Grooveshark.im: What a DNS Sinkhole Looks Like, Or, Adventures in Censorship



I had an interesting time of it recently, on the World Wide Web, as I was attempting to check out the latest instantiation of the renegade undead Grooveshark.  You probably know that the popular music streaming site was shut down for good on April 30. 

You may not know that almost immediately, another one sprang up in its place. 

I was first hipped to this phenomenon by Digital Music News http://www.digitalmusicnews.com/permalink/2015/05/19/grooveshark-vc-dies-grooveshark-im-surfaces.  Here is an excerpt from Torrentfreak on the ongoing situation: https://torrentfreak.com/record-labels-sue-new-grooveshark-seize-domains-150515/

So I decided I would check out this supposed 'new' Grooveshark – and, since things got ...interesting, to report on what I had found.
 

Grooveshark.im : 50.116.111.75 -- courtesy Robtex.com

This is not about or because of the music -- others have reported on this; I hear mp3s were ripped from somewhere.  This incarnation was never functional for me as a music site. I miss the old Grooveshark, I really do. (I heard one can still get playlists.... ) But my browser has been found out -- too old, perhaps finally, though I suspect I have yet a trick or two up my sleeve.  (It wasn't too old for the old Grooveshark.) 

No -- instead, I want to illustrate what it looks like when DNS is sinkholed. I think the information may stand you all in good stead one day in the not too distant future, for some reason.
 
So it goes like this:

I try to go directly to http://grooveshark.im.   'It's a trap,' I am informed by my version of Firefox.  More on that in a little bit.   For now, no Grooveshark, so I keep trying.


I try to use cURL, through the 'NIX terminal, and at first get nothing. I look up the site in Robtex.  It looks a little odd ---  but there it has that IP. So I do a traceroute, both as myself, and through the use of a remote traceroute server.  Mine never completes, at least at first; later it does, though I get the same results through my browser.   But there is something definitely there.

Thinking the site may actually be dangerous (I do take the warning seriously) I thought, before I access it directly, let's try getting just the source over the web.

After all, webmasters have special software and equipment to handle the Evil, right?

My favorite online tool for this is Hurl.it, which will call a page you specify with parameters you specify using the syntax of cURL.  This allows you to set user agent, referer, cookies, even what offset to continue at, what data to upload, and what type of authentication to use, if you know what you're doing.  (Mastering cURL syntax is one of the most incredibly rewarding things you can do for yourself, if you like that sort of thing, that is.) 

No dice.

 

No dice using the IP address either.

So, getting bolder, I use that IP address in terminal, and get some source code.  Save it and view in terminal, and it is for this strange cgi-generated page:

Meanwhile, a computer running Windows was able to just go directly to the site, like that, no problem.  He had to manually remove the 's' in https, that's all.  He was picking out songs and everything.  Same local network.
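Added example (not part of the original post): the checks above, name versus IP address and local lookup versus Robtex, can be scripted as a comparison between what the system resolver returns and an independently obtained address. The function names and verdict labels are assumptions made for this sketch; the reference address is the one the post quotes from Robtex.

```python
import ipaddress
import socket

# Address the post reports for grooveshark.im (from Robtex).
REFERENCE_IP = "50.116.111.75"


def resolve_local(hostname):
    """Return the IPv4 addresses the system's configured resolver gives."""
    try:
        infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # NXDOMAIN, SERVFAIL, or no network at all
    return sorted({info[4][0] for info in infos})


def classify(local_answers, reference_answers):
    """Compare the resolver's answers with independently obtained ones."""
    if not local_answers:
        return "no-answer"
    local = {ipaddress.ip_address(a) for a in local_answers}
    reference = {ipaddress.ip_address(a) for a in reference_answers}
    if local & reference:
        return "consistent"
    if all(a.is_loopback or a.is_private or a.is_unspecified for a in local):
        # 127.0.0.1, 0.0.0.0 or RFC 1918 space for a public site: the usual
        # shape of a sinkholed or blackholed answer.
        return "non-routable"
    # A public address that differs from the reference: either a redirect to
    # a block page or an ordinary hosting change. Needs a second source.
    return "mismatch"


if __name__ == "__main__":
    answers = resolve_local("grooveshark.im")
    print(answers, classify(answers, [REFERENCE_IP]))
```

A "consistent" verdict alongside a browser warning means the name resolves normally and the block is being applied somewhere above DNS.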

So I go back and just enter in the address, and look at that warning that Firefox throws up. It doesn't look like the normal error message from Firefox.  Here, for comparison, are a few versions of the error messages with which I am familiar.






 And here is the error I received when attempting to access Grooveshark.im:
 

I decided to try a web proxy, and, despite noticing a warning or two, went with an old favorite, Anonymouse.  I figured that I just wanted to see if I could get the page, at this point, and would deal with the finer details later.  Anonymouse did in fact deliver the goods.


It should be noted that my fellow Windows computer abandoned the site, before streaming any music, after they required an upgrade to Firefox -- which was already upgraded! So perhaps they aren't 'specifically too good,' to understate the matter -- but why block my computer from the ISP level and allow another on the same network to merely hack the URL?

The observant will note that all the examples of the warning error message above include, somewhere on the page,  an option to circumvent the block and load the page anyway.  The last error page does not.  It simply includes a button that opens up a comment form: a textbox that appears when you click on 'Tell us'.

I decided to write them a little note, whoever 'they' are.

I thought I would reproduce it here.




Comments always welcome. Contact me on twitter or email me should there be a problem with the comment system.

Be seeing you.