RIPE Forum v1.4.1
Anti-Abuse Working Group
[anti-abuse-wg] DDoS-Guard, a dodgy Russian firm that also hosts the official site for the terrorist group Hamas

"*DDoS-Guard*, a dodgy Russian firm that also hosts the official site for the terrorist group *Hamas*"

https://krebsonsecurity.com/2021/01/hamas-may-be-threat-to-8chan-qanon-online/#more-53893

hamas.ps seems to be hosted on Sucuri ... a dodgy US based firm?

On Wed, Jan 13, 2021 at 10:12 AM PP <phishphucker _at_ storey _dot_ ovh> wrote:

> "*DDoS-Guard*, a dodgy Russian firm that also hosts the official site for
> the terrorist group *Hamas*"
>
> https://krebsonsecurity.com/2021/01/hamas-may-be-threat-to-8chan-qanon-online/#more-53893

In message ZbnDA0qZZGQ _at_ mail.gmail _dot_ com>, you wrote:

>hamas.ps seems to be hosted on Sucuri ... a dodgy US based firm?

According to data provided by Farsight Security, Inc. the site was formerly located at 190.115.18.139, which is indeed DDoS-Guard, up until 2020-11-12, and it was then moved to its current location, 192.124.249.13, which is indeed Sucuri.

----------------------------------------------------------
;; bailiwick: hamas.ps.
;; count: 70144
;; first seen: 2019-05-14 23:18:11 -0000
;; last seen: 2020-11-12 13:40:58 -0000
hamas.ps. IN A 190.115.18.139

;; bailiwick: hamas.ps.
;; count: 11017
;; first seen: 2020-11-12 13:45:02 -0000
;; last seen: 2021-01-12 14:21:11 -0000
hamas.ps. IN A 192.124.249.13
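
The passive DNS records quoted in the message above can be turned into a hosting timeline mechanically. The following is an added example, not part of the original message and not Farsight's tooling: it parses that text layout, orders the records by first-seen time and reports each change of A record. The function names are hypothetical.

```python
from datetime import datetime, timezone

# Passive DNS records exactly as quoted in the message above.
PDNS_TEXT = """\
;; bailiwick: hamas.ps.
;; count: 70144
;; first seen: 2019-05-14 23:18:11 -0000
;; last seen: 2020-11-12 13:40:58 -0000
hamas.ps. IN A 190.115.18.139

;; bailiwick: hamas.ps.
;; count: 11017
;; first seen: 2020-11-12 13:45:02 -0000
;; last seen: 2021-01-12 14:21:11 -0000
hamas.ps. IN A 192.124.249.13
"""

def _ts(value):
    # Timestamps are printed in UTC ("-0000"); parse date and time, attach UTC.
    return datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_pdns(text):
    """Return one dict per resource record, sorted by first-seen time."""
    records, meta = [], {}
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith(";;"):
            # ";; key: value" comment lines describe the record that follows.
            key, _, value = line[2:].partition(":")
            meta[key.strip()] = value.strip()
        else:
            name, _cls, rtype, rdata = line.split(None, 3)
            records.append({"name": name, "rtype": rtype, "rdata": rdata,
                            "count": int(meta["count"]),
                            "first_seen": _ts(meta["first seen"]),
                            "last_seen": _ts(meta["last seen"])})
            meta = {}
    return sorted(records, key=lambda r: r["first_seen"])

def hosting_moves(records):
    """Return (old_rdata, new_rdata, last_seen_old, first_seen_new, gap) per change."""
    moves = []
    for old, new in zip(records, records[1:]):
        if old["rdata"] != new["rdata"]:
            moves.append((old["rdata"], new["rdata"], old["last_seen"],
                          new["first_seen"], new["first_seen"] - old["last_seen"]))
    return moves

if __name__ == "__main__":
    for old, new, left, arrived, gap in hosting_moves(parse_pdns(PDNS_TEXT)):
        print(f"{old} -> {new}: last seen {left}, first seen {arrived}, gap {gap}")
```

A gap of only a few minutes between the last sighting of the old address and the first sighting of the new one is what a deliberate cut-over looks like in passive DNS, and it bounds when the move happened.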

Looks like Parler is now using them as well:

parler.com has address 190.115.31.151

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: anti-abuse-wg <anti-abuse-wg-bounces _at_ ripe _dot_ net> on behalf of Ronald F. Guilmette <rfg _at_ tristatelogic _dot_ com>
Date: Wednesday, 13 January 2021 at 02:59
To: Siyuan Miao <siyuan _at_ misaka _dot_ io>
Cc: anti-abuse-wg _at_ ripe _dot_ net <anti-abuse-wg _at_ ripe _dot_ net>
Subject: Re: [anti-abuse-wg] DDoS-Guard, a dodgy Russian firm that also hosts the official site for the terrorist group Hamas

In message ZbnDA0qZZGQ _at_ mail.gmail _dot_ com>, you wrote:

>hamas.ps seems to be hosted on Sucuri ... a dodgy US based firm?

According to data provided by Farsight Security, Inc. the site was formerly located at 190.115.18.139, which is indeed DDoS-Guard, up until 2020-11-12, and it was then moved to its current location, 192.124.249.13, which is indeed Sucuri.

----------------------------------------------------------
;; bailiwick: hamas.ps.
;; count: 70144
;; first seen: 2019-05-14 23:18:11 -0000
;; last seen: 2020-11-12 13:40:58 -0000
hamas.ps. IN A 190.115.18.139

;; bailiwick: hamas.ps.
;; count: 11017
;; first seen: 2020-11-12 13:45:02 -0000
;; last seen: 2021-01-12 14:21:11 -0000
hamas.ps. IN A 192.124.249.13

[image: image.png]

*Rui A. S. Esteves*

On Sun, Jan 17, 2021 at 2:17 PM Michele Neylon - Blacknight via anti-abuse-wg <anti-abuse-wg _at_ ripe _dot_ net> wrote:

> Looks like Parler is now using them as well:
>
> parler.com has address 190.115.31.151
>
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting, Colocation & Domains
> https://www.blacknight.com/
> https://blacknight.blog/
> Intl. +353 (0) 59 9183072
> Direct Dial: +353 (0)59 9183090
> Personal blog: https://michele.blog/
> Some thoughts: https://ceo.hosting/
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty
> Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
>
> *From: *anti-abuse-wg <anti-abuse-wg-bounces _at_ ripe _dot_ net> on behalf of
> Ronald F. Guilmette <rfg _at_ tristatelogic _dot_ com>
> *Date: *Wednesday, 13 January 2021 at 02:59
> *To: *Siyuan Miao <siyuan _at_ misaka _dot_ io>
> *Cc: *anti-abuse-wg _at_ ripe _dot_ net <anti-abuse-wg _at_ ripe _dot_ net>
> *Subject: *Re: [anti-abuse-wg] DDoS-Guard, a dodgy Russian firm that also
> hosts the official site for the terrorist group Hamas
>
> In message ZbnDA0qZZGQ _at_ mail.gmail _dot_ com>, you wrote:
>
> >hamas.ps seems to be hosted on Sucuri ... a dodgy US based firm?
>
> According to data provided by Farsight Security, Inc. the site was
> formerly located at 190.115.18.139, which is indeed DDoS-Guard,
> up until 2020-11-12, and it was then moved to its current location,
> 192.124.249.13, which is indeed Sucuri.
>
> ----------------------------------------------------------
> ;; bailiwick: hamas.ps.
> ;; count: 70144
> ;; first seen: 2019-05-14 23:18:11 -0000
> ;; last seen: 2020-11-12 13:40:58 -0000
> hamas.ps. IN A 190.115.18.139
>
> ;; bailiwick: hamas.ps.
> ;; count: 11017
> ;; first seen: 2020-11-12 13:45:02 -0000
> ;; last seen: 2021-01-12 14:21:11 -0000
> hamas.ps. IN A 192.124.249.13

In message ZbnDA0qZZGQ _at_ mail.gmail _dot_ com>, Siyuan Miao <siyuan _at_ misaka _dot_ io> wrote:

>hamas.ps seems to be hosted on Sucuri ... a dodgy US based firm?

I bitched about this to Sucuri. They ignored me for a few days but then kicked the site from their reverse proxy service and now it is back on a Russian network again:

# ORG: (RU) ORG-FG2-RIPE "OOO FREEnet Group"
#------------------------------------------------------------------------
193.233.15.207 hamas.ps

The entire 193.233.0.0/16 block is registered to this "FREEnet Group" thing, whose contact info includes this:

address: FREEnet NOC
address: Institute of Organic Chemistry RAS
address: 47, Leninsky prospect
address: 119991 GSP-1, Moscow
address: Russia

(I can only speculate that the Institute of Organic Chemistry is probably as good a source as any for DIY homemade rocket fuel formulas.)

Meanwhile the 193.233.15.0/24 sub-block is being routed by AS42745 aka "Safe Value Limited"... allegedly of the Seychelles Islands.

I'm a bit slow on the uptake, so if someone would be so kind as to explain to me again why RIPE is in the habit of giving out AS numbers to companies located in tax & corporate secrecy havens which are themselves located in the Indian Ocean, I'd appreciate it.

Well, anyway, this outfit does have a very impressive web site. :-)

http://safevalue.pro/

Regards,
rfg

Peace,

On Thu, Jan 21, 2021, 10:39 AM Ronald F. Guilmette <rfg _at_ tristatelogic _dot_ com> wrote:

> now it is back
> on a Russian network again:
>
> # ORG: (RU) ORG-FG2-RIPE "OOO FREEnet Group"

Ronald, as you correctly mention later in the message, the 15.0/24 block was probably leased away _long_ ago (as we assume that a research institute hardly needs /16 IPv4 to operate).

> Meanwhile the 193.233.15.0/24 sub-block is being routed by AS42745
> aka "Safe Value Limited"

The only provider for the latter being Voxility Inc., California, USA.

https://radar.qrator.net/as42745/providers#startDate=2020-10-21&endDate=2021-01-21&tab=current

I guess you'd need to repeat your feat once again, now again with an American company :-)

--
Töma

Peace,

On Thu, Jan 21, 2021, 11:07 AM Töma Gavrichenkov <ximaera _at_ gmail _dot_ com> wrote:

>> Meanwhile the 193.233.15.0/24 sub-block is being routed by AS42745
>> aka "Safe Value Limited"
>
> The only provider for the latter being Voxility Inc., California, USA.
>
> https://radar.qrator.net/as42745/providers#startDate=2020-10-21&endDate=2021-01-21&tab=current

Correcting myself: on second thought, the AS in question also maintains a complicated relationship with Stormwall s.r.o. (Slovakia) and may also get Internet access from there.

https://radar.qrator.net/as42745/unspecified#startDate=2020-10-21&endDate=2021-01-21&tab=current

--
Töma