
You don’t get the level map unless you can actually read


Just a heads up: I have mostly de-hackerified this website and it should be a little more stable for now, unless you have problems getting through Cloudflare. We're going to have a new redesign rolled out soon that is more secure by design, but since I can't get the vast majority of you to read more than 2 or 3 sentences here if it isn't in your social feed, come take a look at Facebook and see what I'm putting on the public's front page. Give us a follow and get a free map to the next level and beyond.

Necessary immediate edit: I definitely spoke too soon, as these supposedly neutral Swiss fucks are trying to install software if I try to visit my own site in a cleaner browser.

┌──(kali㉿kali)-[~]
└─$ nslookup awayduomatt.info
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: awayduomatt.info
Address: 185.155.186.24
Name: awayduomatt.info
Address: 185.155.184.57

┌──(kali㉿kali)-[~]
└─$

┌──(kali㉿kali)-[~]
└─$ whois 185.155.186.24

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://apps.db.ripe.net/docs/HTML-Terms-And-Conditions

% Note: this output has been filtered.
% To receive output for a database update, use the “-B” flag.

% Information related to ‘185.155.184.0 – 185.155.187.255’

% Abuse contact for ‘185.155.184.0 – 185.155.187.255’ is ‘[email protected]

inetnum: 185.155.184.0 – 185.155.187.255
netname: CH-AS5398-20160610
country: CH
org: ORG-AS976-RIPE
admin-c: AAD128-RIPE
tech-c: AN32937-RIPE
status: ALLOCATED PA
mnt-by: lir-ch-as5398-1-MNT
mnt-by: RIPE-NCC-HM-MNT
created: 2022-06-24T06:46:34Z
last-modified: 2022-06-24T06:46:34Z
source: RIPE

organisation: ORG-AS976-RIPE
org-name: AS5398 SA
country: CH
org-type: LIR
address: Via G.B. Pioda 12
address: 6900
address: Lugano
address: SWITZERLAND
phone: +41580582319
admin-c: AAD128-RIPE
tech-c: AN32937-RIPE
abuse-c: AR68488-RIPE
mnt-ref: lir-ch-as5398-1-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: lir-ch-as5398-1-MNT
created: 2022-06-09T12:31:36Z
last-modified: 2022-06-09T12:31:36Z
source: RIPE # Filtered

role: AS5398 Admin Dept
address: SWITZERLAND
address: Lugano
address: 6900
address: Via G.B. Pioda 12
phone: +41580582319
nic-hdl: AAD128-RIPE
mnt-by: lir-ch-as5398-1-MNT
created: 2022-06-09T12:31:35Z
last-modified: 2022-06-09T12:31:36Z
source: RIPE # Filtered

role: AS5398 NOC
address: SWITZERLAND
address: Lugano
address: 6900
address: Via G.B. Pioda 12
phone: +41580582319
nic-hdl: AN32937-RIPE
mnt-by: lir-ch-as5398-1-MNT
created: 2022-06-09T12:31:35Z
last-modified: 2022-06-09T12:31:36Z
source: RIPE # Filtered

% Information related to ‘185.155.186.0/24AS203639’

route: 185.155.186.0/24
origin: AS203639
mnt-by: mnt-ch-lss-1
created: 2020-11-03T09:46:12Z
last-modified: 2020-11-03T09:46:12Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.112 (SHETLAND)
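The whois answer above is RPSL: one object per blank-line-separated block, `key: value` per line, with the server's own commentary on `%` lines. Two objects carry the attribution: the `inetnum` tells you who holds the allocation (org-name AS5398 SA, an LIR in Lugano), and the `route` object tells you who actually announces the /24 the host sits in, which here is a different network, AS203639. The parser below is an added example, not code from the page's author; the sample text is a constructed excerpt shaped like the output above, with the redacted abuse mailbox replaced by a placeholder.

```python
"""Parse RIPE whois output (RPSL) and pull out who holds a range and who
announces it.  Added example, not from the page's author.  SAMPLE_WHOIS is a
constructed excerpt shaped like the whois answer on the page; the abuse
mailbox (redacted on the page) is a placeholder."""
import ipaddress
import re

SAMPLE_WHOIS = """\
% Abuse contact for '185.155.184.0 - 185.155.187.255' is 'abuse@example.invalid'

inetnum:        185.155.184.0 - 185.155.187.255
netname:        CH-AS5398-20160610
country:        CH
org:            ORG-AS976-RIPE
status:         ALLOCATED PA
mnt-by:         lir-ch-as5398-1-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE

organisation:   ORG-AS976-RIPE
org-name:       AS5398 SA
country:        CH
org-type:       LIR
abuse-c:        AR68488-RIPE
source:         RIPE # Filtered

route:          185.155.186.0/24
origin:         AS203639
mnt-by:         mnt-ch-lss-1
source:         RIPE
"""


def parse_rpsl(text):
    """Split RPSL text into objects, each a list of (key, value) pairs.

    Objects are separated by blank lines, '%' lines are server commentary,
    and a '# Filtered' trailer on a value is dropped.  Repeated keys such as
    two mnt-by lines are kept in order rather than collapsed.
    """
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.split("#", 1)[0].strip()))
    if current:
        objects.append(current)
    return objects


def get(obj, key):
    """First value of `key` in an RPSL object, or None."""
    return next((v for k, v in obj if k == key), None) if obj else None


def ip_in_inetnum(ip, inetnum):
    """True if `ip` lies in an 'a.b.c.d - w.x.y.z' range (en dash tolerated)."""
    lo, hi = (ipaddress.ip_address(p)
              for p in re.split(r"\s*[-\u2013]\s*", inetnum.strip()))
    return lo <= ipaddress.ip_address(ip) <= hi


def summarize(text, ip):
    """Holder, announcing AS, and whether `ip` really falls in the objects returned."""
    by_class = {}
    for obj in parse_rpsl(text):
        by_class.setdefault(obj[0][0], obj)  # first attribute names the object class
    inet, org, route = (by_class.get(c) for c in ("inetnum", "organisation", "route"))
    prefix = get(route, "route")
    return {
        "range": get(inet, "inetnum"),
        "netname": get(inet, "netname"),
        "country": get(inet, "country"),
        "holder": get(org, "org-name"),
        "abuse_handle": get(org, "abuse-c"),
        "prefix": prefix,
        "origin_asn": get(route, "origin"),
        "ip_in_range": bool(inet) and ip_in_inetnum(ip, get(inet, "inetnum")),
        "ip_in_prefix": bool(prefix) and
                        ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_WHOIS, "185.155.186.24").items():
        print(f"{k:>13}: {v}")
```

The two range checks at the end are the sanity test: whois answers for the covering allocation, so confirm the address you looked up is actually inside both the `inetnum` range and the announced prefix before attributing anything to the names on the objects.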

Further edit: Doesn’t that seem like the weirdest traceroute to a foreign company you have ever seen?

┌──(kali㉿kali)-[~]
└─$ traceroute 185.155.186.24
traceroute to 185.155.186.24 (185.155.186.24), 30 hops max, 60 byte packets
1 10.0.2.2 (10.0.2.2) 0.887 ms 0.775 ms 0.728 ms
2 10.0.2.2 (10.0.2.2) 3.247 ms 3.199 ms 3.139 ms

The call is coming from inside the house for sure. That's 2 hops in a super close segment of my Starlink internet's internal class A network. Usually I have 5 to 7 hops that all go through Starlink internals and then one more hop direct to the resource, without any other company's public routers in between.

┌──(kali㉿kali)-[~]
└─$ traceroute 185.155.186.24
traceroute to 185.155.186.24 (185.155.186.24), 30 hops max, 60 byte packets
1 10.0.2.2 (10.0.2.2) 3.229 ms 3.093 ms 3.042 ms
2 10.0.2.2 (10.0.2.2) 2.974 ms 2.915 ms 3.608 ms

The kali instance definitely has access to public internet.

┌──(kali㉿kali)-[~]
└─$ ping google.com
PING google.com (142.251.33.110) 56(84) bytes of data.
64 bytes from sea30s10-in-f14.1e100.net (142.251.33.110): icmp_seq=1 ttl=115 time=31.2 ms
64 bytes from sea30s10-in-f14.1e100.net (142.251.33.110): icmp_seq=2 ttl=115 time=27.3 ms
64 bytes from sea30s10-in-f14.1e100.net (142.251.33.110): icmp_seq=3 ttl=115 time=28.5 ms
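Before reading anything into a path, classify each hop by the address space it sits in. Both hops above are 10.0.2.2, which is RFC 1918 space and, as a point of fact, the default gateway VirtualBox hands to a guest in NAT mode; a trace in which the same address answers two consecutive TTLs and never reaches the target has not told you anything about the network past that box. The classifier below is an added example, not the author's code. PAGE_TRACE is the two-hop output shown above; CONSTRUCTED_TRACE is made up for contrast and uses documentation addresses (198.51.100.0/24, 203.0.113.0/24) to stand in for public hops, with a 100.64.0.0/10 hop for the carrier-grade NAT range that CGNAT ISPs hand out.

```python
"""Classify traceroute hops by address space and say whether the trace
actually got anywhere.  Added example, not from the page's author.
PAGE_TRACE is the two-hop output from the page; CONSTRUCTED_TRACE is made up,
with documentation addresses standing in for public routers."""
import ipaddress
import re

PAGE_TRACE = """\
traceroute to 185.155.186.24 (185.155.186.24), 30 hops max, 60 byte packets
 1  10.0.2.2 (10.0.2.2)  0.887 ms  0.775 ms  0.728 ms
 2  10.0.2.2 (10.0.2.2)  3.247 ms  3.199 ms  3.139 ms
"""

CONSTRUCTED_TRACE = """\
traceroute to 203.0.113.24 (203.0.113.24), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.1 ms  1.0 ms  1.0 ms
 2  100.64.0.1 (100.64.0.1)  29.0 ms  28.5 ms  28.7 ms
 3  * * *
 4  198.51.100.7 (198.51.100.7)  41.2 ms  40.9 ms  41.0 ms
 5  203.0.113.24 (203.0.113.24)  44.8 ms  44.1 ms  44.3 ms
"""

# Address space a hop can sit in; anything not listed is treated as public.
SPACES = [
    ("rfc1918", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("cgnat", ["100.64.0.0/10"]),  # RFC 6598 shared space used by CGNAT ISPs
    ("loopback", ["127.0.0.0/8"]),
    ("link-local", ["169.254.0.0/16"]),
]
# "<hop>  <name> (<ip>) ..." or "<hop>  * * *" for a hop that did not answer
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\((\d+\.\d+\.\d+\.\d+)\)|\*)")


def classify(ip):
    addr = ipaddress.ip_address(ip)
    for name, nets in SPACES:
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    return "public"


def parse_hops(text):
    """Return [(hop_number, ip_or_None)] from traceroute output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def analyze(text, target):
    hops = parse_hops(text)
    ips = [ip for _, ip in hops if ip]
    classes = [classify(ip) for ip in ips]
    return {
        "hops": len(hops),
        "classes": classes,
        "public_hops": classes.count("public"),
        "last_hop": ips[-1] if ips else None,
        "reached_target": bool(ips) and ips[-1] == target,
        # the same address answering two consecutive TTLs means the probe
        # expired at the same box twice: it is not getting past it
        "stuck_at": next((a for a, b in zip(ips, ips[1:]) if a == b), None),
    }


if __name__ == "__main__":
    print(analyze(PAGE_TRACE, "185.155.186.24"))
    print(analyze(CONSTRUCTED_TRACE, "203.0.113.24"))
```

Run it from the same host that produced the trace: if `reached_target` is false and `stuck_at` is a private address, the next step is to repeat the trace from outside that NAT boundary (or with `-T`/`-I` to change probe type) rather than to interpret the two hops you have.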

Extra WTF

Let’s do this:

sudo nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe) or vulners or ftp-anon" --script-args mincvss=5.0 185.155.186.24

maybe a spiderfoot full scan on AS5398.com SA
and
awayduomatt.info

HTTP response headers

HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Sun, 26 May 2024 20:14:09 GMT
Content-Type: text/html
Content-Length: 166
Connection: keep-alive
Location: https://awayduomatt.info/

HTTP/1.1 200 OK
Server: openresty
Date: Sun, 26 May 2024 20:14:10 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
cache-control: private
set-cookie: sid=t3~rlboltxkqmkpcqzknvwpagrw; path=/
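The capture is two responses: a 301 from the plain-HTTP listener sending the client to `https://awayduomatt.info/`, then a 200 from the front end that identifies itself as openresty and drops a `sid` session cookie carrying only `path=/`. The script below is an added example, not the author's code: it parses the pair into status plus header list and runs the checks a practitioner would on any session cookie and HTTPS answer (Secure, HttpOnly and SameSite present on the cookie, an HSTS header on the HTTPS response, a server banner that names the stack). The sample is the page's own header pair re-typed in `Name: value` form; only the headers shown on the page are checked, so an absent header may simply be one the capture did not include.

```python
"""Parse a captured HTTP exchange and flag what the headers give away.
Added example, not from the page's author.  CAPTURE is the page's own
301-then-200 header pair, re-typed as 'Name: value' lines."""
import re

CAPTURE = """\
HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Sun, 26 May 2024 20:14:09 GMT
Content-Type: text/html
Content-Length: 166
Connection: keep-alive
Location: https://awayduomatt.info/

HTTP/1.1 200 OK
Server: openresty
Date: Sun, 26 May 2024 20:14:10 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
cache-control: private
set-cookie: sid=t3~rlboltxkqmkpcqzknvwpagrw; path=/
"""

STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)? (\d{3})")


def parse_responses(raw):
    """Split raw text into [{'status': int, 'headers': [(name, value), ...]}].

    Header names are lower-cased (they are case-insensitive on the wire);
    values keep their case.  Blank lines separate the responses.
    """
    responses = []
    for line in raw.splitlines():
        m = STATUS_RE.match(line)
        if m:
            responses.append({"status": int(m.group(1)), "headers": []})
        elif ":" in line and responses:
            name, _, value = line.partition(":")
            responses[-1]["headers"].append((name.strip().lower(), value.strip()))
    return responses


def header(resp, name):
    """First value of header `name` (lower-case) on a parsed response, or None."""
    return next((v for n, v in resp["headers"] if n == name), None)


def cookie_findings(set_cookie):
    """Attributes a session cookie should carry but this Set-Cookie value lacks."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return [a for a in ("secure", "httponly", "samesite") if a not in attrs]


def audit(raw):
    """Findings for the exchange as (kind, subject, detail) tuples."""
    findings = []
    for r in parse_responses(raw):
        if 300 <= r["status"] < 400:
            loc = header(r, "location") or ""
            findings.append(("redirect", loc,
                             "to https" if loc.startswith("https://") else "NOT to https"))
        if header(r, "server"):
            findings.append(("server-banner", r["status"], header(r, "server")))
        for n, v in r["headers"]:
            if n == "set-cookie":
                findings.append(("cookie-missing", v.split("=", 1)[0], cookie_findings(v)))
        # the 200 came back after the redirect to https, so it should carry HSTS
        if r["status"] == 200 and header(r, "strict-transport-security") is None:
            findings.append(("no-hsts", r["status"], "no Strict-Transport-Security in captured headers"))
    return findings


if __name__ == "__main__":
    for f in audit(CAPTURE):
        print(f)
```

The cookie check is the one that matters for the visitor-targeting the author describes: a `sid` cookie with no `Secure` flag is sent over plain HTTP on the next request to the bare hostname, and with no `HttpOnly` it is readable by any script the page loads, ads included.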

This isn't even a hackback; this is just figuring out who's messing with your shit and doing research on the problem.

Out of the 10 or so hacking groups and individuals that have had a real presence in the internals of my website, these guys are different, because they are controlling my Google ads to exploit visitors rather than simply hijacking website control. I'd imagine the software they are pushing is aimed at consumers and readers and not terminally online tech people.

Curiouser and curiouser


So this file was in a shadow copy backed up to my NAS; funny thing is, I don't use shadow copy. I've never actually looked into how to pilot the thing, and there has never been a clear offer to turn it on in any Windows box, so I just assume it's not there. I never see it for restore, and I rely on backups on external hardware. I'm supposed to be root on the NAS and admin on here; somehow I'm already 5 directories deep in shadow copy backups. I thought that was just a single bit switch in Windows files to back up or not?

And see, this is the surface layer of how your Facebook gets hacked so quickly. It's really worse than this, but if you are going to engage with clicks on this you are your own problem. The nice thing about letting some of these sit there undeleted, though, is you start to see cornerstones of the network they are coming from. And some of these are hobby scammers who don't know their machine is already completely out of their control.
