Archive for December, 2010

WHERE’S WIKILEAKS (AS OF THIS MOMENT)?

December 3, 2010

WHERE’S WIKILEAKS?

Whose couch is WikiLeaks sleeping on, today? The “.org” domain is no more, thanks to Fox News Radio on WLAC for that info! It’s now (or most recently, anyway) “.ch” in Sweden.

C:\Documents and Settings\Tom Cox>tracert wikileaks.ch

Tracing route to wikileaks.ch [88.80.13.160] over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.0.1
[local ISP hops] –
9 83 ms 86 ms 85 ms TenGigE0-0-0-0.GW4.ATL5.ALTER.NET [63.122.230.125]
10 116 ms 93 ms 91 ms 0.ge-1-1-0.XT1.ATL5.ALTER.NET [152.63.82.253]
11 82 ms 93 ms 93 ms 0.so-5-1-0.XT1.ATL4.ALTER.NET [152.63.0.85]
12 82 ms 91 ms 96 ms TenGigE0-6-1-0.GW7.ATL4.ALTER.NET [152.63.80.133]
13 94 ms 91 ms 94 ms teliasonera-gw.customer.alter.net [157.130.90.238]
14 100 ms 109 ms 109 ms ash-bb1-link.telia.net [80.91.247.172]
15 110 ms 110 ms 104 ms 80.91.248.201
16 200 ms 226 ms 201 ms kbn-bb1-link.telia.net [80.91.247.114]
17 204 ms 208 ms 230 ms s-bb2-link.telia.net [80.91.248.50]
18 210 ms 224 ms 216 ms s-b3-link.telia.net [80.91.249.220]
19 210 ms 214 ms 319 ms tsic-206.kn1.sth.portlane.net [213.248.66.206]
20 215 ms 238 ms 228 ms i2b-154.kn1.sth.portlane.net [80.67.0.154]
21 227 ms 225 ms 213 ms sth-sod1-crdn-1-ge-1-2-801.i2b.se [178.16.212.10]
22 247 ms 227 ms 221 ms sth-sln1-crdn-1-ge-2-3-800.i2b.se [178.16.212.5]
23 216 ms 207 ms 213 ms cust-prq-nt.i2b.se [178.16.212.2]
24 210 ms 247 ms 203 ms mail.wikileaks.org [88.80.13.160]

Trace complete.

WHOIS search:

[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
% To receive output for a database update, use the “-B” flag.

% Information related to ‘88.80.12.0 – 88.80.13.255’

inetnum: 88.80.12.0 – 88.80.13.255
netname: PRQ-NET-INT
descr: prq Inet – Access
descr: Customer / link addresses
country: SE
admin-c: pIN7-RIPE
tech-c: pIN7-RIPE
status: ASSIGNED PA
mnt-by: MNT-PRQ
source: RIPE # Filtered

role: prq Inet NOC
address: PRQ AB
address: Box 1206
address: SE 11479 Stockholm
address: Sweden
remarks: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
remarks: !! Abuse reports should ONLY be sent to abuse@prq.se !!
remarks: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
abuse-mailbox: abuse@prq.se
admin-c: PW1115-RIPE
tech-c: PW1115-RIPE
nic-hdl: PIN7-RIPE
mnt-by: MNT-PRQ
source: RIPE # Filtered

% Information related to ‘88.80.0.0/19AS33837’

route: 88.80.0.0/19
descr: Periquito aggregated route
origin: AS33837
mnt-by: MNT-PRQ
source: RIPE # Filtered

On the Trail of Wikileaks — Some Low-Rent IT Detective Work

December 2, 2010

All the noise about WikiLeaks and the elusive nature of alleged terrorist/rapist/spy and convicted pencil-neck Julian Assange prompted me to do a little online snooping.

Assange may be resting his pencil-neck on a couch in a relatively-secure, so-far undisclosed apartment location, but his WikiLeaks site has to be hosted on one or more servers, somewhere, with Internet access, or it can’t be spewing forth embarrassing (and probably lethal) secrets.

I started with a “traceroute,” which is a command-line process that lays out the path to a target site — in this case, “wikileaks.org.”

The result is below, with some early hops deleted in a nod to IT paranoia. This was effective about 10:15 AM, CST, December 2, 2010.

C:\Documents and Settings\Tom Cox>tracert wikileaks.org
Tracing route to wikileaks.org [91.121.133.41] over a maximum of 30 hops:
1    <1 ms    <1 ms    <1 ms  192.168.0.1
[...]
9    79 ms   106 ms   104 ms  te-1-2.car2.Nashville1.Level3.net [4.59.200.37]
10   239 ms   101 ms   106 ms  ae-11-11.car1.Nashville1.Level3.net [4.69.140.226]
11   109 ms   138 ms   113 ms  ae-8-8.ebr2.Atlanta2.Level3.net [4.69.140.230]
12   110 ms   127 ms   101 ms  ae-12-51.car2.Atlanta1.Level3.net [4.68.103.3]
13   124 ms   126 ms   133 ms  francetelecom-level3-ge.Atlanta1.Level3.net [4.68.110.162] 
14   122 ms   144 ms   149 ms  xe-2-1-2-0.ashtr1.Ashburn.opentransit.net [193.251.243.25]
15   196 ms   213 ms   203 ms  pos0-1-5-0.pastr1.Paris.opentransit.net [193.251.243.150]
16   207 ms   323 ms   200 ms  gigabitethernet11-1-0.auvcr2.Aubervilliers.opentransit.net [193.251.132.117]
17   212 ms   206 ms   214 ms  te2-3.parse3.Paris.opentransit.net [193.251.129.13]
18   202 ms     *      215 ms  th1-1-6k.fr.eu [213.251.128.57]
19   203 ms     *        *     rbx-1-6k.fr.eu [213.186.32.194]
20   211 ms   201 ms   222 ms  rbx-41-m1.fr.eu [213.251.191.119]
21   292 ms   248 ms   206 ms  ns201695.ovh.net [91.121.133.41]
Trace complete.

To flesh out the search, I went to WHOIS and entered the last IP address, 91.121.133.41.

Here’s the result:

[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '91.121.132.0 - 91.121.135.255'
inetnum: 91.121.132.0 - 91.121.135.255
netname: OVH
descr: OVH SAS
descr: Dedicated Servers
descr: http://www.ovh.com
country: FR
admin-c: OK217-RIPE
tech-c: OTC2-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
role: OVH Technical Contact
address: OVH SAS
address: 2 rue Kellermann
address: 59100 Roubaix
address: France
admin-c: OK217-RIPE
tech-c: GM84-RIPE
nic-hdl: OTC2-RIPE
abuse-mailbox: abuse@ovh.net
mnt-by: OVH-MNT
source: RIPE # Filtered
person: Octave Klaba
address: OVH SAS
address: 2 rue Kellermann
address: 59100 Roubaix
address: France
phone: +33 9 74 53 13 23
nic-hdl: OK217-RIPE
abuse-mailbox: abuse@ovh.net
mnt-by: OVH-MNT
source: RIPE # Filtered
% Information related to '91.121.0.0/16AS16276'
route: 91.121.0.0/16
descr: OVH ISP
descr: Paris,  France
origin: AS16276
mnt-by: OVH-MNT
source: RIPE # Filtered
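
The two manual steps above (take the last tracert hop, then look its address up in WHOIS) can be tied together in a short script. This is an added example, not part of the original post: it parses Windows tracert output and the RPSL WHOIS fields, then checks that the final hop really falls inside the reported inetnum range and route. The function names are my own, and the sample input is excerpted from the output shown above.

```python
import ipaddress
import re

# Last hops and key WHOIS fields, excerpted from the output above.
TRACERT = """\
Tracing route to wikileaks.org [91.121.133.41] over a maximum of 30 hops:
19   203 ms     *        *     rbx-1-6k.fr.eu [213.186.32.194]
20   211 ms   201 ms   222 ms  rbx-41-m1.fr.eu [213.251.191.119]
21   292 ms   248 ms   206 ms  ns201695.ovh.net [91.121.133.41]
"""
WHOIS = """\
inetnum: 91.121.132.0 - 91.121.135.255
netname: OVH
country: FR
route: 91.121.0.0/16
origin: AS16276
"""

# Hop number, three probes ("<1 ms", "83 ms" or "*"), then "host [ip]" or a bare ip.
HOP = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(?:(\S+) \[([\d.]+)\]|([\d.]+))\s*$")

def parse_tracert(text):
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            rtts = re.findall(r"(\d+) ms", m.group(2))
            hops.append({"hop": int(m.group(1)), "host": m.group(3),
                         "ip": m.group(4) or m.group(5), "lost": 3 - len(rtts)})
    return hops

def parse_whois(text):
    # RPSL "key: value" lines; skip "%" comments, keep the first value per key.
    rec = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and not line.startswith("%"):
            rec.setdefault(key.strip(), val.strip())
    return rec

def locate(tracert_text, whois_text):
    last = parse_tracert(tracert_text)[-1]
    rec = parse_whois(whois_text)
    ip = ipaddress.ip_address(last["ip"])
    lo, hi = (ipaddress.ip_address(p) for p in re.split(r"\s*[-\u2013]\s*", rec["inetnum"]))
    return {"ip": str(ip), "ptr": last["host"], "netname": rec["netname"],
            "country": rec["country"], "origin": rec["origin"],
            "in_inetnum": lo <= ip <= hi,
            "in_route": ip in ipaddress.ip_network(rec["route"])}
```

The `ptr` field is only the reverse-DNS name of the last hop, which is why the December 3 trace to wikileaks.ch ends at a host labelled mail.wikileaks.org; the WHOIS netname, country and origin AS are what identify the hosting network.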

Seems like only yesterday that some Amazon servers were hosting the site. Apparently the pressure on Amazon caused an eviction notice to be served, and WikiLeaks moved on, its virtual couch no longer a place of welcome.

Is anyone surprised that the cheese-eating surrender monkeys are hosting the pencil-neck’s site? How long before it is moved, again?

Open a DOS window, enter tracert wikileaks.org and follow it!