On the Trail of Wikileaks — Some Low-Rent IT Detective Work

All the noise about WikiLeaks and the elusive nature of alleged terrorist/rapist/spy and convicted pencil-neck Julian Assange prompted me to do a little online snooping.

Assange may be resting his pencil-neck on a couch in a relatively-secure, so-far undisclosed apartment location, but his WikiLeaks site has to be hosted on one or more servers, somewhere, with Internet access, or it can’t be spewing forth embarrassing (and probably lethal) secrets.

I started with a “traceroute,” a command-line tool that lists each router hop along the path to a target site, in this case “wikileaks.org.”

The result is below, with some early hops deleted in a nod to IT paranoia. It shows the route as of about 10:15 AM CST, December 2, 2010.

C:\Documents and Settings\Tom Cox>tracert wikileaks.org
Tracing route to wikileaks.org [91.121.133.41] over a maximum of 30 hops:
1    <1 ms    <1 ms    <1 ms  192.168.0.1
[...]
9    79 ms   106 ms   104 ms  te-1-2.car2.Nashville1.Level3.net [4.59.200.37]
10   239 ms   101 ms   106 ms  ae-11-11.car1.Nashville1.Level3.net [4.69.140.226]
11   109 ms   138 ms   113 ms  ae-8-8.ebr2.Atlanta2.Level3.net [4.69.140.230]
12   110 ms   127 ms   101 ms  ae-12-51.car2.Atlanta1.Level3.net [4.68.103.3]
13   124 ms   126 ms   133 ms  francetelecom-level3-ge.Atlanta1.Level3.net [4.68.110.162] 
14   122 ms   144 ms   149 ms  xe-2-1-2-0.ashtr1.Ashburn.opentransit.net [193.251.243.25]
15   196 ms   213 ms   203 ms  pos0-1-5-0.pastr1.Paris.opentransit.net [193.251.243.150]
16   207 ms   323 ms   200 ms  gigabitethernet11-1-0.auvcr2.Aubervilliers.opentransit.net [193.251.132.117]
17   212 ms   206 ms   214 ms  te2-3.parse3.Paris.opentransit.net [193.251.129.13]
18   202 ms     *      215 ms  th1-1-6k.fr.eu [213.251.128.57]
19   203 ms     *        *     rbx-1-6k.fr.eu [213.186.32.194]
20   211 ms   201 ms   222 ms  rbx-41-m1.fr.eu [213.251.191.119]
21   292 ms   248 ms   206 ms  ns201695.ovh.net [91.121.133.41]
Trace complete.
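
The hop list above can also be read mechanically. The Python below is an added example, not part of the original post: it parses Windows tracert lines (including `*` timeouts and an address that wrapped onto its own line), lists the hops where the hostname suffix changes, and finds the adjacent hop pair with the largest latency rise. The function names and the last-two-labels suffix heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: the tracert hops shown above (hops 2-8 are omitted there),
# including the hop whose bracketed address wrapped onto its own line.
SAMPLE = """\
  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  9    79 ms   106 ms   104 ms  te-1-2.car2.Nashville1.Level3.net [4.59.200.37]
 10   239 ms   101 ms   106 ms  ae-11-11.car1.Nashville1.Level3.net [4.69.140.226]
 11   109 ms   138 ms   113 ms  ae-8-8.ebr2.Atlanta2.Level3.net [4.69.140.230]
 12   110 ms   127 ms   101 ms  ae-12-51.car2.Atlanta1.Level3.net [4.68.103.3]
 13   124 ms   126 ms   133 ms  francetelecom-level3-ge.Atlanta1.Level3.net [4.68.110.162]
 14   122 ms   144 ms   149 ms  xe-2-1-2-0.ashtr1.Ashburn.opentransit.net [193.251.243.25]
 15   196 ms   213 ms   203 ms  pos0-1-5-0.pastr1.Paris.opentransit.net [193.251.243.150]
 16   207 ms   323 ms   200 ms  gigabitethernet11-1-0.auvcr2.Aubervilliers.opentransit.net
[193.251.132.117]
 17   212 ms   206 ms   214 ms  te2-3.parse3.Paris.opentransit.net [193.251.129.13]
 18   202 ms     *      215 ms  th1-1-6k.fr.eu [213.251.128.57]
 19   203 ms     *        *     rbx-1-6k.fr.eu [213.186.32.194]
 20   211 ms   201 ms   222 ms  rbx-41-m1.fr.eu [213.251.191.119]
 21   292 ms   248 ms   206 ms  ns201695.ovh.net [91.121.133.41]
"""

HOP = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(\S+)(?:\s+\[([\d.]+)\])?\s*$")

def parse_tracert(text):
    """Return one dict per hop: number, host, ip, and best (lowest) RTT in ms."""
    text = re.sub(r"\n\s*(\[[\d.]+\])", r" \1", text)  # rejoin wrapped addresses
    hops = []
    for m in filter(None, map(HOP.match, text.splitlines())):
        rtts = [int(v) for v in re.findall(r"(\d+) ms", m.group(2))]  # "*" = no reply
        host, ip = (m.group(3), m.group(4)) if m.group(4) else (None, m.group(3))
        hops.append({"hop": int(m.group(1)), "host": host, "ip": ip,
                     "rtt": min(rtts) if rtts else None})
    return hops

def handoffs(hops):
    """Hops where the hostname suffix (naive heuristic: last two labels) changes."""
    out, prev = [], None
    for h in hops:
        net = ".".join(h["host"].lower().split(".")[-2:]) if h["host"] else None
        if net and net != prev:
            out.append((h["hop"], net))
            prev = net
    return out

def biggest_jump(hops):
    """(rise_ms, hop_a, hop_b) for the adjacent pair with the largest RTT rise."""
    pairs = [(b["rtt"] - a["rtt"], a["hop"], b["hop"]) for a, b in zip(hops, hops[1:])
             if b["hop"] == a["hop"] + 1 and None not in (a["rtt"], b["rtt"])]
    return max(pairs) if pairs else None
```

On the trace above, `handoffs(parse_tracert(SAMPLE))` reports level3.net at hop 9, opentransit.net at hop 14, fr.eu at hop 18 and ovh.net at hop 21, and `biggest_jump` picks hops 14 to 15, the Ashburn-to-Paris link.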

To flesh out the search, I went to WHOIS and entered the last IP address, 91.121.133.41.

Here’s the result:

[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '91.121.132.0 - 91.121.135.255'
inetnum: 91.121.132.0 - 91.121.135.255
netname: OVH
descr: OVH SAS
descr: Dedicated Servers
descr: http://www.ovh.com
country: FR
admin-c: OK217-RIPE
tech-c: OTC2-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
role: OVH Technical Contact
address: OVH SAS
address: 2 rue Kellermann
address: 59100 Roubaix
address: France
admin-c: OK217-RIPE
tech-c: GM84-RIPE
nic-hdl: OTC2-RIPE
abuse-mailbox: abuse@ovh.net
mnt-by: OVH-MNT
source: RIPE # Filtered
person: Octave Klaba
address: OVH SAS
address: 2 rue Kellermann
address: 59100 Roubaix
address: France
phone: +33 9 74 53 13 23
nic-hdl: OK217-RIPE
abuse-mailbox: abuse@ovh.net
mnt-by: OVH-MNT
source: RIPE # Filtered
% Information related to '91.121.0.0/16AS16276'
route: 91.121.0.0/16
descr: OVH ISP
descr: Paris,  France
origin: AS16276
mnt-by: OVH-MNT
source: RIPE # Filtered

Seems like only yesterday that some Amazon servers were hosting the site. Apparently the pressure on Amazon caused an eviction notice to be served, and WikiLeaks moved on, its virtual couch no longer a place of welcome.

Is anyone surprised that the cheese-eating surrender monkeys are hosting the pencil-neck’s site? How long before it is moved, again?

Open a DOS window, enter tracert wikileaks.org and follow it!

2 Responses to “On the Trail of Wikileaks — Some Low-Rent IT Detective Work”

  1. Robert Kimchi Says:

    Curiously enough, the server that is updating all the Wikileaks mirrors via FTP and rsync+SSH is based on a Wanadoo (French ISP) ADSL connection in the Aubervilliers region of Paris. It appears to be a dynamic IP so I would guess someone with this server set up on their home broadband connection.

    • Tom Cox Says:

      There’s no lack of grassroots IT support for this venture…Clearly, there is a lot more to this story than Internet hide-and-seek. Why do I get the feeling I’m watching history in the making?
