‘All too often arrogance accompanies strength, and we must never assume that justice is on the side of the strong. The use of power must always be accompanied by moral choice.’  – Theodore Bikel

As most of us are aware, Lulzsec’s webserver (www.lulzsecurity.com) is protected by CloudFlare, and as such when you do a WHOIS, the IP you see as the endpoint is 199.27.134.62, which is assigned by CloudFlare, and not the actual IP of the server. On a side note: I am sure BTW that CloudFlare are enjoying the free yet dubious publicity and advertising they garner from Lulzsec using them to hide behind.

So it came to my attention that if you input www.lulzsecurity.com into your browser it redirects to lulzsecurity.com (without the www) – this led me to do some digging, and here is what I found. They are on two different IPs – if not physical boxes – and the DNS records held by Lulzsec’s CloudFlare account do the work of separating the 2 out.

After a little more digging I found that the 2 actual IP addresses hiding behind CloudFlare are as follows:

www.lulzsecurity.com (with www – redirects to lulzsecurity.com)

THIS REDIRECTS WITH A 302 TO THE SERVER BELOW.

Actual IP address: 204.197.240.133

Netblock registered to: PrivateSystems Networks 518 Kimberton Road PMB 355 Phoenixville PA US 19460

It’s running Apache/2.2.3 under CentOS and was moved to CloudFlare on the 5-Jun-2011

Here’s the port scan:

25/tcp    filtered  smtp
53/tcp    open      domain
80/tcp    open      http
443/tcp   open      https
465/tcp   filtered  smtps
587/tcp   filtered  submission
2200/tcp  open      unknown
3306/tcp  open      mysql
6667/tcp  filtered  irc

lulzsecurity.com (without the www)

THIS IS THE ACTUAL SERVER HOSTING THEIR SITE.

Actual IP address: 111.90.139.155

Netblock registered to: PIRADIUS-NET

It’s running Nginx/1.0.4 under Linux and was also moved to CloudFlare on the 5-Jun-2011

ALL PORTS FILTERED – which stands to reason.

If I am correct – you can expect to see some downtime at http://www.lulzsecurity.com while they scurry around chasing their tails to change host and update their Cloudflare DNS settings before ‘someone’ hits them hard.

Peace.

Tickety Tock Tock.

J

UPDATE 06/26/11

3 hours after this post was ummm – posted, Lulzsec announced their ‘disbandment’ and said farewell – even tho only hours previously they were hyping up their big release on Monday and will be ‘delivering lulz all calendar year round’.

At the same time…

the truly doxed ‘leader’ of lulzsec (SABU aka @anonymousabu) forgot about his personal domain ‘PRVT.ORG’ and the fact that it was due for renewal. It auto-renewed anyway, but the domain privacy didn’t – and Abu was too busy trolling the trolls trolling him to remember.

The connection between Sabu and PRVT.ORG is already widely documented:

http://www.google.com/search?q=sabu+prvt.org

Here’s the new WHOIS as of yesterday.

http://t.co/fDZIrtw

and here’s a pastebin just in case: http://t.co/1lmFj0d

And a dump:


Nuff Said. See you next time.
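An added example, not part of the original post: a check a domain owner could run against their own WHOIS output to catch the failure described above, where the registration auto-renews but the privacy service does not. The marker list, the sample records and the function names are assumptions constructed for illustration.

```python
# Assumed, non-exhaustive markers that privacy/proxy services put in contact fields.
PROXY_MARKERS = ("proxy", "private", "privacy", "redacted", "whoisguard")
ROLES = ("Registrant", "Admin", "Tech")

def parse_whois(text):
    """Parse 'Key:Value' WHOIS lines into {key: [values]}; empty values are dropped."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return record

def audit_privacy(text):
    """Flag contact roles in which no field carries a privacy-service marker."""
    record = parse_whois(text)
    exposed = []
    for role in ROLES:
        fields = [v[0] for k, v in record.items() if k.startswith(role + " ")]
        proxied = any(m in f.lower() for f in fields for m in PROXY_MARKERS)
        if fields and not proxied:
            exposed.append(role)
    statuses = [s.upper() for s in record.get("Status", [])]
    return {
        "domain": record.get("Domain Name", ["?"])[0],
        "exposed_roles": exposed,
        "in_autorenew_period": "AUTORENEWPERIOD" in statuses,
        "alert": bool(exposed),
    }

# Constructed sample: renewal went through, privacy lapsed on two contacts.
SAMPLE_LAPSED = """Domain Name:EXAMPLE.ORG
Status:CLIENT TRANSFER PROHIBITED
Status:AUTORENEWPERIOD
Registrant Name:Jane Doe
Registrant Street1:1 Example Street
Registrant Email:jane@example.net
Admin Name:Jane Doe
Admin Email:jane@example.net
Tech Name:Registration Private
Tech Email:EXAMPLE.ORG@domainsbyproxy.com
Name Server:
"""

# Constructed sample: every contact still points at the privacy service.
SAMPLE_PROXIED = """Domain Name:EXAMPLE.ORG
Status:CLIENT TRANSFER PROHIBITED
Registrant Name:Registration Private
Admin Name:Registration Private
Tech Name:Registration Private
"""
```

Feeding the function the daily output of a WHOIS lookup for your own domains and alerting when `alert` turns true catches a lapse before anyone else reads the record.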
