
Iranian Web Site Identifies Protesters

Discussion in 'Keeping Your Anonymity In Iran' started by Unregistered, Jun 24, 2009.

  1. gerdab.ir is online again. I did a reverse DNS lookup and got these domains on the same IP:

    IP: 81.12.13.144
    IP Country: Iran, Islamic Republic of
    9 Hosts on this IP

    Number Domain / Host
    1. iranxiran.com
    3. gerdab.ir
    4. گرداب | Gerdab.ir
    5. 81.12.13.144
    6. avizoon.com
    7. amihot.org
    8. گرداب | Gerdab.ir
    9. gholi.com

    The second one was a site with half-naked girls, but it seems they are not from the Iranian government: firekos.com.

    A traceroute shows that the websites are now hosted in Iran:
    4 12 ms 11 ms 11 ms cr02.frf02.pccwbtn.net [80.81.192.50] -> IP Country: United States
    5 240 ms 240 ms 240 ms 217.218.155.206 -> IP Country: Iran
    6 242 ms 242 ms 242 ms 217.218.127.250
    7 249 ms 249 ms 249 ms 62.220.96.121
    ->
    inetnum: 62.220.96.0 - 62.220.107.255
    netname: TAKTA-NET
    role: Sinet Technical Team
    address: Soroush Rasaneh Institute
    address: Tehran, IRAN 19959-63451
    address: No.91 , 5th East St., Seoul St.

    8 241 ms 244 ms 242 ms 62.220.99.6
    9 243 ms 257 ms 277 ms vl900.aeolus.sh.tehran.sinet.ir [81.12.12.5]
    10 * * *

    (that is a traceroute from Germany to gerdab.ir)
    Maybe someone can use this information ...
  2. 1 & 19 arrested

    towards the bottom of the page it says:

    Dear fellow countrymen to help the owners of images 1 and 19 were arrested and identified information that these people will be published soon.

    This is truly awful. Can someone get this into Rachel Maddow's hands or something?
    She'd probably be all over these jerks; if nothing else we can let everyone else who they host know what's going on.

  3. gerdab.ir is still ONLINE

    The site is still online.

    I am based in Portugal and can still access it.

    The site apparently handles all PageReboot-type requests etc. very well.

    PLEASE PLEASE PLEASE we need to find an alternate way for taking this site down! Please help!

    For the past 24 hours at least the site has been up and running.
  4. while true ; do w3m -dump 'http://81.12.13.144/fa/pages/?cid=407' > /dev/null ; done

    So far this is all I got. I'm still working on figuring out how to use nemesis to craft TCP SYN/ACK packets to flood their port 80 with. May just stick with nmap. Speaking of nmap:

    nmap -A -D 219.238.94.59,123.25.226.249,79.140.184.81 81.12.13.144
    Password:

    Starting Nmap 4.76 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2009-06-26 11:30 CEST
    Interesting ports on 81.12.13.144:
    Not shown: 996 filtered ports
    PORT STATE SERVICE VERSION
    21/tcp open ftp?
    |_ FTP bounce check: no banner
    80/tcp open http Apache httpd 2.2.3 ((CentOS) DAV/2 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.3 OpenSSL/0.9.8b mod_perl/2.0.2 Perl/v5.8.8)
    | robots.txt: has 3 disallowed entries
    |_ /cgi-bin/ /js/ /css/
    |_ HTML title: \xDA\xAF\xD8\xB1\xD8\xAF\xD8\xA7\xD8\xA8 | Gerdab.ir
    554/tcp open rtsp?
    7070/tcp open realserver?
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: switch
    Running (JUST GUESSING) : Cisco embedded (86%)
    Aggressive OS guesses: Cisco Catalyst 1900 switch (86%)
    No exact OS matches for host (test conditions non-ideal).

    TRACEROUTE (using port 80/tcp)
    HOP RTT ADDRESS
    **[clip]**
    8 248.50 217.218.155.206
    9 247.92 217.218.127.250
    10 248.21 62.220.96.121
    11 248.78 62.220.99.6
    12 248.16 vl900.aeolus.sh.tehran.sinet.ir (81.12.12.5)
    13 249.52 81.12.13.144


    ...Apache 2.2.3 has major documented vulnerabilities:
    portaudit: apache -- Cross-site scripting vulnerability
    portaudit: apache -- multiple vulnerabilities

    Please use this info
  5. the DNS entry's been blocked or removed now. The page is still accessible with the direct IP 81.12.13.144 or by telnet to port 80.

    There's no reason to give up the ddos yet...
  6. refresher

    Hey everybody. I don't know much about computers, but I understand that you need a lot of people to flood certain websites with traffic so that they are inoperable? I can probably get a lot of people to do it if that would help.

    Please confirm for me that this is the program:

    Refresher - Free software downloads and reviews - CNET Download.com

    Also confirm that this is the website:

    Identify the rioters (اغتشاشگران را شناسایی کنید)

    Are there other websites? And are there any special settings that I should include in the instructions in terms of using Refresher 1.2?

    I want to try to get this strategy spreading virally across the western social networks...
  7. Maybe the internet connection will slow down if you do this. Don't know what to do.
    Also you have to use different IPs because they will put you on a blacklist like they did to me.
  8. current site is down

    The DNS and IP have gone missing!

    Can anyone verify if the site or similar has popped up somewhere else?
  9. the DNS and IP aren't responding...

    Can anyone say what the successful strategy was? Did the host take it down? Was it DDoS?
  10. It is not responding anymore. But it is possible that they blocked it to be accessed from outside Iran.

    Besides, I have a question. I am new here. I want to publish a very useful site for Iranians inside.
    What's the best way? Can anyone put this in here, where it belongs?

    Center for the Study of Strategic Nonviolent Defense

    Thanks
  11. Hi

    DDoS did not work on this site. I tried and recommended this to many on twitter, maybe it helped.


    cyberwar4iran
  12. Hi,

    No, DDoS did not work on it. I tried and tweeted this one.

    cyberwar4iran

    Maybe it helped.
  13. I've created a thread with links to the site's Farsi version in "Protest Advice".

    Thank you. Great resource.
  14. Thank you,

    I am an Iranian and do it for Iran. You guys are great. :)
  15. Just a quick question. Could you tell me where you came across the site please?
  16. I am currently refreshing the page every 5 seconds, and will keep this running all night. Let me know if I can help any more.
  17. fuzzypig Member

    Reloading is an ineffective strategy.

    Try SlowLoris. Using SlowLoris, it is possible to kill a server with only a few machines running the tool. It is extremely useful. Read more at the link.
  18. gigabyte72 Member

    amidoinitrite?

    sorry i deleted my question.
  19. Ray Murphy Member

    Could we have some updates about activists "standing in front of" web pages?
  20. fuzzypig Member

    Gerdab.ir is STILL UP!

    Verified by viewing through a proxy. They have simply blocked all US traffic, causing them to appear down.

    We need other methods to destroy this site.

    Also:

    domain: gerdab.ir
    remarks: (Domain Holder) Mehran Emami
    remarks: (Domain Holder Address) Hafte Tir Sq., Mofateh St., No.36,, Tehran, Tehran, IR

    admin-c: me337-irnic
    tech-c: me337-irnic
    zone-c: me337-irnic
    nserver: ns1.sinet.ir
    nserver: ns2.sinet.ir
    source: IRNIC # Filtered

    person: Mehran Emami
    remarks: ---
    address: ---
    e-mail:
    phone: +98 21 22461580
    fax-no:
    nic-hdl: me337-irnic
    source: IRNIC # Filtered
  21. Use Tor.

    Tor will make it look like your request is coming from somewhere else.
  22. fuzzypig Member

    This.

    However, it is quite nearly impossible to conduct any sort of DDoS through Tor, due to its slowness.

    We may try looking for alternative means.

    ALSO: Note that just one or two people outside the US running SlowLoris could completely incapacitate the site. However, it will only work reliably on Linux.

    SlowLoris is capable of "poisoning" an HTTP server, and causing it to become unresponsive for an extended period of time. It also DOESN'T LEAVE ANY LOGS until AFTER you close the program. (Logs are unavoidable, unfortunately.) What this means is that as long as SlowLoris is running, they won't know who is attacking them.

    We need two or three people outside of the US to direct a SlowLoris attack from Linux.
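    The post above makes the operational point that a connection-holding tool such as SlowLoris writes nothing to the access log until the connections close, because no request ever completes. From the server operator's side that means the place to look is the live connection table, not the log. The following is an added example, not code from this thread or from SlowLoris/PyLoris: it parses a constructed snapshot in the layout of Linux `ss -tn` output, counts established connections per remote address on the web port, and flags addresses holding an unusual number at once. The sample addresses, the flagging threshold of 20 and the worker limit of 150 are assumptions chosen for the example.

```python
"""Defender-side check for clients holding many concurrent HTTP connections.

Added example (not code from the thread or from any tool it names).
Parses text in the layout of `ss -tn state established '( sport = :80 )'`
and flags peers that hold more than a threshold of connections to the
web port. All sample data below is constructed; the addresses come from
the documentation ranges and do not belong to any real host.
"""
from collections import Counter


def _make_sample():
    """Build a constructed ss-style snapshot: one heavy client, a few normal ones,
    an IPv6 client and one SSH connection that must be ignored (assumed data)."""
    header = "Recv-Q Send-Q Local Address:Port   Peer Address:Port"
    rows = []
    # 25 half-finished connections from one address: the pattern to detect
    rows += ["0      0      192.0.2.10:80        198.51.100.7:%d" % (51000 + i)
             for i in range(25)]
    # ordinary browsers open a handful of connections at most
    rows += ["0      0      192.0.2.10:80        203.0.113.5:%d" % (40000 + i)
             for i in range(3)]
    rows += ["0      0      192.0.2.10:80        203.0.113.9:44321"]
    rows += ["0      0      [2001:db8::10]:80    [2001:db8::77]:%d" % (60000 + i)
             for i in range(2)]
    # unrelated SSH session on the same host; the port filter must drop it
    rows += ["0      0      192.0.2.10:22        203.0.113.9:44999"]
    return "\n".join([header] + rows) + "\n"


SAMPLE_SS_OUTPUT = _make_sample()


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6addr]:port' into (host, port); raises ValueError
    on anything that does not end in a numeric port (e.g. the header line)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_connections(text):
    """Return (local_ip, local_port, peer_ip, peer_port) tuples from ss-style text.
    Only the last two columns are used, so extra leading columns such as a
    State field do not matter; non-connection lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            lip, lport = split_endpoint(parts[-2])
            pip, pport = split_endpoint(parts[-1])
        except ValueError:
            continue  # header or other non-connection line
        conns.append((lip, lport, pip, pport))
    return conns


def connections_per_peer(conns, port=80):
    """Count established connections per remote address on the given local port."""
    return Counter(pip for (_, lport, pip, _) in conns if lport == port)


def flag_suspect_peers(conns, port=80, threshold=20):
    """Remote addresses holding at least `threshold` connections, busiest first.
    The threshold is an assumed value; tune it to the site's normal traffic."""
    counts = connections_per_peer(conns, port)
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda item: -item[1])


def worker_usage(conns, port=80, max_workers=150):
    """(connections held, fraction of the worker pool they occupy).
    max_workers is an assumed pool size; use the server's real limit."""
    held = sum(connections_per_peer(conns, port).values())
    return held, held / max_workers


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_SS_OUTPUT)
    print("suspect peers:", flag_suspect_peers(conns))
    held, frac = worker_usage(conns)
    print("workers held: %d (%.0f%% of pool)" % (held, frac * 100))
```

    A single address that holds dozens of connections while the access log stays quiet is the signature an operator would act on; the usual server-side mitigation is a timeout on receiving the request headers (Apache ships this as mod_reqtimeout in releases from 2.2.15 onward, so the 2.2.3 build shown in the nmap output earlier in the thread would not have it) together with a per-client connection cap at the firewall.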
  23. lovelier fied

    From Spain I'm getting a 500 Internal Server Error, but the server is up.
  24. Same from the Netherlands.
  25. A few choice thoughts for their files

    I tried to report someone (Fearless Leader) but the page wouldn't load after submission, so I think they're having problems.
  26. who knows how to use slowloris via proxy?

    There has to be some way of using slowloris via a proxy.
    Anyone know how?
  27. fuzzypig Member

    Actually, it looks like Gerdab hasn't really blocked the US. They just disguised their page by causing an error when someone visits from the US. You might still be able to loris them from here.

    Anyway, if you need to use it through a proxy, you can try PyLoris. PyLoris is a Python implementation of the same type of attack, and it has some extra features, including the ability to route through a SOCKS proxy.
  28. thanks, seisatsu.

    I'm in Canada and I get the 500 error. When I'm using loris on Linux, I get back a command line status response all the time (after the setup minute required) that says like "sent 0 packets successfully", whereas when I first used loris 2 days ago, and the site could be viewed in a web browser no problem, it said "sent 500 packets successfully" again and again, "sleeping for 10 minutes".

    So it's definitely not working the regular way anymore.
  29. To help...

    I am Iranian-American residing in the US and I speak Persian very well; anything I can do to help, anything I can translate, anything at all, I am all for it. Please let me know.... I talk to my mom in Tehran almost every other day if the lines let me, and it's real hard to make a connection, especially during our daylight time. Tehran is 11 and 1/2 hours ahead of us.
  30. They're doing something strange to gerdab site!
    I couldn't access it from any anti-filter program I used, but it was up and the web page would come up when I used Iran's IP!
    But today from Iran it's saying "Service Unavailable" but I can access it from the anti-filter!
    I can't get to know what they are doing!
  31. this gets me paranoid

    I know that this anonymous / whyweprotest project depends on chaos and good will (though I'll just insert that it disgusts me that the group also engages in lame luring of older men for sex chats with members posing as teen girls to create an arrestable situation)

    but I think Sanonymous' offer of his anti filter software just has too little information to be trustworthy.
    If he has created a program to crack the Iranian government's firewalls, then he's created something truly amazing which should be sufficiently robust to last for a few weeks at least before government hackers or just amateurs can program to defend against it.

    His website includes the source code (supposedly, I didn't compile it to use, it just has a link with the windows binary and a link with a source code package). But I'm not that good at programming so I can't tell if this is a government trick to collect IPs just by looking at the source code.

    I don't have the guts to try it, but he says that his software allows you to connect to Iran. Well, so what? We're not trying to gain access just for its own sake. We're trying to shut down websites that we think are monstrously fascistic and oppressive. He doesn't explain how or if you can use his software for that purpose.

    Moreover: what the hell kind of a name for an illegal piece of software made by a supporter of the Iranian reform/resistance side would be called "nofilterisgreat", to rhyme with allahu akbar (god is great) being shouted from the rooftops in Iran's cities? Why would anyone on the Mousavi side want to draw such obvious attention to themselves instead of giving it a more generic name and distributing it more widely? Especially if it's such a great program. anonymous/whyweprotest is not the center of this cyber resistance and it shouldn't be the only place such supposedly great software would be distributed.

    I wouldn't use it. I would recommend for any programmers to take a better look at the source code and see what it does. But this seems to be a program that provides no benefit to our purpose of taking down bad sites and by its mysterious nature poses a huge risk of being a government trick to, who knows, maybe just send your IP address back to their server so that they can permanently block it or even try to play a denial-of-service attack on you and thus fight back against this whole effort.

    Huge risk, no reward. I won't try it.

    And if some of you anonymous/whyweprotest hackers weren't so screwed up as to waste your time playing sexophobe internet guardian of teenage girls (that IS or WAS another of your projects, wasn't it?) you might be thinking quickly enough to realize that this could be a horrible trick by an Iranian government programmer.
  32. wall of text, failpasta, facepalm.jpg here, but you got a point on the other thread
  33. SAnonymous is legit btw, he's been around
  34. DUDE I have nothing to do with the software why are you telling everyone it's mine??

    btw if you had any computer sense you could understand how this software is working and it's just a SOCKS proxy and nothing to do with "crack the iranian government's firewalls"! You could search for "FreeGate" and "Ultrasurf", some programs that are almost the same as this one and have been used in Iran and China for a long time...!

    and by the way why are you so into cyber sex and stuff? no one is looking for that in here...!

    and also if you have free internet and you are trying to shut down the Iranian gov sites, we people in Iran need to get the news from the internet and the government has blocked all of the sites that would have real news! Even Iranian sites that would write news, not the bullshit there is on the gov sites!

    What I'm trying to say is that if you have unfiltered internet, don't worry about this software at all! Enjoy the free internet and pray for us. May the internet be free for us too!


    thanks dude!
  35. He is referring to the cybertraps some anons are laying down to catch pedophiles, you know, child lovers. Anons got one so far :D

    Anonymous (group) - Wikipedia, the free encyclopedia
    Internet Vigilante Group - Encyclopedia Dramatica
    And maybe also when anons made Oprah Winfrey say over 9000 penises on TV.
  36. Information about Gerdab.ir

    Hello,

    The website mentioned in the forum earlier belongs to one of the most horrible information and intelligence networks in Iran: The Intelligence Bureau of the Revolutionary Guards.

    The website limits or denies access from most of the known proxy providers out there so most of the time it is hard to connect to the website from outside Iran. This is done to blockade possible attacks from outsider IPs.

    The official operating system for the network is a variation of Linux because they do not trust Microsoft products. Also they use other open source tools to manage their dirty job.

    Sending fake information by use of Google Translate does not work the way our friends here tried before, because it is very easy to tell the structure of an informative text block in Persian from a nonsense post.

    The pictures provided there hold no meaning of intelligent work. This means that no information is needed to identify the people in the pictures. These pictures are just provided to scare Iranians not to take part in any demonstrations that may be held in future. The people in those photos are already identified but they pretend that they "need" some kind of information because of two things:

    1- This will project a fake image of people's support for their cause and also put people against people.

    2- They try to invest more in "rats" that may be willing to inform them of those already known protesters.

    In order to paralyze this network of fear the people outside of Iran have to understand the notes above.

    Thank you all for your support and care. I may appreciate this hard work of yours on behalf of Iranian people.

    Cyrus of Persia
    MMIX
  37. armageddon23 Member

    The regime is attacking now at this moment with a cyber war!!! Urgent help!!

    THE REGIME IS ATTACKING NOW AT THIS MOMENT WITH A CYBER WAR!!! URGENT HELP!!

    Persons unknown are destroying the #iranelection tag on Twitter. Currently the real messages coordinating Iranian political opposition to the Regime are being drowned out by a massive volume of tweet spam for a product called Turbo Cash Generator. ( Turbo Cash Generator - Earn Online Using Twitter )
  38. also, the gerdab.ir site is up and running again. Lots of new pictures. Slightly new page layout and design.

    My slowloris session is effective again. On my linux, it says, like, "successfully sent 2000000" packets, after many hours of it going.

    But the site is back up, and very fast. Either too few people are using slowloris to keep the server busy (it's still at the same IP address), or they've found a way to deal with the attack.

    Whether or not the Iranian gov will really use the informant data to make real arrests and intimidation is not for us to guess. Who knows?

    But for sure it is a very intimidating project, all those pictures with a red circle around the face (note how it's almost, almost like a crosshair in a gun sight).

    Any ideas?
  39. read the documentation for slowloris.

    read it well.

    test the program a little bit with some other site. Idk, maybe google will never have time to complain against you.

    When you're ready, and you're comfortable, use it against gerdab.ir

    Because, I first just used it with instructions from here and another site.

    But you can control how often it sends and how many packets it sends.

    If you want, you can set it to resend every second if necessary. 10,000 packets if you wish. It probably won't perform quite that well though, since most hardware isn't that fast.

    But DO NOT test it with gerdab.ir. One of the dangers is that, when you close slowloris, at gerdab.ir, the server may be set up to then read the ip of who was attacking it and block them. You'll never know.

    After I closed my original session to start a new one, I tested gerdab.ir just in my web browser to look. Well, all of a sudden I am now "403 Forbidden you don't have permission to access this server". So they caught and blocked me. Now my slowloris attack may be almost irrelevant, even though it's now set to flood them with many, often.

    So, get it right the first time. Test elsewhere. Then hit gerdab.ir.

    Oh la la. You go from feeling like a hero to zero so fast in this game.
