[–] ArthurEdens 0 points 4 points (+4|-0) ago 

I think someone found that out a while back and it only added to the mystery

[–] collegetoker [S] 0 points 5 points (+5|-0) ago  (edited ago)

Where did they think it's from? Because I 100 percent know where it is and I know that it's hosted on a server with another website (or a mirror of worldcorpo) on it. It's flarum.cn, but it's the same site.

[–] ArthurEdens 0 points 1 point (+1|-0) ago 

I think they found a few locations like LA, NJ, and Australia. Can't for sure remember. (voat search isn't working for me). And they found a link to another site too. You should definitely post what you got anyway.

[–] fartyshorts 0 points 4 points (+4|-0) ago 

I looked into all of this before. The same host that hosts worldcorpo hosts several domains that are all mirrors of worldcorpo. They all have hidden names, except one. That one is owned by a (female) nerd who works at NASA. I still have all of this in my notes somewhere.

[–] collegetoker [S] 0 points 7 points (+7|-0) ago 

Hopefully this is useful to somebody.

[–] Vindicator 0 points 2 points (+2|-0) ago 

[–] paulieweb 0 points 4 points (+4|-0) ago 

Dreamhost is a pretty big, standard hosting service. Not sure what you think you have here??

[–] collegetoker [S] 0 points 4 points (+4|-0) ago 

A state, a city, and GPS coordinates. That's what I think I have. Did you even read all the way down?

[–] turn-down-for-what 0 points 2 points (+2|-0) ago 

Dreamhost has hundreds of thousands of clients. Worldcorpo is just one of them. If we run under the assumption that Dreamhost puts customers' websites on the data center closest to the customer's billing address (not a crazy assumption) then we know the operator lives in the VA/DC area. That's it.

Sure, go storm Dreamhost's castle for the 50mb of Worldcorpo data stored on a hard drive on a server on a rack in a cage. I'm not sure what you'll accomplish though.

I think the most effective attack vector would be to call Dreamhost pretending to have forgotten your password or whatever and do a little social engineering to try and get an email address or name associated with the account.

[–] EvaEverywhere ago 

Yeah, this provides nothing, just points to a very commonly used hosting provider that is quite shitty and unhelpful to their clients.

[–] Yuke 0 points 3 points (+3|-0) ago 

OpenCorporates for New Dream Network, LLC gives two addresses:

135 S. STATE COLLEGE BLVD, STE 500, Brea, CA, 92821

707 WILSHIRE BLVD STE 5050, LOS ANGELES CA 90017

https://opencorporates.com/companies/us_ga/12014142

[–] collegetoker [S] 0 points 4 points (+4|-0) ago 

They added a data center in Ashburn, Virginia

https://discussion.dreamhost.com/thread-137051.html

That is where it is, I can guarantee it.

[–] sound_of_silence 1 point 2 points (+3|-1) ago 

Ashburn's not too far from DC..

[–] 9347162? 0 points 1 point (+1|-0) ago 

So the 417 and the 135 address are right by me and very close to each other ..

[–] Yuke ago 

Can't hurt to scope it out!

[–] equineluvr 1 point 3 points (+4|-1) ago 

[–] 9346927? 0 points 8 points (+8|-0) ago 

Omg I live less than 2 miles from there in Brea

[–] collegetoker [S] 0 points 5 points (+5|-0) ago 

Don't do anything too crazy now. I don't want a bodycount on my hands.

[–] 9346992? 0 points 10 points (+10|-0) ago 

This is a mail house right next door to a pizza place that I have no idea how it's in business because it sucks

[–] collegetoker [S] 0 points 1 point (+1|-0) ago 

Also, those are their corporate offices, not their data centers.

[–] 9347233? 0 points 1 point (+1|-0) ago 

They do about 58 mill a year

[–] Emergence1 0 points 1 point (+1|-0) ago  (edited ago)

Hypothetically alternate names:

http://www.databucket.info/

http://edu.run/content/images/

http://workfacer.com/

Here's a good list: https://voat.co/v/pizzagate/1653341

Looks like a bunch of various redirects to the same site and a couple misc sites on the same server.

hmm. https://pastebin.com/RVibxA6h probably before they took it over most of the sites appeared in 2016

misc other shit: Owner: 陈朝阳 Hosting company: New Dream Network, LLC Registrar: China NIC IPs: 208.113.128.159 DNS: ns1.22.cn ns2.22.cn 500nianqian@gmail.com

