OPSEC fail: TanieRC
So, a few hours ago I noticed that Sh1ttyKids mentioned the OPSEC fail of a darkweb illegal drug dealer called TanieRC. I decided to write a more detailed post about it, to help more people discover and report such cyber-crime websites to the authorities. So, let’s see what TanieRC is…
TanieRC is a Polish illegal drug dealer that started on 20 October 2017. Here is where the OPSEC of this threat actor failed: Censys.io lets you search the contents of the websites it has indexed. Searching the IPv4 hosts for “taniercil76mgjl3.onion”, a string that appears in the HTML of the site’s own pages, reveals the real IP address behind this Tor hidden service. That is a serious server misconfiguration, since the whole purpose of a Tor hidden service is to hide the servers that actually serve the content.
This is clearly an operations security failure on the cyber-criminal’s side. Below is a quick list of what we learned from this OPSEC failure in this particular case.
IP address: 193.70.95.90
Hostname: ip90.ip-193-70-95.eu
Onion address: taniercil76mgjl3.onion
Web server: nginx 1.2.1
SSH daemon: OpenSSH 6.0p1
Operating system: Debian-4+deb7u2
SSH fingerprint: e2890700ba42d5baf545a61afe1427fe24a0472bfafe79d6b8563e3ba6caf95d
Available services: HTTP, SSH, FTP
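The misconfiguration behind this kind of leak is a hidden service whose web server also answers on the public interface, so a scanner indexes the same pages on the clearnet IP and the onion hostname inside the HTML becomes the search key. The script below is an added example (not code from the original post, and not the dealer’s configuration) of the self-audit an operator should run on their own host: it flags nginx `listen` directives bound to anything but loopback and `HiddenServicePort` targets in torrc that forward to a non-loopback address. The nginx and torrc snippets inside it are constructed samples (the onion name and the 203.0.113.10 address are placeholders), with the weak setting beside the corrected one; `clearnet_copy_of_onion` is the live check from outside the host and the only function that touches the network.

```python
"""Self-audit for a Tor hidden service host (added example, not code from the
original post). It flags the two settings behind the leak described above:
a web server bound to a public interface, and a torrc that forwards the
onion port to a non-loopback target. Config snippets below are constructed.
"""
import http.client
import re

# Bind targets that keep the service reachable only from the host itself.
SAFE_HOSTS = {"127.0.0.1", "[::1]", "localhost", "unix"}


def _bind_host(addr: str) -> str:
    """Host part of a listen/forward argument; a bare port means all interfaces."""
    if addr.isdigit():
        return "*"
    if ":" in addr:                      # host:port, [v6]:port or unix:/path
        return addr.rsplit(":", 1)[0]
    return addr                          # host only, e.g. "localhost"


def exposed_nginx_listeners(nginx_conf: str) -> list[str]:
    """Every nginx `listen` argument that binds to a non-loopback address."""
    found = re.findall(r"^[ \t]*listen[ \t]+([^;\s]+)", nginx_conf, re.MULTILINE)
    return [a for a in found if _bind_host(a) not in SAFE_HOSTS]


def exposed_tor_targets(torrc: str) -> list[str]:
    """HiddenServicePort targets that forward to a non-loopback address.
    An omitted target defaults to the loopback, so only explicit ones count."""
    pat = re.compile(r"^[ \t]*HiddenServicePort[ \t]+\d+[ \t]+(\S+)", re.MULTILINE)
    return [t for t in pat.findall(torrc) if _bind_host(t) not in SAFE_HOSTS]


def onion_references(html: str, onion_host: str) -> list[str]:
    """Lines of a served page that mention the onion hostname, i.e. the string
    that makes a clearnet copy of the page searchable by that hostname."""
    return [ln.strip() for ln in html.splitlines() if onion_host in ln]


def clearnet_copy_of_onion(ip: str, onion_host: str, timeout: float = 5.0) -> bool:
    """Live check (network): fetch / from the public IP without Tor and report
    whether the onion hostname appears in the body. Run it against your own host."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": ip})
        body = conn.getresponse().read().decode("utf-8", "replace")
    finally:
        conn.close()
    return bool(onion_references(body, onion_host))


# Constructed samples (hypothetical): the weak setting beside the corrected one.
WEAK_NGINX = """
server {
    listen 80;                 # all interfaces: the site answers on the public IP too
    server_name example00000000000000.onion;
    root /var/www/shop;
}
"""
FIXED_NGINX = """
server {
    listen 127.0.0.1:80;       # only the local tor daemon can reach it
    server_name example00000000000000.onion;
    root /var/www/shop;
}
"""
# 203.0.113.10 is a documentation address standing in for the host's public IP.
WEAK_TORRC = "HiddenServiceDir /var/lib/tor/shop/\nHiddenServicePort 80 203.0.113.10:80\n"
FIXED_TORRC = "HiddenServiceDir /var/lib/tor/shop/\nHiddenServicePort 80 127.0.0.1:80\n"


def audit(nginx_conf: str, torrc: str) -> dict[str, list[str]]:
    """Combined report; empty lists mean nothing is exposed."""
    return {
        "nginx_exposed": exposed_nginx_listeners(nginx_conf),
        "tor_exposed": exposed_tor_targets(torrc),
    }


if __name__ == "__main__":
    print("weak :", audit(WEAK_NGINX, WEAK_TORRC))
    print("fixed:", audit(FIXED_NGINX, FIXED_TORRC))
```

Binding the web server to 127.0.0.1 and forwarding the onion port to the same loopback address is the whole fix: the content then exists only behind Tor, and a clearnet scan of the host’s IP has nothing to index, whatever the HTML contains.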
Starting with a WHOIS lookup, it is clear that this server is not hosted directly by the French provider OVH; instead it belongs to a small Polish hosting provider called IQ-Group, which registered this range on 11 September 2017. IQ-Group itself was registered in RIPE on 06 July 2017.
inetnum:        193.70.95.80 - 193.70.95.95
netname:        OVH_151685543
country:        PL
descr:          Failover Ips
org:            ORG-IA1520-RIPE
admin-c:        OTC12-RIPE
tech-c:         OTC12-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
created:        2017-09-11T15:33:27Z
last-modified:  2017-09-11T15:33:27Z
source:         RIPE

organisation:   ORG-IA1520-RIPE
org-name:       Adam Buhl IQgroup
org-type:       OTHER
address:        10 Sudeckiej Dywizji Zmechanizowanej 4
address:        45-828 Opole
address:        PL
e-mail:         abuhl@iq-group.pl
phone:          +48.609651027
abuse-c:        ACRO9280-RIPE
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2017-07-06T08:16:12Z
last-modified:  2017-10-30T14:49:52Z
source:         RIPE
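To work with records like the one above programmatically rather than by eye, here is a small parser for RIPE-style WHOIS objects; it is an added example, not code from the original post. The embedded sample is the inetnum and organisation objects shown above, with the e-mail and phone attributes left out. `summarize` pulls out the facts the write-up relies on: the size of the range, who holds it, and how many days the organisation had existed in RIPE when the range was assigned to it.

```python
"""Parser for RIPE-style WHOIS objects (added example, not code from the post).
The sample is the inetnum and organisation objects quoted above, with the
e-mail and phone attributes left out.
"""
from datetime import datetime
from ipaddress import IPv4Address

SAMPLE = """\
inetnum:        193.70.95.80 - 193.70.95.95
netname:        OVH_151685543
country:        PL
descr:          Failover Ips
org:            ORG-IA1520-RIPE
admin-c:        OTC12-RIPE
tech-c:         OTC12-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
created:        2017-09-11T15:33:27Z
last-modified:  2017-09-11T15:33:27Z
source:         RIPE

organisation:   ORG-IA1520-RIPE
org-name:       Adam Buhl IQgroup
org-type:       OTHER
address:        10 Sudeckiej Dywizji Zmechanizowanej 4
address:        45-828 Opole
address:        PL
abuse-c:        ACRO9280-RIPE
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2017-07-06T08:16:12Z
last-modified:  2017-10-30T14:49:52Z
source:         RIPE
"""


def parse_whois(text: str) -> list[dict[str, list[str]]]:
    """Split WHOIS output into objects (blank-line separated). Each object maps
    attribute -> list of values, because attributes such as `address` repeat."""
    objects: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("%") or line.startswith("#"):   # server comments
            continue
        if not line:                                        # object boundary
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")                 # value may contain ':'
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def first(obj: dict[str, list[str]], key: str) -> str:
    """First value of an attribute (most attributes occur once)."""
    return obj[key][0]


def range_size(inetnum: str) -> int:
    """Number of addresses in an `a.b.c.d - a.b.c.e` inetnum value."""
    lo, hi = (IPv4Address(p.strip()) for p in inetnum.split("-"))
    return int(hi) - int(lo) + 1


def parse_ts(value: str) -> datetime:
    """RIPE timestamps look like 2017-09-11T15:33:27Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def summarize(text: str) -> dict:
    """Facts the write-up relies on: range size, who holds it, and how long
    the organisation had existed when the range was assigned to it."""
    objs = parse_whois(text)
    inet = next(o for o in objs if "inetnum" in o)
    org = next(o for o in objs if "organisation" in o)
    if first(org, "organisation") != first(inet, "org"):
        raise ValueError("organisation object does not match the inetnum's org:")
    age = parse_ts(first(inet, "created")) - parse_ts(first(org, "created"))
    return {
        "range": first(inet, "inetnum"),
        "addresses": range_size(first(inet, "inetnum")),
        "org_name": first(org, "org-name"),
        "org_country": org["address"][-1],        # last address line is the country
        "org_age_days_at_assignment": age.days,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k}: {v}")
```

Keeping every attribute as a list is what makes the multi-line `address` survive; a plain dict would silently keep only the last line and lose the street address that the rest of the post follows up on.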
Since this is a tiny IP range, we can easily scan it to see whether any other illegal websites are hosted there. The result is the following.
193.70.95.80 - not used
193.70.95.81 - not used
193.70.95.82 - not used
193.70.95.83 - not used
193.70.95.84 - not used
193.70.95.85 - Apache2 Ubuntu Default Page, Postfix, & SSH
193.70.95.86 - Apache2 Ubuntu Default Page, Postfix, & SSH
193.70.95.87 - Apache2 Ubuntu Default Page, Postfix, & SSH
193.70.95.88 - Apache2 Ubuntu Default Page, Postfix, & SSH
193.70.95.89 - PHP info page, Postfix, & SSH
193.70.95.90 - TanieRC (drug dealer)
193.70.95.91 - webkillerr.xaa.pl
193.70.95.92 - Apache2 Ubuntu Default Page, Postfix, & SSH
193.70.95.93 - GGspeak.pl
193.70.95.94 - not used
193.70.95.95 - not used
This suspicious hosting provider also lists an address (10 Sudeckiej Dywizji Zmechanizowanej 4, 45-828 Opole) that leads to an industrial area of warehouses, an unusual place for a small hosting company. Here is a photo from Google Street View for the specified address.
Again, none of this directly links the hosting company to the drug dealer, but it is definitely a relationship that needs further investigation. In the future I will post more of these quick investigations into the failed OPSEC of illegal websites. Hope that you liked it. :)
who gives a flying fuck
BEE EFF DEE
November 12, 2017 at 05:25
My hometown :)
yet
December 6, 2017 at 08:54