Tracking Computers and Devices in North Korea

Tracking the active torrenting in North Korea reveals some interesting things. Someone really loves Modern Family, but the driver downloads also reveal something about the devices in use inside North Korea:


Here’s a list of the most common IPs that have been torrenting in the last few months:


Wikipedia Edits

At times someone from a North Korean address has edited the following Wikipedia pages:

175.45.176.130

This one seems a little serious.

User talk:Jimbo Wales: https://en.wikipedia.org/wiki/index.php?curid=9870625&diff=prev&oldid=614463449

175.45.176.135

SD Card: https://secure.wikimedia.org/wikipedia/en/wiki/index.php?curid=315794&diff=prev&oldid=608633609

175.45.176.140

Someone feels strongly about CMSs.

Content Management System: https://en.wikipedia.org/wiki/index.php?curid=75885&diff=prev&oldid=449076598

Mobile country code: https://secure.wikimedia.org/wikipedia/en/wiki/index.php?curid=6855629&diff=prev&oldid=534160820

New Asian–African Strategic Partnership: https://en.wikipedia.org/wiki/index.php?curid=37183551&diff=prev&oldid=583476306

Skyline: https://en.wikipedia.org/wiki/index.php?curid=26949434&diff=prev&oldid=578541976

User:Fisherjs: https://en.wikipedia.org/wiki/index.php?curid=5071547&diff=prev&oldid=500394392

175.45.176.143

Aron da Silva: https://en.wikipedia.org/wiki/index.php?curid=30183322&diff=prev&oldid=637412128

175.45.176.144

The Eternal Champion: https://en.wikipedia.org/wiki/index.php?curid=4935162&diff=prev&oldid=568064567

Real-time Transport Protocol: https://en.wikipedia.org/wiki/index.php?curid=26163&diff=prev&oldid=597787522


Open SMTP Relay

It looks like there’s an open mail relay hosted in the DPRK. The domain is masked for privacy reasons; it only resolves to DPRK domains.

Resolving hostname…
Connecting…
Connection: opening to smtp.XXXXXX.kp:25, timeout=300, options=array (
)
Connection: opened
SERVER -> CLIENT: 220 mail.star-co.net.kp ESMTP Postfix
CLIENT -> SERVER: EHLO tools.wormly.com
SERVER -> CLIENT: 250-mail.star-co.net.kp
250-PIPELINING
250-SIZE 1000000000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
CLIENT -> SERVER: MAIL FROM:
SERVER -> CLIENT: 250 2.1.0 Ok
CLIENT -> SERVER: RCPT TO:
SERVER -> CLIENT: 250 2.1.5 Ok
CLIENT -> SERVER: DATA
SERVER -> CLIENT: 354 End data with .
CLIENT -> SERVER: Date: Mon, 29 Apr 2019 02:58:14 +0000
CLIENT -> SERVER: To: flph@star-co.net.kp
CLIENT -> SERVER: From: Wormly SMTP Test
CLIENT -> SERVER: Subject: Wormly SMTP Test Message
CLIENT -> SERVER: Message-ID: <513d1d6870dbfc59c46586d3494dcc8c@blog.wormly.com>
CLIENT -> SERVER: MIME-Version: 1.0
CLIENT -> SERVER: Content-Type: text/plain; charset=iso-8859-1
CLIENT -> SERVER:
CLIENT -> SERVER: This message was sent using the Wormly SMTP testing tool by this user:
CLIENT -> SERVER: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0
CLIENT -> SERVER: 185.210.218.100
CLIENT -> SERVER:
CLIENT -> SERVER: .
SERVER -> CLIENT: 250 2.0.0 Ok: queued as 5AF6222C37A4
CLIENT -> SERVER: QUIT
SERVER -> CLIENT: 221 2.0.0 Bye
Connection: closed
Message completed successfully.
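Reading the session above the way a mail administrator would, as an added example that is not part of the original post: this Python parses a constructed transcript in the same CLIENT -> SERVER / SERVER -> CLIENT format, extracts the advertised EHLO extensions, and separates two questions the exchange answers: which risky features the server advertises (VRFY, no STARTTLS), and whether any accepted RCPT TO address lies outside the server's own domain, which is what a relay test has to show. The placeholder envelope addresses and the "strip the host label to get the mail domain" heuristic are assumptions.

```python
import re

# Constructed, abridged transcript modelled on the session above (envelope addresses are placeholders).
TRANSCRIPT = """\
SERVER -> CLIENT: 220 mail.star-co.net.kp ESMTP Postfix
CLIENT -> SERVER: EHLO tools.wormly.com
SERVER -> CLIENT: 250-mail.star-co.net.kp
250-PIPELINING
250-SIZE 1000000000
250-VRFY
250-ETRN
250 SMTPUTF8
CLIENT -> SERVER: MAIL FROM:<sender@example.invalid>
SERVER -> CLIENT: 250 2.1.0 Ok
CLIENT -> SERVER: RCPT TO:<flph@star-co.net.kp>
SERVER -> CLIENT: 250 2.1.5 Ok
"""

def parse_transcript(text):
    """Return (server name from the 220 banner, EHLO extensions, accepted RCPT TO addresses)."""
    server, ehlo, accepted, in_ehlo, pending = None, [], [], False, None
    for raw in text.splitlines():
        if raw.startswith("CLIENT -> SERVER: "):
            cmd = raw.split(": ", 1)[1]
            in_ehlo = cmd.upper().startswith("EHLO")
            m = re.match(r"RCPT TO:\s*<?([^>\s]+)", cmd, re.I)
            pending = m.group(1) if m else None
            continue
        reply = raw.replace("SERVER -> CLIENT: ", "", 1)
        if reply.startswith("220 "):
            server = reply.split()[1]
        elif in_ehlo and re.match(r"250[- ]", reply):
            ehlo.append(reply[4:])
            in_ehlo = reply[3] == "-"   # '250 ' (space) ends the multi-line EHLO reply
        elif pending and reply.startswith("250 "):
            accepted.append(pending)    # server answered Ok for this recipient
            pending = None
    return server, ehlo[1:], accepted   # first EHLO line is the server's own name

def assess(server, extensions, accepted):
    """Flag risky advertised features and list accepted recipients that prove relaying."""
    names = {e.split()[0].upper() for e in extensions}
    findings = []
    if "STARTTLS" not in names:
        findings.append("no STARTTLS: sessions cross the network in clear")
    if "VRFY" in names:
        findings.append("VRFY enabled: remote mailbox enumeration is possible")
    own_domain = server.split(".", 1)[1].lower()  # heuristic: drop the host label
    relayed = [a for a in accepted if not a.lower().endswith("@" + own_domain)]
    return findings, relayed
```

For the quoted session the accepted recipient is on the server's own domain, so `relayed` comes back empty; only an accepted recipient at a foreign domain would be evidence of relaying.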