
Saturday, 22 February 2014

On the trail of 3NT Solutions LLP

NOTE: An updated list of IPs can be found here (October 2017)

Yesterday I blogged about a company called 3NT Solutions LLP apparently based in the UK and expressed my reservations about them as a business. They operate quite a large range of IP addresses, but a quick Google search shows pitifully little about this company.

Let's start our investigation by looking them up at Companies House. That gives some basic details:

3NT SOLUTIONS LLP
SUITE 4084
10 GREAT RUSSELL STREET
LONDON
ENGLAND
WC1B 3BQ
Company No. OC363382

LLPs are a relatively new type of company in the UK which allows a firm to be registered with the minimum of details, but there are reports that LLP structures are being widely abused. We'll have a look at the ownership in a moment, but first let's check out this grand-sounding office in Central London..


It is, in fact, the Bloomsbury branch of Mail Boxes Etc and "suite" is simply a euphemism for "mail box".. in other words, this is a mail drop address that most likely forwards any mail to another address, a trick that conceals the full owners of the company.

OK, so that address is a bust. But the WHOIS records for their IP blocks, and their previous registration at Companies House, show a different address:

DALTON HOUSE
60 WINDSOR AVENUE
LONDON
SW19 2RR

We can trundle over to that on Google StreetView too..


Dalton House is basically the same thing as the MBE address: it offers a brass plaque somewhere and a mail forwarding service. So no real clues as to ownership here either.

A trip back to Companies House to find their Company Register information [rtf] reveals very little, except two related companies in Belize.



LLP DESIGNATED MEMBER: DARL IMPEX LTD
Appointed: 01/04/2011
Nationality: NATIONALITY UNKNOWN
No. of Appointments: 1
Address: 35 NEW ROAD, BELIZE, BELIZE, NA

LLP DESIGNATED MEMBER: LEGRANT TRADING LTD.
Appointed: 19/03/2013
Nationality: NATIONALITY UNKNOWN
No. of Appointments: 1
Address: BLAKE BUILDING SUITE 102, GROUND FLOOR, BLAKE BUIL, CORNER EYRE&HUTSON STREETS, BELIZE CITY, BELIZE, NA

Belize is pretty much a haven for offshore companies, so it is quite likely that these two Belize companies are owned by someone in a different country again.

The domain registration for 3nt.com doesn't really give any more information, and oddly enough their website is down (so how do they expect to attract business?). But if we do a WHOIS lookup on one of their IP ranges then it becomes much more clear.

inetnum:        5.61.32.0 - 5.61.47.255
netname:        INFERNO-NL-DE
descr:          ********************************************************
descr:          * We provide virtual and dedicated servers on this Subnet.
descr:          *
descr:          * Those services are self managed by our customers
descr:          * therefore, we are not using this IP space ourselves
descr:          * and it could be assigned to various end customers.
descr:          *
descr:          * In case of issues related with SPAM, Fraud,
descr:          * Phishing, DDoS, portscans or others,
descr:          * feel free to contact us with relevant info
descr:          * and we will shut down this server: abuse@3nt.com
descr:          ********************************************************
country:        DE
admin-c:        TNTS-RIPE
tech-c:         TNTS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-3NT
mnt-routes:     LEASEWEB-MNT
source:         RIPE # Filtered

person:         Neil Young
address:        3NT SOLUTIONS LLP
address:        DALTON HOUSE 60, WINDSOR AVENUE
address:        LONDON, UK
phone:          +442081333030
abuse-mailbox:  abuse@3nt.com
nic-hdl:        TNTS-RIPE
mnt-by:         MNT-3NT
source:         RIPE # Filtered

route:          5.61.32.0/20
descr:          Routed via LEASEWEB
origin:         AS16265
mnt-by:         OCOM-MNT
source:         RIPE # Filtered


Alright, let's cut a long story short because we know who this is.. it's Serbian web host inferno.name who have featured on this blog several times before all the way back to 2011. Similar records exist on all of 3NT's ranges, linking them firmly with inferno.name.
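
Added example (not part of the original post): one way to repeat the pivot described above in Python, parsing RIPE WHOIS objects, converting each inetnum to CIDR and grouping ranges by shared admin-c/tech-c/mnt-by handle. The first sample object is trimmed from the record quoted above; the second (192.0.2.0, EXAMPLE-NET, MNT-EXAMPLE) is constructed, and the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# First object trimmed from the record above; second object is constructed.
SAMPLE = """\
inetnum:        5.61.32.0 - 5.61.47.255
netname:        INFERNO-NL-DE
descr:          * and we will shut down this server: abuse@3nt.com
admin-c:        TNTS-RIPE
mnt-by:         MNT-3NT

inetnum:        192.0.2.0 - 192.0.2.127
netname:        EXAMPLE-NET
admin-c:        TNTS-RIPE
mnt-by:         MNT-EXAMPLE
"""

def parse_objects(text):
    """Split WHOIS text into objects; attributes may repeat, so values are lists."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = defaultdict(list)
        for line in block.splitlines():
            if ":" in line and not line.startswith(("%", "#")):
                key, value = line.split(":", 1)  # values may contain ':' too
                obj[key.strip().lower()].append(value.strip())
        if obj:
            objects.append(dict(obj))
    return objects

def inetnum_to_cidrs(inetnum):
    """Convert 'first - last' into the minimal list of CIDR strings."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

def ranges_by_handle(objects, keys=("admin-c", "tech-c", "mnt-by")):
    """Map each contact/maintainer handle to the CIDRs of the inetnums using it."""
    index = defaultdict(set)
    for obj in objects:
        if "inetnum" in obj:
            for key in keys:
                for handle in obj.get(key, []):
                    index[handle].update(inetnum_to_cidrs(obj["inetnum"][0]))
    return {h: sorted(c) for h, c in index.items()}

def matching_cidr(ip, cidrs):
    """Return the first CIDR that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((c for c in cidrs if addr in ipaddress.ip_network(c)), None)
```

A range that shares a contact handle but carries a different maintainer or netname, like the constructed second object, still lands under the same handle, which is how differently named ranges get tied back to one operator.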

Now it's not a particular surprise to see that inferno.name is trading under a different name, as the scummy sites they host pretty much ruined their reputation. And yeah, this blog helped with that.

I had a look into some of 3NT's IP ranges and you can tell instantly from these samples [csv] that they are pretty low-grade spammy sites. What you can't tell from that list are the command and control servers that they run, and of course they also host malware.

The following IP ranges are allocated to 3NT Solutions LLP. I recommend that you block them.

In addition, these other (smaller) ranges are allocated to inferno.name and v3servers.net who are the same outfit. I also recommend that you block these:

15 comments:

Ari said...

Don't know if you have already noticed that they have many more IPs

for example
130.0.232.0 - 130.0.239.255
37.1.216.0 - 37.1.223.255

And if You check behind this link, there's a lot of websites, quite many in Russia

http://myip.ms/view/ip_owners/20670/3Nt_Solutions_Llp.html

Conrad Longmore said...

@Ari: those are..
37.1.216.0/21
130.0.232.0/21

They have strong Russian and Ukrainian connections as well as Serbia. Ukrainian hosts often serve as black-hat hosts for Russian criminals. Serbia and Russia also have close ties.. thanks for that other link.

Unknown said...

Looks like it's the same guy as "hostkey".

http://myip.ms/view/web_hosting/112538/Hostkey_B_v.html

Unknown said...

Came across this site while trying to track who was trying to hack my web site. This is the info I received from my site:

A user with IP address 37.1.199.35 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 10. The last username they tried to sign in with was: ''
User IP: 37.1.199.35
User hostname: 37.1.199.35
User location: Germany

Can't find anything about the address on who.is but did find something about the 3NT lot which led me here.

Carolyn said...

I found several of these sites using my copyrighted material. The whole site is just material copied from other websites with an affiliate link to aliexpress trying to sell a similar item, and bivertiser Ads at the top and right sides of the page. I sent in DMCA reports but got no response. Is it impossible to get these people to remove the copyrighted material?

Carolyn said...

Continued from above. I am going to contact the affiliate programs this website uses to see if they will at least drop them from their program so that they aren't making money on my materials. I have done this in the past and it works sometimes.

Conrad Longmore said...

@Carolyn: they are not a US operation, so they don't come under the scope of the DMCA. You might have better luck filing a DMCA complaint with Google who will at least drop the spam sites from the search results.

Carolyn said...

Thanks, I just don't know what I would claim except for copyright abuse and they will tell me that I have to fill out a DMCA and send it to the server. They aren't using keyword stuffing, or nonsense text. They just copied complete text from different websites. I have noticed lately that Google isn't very quick to remove copyrighted material from Blogspot or Blogger. They almost always send me an email that they decided not to take action at this time. . . even when the copyright infringement is very obvious such as someone copying an image from my website with my url on the image. I have to then reply to their email protesting the decision. I don't know if this is standard procedure now like insurance companies or if someone at Google is just lazy.

I checked the sites this morning and it looks like the affiliate I complained to dropped them because their ads are no longer on the right-hand side of the page and their linked words don't work. That company was in the US.

Their other affiliate is out of the country, AliExpress and I couldn't even find a way to contact them. They have a DMCA form to complain if someone thinks something on their site is being used in violation of copyright laws, but not for one of their affiliates. You have to put in a foreign phone number and since my phone number doesn't fit in the box, the form doesn't work. I don't want to put in a fake phone number.

I noticed that this site is using five images from my site that refer back to my image files. I think I will change the name of the images so the site won't be able to find them.

Carolyn said...

I changed the names of my images so they don't show up on their site and changed one of the images they link to to read - "Caution" Do not follow any links on this Plastic Mini Spoons Website. It uses copyrighted material, including this image."
http://plastic-mini-spoons-1091.davenport-transportation.biz/

This can be dangerous because if you don't get all the links off of your website, it could show up on your own website. But this website really makes me mad. I tell the website that I changed the image, but they don't have an email address on the site.

Conrad Longmore said...

@Carolyn - I believe that the 3nt.com website is essentially a fake, designed to give the impression that they are a UK company. Their real website is at inferno.name which is all written in Russian. I believe that behind the shell companies that hold 3NT is actually an organisation based in Russia, Ukraine or Serbia (or a combination of those three).

Gail Gardner @GrowMap said...

When they cloned a copy of GrowMap.com to a newly registered domain at growmap.org they copied a plugin that notified me of their actions. I tracked them to a server that has cloned copies of many other sites using variations of their domain name.

I have tried (so far unsuccessfully) to get NameCheap to stop pointing the domain they registered to the stolen content. It is my position that refusing to do so makes them complicit in the theft. I have tweeted to EFF.org to see what they have to say.

I also reported the copyright issue to Google, but apparently I need to get a list of every page on my site and hope there aren't more than 1000 of them.

Any other suggestions? This outfit needs more bad publicity and they picked on the wrong person. What can we do?

Gail Gardner @GrowMap said...

I had my entire site cloned by 3NT. Namecheap confirmed the domain they used was registered through them, but refused to stop pointing it at my stolen content. They used privacy guard so figuring out who hosted it was a challenge.

Some lookup sites said 3NT, but one said Ecatel so I emailed abuse@ecatel.info and the next day the clone was suspended. They haven't responded so I don't know 100% that it was them, but I don't know how else it came down.

Ecatel was recently (April 2016) reported as being taken over by Novogara, so maybe they are less tolerant of evil. I'm commenting here so that if anyone else is in the same boat they can possibly try again to get clones and other copyright violations taken down.

Two tips: I got notified because I had the infolinks plugin installed in my site. Even though I did not have it running, they must have activated it when they cloned my site. It "phoned home" and reported the new site which they added to my account and emailed me about.

Also, one cloned site I know of was able to put a warning popup on the cloned site because they had some code in their site that got copied. They activated a warning on the site that says "WARNING: This site is fake. This site is using content stolen from theirdomain.com. To visit the real site, click the link below."

It wouldn't be a bad idea to have that kind of code in your site or a plugin that lets you do that kind of thing. Thanks for the IPs. My tech guy blocked all of them as an additional precaution.