It was mentioned in "Block Akamai and Google" that a new generation of Cyber Bolsheviks, who settled in the USA in the 1970s, is doing some nasty stuff using the USA as their hacking base, because of the chronic inability of the USA police force to confront them and restore RULE of LAW in the USA.
In this post I will illustrate their hacking activities in Europe using the basic Linux networking tools netstat, traceroute, dig and whois. My analysis may help other Internet users (both in Europe and the USA) identify, block and report hackers to the Police.
In late May 2018 I decided to upload new pictures from the High Energy Physics Conference in Rome in 2017, where I first presented my "Motley String" theory. To do that I logged into my ISP and then started the upload of my new picture. A couple of minutes later I suspected that the upload was taking too long and decided to check my Internet connections (in a new console tab) using my favorite netstat command:
The result was VERY interesting! Instead of connections to my ISP, there was ONLY a connection to the IP 54.93.71.192. The next thing I did was to check the strange IP using the whois utility. The result was EVEN MORE interesting:
$ whois 54.93.71.192
getaddrinfo(whois.arin.net): Name or service not known
Sometimes hackers (e.g. from IANA.org and VERISIGN.com, as you'll see below) use IPv6 protocol addresses, for which whois cannot provide any data. In that case one can use the dig -x command and get the hacker's domain name first!
$ dig -x 2a00:1450:400f:80d
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -x 2a00:1450:400f:80d
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20107
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;2a00:1450:400f:80d.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
in-addr.arpa. 3600 IN SOA b.in-addr-servers.arpa. nstld.iana.org.
We can also use the very helpful Linux/Unix tool dig with the "-i" argument for IPv6 reverse lookups, in case of sophisticated hacker attacks!
$ dig -i verisign-grs.com
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -i verisign-grs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 837
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;verisign-grs.com. IN A
;; AUTHORITY SECTION:
verisign-grs.com. 10702 IN SOA av1.nstld.com. mdnshelp.verisign.com. 1522086425 300 7200 1209600 86400
Now we can get the IP range for the Verisign hacker:
$ whois 72.13.63.55
CIDR: 72.13.32.0/19
NetName: VRSNNETBLK-1
And the IP range for the IANA.org hacker:
$ whois 192.0.43.8
CIDR: 192.0.32.0/20
NetName: ICANN
Basically, the hackers attacking my PC stopped the whois service on their network, so I could not see on which network they are located. They also tried using IPv6 protocol addresses to confuse me.
That is actually a typical sign of a serious hacking attempt.
But for every nasty hacker there is a smart Linux/UNIX developer knowledgeable about *NIX networking tools!
One of the most useful networking tools on Linux/Unix is traceroute. It lets you see how IP packets travel across networks and thus identify ALL the routers and networks that IP packets go through on their way to your PC.
So the next thing I do is trace that nasty IP:
$ traceroute 54.93.71.192
traceroute to 54.93.71.192 (54.93.71.192), 30 hops max, 60 byte packets
1 homerouter.cpe (192.168.8.1) 0.434 ms 0.776 ms 0.718 ms
2
3
4
5
6
7 avk6-vpe-3.bundle-ether2s15.tele2.net (130.244.71.98) 3110.886 ms 3145.918 ms
8 avk6-vpe-4.bundle-ether1.tele2.net (130.244.71.225) 3152.802 ms 3170.759 ms 3186.711 ms
9 hgd-core-1.bundle-ether70.tele2.net (130.244.71.222) 3212.738 ms 3230.664 ms 3251.632 ms
10 hgd-peer-1.et-6-1-0-unit0.tele2.net (130.244.195.17) 3270.679 ms 3283.736 ms 3305.713 ms
11 52.95.218.172 (52.95.218.172) 3326.458 ms 3355.599 ms 3379.510 ms
12 52.93.2.48 (52.93.2.48) 3440.514 ms 52.93.2.112 (52.93.2.112) 3460.507 ms 52.93.2.96 (52.93.2.96) 102.830 ms
13 52.93.2.139 (52.93.2.139) 91.510 ms 52.93.2.107 (52.93.2.107) 134.104 ms 52.93.2.157 (52.93.2.157) 256.331 ms
14 54.239.43.24 (54.239.43.24) 360.309 ms 54.239.43.26 (54.239.43.26) 360.298 ms 360.257 ms
15 54.239.106.86 (54.239.106.86) 360.222 ms 54.239.106.40 (54.239.106.40) 360.176 ms 54.239.106.18 (54.239.106.18) 374.726 ms
16 54.239.106.143 (54.239.106.143) 407.727 ms 54.239.106.59 (54.239.106.59) 427.550 ms 54.239.106.141 (54.239.106.141) 442.583 ms
As you can see from the output above, my mobile operator is Tele2, a super speedy 4G Swedish operator, active not only in Sweden but in several other European countries, including Holland and Russia! And packets coming to my PC from the nasty IP come through the IP address 54.239.106.32. So I check who that may be, using the same whois tool as before:
$ whois 54.239.106.32
CIDR: 54.224.0.0/12
NetName: AMAZON-2011L
OrgName: Amazon Technologies Inc.
OrgId: AT-88-Z
Address: 410 Terry Ave N.
City: Seattle
StateProv: WA
And because the hacker could NOT stop the whois service on ALL the computers his packets pass through on their way to my box, I can see that he is actually sitting on the Amazon Technologies Inc. network with the name AMAZON-2011L and CIDR 54.224.0.0/12. Which is EXACTLY what I need to know!
My next step after identifying the hacker is to BLOCK him/her from connecting to my box!
As I described in the Akamai article, I do it best by using the Linux/Unix iptables tool.
In a new console tab, I switch user (su) to the Linux/Unix superuser (the prompt changes from $ to #) and edit the /etc/init.d/networking configuration file, appending two new IP rules for the kernel: one for incoming IP connections from the Amazon hacking network, and another for outgoing connections to their network, in case they have already installed spyware on my box!
#Amazon
iptables -A INPUT -s 54.224.0.0/12 -j DROP
# outgoing connections TO the range are matched on the destination (-d), not the source
iptables -A OUTPUT -d 54.224.0.0/12 -j DROP
#VERISIGN
iptables -A INPUT -s 72.13.32.0/19 -j DROP
iptables -A OUTPUT -d 72.13.32.0/19 -j DROP
# iptables-save prints the current rule set to stdout; redirect it to a file to keep it
iptables-save
iptables -L
After that I restart my network services with the # /etc/init.d/networking restart command!
After rebooting my Linux PC and starting the Firefox browser, I see the following in the netstat -tapecn output:
tcp 0 1 192.168.1.100:53095 50.112.136.93:443 SYN_SENT 1000 22952 4002/firefox-esr
tcp 0 1 192.168.1.100:58888 212.247.20.35:80 SYN_SENT 1000 24741 4002/firefox-esr
tcp 0 1 192.168.1.100:53538 171.64.78.27:80 SYN_SENT 1000 18354 4002/firefox-esr
tcp 0 1 192.168.1.100:38258 212.247.20.26:80 SYN_SENT 1000 23965 4002/firefox-esr
tcp 0 1 192.168.1.100:56736 172.217.20.46:443 SYN_SENT 1000 22946 4002/firefox-esr
tcp 0 1 192.168.1.100:53091 50.112.136.93:443 SYN_SENT 1000 18356 4002/firefox-esr
tcp 0 1 192.168.1.100:60007 54.69.184.117:443 SYN_SENT 1000 18366 4002/firefox-esr
tcp 0 1 192.168.1.100:41756 172.217.22.174:443 SYN_SENT 1000 23973 4002/firefox-esr
tcp 0 1 192.168.1.100:53536 171.64.78.27:80 SYN_SENT 1000 18352 4002/firefox-esr
tcp 0 1 192.168.1.100:51750 216.58.211.138:443 SYN_SENT 1000 18355 4002/firefox-esr
tcp 0 1 192.168.1.100:51754 216.58.211.138:443 SYN_SENT 1000 22951 4002/firefox-esr
tcp 0 1 192.168.1.100:53531 171.64.78.27:80 SYN_SENT 1000 22945 4002/firefox-esr
tcp 0 1 192.168.1.100:38278 212.247.20.26:80 SYN_SENT 1000 22954 4002/firefox-esr
tcp 0 1 192.168.1.100:41748 172.217.22.174:443 SYN_SENT 1000 18353 4002/firefox-esr
tcp 0 1 192.168.1.100:53533 171.64.78.27:80 SYN_SENT 1000 22947 4002/firefox-esr
tcp 0 1 192.168.1.100:57635 216.58.207.234:443 SYN_SENT 1000 22948 4002/firefox-esr
tcp 0 1 192.168.1.100:60008 54.69.184.117:443 SYN_SENT 1000 22953 4002/firefox-esr
tcp 0 1 192.168.1.100:39322 54.148.92.105:443 SYN_SENT 1000 22949 4002/firefox-esr
As you can see in the netstat output, those nasty Akamai (212.247.20.35), IANA (171.64.78.27), Google (172.217.20.46), Amazon (50.112.136.93) and Verisign hacker connections to my box are GONE!
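The netstat check described in this post, done in a repeatable way: an added example (not code from the original post) that parses `netstat -tapecn` output and flags every peer that falls inside one of the ranges identified above. The block list, the sample lines (modelled on the output above) and the function names are assumptions constructed for this example.

```python
import ipaddress

# Ranges identified in the post (assumption: the reader's chosen block list).
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "54.224.0.0/12",   # AMAZON-2011L, whois 54.239.106.32
    "72.13.32.0/19",   # VRSNNETBLK-1, whois 72.13.63.55
    "192.0.32.0/20",   # ICANN, whois 192.0.43.8
    "50.112.0.0/16",   # "deny from 50.112" in the Amazon list below
    "54.64.0.0/13",    # "deny from 54.64.0.0/13" in the Amazon list below
)]

# Constructed sample modelled on the `netstat -tapecn` lines above.
# Columns: Proto Recv-Q Send-Q Local Foreign State User Inode PID/Program
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 12345 678/sshd
tcp 0 1 192.168.1.100:53095 50.112.136.93:443 SYN_SENT 1000 22952 4002/firefox-esr
tcp 0 1 192.168.1.100:58888 212.247.20.35:80 SYN_SENT 1000 24741 4002/firefox-esr
tcp 0 0 192.168.1.100:41756 172.217.22.174:443 ESTABLISHED 1000 23973 4002/firefox-esr
tcp 0 1 192.168.1.100:60007 54.69.184.117:443 SYN_SENT 1000 18366 4002/firefox-esr
"""

def parse_netstat(text):
    """Yield (peer_ip, peer_port, state, program) per connected socket.
    Listening sockets (foreign *:*) are skipped; with -n, IPv6 peers are
    printed without brackets, so the port is split off at the last colon."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].startswith(("tcp", "udp")):
            continue
        peer, port = f[4].rsplit(":", 1)
        if port == "*":
            continue
        yield ipaddress.ip_address(peer), int(port), f[5], f[8]

def audit(text, ranges=BLOCKED_RANGES):
    """One (peer, port, state, program, matched_range) tuple per connection;
    matched_range is None when the peer falls in no listed range."""
    report = []
    for peer, port, state, prog in parse_netstat(text):
        hit = next((str(r) for r in ranges if peer in r), None)
        report.append((str(peer), port, state, prog, hit))
    return report

if __name__ == "__main__":
    # SYN_SENT with Send-Q 1 is an outgoing attempt that has not been answered,
    # which is what a DROP rule on outgoing traffic to that peer looks like.
    for peer, port, state, prog, hit in audit(SAMPLE_NETSTAT):
        flag = f"in blocked range {hit}" if hit else "not in list"
        print(f"{prog:18} {peer}:{port:<5} {state:11} {flag}")
```

Pipe live output into it with `netstat -tapecn | python3 audit.py` after replacing `SAMPLE_NETSTAT` with `sys.stdin.read()`.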
Now I can relax a bit and upload files to my web site fast and reliably!
You will find the New Cyber Bolsheviks gang leaders' (aka Google) IP ranges on the Droid-calendar page of my site.
MONITORING your network connections with netstat is the KEY element of best Internet security practice!
Readers of my Droid-calendar page are already familiar with Google Android's NON-stoppable services and user data "extractions" and "synchronizations" with NSA/CIA databases and Facebook profiles, which CRIMINALS later use for many different scenarios: from selling their "goodies" to potential customers to influencing USA elections, as the Facebook and Analytica scandal demonstrated recently!
All this means that the Bloody Satanic Bolsheviks have already taken over the USA and are now preparing an American version of 1917 in Russia and RED TERROR for North Americans (most importantly in the USA and Canada).
Dear fellow North Americans! Your freedoms and democracy are in GREAT DANGER!
Get United and Never give up your ARMS and RIGHTS and FREEDOMS!!!
RED DEVIL is knocking on your door!
Summary:
The Cyber version of the Bolshevik VIRUS includes NOT ONLY Google, Microsoft and AKAMAI but also several other major companies working closely with them: Amazon Technologies is the MOST active in hacking European sites, and they have a HUGE number of IPs allocated in different parts of the world.
When the Bolsheviks International establish their base in a new country, they quickly turn it into a CRIME ZONE where there is NO LAW and the police are not doing what they are supposed to do!
Post-Soviet Russia is ONE major example. Now pretty much the same thing is happening in the USA.
The Bolshevik VIRUS MOSTLY infects RICH and prosperous countries, and then SUCKS and destroys them.
Here is a list of some of their IP ranges that I came across in the process of blocking their numerous hacking attempts!
#AMAZON-NRT,JP
deny from 52.192.0.0/15
#Amazon-ICN,KR
deny from 13.124
#Amazo-ZFRA,Muenchen
deny from 3.120.0.0/14
deny from 35.156.0.0/14
#AmazonTechnologies,WA
deny from 18.128.0.0/9
deny from 18.218
deny from 18.233
deny from 18.188
deny from 54.240.0.0/12
deny from 18.215
deny from 18.216.0.0/15
deny from 50.16.0.0/14
deny from 54.192.0.0/12
deny from 18.228
deny from 18.219
deny from 18.220.0.0/14
deny from 18.224.0.0/14
deny from 54.193
deny from 54.80.0.0/12
deny from 54.72.0.0/13
deny from 54.198
deny from 13.56.0.0/14
deny from 13.52.0.0/14
deny from 50.112
deny from 107.20.0.0/14
deny from 34.192.0.0/10
deny from 52.88.0.0/13
deny from 52.84.0.0/14
deny from 54.200.0.0/14
deny from 35.160.0.0/13
deny from 72.21.192.0/19
deny from 54.64.0.0/13
deny from 52.192.0.0/11
deny from 54.216.0.0/14
deny from 54.208.0.0/13
deny from 54.220.0.0/15
deny from 54.240.0.0/12
deny from 54.210.0.0/15
deny from 52.8.249
deny from 54.68.185
deny from 54.224.0.0/12
deny from 54.79
deny from 54.242.0.0/15
deny from 184.72.0.0/15
deny from 54.160.0.0/12
deny from 52.0.0.0/11
deny from 52.64.0.0/12
deny from 23.20.0.0/14
deny from 52.32.0.0/11
deny from 54.144.0.0/12
deny from 54.80.0.0/12
deny from 54.72.0.0/13
deny from 54.176.0.0/12
Another company closely connected to the Google and Amazon Bolsheviks is OVH, which is also VERY active in hacking and has a large number of IPs located in different parts of France, Canada, the USA and the UK.
#OVH,Roubaix
deny from 137.74
deny from 213.251.128.0/18
deny from 79.137.0.0/17
deny from 149.202
deny from 164.132
deny from 51.254.0.0/15
deny from 149.202
deny from 92.222
deny from 37.187
deny from 5.135
deny from 5.196
deny from 151.80
deny from 188.165
#OVH, Paris,London,NY
deny from 87.98.128.0/17
deny from 193.70.0.0/17
deny from 91.134
deny from 176.31
#via Romania/Ireland!
deny from 151.80
deny from 46.105
deny from 91.121
deny from 94.23
deny from 37.59
deny from 188.165
deny from 178.32.0.0/15
deny from 5.39.0.0/17
deny from 37.59.97
deny from 92.222
Some of the major Internet hacking and sniffing CRIMINALS are working at Hetzner Online AG.
They are BASED in Germany, but have MANY offices in Europe, including Russia (where they operate as mydedicated.ru) and South Africa/Cape Town, and on one occasion (after being identified) they changed their IP range to the HUGE AMPRNET, Amateur Radio Digital Net (44.0.0.0/8)!!!
Judging by their WIDESPREAD locations (from Cape Town to Germany to Russia to ...), it is a CORE member of the Bolsheviks International CRIMINAL GANG!
Below is a list of (some of) their IP ranges:
#Hetzner Attacker found! :-)
iptables -A INPUT -s 88.99.232.0/16 -j DROP
#Hetzner ranges in Europe
iptables -A INPUT -s 195.201.0.0/16 -j DROP
iptables -A INPUT -s 144.76.0.0/16 -j DROP
iptables -A INPUT -s 213.133.96.0/20 -j DROP
iptables -A INPUT -s 94.130.0.0/16 -j DROP
iptables -A INPUT -s 178.63.0.0/16 -j DROP
iptables -A INPUT -s 138.201.0.0/16 -j DROP
iptables -A INPUT -s 88.99.0.0/16 -j DROP
iptables -A INPUT -s 213.239.192.0/18 -j DROP
iptables -A INPUT -s 136.243.0.0/16 -j DROP
iptables -A INPUT -s 5.9.0.0/16 -j DROP
iptables -A INPUT -s 88.198.0.0/16 -j DROP
iptables -A INPUT -s 78.46.0.0/15 -j DROP
iptables -A INPUT -s 144.76.0.0/16 -j DROP
iptables -A INPUT -s 148.251.0.0/16 -j DROP
iptables -A INPUT -s 176.9.0.0/16 -j DROP
iptables -A INPUT -s 5.9.31.0/24 -j DROP
iptables -A INPUT -s 196.40.97.0/24 -j DROP
iptables -A INPUT -s 196.22.142.0/24 -j DROP
#FI,helsinki
iptables -A INPUT -s 95.216.0.0/16 -j DROP
#Hetzner in Russia: mydedicated.ru
iptables -A INPUT -s 46.4.0.0/16 -j DROP
iptables -A INPUT -s 188.40.0.0/16 -j DROP
#HETZNER,CapeTown,ZA
iptables -A INPUT -s 129.232.128.0/17 -j DROP
iptables -A INPUT -s 197.221.0.0/18 -j DROP
iptables -A INPUT -s 197.221.10.0/23 -j DROP
iptables -A INPUT -s 96.22.132.0/24 -j DROP
#HETZNER changed name and CIDR to AMPRNET, Amateur Radio Digital Net!
iptables -A INPUT -s 44.0.0.0/8 -j DROP
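The range lists above use several notations (Apache-style "deny from" lines with bare prefixes such as 13.124, full CIDRs, and CIDRs whose host bits are not zero such as 88.99.232.0/16), and the iptables step earlier in the post needs one INPUT and one OUTPUT rule per range. This added example (not code from the original post) normalizes all of those into proper networks, drops duplicates, and emits the rule pairs; the sample list and the function names are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed sample mixing the notations used in this post: full CIDRs,
# Apache-style "deny from" lines with bare prefixes (50.112 means 50.112.0.0/16)
# and a CIDR whose host bits are not zero (88.99.232.0/16 is the /16 88.99.0.0).
SAMPLE_LIST = """\
#AmazonTechnologies,WA
deny from 54.224.0.0/12
deny from 50.112
deny from 52.8.249
#Hetzner Attacker found! :-)
iptables -A INPUT -s 88.99.232.0/16 -j DROP
iptables -A INPUT -s 72.13.32.0/19 -j DROP
deny from 72.13.32.0/19
"""
RANGE_RE = re.compile(r"^(?:deny from|iptables .*?-s)\s+(\S+)")

def to_network(token):
    """Bare dotted prefix: pad with zero octets, 8 prefix bits per octet given.
    CIDR: accept as is, masking off non-zero host bits (strict=False)."""
    if "/" in token:
        return ipaddress.ip_network(token, strict=False)
    octets = token.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad prefix: {token}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def parse_ranges(text):
    """Every range in the list, de-duplicated, overlapping/adjacent ones merged."""
    nets = set()
    for line in text.splitlines():
        m = RANGE_RE.match(line.strip())
        if m:
            nets.add(to_network(m.group(1)))
    return sorted(ipaddress.collapse_addresses(nets))

def iptables_rules(nets):
    """INPUT matches traffic *from* the range (-s); OUTPUT matches traffic *to*
    it (-d). An -s match on OUTPUT never fires: outgoing packets carry the
    local address as source."""
    rules = []
    for n in nets:
        rules.append(f"iptables -A INPUT -s {n} -j DROP")
        rules.append(f"iptables -A OUTPUT -d {n} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(iptables_rules(parse_ranges(SAMPLE_LIST))))
```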
All of the above, as well as the previously documented attempts by Google to "sniff" private information from WiFi networks in Germany without permission:
The Economist: Google's Wi-Fi-scanning travails
The Guardian: Google admits collecting Wi-Fi data through Street View cars, and cheating on customers using Safari browser cookies (see my Blog item here), make me think that the recommendations in my article "Block Akamai and Google" are correct.
Technologies change, but the Bolsheviks' genes are still the same and will always try to achieve the same paranoid goals as previous generations of the VIRUS, this time using CYBER space.
The best way to deal with Bolsheviks hacking is by sharing this information across the Internet, EXPOSING their criminal activities and methods, and reporting them to the Police!
One beautiful day the Police in the USA and/or in Europe will come to the offices of Amazon Technologies, OVH, Hetzner, etc., run another simple Linux/Unix command from inside their network and identify the hackers by NAME!
$ nslookup 54.93.71.192
and finally send those silly humanoids behind bars!
YOUR awareness, positive attitude and basic Linux/Unix skills may play a crucial role in dismantling Bolsheviks criminal networks around the globe, with God's help!
Let's start working on it!
Source: http://www.matveev.se/net/catchAmazonHacker.htm