xorl %eax, %eax

OPSEC fail: TanieRC


So, a few hours ago I noticed that Sh1ttyKids mentioned the OPSEC fail of a darkweb illegal drug dealer, TanieRC. I decided to make a more detailed post about it in order to help more people discover and report those cyber-crime websites to the authorities. So, let’s see what TanieRC is…



TanieRC is a Polish illegal drug dealer that started on 20 October 2017. Here is where the OPSEC of this threat actor failed: using Censys.io you can search the contents of indexed websites. In this case, searching the IPv4 entries for “taniercil76mgjl3.onion”, which is part of the website as you can see in the HTML code of the page, reveals the real IP address of this Tor hidden service. A big fail in the server configuration, as the whole purpose of a Tor hidden service is to hide the actual servers that are serving the content.



This is clearly an operational security fail on the cyber-criminal side. Below is a quick list of what we learned from this OPSEC failure in this particular case.

IP address        : 193.70.95.90
Hostname          : ip90.ip-193-70-95.eu
Onion address     : taniercil76mgjl3.onion
Web server        : nginx 1.2.1
SSH daemon        : OpenSSH 6.0p1
Operating System  : Debian-4+deb7u2
SSH fingerprint   : e2890700ba42d5baf545a61afe1427fe24a0472bfafe79d6b8563e3ba6caf95d
Available services: HTTP, SSH, FTP
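The findings above (nginx serving the site, and the onion hostname indexed by Censys against the public IPv4 address) are consistent with the most common cause of this kind of leak: the web server answers on the public interface with the same virtual host, and the same HTML, that Tor forwards onion connections to. As an added example that is not from the original post or from the site investigated, here is that weak nginx layout next to a loopback-only one; the onion hostname, the public address and the paths are placeholders, and the cause is an assumption on my part.

```nginx
# Added example, not part of the original post or the investigated server.
# Assumption: the leak comes from nginx answering on the public interface
# with the same vhost (and HTML) that Tor forwards to, so an Internet-wide
# crawler indexed the onion hostname against the IPv4 address.
# Hostnames, addresses and paths below are placeholders.

# --- torrc (same for both variants) ---------------------------------
# Tor terminates the onion connection locally and forwards it to nginx.
#   HiddenServiceDir  /var/lib/tor/shop/
#   HiddenServicePort 80 127.0.0.1:8080
# (a unix socket also works and never touches a TCP port:
#   HiddenServicePort 80 unix:/run/nginx-onion.sock
#   together with "listen unix:/run/nginx-onion.sock;" in nginx)

# --- WEAK: one catch-all vhost bound to every interface --------------
server {
    listen 80 default_server;      # 0.0.0.0:80, reachable from the Internet
    server_name _;
    root /var/www/shop;            # pages contain "<placeholder>.onion"
}

# --- HARDENED: onion vhost on loopback only, public side serves nothing
server {
    listen 127.0.0.1:8080;         # only Tor on the same host can reach it
    server_name placeholderonionname.onion;   # placeholder onion hostname
    root /var/www/shop;
    server_tokens off;             # no "nginx/1.2.1"-style version banner
    access_log off;                # nothing client-related to leak later
}

server {
    listen 203.0.113.10:80 default_server;   # placeholder public address
    server_name _;
    return 444;                    # close the connection: no body, no banner
}
```

To verify the hardened layout, request the public address directly and confirm the response carries neither the onion hostname nor any site content; that is exactly the observation a crawler like Censys would otherwise index.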

 
Starting with a WHOIS, it is clear that this server is not hosted directly by the French OVH, but instead belongs to a small Polish hosting provider called IQ-Group that registered this range on 11 September 2017. IQ-Group itself was registered in RIPE on 6 July 2017.

inetnum:        193.70.95.80 - 193.70.95.95
netname:        OVH_151685543
country:        PL
descr:          Failover Ips
org:            ORG-IA1520-RIPE
admin-c:        OTC12-RIPE
tech-c:         OTC12-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
created:        2017-09-11T15:33:27Z
last-modified:  2017-09-11T15:33:27Z
source:         RIPE

organisation:   ORG-IA1520-RIPE
org-name:       Adam Buhl IQgroup
org-type:       OTHER
address:        10 Sudeckiej Dywizji Zmechanizowanej 4
address:        45-828 Opole
address:        PL
e-mail:         abuhl@iq-group.pl
phone:          +48.609651027
abuse-c:        ACRO9280-RIPE
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2017-07-06T08:16:12Z
last-modified:  2017-10-30T14:49:52Z
source:         RIPE

 
Since this is a tiny IP range, we can easily scan it to see if there are any other illegal websites hosted there. The result is the following.

193.70.95.80 - not used
193.70.95.81 - not used
193.70.95.82 - not used
193.70.95.83 - not used
193.70.95.84 - not used
193.70.95.85 - Apache2 Ubuntu Default Page, Postfix, & SSH
193.70.95.86 - Apache2 Ubuntu Default Page, Postfix, & SSH
193.70.95.87 - Apache2 Ubuntu Default Page, Postfix, & SSH
193.70.95.88 - Apache2 Ubuntu Default Page, Postfix, & SSH
193.70.95.89 - PHP info page, Postfix, & SSH
193.70.95.90 - TanieRC (drug dealer)
193.70.95.91 - webkillerr.xaa.pl
193.70.95.92 - Apache2 Ubuntu Default Page, Postfix, & SSH
193.70.95.93 - GGspeak.pl
193.70.95.94 - not used
193.70.95.95 - not used

 
This suspicious hosting provider also points to an address (10 Sudeckiej Dywizji Zmechanizowanej 4, 45-828 Opole) which leads to an industrial area of warehouses. Kind of an unusual place for a small hosting company. Here is a photo from Google Street View of the specified address.



Again, none of this directly links the hosting provider with the drug dealer, but it is definitely a relationship that needs some further investigation. In the future I will post more of these quick investigations into the failed OPSEC of illegal websites. Hope that you liked it. :)

Written by xorl

November 11, 2017 at 22:54

Posted in opsec

2 Responses


  1. who gives a flying fuck

    BEE EFF DEE

    November 12, 2017 at 05:25

  2. My hometown :)

    yet

    December 6, 2017 at 08:54
