Find the IP address of a seized website

So your favorite site is now displaying the following message:

This domain name has been seized by ICE – Homeland Security Investigations

In this example we will use the recently seized domain “torrent-finder.com”.

What “ICE” have done is change the IP address that the domain resolves to, to one of their own.

The easiest way to see what the IP address currently is, is by using the “ping” command:

[hm2k@server~]$ ping torrent-finder.com
PING torrent-finder.com (74.81.170.110) 56(84) bytes of data.

--- torrent-finder.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

We can see that the “torrent-finder.com” domain currently resolves to the “74.81.170.110” IP address.

We know this is the incorrect IP as visiting 74.81.170.110 in your browser brings up the “seized” notice.

So what’s the real IP? Here’s how you find out:

First of all you need to Whois the domain name. There are various ways you can do this, from using a program to sending raw commands to the whois server yourself. In this case we will use a whois website:

The Whois record should show the following details which we will find useful:

   Domain servers in listed order:
      NS51.DOMAINCONTROL.COM
      NS52.DOMAINCONTROL.COM

Now, here’s what you do to find the right IP:

[hm2k@server~]$ nslookup torrent-finder.com NS51.DOMAINCONTROL.COM
Server:         NS51.DOMAINCONTROL.COM
Address:        216.69.185.26#53

Name:   torrent-finder.com
Address: 208.101.51.57

So, there you have it: the real IP. Let’s just check that by visiting 208.101.51.57 in our browser.

Ah yes, that’s it, the real site pops up.

Now it’s up to you. To make life easier for yourself you could now go ahead and add these newly found details to your hosts file so you don’t have to look them up again.
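
The comparison done by eye in the steps above, as an added shell example (not code from the original post): it takes the address the system resolver gave “ping” and the answer address from “nslookup” against a named server, skipping that server's own “Address:” line, and reports whether they differ. The sample text is copied from the transcripts above; the function names are made up for this example, and “check_domain” assumes Linux “ping” flags and nslookup output in the format shown above.

```shell
#!/bin/sh
# Added example. Sample text is copied from the transcripts in this post.
PING_SAMPLE='PING torrent-finder.com (74.81.170.110) 56(84) bytes of data.'
NS_SAMPLE='Server:         NS51.DOMAINCONTROL.COM
Address:        216.69.185.26#53

Name:   torrent-finder.com
Address: 208.101.51.57'

# Address the system resolver gave ping: "PING name (a.b.c.d) ..."
ping_addr() {
    sed -n 's/^PING [^ ]* (\([0-9.]*\)).*/\1/p' | head -n 1
}

# Answer addresses from nslookup output. The first "Address:" line is the
# queried server itself (note the "#53"), so only count lines after "Name:".
answer_addrs() {
    awk '/^Name:/ { seen = 1; next }
         seen && /^Address(es)?:/ { print $2 }' | sort -u
}

# compare_answers <ping output> <nslookup output>
# Prints MATCH, DIFFERS or UNKNOWN; returns 2 when nothing could be parsed.
compare_answers() {
    resolver_ip=$(printf '%s\n' "$1" | ping_addr)
    direct_ips=$(printf '%s\n' "$2" | answer_addrs)
    if [ -z "$resolver_ip" ] || [ -z "$direct_ips" ]; then
        echo "UNKNOWN: no address parsed"
        return 2
    fi
    if printf '%s\n' "$direct_ips" | grep -qxF "$resolver_ip"; then
        echo "MATCH $resolver_ip"
    else
        echo "DIFFERS resolver=$resolver_ip direct=$(echo $direct_ips)"
    fi
}

# Live check (needs network; assumes Linux ping flags):
#   check_domain <domain> <nameserver>
check_domain() {
    compare_answers "$(ping -c 1 -W 2 "$1" 2>/dev/null)" \
                    "$(nslookup "$1" "$2" 2>/dev/null)"
}
```

Calling compare_answers "$PING_SAMPLE" "$NS_SAMPLE" prints a DIFFERS line, which is the mismatch between 74.81.170.110 and 208.101.51.57 described above.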

It doesn’t work!?

Unfortunately, this doesn’t work for every domain as “ICE” seem to have changed some domains (e.g. cartoon77.com) to have NS1.SEIZEDSERVERS.COM and NS2.SEIZEDSERVERS.COM as the name servers.

A little setback; however, a little fishing on Google and you will soon come across the correct name servers.

[hm2k@server ~]$ nslookup cartoon77.com NS1.DNSPOD.NET
Server:         NS1.DNSPOD.NET
Address:        121.12.116.83#53

Name:   cartoon77.com
Address: 174.137.55.5

Again, that’s the real IP. However, with this one you’ll have to add it into your hosts file for this to work, which should look like this, for example:

174.137.55.5 cartoon77.com
174.137.55.5 www.cartoon77.com

Hey presto! Get to your favorite seized sites in a couple of clicks.

Update

Based on this I have now started a project that provides you with an alternative hosts file as a workaround.

Enjoy!