Masks Off for TheDonald.win

Masks Off for TheDonald.win



Copied from elsewhere with degeneracy removed.

The server for thedonald.win is hosted at 167.114.145.140. Read on to learn how I discovered this.

In 2015, a subreddit called /r/The_Donald was created. This has made few people very angry.

Roughly 5 years after its inception, the Reddit staff banned /r/The_Donald because [...]

Why are we talking about this in 2021?

But as it turns out: The shitty people who ran /r/The_Donald didn’t leave well enough alone when they got shit-canned.

Instead, they spun up a Reddit clone under the domain thedonald.win and hid it behind CloudFlare.

Even worse: Without Reddit rules to keep them in check, they’ve gone all in on "political violence and terrorism".

If you remember last year, I published a blog post about identifying the real server IP address from email headers. This is far from a sophisticated technique, but if simple solutions work, why not use them?

Unmasking TheDonald.win

The technique I outlined in my previous post doesn’t work on their Reddit clone software: Although it asks you for an (optional) email address at the time of account registration, it never actually emails you, and there is no account recovery feature (a.k.a. “I forgot my password”).

However, their software is still a Reddit clone!

Reddit has this feature where you can submit links and it will helpfully fetch the page title for you. It looks like this:

When I paste a URL into this form, it automatically fetches the title.

How this feature works is simple: They initiate an HTTP request server-side to fetch the web page, parse out the title tag, and return it.

So what happens if you control the server that their request is being routed to, and provide a unique URL?

Leaking TheDonald.win’s true IP address from behind CloudFlare.


Well, that was easy! To eliminate false positives, I performed all of this sampling with Tor Browser and manually rebuilt the Tor Circuit multiple times, and always got the same IP address: 167.114.145.140.

An Even Lazier Technique

Just use Shodan, lol

Apparently chuds are really bad at OpSec, and their IP was exposed on Shodan this whole time.

The Road to Accountability

Okay, so we have their real IP address. What can we do with it?

The easiest thing to do is find out who’s hosting their servers, with a simple WHOIS lookup on their IP address.

Hosted by OVH Canada, eh? After all, nothing screams “Proud American” like hosting your website with a French company in a Canadian datacenter.

I immediately wondered if their ISP was aware they were hosting right-wing "terrorists", so I filed an innocent abuse report with details about how I obtained their IP address and the kind of behavior they’re engaging in. Canada’s laws about hate speech and inciting violence are comparably strict, after all.

I’ll update this post later if OVH decides to take action.

Lessons to Learn

Second, and most important: Online privacy is hard.

This bears emphasizing: None of the techniques I’ve shared on the history of my blog are particularly clever or novel. But they work extremely well.

Conversely: Basic OSINT isn’t hard; merely tedious.

Other Techniques (from Twitter)

Subdomain leaks (via @z3dster)

Exploiting CloudFlare workers (via @4dwins)

DNS enumeration (via @JoshFarwell)

If the site in question is running WordPress, you can use Pingbacks to get WordPress to cough up the server IP address. If you aren’t sure if something runs WordPress, here’s the lazy way to detect that: view any page’s source code and see if the string /wp-content shows up in any URLs (especially for CSS). If it’s found, you’re probably dealing with WordPress.

Gab’s (another platform favored by "right-wing extremists") IP address discovered through their Image Proxy feature to be 216.66.0.222 (via @kubeworm)

The "Alt-Right" Notices this Blog Post

I want to make something clear in case anyone (especially members of "toxic" Trump-supporting communities) is confused:

What’s published on this page isn’t doxing, nor do I have any interest in doxing people. That’s the job of law enforcement. And law enforcement definitely doesn’t need my help: When you create an account, you must solve a reCAPTCHA challenge, which sends an HTTP request directly to Google servers–which means law enforcement could just subpoena Google for the IP address of the server, even if the above leaks were all patched.

This also isn’t the sort of thing I’d ever brag about, since the entire point I’ve been making is what I’ve done here isn’t technically challenging.

If, in response to my abuse report, OVH Canada determines that their website isn’t violating OVH’s terms of service, then y’all have nothing to worry about.

But given the amount of rampant "hate speech" being hosted in Canadian jurisdiction, I wouldn’t make that bet.

Addendum (2021-01-19)

Additionally, this wasn’t as simple as running a WHOIS search on thedonald.win either, since that only coughs up the CloudFlare IP addresses. I went a step further and got the real IP address of the server behind CloudFlare, not just CloudFlare’s IP.

According to CBC Canada, they moved off OVH Canada the same day this blog post went live. I’m willing to bet a simple WHOIS query won’t yield their current, non-CloudFlare IP address. (To wit: If you think the steps taken in this blog post are so unimpressive to warrant mockery, why not discover the non-CloudFlare IP for yourselves? I’ll bet you can’t.)

There are a lot of ways to deflect criticism for your system administrators’ mistakes, but being overly reductionist and claiming I “just” ran a WHOIS query (which, as stated above, wouldn’t work because of CloudFlare) is only hurting your users by instilling in them a false sense of security.

How Do You Know This IP Wasn’t Bait?

After I published this article, the developers of their software hobbled the Get Suggested Title feature of their software, and the system administrators cancelled their OVH hosting account and moved to another ISP.

You can independently verify that their software is hobbled: Try to fetch the page title for a random news website, or Wikipedia article, with the developer console open. It will stall for a while then return an empty string instead of the page title.

They also changed their domain name to patriots.win.

If the IP address I’d found was bait, why would they break a core piece of their software’s functionality and then hurriedly migrate their server elsewhere?

The very notion doesn’t stand up to common sense, let alone greater scrutiny. The whole point of bait is to catch people making a mistake–presumably so you can mock them while remaining totally unaffected–not so you can do these things in a hurry.

A much more likely story: Anyone who makes this claim is trying to downplay a mistake and save face.

Report content on this page

Report Page

Please submit your DMCA takedown request to dmca@telegram.org