# Is the White House Vulnerable to an Exploit I Developed?
## Short answer: No.
## Long Answer: No but with OSINT.
So I've been examining a piece of software that I've submitted a few CVEs for and plan on posting about soon, but in the meantime I'd like to cover a little OSINT tangent I went on. This will outline how I tracked down the probable location of a server, starting from an odd pin placement in Shodan, using a couple of tools.
- [Shodan.io](https://www.shodan.io/dashboard)
- [Hurricane Electric BGP LookingGlass](https://lg.he.net/)
- [PeeringDB](https://www.peeringdb.com/)
- [Data Center Map](https://www.datacentermap.com/)
In short: first we check the geolocation from a few services and try to cross-reference it with data centers in those areas. Then, unsatisfied, we check online BGP tools for the next-hop router from the ASN our target IP is in and cross-reference that against the exchanges visible in PeeringDB. Finding a matching IP, we go see what facilities are connected to it. We get an aggregate group of facilities where the provider for our IP has a network presence, and then check those facilities in Data Center Map to see in which co-location facility the cloud provider actually has a presence listed.
---
## First Look
When I started testing the software I decided to look over how much coverage it had.
This is what Shodan has to say. Lots of coverage in China, moderate coverage in the U.S., Germany, and sparse coverage in a few other places.
Oddly, the bulk of US coverage seems to be centered around Washington D.C., but I'll explain that later.
What's that one little odd dot dead center?
Is that... the White House?
Well that's certainly something. To me that seems simultaneously wildly unlikely, but also specific enough that it's not a completely random mistake.
> https://www.shodan.io/host/47.89.183.149
Above is the info that Shodan has.
So it's hosted in Alibaba Cloud infrastructure? Then this location makes even less sense.
---
## IP Geo-Locators
So let's check it against two IP geo-locators and see what data centers are in the area.
### **Option 1**
### **Option 2**
Option 1 has many candidates, and Option 2 has just one, so let's try to rule that one out first.
Here's that data center's company: https://www.globalinxdatacenters.com/
It *would* make sense for an international cloud provider to host in a data center that's "Just a few yards from the Spanish Subsea company, Telxius Cable Landing Station (CLS)". Let's see if we can verify this.
> https://www.peeringdb.com/fac/7073
So the PeeringDB doesn't list Alibaba as one of the networks in this facility. That rules that one out. OK, let's see if we can pin down what direction this thing is in.
---
## ISP Enumeration
Okay let's try another method. I tried a number of probes from [Hurricane Electric's traceroute](https://bgp.he.net/traceroute/) but the last few hops are always obfuscated.
```
Traceroute from 171.67.70.16 to 47.89.183.149
Using RIPE, Probe 6525
STARTED QUERY AT 2025/06/23 05:59:22 UTC
Fetching Measurement: 111499624
Traceroute from 171.67.70.16 to 47.89.183.149 (47.89.183.149):
1 sw-tor-01.esrg.stanford.edu (171.67.70.1) 0.28ms * *
2 * 10.214.4.253 0.607ms 0.404ms
3 he-rtr-vlan12.SUNet (171.66.0.209) 1.48ms 0.623ms 0.606ms
4 * e0-62.core2.pao1.he.net (184.105.177.237) 1.041ms 1.086ms
5 port-channel6.core3.sjc1.he.net (184.104.195.113) 1.349ms * *
6 * port-channel13.core1.fmt2.he.net (184.104.188.144) 1.662ms *
7 * * *
8 port-channel7.core3.mci3.he.net (184.104.195.214) 36.392ms 36.612ms *
9 * * *
10 * * *
11 47.246.112.197 61.289ms 197.587ms *
12 * * *
13 * * *
14 47.89.183.149 60.635ms 60.778ms 62.858ms
Completed in 107.97s
```
OK, maybe a different method. BGP? God forbid.
So let's toss this in Hurricane Electric's Looking glass.
```
core2.abq1.he.net> show ip bgp routes detail 47.89.183.149
Number of BGP Routes matching display condition : 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH m:NOT-INSTALLED-MULTIPATH
S:SUPPRESSED F:FILTERED s:STALE x:BEST-EXTERNAL
1 Prefix: 47.89.160.0/19, Rx path-id:0x00000000, Tx path-id:0x001d0001, rank:0x00000001, Status: BMI, Age: 65d18h26m51s
NEXT_HOP: 206.126.237.184, Metric: 440, Learned from Peer: 216.218.252.24 (6939)
LOCAL_PREF: 100, MED: 0, ORIGIN: igp, Weight: 0, GROUP_BEST: 1
AS_PATH: 45102
COMMUNITIES: 6939:1111 6939:7496 6939:8840 6939:9001
2 Prefix: 47.89.160.0/19, Rx path-id:0x00000000, Tx path-id:0x000f0001, rank:0x00000002, Status: MI, Age: 33d18h58m43s
NEXT_HOP: 206.126.237.184, Metric: 440, Learned from Peer: 216.218.253.19 (6939)
LOCAL_PREF: 100, MED: 0, ORIGIN: igp, Weight: 0, GROUP_BEST: 0
AS_PATH: 45102
COMMUNITIES: 6939:1111 6939:7496 6939:8840 6939:9001
Last update to IP routing table: 3d16h7m39s
```
OK OK cool, we have a next hop: `NEXT_HOP: 206.126.237.184`. Getting somewhere. This is still HE's infrastructure, but it at least points us in the right direction. (Note that the `6939:1111` communities are Hurricane Electric's own tags, not the ASN or community we want.)
---
## Data Center OSINT
The [PeeringDB](https://www.peeringdb.com/net/6824) page for the Alibaba ASN45102 shows 1 Peering that matches that next hop name.
That rules out a good number of the options from our first search.
This exchange has 3 Local facilities listed:
and the only one with Alibaba listed as a network is [Equinix DC1-DC15, DC21 - Ashburn](https://www.peeringdb.com/fac/1)
and its GPS coordinates are fairly close to the one listed in the first IP locator hit!
[Alibaba's page on their zones](https://www.alibabacloud.com/help/en/cloud-migration-guide-for-beginners/latest/regions-and-zones) confirms the presence of a Virginia zone!
OK, so we know at the very least that this server touches the internet from one of these 16 data centers.
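The chain above (looking-glass route, next hop, exchange LAN, facilities that list the origin ASN) can be scripted. This is an added example, not code from the original post: the route text is taken from the output above, while the exchange names, the peering LAN prefixes, the facilities other than the Equinix Ashburn entry, and the dictionary layout are constructed stand-ins for what you would read off PeeringDB.

```python
import ipaddress
import re

# Route 1 from the looking-glass output above, plus one header line.
LG_OUTPUT = """\
Number of BGP Routes matching display condition : 2
1 Prefix: 47.89.160.0/19, Rx path-id:0x00000000, Tx path-id:0x001d0001, rank:0x00000001, Status: BMI, Age: 65d18h26m51s
NEXT_HOP: 206.126.237.184, Metric: 440, Learned from Peer: 216.218.252.24 (6939)
AS_PATH: 45102
"""

# Constructed stand-ins for exchange records; names and prefixes are assumptions.
IX_LANS = [
    {"ix": "IX-A (constructed)", "prefix": "206.126.236.0/22",
     "facilities": ["Equinix DC1-DC15, DC21 - Ashburn", "Facility B", "Facility C"]},
    {"ix": "IX-B (constructed)", "prefix": "198.51.100.0/24",
     "facilities": ["Facility D"]},
]
# Facilities where the origin ASN is listed as a network (constructed).
NET_FACILITIES = {45102: {"Equinix DC1-DC15, DC21 - Ashburn", "Facility E"}}


def parse_routes(text):
    """Return one dict per route entry: prefix, next hop, origin ASN, best flag."""
    routes = []
    for block in re.split(r"(?m)^(?=\d+\s+Prefix:)", text):
        prefix = re.search(r"Prefix:\s*([\d./]+)", block)
        hop = re.search(r"NEXT_HOP:\s*([\d.]+)", block)
        path = re.search(r"AS_PATH:\s*([\d ]+)", block)
        status = re.search(r"Status:\s*(\w+)", block)
        if not (prefix and hop and path):
            continue  # header lines or truncated entries
        routes.append({
            "prefix": prefix.group(1),
            "next_hop": ipaddress.ip_address(hop.group(1)),
            "origin_asn": int(path.group(1).split()[-1]),  # last ASN originates
            "best": bool(status and "B" in status.group(1)),
        })
    return routes


def candidate_facilities(route):
    """Facilities on the IX whose LAN holds the next hop AND that list the origin ASN."""
    listed = NET_FACILITIES.get(route["origin_asn"], set())
    hits = []
    for lan in IX_LANS:
        if route["next_hop"] in ipaddress.ip_network(lan["prefix"]):
            hits += [(lan["ix"], fac) for fac in lan["facilities"] if fac in listed]
    return hits
```

A next hop that falls in no exchange LAN returns an empty list, which is the cue to look at private interconnects or transit instead of public peering.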
Let's try and narrow it down even further.
One good website for this is [Data Center Map](https://www.datacentermap.com)
But knowing what we know, we can try some more targeted Google searches.
Searching `ashburn data centers "alibaba"` gives us two leads.
1. An AI generated response saying "**Location:** Alibaba Cloud has a data center in Ashburn, Virginia, specifically within the Equinix DC2 facility."
- That's nice and all but... sauce? (source?)
2. A potential source: https://epsilontel.com/solutions/cloud-connect/alibaba-cloud-express-connect/
OK so let's check Data Center Map.
> https://www.datacentermap.com/usa/virginia/ashburn/equinix-ashburn2/ecosystem/
Promising, but clicking into it reveals:
> https://www.datacentermap.com/as/24429/
And that's not quite right. That's not our enumerated ASN45102.
Weirdly enough searching `ashburn data centers "alibaba" "DC2"` gave me this lead.
Sooo... Let's look at DC11 on DataCenter Map
> https://www.datacentermap.com/usa/virginia/ashburn/equinix-dc11/ecosystem/
Which tells us that Alibaba has presence in this Equinix DC11.
That's a pretty solid lead.
Another link from that search shows me that this Alibaba server might be present in [CoreSite Reston VA1](https://marketplace.upstack.com/data-centers/coresite-data-center-reston-va1). However, this is NOT corroborated by either the [PeeringDB](https://www.peeringdb.com/fac/668) or [Data Center Map](https://www.datacentermap.com/usa/virginia/reston/coresite-va1/ecosystem/) entry for that facility.
So, our best guess is Equinix DC11. And yes, without owning the infrastructure ourselves, I believe this is as good as it gets.
---
### But wait, why is it on top of the White House???
IP address geolocation is NOT an exact science. The coordinates returned by any given service (in Shodan.io's case, MaxMind GeoIP) are an approximation based on a number of factors, like where the organization that the blocks were allocated to is located, and whether that organization publishes or discloses any data about it.
MaxMind (who Shodan gets their IP geolocation data from) states "**IP geo-location is inherently imprecise. Locations are often near the center of the population.** Any location provided by a GeoIP database should not be used to identify a particular address or household." in their [Developer Documentation](https://dev.maxmind.com/geoip/docs/databases/city-and-country/).
This alone starts to elucidate the seemingly disagreeing data we'd been seeing.
Virginia Beach is the most populous city in Virginia. So if the geolocation data set only knows Virginia and not a city, it defaults to the most populated city.
If the data set only has Ashburn, and [Ashburn VA is part of the Washington DC metropolitan Area](https://en.wikipedia.org/wiki/Ashburn,_Virginia), then the location assumes the center of the population density of that metro area, and it appears that the default location for that is the White House lawn.
We can see this "bug" in effect here: [How an internet mapping glitch turned a random Kansas farm into a digital hell](https://web.archive.org/web/20160410191721/https://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/)
> As any geography nerd knows, the precise center of the United States is in [northern Kansas](https://en.wikipedia.org/wiki/Geographic_center_of_the_contiguous_United_States), near the Nebraska border. Technically, the latitudinal and longitudinal coordinates of the center spot are 39°50′N 98°35′W. In digital maps, that number is an ugly one: 39.8333333,-98.585522. So back in 2002, when MaxMind was first choosing the default point on its digital map for the center of the U.S., it decided to clean up the measurements and go with a simpler, nearby latitude and longitude: 38°N 97°W or 38.0000,-97.0000.
>
> As a result, for the last 14 years, every time MaxMind’s database has been queried about the location of an IP address in the United States it can’t identify, it has spit out the default location of a spot two hours away from the geographic center of the country. This happens a lot: 5,000 companies rely on MaxMind’s IP mapping information, and in all, there are now over _600 million_ IP addresses associated with that default coordinate. If any of those IP addresses are used by a scammer, or a computer thief, or a suicidal person contacting a help line, MaxMind’s database places them at the same spot: 38.0000,-97.0000.
So what are all these? These are dots on the map from my original search. They all appear a lot closer to the supposed location of the data centers from which they originate. Why are they more specific?
If you click into each one, they show that they're hosted by different cloud providers. The only one located on the White House is Alibaba hosted. This is because they do not provide any more detailed information about geolocation beyond "Greater Washington D.C. Metropolitan Area"
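One way to keep centroid fallbacks from being read as street addresses when enriching hosts with GeoIP data (an added example, not part of the original post). The record layout is a flattened assumption modelled on a city-level lookup with an accuracy radius in kilometres, the 50 km cut-off is an assumed threshold, and every IP and coordinate except the 38.0,-97.0 default from the quoted article is a constructed sample.

```python
from collections import defaultdict

KNOWN_DEFAULTS = {(38.0, -97.0)}  # US fallback point from the quoted article
MAX_POINT_RADIUS_KM = 50          # assumed cut-off for drawing a precise pin

# Constructed lookups: documentation-range IPs, sample coordinates.
RECORDS = [
    {"ip": "192.0.2.10", "city": None, "region": None,
     "lat": 38.0, "lon": -97.0, "accuracy_radius": 1000},
    {"ip": "198.51.100.7", "city": None, "region": "Virginia",
     "lat": 36.85, "lon": -75.98, "accuracy_radius": 500},
    {"ip": "203.0.113.99", "city": None, "region": "Virginia",
     "lat": 36.85, "lon": -75.98, "accuracy_radius": 500},
    {"ip": "192.0.2.77", "city": "Washington", "region": "District of Columbia",
     "lat": 38.9, "lon": -77.04, "accuracy_radius": 200},
    {"ip": "203.0.113.5", "city": "Ashburn", "region": "Virginia",
     "lat": 39.04, "lon": -77.49, "accuracy_radius": 20},
]


def precision(rec):
    """Classify how much the coordinate pair can actually be trusted."""
    if (rec["lat"], rec["lon"]) in KNOWN_DEFAULTS:
        return "country-default"
    if rec["city"] is None:
        return "region-centroid" if rec["region"] else "country-centroid"
    if rec["accuracy_radius"] > MAX_POINT_RADIUS_KM:
        return "metro-centroid"  # city name known, but the point is a metro-wide guess
    return "city"


def shared_points(records, min_hosts=2):
    """Identical coordinates reported for several hosts are likely centroids."""
    by_point = defaultdict(list)
    for rec in records:
        by_point[(rec["lat"], rec["lon"])].append(rec["ip"])
    return {pt: ips for pt, ips in by_point.items() if len(ips) >= min_hosts}


def plottable(records):
    """IPs whose coordinates are city-level and not shared with other hosts."""
    shared = shared_points(records)
    return [r["ip"] for r in records
            if precision(r) == "city" and (r["lat"], r["lon"]) not in shared]
```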
---
This How-To is a bit of a mess, but I hope it shows how you can use a few tools to triangulate the location of a server.
I hope you enjoyed this little OSINT exercise.