-not helpful

[–] collegetoker [S] ago  (edited ago)

http://edu.run

39.018,-77.539 - Ashburn, Virginia, United States



NetRange:       208.113.128.0 - 208.113.255.255
CIDR:           208.113.128.0/17
NetName:        DREAMHOST-BLK6
NetHandle:      NET-208-113-128-0-1
Parent:         NET208 (NET-208-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   New Dream Network, LLC (NDN)
RegDate:        2006-04-12
Updated:        2012-03-02
Ref:            https://whois.arin.net/rest/net/NET-208-113-128-0-1


OrgName:        New Dream Network, LLC
OrgId:          NDN
Address:        417 Associated Rd.
Address:        PMB #257
City:           Brea
StateProv:      CA
PostalCode:     92821
Country:        US
RegDate:        2001-04-16
Updated:        2017-01-28
Comment:        Address location was created regardless of geographic location.
Ref:            https://whois.arin.net/rest/org/NDN


OrgNOCHandle: NETOP274-ARIN
OrgNOCName:   NetOPs
OrgNOCPhone:  +1-714-706-4182 
OrgNOCEmail:  netops@dreamhost.com
OrgNOCRef:    https://whois.arin.net/rest/poc/NETOP274-ARIN

OrgAbuseHandle: DAT5-ARIN
OrgAbuseName:   DreamHost Abuse Team
OrgAbusePhone:  +1-714-706-4182 
OrgAbuseEmail:  abuse@dreamhost.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/DAT5-ARIN

OrgTechHandle: NETOP274-ARIN
OrgTechName:   NetOPs
OrgTechPhone:  +1-714-706-4182 
OrgTechEmail:  netops@dreamhost.com
OrgTechRef:    https://whois.arin.net/rest/poc/NETOP274-ARIN


Host script results:
| dns-brute: 
|   DNS Brute-force hostnames: 

[–] Emergence1 ago 

oh yeah those are working. I can't connect to the ftp though.

[–] collegetoker [S] ago  (edited ago)

Databucket.info

92.242.140.255 - 51.4964,-0.1224 - United Kingdom

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-31 03:44 EDT
Nmap scan report for databucket.info (208.113.128.159)
Host is up (0.079s latency).
rDNS record for 208.113.128.159: ip-208-113-128-159.nodes.dream.io

Host script results:
| dns-brute: 
|   DNS Brute-force hostnames: 

Nmap done: 1 IP address (1 host up) scanned in 2.95 seconds

% Information related to '92.242.140.0 - 92.242.140.255'

% Abuse contact for '92.242.140.0 - 92.242.140.255' is 'abuse@barefruit.co.uk'

inetnum:        92.242.140.0 - 92.242.140.255
netname:        BAREFRUIT-ERRORHANDLING
descr:          BAREFRUIT-US-ANYCAST-A
country:        GB
org:            ORG-BL53-RIPE
admin-c:        PR42-RIPE
tech-c:         PR42-RIPE
status:         ASSIGNED PA
mnt-by:         CATALYST2-MNT
created:        2008-03-11T16:59:41Z
last-modified:  2008-07-24T17:13:47Z
source:         RIPE

organisation:   ORG-BL53-RIPE
org-name:       Barefruit Ltd.
org-type:       LIR
address:        5 Windmill Street
address:        London
address:        W1T 2JA
address:        UNITED KINGDOM
phone:          +44 207 637 0304
admin-c:        PR42-RIPE
mnt-ref:        CATALYST2-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         CATALYST2-MNT
abuse-c:        BA5057-RIPE
created:        2007-12-14T12:37:34Z
last-modified:  2016-09-28T10:03:34Z
source:         RIPE # Filtered

person:         Paul Redpath
remarks:        Catalyst2 Services Ltd
org:            ORG-csl3-RIPE
address:        Forsyth House
address:        Cromac Square
address:        Belfast
address:        BT2 8LA
phone:          +44 800 107 7979
fax-no:         +44 845 280 4993
abuse-mailbox:  abuse@catalyst2.com
mnt-by:         CATALYST2-MNT
created:        2004-01-12T14:35:03Z
last-modified:  2014-01-14T15:15:38Z
source:         RIPE # Filtered
nic-hdl:        PR42-RIPE

% Information related to '92.242.140.0/24AS45028'

route:          92.242.140.0/24
descr:          BF-MC-1
origin:         AS45028
mnt-by:         CATALYST2-MNT
created:        2008-04-23T11:52:47Z
last-modified:  2008-04-23T11:52:47Z
source:         RIPE

[–] 9347225? ago  (edited ago)

What are the images of? I don't want to click on them

[–] 9347195? 0 points 1 point (+1|-0) ago 
