It was mentioned in "Block Akamai and Google" that a new generation of Cyber Bolsheviks, who settled in the USA in the 1970s, is doing some nasty stuff using the USA as their hacking base, because of the chronic inability of the USA police force to confront them and restore RULE of LAW in the USA.
In this post I will illustrate their hacking activities in Europe using the basic Linux networking tools netstat, traceroute, dig and whois. My analysis may help other Internet users (both in Europe and the USA) identify, block and report hackers to the Police.
In late May 2018 I decided to upload new pictures from the High Energy Physics Conference in Rome in 2017, where I first presented my "Motley String" theory. To do that I logged into my ISP and then started the upload of my new picture. A couple of minutes later I suspected that the upload was taking too long and decided to check my Internet connections (in a new console tab) using my favorite netstat command: $ netstat -tapecn
The result was VERY interesting! Instead of connections to my ISP, there was ONLY a connection to the IP 22.214.171.124. The next thing I did was to check the strange IP using the whois utility. The new result was EVEN MORE interesting:
Sometimes hackers (e.g. from IANA.org and VERISIGN.com, as you'll see below) use IPv6 protocol addresses. In that case one can use the dig -x command and get the hacker's domain name first!
$ whois 126.96.36.199
getaddrinfo(whois.arin.net): Name or service not known

$ dig -x 2a00:1450:400f:80d

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -x 2a00:1450:400f:80d
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20107
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2a00:1450:400f:80d.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
in-addr.arpa. 3600 IN SOA b.in-addr-servers.arpa. nstld.iana.org.
We can also use the very helpful Linux/Unix tool dig with the "-i" argument for IPv6 reverse lookups, in case of sophisticated hacker attacks!
$ dig -i verisign-grs.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -i verisign-grs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 837
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;verisign-grs.com. IN A

;; AUTHORITY SECTION:
verisign-grs.com. 10702 IN SOA av1.nstld.com. mdnshelp.verisign.com. 1522086425 300 7200 1209600 86400
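A reverse lookup only works when the query name is formed correctly. dig -x expects a complete address; 2a00:1450:400f:80d is a prefix (four of eight groups and no "::"), so dig treated it as a hostname, appended in-addr.arpa and got NXDOMAIN, exactly as the transcript above shows. The Python script below is an added example and not code from the original post: it builds the PTR name dig -x would send (in-addr.arpa for IPv4, ip6.arpa for IPv6), rejects incomplete addresses, and parses dig's HEADER, flags and QUESTION lines so a script can tell NOERROR from NXDOMAIN. The transcript embedded in it is constructed from the dig -x output shown above, with the SOA serial and timers left out as they are on the page.

```python
import ipaddress
import re


def reverse_name(addr: str) -> str:
    """Build the PTR query name that dig -x sends for a complete IPv4/IPv6 address.

    IPv4 -> reversed octets under in-addr.arpa.; IPv6 -> reversed nibbles under
    ip6.arpa. A bare prefix such as '2a00:1450:400f:80d' is rejected with
    ValueError because it is not a full address.
    """
    ip = ipaddress.ip_address(addr)
    return ip.reverse_pointer + "."


def ptr_query_for(addr: str) -> tuple:
    """Return ('ptr', name) for a usable address, or ('incomplete', None) when the
    string is only a prefix; dig -x silently treats the latter as a hostname and
    appends in-addr.arpa, which is what produced the NXDOMAIN in the post."""
    try:
        return ("ptr", reverse_name(addr))
    except ValueError:
        return ("incomplete", None)


# dig prints status/id in the HEADER line, the section counts in the flags line
# and the query name in the QUESTION section; these patterns pick each one out.
_HEADER = re.compile(r"status:\s*(\w+),\s*id:\s*(\d+)")
_COUNTS = re.compile(
    r"QUERY:\s*(\d+),\s*ANSWER:\s*(\d+),\s*AUTHORITY:\s*(\d+),\s*ADDITIONAL:\s*(\d+)"
)
_QUESTION = re.compile(r"^;([^;\s]\S*)\s+IN\s+(\w+)\s*$", re.MULTILINE)


def parse_dig(output: str) -> dict:
    """Reduce a dig transcript to the fields a monitoring script cares about."""
    header = _HEADER.search(output)
    counts = _COUNTS.search(output)
    question = _QUESTION.search(output)
    if not (header and counts and question):
        raise ValueError("not a dig transcript")
    return {
        "status": header.group(1),          # NOERROR, NXDOMAIN, SERVFAIL, ...
        "id": int(header.group(2)),
        "answer": int(counts.group(2)),     # 0 answers + NXDOMAIN = no PTR record
        "authority": int(counts.group(3)),
        "qname": question.group(1),
        "qtype": question.group(2),
    }


# Constructed transcript, copied from the dig -x output shown in the post
# (the SOA serial and timers are left out, as they are in the post).
DIG_OUTPUT = """\
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -x 2a00:1450:400f:80d
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20107
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2a00:1450:400f:80d.in-addr.arpa.   IN  PTR

;; AUTHORITY SECTION:
in-addr.arpa.  3600  IN  SOA  b.in-addr-servers.arpa. nstld.iana.org.
"""

if __name__ == "__main__":
    print(parse_dig(DIG_OUTPUT))
    for candidate in ("2a00:1450:400f:80d", "2001:db8::1", "192.0.2.1"):
        print(candidate, "->", ptr_query_for(candidate))
```

Run against the real thing, feed it the output of dig -x for the full address taken from netstat; the qname it reports should end in ip6.arpa for IPv6, and an in-addr.arpa name for something that looks like IPv6 is the sign that the address passed to dig was not complete.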
Now we can ping their domain and get the IP range for the Verisign hacker:
And the IP range for the IANA.org hacker:
$ whois 188.8.131.52
CIDR: 184.108.40.206/20
NetName: ICANN
Basically, the hacker attacking my PC stopped the whois service on his network, and I could not see on which network they are located. They also tried using IPv6 protocol addresses to confuse me.
That is actually a typical sign of a serious hacking attempt.
But for every nasty hacker there is a smart Linux/UNIX developer knowledgeable about *NIX networking tools!
One of the most useful networking tools on Linux/Unix is traceroute. It lets you see how IP packets travel across networks and thus identify ALL routers and networks that IP packets pass through on their way to your PC.
So the next thing I do is trace that nasty IP:
$ traceroute 220.127.116.11
traceroute to 18.104.22.168 (22.214.171.124), 30 hops max, 60 byte packets
 1  homerouter.cpe (192.168.8.1)  0.434 ms  0.776 ms  0.718 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * avk6-vpe-3.bundle-ether2s15.tele2.net (126.96.36.199)  3110.886 ms  3145.918 ms
 8  avk6-vpe-4.bundle-ether1.tele2.net (188.8.131.52)  3152.802 ms  3170.759 ms  3186.711 ms
 9  hgd-core-1.bundle-ether70.tele2.net (184.108.40.206)  3212.738 ms  3230.664 ms  3251.632 ms
10  hgd-peer-1.et-6-1-0-unit0.tele2.net (220.127.116.11)  3270.679 ms  3283.736 ms  3305.713 ms
11  18.104.22.168 (22.214.171.124)  3326.458 ms  3355.599 ms  3379.510 ms
12  126.96.36.199 (188.8.131.52)  3440.514 ms 184.108.40.206 (220.127.116.11)  3460.507 ms 18.104.22.168 (22.214.171.124)  102.830 ms
13  126.96.36.199 (188.8.131.52)  91.510 ms 184.108.40.206 (220.127.116.11)  134.104 ms 18.104.22.168 (22.214.171.124)  256.331 ms
14  126.96.36.199 (188.8.131.52)  360.309 ms 184.108.40.206 (220.127.116.11)  360.298 ms  360.257 ms
15  18.104.22.168 (22.214.171.124)  360.222 ms 126.96.36.199 (188.8.131.52)  360.176 ms 184.108.40.206 (220.127.116.11)  374.726 ms
16  18.104.22.168 (22.214.171.124)  407.727 ms 126.96.36.199 (188.8.131.52)  427.550 ms 184.108.40.206 (220.127.116.11)  442.583 ms
...
As you can see from the output above, my mobile operator is Tele2, a super-speedy 4G Swedish operator, active not only in Sweden but in several other European countries, including Holland and Russia.
We also see that packets coming to my PC from the nasty IP pass through the IP address 18.104.22.168.
So I check who that may be, using the same whois tool as before:
$ whois 22.214.171.124
CIDR: 126.96.36.199/12
NetName: AMAZON-2011L
OrgName: Amazon Technologies Inc.
OrgId: AT-88-Z
Address: 410 Terry Ave N.
City: Seattle
StateProv: WA
And because the hacker could NOT stop the whois service on ALL the computers his packets pass through on their way to my box, I can see that he is actually sitting on the Amazon Technologies Inc. network, with name AMAZON-2011L and CIDR 188.8.131.52/12.
Which is EXACTLY what I need to know!
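Reading a traceroute by eye gets harder once hops answer from several addresses at once (load-balanced paths, as hops 12 to 16 above do) or only with asterisks. The Python script below is an added example, not code from the original post: it parses traceroute output into hops, keeps every distinct address each hop answered from, counts timeouts, picks out the last responding hop before the target (the network the packets entered the target from, which is the hop the whois check above was run on), and labels each address with a known prefix. The transcript inside it is constructed with RFC 5737 documentation addresses and reserved example.net names, and the prefix labels are placeholders standing in for whois results, not the post's ranges.

```python
import ipaddress
import re

_BANNER = re.compile(r"^traceroute to \S+ \(([0-9a-fA-F.:]+)\)", re.MULTILINE)
_HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
_PROBE = re.compile(r"(\S+)\s+\(([0-9a-fA-F.:]+)\)")   # 'name (address)' per responding probe


def parse_target(text: str) -> str:
    """Address traceroute resolved the target to, from the banner line."""
    m = _BANNER.search(text)
    if not m:
        raise ValueError("no traceroute banner found")
    return m.group(1)


def parse_traceroute(text: str):
    """Return [(hop, [(name, ip), ...], timeouts)], keeping every distinct address a
    hop answered from (load-balanced paths answer from several) and counting '*'."""
    hops = []
    for line in text.splitlines():
        m = _HOP.match(line)
        if not m:
            continue                                   # banner line
        hop, rest = int(m.group(1)), m.group(2)
        seen = []
        for name, ip in _PROBE.findall(rest):
            if (name, ip) not in seen:                 # repeated probes, same router
                seen.append((name, ip))
        hops.append((hop, seen, rest.count("*")))
    return hops


def last_hop_before(hops, target: str):
    """The last responding hop before the target itself answers, i.e. the network
    the packets entered the target from. None if the target never appears."""
    prev = None
    for hop, seen, _ in hops:
        if any(ip == target for _, ip in seen):
            return prev
        if seen:
            prev = (hop, [ip for _, ip in seen])
    return None


def label_path(hops, prefixes):
    """Label every responding address with the known prefix that contains it."""
    nets = [(label, ipaddress.ip_network(cidr, strict=False)) for cidr, label in prefixes.items()]
    labelled = []
    for hop, seen, _ in hops:
        if not seen:
            labelled.append((hop, None, "timeout"))
            continue
        for _, ip in seen:
            addr = ipaddress.ip_address(ip)
            label = next((l for l, n in nets if n.version == addr.version and addr in n), "unknown")
            labelled.append((hop, ip, label))
    return labelled


def summarize(text: str, prefixes):
    hops = parse_traceroute(text)
    target = parse_target(text)
    path = label_path(hops, prefixes)
    networks = []
    for _, _, label in path:
        if label != "timeout" and label not in networks:
            networks.append(label)                     # order of first appearance
    return {
        "target": target,
        "hops": len(hops),
        "timeouts": sum(t for _, _, t in hops),
        "last_before_target": last_hop_before(hops, target),
        "networks": networks,
        "path": path,
    }


# Constructed transcript in traceroute's output layout (RFC 5737 addresses);
# the prefix labels are placeholders standing in for whois results.
TRACE_SAMPLE = """\
traceroute to 203.0.113.9 (203.0.113.9), 30 hops max, 60 byte packets
 1  homerouter.cpe (192.168.8.1)  0.434 ms  0.776 ms  0.718 ms
 2  * * *
 3  * * *
 4  * core-1.example.net (198.51.100.1)  12.1 ms  12.4 ms
 5  peer-1.example.net (198.51.100.2)  13.0 ms  13.2 ms  13.5 ms
 6  192.0.2.10 (192.0.2.10)  20.1 ms 192.0.2.11 (192.0.2.11)  20.3 ms 192.0.2.12 (192.0.2.12)  20.5 ms
 7  192.0.2.20 (192.0.2.20)  21.0 ms  21.2 ms 192.0.2.21 (192.0.2.21)  21.4 ms
 8  203.0.113.9 (203.0.113.9)  25.0 ms  25.1 ms  25.3 ms
"""
PREFIXES = {
    "192.168.0.0/16": "home LAN",
    "198.51.100.0/24": "ISP (placeholder)",
    "192.0.2.0/24": "transit provider (placeholder)",
    "203.0.113.0/24": "target network (placeholder)",
}

if __name__ == "__main__":
    s = summarize(TRACE_SAMPLE, PREFIXES)
    print("target", s["target"], "reached via hop", s["last_before_target"])
    print("networks crossed:", " -> ".join(s["networks"]))
```

When a hop lists two or three addresses, each of them is a candidate for the whois check; the script keeps all of them instead of only the first, so none of the upstream networks is missed.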
My next step, after identifying the hacker, is to BLOCK him/her from connecting to my box!
As I described in the Akamai article, I do this best using the Linux/Unix iptables tool.
In a new console tab I switch user (su) to the Linux/Unix superuser (the prompt changes from $ to #) and edit the /etc/init.d/networking configuration file, appending two new IP rules for the kernel: one for incoming IP connections from the Amazon hacking network, and another for possible outgoing connections to their network, in case they have already installed spyware on my box!
#Amazon
iptables -A INPUT -s 184.108.40.206/12 -j DROP
# outgoing connections to their network: match on the destination (-d), not the source
iptables -A OUTPUT -d 220.127.116.11/12 -j DROP
#VERISIGN
iptables -A INPUT -s 18.104.22.168/19 -j DROP
iptables -A OUTPUT -d 22.214.171.124/19 -j DROP
# iptables-save prints the current ruleset to stdout; redirect it to a file to keep a copy
iptables-save
iptables -L
After that I restart my network services with the # /etc/init.d/networking restart command, or simply reboot my box.
After rebooting my Linux PC and starting the Firefox browser I see the following in the netstat -tapecn output:
tcp 0 1 192.168.1.100:53095 126.96.36.199:443 SYN_SENT 1000 22952 4002/firefox-esr
tcp 0 1 192.168.1.100:58888 188.8.131.52:80 SYN_SENT 1000 24741 4002/firefox-esr
tcp 0 1 192.168.1.100:53538 184.108.40.206:80 SYN_SENT 1000 18354 4002/firefox-esr
tcp 0 1 192.168.1.100:38258 220.127.116.11:80 SYN_SENT 1000 23965 4002/firefox-esr
tcp 0 1 192.168.1.100:56736 18.104.22.168:443 SYN_SENT 1000 22946 4002/firefox-esr
tcp 0 1 192.168.1.100:53091 22.214.171.124:443 SYN_SENT 1000 18356 4002/firefox-esr
tcp 0 1 192.168.1.100:60007 126.96.36.199:443 SYN_SENT 1000 18366 4002/firefox-esr
tcp 0 1 192.168.1.100:41756 188.8.131.52:443 SYN_SENT 1000 23973 4002/firefox-esr
tcp 0 1 192.168.1.100:53536 184.108.40.206:80 SYN_SENT 1000 18352 4002/firefox-esr
tcp 0 1 192.168.1.100:51750 220.127.116.11:443 SYN_SENT 1000 18355 4002/firefox-esr
tcp 0 1 192.168.1.100:51754 18.104.22.168:443 SYN_SENT 1000 22951 4002/firefox-esr
tcp 0 1 192.168.1.100:53531 22.214.171.124:80 SYN_SENT 1000 22945 4002/firefox-esr
tcp 0 1 192.168.1.100:38278 126.96.36.199:80 SYN_SENT 1000 22954 4002/firefox-esr
tcp 0 1 192.168.1.100:41748 188.8.131.52:443 SYN_SENT 1000 18353 4002/firefox-esr
tcp 0 1 192.168.1.100:53533 184.108.40.206:80 SYN_SENT 1000 22947 4002/firefox-esr
tcp 0 1 192.168.1.100:57635 220.127.116.11:443 SYN_SENT 1000 22948 4002/firefox-esr
tcp 0 1 192.168.1.100:60008 18.104.22.168:443 SYN_SENT 1000 22953 4002/firefox-esr
tcp 0 1 192.168.1.100:39322 22.214.171.124:443 SYN_SENT 1000 22949 4002/firefox-esr
Now I can relax a bit and upload files to my web site fast and reliably!
You will find the New Cyber Bolsheviks gang leaders' (aka Google) IP ranges on the Droid-calendar page of my site.
MONITORING your network connections with netstat is the KEY element of best Internet security practice!
Readers of my Droid-calendar page are already familiar with Google Android's NON-stoppable services and user data "extractions" and "synchronizations" with NSA/CIA databases and Facebook profiles, which CRIMINALS later use for many different scenarios: from selling their "goodies" to potential customers to influencing USA elections, as the Facebook and Analytica scandal demonstrated recently!
All this means that the Bloody Satanic Bolsheviks have already taken over the USA and are now preparing an American version of Russia's 1917 and RED TERROR for North Americans (most importantly in the USA and Canada).
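The netstat output above is what a blocked peer looks like from the inside: every Firefox socket sits in SYN_SENT, because the SYN left the box and nothing ever came back, instead of reaching ESTABLISHED. A small monitor that parses netstat -tapecn, groups connections by program and state, and checks every peer against a deny list keeps this check running without reading the table by hand. The Python script below is an added example and not code from the post: the netstat lines inside it are constructed with RFC 5737 documentation addresses, and the deny list is a placeholder rather than the post's ranges. It also emits the matching iptables rules; note that on INPUT the peer is the source of the packet (-s), while on OUTPUT it is the destination (-d), since packets leaving your own machine never carry the peer's address as their source.

```python
import ipaddress
from collections import Counter, defaultdict
from typing import NamedTuple


class Conn(NamedTuple):
    proto: str
    local: str
    lport: str
    remote: str
    rport: str
    state: str
    uid: str
    pid: str
    program: str


def _split_endpoint(endpoint: str):
    """'203.0.113.10:443' -> ('203.0.113.10', '443'); ':::*' -> ('::', '*')."""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("::ffff:"):      # IPv4-mapped IPv6, as tcp6 sockets show it
        host = host[len("::ffff:"):]
    return host, port


def parse_netstat(text: str):
    """Parse the TCP lines of `netstat -tapecn` (-e adds the User and Inode columns)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].startswith("tcp"):
            continue                     # banner, column header, blank line
        proto, _recvq, _sendq, local, remote, state, uid, _inode, pidprog = parts[:9]
        pid, _, program = pidprog.partition("/")   # '-' when not run as root
        lhost, lport = _split_endpoint(local)
        rhost, rport = _split_endpoint(remote)
        conns.append(Conn(proto, lhost, lport, rhost, rport, state, uid, pid, program))
    return conns


def flag_connections(conns, denylist):
    """Pair each connection whose peer lies in a deny-listed network with that network."""
    nets = [ipaddress.ip_network(c, strict=False) for c in denylist]
    flagged = []
    for c in conns:
        try:
            peer = ipaddress.ip_address(c.remote)
        except ValueError:
            continue                     # '*' on listening sockets
        if peer.is_unspecified:
            continue                     # 0.0.0.0 / :: have no peer either
        hit = next((n for n in nets if n.version == peer.version and peer in n), None)
        if hit is not None:
            flagged.append((c, hit))
    return flagged


def state_summary(conns):
    """Per-program count of socket states; a program stuck in SYN_SENT is not
    getting replies, which is what a DROP on the peer looks like from this side."""
    out = defaultdict(Counter)
    for c in conns:
        out[c.program or "-"][c.state] += 1
    return {prog: dict(states) for prog, states in out.items()}


def iptables_rules(networks):
    """Block both directions: the peer is the source on INPUT, the destination on OUTPUT."""
    rules = []
    for n in networks:
        tool = "ip6tables" if n.version == 6 else "iptables"
        rules.append(f"{tool} -A INPUT -s {n} -j DROP")
        rules.append(f"{tool} -A OUTPUT -d {n} -j DROP")
    return rules


def report(netstat_text: str, denylist):
    conns = parse_netstat(netstat_text)
    flagged = flag_connections(conns, denylist)
    hit_nets = sorted({net for _, net in flagged},
                      key=lambda n: (n.version, int(n.network_address)))
    return {
        "connections": len(conns),
        "states": state_summary(conns),
        "flagged": [(c.program, c.pid, c.remote, c.rport, c.state, str(net)) for c, net in flagged],
        "rules": iptables_rules(hit_nets),
    }


# Constructed sample in `netstat -tapecn` layout, using RFC 5737 documentation
# addresses; the deny list is a placeholder, not the ranges from the post.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          11111      700/sshd
tcp        0      1 192.168.1.100:53095     203.0.113.10:443        SYN_SENT    1000       22952      4002/firefox-esr
tcp        0      1 192.168.1.100:58888     203.0.113.11:80         SYN_SENT    1000       24741      4002/firefox-esr
tcp        0      0 192.168.1.100:41200     198.51.100.5:443        ESTABLISHED 1000       22960      4002/firefox-esr
tcp        0      0 192.168.1.100:39000     192.0.2.77:443          ESTABLISHED 1000       30001      4100/python3
tcp6       0      0 :::443                  :::*                    LISTEN      0          12000      900/apache2
"""
DENYLIST = ["203.0.113.0/24", "192.0.2.0/24"]

if __name__ == "__main__":
    result = report(NETSTAT_SAMPLE, DENYLIST)
    print(result["states"])
    for row in result["flagged"]:
        print("flagged:", row)
    print("\n".join(result["rules"]))
```

Pipe live output into it with netstat -tapecn | python3 monitor.py (reading sys.stdin in place of the sample) and run it under watch to get the continuous monitoring the paragraph above recommends; the per-program state counts make a burst of SYN_SENT or a new program with outbound ESTABLISHED sockets stand out immediately.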
Dear fellow North Americans! Your freedoms and democracy are in GREAT DANGER!
Get United and Never give up your ARMS and RIGHTS and FREEDOMS!!!
RED DEVIL is knocking on your door!
The cyber version of the Bolshevik VIRUS includes NOT ONLY Google, Microsoft and AKAMAI but several other major companies working closely with them: Amazon Technologies is THE MOST active in hacking European sites, and they have a HUGE number of IPs allocated in different parts of the world.
When the Bolsheviks International establishes its base in a new country, they quickly turn it into a CRIME ZONE where there is NO LAW and the police are not doing what they are supposed to do!
Post-Soviet Russia is ONE major example. Now pretty much the same thing is happening in the USA.
The Bolshevik VIRUS MOSTLY infects RICH and prosperous countries, and then SUCKS and destroys them.
Here is a list of some of their IP ranges that I came across in the process of blocking their numerous hacking attempts!
#AMAZON-EU-AWS, Dublin, IE, new range!
deny from 126.96.36.199/18
#AMAZON-NRT,JP
deny from 188.8.131.52/15
#Amazon-ICN,KR
deny from 13.124
#Amazon-ZFRA,Muenchen
deny from 184.108.40.206/14
deny from 220.127.116.11/14
#AmazonTechnologies,WA, new Huge IP ranges below!
deny from 18.104.22.168/15
deny from 22.214.171.124/17
deny from 126.96.36.199/18
deny from 188.8.131.52/16
deny from 184.108.40.206/17
deny from 220.127.116.11/14
deny from 18.104.22.168/15
deny from 22.214.171.124/13
deny from 126.96.36.199/9
deny from 18.218
deny from 18.233
deny from 18.188
deny from 188.8.131.52/12
deny from 18.215
deny from 184.108.40.206/15
deny from 220.127.116.11/14
deny from 18.104.22.168/12
deny from 18.228
deny from 18.219
deny from 22.214.171.124/14
deny from 126.96.36.199/14
deny from 54.193
deny from 188.8.131.52/12
deny from 184.108.40.206/13
deny from 54.198
deny from 220.127.116.11/14
deny from 18.104.22.168/14
deny from 50.112
deny from 22.214.171.124/14
deny from 126.96.36.199/10
deny from 188.8.131.52/13
deny from 184.108.40.206/14
deny from 220.127.116.11/14
deny from 18.104.22.168/13
deny from 22.214.171.124/19
deny from 126.96.36.199/13
deny from 188.8.131.52/11
deny from 184.108.40.206/14
deny from 220.127.116.11/13
deny from 18.104.22.168/15
deny from 22.214.171.124/12
deny from 126.96.36.199/15
deny from 52.8.249
deny from 54.68.185
deny from 188.8.131.52/12
deny from 54.79
deny from 184.108.40.206/15
deny from 220.127.116.11/15
deny from 18.104.22.168/12
deny from 22.214.171.124/11
deny from 126.96.36.199/12
deny from 188.8.131.52/14
deny from 184.108.40.206/11
deny from 220.127.116.11/12
deny from 18.104.22.168/12
deny from 22.214.171.124/13
deny from 126.96.36.199/12
One company closely related to Amazon is called Cloudflare, Inc. They are based in San Francisco, but recently acquired a huge IP range in Denmark, hiding there as digitaladvisor.dk:
$ whois 188.8.131.52
CIDR: 184.108.40.206/12 (new IP range in Denmark!)
NetName: CLOUDFLARENET
OrgName: Cloudflare, Inc.
OrgId: CLOUD14
Address: 101 Townsend Street
City: San Francisco
StateProv: CA
You may see them connecting to your PC without invitation, like most Bolshevik gangsters do!
What is interesting here is that the Bolsheviks from the USA seem to be celebrating Christmas in their own VERY SPECIAL WAY: by purchasing new HUGE IP ranges in the European Union (Ireland, Denmark, Germany, etc.) and using them for sniffing, hacking etc.!
The European Commission, European police forces and the Open Source community need to keep those Bolshevik "activities" under close control and disrupt their networks as needed!
Another company closely connected to the Google and Amazon Bolsheviks is OVH, which is also VERY active in hacking and has a large number of IPs located in different parts of France, Canada, the USA and the UK.
#OVH,Roubaix
deny from 137.74
deny from 220.127.116.11/18
deny from 18.104.22.168/17
deny from 149.202
deny from 164.132
deny from 22.214.171.124/15
deny from 149.202
deny from 92.222
deny from 37.187
deny from 5.135
deny from 5.196
deny from 151.80
deny from 188.165
#OVH, Paris,London,NY
deny from 126.96.36.199/17
deny from 188.8.131.52/17
deny from 91.134
deny from 176.31
#via Romania/Ireland!
deny from 151.80
deny from 46.105
deny from 91.121
deny from 94.23
deny from 37.59
deny from 188.165
deny from 184.108.40.206/15
deny from 220.127.116.11/17
deny from 37.59.97
deny from 92.222
Some of the major Internet hacking and sniffing CRIMINALS are working at Hetzner Online AG.
They are BASED in Germany, but have MANY offices in Europe, including Russia (where they operate as mydedicated.ru) and South Africa (Cape Town), and on one occasion (after being identified) they changed their IP range to the HUGE AMPRNET, Amateur Radio Digital Net (18.104.22.168/8)!!!
Judging by their WIDESPREAD locations (from Cape Town to Germany to Russia to ...), it is a CORE member of the Bolsheviks International CRIMINAL GANG!
Below is a list of (some of) their IP ranges:
#Hetzner Attacker found! :-)
iptables -A INPUT -s 22.214.171.124/16 -j DROP
#Hetzner ranges in Europe
iptables -A INPUT -s 126.96.36.199/16 -j DROP
iptables -A INPUT -s 188.8.131.52/16 -j DROP
iptables -A INPUT -s 184.108.40.206/20 -j DROP
iptables -A INPUT -s 220.127.116.11/16 -j DROP
iptables -A INPUT -s 18.104.22.168/16 -j DROP
iptables -A INPUT -s 22.214.171.124/16 -j DROP
iptables -A INPUT -s 126.96.36.199/16 -j DROP
iptables -A INPUT -s 188.8.131.52/18 -j DROP
iptables -A INPUT -s 184.108.40.206/16 -j DROP
iptables -A INPUT -s 220.127.116.11/16 -j DROP
iptables -A INPUT -s 18.104.22.168/16 -j DROP
iptables -A INPUT -s 22.214.171.124/15 -j DROP
iptables -A INPUT -s 126.96.36.199/16 -j DROP
iptables -A INPUT -s 188.8.131.52/16 -j DROP
iptables -A INPUT -s 184.108.40.206/16 -j DROP
iptables -A INPUT -s 220.127.116.11/24 -j DROP
iptables -A INPUT -s 18.104.22.168/24 -j DROP
iptables -A INPUT -s 22.214.171.124/24 -j DROP
#FI,helsinki
iptables -A INPUT -s 126.96.36.199/16 -j DROP
#Hetzner in Russia: mydedicated.ru
iptables -A INPUT -s 188.8.131.52/16 -j DROP
iptables -A INPUT -s 184.108.40.206/16 -j DROP
#HETZNER,CapeTown,ZA
iptables -A INPUT -s 220.127.116.11/17 -j DROP
iptables -A INPUT -s 18.104.22.168/18 -j DROP
iptables -A INPUT -s 22.214.171.124/23 -j DROP
iptables -A INPUT -s 126.96.36.199/24 -j DROP
#HETZNER changed name and CIDR to AMPRNET, Amateur Radio Digital Net!
iptables -A INPUT -s 188.8.131.52/8 -j DROP
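The Amazon, OVH and Hetzner lists above mix two notations: Apache "deny from" lines, where a partial dotted address such as 13.124 means every address starting with those octets (the same thing as 13.124.0.0/16), and iptables rules with explicit CIDRs. Lists maintained by hand also accumulate exact duplicates (149.202, 151.80 and 188.165 each appear twice in the OVH list) and entries already covered by a wider prefix, and some of the hand-written CIDRs have host bits set, which a strict parser rejects. The Python script below is an added example, not the post's own code, serving both the Apache-style and the iptables-style lists: it reads either format, converts partial addresses to CIDR, collapses overlapping and adjacent prefixes with ipaddress.collapse_addresses, reports which entries were redundant, and emits one clean set of iptables rules. The sample list inside it is constructed with documentation prefixes, not the post's ranges.

```python
import ipaddress
import re

_DENY = re.compile(r"^\s*deny\s+from\s+(\S+)", re.IGNORECASE)   # Apache 2.2 mod_authz_host
_IPT = re.compile(r"^\s*ip6?tables\s+.*\s-s\s+(\S+)")            # iptables/ip6tables -s <net>


def partial_to_network(token: str):
    """Normalise one list entry to an ip_network.

    Apache treats a partial dotted quad such as '13.124' as 'every address that
    begins with those octets', i.e. 13.124.0.0/16; CIDR and IPv6 entries pass
    through. strict=False keeps entries whose host bits are set, as several of
    the hand-written CIDRs in the lists above are.
    """
    if "/" in token or ":" in token:
        return ipaddress.ip_network(token, strict=False)
    octets = token.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address or prefix: {token!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


def parse_denylist(text: str):
    """(network, original line) for every deny-from or iptables -s line; comments
    and anything else are ignored."""
    entries = []
    for line in text.splitlines():
        m = _DENY.match(line) or _IPT.match(line)
        if m:
            entries.append((partial_to_network(m.group(1)), line.strip()))
    return entries


def normalise(entries):
    """Collapse the list into the minimal set of prefixes and report the entries
    that added nothing (exact duplicates, or already inside a wider entry)."""
    by_version = {4: [], 6: []}          # collapse_addresses refuses mixed versions
    for net, _ in entries:
        by_version[net.version].append(net)
    collapsed = list(ipaddress.collapse_addresses(by_version[4])) + \
                list(ipaddress.collapse_addresses(by_version[6]))
    redundant, seen = [], set()
    for net, line in entries:
        covered = any(net != other and net.subnet_of(other)
                      for other in by_version[net.version])
        if net in seen or covered:
            redundant.append(line)
        seen.add(net)
    return collapsed, redundant


def emit_iptables(networks):
    """One INPUT DROP rule per collapsed prefix, ip6tables for IPv6 entries."""
    return [f"{'ip6tables' if n.version == 6 else 'iptables'} -A INPUT -s {n} -j DROP"
            for n in networks]


# Constructed sample mixing both notations; documentation prefixes only.
SAMPLE = """\
#provider A (constructed, documentation prefixes)
deny from 203.0.113
deny from 203.0.113.0/25
deny from 198.51.100.0/24
deny from 198.51.100.0/24
#provider B
iptables -A INPUT -s 192.0.2.0/25 -j DROP
iptables -A INPUT -s 192.0.2.128/25 -j DROP
iptables -A INPUT -s 2001:db8::/32 -j DROP
"""

if __name__ == "__main__":
    entries = parse_denylist(SAMPLE)
    collapsed, redundant = normalise(entries)
    print(f"{len(entries)} entries -> {len(collapsed)} prefixes; redundant: {redundant}")
    print("\n".join(emit_iptables(collapsed)))
```

A shorter, collapsed rule set is also faster for the kernel to evaluate, since every packet is matched against the INPUT chain top to bottom until a rule fires.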
All of the above, as well as previously *documented* attempts by Google to "sniff" private information without permission from WiFi networks in Germany:
The Economist: Google's Wi-Fi-scanning travails
and cheating on customers using Safari browser cookies (see my blog item here), makes me think that the recommendations in my article "Block Akamai and Google" are correct.
Technologies change, but Bolshevik genes are still the same and will always try to achieve the same paranoid goals as previous generations of the VIRUS, this time using CYBER space.
The best way to deal with Bolshevik hacking is by sharing this information across the Internet, EXPOSING their criminal activities and methods and reporting them to the Police!
One beautiful day the Police in the USA and/or in Europe will come to the offices of Amazon Technologies, OVH, Hetzner, etc. and run another simple Linux/Unix command from inside their networks and identify the hackers by NAME!
$ nslookup 184.108.40.206
and finally send those silly humanoids behind bars!
YOUR awareness, positive attitude and basic Linux/Unix skills may play a crucial role in dismantling Bolshevik criminal networks around the globe, with God's help!
Let's start working on it!