[–] collegetoker [S] 0 points 7 points 7 points (+7|-0) ago
Hopefully this is useful to somebody.
[–] collegetoker [S] 0 points 4 points 4 points (+4|-0) ago
A state, a city, and GPS coordinates. That's what I think I have. Did you even read all the way down?
[–] turn-down-for-what 0 points 2 points 2 points (+2|-0) ago
Dreamhost has hundreds of thousands of clients. Worldcorpo is just one of them. If we run under the assumption that Dreamhost puts customers' websites on the data center closest to the customer's billing address (not a crazy assumption) then we know the operator lives in the VA/DC area. That's it.
Sure, go storm Dreamhost's castle for the 50mb of Worldcorpo data stored on a hard drive on a server on a rack in a cage. I'm not sure what you'll accomplish though.
I think the most effective attack vector would be to call Dreamhost pretending to have forgotten your password or whatever and do a little social engineering to try and get an email address or name associated with the account.
[–] EvaEverywhere ago
Yeah, this provides nothing, just points to a very commonly used hosting provider that is quite shitty and unhelpful to their clients.
[–] collegetoker [S] 0 points 4 points 4 points (+4|-0) ago
They added a data center in Ashburn, Virginia.
https://discussion.dreamhost.com/thread-137051.html
That is where it is, I can guarantee it.
[–] sound_of_silence 1 point 2 points 3 points (+3|-1) ago
Ashburn's not too far from DC..
[–] equineluvr 1 point 3 points 4 points (+4|-1) ago
[–] collegetoker [S] 0 points 5 points 5 points (+5|-0) ago
Don't do anything too crazy now. I don't want a bodycount on my hands.
[–] collegetoker [S] 0 points 1 point 1 point (+1|-0) ago
Also, those are their corporate offices, not their data centers.
[–] Emergence1 0 points 1 point 1 point (+1|-0) ago (edited ago)
Hypothetically alternate names:
http://edu.run/content/images/
Here's a good list: https://voat.co/v/pizzagate/1653341
Looks like a bunch of various redirects to the same site and a couple misc sites on the same server.
hmm. https://pastebin.com/RVibxA6h probably before they took it over most of the sites appeared in 2016
misc other shit: Owner: 陈朝阳 Hosting company: New Dream Network, LLC Registrar: China NIC IPs: 208.113.128.159 DNS: ns1.22.cn ns2.22.cn 500nianqian@gmail.com
-not helpful
[–] collegetoker [S] ago (edited ago)
39.018,-77.539 - Ashburn, Virginia, United States
[–] collegetoker [S] ago (edited ago)
Databucket.info
[–] ArthurEdens 0 points 4 points 4 points (+4|-0) ago
I think someone found that out a while back and it only added to the mystery
[–] collegetoker [S] 0 points 5 points 5 points (+5|-0) ago (edited ago)
Where did they think it's from? Because I 100 percent know where it is and I know that it's hosted on a server with another website (or a mirror of worldcorpo) on it. It's flarum.cn, but it's the same site.
[–] ArthurEdens 0 points 1 point 1 point (+1|-0) ago
I think they found a few locations like LA, NJ, and Australia. Can't for sure remember. (voat search isn't working for me). And they found a link to another site too. You should definitely post what you got anyway.
[–] fartyshorts 0 points 4 points 4 points (+4|-0) ago
I looked into all of this before. The same host that hosts worldcorpo hosts several domains that are all mirrors of worldcorpo. They all have hidden names, except one. That one is owned by a (female) nerd who works at NASA. I still have all of this in my notes somewhere.