Tuesday, September 7, 2021

prolifewhistleblower timeline.

Not really a review, other than to help sort a lot of iffy reporting I'm reading. Some of the formatting is odd to make it easier for copy / pasting.

On submitting reports:

First off, there is a meme going around to use a VPN to submit fake reports. In the short term this might work, but any IT department worth anything would block or at least flag any reports from known VPN IPs. So you need a botnet or to crowdsource. This guy did an app for submitting fake reports to make it easy to crowdsource, but read on first. https://www.statesman.com/story/tech/2021/09/02/tiktok-iphone-code-fools-texas-abortion-whistleblower-site/5701760001/?utm_source=SND&utm_medium=Facebook&utm_campaign=statesman&fbclid=IwAR1Nk7c5-kt_TYRp8ap5JFArtc2xDg1XJCgtBlBYnwpupm_jJE29k_Sd0bU


Here is what I've sorted about the site. 

Status as of late on 9/3:

A lot of what is getting reported seems to be vague or wrong. For instance, the New York Times has used both prolifewhistleblower dot com and profilewhistleblower dot com. On 9/2 profilewhistleblower was basically a dead site with just a copyright notice.

The domain prolifewhistleblower dot com was registered at GoDaddy on June 7th. They moved the registration to Epik Holdings Inc on Sept 3rd. The prolifewhistleblower "site" was and is hosted at Sucuri, which is a web security company. The prolifewhistleblower "site" seems to have a bad cert, so maybe they are not good at it. But that might be by design too. ESET is blocking prolifewhistleblower as a possible "unwanted content" site, probably because they appear to be a prefilter for websites. If you get past all that, it redirects to texasrighttolife dot com. They claim that GoDaddy booted them, so there was probably a hidden site hosted at GoDaddy that prolifewhistleblower originally redirected to so Sucuri could filter suspicious traffic. So they are probably gathering IPs submitting while the form is offline to filter with later.

texasrighttolife dot com is hosted at IP 66.85.248.21 which is at RightForge in Washington DC.

Ars Technica got it more right than most that referenced them. From their updates it sounds like the site moved hosting to Digital Ocean for a bit before I started digging.

Epik told the Daily Beast they do not want to host it either, though they are still acting as registrar, which many seem to mistakenly think is the same thing. So they may want to boot that as well.

Update 9/7/2021 about noon

The Washington Post was reporting the site was down for a second time.

https://www.washingtonpost.com/nation/2021/09/06/texas-abortion-ban-website/

I'm guessing they got the 404 because they tried a full URL instead of going to the site's top level.

The domain is still registered at Epik Holdings Inc, but as of 2021-09-04T04:24:02Z the domain points to a new IP 88.214.197.102, which is "hosted" at Overoptic Systems LTD DBM in the UK. Though DNS appears set up for a site redirect to texasrighttolife.com, so technically it is not hosted anywhere.

curl -v http://prolifewhistleblower.com

* STATE: INIT => CONNECT handle 0x800096238; line 1491 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x800096238; line 1532 (connection #0)
*   Trying 88.214.197.102:80...
* TCP_NODELAY set
* STATE: WAITRESOLVE => WAITCONNECT handle 0x800096238; line 1611 (connection #0)
* Connected to prolifewhistleblower.com (88.214.197.102) port 80 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x800096238; line 1667 (connection #0)
* Marked for [keep alive]: HTTP default
* STATE: SENDPROTOCONNECT => DO handle 0x800096238; line 1685 (connection #0)
> GET / HTTP/1.1
> Host: prolifewhistleblower.com
> User-Agent: curl/7.66.0
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x800096238; line 1756 (connection #0)
* STATE: DO_DONE => PERFORM handle 0x800096238; line 1877 (connection #0)
* Mark bundle as not supporting multiuse
* HTTP 1.1 or later with persistent connection
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.19.4
< Date: Tue, 07 Sep 2021 16:05:19 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: https://www.texasrighttolife.com/
< Content-Type: text/html
< Access-Control-Allow-Origin: *
<
* STATE: PERFORM => DONE handle 0x800096238; line 2067 (connection #0)
* multi_done
* Connection #0 to host prolifewhistleblower.com left intact
* Expire cleared (transfer 0x800096238)
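The trace above shows the domain answering with a 301 to texasrighttolife.com rather than serving anything itself. As an added example (not the post's own code), here is a small Python check that makes one request without following redirects and classifies the first-hop answer; the parser is also run over the response head transcribed from the curl trace, so the classification can be reproduced offline.

```python
# Added example, not the post's own code: one GET with redirects disabled, so the
# first hop's status and Location header are visible instead of the final page.
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response_head(raw):
    """Parse a raw HTTP response head (status line + headers) into (status, headers)."""
    lines = [line.rstrip("\r") for line in raw.splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(status, headers):
    """Return ('redirect', target), ('content', None) or ('other', None)."""
    if status in REDIRECT_CODES:
        return "redirect", headers.get("location")  # None when Location is missing
    if 200 <= status < 300:
        return "content", None
    return "other", None

def probe(url, timeout=10):
    """One GET against url without following redirects; returns (status, headers, classification)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.hostname})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return resp.status, headers, classify(resp.status, headers)
    finally:
        conn.close()

# Response head transcribed from the curl -v trace above, with the "< " prefixes removed.
CAPTURED_HEAD = """HTTP/1.1 301 Moved Permanently
Server: nginx/1.19.4
Date: Tue, 07 Sep 2021 16:05:19 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://www.texasrighttolife.com/
Content-Type: text/html
Access-Control-Allow-Origin: *
"""
```

`classify(*parse_response_head(CAPTURED_HEAD))` returns `('redirect', 'https://www.texasrighttolife.com/')`; `probe("http://example.invalid/")` does the same against a live host.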

profilewhistleblower dot com has added links to another Linode Network Operations server, www6.profilewhistleblower.com, which appears to be a parked, not yet set up subdomain. I would not be surprised if it ends up hosting a malware dropper.

At about 8PM

The domain is resolving to the IP 185.255.121.2, which is back at Epik. Still redirecting to texasrighttolife.