Catch Amazon and other Bolshevik hackers using Linux/Unix netstat, traceroute, dig and whois.

It was mentioned in "Block Akamai and Google" that a new generation of Cyber Bolsheviks, who settled in the USA in the 1970s, is doing some nasty stuff using the USA as their hacking base, because of the chronic inability of the USA police force to confront them and restore RULE of LAW in the USA.

In this post I will illustrate their hacking activities in Europe using the basic Linux networking tools netstat, traceroute, dig and whois. My analysis may help other Internet users (both in Europe and the USA) identify, block and report hackers to the police.

In late May 2018 I decided to upload new pictures from the High Energy Physics Conference in Rome in 2017, where I first presented my "Motley String" theory. To do that I logged into my ISP and started the upload of my new picture. A couple of minutes later I suspected that the upload was taking too long and decided to check my Internet connections (in a new console tab) using my favorite netstat command: $ netstat -tapecn.

The result was VERY interesting! Instead of connections to my ISP, there was ONLY a connection to the IP 54.93.71.192. The next thing I did was check the strange IP using the whois utility. The new result was EVEN MORE interesting:

$ whois 54.93.71.192
getaddrinfo(whois.arin.net): Name or service not known
Sometimes hackers (e.g. from IANA.org and VERISIGN.com, as you'll see below) use IPv6 addresses. In that case one can use the dig -x command and get the hacker's domain name first!

$ dig -x 2a00:1450:400f:80d

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -x 2a00:1450:400f:80d
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20107
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2a00:1450:400f:80d.in-addr.arpa. IN	PTR

;; AUTHORITY SECTION:
in-addr.arpa.		3600	IN	SOA	b.in-addr-servers.arpa. nstld.iana.org.


We can also use the very helpful Linux/Unix tool dig with the "-i" argument for IPv6 reverse lookups, in case of sophisticated hacker attacks!

$ dig -i verisign-grs.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -i verisign-grs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 837
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;verisign-grs.com.		IN	A

;; AUTHORITY SECTION:
verisign-grs.com.	10702	IN	SOA	av1.nstld.com. mdnshelp.verisign.com. 1522086425 300 7200 1209600 86400

Now we can ping their domain and get the IP range for the Verisign hacker:

$ whois 72.13.63.55

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/whois_reporting/index.html
#


NetRange:       72.13.32.0 - 72.13.63.255
CIDR:           72.13.32.0/19
NetName:        VRSNNETBLK-1

And the IP range for the IANA.org hacker:

$ whois 192.0.43.8
CIDR:           192.0.32.0/20
NetName:        ICANN

Basically, the hacker attacking my PC stopped the whois service on his network, so I could not see which network they are located on. They also tried using IPv6 protocol addresses to confuse me.

That is actually a typical sign of a serious hacking attempt.

But for every nasty hacker there is a smart Linux/UNIX developer knowledgeable about *NIX networking tools!

One of the most useful networking tools on Linux/Unix is traceroute. It lets you see how IP packets travel across networks and thus identify ALL the routers and networks the IP packets go through on their way to your PC.

So the next thing I do is trace that nasty IP:

$ traceroute 54.93.71.192
traceroute to 54.93.71.192 (54.93.71.192), 30 hops max, 60 byte packets
 1  homerouter.cpe (192.168.8.1)  0.434 ms  0.776 ms  0.718 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * avk6-vpe-3.bundle-ether2s15.tele2.net (130.244.71.98)  3110.886 ms  3145.918 ms
 8  avk6-vpe-4.bundle-ether1.tele2.net (130.244.71.225)  3152.802 ms  3170.759 ms  3186.711 ms
 9  hgd-core-1.bundle-ether70.tele2.net (130.244.71.222)  3212.738 ms  3230.664 ms  3251.632 ms
10  hgd-peer-1.et-6-1-0-unit0.tele2.net (130.244.195.17)  3270.679 ms  3283.736 ms  3305.713 ms
11  52.95.218.172 (52.95.218.172)  3326.458 ms  3355.599 ms  3379.510 ms
12  52.93.2.48 (52.93.2.48)  3440.514 ms 52.93.2.112 (52.93.2.112)  3460.507 ms 52.93.2.96 (52.93.2.96)  102.830 ms
13  52.93.2.139 (52.93.2.139)  91.510 ms 52.93.2.107 (52.93.2.107)  134.104 ms 52.93.2.157 (52.93.2.157)  256.331 ms
14  54.239.43.24 (54.239.43.24)  360.309 ms 54.239.43.26 (54.239.43.26)  360.298 ms  360.257 ms
15  54.239.106.86 (54.239.106.86)  360.222 ms 54.239.106.40 (54.239.106.40)  360.176 ms 54.239.106.18 (54.239.106.18)  374.726 ms
16  54.239.106.143 (54.239.106.143)  407.727 ms 54.239.106.59 (54.239.106.59)  427.550 ms 54.239.106.141 (54.239.106.141)  442.583 ms
As you can see from the output above, my mobile operator is Tele2, a super speedy 4G Swedish operator, active not only in Sweden but in several other European countries, including Holland and Russia.

We also see that packets coming to my PC from the nasty IP pass through IP address 54.239.106.32.
So I check who that may be, using the same whois tool as before:

$ whois 54.239.106.32
CIDR:           54.224.0.0/12
NetName:        AMAZON-2011L
OrgName:        Amazon Technologies Inc.
OrgId:          AT-88-Z
Address:        410 Terry Ave N.
City:           Seattle
StateProv:      WA

And because the hacker could NOT stop the whois service on ALL the computers his packets pass through on the way to my box, I can see that he is actually sitting on the Amazon Technologies Inc. network, with the name AMAZON-2011L and the CIDR 54.224.0.0/12.

Which is EXACTLY what I need to know!

My next step after identifying the hacker is to BLOCK him/her from connecting to my box!

As I described in the Akamai article, I do this best using the Linux/Unix iptables tool.

In a new console tab, I switch user (su) to the Linux/Unix superuser (with the # prompt) and edit the /etc/init.d/networking configuration file, appending two new IP rules for the kernel: one for incoming IP connections from the Amazon hacking network, and another for possible outgoing connections to their network, in case they have already installed spyware on my box!

 #Amazon: inbound packets are matched on their source (-s),
 #outbound packets on their destination (-d); -s on OUTPUT would never match
 iptables -A INPUT -s 54.224.0.0/12 -j DROP
 iptables -A OUTPUT -d 54.224.0.0/12 -j DROP

 #VERISIGN
 iptables -A INPUT -s 72.13.32.0/19 -j DROP
 iptables -A OUTPUT -d 72.13.32.0/19 -j DROP

 #dump the full ruleset (redirect to a file to keep it) and list the chains
 #(-n skips reverse DNS lookups, which are slow for addresses we just blocked)
 iptables-save
 iptables -L -n

After that I restart my network services with the # /etc/init.d/networking restart command, or simply reboot my box.

After rebooting my Linux PC and starting the Firefox browser, I see the following in the netstat -tapecn output:

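A small POSIX shell script, added here as an example and not part of the original post, that turns a list of CIDR ranges into the pair of iptables rules described above (INPUT matched on source, OUTPUT matched on destination) and refuses ranges whose host bits are not zero, the kind of typo iptables would otherwise silently normalise. The function names drop_rules and cidr_ok are mine; the two ranges fed in at the end are the ones from the post.

```shell
#!/bin/sh
# Added example, not the author's script. Prints DROP rules for each CIDR
# range; run as root and pipe into sh to apply, or paste into your init script.

# cidr_ok NET/PREFIX -> exit 0 only for a syntactically valid range whose
# address has no host bits set (10.1.2.0/16 is rejected, 10.1.0.0/16 passes)
cidr_ok() {
    echo "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
            ip = (($1 * 256 + $2) * 256 + $3) * 256 + $4   # address as a number
            host_bits = 32 - $5
            # a proper network address is a multiple of 2^host_bits
            if (ip % (2 ^ host_bits) != 0) exit 1
            exit 0
        }'
}

# drop_rules LABEL CIDR... -> one INPUT and one OUTPUT rule per valid range;
# invalid ranges are reported on stderr and skipped, never half-applied
drop_rules() {
    label=$1
    shift
    echo "# $label"
    for net in "$@"; do
        if ! cidr_ok "$net"; then
            echo "skipped invalid or non-aligned range: $net" >&2
            continue
        fi
        echo "iptables -A INPUT  -s $net -j DROP"   # packets arriving from the range
        echo "iptables -A OUTPUT -d $net -j DROP"   # packets this box sends to it
    done
}

# The two ranges identified in the post
drop_rules "Amazon" 54.224.0.0/12
drop_rules "VERISIGN" 72.13.32.0/19
```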
tcp        0      1 192.168.1.100:53095     50.112.136.93:443       SYN_SENT    1000       22952       4002/firefox-esr
tcp        0      1 192.168.1.100:58888     212.247.20.35:80        SYN_SENT    1000       24741       4002/firefox-esr
tcp        0      1 192.168.1.100:53538     171.64.78.27:80         SYN_SENT    1000       18354       4002/firefox-esr
tcp        0      1 192.168.1.100:38258     212.247.20.26:80        SYN_SENT    1000       23965       4002/firefox-esr
tcp        0      1 192.168.1.100:56736     172.217.20.46:443       SYN_SENT    1000       22946       4002/firefox-esr
tcp        0      1 192.168.1.100:53091     50.112.136.93:443       SYN_SENT    1000       18356       4002/firefox-esr
tcp        0      1 192.168.1.100:60007     54.69.184.117:443       SYN_SENT    1000       18366       4002/firefox-esr
tcp        0      1 192.168.1.100:41756     172.217.22.174:443      SYN_SENT    1000       23973       4002/firefox-esr
tcp        0      1 192.168.1.100:53536     171.64.78.27:80         SYN_SENT    1000       18352       4002/firefox-esr
tcp        0      1 192.168.1.100:51750     216.58.211.138:443      SYN_SENT    1000       18355       4002/firefox-esr
tcp        0      1 192.168.1.100:51754     216.58.211.138:443      SYN_SENT    1000       22951       4002/firefox-esr
tcp        0      1 192.168.1.100:53531     171.64.78.27:80         SYN_SENT    1000       22945       4002/firefox-esr
tcp        0      1 192.168.1.100:38278     212.247.20.26:80        SYN_SENT    1000       22954       4002/firefox-esr
tcp        0      1 192.168.1.100:41748     172.217.22.174:443      SYN_SENT    1000       18353       4002/firefox-esr
tcp        0      1 192.168.1.100:53533     171.64.78.27:80         SYN_SENT    1000       22947       4002/firefox-esr
tcp        0      1 192.168.1.100:57635     216.58.207.234:443      SYN_SENT    1000       22948       4002/firefox-esr
tcp        0      1 192.168.1.100:60008     54.69.184.117:443       SYN_SENT    1000       22953       4002/firefox-esr
tcp        0      1 192.168.1.100:39322     54.148.92.105:443       SYN_SENT    1000       22949       4002/firefox-esr

As you can see in the netstat output, those nasty Akamai (212.247.20.35), IANA (171.64.78.27), Google (172.217.20.46), Amazon (50.112.136.93) and Verisign hacker connections to my box are ALL GONE! They just keep trying to connect, like silly s.... :-)

Now I can relax a bit and upload files to my web site fast and reliably!

You will find the New Cyber Bolsheviks gang leaders' (aka Google) IP ranges on the Droid-calendar page of my site.

MONITORING your network connections with netstat is the KEY element of best Internet security practice!

Readers of my Droid-calendar page are already familiar with Google Android's NON-stoppable services and user data "extractions" and "synchronizations" with NSA/CIA databases and Facebook profiles, which CRIMINALS later use for many different scenarios: from selling their "goodies" to potential customers to influencing USA elections, as the Facebook and Analytica scandal demonstrated recently!

All this means that the Bloody Satanic Bolsheviks have already taken over the USA and are now preparing an American version of Russia's 1917 and RED TERROR for North Americans (most importantly in the USA and Canada).
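The manual routine in this post (run netstat -tapecn, pick out the remote addresses, whois each one) as a POSIX shell script; this is an added example, not the author's code. The function names peers_from_netstat, whois_summary and lookup_peers are mine, and the netstat listing embedded at the bottom is constructed to match the layout shown above, using documentation addresses rather than real hosts.

```shell
#!/bin/sh
# Added example, not the author's script. Reduces `netstat -tapecn` output to
# the distinct remote IPs each process talks to (or tries to reach), then looks
# them up with whois when that tool is installed. Column layout of -tapecn:
#   Proto Recv-Q Send-Q Local Remote State User Inode PID/Program

# peers_from_netstat < netstat-output -> unique "IP STATE PID/PROGRAM" lines;
# listening sockets are skipped (their remote column is 0.0.0.0:*)
peers_from_netstat() {
    awk '($1 == "tcp" || $1 == "tcp6") && $6 != "LISTEN" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # strip the remote port
            print ip, $6, $9
        }' | sort -u
}

# whois_summary IP -> range and owner lines of the whois record. A failure is
# reported explicitly: whois must first resolve the registry server name
# (whois.arin.net, whois.ripe.net, ...), so a broken local resolver shows up
# here as an error message rather than as an empty result.
whois_summary() {
    if ! command -v whois >/dev/null 2>&1; then
        echo "$1: whois is not installed"
        return 1
    fi
    out=$(whois "$1" 2>&1) || { echo "$1: whois lookup failed: $out" | head -1; return 1; }
    printf '%s\n' "$out" | grep -E -i '^(CIDR|NetName|OrgName|inetnum|netname|org-name):' | head -4
}

# lookup_peers < netstat-output -> whois summary per remote IP
# Live use (whois installed): netstat -tapecn | lookup_peers
lookup_peers() {
    peers_from_netstat | while read -r ip state prog; do
        echo "== $ip ($state, $prog)"
        whois_summary "$ip"
    done
}

# Constructed sample (not a real capture); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges, not real hosts
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      1 192.168.1.100:53095     203.0.113.10:443        SYN_SENT    1000       22952       4002/firefox-esr
tcp        0      0 192.168.1.100:58888     203.0.113.10:443        ESTABLISHED 1000       24741       4002/firefox-esr
tcp        0      1 192.168.1.100:53538     198.51.100.7:80         SYN_SENT    1000       18354       4002/firefox-esr
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          11111       812/sshd'

# Offline demonstration: just the distilled peer list from the sample
printf '%s\n' "$SAMPLE" | peers_from_netstat
```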

Dear fellow North Americans! Your freedoms and democracy are in GREAT DANGER!

Get United and Never give up your ARMS and RIGHTS and FREEDOMS!!!

RED DEVIL is knocking on your door!

Summary:

The Cyber version of the Bolshevik VIRUS includes NOT ONLY Google, Microsoft and AKAMAI but several other major companies working closely with them: Amazon Technologies is THE MOST active in hacking European sites, and they have a HUGE number of IPs allocated in different parts of the world.

When the Bolsheviks International establishes its base in a new country, it quickly turns it into a CRIME ZONE where there is NO LAW and the police do not do what they are supposed to do!

Post-Soviet Russia is ONE major example. Now pretty much the same thing is happening in the USA.

The Bolshevik VIRUS MOSTLY infects RICH and prosperous countries, and then SUCKS and destroys them.

Here is a list of some of their IP ranges that I came across in the process of blocking their numerous hacking attempts!


One company closely related to Amazon is called Cloudflare, Inc. They are based in San Francisco, but recently acquired a huge IP range in Denmark, hiding there as digitaladvisor.dk:


$ whois 104.28.25.101
CIDR:           104.16.0.0/12, new IP range in Denmark!
NetName:        CLOUDFLARENET
OrgName:        Cloudflare, Inc.
OrgId:          CLOUD14
Address:        101 Townsend Street
City:           San Francisco
StateProv:      CA

You may see them connecting to your PC without invitation, like most Bolshevik gangsters do!

What is interesting here is that the Bolsheviks from the USA seem to be celebrating Christmas in their own VERY SPECIAL WAY: by purchasing new HUGE IP ranges in the European Union (Ireland, Denmark, Germany, etc.) and using them for sniffing, hacking, etc.!

The European Commission, European police forces and the Open Source community need to keep those Bolshevik "activities" under close control and disrupt their networks as needed!

Another company closely connected to the Google and Amazon Bolsheviks is OVH, which is also VERY active in hacking and has a large number of IPs located in different parts of France, Canada, the USA and the UK.


Some of the major Internet hacking and sniffing CRIMINALS work at Hetzner Online AG.

They are BASED in Germany, but have MANY offices in Europe, including Russia (where they operate as mydedicated.ru) and South Africa (Cape Town), and on one occasion (after being identified) they changed their IP range to the HUGE AMPRNET, Amateur Radio Digital Net (44.0.0.0/8)!!!

Judging by their WIDESPREAD locations (from Cape Town to Germany to Russia to ...), it is a CORE member of the Bolsheviks International CRIMINAL GANG!

Below is a list of (some of) their IP ranges:

 #Hetzner Attacker found! :-)
 iptables -A INPUT -s 88.99.232.0/16 -j DROP
 
 #Hetzner ranges in Europe
 iptables -A INPUT -s 195.201.0.0/16 -j DROP
 iptables -A INPUT -s 144.76.0.0/16 -j DROP
 iptables -A INPUT -s 213.133.96.0/20 -j DROP
 iptables -A INPUT -s 94.130.0.0/16 -j DROP
 iptables -A INPUT -s 178.63.0.0/16 -j DROP
 iptables -A INPUT -s 138.201.0.0/16 -j DROP
 iptables -A INPUT -s 88.99.0.0/16 -j DROP
 iptables -A INPUT -s 213.239.192.0/18 -j DROP
 iptables -A INPUT -s 136.243.0.0/16 -j DROP
 iptables -A INPUT -s 5.9.0.0/16 -j DROP
 iptables -A INPUT -s 88.198.0.0/16 -j DROP
 iptables -A INPUT -s 78.46.0.0/15 -j DROP
 iptables -A INPUT -s 144.76.0.0/16 -j DROP
 iptables -A INPUT -s 148.251.0.0/16 -j DROP
 iptables -A INPUT -s 176.9.0.0/16 -j DROP

 iptables -A INPUT -s 5.9.31.0/24 -j DROP
 iptables -A INPUT -s 196.40.97.0/24 -j DROP
 iptables -A INPUT -s 196.22.142.0/24 -j DROP

 #FI,helsinki
 iptables -A INPUT -s 95.216.0.0/16 -j DROP

 #Hetzner in Russia: mydedicated.ru
 iptables -A INPUT -s  46.4.0.0/16 -j DROP
 iptables -A INPUT -s  188.40.0.0/16 -j DROP

 #HETZNER,CapeTown,ZA
 iptables -A INPUT -s  129.232.128.0/17 -j DROP
 iptables -A INPUT -s  197.221.0.0/18 -j DROP
 iptables -A INPUT -s  197.221.10.0/23 -j DROP
 iptables -A INPUT -s  96.22.132.0/24 -j DROP

 #HETZNER changed name and CIDR to AMPRNET, Amateur Radio Digital Net!
 iptables -A INPUT -s 44.0.0.0/8 -j DROP

All of the above, as well as the previously *documented* attempts by Google to "sniff" private information from WiFi networks in Germany without permission, and the cheating on customers using Safari browser cookies (see my blog item here), makes me think that the recommendations in my article "Block Akamai and Google" are correct.

Technologies change, but the Bolshevik genes are still the same and will always try to achieve the same paranoid goals as previous generations of the VIRUS, this time using CYBER space.

The best way to deal with Bolshevik hacking is by sharing this information across the Internet, EXPOSING their criminal activities and methods, and reporting them to the police!

One beautiful day the police in the USA and/or in Europe will come to the offices of Amazon Technologies, OVH, Hetzner, etc., run another simple Linux/Unix command from inside their networks, and identify the hackers by NAME!

$ nslookup 54.93.71.192

and finally put those silly humanoids behind bars!

YOUR awareness, positive attitude and basic Linux/Unix skills may play a crucial role in dismantling Bolshevik criminal networks around the globe, with God's help!

Let's start working on it!