KatsBits Community

General Category => Blog => Topic started by: kat on July 22, 2011, 09:53:19 PM

Title: Kintiskton LLC & Big Sky Investment Hospitality Inc
Post by: kat on July 22, 2011, 09:53:19 PM
I last wrote about Kintiskton LLC on another website (now dead and gone) after discovering they search through web sites using a very aggressive 'bot/spider' that seems to completely ignore robots.txt instructions. The reasons for this behaviour are still unclear, speculation is that it's done to seek out potentially infringing copyright material because the trail leads back to law firms that deal specifically in Intellectual Property.

It's a long convoluted story (see below) because, although there are business records registered with various State agencies in the USA (notably California and Delaware), there doesn't appear to be any other business presence to be found, anywhere. Not in any Yellow/White pages, local business listings, nothing, just a PO Box No. If one searches "Kintiskton LLC" all that crops up are web site owners concerned over the massively disproportionate amount of bandwidth this bot uses up as it data mines its way through peoples properties.

So what's new since then? MCI Communications Services Inc. appear to have another tentacle, "Big Sky Investment Hospitality Inc", doing a similar thing to Kintiskton as it also appears to be spidering web sites using a range of different IP addresses and ignoring robots.txt. BSIH Inc is apparently an investment firm (according to some initial searching), but having a tie-in to MCI makes ones spider-sense tingle. There is potentially a website but the domain details don't match other information on BSIH (it's seriously old-skool for an investment company!).

With regards to Kintiskon LLC; they've since changed their registration agent (the entity that handles their legal paperwork etc), previously this was "The Corporation Trust Company" (ctadvantage.com), now it's "Corporation Service Company" (cscglobal.com). This may not mean anything in of itself other than changing providers as is their want, but these two registration companies appear to service most of the top 1000 businesses in the USA.

It's all pretty annoying stuff. The bots can be blocked by adding the following ranges to .htaccess or hosting controlpanels;

Quote
OK, first the 'warning'.

If you run a blog that has a lot of content, notably images - photos, graphics and so on, you need to block the following IP range in your .htaccess file;

Code: [Select]
IP range: 65.208.151.112 - 65.208.151.119
The 'short' reason is because that range of addresses has been associated with (what could be construed as DDoS) 'attacks' on web sites whereby the 'spider' (bot) operating from those IP's searches web sites, notably blog's, in a very aggressive fashion looking for 'content' (more on this in a second).

I use the word "aggressive" to highlight the potential seriousness of what this spider is doing; it's reading all the content you may have sitting on your server, not just some, or the content you have publicly visible, but ALL - it's ignoring any 'restrictions' that may be in place to deny access to normal 'spiders' and 'robots' in a robots.txt file. What this means for web site and blog owners is that it can chew through Gigabytes of bandwidth in a very short time frame; hundreds of MB in minutes, so, if your host is anything like mine an 'attack' of this nature will engage a 'safety protocol' which disables a site because it sees that as very suspicious activity. Or, you sites daily/weekly/monthly bandwidth will be used resulting in either a site lock down or you footing a huge bandwidth bill at the end of the month.


Now for the long explanation.

I was looking through the site stats for my web site the other day and noticed a massive spike in page loads/views. Whenever something like that happens I've got into the habit of checking it out to make sure nothing untoward is going. In this instance there was; the site was being hit several time by each of the seven IP addresses in the range mention above. Normally there's nothing odd about this except on this occasion the referrals were all 'raw', by that it's meant that visitors to the site were in effect opening the site directly rather than linking in from anywhere - which is usually what accounts for a spike; a page from your site being listed on Digg, MySpace or some other such traffic magnet.

First thing is to do something called an "IP lookup" to see if an 'entity' can be had which gives you a point of reference on what to do next, so in goes 65.208.151.118, which returns the following;

Code: [Select]
IP Address : 65.208.151.118
Host : 65.208.151.118
Location : US, United States
City : Diamond Bar, CA 91765
Organization : Kintiskton LLC
ISP : Verizon Business

So Kintiskton LLC is located in Diamond Bar, California, USA. Well no, it's not. Searching the 'Net for additional information on this reveals different geographical locations for Kintiskton LLC, one has it in Campbell, California, and my own double checking at time of writing this news item had the LLC in Las Vegas, Nevada. Good job I copy/pasted the results otherwise I'd be thinking I made a mistake. Kintiskton LLC is astonishingly mobile!.

