Posted by: paragon | October 6, 2009

Traffic from Kintiskton, LLC (who and what is this, a bot?)

Kintiskton

Source: http://endellion.me.uk/info/Kintiskton.html

It sounds like a place-name, doesn’t it? But GOGL maps has never heard of it. Did I mean “Kingston”? Nope.
The Background

On 27 February 2009, a host with IP addresses in the range from 65.208.151.112 to 65.208.151.119 comes into the webserver unannounced, and begins to look at all my photographs at breakneck speed, in utter disregard of the robots.txt. This is not right, so I want to know more.

First off: the output of Whois shows that within the range owned by MCI Communications is a small range given over to this Kintiskton LLC thingy. These are the exact IPs I’m getting the crawls from.
[bored@Fedora httpd]# whois 65.208.151.112
[Querying whois.arin.net]
[whois.arin.net]
MCI Communications Services, Inc. d/b/a Verizon Business UUNET65 (NET-65-192-0-0-1)
65.192.0.0 – 65.223.255.255
Kintiskton LLC UU-65-208-151-112-D1 (NET-65-208-151-112-1)
65.208.151.112 – 65.208.151.119

# ARIN WHOIS database, last updated 2009-02-26 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.

The “user-agent” reported by these Kintiskton hosts is “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”, in other words, 32-bit XP without automatic updates. In a 2007 Usenet forum post someone says that “95% of requests made to my site by this browser is spam.” This looks like a hopeful angle, but going through my own logs it does look to be legit, clicking in from Google for instance.

Googling Kintiskton leaves one with the distinct impression that there are lots of webmasters wondering why they are getting hits from this outfit, but nobody with an answer.
Looking up !NET-65-208-151-112-1 at whois.arin.net.
CustName: Kintiskton LLC
Address: PO BOX 7360
City: MOUNTAIN VIEW
StateProv: CA
PostalCode: 94037-7360
Country: US
RegDate: 2008-07-30
Updated: 2008-07-30

The Google for the actual IP address yields some info from the Project Honeynet, to wit that some spam had originated from these IPs. Another page at Webmaster World forum goes off on the kintiskton.com angle — see below.

Someone at Movable Type was worried about searches on their blog carried out by this IP. (http://forums.movabletype.org/2009/02/possible-security-compromise.html)
In my backend, I noticed there were heaps of search queries in my activity log

Search: query for ‘world vision’ 65.208.151.115 1 day ago
Search: query for ‘sponsor’ 65.208.151.117 1 day ago
Search: query for ‘pet TV’ 65.208.151.112 1 day ago

My Findings

First off, “kintiskton.com” is registered since Nov 2008 to someone in Australia, who has a hilarious web of pages (on 64.202.189.170 = GoDaddy) all including the following warning:

“NiteLyf.com [or whatever else] is protected by the World Internet Names Numbers Authority (WINNA) and is also protected by the World Internet Property Protection Organization (WIPPO) and cannot be copied or duplicated in any way or form. If any human, person, child, animal, plant, computer, alien, rock, company, business or thing is found to have used information from this site, they or it will be reported to the World Internet Authority (WIA) where they will have their World Internet privileges terminated indefinitely and will be black listed from all use of the World Internet. ”

I tremble before them. Never wanted to use the World Internet anyway. I don’t think their WIPPO is related to WIPO, which seems to be a legit offshoot of the United Nations. The directors of both WIPO and WIPPO are Australian, but that hardly implies a link between them. Much less can I tie WIPPO, nor yet WIPO, which interestingly is dedicated to intellectual property, to the IP addresses doing the scanning.

The kintiskton.com masters have disabled right-clicking on their site. Instead of the usual menu a pop-up appears:

Which is yet another domain registered by this hilarious joker with delicious delusions of grandeur in Queensland, who, when he is not registering domain names, likes to jump off ferry boats and swim to the houses of important people. Quite a few of the domains trace back to Seoul.

Either way, by the looks of things, this has not a lot to do with the actions of 65.208.151.112 et al., even though there are some tantalising aspects here.

Next up is kintiskton.net (created 25 Feb 2009 — 2 days ago!) running on secureservers.net (64.202.189.170 — godaddy parking, I thought, but also forwarding now?), which redirects to creeva.com (hosted by midphase.com).

They’re having a baby. Creeva says: “I am a writer sometimes, a computer security professional at others. I have strong feelings on many things and could care less about what I deem unimportant. I am myself and no other.” It never ceases to amaze me how many computer security professionals there are in this world.

Creeva.com was registered in 2006, but both domains were registered by Brent Gueth. The address given is 2100 Apollo Drive, Brook Park, Ohio 44142. This is an 18.000 sq ft property rented by Lockheed Martin Information Technologies, subcontracted by NASA. My conspiracy hair is starting to stand upright.

Originally creeva.com had a much more domestic address in Ashland, OH. If the latter is Brent’s place of work and the earlier his residence, then he would have a 55 mile trip to work. That is perfectly doable, I suppose. I can’t place any Symantec buildings in Brook Park, though, but that might just be my impatience with Gogl.

Could it be that Mr Gueth has nothing to do with the website crawling? Perhaps he was a victim and registered the domain for reasons of personal interest?

Lastly is kintiskton.org, which was registered in Canada (tucows) and running in Slovenia from IP 84.255.194.203 (“T-2 Access Network”), on 26 February 2009 — yesterday!

This has something to do with (as in: it gets forwarded to) eDition-on.net, which was registered, also through tucows, by someone from Ljubljana. From the page (in Slovenian): “Digital publications are a useful marketing tool that increases readership, saves printing and distribution costs, increases sales, and at the same time takes the reader through enriched interactive content.” I don’t think these are involved either, even though there is a great deal of obfuscation going on with the use of contactprivacy.org.

One conclusion in need of drawing here is that there is incredible interest in kintiskton-related registrations. Maybe I should do some myself? I note that kintiskton.co.uk is still available.
Resolution

An attempt to run nmap on their range gets absolutely no replies: “filtered” is the result. Presumably these servers are not expecting incoming traffic and I’ve been blocked.

A traceroute to the 65.208.151.112 IP reveals that the last packets are received from alter.net:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator>tracert 65.208.151.112

Tracing route to 65.208.151.112 over a maximum of 30 hops

1 <10 ms <10 ms <10 ms 10.0.0.138
2 * * * Request timed out.
3 32 ms 32 ms 32 ms 10.1.2.5
4 31 ms 31 ms 30 ms 10.1.2.161
5 31 ms 30 ms 31 ms 79.141.38.121.available.above.net [79.141.38.121]
6 103 ms 102 ms 103 ms so-0-1-0.mpr1.dca2.us.above.net [64.125.27.57]
7 103 ms 102 ms 102 ms xe-0-1-0.er1.dca2.us.above.net [64.125.27.25]
8 103 ms 102 ms 103 ms xe-1-0-0.er2.dca2.us.above.net [64.125.27.22]
9 103 ms 103 ms 103 ms 64.125.31.210
10 105 ms 105 ms 104 ms above-uu.iad10.us.above.net [64.125.13.174]
11 105 ms 104 ms 105 ms 0.ge-4-3-0.XL4.IAD8.ALTER.NET [152.63.40.230]
12 181 ms 181 ms 181 ms 0.so-4-0-0.CL2.PHX2.ALTER.NET [152.63.117.70]
13 181 ms 180 ms 180 ms 213.ATM7-0.GW1.PHX2.ALTER.NET [152.63.113.253]
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 kintiskton-gw.customer.alter.net [63.114.61.170] reports: Destination net unreachable.

Trace complete.

This “alter.net” domain, which is clearly responsible in some way for traffic going to the 65.208.151.x range, belongs to another Verizon Business, called MarkMonitor. From their whois entry:

MarkMonitor, the Global Leader in Enterprise Brand Protection

Domain Management
Online Trademark Protection
Online Channel Protection
AntiPhishing Solutions

And suddenly their interest in my photographs is resolved, along with the rather odd search queries the blog owner reported on the movabletype forum. They make perfect sense in terms of potential copyright infringement.

Of course having a public webserver renders one liable to visits from the public, and the only way to have a safe server is to unplug it from the mains. But MarkMonitor not only saw fit to load almost all my photo albums (thank heavens my bandwidth doesn’t cost per GB…), they also did this in just under 3 hours. My poor little server has been slogging its little socks off, and all that because some dumb cnuts think there might be a picture hidden among my snapshots that their hallowed customers might own the copyright to?

MarkMonitor (CEO Irfan Salim shown left) of course do not have to obey the robots.txt because they obey the far greater overlord of commerce. Says MarkMonitor’s founder Faisal Shah on the occasion of the start of their alliance with LexisNexis: “Through MarkMonitor’s service, Lexis-Nexis customers will have access to easy, affordable technology for managing the daunting task of combing thousands of Web sites that could potentially be a problem [my italics]” (source). Cheers chaps, nice to know that I fell into your problem radar, but your range has been banned from my server now.
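The pattern described above (a whole /29 pulling every photo at speed while ignoring robots.txt, then the range being banned) is easy to spot in the access log once you group requests by the whois-reported range rather than by single IP. The script below is an added example, not code from the original post: it parses Apache combined-format log lines, compares each request against a robots.txt, and reports per-group request count, time span, request rate and number of disallowed paths, then emits the Apache 2.4 directive that bans the range. The log lines and the robots.txt are constructed for illustration; only the 65.208.151.112–119 range comes from the whois output on this page.

```python
"""Spot a fast crawler that ignores robots.txt and ban its whois-reported range.

Added example; the log lines and robots.txt are constructed, not the
author's real data.  Assumes Apache combined log format.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.robotparser import RobotFileParser

# Range reported by ARIN whois for Kintiskton LLC (65.208.151.112-119 = /29).
KINTISKTON_NET = ipaddress.ip_network("65.208.151.112/29")

# Constructed robots.txt: photo albums are off limits to every crawler.
ROBOTS_TXT = """User-agent: *
Disallow: /photos/
"""

# Constructed Apache combined-format log lines (198.51.100.7 is a documentation
# address standing in for an ordinary visitor arriving from a search engine).
SAMPLE_LOG = """\
65.208.151.113 - - [27/Feb/2009:10:00:01 +0000] "GET /photos/album1/img001.jpg HTTP/1.1" 200 51234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
65.208.151.115 - - [27/Feb/2009:10:00:01 +0000] "GET /photos/album1/img002.jpg HTTP/1.1" 200 48211 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
65.208.151.117 - - [27/Feb/2009:10:00:02 +0000] "GET /photos/album2/img017.jpg HTTP/1.1" 200 60002 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
65.208.151.112 - - [27/Feb/2009:10:00:02 +0000] "GET /photos/album2/img018.jpg HTTP/1.1" 200 59870 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [27/Feb/2009:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 3120 "http://www.google.com/search?q=x" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [27/Feb/2009:10:00:40 +0000] "GET /photos/album1/img001.jpg HTTP/1.1" 200 51234 "http://example.invalid/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per combined-format line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def crawler_report(log_text, robots_txt, network, ua="*"):
    """Split requests into those from `network` and everything else, and report
    request count, time span, requests per second and how many requested paths
    robots.txt disallows.  A human visitor arrives slowly and rarely touches
    disallowed paths; a crawler that ignores robots.txt looks very different,
    and the user-agent string alone (the same MSIE 6.0 UA for both) does not
    separate them."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    groups = defaultdict(list)
    for rec in parse_log(log_text):
        key = "in_range" if ipaddress.ip_address(rec["ip"]) in network else "other"
        groups[key].append(rec)
    report = {}
    for key, recs in groups.items():
        times = [r["ts"] for r in recs]
        span = (max(times) - min(times)).total_seconds()
        disallowed = sum(1 for r in recs if not rp.can_fetch(ua, r["path"]))
        report[key] = {
            "requests": len(recs),
            "span_seconds": span,
            "req_per_second": len(recs) / span if span else float(len(recs)),
            "disallowed": disallowed,
        }
    return report


def deny_directive(network):
    """Apache 2.4 access-control line banning the whole whois-reported range
    (place it inside a <RequireAll> block in the server or directory config)."""
    return f"Require not ip {network.with_prefixlen}"


if __name__ == "__main__":
    for group, stats in crawler_report(SAMPLE_LOG, ROBOTS_TXT, KINTISKTON_NET).items():
        print(group, stats)
    print(deny_directive(KINTISKTON_NET))
```

Grouping by the whois-allocated block matters because the crawl in the post rotated through eight addresses; per-IP rate limits would have seen one eighth of the real request rate. The report also counts disallowed paths per group, so a search-engine visitor who follows a link into an album once is not mistaken for a crawler sweeping the whole Disallow tree.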
What is Kintiskton?

Now I am left with just one question: what on earth is Kintiskton when it’s at home? It’s not a surname, not a place name in the USA, UK, Australia… It’s not an anagram for anything sensible. It’s not in the OED or the Who’s Who. It isn’t found in the Gale Databases.

It is not K. Sitnik (shown left), or is it?

Answers on a postcard please, or maybe email.

28 May 2009 — additional

Microsoft is launching a new search engine, called “bing” (http://bing.com/) to replace their wretched “Live Search.” And who registered bing.com if not my good friends at MarkMonitor.

This also seems to be a good moment to point out that in terms of Copyright Infringement, the list of unwelcome data-grabbing crawlers visiting my website has grown, and now includes entities such as “Lloyds TSB Asset Management.” At least they identified themselves, which cannot be said for all.

Responses

  1. If interested, you can try global whois lookup service to check who owns a domain name or IP address from http://www.webtoolhub.com/tn561381-whois-lookup.aspx
