of information regarding whois and domain details.
You can even find his WebMoney, Liberty Reserve, e-mail addresses, ICQ, forum profiles, etc.
Some examples:
http://passport.webmoney.ru/asp/CertView.asp?wmid=180676440296
http://www.icq.com/people/10444/

Some whois:

Also, congrats on your level 2.

And about darkode, here we go...
hotcoffeecup@jaim.at Acidcoffee
s3x@neko.im specialist
Arcore@jabber.org Arcore
sana@thesecure.biz Sana
silic0n@jabber.org  Craig
split@thesecure.biz SpliT
ihack@thesecure.biz  hen
systro@jabber.org systro
mafioso@xmpp.jp Mafi
zer0day@xmpp.jp  zer0
c4rl0s@jabber.ru  Carlos
ipwn@cih.ms  ipwn
h0tsh0t@jodo.im h0tsh0t
jumbie@jabber.ru  Jumbie
off-sho.re@jabber.vc off-sho.re
x0x@jabba.biz nibo
bestkrypt@rkquery.de bestkrypt
elzig@exploit.im elzig
na@exploit.im specialist
m3gatr0n@jabber.ru  m3gatr0n
nassef@thesecure.biz  nassef
teardrop@swissjabber.ch  g0dlike
gamoonty@xmpp.jp yegor  (carder) new non accepted
mojitka@jabber.org  Mojikta
the_bond@jabber.org   thebond
rzor@jabber.org rzor
x47@xmpp.jp  x47
mrborisb@xmpp.jp borisb
RG.JR9@thesecure.biz J.P MORGAN
zigma@jabber.org zigma
propack@neko.im propack
dilibau@qip.ru dilibau
r3vproxy@jabber.org  r3vproxy
synthetic@exploit.im  synthetic
ling0@jabber.ru  K!NG
Here are some jabbers; of course this is just a small part, my listing is much longer than that.
And I don't see the point of releasing my lists of ICQ/jabber/LR/WMZ/aliases, etc.

For me, darkode is just another wannabe private forum I've exposed, and when I do a re-post like this, I don't do it because I care about the forum, but as an answer (in this case: to off-sho.re).
That will annoy some of the people listed here into creating new addresses, but who handed me the stick to beat them with?

And about bulletproof hosting, here is an old conversation between GrandHost and Nassef; maybe that can interest someone.

As usual there are a lot of things to say, but I will stop here.



6 comments:

  1. -Good Job Steven-
    I really like the first conversation that you provided. Keep it up, man.

  2. I was waiting for your revenge. A DDoS service on darkode? Thank God I'm not invited there. Great post as always.

    Reply:
    1. well, that's not really a revenge, just an answer

  3. Interesting stuff...

  4. Off topic, but can I ask, why do you like Temari? :L

  5. Can't read that last conversation. Picture is tiny. :(