A name means being able to investigate further, a check against company records in fact. This took a bit of doing as Kintiskton didn't show up in any corporate registry that I searched, it took another blog to threw up some information revealing that the LLC was registered in Delaware, sure enough searching the Department of Corporation on Delaware.gov returns the following;

Code: [Select]
File Number : 4540856
Incorporation Date / Formation Date : 05/01/2008 (mm/dd/yyyy)
Entity Name : KINTISKTON LLC
Entity Kind : LIMITED LIABILITY COMPANY (LLC)
Entity Type : GENERAL
Residency : DOMESTIC
State : DE

What's more, Kintiskton has an 'agent' that presumably 'manage' the corporate paperwork;

Code: [Select]
Name:THE CORPORATION TRUST COMPANY
Address: CORPORATION TRUST CENTER 1209 ORANGE STREET
City:WILMINGTON
County:NEW CASTLE
State:DE
Postal Code:19801
Phone:(302)658-7581

And they have a web site - ctadvantage.com. So what do they do? Amongst other things CT are...;

Quote
"... a Wolters Kluwer business, provides intelligent software and service solutions that empower legal professionals to more effectively manage dynamic information, speed workflows and make critical decisions ... and electronic discovery solutions; and innovative trademark research offerings ... CT is part of Wolters Kluwer Corporate Legal Services."

But wait, it does get even better than this. Try a traceroute on any one of the suspect IP's and it terminates at alter.net, if you type that URL it open Verizons home page. The "whois" on the traced IP confirms "Verizon Business", or more precisely, "MCI Communications Services" which trade as "Verizon".

Another name, another check. Performing a domain look-up on alter.net returns the following (results are truncated for convenience - my emphasis added);

Code: [Select]
Registrant:
Verizon Business Global LLC

Domain Name: alter.net
Registrar Name: Markmonitor.com
Registrar Homepage: http://www.markmonitor.com

Administrative Contact:
Domain Administrator
Verizon Trademark Services LLC
1320 North Court House Road
Arlington VA 22201
US

Who are MarkMonitor? Well;

"... is the global leader in enterprise brand protection. More than half the Fortune 100 depend on MarkMonitor to help safeguard their brands online." [link (http://www.markmonitor.com/products/online_trademark_protection.php)]

Quote
"Combining the widest and most frequently updated sources of online information with unique, proprietary analytics for identifying and prioritizing trademark infringement, Online Trademark Protection enables companies to prevent potential trademark abuse, detect it quickly when it happens, and respond swiftly and efficiently with automated and managed brand enforcement services".

So what has all to do with Kintiskton LLC? I'm not entirely sure at the moment except to say that all of these companies seem directly linked to or associated with Verizon in a greater capacity that just domain name administration and management. One also can't ignore the obvious observation that The Corporation Trust Company and MarkMonitor are both law firms or 'agencies' within the realms of copyright and trademarks enforcement so it looks like Kintiskton LLC may very well be the 'investigatory' arm of this whole operation, sending out an abusive and aggressive search spider that's for all intents and purposes is forcing entry whilst sniffing out copyright and trademark infringements. Their, or it's actions, do raise serious questions over what and how it's doing it's work - privacy advocates would throw a fit finding this stuff out!.

Almost forgot. Adding to the apparent confusion. Search the IP address and you'll get another company pop up by the name of "Jarvis Universal Purchase Co.", nothing unusual in of itself except that this reference goes back to the early last year, and again, using the same IP range.

There are also a couple of "Kintiskton" derived domain names, none of which appear to correlate with the company registration information mentioned above; kintiskton.com is registered to "World Intellectual Property Protection Organization" in Australia, which in reality appears to be someone that's simply squatting the domain. Kintiskton.org forwards to edition-on.net a company in Slovenia. Kintiskton.net is registered to some chap in Ohio. Overall these registrations appear to be nothing more than opportunist domain name squatters trying to capitalise on a problem.
Title: Re: Kintiskton LLC & Big Sky Investment Hospitality Inc
Post by: kat on February 09, 2012, 06:28:41 AM
Seems like Kintiskton (http://www.katsbits.com/smforum/index.php?topic=293.msg1649#msg1649)* are at it again with a new set of IP ranges. Bear in mind that if these ranges still appear in forums 'traces' after being added to .htaccess, it may be the sites cache not clearing rather than the IP addresses somehow bypassing "deny from..." instructions. Anywho, new IPs are;
The Arin registration details are a little odd considering the history of this dating back a good few years; why "Registration Date" is listed as 2011-12-08" I've no idea (by the way, is that 12th of August, or 8th December 2011? American dating is rather confusing at times).
Quote
Name   Kintiskton LLC
Handle   C02904464
Street   PO BOX 7360
City   MOUNTAIN VIEW
State/Province   CA
Postal Code   94037-7360
Country   US
Registration Date   2011-12-08
Last Updated   2011-12-08
*circular link back to first post