Hack Forums
[Community Alert] BPServers, a "Bullet Proof Host", Just Reselling from Ecatel - Also Ran by Peanuthero - Printable Version




BPServers, a "Bullet Proof Host", Just Reselling from Ecatel - Also Ran by Peanuthero - BV1 - 09-08-2016

Unfortunately, this thread won't be as controversial as I generally like my threads to be, as the member and product in question are fairly discrete, and there isn't a lot to argue about. They simply are lying to their customers and HF. I actually thought the user in question was just mistaken and didn’t know better, but upon speaking with him it became clear that he’d rather bury his head in the sand and continue his current advertising campaign than own up to his sins.

Enter BPServers.ru and SkylerRaine (featuring a surprise guest at the end)
SkylerRaine: https://hackforums.net/member.php?action=profile&uid=3258067
BPServers.ru: https://hackforums.net/showthread.php?tid=5384024

I’ve always been interested in Bullet Proof Hosting and learning about the datacenters they make use of. Not for any specific reason, just to learn more about where abuse online originates from. When I saw BPServers.ru were claiming to be making use of an African Datacenter, I instantly became intrigued. Generally one of the first things I check when looking into a site like this, is simply where they registered their domain name from.

Strike 1:
[Image: 0YShsbD.png]


Not the biggest red flag in the world, just found it to be very odd that a so-called Bullet Proof Host is using a registrar such as 101domain. A single well-written report and the domain is gone. Whatever though, I’m really interested in this African Datacenter they speak of.

I was browsing their website, marveling at their cute package names “Phishing Server,” “Hardcore Botnet,” and “Dark Army” when I noticed something that caught my eye. I’m very familiar with Ecatel (also known as Quasi Networks and Novogara) and these packages looked to be straight off of the Ecatel website. In fact, they were…

Strike 2:
[Image: 8jDi88m.png]


That’s interesting, considering Ecatel doesn’t offer hosting anywhere but the Netherlands. This finally made me curious enough to start digging into BPServers.ru. My personal opinion is, if you want to buy an Ecatel server, you should be able to without having to pay 200% markup. Anyways, I initiated contact with SkylerRaine attempting to get more information on their network. I decided to hit him with the underground tactics and attempt to finagle an IP address out of him (https://i.imgur.com/MzGNXRD.png).

Eventually he relented and gave me an IP address. The IP address is: 93.174.93.222.

Strike 3:
[Image: 5bUkZIG.png]


Before I continue, let’s get a bit of backstory on Ecatel real quick. In late 2015, Ecatel Ltd. (AS29073) rebranded their corporation to Quasi Networks LTD. In doing so, they moved their corporate activities within the Netherlands to an offshore location in Seychelles. They made this move for tax evasion purposes. Their entire network, however, stayed in the Netherlands; nothing changed there at all. AS29073 is now labeled as Quasi Networks LTD. Now this is why I thought maybe SkylerRaine just made a mistake, that he thought since Ecatel moved their corporate headquarters to Seychelles, the network was located there too. Sadly, no. He knows this, but if he revealed this, he’d be revealing his lie.

So let’s go back to that IP address, 93.174.93.222. Let’s reference the Ecatel/Quasi Networks AS number again as well, AS29073. If we look here, http://bgp.he.net/AS29073#_prefixes, that IP range falls under AS29073, belonging to Novogara. But who is Novogara you ask? Novogara is Ecatel. In late April of this year, Ecatel was allegedly purchased by Novogara LTD, as you can see in this nice and friendly email delivered to Ecatel’s customer base: https://i.imgur.com/h6EWuDz.png

I attempted to explain all of this to SkylerRaine, but was met with a bunch of read PM’s, but no replies. The last thing he said to me was this:


[Image: ImRQ9pt.png]


He doesn’t understand, or maybe he does, that just because the company who owns the IP is based out of Seychelles, and the whois on the IP says Seychelles, does not mean that the IP is pointing at a server out of Seychelles. In fact, the IP is pointing exactly where we’d expect it to be pointing to, the Netherlands. Novogara, Ecatel, and Quasi Networks all offer servers in just 1 single location, the Netherlands. To further strengthen this claim, here is a Traceroute showing the connection never leaving Europe:

Strike 4 (I think I skipped some?):
[Image: YXNw58x.png]



Your Bullet Proof Servers that you are purchasing from BPServers.ru are simply Ecatel/Novogara servers marked up 150-200%. You’re not getting Bullet Proof, you’re getting abuse resistant at best, for 2x the price normal people pay for it. The servers are in the Netherlands, Ecatel has been raided before, and will be raided again. I’ve personally had a server seized by law enforcement out of their datacenter a few years back.



Additional Resources:
Ecatel is Rebranding to Quasi Networks: https://ejanic.com/ecatel-is-rebranding-to-quasi-networks/
Ecatel LTD --> Quasi Networks LTD (IBC): https://www.lowendtalk.com/discussion/70172/ecatel-ltd-quasi-networks-ltd-ibc
Ecatel is now Novogara, l.o.l: https://www.lowendtalk.com/discussion/82220/ecatel-is-now-novogara-l-o-l



Strike 5:
A NEW CHALLENGER HAS APPEARED

So I’ll make this part quick because I don’t really remember who Peanuthero is, but apparently he scammed a few thousand dollars from users here and got himself perm banned. It has become pretty clear that SkylerRaine is here to proxy sell for Peanuthero. Here is an image of Skype showing Peanuthero advertising BPServers.ru:

[Image: yO5tJdL.png]


Furthermore, that image shows Peanuthero’s personal website, acuata.com. On acuata.com, we can see Peanuthero’s network of websites that he owns and operates:

[Image: QjA8FWh.png]


Clearly you can see BPServers.ru amongst his other websites. But maybe he just added BPServers.ru to his site to mess with us you might ask!? The registrant of BPServers.ru is the same registrant as Layer7.pw, another site shown on Peanuthero’s personal website:

https://whois.domaintools.com/bpservers.ru (https://i.imgur.com/XT7Nf2c.png)
https://whois.domaintools.com/layer7.pw (https://i.imgur.com/7Q0vyX8.png)
Registrant Email: [email protected]

Let’s look at all the relevant Peanuthero shit related to that email! https://www.google.com/search?q=asterionserveurs%40hotmail.fr&ie=utf-8&oe=utf-8#q=%22asterionserveurs%40hotmail.fr%22



TL;DR:
BPServers.ru is a “Bullet Proof Host” that claims to have servers in an African Datacenter. They also claim you can get away with hosting anything you want there. To quote SkylerRaine, “Botnet, Phishing, Scanning, DDOS and anything in your mind is Welcome !” Turns out however, they do not use an African Datacenter, they are in fact simply reselling Ecatel servers for 1.5x to 2x the price. Additionally, banned HF user and major scammer Peanuthero is the actual owner of the website, SkylerRaine is simply proxy selling for him.
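
The check the post above walks through (which AS originates the address, and whether the country in the whois record can be where the server physically sits), as an added example that is not part of the original post. It goes one step beyond the traceroute screenshot by using round-trip time as a physical bound; the prefixes, AS numbers and RTT samples are constructed documentation values, and the city coordinates are approximate.

```python
import ipaddress
import math

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398),
# not values from the thread or from live BGP/whois.
ROUTES = [  # (announced prefix, origin AS, country in the whois record)
    ("198.51.100.0/24", 64500, "SC"),
    ("198.51.100.128/25", 64501, "SC"),
    ("203.0.113.0/24", 64502, "NL"),
]
# Approximate city coordinates (lat, lon) in degrees.
AMSTERDAM = (52.37, 4.90)
VICTORIA_SC = (-4.62, 55.45)
FIBRE_KM_PER_MS = 200.0  # light in fibre covers roughly 200 km per millisecond

def origin_as(ip, routes=ROUTES):
    """Longest-prefix match: return (asn, whois_country) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn, country in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn, country)
    return best[1:] if best else None

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def location_is_feasible(vantage, claimed, rtt_samples_ms):
    """A host cannot answer faster than light travels there and back."""
    floor_ms = 2 * distance_km(vantage, claimed) / FIBRE_KM_PER_MS
    return min(rtt_samples_ms) >= floor_ms

if __name__ == "__main__":
    ip = "198.51.100.200"
    rtts = [11.8, 12.4, 12.1]  # constructed last-hop RTTs seen from Amsterdam
    print(ip, "origin AS / whois country:", origin_as(ip))
    print("Seychelles feasible:", location_is_feasible(AMSTERDAM, VICTORIA_SC, rtts))
    print("Amsterdam feasible:", location_is_feasible(AMSTERDAM, AMSTERDAM, rtts))
```

A passing feasibility check does not prove the claimed location, since congestion and routing detours only add delay; a failing one rules the location out.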


* - Αbel - 09-08-2016

Well this is interesting. As proxy selling isn't allowed on HF. We'll have to see what he says now.


* - Rezy - 09-08-2016

Always thought she/he was sketchy cause she upgraded in the same week she made her account and opened a giveaway.


* - Gary. - 09-08-2016

That's some interesting shit. Way to go. Read all of it. Some people are just stupid and think they can get away with shit like that.

Until someone like you actually investigates.

Good job!


* - HostSlick - 09-08-2016

Starting a BulletProof Hosting Company would probably cost 5keur+ if you don't want to be a reseller.
Starting with your own IP range, that might cost 3000,00 EUR. Servers you still can rent, but if you own the IPs you can ignore most abuse reports ;)

I always doubt that.

But of course, Ecatel's IPs - most of them are now GeoLocated in Seychelles to their new brand QUASI Networks. Servers are still in Amsterdam.

Btw, as far as I know, Seychelles hasn't got any datacenter.


* - BV1 - 09-08-2016

He's seen this, said nobody will care if the servers are Ecatel. O.o


* - Αbel - 09-08-2016

(09-08-2016, 06:56 PM)Previously Known As.... Wrote:  He's seen this, said nobody will care if the servers are Ecatel. O.o

Guess he's a really slow guy, don't know why he thinks that.


* - CheGuevara★ - 09-08-2016

Great job with this I am sure you had a fun time investigating it.
Was a really interesting read. Thanks man, great work again and keep it up!

Best wishes,
C.


* - Koolsami7 - 09-08-2016

(09-08-2016, 06:56 PM)Previously Known As.... Wrote:  He's seen this, said nobody will care if the servers are Ecatel. O.o

Really? Guess he doesn't mind losing business.. What a dumbass lol


* - Eilif - 09-08-2016

lol, reselling Ecatel for double the price and actually having sales is quite an achievement already.

But technically it is somewhat "bulletproof" since they are known to cater to spammers, crimeware and illegal porn to some extent, which is why it's the most hated (and blocked) provider out there (along with ColoCrossing).

But it sure as hell ain't located in Africa xD Unless he subtly meant the company/jurisdiction of course? The only issue I see as a bystander would be Peanuthero making a bank again in the background.

Thanks for the investigation. Insane detective work once again 🙂


* - BV1 - 09-08-2016

(09-08-2016, 09:59 PM)Eilif Wrote:  lol, reselling Ecatel for double the price and actually having sales is quite an achievement already.

But technically it is somewhat "bulletproof" since they are known to cater to spammers, crimeware and illegal porn to some extent, which is why it's the most hated (and blocked) provider out there (along with ColoCrossing).

But it sure as hell ain't located in Africa xD Unless he subtly meant the company/jurisdiction of course? The only issue I see as a bystander would be Peanuthero making a bank again in the background.

Thanks for the investigation. Insane detective work once again 🙂

Ecatel is resistant, but far from Bulletproof. They do cater to criminals, but they also do respond to abuse reports. I've also personally had a server located in Ecatel's Datacenter picked up by law enforcement back in late 2013.

And he didn't just mean the company is based in Africa, he implied the servers were in an African Datacenter. Additionally, jurisdiction lies in the location of the servers, not the company. So that argument wouldn't fly either.


* - Backopy - 09-09-2016

Great find.

I don't even think Africa is "bulletproof" at all, I've always preferred Israel or Costa Rica. I hear Iraq is nice too.


* - Eilif - 09-09-2016

(09-09-2016, 12:13 AM)Backopy Wrote:  Great find.

I don't even think Africa is "bulletproof" at all, I've always preferred Israel or Costa Rica. I hear Iraq is nice too.

The only Iraq provider I know is XSLTel, and they'll only list NL/SE locations publicly, while any special servers can be bought via their support for a hefty price.


* - BV1 - 09-09-2016

(09-09-2016, 12:13 AM)Backopy Wrote:  Great find.

I don't even think Africa is "bulletproof" at all, I've always preferred Israel or Costa Rica. I hear Iraq is nice too.

Seychelles is a great location to set up an anonymous corporation for tax evasion and corporate privacy purposes. Not for any other reasons.


* - SIM-3115565 - 09-09-2016

Lmao, really, they are reselling Ecatel now? That's funny, because I was caught scanning with them and got suspended, and once you start spoofing they rate limit you to 100mbps.