‘All too often arrogance accompanies strength, and we must never assume that justice is on the side of the strong. The use of power must always be accompanied by moral choice.’ – Theodore Bikel
As most of us are aware, Lulzsec’s webserver (www.lulzsecurity.com) is protected by CloudFlare, and as such when you do a WHOIS the IP you see, 184.108.40.206, is the endpoint assigned by CloudFlare and not the actual IP of the server. On a side note: I am sure, BTW, that CloudFlare are enjoying the free yet dubious publicity and advertising they garner from Lulzsec using them to hide behind.
So it came to my attention that if you input www.lulzsecurity.com into your browser it redirects to lulzsecurity.com (without the www) – this led me to do some digging, and here is what I found. They are on two different IPs – if not physical boxes – and the DNS records held by Lulzsec’s CloudFlare account do the work of separating the 2 out.
After a little more digging I found that the 2 actual IP addresses hiding behind CloudFlare are as follows:
www.lulzsecurity.com (with www – redirects to lulzsecurity.com)
THIS REDIRECTS WITH A 302 TO THE SERVER BELOW.
Actual IP address: 220.127.116.11
Netblock registered to: PrivateSystems Networks 518 Kimberton Road PMB 355 Phoenixville PA US 19460
It’s running Apache/2.2.3 under CentOS and was moved to CloudFlare on 5-Jun-2011.
Here’s the port scan:
25/tcp filtered smtp
53/tcp open domain
80/tcp open http
443/tcp open https
465/tcp filtered smtps
587/tcp filtered submission
2200/tcp open unknown
3306/tcp open mysql
6667/tcp filtered irc
lulzsecurity.com (without the www)
THIS IS THE ACTUAL SERVER HOSTING THEIR SITE.
Actual IP address: 18.104.22.168
Netblock registered to: PIRADIUS-NET
It’s running Nginx/1.0.4 under Linux and was also moved to CloudFlare on 5-Jun-2011.
ALL PORTS FILTERED – which stands to reason.
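The split described above (a www name that answers with the origin address and 302s to a proxied apex) is exactly the misconfiguration a site owner should be checking for on their own zone. The following is an added example, not code from the post: a small audit that takes a snapshot of a zone’s A/AAAA answers, the HTTP redirect map between its hostnames, and the CDN’s proxy prefixes, and reports every hostname that exposes an origin address either directly or by redirecting to a name that does. The hostnames, addresses (documentation ranges) and redirect map are constructed for the example, and the CDN prefixes are stand-ins; a real audit would load the provider’s current published list.

```python
"""Audit a DNS zone for hostnames that bypass the CDN proxy (added example)."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed stand-in for the CDN provider's published proxy prefixes.
# Documentation ranges are used here so the example runs offline.
CDN_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:c0::/48")]

# Constructed zone snapshot (hostname -> resolved A/AAAA answers), modelled on
# the finding above: the www name answers with the origin address while the
# apex is proxied.
ZONE_RECORDS: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.10"],
    "example.com": ["198.51.100.5", "2001:db8:c0::5"],
    "static.example.com": ["198.51.100.9"],
    "mail.example.com": ["203.0.113.25"],
}

# Constructed redirect map: hostname -> hostname its HTTP 302 points at.
REDIRECTS: Dict[str, str] = {
    "static.example.com": "www.example.com",
    "www.example.com": "example.com",
}


def is_proxied(addr: str, prefixes: Iterable = CDN_PREFIXES) -> bool:
    """True if addr falls inside one of the CDN's proxy prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def unproxied_addresses(host: str, records: Dict[str, List[str]],
                        prefixes: Iterable = CDN_PREFIXES) -> List[str]:
    """Answers for host that are not behind the CDN (empty if fully proxied)."""
    return [a for a in records.get(host, []) if not is_proxied(a, prefixes)]


def redirect_chain(host: str, redirects: Dict[str, str]) -> List[str]:
    """Hostnames reached by following redirects from host, stopping on a loop."""
    chain: List[str] = []
    seen = {host}
    cur = host
    while cur in redirects:
        cur = redirects[cur]
        if cur in seen:
            break
        seen.add(cur)
        chain.append(cur)
    return chain


def audit_zone(records: Dict[str, List[str]], redirects: Dict[str, str],
               prefixes: Iterable = CDN_PREFIXES) -> Dict[str, List[str]]:
    """Return {hostname: [reasons]} for every name that exposes an origin
    address, either directly or through a redirect to a name that does."""
    findings: Dict[str, List[str]] = {}
    for host in records:
        reasons: List[str] = []
        for a in unproxied_addresses(host, records, prefixes):
            reasons.append(f"resolves to {a}, outside the CDN ranges")
        for hop in redirect_chain(host, redirects):
            for a in unproxied_addresses(hop, records, prefixes):
                reasons.append(f"redirects to {hop}, which resolves to {a}")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(audit_zone(ZONE_RECORDS, REDIRECTS).items()):
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed snapshot, the audit flags www.example.com (answers with 203.0.113.10), static.example.com (proxied itself, but its redirect lands on the exposed www name) and mail.example.com, while the apex passes. The same prefix list should also drive the origin host’s ingress allowlist, so that ports 80/443 accept connections only from the CDN and everything else is filtered, which is the state the page observes on the apex host.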
If I am correct – you can expect to see some downtime at http://www.lulzsecurity.com while they scurry around chasing their tails to change host and update their Cloudflare DNS settings before ‘someone’ hits them hard.
Tickety Tock Tock.
3 hours after this post was ummm – posted, Lulzsec announced their ‘disbandment’ and said farewell – even though only hours previously they were hyping up their big release on Monday and would be ‘delivering lulz all calendar year round’.
At the same time…
the truly doxed ‘leader’ of lulzsec (SABU aka @anonymousabu) forgot about his personal domain ‘PRVT.ORG’ and the fact that it was due for renewal. It auto-renewed anyway, but the domain privacy didn’t – and Abu was too busy trolling the trolls trolling him to remember.
The connection between Sabu and PRVT.ORG is already widely documented:
Here’s the new WHOIS as of yesterday.
and here’s a pastebin just in case: http://t.co/1lmFj0d
And a dump:
Created On:25-Jun-2002 16:38:43 UTC
Last Updated On:26-Jun-2011 01:23:02 UTC
Expiration Date:25-Jun-2012 16:43:58 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant Name:hector monsegur
Registrant Street1:90 avenue d #f
Registrant City:new york
Registrant Postal Code:10009
Registrant Phone Ext.:
Registrant FAX Ext.:
Registrant Email:[email protected]
Admin Name:hector monsegur
Admin Street1:90 avenue d #f
Admin City:new york
Admin Postal Code:10009
Admin Phone Ext.:
Admin FAX Ext.:
Admin Email:[email protected]
Tech Name:hector monsegur
Tech Street1:90 avenue d #f
Tech City:new york
Tech Postal Code:10009
Tech Phone Ext.:
Tech FAX Ext.:
Tech Email:[email protected]
Nuff Said. See you next time.