Blog for hpHosts, and whatever else I feel like writing about ....

Saturday, 30 January 2010

Full Circle Magazine: Issue 33

Issue 33 is out: creating a media center, education, and sync

A new month (well, in two days) and a new magazine issue is out.
This month, we’ve got:

- Command and Conquer.
- How-To : Program in Python – Part 7, Create A Media Center with a Revo, Ubuntu and Boxee, and The Perfect Server – Part 3.
- My Story – Ubuntu in Public Education, and Why I Use Linux.
- Review – Exaile.
- MOTU Interview – Didier Roche.
- Top 5 – Synchronization Clients.
- Ubuntu Women, Ubuntu Games and all the usual goodness!


Get it while it's hot!

Issues 0 - Current



Spambot Search Tool: v0.43

* Fixed bug when SBST run on Windows Server systems (doesn't seem to like some of the error handling)
* Fixed Colours for new manual submission ;o)


As if by magic .....

... awww, did my last post annoy someone? T'would seem so, as I noticed the following new user registration whilst going through the new accounts;

Recognize the IP range? (same IP as the Craigslist fraud rubbish, and same range as Blackhatworld - both mentioned in the previous post).

Friday, 29 January 2010

Craigs List: Allow me to beat you over the head (softly of course)

I received an e-mail around 30 mins or so ago, pointing me to The individual that reported it had been called by someone referencing this site, claiming to be an employee of Craigs List.

I did a little digging and yep, it's a phishing scam. I decided to call Craigs List to inform them of the site, and the additional stuffage I found - a decision I was about to regret. Calling the US from the UK isn't cheap, so Craigs List leaving me on hold to wait for an operator, for 25 mins, to then be told AFTER the 25 mins, and AFTER the damn automated voice told me I was "now first in the queue", that there were no CS reps available and to leave a message, has me more than a little annoyed with them.

Dear Craigs List, if you're going to provide a phone number, and going to tell people they're in queue - don't then proceed to tell them there's no-one available, that just annoys the hell out of us. Tell me as soon as the damn automated service answers, and I'll be happy with that, I understand sometimes call centers/offices get extremely "busy" (I've had my share of having to try getting through to BT ;o)). I'd ask why these companies don't just hire more staff if they can't deal with the call volume, but we know the answer to that so let's not bother.

Anywho, the site in question,, resides at (AS46664 VOLUMEDRIVE - VolumeDrive). Looking at its DNS servers showed quite an interesting little relationship. The site's WhoIs is privacy protected, but the DNS servers' WhoIs isn't. The DNS servers' domain, resides at the same IP and is owned by;

Melissa Walker
P.O, Box 122
La Crosse, Kansas 67548
United States
+785 623-8544

If we do a little digging on this one, we see not only are they running a "work from home" scam;

But more interestingly, there's also a tie to (amongst others), which resides on the same /24 (, and which is known for everything from fraud to malware and everything else in between.

I'm working on gathering a list of domains owned by "Melissa Walker" (pretty confident the WhoIs details are faked), and will post those as soon as I have gathered them. In the meantime, I'd suggest blocking this entire /24 as I'm not seeing any legit domains residing there.

If you have received an e-mail, or received a phone call, offering anything to do with work from home rubbish, or from someone claiming to be from Craigs List (or any other company), HANG UP!. DO NOT engage them, DO NOT reply to them, and NEVER give them any credit card etc details (doing so opens you up to the risk of identity theft), and if they're claiming to be calling on behalf of Microsoft, Malwarebytes or any other IT/security company, DO NOT give them remote access to your computer (neither Microsoft, Malwarebytes nor any other legit company I'm aware of, will cold-call you).

If someone is calling or e-mailing, claiming to be from a company you are used to dealing with, ask for their name, then hang up and call the company using the number you usually use to deal with them (and this especially goes for those times when they're claiming to be from your bank etc).

Remember: Legit companies should NEVER call you unless YOU have asked them to (i.e. they're returning your call), and even then - always treat them with the utmost suspicion.

Side note: The same content that's at was also previously at (Cached on Jan 15th 2010, but this site whilst still registered, currently does not resolve)

Pinball Publisher Network: The ghost of Zango toolbar has a Facebook fan page

Here’s something they don’t teach in marketing 101: If you’re pushing software that no one wants -- like, say, annoying adware -- and your downloads are going nowhere, what do you do?

Answer: you push somebody else’s popular software AND BUNDLE YOUR CRAP WITH IT!

Remember Zango? It was that irritating adware company that spent years and a million weasel words trying to make its operation seem legitimate. It was fined $3 million in 2006 by the U.S. Federal Trade Commission and it unsuccessfully sued anti-virus vendor Kaspersky in Federal Court in 2007 for calling the Zango malcode “malcode?” After several years of sagging revenue amidst a larger collapse of the adware industry, the company finally folded and sold its assets at fire sale prices last April. (Sunbelt Blog story here. )

The buyer, Pinball Publisher Network, is still distributing Zango and sadly enough it still offers users nothing of any value, which is why PPN offers Open Office, 7-Zip and Firefox bundled with it. PPN and its affiliates are simply trying to piggyback on those programs and in the process, leech from their value and good name.


Tuesday, 26 January 2010

Info: hpHosts server downtime

Just a note folks, I'm beginning the conversion of the hpHosts databases as I write this, so the hpHosts website will be down for the next few hours whilst the conversion takes place.

Monday, 25 January 2010

vURL Online: Now back online

I've just gotten back folks, and am happy to announce, vURL has now been fully converted to MySQL, and is now back online.

Please let me know if you notice any problems.

Sunday, 24 January 2010

The Great 99 Cent Software Experiment of 2010

I’m curious and thinking a crazy single day experiment could be fun and may be worth the risk. So what the hell. If you want to upgrade to WinPatrol PLUS on January 29th, I’ll give you a lifetime WinPatrol membership for less than a dollar. Instead of the regular price of $29.95 I’ll provide a coupon on that brings the price down to $0.99 USD. That comes out to approx. .70 € to our international friends

This will be a one-day only “experiment” starting at midnight EST on Jan 29th and will last 24 hours. Will over 30 times the normal number customers upgrade to WinPatrol PLUS? If so, will other software developers notice?

Like our current $30 plan, the 99¢ license will be good for life. Like sales in the App Store or Droid Market however, this license is only valid for a single computer. Coupons are also limited to one per customer. Sound fair enough? If you’ve been someday planning on upgrading to WinPatrol PLUS, January 29th is the day to remember. Just go to this Friday and you may be a part of history

Saturday, 23 January 2010

Enigma Software Group: So much for "building relationships"

I'll not go into the ESG/SpyHunter history, you can read about that elsewhere. Suffice to say, after discussions with Enigma Software Group, and changes they made, I removed them from hpHosts back in 2008;

So you'll forgive me for being surprised to receive an e-mail from their lawyer, threatening to sue me. I did however, find it funny that a lawyer working in the security field, would've sent an e-mail with a PDF attached, and the content of the e-mail being simply;

Dear Sir

Please see attached letter.

Yours faithfully

Dominic Bray

Needless to say, this is hilarious. There are millions of e-mails floating round with malicious PDFs attached, and simple sentences such as the above. At first I thought it was a spear campaign, given my name was in the subject line, but alas nope - it was to be far from funny.

ESG and their lawyer have demanded that I do the following by Tuesday, else they're taking me to court;

1. Remove the reference to SpyHunter from the FSA description (this is the *only* thing I did wrong - I forgot about its being there when I delisted them, plain and simple, and I removed them when I got the e-mail, all ESG had to do was drop me an e-mail)

2. Remove the following 3 sites, which they're now claiming are theirs;

FYI, these DO NOT make any mention of their being owned by ESG, they're affiliate sites, or were last time I spoke to Alvin. Aside from this, they're listed because they fail to clearly mention the user has to pay for whatever the program finds, and fail to mention the relationship to ESG - both of these are misleading and covered under the FSA classification

As I told them, I would've included these sites regardless of the product they're peddling, due to the methods in which they're doing such.

3. Send them an apology worded as;

"I accept that Enigma Software Group's product, SpyHunter, is not a rogue, bogus or fraudulent application, and should not be classified as one.

I regret that I have previously criticised Enigma Software Group and that I made a number of incorrect statements about them and their products. Many of these statements were inaccurate and portrayed Enigma Software Group in a particularly unfair light, for which I apologise."

And yep, they worded that for me, how nice. However, I've not said ESG/SpyHunter are rogue/malicious since prior to their removal in 2008, indeed I stated both on my site and my blog that they were no longer considered such, and clarified that after hearing from a Mr Criswell earlier this year.

I am happy to apologise for forgetting to remove the word SpyHunter from the FSA classification description, but I'm not going to apologise for something I've not said or done.

4. To post said apology on the hpHosts website (or at least, I'm assuming it's the hpHosts site they want it on, they never specified which of my sites they wanted it on)

5. To post an apology to each one of the following;


Here's the problem with this one - I've not rated anything on SiteAdvisor for as long as I can remember, and I've certainly not rated anything to do with ESG/SH on SiteAdvisor. I'm guessing the comments they believe I posted, are those that have been posted by other people, and happen to reference hpHosts. Sorry ESG, I'm not going to be held liable for something OTHER PEOPLE have posted.

6. "Not to make any statement, whether written, oral or otherwise, which is defamatory of or represents a malicious falsehood about ESG"

Again, I've done no such thing.

7. "Not to allege in any way that the current version of ESG's SpyHunter software is "rogue" or "malware" or any other kind of harmful software"

And again, I've done no such thing.

8. "Within 14 days of notification of the amount, to provide my proposals for paying ESG its legal costs incurred in relation to this matter"

Err, I guess ESG have forgotten hpHosts is a non-profit "hobby" site, and as such, doesn't make any money. Not sure what they're expecting me to pay them with.

9. "To provide, by Friday 29 January 2010, my proposals for compensating ESG for damage caused to it as a result of the defamatory allegations and malicious falsehoods published on the Website; and"

And again, hpHosts != making money.

10. "To agree to incorporate the above in a court order if so required by ESG."

Needless to say, the only thing I've done wrong here, is forgetting to remove a single word from the FSA description - that's it. I've not said ESG/SH are rogue, I've not said they're malicious, I've not posted anything claiming they're rogue/malicious to SiteAdvisor, or anywhere else for that matter.

Alas it seems ESG have decided they don't want to build relationships within the security community, they just want to sue everyone instead. Guess we know who their next target is going to be. I am wondering why they've chosen to threaten to sue me however, given I found a lot of sites where people *have* called them rogue/malicious within the past 1-6 months! (i.e. not 2 years ago!).

Thursday, 21 January 2010

SEVAHOST-AS Seva-Host Ltd (AS49313) and SMS Fraud

I received an e-mail earlier, pointing to an Angelfire hosted site;

Expecting malware or fake meds, I decided to take a look to see which of the two it was. Surprisingly I was wrong - it was neither. The site leads to, a site completely in Russian (and annoyingly, given most of the text is actually image based, untranslatable with Google). Remembering a previous episode and something my friend Dmitry at Kaspersky advised me, I took a closer look. claims to offer a program for your mobile phone, that will allow you to see through everyone's clothes (errr, yeah, you can see where this is going). Indeed, shown on the site is a woman dancing, and someone holding a phone in front of her, showing her clothing magically removed whilst she's dancing, and all via the program offered by the site.

However, to get this miracle program, you've got to send them an SMS at a charge of approx £0.14GBP. The real cost however, is likely MUCH higher (indeed, the one Dmitry looked at for me, actually cost you closer to £5, though that one was claiming to be a rogue!!, ah the joys).

The short codes (numbers) you are told to send the SMS to (for those in the UK) are 79067 or 69067. There is of course, a list of others (/download.php), that appear to be used for other countries;

NB: The numbers encased in [], match up with the short code, cost, country etc

var jph = new Array();
var japh = new Array();
var jm = new Array();
var jv = new Array();
var jc = new Array();

function getText(id)

The scam is run, from what I can find, by Sergey S Pirozhnikov (, owner of and (and several others apparently, still looking into that), registered in 2007 and 2008 via RegTime (surprise surprise) and NAUNET (associated with spam, Zeus and other criminal activities), and hosted at and respectively.

inetnum: -
netname: RM-INVEST
descr: RM-INVEST Ltd
country: RU
admin-c: PIRO1-RIPE
tech-c: PIRO1-RIPE
source: RIPE # Filtered

person: Sergey Pirozhnikov
address: Kazanskaya, 7,
193000 St.Petersburg,
phone: +7 (911) 400-16-11
nic-hdl: PIRO1-RIPE
source: RIPE # Filtered

descr: Wahome IP's =)
origin: AS41947
source: RIPE # Filtered

You'll also have noticed the link to, which as you've guessed, is also involved. was also registered in 2008 (again via NAUNET) by someone that apparently doesn't want to be known. It's hosted at

Getting back to et al. They do of course, provide a "rules" page, which when translated reads (I've formatted it for readability);

Terms of Use


Terms of Use Terms This User Agreement (hereinafter "Agreement") governs the relationship between «» (hereinafter "Service" or "Site"), which is located at, and natural or legal person (hereinafter "User") on the Internet.

1. Subject user agreement to the User Services offers its services on terms that are the subject of this Agreement. Agreement may be changed Site «» unilaterally and without notice to User.

2. Description of Services Based on Service Agreement provides its services to users who have access to the Internet and pre-installed software to work with web-interface available exclusively at «» - this is a joke gaming service that gives users access to the Java-application for a fee. provides user access to the Java-application after the payment made by the user. It is a software application provided by the white-pc user how to help to optimize computer performance. Animated objects are part of the registration site.

3. Entry into force, the Agreement shall enter into force as soon as the User acknowledges and accepts the rules of the Site «», by sending an appropriate SMS message. By accessing imply its consent to this Agreement. Using services of Service means that you have read and agree with the Agreement, even if the user has not finished the stage of registration.

4. Obligations and responsibilities of the user after registration user receives a key to access the personal information section. Service reserves the right not to allow the use of certain passwords or remove these passwords without prior notice. User is responsible for the security of your password and all information publicly published by the User through the Service, including but not limited to comments on the Site «».

5. To gain access you need to send 3 SMS to short number. * Price per page of payment is for 1 day. * Access to the software available for 90 (ninety) days. . Lump sum user pays the entire period of use uslugoy. Oplata Service Service To gain access you need to send 3 SMS to short number. The cost of an SMS message to service number 9690 and 9691 is approximately 300 rubles (for Russia);

Info short numbers and tariffs - to Cost of SMS to 7122 for the operator MTS is 258.3 rubles without VAT, for the rest of about 250 rubles depending on the operator. The approximate cost of a SMS to number 1874 for Latvia - 3.3 lats NDS.Ctoimost window without payment is for 1 test. Cost of SMS to 4171 for Ukraine - 30 hryvnia VAT excluding duty to the pension fund in the amount of 7.5% of the cost of SMS without NDS.Pri accessing the subscriber is able to conduct 100 inspections. The exact cost of SMS, you can check with your mobile operator or website:


a) The user uses the service «» at your own risk. Facilities & Services «» The user is provided on an "as is". Service «» does not assume any liability, including but not limited to the search results match the user's request,

b) Site «» represents a source of information that is entertaining. All information presented on this site is partly fictitious and should not be taken seriously;

c) Service «» does not warrant that: services «» will comply with your requirements, the quality of services of Service «» will match User's expectations, the results obtained by the User on the Site «» will be accurate; software bugs in the site «» will be corrected;

d) Service Rules

«» does not return the amount of money spent by the User;

d) Service «» is not responsible for any damages, direct, indirect, actual or consequential damages related to the Service, lost profits and other risks, even if the service and its owners have been advised of the possibility of such damages, or if such damages were foreseeable. Thus, the user assumes all risks associated with use of the Service «».

As you've no doubt noticed, this miracle application doesn't exist at all. You've been scammed, and will continue to be, given it's not a single SMS you've got to send. It's apparently a "joke gaming service" (some joke huh?), that provides you with some "java application" once you've been gullible enough to pay them via SMS.

There is of course, as there always is with this type of thing, a long list of other domains involved, and for your viewing pleasure, here they are.

A few of these are no longer alive (failing to resolve). You'll find the validation results (domains were verified as of a few seconds ago) at;

I'm in no doubt that there's a lot more I've not yet identified.

So who is providing the upstream connectivity for Seva-Host, and why are they allowing this? Well, the connectivity is provided courtesy of AS47143 TDHN Transit Data Hyper Network, an ISP with ties to other well known criminal organizations, such as root eSolutions, Kabelfoon, WEDARE We Dare BV, amongst many others (it's worth noting as well, TDHN also have ties to a plethora of LEGIT companies as well).

A tracert result is also showing Seva-host have connections to UK based firm, Their offices are apparently closed now (ISP's really should learn to run 24/7, abuse and technical issues aren't time specific .....), but I'll be looking into that too.

In the meantime, I'd strongly urge everyone to blackhole Seva-Host Ltd's entire range. There's not a single legit domain present, so you're not going to miss anything.
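
A hosts file blocks by name rather than by address, so a recommendation to block a whole range has to be translated into the hostnames that resolve inside it. The Python below is an added example (not code from this blog or from hpHosts) that does this over a set of validation results and keeps non-resolving names on a separate list; the tab-separated input format, the sample hostnames and the 192.0.2.0/24 range are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample validation results (not data from the original post).
# Assumed format, tab separated: timestamp, hostname, then the resolved IP
# or the literal text "Failed resolution".
SAMPLE_RESULTS = (
    "20100121101501\tsms-app.example\t192.0.2.14\n"
    "20100121101502\tclothes-scan.example\t192.0.2.77\n"
    "20100121101503\tjoke-service.example\tFailed resolution\n"
    "20100121101504\tunrelated-shop.example\t198.51.100.9\n"
    "20100121101505\tmirror.sms-app.example\t192.0.2.14\n"
    "20100121101506\tbroken line without tabs\n"
    "20100121101507\tbad-ip.example\t999.1.1.1\n"
)

# Placeholder range (documentation address space), standing in for a range
# you have decided to block.
BLOCKED_RANGES = ["192.0.2.0/24"]

# Strict hostname check: only names matching this pattern are ever written
# out, so a crafted input line cannot smuggle extra hosts-file entries.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def parse_results(text):
    """Return (records, rejected); a record is (timestamp, host, ip_or_None)."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            rejected.append(line)
            continue
        stamp, host, result = (p.strip() for p in parts)
        host = host.lower().rstrip(".")
        if not (stamp.isdigit() and len(stamp) == 14 and HOSTNAME_RE.match(host)):
            rejected.append(line)
            continue
        if result == "Failed resolution":
            records.append((stamp, host, None))
            continue
        try:
            records.append((stamp, host, ipaddress.ip_address(result)))
        except ValueError:
            rejected.append(line)  # not a valid IPv4/IPv6 address
    return records, rejected


def classify(records, blocked_ranges):
    """Sort hostnames into blocked-range hits, unresolved and elsewhere."""
    networks = [ipaddress.ip_network(r) for r in blocked_ranges]
    report = {
        "blocked": {str(n): set() for n in networks},
        "unresolved": set(),
        "elsewhere": set(),
    }
    for _stamp, host, ip in records:
        if ip is None:
            # Dead today does not mean dead tomorrow: keep for re-checking.
            report["unresolved"].add(host)
            continue
        hit = next((n for n in networks if ip in n), None)
        if hit is not None:
            report["blocked"][str(hit)].add(host)
        else:
            report["elsewhere"].add(host)
    return report


def hosts_file_lines(report, sink="127.0.0.1"):
    """Build sorted, de-duplicated hosts-file entries for blocked-range hits."""
    hosts = set().union(*report["blocked"].values())
    return [f"{sink} {h}" for h in sorted(hosts)]


if __name__ == "__main__":
    recs, bad = parse_results(SAMPLE_RESULTS)
    rep = classify(recs, BLOCKED_RANGES)
    print("\n".join(hosts_file_lines(rep)))
    print("# unresolved, re-validate later:", sorted(rep["unresolved"]))
    print("# rejected input lines:", len(bad))
```

Names that resolve outside the blocked ranges are reported but not written out, since they need to be reviewed on their own merits.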

Wednesday, 20 January 2010

is a bogus ad network

We've seen a number of ads being punted through to legitimate ad networks, but it appears that these are leading to a PDF Exploit (don't visit these sites, obviously!).

For example:



Tuesday, 19 January 2010

Yet another phishing campaign: + Netelligent + +

I received a rather surprising e-mail earlier. Surprising because it was sent to an e-mail address I used specifically for registering on the website a few years ago, and not an address I'd published anywhere (and nope, I'd not given them permission to give it to anyone else).

This particular e-mail is shown to the left, but in short, advertises, which leads to and (SSL certificate for is provided by GoDaddy). These sites are all not surprisingly, involved in fraud.

The people and sites responsible for this are;

(lives at, AS18403 FPT-AS-AP FPT Telecom Company 66-68 Vo Van Tan Ho Chi Minh City Vietnam)
(lives at, FastHosts)

Name Server:
Name Server:
Creation Date: 2010.01.17
Updated Date: 2010.01.17
Expiration Date: 2011.01.17


Registrant ID: RNCV48A-RU
Registrant Name: Kevin Stubbs
Registrant Organization: Kevin Stubbs
Registrant Street1: 23 Bringston Rd
Registrant City: Lancers
Registrant State: Cheshire
Registrant Postal Code: SM2 7LS
Registrant Country: GB

Administrative, Technical Contact
Contact ID: RNCV48A-RU
Contact Name: Kevin Stubbs
Contact Organization: Kevin Stubbs
Contact Street1: 23 Bringston Rd
Contact City: Lancers
Contact State: Cheshire
Contact Postal Code: SM2 7LS
Contact Country: GB
Contact Phone: +44 645 8393820
Contact E-mail:

Registrar: ANO Regional Network Information Center dba RU-CENTER

Oh and yes, the WhoIs details are fake (for starters, 0645 isn't a valid UK dialing code, it was changed to 0845 years ago)

Name Server:
Name Server:
Creation Date: 2010.01.03
Updated Date: 2010.01.04
Expiration Date: 2011.01.03


Registrant ID: LXHHBQO-RU
Registrant Name: Laurie Harford
Registrant Organization: Laurie Harford
Registrant Street1: 72 Sunshine Rd
Registrant City: Torquay
Registrant Postal Code: TQ2 6AM
Registrant Country: GB

Administrative, Technical Contact
Contact Name: Laurie Harford
Contact Organization: Laurie Harford
Contact Street1: 72 Sunshine Rd
Contact City: Torquay
Contact Postal Code: TQ2 6AM
Contact Country: GB
Contact Phone: +44 7976776382
Contact E-mail:

Registrar: ANO Regional Network Information Center dba RU-CENTER

The phone number listed here is valid, and belongs to an Orange Telecom customer (I'd have called it if it weren't 04:00).

A lovely little list of domains they are also the owners of are;

These are all hosted at And who owns this IP? Why, our old friends Netelligent of course.

Other connected domains include;

(AS14280 NETNATION Communications Inc.)
(AS32613 IWEB-AS iWeb Technologies Inc.)
(AS15418 FASTHOSTS-INTERNET Fasthosts Internet Ltd. Gloucester, UK.)

What's funny of course, is Netelligent recently wanted to convince us they were simply victims, and they'd killed off the criminals on their network. Wonder how they're going to explain this one huh? Especially given the history of the particular /24 in question (previously used by US based XLMarketing, who weren't exactly known for legit marketing methods)

/update 14:28 20-01-2010

I called the mobile number for, and not surprisingly, the number no longer exists.

Lunarpages followup

Remember this folks?

Well, I've been seeing more and more sites across LP IP ranges, containing malicious code, and since I'd not heard back from them concerning the sites listed in the above, I decided to go through those previously mentioned back in August last year, to see which are still carrying malicious code. Thankfully, not many have, with most either being cleaned, closed or cleaned and moved elsewhere.

The following are those still carrying malicious code;

The following have all been cleaned, closed down, or cleaned and moved elsewhere;

I've already e-mailed Lunarpages yet again, to see if they're ready to do something about those still affected, and have also mentioned the new ones I've come across (more on that later).

Saturday, 16 January 2010

down

Seems is down at present folks. No idea why, it's resolving just fine, but the server is refusing the connection (checked via several different sources).


It's back folks :o)

Crimeware friendly ISP's: AS8206 JUNIK-RIGA-LV JUNIKNET Autonomous System JUNIK ISP Network Riga, Latvia

And in today's firing line, competing with the rest for the title of world's most crimeware friendly ISP, we have AS8206, Latvian based ISP, Junik-Riga-LV.

Junik is being listed for 2 very specific reasons, they're providing connectivity for;

AS29106 VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
AS49314 NEVAL PE Nevedomskiy Alexey Alexeevich

Oh dear, this isn't going to end well is it?

Neval has been home to a plethora of malicious content over the years, and like a few others, I've not yet seen a single legit domain hosted over there. Criminals they DO however host include the miscreants responsible for the YES exploit pack who are housed at (

Not exactly hiding what they're offering are they? (hat tip to SysAdMini for the heads up)

Then of course, there's the usual selection of rogues such as, which is housed at, or this piece of malicious goodness (sadly, only one vendor is detecting this at the time of writing this), which is housed at which was living on and has now moved to another criminal network, (AS24826 KHARKOV-TERMINALS-AS PE Viktor Nastechenko, see here).

Indeed, I'll tell you what, just pick ANY domain within the Neval network, and you'll find it's involved in malicious activity of one description or another.

And then we get to VolgaHost, which is yet another network whose connectivity is provided by Junik, that doesn't contain a single legit domain. Every single one is involved in either exploits or malware of one description or another (ZeUs and Fragus exploits primarily). For example;

One can't help wondering why Junik are allowing this to continue, especially given neither VolgaHost nor Neval are exactly trying to hide it. Well Junik - care to explain yourselves?

Until they do bother to boot these criminals, I'd personally recommend everyone blackhole their ranges. Sadly, this seems to be the only way these ISP's are going to learn.

Botnet domains + DNS resolution

Just a note folks, whilst investigating why the domains associated with botnets weren't resolving (been receiving a plethora of e-mails for everything from SendSpace to HM Revenue and Customs to HSBC etc etc), I did a check on OpenDNS's servers and discovered an issue with their London based server (still failed to resolve even after a cache check).

All of their other servers are unaffected by whatever is causing the issue, and correctly resolve these domains.

As an FYI, the following is a list of those from the latest e-mails;


Notice of Underreported Income
Obtain Digital Certificate
This Document Contains Important Information
Please read this important information concerning your privacy
Fw: look
Re: your photo
A new settings file for the mailbox has just been released
Hello my friend , you have received a new greeting from somebody who cares you !!!
Fw:'s photo

NB: The subject with "" in it, for those unaware, is the subject used for the OWA lookie-like, and contained whatever e-mail address it was being sent to, i.e.


NB: The URL with "" in it, for those unaware, is the URL used for the OWA lookie-like, and contained whatever e-mail address it was being sent to, i.e.

IP Details:

NB: A few were failing to resolve at the time of posting this, I've included them in the list anyway for the sake of clarity

In case you've not also noticed, those with numbers in the hostname, also appear to be valid where the number is 0-9, for example;

Friday, 15 January 2010

Dear PayPal: What the heck are you smoking?

With the blackhat SEO campaigns taking advantage of Haiti to infect people and rip them all off, you'd have thought PayPal would've had a little forethought before sending this out.

I must ask PayPal, what the heck were you thinking when the thought "Ooooh, lets send an EMAIL to our members, in HTML of course, to ask them for MONEY!".

Anyone ever tell you about phishing scams and the like?

Your sending this e-mail out is beyond belief. If you're going to ask your members for money, for christs sake, at least do it responsibly.

Wednesday, 13 January 2010

Immediate hpHosts server downtime

Just a note folks, the hpHosts server is making some very strange noises (typical, get 2 servers re-built and another decides it wants to be a problem), and doesn't sound too well, so I'm going to take it offline with immediate effect, to take a look and see what the problem is.

I'm not expecting the downtime to be more than 30-45 mins or so.

Tuesday, 12 January 2010

hpHOSTS - UPDATED January 12th, 2010

The hpHOSTS Hosts file has been updated. There is now a total of 118,743 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 12/01/2010 18:00
  2. Last Verified: 11/01/2010 12:00

Download hpHosts now!

Monday, 11 January 2010

Riccom Ltd: Where'd they go?

I thought you guys would be interested in the latest validation results, which shows where quite a few prior Riccom customers have now gone over to. Note: the results do not include PTR details (only did a quick validation as I'm busy with work and hpHosts at present).

The shortlist of ISP's they've moved to are;

1. AS29073 Ecatel (no surprise there)
2. AS29073 Ecatel (no surprise there)
3. AS17431 TONET Beijing TONEK Information Technology Development Company (Previously: AS17620 CNCGROUP-BJ CNCGROUP IP network of Beijing region MAN network)
4. AS39369 PORT80 AB, Sweden Rix Telecom AB, Sweden
5. AS24826 KHARKOV-TERMINALS-AS PE Viktor Nastechenko
6. AS29550 EUROCONNEX-AS Blueconnex Networks Ltd Formally Euroconnex Networks
7. AS16265 LeaseWeb AS Amsterdam, Netherlands
8. AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE (surprise surprise)
9. AS8551 BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone
10. AS21844 THEPLANET-AS2 Internet Services, Inc.
11. AS29550 EUROCONNEX-AS Blueconnex Networks Ltd Formally Euroconnex Networks
12. AS32181 ASN-CQ-GIGENET ColoQuest/GigeNet ASN (Customer Route [BODHOST])
13. AS5577 ROOT eSolutions (nope, I'm not surprised either)

There's a handful presently not resolving, but more interestingly, quite a few still resolving to (the still non-routed) Riccom range.

HostExploit: Top Bad Hosts

HostExploit has provided a facility that now allows you to see which of the ISP's currently online, are within their list of the world's worst. Names you'll currently see include Velcom, Netelligent, ZHM, NetDirect, Neval etc etc etc.

Take a peek, and pop over to their new SiteVet (well, new to me anyway) site, which provides extensive details (some details only provided if you pay a fee apparently) on the hosts in question.

Sunday, 10 January 2010

Crimeware friendly ISP's: RETN-AS (AS9002)

You may be asking yourself, why are RETN-AS being listed as crimeware friendly? Well, to keep this short and simple, I'll tell you - NET-UA-AS limited corp (AS40965 and SOFTNET (AS50073 SOFTNET Software Service Prague s.r.o.).

The SOFTNET range was first seen in November 2009, and ever since then, has served nothing but exploits, rogues, and other malicious goodness. As an example;

Fancy an example of the malicious goodness on the NET-UA-AS range? Ah, go on then;

We're not done however, NET-UA-AS also have ties to other well known malicious networks, such as;

AS24826 KHARKOV-TERMINALS-AS PE Viktor Nastechenko (,

Who house (amongst others) this lovely lot;

Both of these networks are dedicated to malicious activity from what I've seen.

Anyone else seeing a pattern here? It's begging the question of why RETN aren't putting a stop to this. They're the ones providing the upstream connectivity, so surely, as was done to Riccom a few weeks ago, they could shut this lot down?

There's also a connection here, to Rise

Which has ties to NETASSIST (and yep, so 3 of the above). NETASSIST have ties to the likes of root eSolutions and several other Ukrainian AS's;

I'm looking forward to RETN's explanation for this one, whatever it may be.