12/31/2013

Anonymous OpSafeWinter exposed


After several hours researching the so-called Operation Safe Winter being conducted by Anonymous, I found several red flags, mainly WePay donation pages.

Since scamming and otherwise abusive behavior is taking place by people involved with this operation, including the campaign being used to spam the anti-government opNSA, I am exposing the IPs of people involved in and supporting the OpSafeWinter campaign.

There are some bots in the list, but that's to be expected when phishing.

First I wanted to test how effective the trap was, so I ran over to the main Anonops IRC channel, #Anonops. Sure enough, I got some hits. One curious discovery was that one IP was inside Facebook's own corporate network. Could this be Facebook monitoring hacker activity, or has one of their servers/computers been compromised? Hard to say.

December 31, 2013: 199.59.161.30 <--- Bot
December 31, 2013: 31.151.158.2 <--- Human
December 31, 2013: 96.255.149.128 <--- Human
December 31, 2013: 81.157.105.93 <--- Human
December 31, 2013: 75.16.201.31 <--- Human
December 31, 2013: 173.252.74.119 <--- Facebook?!?
December 31, 2013: 67.81.217.135 <--- Human

Next I went over to Cyber Gorilla's IRC network to further test things, but I found it to be mainly dead and just full of idling users, despite all the advertising it's received in the last few weeks. All I got were some hits from their server bots that display the title of the URL posted.

December 31, 2013: 5.9.108.74 <--- Bot

Since I've already exposed the site in this test, it was time to burn it down. I posted the link from the Anonrelations account on Twitter and watched the hits and RTs. I'm not going to sift through the list and pick out the automated bots, but the first 9 hit way too fast to be human.


The rest are anyone's guess. I was able to cross-reference some of these with older logs, and they were in fact associated with several known Anonymous members, so in that respect the honeypot was a success.


Now that things are broken down, let's take a look at the header data on a few of these; that will give us a better indication of what's a bot and who's human.

Anonops bot.
199.59.161.30 - - [31/Dec/2013:13:19:03 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 59585 "-" "Mozilla/5.0 (Compatible; Supybot 0.83.4.1+gribble (2011-08-12T18:12:56-0400))"

Human
31.151.158.2 - - [31/Dec/2013:13:19:20 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"

Human
96.255.149.128 - - [31/Dec/2013:13:19:21 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"

Human
81.157.105.93 - - [31/Dec/2013:13:19:31 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"

Human
75.16.201.31 - - [31/Dec/2013:13:20:33 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"

Interesting: Facebook hit from inside Anonops.
173.252.74.119 - - [31/Dec/2013:13:22:08 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 206 11165 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"

Human
67.81.217.135 - - [31/Dec/2013:13:28:13 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"

Cyber Gorilla IRC Bot
5.9.108.74 - - [31/Dec/2013:13:58:49 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 285 "-" "Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"

Interesting. Amazon IP, automated I'm sure.
54.241.198.78 - - [31/Dec/2013:14:04:48 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 227 "-" "Google-HTTP-Java-Client/1.17.0-rc (gzip)"

Human
65.52.244.38 - - [31/Dec/2013:14:04:50 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11114 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

Appears human but tried to snag robots.txt. Not familiar with Flipboard.
54.196.145.175 - - [31/Dec/2013:14:05:46 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 597 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (FlipboardProxy/1.1; +http://flipboard.com/browserproxy)"

Hi Twitter.
199.59.148.211 - - [31/Dec/2013:14:06:55 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11114 "-" "Twitterbot/1.0"

Aww, how cute. Someone was going to post my article as fact... you know, 'cause the internet said it was real.
37.59.16.156 - - [31/Dec/2013:14:07:18 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11170 "-" "Mozilla/5.0 (compatible; PaperLiBot/2.1; http://support.paper.li/entries/20023257-what-is-paper-li)"

Human
46.246.92.155 - - [31/Dec/2013:14:09:22 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11170 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"

Interesting
98.137.207.17 - - [31/Dec/2013:14:13:56 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 59613 "-" "NING/1.0"

Human - iPad news reader
54.225.58.239 - - [31/Dec/2013:14:14:09 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11133 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Contact: feedback@getprismatic.com"

Not sure.
130.155.204.198 - - [31/Dec/2013:14:15:10 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 58824 "-" "Java/1.6.0_27"

Another NING
212.124.109.166 - - [31/Dec/2013:14:20:39 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 366 "-" "NING/1.0"

Human
74.96.97.57 - - [31/Dec/2013:14:20:42 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11169 "http://t.co/WlGhlJdTYz" "Mozilla/5.0 (Windows NT 6.0; rv:26.0) Gecko/20100101 Firefox/26.0"

Web proxy, I think
50.57.227.76 - - [31/Dec/2013:14:20:42 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 285 "-" "EventMachine HttpClient"

Human
54.225.52.78 - - [31/Dec/2013:14:21:00 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11170 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2008091620 Firefox/3.0.2"

Human
205.188.94.164 - - [31/Dec/2013:14:21:20 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 59613 "-" "Jakarta Commons-HttpClient/3.1"

I'll look deeper into the logs when I get time, I do see that injection was successful on most occasions.
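The bot-versus-human sorting above can be automated for a whole access log. The following is an added example, not code from the original post: it parses Apache combined-format lines like the ones quoted, flags known fetcher user agents and HEAD-only probes as bots, and marks hits that land within a few seconds of the link being posted as "too fast to be human". The sample log, the documentation IP addresses and POSTED_AT (the assumed moment the link was tweeted) are constructed for the example; the user-agent strings are the ones quoted in the post.

```python
import re
from datetime import datetime, timedelta, timezone
# Apache "combined" log format, the layout of the entries quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# User-agent fragments of the crawlers and link-preview fetchers seen in the post
# (matched case-insensitively; "bot" alone covers Supybot, Twitterbot and PaperLiBot).
BOT_MARKERS = ("bot", "facebookexternalhit", "flipboardproxy", "ning/", "java/",
               "httpclient", "eventmachine", "getprismatic")

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify(rec, posted_at=None, fast_seconds=5):
    """'bot' for a known fetcher UA or a HEAD-only probe; 'suspect' when the hit landed
    within fast_seconds of the link being posted (too fast for a person); else 'human'."""
    ua = rec["ua"].lower()
    if rec["method"] == "HEAD" or any(marker in ua for marker in BOT_MARKERS):
        return "bot"
    if posted_at is not None and 0 <= (rec["ts"] - posted_at).total_seconds() <= fast_seconds:
        return "suspect"
    return "human"

def triage(log_text, posted_at=None, fast_seconds=5):
    """Return [(ip, verdict, ua), ...] for every parseable line of an access log."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            out.append((rec["ip"], classify(rec, posted_at, fast_seconds), rec["ua"]))
    return out

# Constructed sample using RFC 5737 documentation addresses; the user agents are the
# ones quoted in the post. POSTED_AT is an assumed time at which the link was tweeted.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Dec/2013:13:19:03 +1100] "GET /story/example/ HTTP/1.1" 200 59585 "-" "Mozilla/5.0 (Compatible; Supybot 0.83.4.1+gribble (2011-08-12T18:12:56-0400))"
192.0.2.11 - - [31/Dec/2013:13:19:20 +1100] "GET /story/example/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"
198.51.100.5 - - [31/Dec/2013:13:22:08 +1100] "GET /story/example/ HTTP/1.1" 206 11165 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
198.51.100.6 - - [31/Dec/2013:14:04:48 +1100] "HEAD /story/example/ HTTP/1.1" 200 227 "-" "Google-HTTP-Java-Client/1.17.0-rc (gzip)"
198.51.100.7 - - [31/Dec/2013:14:04:49 +1100] "GET /story/example/ HTTP/1.1" 200 11114 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
"""
POSTED_AT = datetime(2013, 12, 31, 14, 4, 47, tzinfo=timezone(timedelta(hours=11)))
```

Running `triage(SAMPLE_LOG, POSTED_AT)` yields bot, human, bot, bot, suspect for the five sample lines; a browser-looking user agent is not proof of a person, as the "too fast" timing check on the MSIE hit shows.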