Hack Forums
[Community Alert] Shadowhosting.net - Fake Bullet Proof Hosting - Ban Evasion - Proxy Selling



Shadowhosting.net - Fake Bullet Proof Hosting - Ban Evasion - Proxy Selling - BV1 - 09-16-2016

Thread: SHADOWHOSTING.NET == BULLETPROOF // OFFSHORE // DMCA IGNORED ///// [MALWARE HOSTING]
User: manandco
Banned Account: SkylerRaine
Proxy Selling for: Peanuthero + Peanuthero_



Point numero uno:
Right off the bat, I'm going to just post the evidence that links all of this... SkylerRaine, manandco, BPServers, ShadowHosting, and Peanuthero all together.

[Image: 3kLdjRQ.png]


One of my first realizations that made me start looking into these "Bullet Proof" hosts popping up is that every single site that Peanuthero owns and operates, as well as the sites SkylerRaine and manandco operate, use the nameservers Lee and Leah from Cloudflare. This alone doesn't mean much, tons of sites here use those name servers, but I'll explain why I suspected that this very easily may be the common link between everything. When you make an account with Cloudflare, unless you upgrade it, you will only ever get the same 2 nameservers for every site that is on your account. So with that, I contacted a Cloudflare representative who I've been speaking with recently to confirm this for me. Indeed, as you can see in the screenshot above, Peanuthero's site, Layer7.pw, is on the same account as SkylerRaine's site, BPServers.ru, and manandco's site, ShadowHosting.net. Earlier this week I got SkylerRaine banned for proxy selling for Peanuthero, and it seems like immediately they transitioned into the new account manandco to continue their sales.



Point numero dos:
My next hunch was their writing style. I guess a few foreign members type like this, but it was what actually got me looking into manandco more. They, Skyler and manandco, put spaces in between the last word of the sentence and the punctuation.

[Image: nO0J3fJ.png]


Other things that stand out:
  1. They both use pictures of scene girls.
  2. Both purchased the L33t upgrade before making 10 posts; very rarely does someone do that without having prior experience on this forum.
  3. Both were always using some variation of "livechat is online" as their go to thread bump.



Point numero tres:
In the next screenshot, you'll see manandco's first post on this forum was used to bump one of Peanuthero's sales threads. You'll also see that Peanuthero also gave him positive reputation 2 days before manandco had made a single post on this forum.

[Image: db6Hiaw.png]


There is obvious collusion there. After getting that rep and making that post, manandco's account sat dormant for nearly 4 months. Once their other sales account, SkylerRaine, got banned, they brought this account back out to conduct sales.



Point numero tres point cinco:
Both Peanuthero's website, Acuata.com, and manandco's website, ShadowHosting, use the same contact information:

[Image: AH2Y5Bn.png]
[Image: 5imt9sA.png]



Point numero quatro:
On to the webhosting being sold. It is the same exact situation as with BPServers.ru. ShadowHosting is advertising their services as Bullet Proof Web Hosting out of Seychelles. I made a thread the other day asking if anyone can help me get a bit more insight on this, and a member, who will remain anonymous unless he wishes to be named, sent me the IP address, as well as his login for his ShadowHosting.net account, and his Web Hosting control panel. Through all of this, I was able to gather the following:
  1. Server IP address is located in the Netherlands on Ecatel's network. IP is 80.82.78.*** (All IPs on this range belong to Ecatel aka Quasi Networks)
  2. ASN belongs to Quasi Networks, which is a shell corporation set up by Ecatel, located in Seychelles.
  3. Actual server location is located in the Netherlands, in Ecatel's datacenter.
  4. None of your data is touching Seychelles. It is all in the NL.

IP Address Whois: http://bgp.he.net/net/80.82.78.0/24#_whois (Note the IP owner is in SC, not the server location)
IP Address Location: http://bgp.he.net/AS29073#_prefixes (All IPs on the range route to the Netherlands)

Just like with BPServers, a traceroute on the IP is following the exact same hops, concluding in the Netherlands.
ShadowHosting:
[Image: FUcQS3K.png]

BPServers:
[Image: YXNw58x.png]

For more information on Ecatel and Quasi Networks, please reference my previous thread here rather than me retyping it: https://hackforums.net/showthread.php?tid=5399544
Everything written on the previous thread will really break open why this is clearly hosted on an Ecatel box in the NL, and not somewhere else in Seychelles.


Thanks for reading!


* - Silent  - 09-16-2016

Wow, valid report OP, I've seen your other thread on this before. You have taken a lot of time to prove to this community about this guy. Thanks


* - SIM-3115565 - 09-16-2016

Once again this nigga is on it again guys busting these idiots that fail so bad. Hell yeah OP keep it up.


* - Fộrcəd - 09-16-2016

HQ report as always, starting to wonder if there is any hosting on HF that is actually "bulletproof"


* - Danny Khalifa - 09-16-2016

Damn man.
Thank you very much for that!


* - Express Me - 09-16-2016

Damn, just smacked his ass all around the world


* - Drug Problems - 09-16-2016

Man previously known as always... you always make such HQ posts. Good job on the post thank you for the alert!


* - Gary. - 09-16-2016

And they don't stop coming

Good work like always!


* - BlackLayer - 09-16-2016

Good detective OP 😎, this guy is fucking retarded or completely stupid, multi-accounting... 😑


* - Eilif - 09-16-2016

And another one bites the dust..

I wonder if Peanuthero will make yet another "host" appear from nowhere with another thread design and another domain name..

In the end it might start to cost him more than he can make from here after getting busted and having to close down repeatedly.


* - BV1 - 09-16-2016

Apparently they don't hide the fact that their servers are based in the NL.

[Image: VT1wS5V.png]

[Image: XulNNU1.png]
[Image: xYb291l.png]
(also that's not a Seychelles flag...)

Hmmmmmm.....
Also since when does Ecatel allow malware and botnets? I've seen plenty of suspensions and terminations for malware hosting on Ecatel once reported.

Also apparently Bullet Proof does not mean the same thing on HF as it does anywhere else, according to manandco.

[Image: jPHllUG.png]

Finally.... more proof he's working with Peanuthero

Both Peanuthero's website, Acuata.com, and manandco's website, ShadowHosting, use the same contact information:

[Image: AH2Y5Bn.png]
[Image: 5imt9sA.png]


* - 2073436 - 09-16-2016

Damn good thread, I love the way you catch all these scammers. Good job and I hope you will catch many more.


* - Codefuser - 09-16-2016

You could also verify that 2/more sites are on the same CF account by checking their NS. Last I checked CF assigned unique NS pairs to each user.


* - Method - 09-16-2016

OP you're literally a fuking detective.

Good work mate.


* - BV1 - 09-16-2016

(09-16-2016, 07:16 PM)Codefuser Wrote:  You could also verify that 2/more sites are on the same CF account by checking their NS. Last I checked CF assigned unique NS pairs to each user.

I don't think it's unique, but they do group them together. Crimeflare helps with that, they have a search for this very purpose.
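
The nameserver correlation discussed in the opening post and in the replies above, as an added example that is not part of the original thread: it groups zones by their Cloudflare NS pair and then keeps only members that also share contact details, since the pair alone is a weak signal. All domains, contact strings and function names are constructed or hypothetical; the NS records are embedded rather than resolved so the block runs offline.

```python
from collections import defaultdict

CF_SUFFIX = ".ns.cloudflare.com"

def cloudflare_pair(ns_records):
    """Return the sorted Cloudflare NS pair for a zone, or None when the
    zone is not delegated to exactly two Cloudflare nameservers."""
    names = sorted({n.strip().lower().rstrip(".") for n in ns_records})
    if len(names) == 2 and all(n.endswith(CF_SUFFIX) for n in names):
        return tuple(names)
    return None

def cluster_by_pair(zones):
    """Group domains by shared Cloudflare NS pair; singletons are dropped."""
    clusters = defaultdict(set)
    for domain, ns_records in zones.items():
        pair = cloudflare_pair(ns_records)
        if pair:
            clusters[pair].add(domain.lower())
    return {p: d for p, d in clusters.items() if len(d) > 1}

def corroborated(clusters, contacts):
    """A shared NS pair alone is weak: unrelated accounts can get the same
    pair. Keep only members that also share a contact string."""
    result = {}
    for pair, domains in clusters.items():
        by_contact = defaultdict(set)
        for d in domains:
            for c in contacts.get(d, ()):
                by_contact[c.strip().lower()].add(d)
        linked = {d for g in by_contact.values() if len(g) > 1 for d in g}
        if linked:
            result[pair] = linked
    return result

# Constructed sample data (hypothetical domains and contacts).
ZONES = {
    "stresser.example": ["lee.ns.cloudflare.com.", "leah.ns.cloudflare.com."],
    "hosting-a.example": ["LEAH.ns.cloudflare.com", "lee.ns.cloudflare.com"],
    "bystander.example": ["lee.ns.cloudflare.com", "leah.ns.cloudflare.com"],
    "other.example": ["ns1.registrar.example", "ns2.registrar.example"],
}
CONTACTS = {
    "stresser.example": ["Support@shared.example"],
    "hosting-a.example": ["support@shared.example "],
    "bystander.example": ["admin@bystander.example"],
}

LINKED = corroborated(cluster_by_pair(ZONES), CONTACTS)
```

Here `bystander.example` lands in the NS-pair cluster but drops out once the second signal is required, which is the false-positive case the opening post warns about.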