Monday, 19 November 2012

SudoCC.org

SudoCC.org home/login page.

I came across this site being spammed on many forums, and I wanted to look into it further. What kind of criminal spams his illegal website on a public forum that is probably monitored by the respective authorities? Probably not a smart one, so I wanted to see what I could dig up just from the website and free tools, usable by anyone.


IP Lookup
Well the first thing I did was use a Firefox plugin called FlagFox. All I have to do is click the flag in the URL bar (which already shows the hosting country) and I get redirected to a site which shows a map, and the following details.

You can confirm these yourself by checking here:

http://geoip.flagfox.net/?ip=50.7.199.221&host=www.sudocc.org

So for starters, at least it's not hosted in the US....so he's safe...right?


So the next thing I did was look up the IP of the server hosting the content, and I was presented with the following information. We can clearly see FDCservers.net is the host. We've also got the contact information for their abuse & support departments should we require them. Next step? Let's visit the FDCServers AUP (Acceptable Use Policy) page.


Uh oh...FDC Servers do NOT support illegal activities. ( http://fdcservers.net/aup.php ) FDC Servers are also located in the US, so that means we have a hacker / vendor who is selling credit card and financial data on a US-hosted server...either we have a honeypot, someone very desperate or an idiot.


http://whois.domaintools.com/sudocc.org

What else can we do? Let's check out the domain registrar. Finally, we're seeing SOME sense. He's enabled domain WHOIS privacy. Must be impossible to get busted from this, right....


Well...let's go and ask Gossimer.com what they think;


http://www.gossimer.com/tos.html

Nope...Gossimer isn't having any of that either. So we have a vendor who is selling financial data, which is illegal, whose domain is registered through a US-based registrar that strictly prohibits the use of its services for such activities...and who is hosted on a US-based server.

Honeypot / It's a tarp!
Desperate individual who cannot afford off-shore hosting?
An idiot.

You decide.

If you're going to enter the online cyber-crime world....at least do it properly.

Thursday, 22 March 2012

[FIX] Couldn't Bind HTTPS Acceptor Socket



I recently got back into network analysis and thought I should refresh my skills with the most common tool, Cain & Abel. It's not the most user friendly, but imho it's the most comprehensive; it has almost everything you could want in one nifty tool. However, I hit a snag when attempting to capture packets from a device on my network. This annoying error message isn't really descriptive, nor does it offer much help. Thankfully, this post should clear it up for users like me who have had trouble with this message.

The message simply means that something is already listening on the HTTPS port (TCP 443) on your machine, so Cain & Abel's HTTPS acceptor cannot bind to it. There are two things you should do to fix this and ensure it stays that way. The first is to disable HTTPS sniffing.

Open up C&A. Go to Configure -> Filters & Ports and untick the HTTPS box. Press Apply and then OK.

The next thing to do is download TCPView (a free tool from Microsoft Sysinternals). Open it up and this is what you're looking for.


Now it may not be Skype that's using the HTTPS port, it could be anything. Just click on the Local Port column header at the top to sort by port and scroll down till you find either HTTPS or 443. End the process and voila. HTTPS is no longer in use and you're back on track.
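The same check can be done from a PowerShell prompt without installing anything, which is handy when you want to see exactly which process and image path holds port 443 before you end it. The script below is an added example, not code from the original post or from Cain & Abel or TCPView; the function name Get-PortOwner is my own, and it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt so that processes owned by services and other accounts are visible.

```powershell
# Added example (not from the original post, Cain & Abel or TCPView).
# Lists every process holding a given local TCP port, with its name and
# image path, so you know what you are about to stop before ending it.
# Assumes: Windows 8 / Server 2012 or later (Get-NetTCPConnection is a
# built-in cmdlet there) and an elevated prompt so all owners are visible.
function Get-PortOwner {
    param(
        [int]$Port = 443   # the HTTPS port that Cain & Abel's acceptor wants
    )

    Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Resolve the owning PID to a process name and image path.
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                State        = $_.State          # Listen, Established, Bound, ...
                PID          = $_.OwningProcess
                Process      = $proc.ProcessName
                Path         = $proc.Path
            }
        }
}

# Show everything bound to 443. An empty result means nothing holds the
# port and the acceptor should bind without the error.
Get-PortOwner -Port 443 | Format-Table -AutoSize

# Fallback for older Windows versions that lack Get-NetTCPConnection
# (raw netstat text; the last column is the owning PID):
#   netstat -ano | findstr ":443"
```

If the owner turns out to be a Windows service or a VPN / backup agent rather than a chat client, stop the service (Stop-Service) instead of killing the process, because a service is usually restarted automatically and will grab the port again. For an ordinary application, Stop-Process -Id <PID> does the same job as ending it in TCPView.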