Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 29 April 2010

Full Circle Magazine: Issue 36

Please join me in congratulating the editors of FCM (Full Circle Magazine) for reaching their 3rd anniversary.

Let's hope they'll get to including some security related stuffage at some point too ;o)

Wow! I can’t believe it’s been three years. The release of issue 36 (and Lucid Lynx!) marks the 3rd anniversary of FCM. We’ve gone far from those first posts in the Ubuntu Forums and we have you — all of our supporters and readers — to thank for it. (Also, big props to our Full Circle Podcast hosts! If you haven’t, go listen to the latest episode once you finish reading the magazine.) Here’s to many more years and issues!

This month:

• Some thoughts on year three of FCM.
• Command and Conquer.
• How To: Program in Python – Part 10, Retouching in GIMP – Part 3, and Use Google Effectively.
• Book Review – Automating Linux and Unix System Administration.
• MOTU Interview – Jo Shields.
• Top 5 – Scanning Applications.
• Plus: Ubuntu Women, Ubuntu Games, My Opinion, My Story, and all the usual goodness.


Read more
http://fullcirclemagazine.org/2010/04/29/issue-36-and-a-third-anniversary/

Get it while it's hot!
http://fullcirclemagazine.org/issue-36/

Issues 0 - Current
http://fullcirclemagazine.org/downloads/

Forums:
http://ubuntuforums.org/forumdisplay.php?f=270

Wiki:
http://wiki.ubuntu.com/UbuntuMagazine

Tuesday 27 April 2010

Foxit's forced Ask installation, Adobe's bloat with bundling - there is an alternative

Hat tip to Bill for the heads up. I've known about Sumatra for a while, but kept forgetting about it.

Adobe makes extra money every time someone downloads and installs the Google Toolbar. I usually know better but even I didn’t see the check box in my haste to download the most recent Acrobat reader. Given the number of vulnerabilities that keep occurring with the Acrobat reader I always recommend folks check to be sure they have the newest version.

I’ve never been a fan of companies which keep trying to add programs to my autorun list. Adobe Download Manager installs a number of components that run in the background and regularly connect to see if I need my software updated. These include the Adobe Speed Launcher ( read_sl.exe ), Adobe Reader and Acrobat Manager ( adobearm.exe ), AcroIEHelper Library ( AcroIEHelper.dll ) and Adobe PDF Helper ( Acroiehelpershim.dll ) and Adobe Services like GetPlus_Helper.DLL.

Given all the vulnerabilities and extra software, I decided I’ve had enough with Adobe. The PDF format has gotten so popular I would still need a program to view and print PDFs.

Classic Bad Behavior

When discussing this issue on Twitter quite a few people recommended I switch to a PDF reader called FoxIt. This program looked promising especially after I read “NO BLOAT”. They lied.


Read more
http://billpstudios.blogspot.com/2010/04/where-can-i-find-alternate-pdf-viewer.html

Sunday 25 April 2010

Crimeware friendly ISPs: Alantron BLTD

Accredited by ICANN as of March 25th 2010, Turkey-based registrar Alantron (alantron.com, 212.175.233.69 - mailer2.alantron.com, TurkTelecom AS9121) has been a thorn in the side of the internet community, with, so far, not a single legit domain having been registered by their "customers" (that I've seen). Every single one has been either spam/fraud (1, 2, 3), malware (1) or exploits.

If you remember, I reported previously on Alantron's WhoIs service being unavailable, and the good news is, ICANN sent notice to them to correct this on April 16th (PDF here), and checks show their WhoIs is now working (can't take credit for this one, that's thanks to someone else).

Domains known to have been registered by this registrar include several fake AV MITMs, the latest of which, frodocomeon.net (200.63.46.130 - 27716 200.63.46.0/24 Eveloz), was registered on March 17th.

Although only accredited recently, Alantron has been churning out this rubbish for quite a while, and to be honest, this has me puzzled as to what ICANN were thinking when they accredited them.

MDL records show a small amount for this registrar, which is unusual (going to look into that, as I know there's a heck of a lot more), most of which are Zeus related from 2009:

http://www.malwaredomainlist.com/mdl.php?search=alantron&colsearch=All&quantity=100&inactive=on

MalwareURL has even less it seems, so far anyway, all of which are fake AV related:

http://www.malwareurl.com/search.php?domain=&s=alantron&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

I'll get with Anthony (MalwareURL) and fellow MDL admin, Holger, later today concerning this, and will update this blog in due course.

Crimeware friendly ISPs: xorg.pl

I don't speak Polish, but the Google translation suggests xorg.pl advertises itself as a free domain provider, much like dot.tk. The problem of course, is that like dot.tk, their service gets abused to hell and back.

Normally, this wouldn't have earned them a place in the crimeware friendly list. However, an exception has to be made in this case for one specific reason: the malicious "aliases"/sub-domains all point to known malicious IP ranges (e.g. Starnet, EuroAccess). All they'd have to do to stop this is to stop allowing their sub-domains to be pointed toward those ranges, and to implement basic security checks to prevent any scripts redirecting to such, but they've done neither.
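As an added example (not code from this post, and not anything xorg.pl runs), this is what the two provider-side checks described above could look like: refuse a sub-domain record whose target address sits in a listed netblock, and apply the same test to the destination of a URL-forwarding entry. The blocklist ranges, hostnames and the resolver stub are constructed so the example runs offline.

```python
"""Added example, not code from the hpHosts post or from xorg.pl: the two checks
the post says a free sub-domain provider should run before accepting a record,
i.e. refuse A/AAAA targets inside known-bad netblocks and apply the same test to
the host a URL-forwarding entry redirects to. Blocklist ranges are constructed
(RFC 5737 / RFC 3849 documentation space) and the resolver is a stub dict."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed blocklist: (CIDR, label). A provider would load this from its
# abuse desk or from feeds such as the MDL / MalwareURL lists the post links to.
BLOCKED_RANGES: List[Tuple[str, str]] = [
    ("192.0.2.0/24", "constructed-range-A"),
    ("198.51.100.0/24", "constructed-range-B"),
    ("2001:db8:bad::/48", "constructed-range-v6"),
]

@dataclass
class Decision:
    hostname: str
    allowed: bool = True
    reasons: List[str] = field(default_factory=list)

    def deny(self, why: str) -> None:
        self.allowed = False
        self.reasons.append(why)

class SubdomainPolicy:
    def __init__(self, blocked: Iterable[Tuple[str, str]]):
        # Parse once; strict=True rejects sloppy CIDRs such as 192.0.2.5/24.
        self._blocked = [(ipaddress.ip_network(cidr, strict=True), label)
                         for cidr, label in blocked]

    def _blocked_label(self, ip) -> str:
        for net, label in self._blocked:
            if ip.version == net.version and ip in net:
                return label
        return ""

    def check_targets(self, hostname: str, targets: Iterable[str]) -> Decision:
        """Decide whether HOSTNAME may point at the given A/AAAA targets; one
        bad address in a round-robin set is enough to refuse the record."""
        d = Decision(hostname)
        count = 0
        for raw in targets:
            count += 1
            try:
                ip = ipaddress.ip_address(raw.strip())
            except ValueError:
                d.deny(f"unparseable target {raw!r}")
                continue
            label = self._blocked_label(ip)
            if label:
                d.deny(f"{ip} is inside blocked range {label}")
        if count == 0:
            d.deny("no targets supplied")
        return d

    def check_redirect(self, hostname: str, url: str,
                       resolve: Callable[[str], List[str]]) -> Decision:
        """URL-forwarding entries: resolve the destination host and run the
        same netblock test on whatever it resolves to."""
        d = Decision(hostname)
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            d.deny(f"redirect target {url!r} is not an http(s) URL")
            return d
        dest_ips = resolve(parts.hostname)
        if not dest_ips:
            d.deny(f"redirect host {parts.hostname} does not resolve")
            return d
        for why in self.check_targets(hostname, dest_ips).reasons:
            d.deny(f"redirect to {parts.hostname}: {why}")
        return d

    def audit(self, zone: Dict[str, List[str]]) -> Dict[str, List[str]]:
        """Re-check records that already exist; returns hostname -> reasons
        for every record the policy would now refuse."""
        refused: Dict[str, List[str]] = {}
        for hostname, targets in zone.items():
            d = self.check_targets(hostname, targets)
            if not d.allowed:
                refused[hostname] = d.reasons
        return refused

# Constructed stand-in for a DNS resolver, keyed by redirect destination host.
STUB_DNS: Dict[str, List[str]] = {
    "cdn.example.net": ["203.0.113.10"],
    "landing.example.org": ["192.0.2.77", "203.0.113.11"],
}

def stub_resolve(host: str) -> List[str]:
    return STUB_DNS.get(host, [])

if __name__ == "__main__":
    policy = SubdomainPolicy(BLOCKED_RANGES)
    print(policy.audit({"ok.test": ["203.0.113.5"], "bad.test": ["192.0.2.1"]}))
```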

I've been following the fake AVs used in blackhat SEO for quite some time, and one of the major trends has been the increased use of xorg.pl subdomains for the spreading of this rubbish. Just some of which include:


20100425011046 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova fastantivirusscanner15.com.xorg.pl http://fastantivirusscanner15.com.xorg.pl/download.php?id=283

20100425011052 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova fastantivirusscanner15.com.xorg.pl http://fastantivirusscanner15.com.xorg.pl/download/Setup_328.exe

20100425011059 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System www-scanner5.xorg.pl http://www-scanner5.xorg.pl/content1/qzzt/ckmrtmtoou/rqmqritzqq.html

20100425011106 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System www-scanner5.xorg.pl http://www-scanner5.xorg.pl/?id=2004&k=6c00ebfb0&d=1

20100425011113 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System www-scanner5.xorg.pl http://www-scanner5.xorg.pl/download.php?id=2004

20100425012432 74.118.193.81 Failed resolution 46664 46664 74.118.192.0/22 VOLUMEDRIVE - VolumeDrive www4.monaprotectguard11td.xorg.pl http://www4.monaprotectguard11td.xorg.pl/?p=p52dcWpscV%2FRlsijZFaZp29oiqHWnG3IXpeYxmhoZG2ZlQ%3D%3D

20100425012439 217.23.5.52 Failed resolution 49981 49981 217.23.0.0/20 WORLDSTREAM WorldStream www1.suaguardprotect12p.xorg.pl http://www1.suaguardprotect12p.xorg.pl?p=p52dcWpscV%2FCj8bYbn2AeVik12qTYGeMnNah2qePglzHysd2lJOCeXBarK3NasaXZWSQa2Nqm2GWVqPajtfZ1m5oWKeih9eipqCecV6aoaXGaorcmpWkcVih1GqaYl6ZZpGVlWRlZ2yL08ifb5ytqKhuZ2jYpNuaX52copOo1pzWlZPalNjF1ZVoY6rJj9uopJtnpKRzqHbRYpbKlIedp5WOiV%2BogpzZls2%2BqZKRomie0Myqeoune2t9kKnGhtzTmZ%2BHe2SS0H6HY3SLYKeK16R0Y2ick5RuZmxyZ16oq2ueXpadY2FiaGpxl1PFk22tb4nbzJV0amud

20100425012446 217.23.5.52 Failed resolution 49981 49981 217.23.0.0/20 WORLDSTREAM WorldStream www1.suaguardprotect12p.xorg.pl http://www1.suaguardprotect12p.xorg.pl/?p=p52dcWpscV%2FCj8bYbn2AeVik12qTYGeMnNah2qePglzHysd2lJOCeXBarK3NasaXZWSQa2Nqm2GWVqPajtfZ1m5oWKeih9eipqCecV6aoaXGaorcmpWkcVih1GqaYl6ZZpGVlWRlZ2yL08ifb5ytqKhuZ2jYpNuaX52copOo1pzWlZPalNjF1ZVoY6rJj9uopJtnpKRzqHbRYpbKlIedp5WOiV%2BogpzZls2%2BqZKRomie0Myqeoune2t9kKnGhtzTmZ%2BHe2SS0H6HY3SLYKeK16R0Y2ick5RuZmxyZ16oq2ueXpadY2FiaGpxl1PFk22tb4nbzJV0amud

20100425012453 217.23.5.52 Failed resolution 49981 49981 217.23.0.0/20 WORLDSTREAM WorldStream www1.suaguardprotect12p.xorg.pl http://www1.suaguardprotect12p.xorg.pl/107aad15ba6b97acb376b51a8c8c6708987d3008611.js

20100425031334 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System www-antivir.xorg.pl http://www-antivir.xorg.pl/content1/qzzt/ckmrtmtoou/rqmqroruvi.html

20100425031342 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System www-antivir.xorg.pl http://www-antivir.xorg.pl/?id=2004&k=6c00ebfb0&d=1

20100425031349 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System www-antivir.xorg.pl http://www-antivir.xorg.pl/download.php?id=2004

20100425031356 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System www-antivir.xorg.pl http://www-antivir.xorg.pl/download/InstRem_2004_b8.exe

20100425031423 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova fastantivirusscanner15.com.xorg.pl http://fastantivirusscanner15.com.xorg.pl/a2f31c41/?uqega=ygzM&aqaz=MjA0LjE0LI1LjA5j&avysu=ramaroruvm

20100425105607 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova antivir1a.com.xorg.pl http://antivir1a.com.xorg.pl/a3e2d6bc1/?egave=ygzM&apej=MjA0LjE0LI1LjA5j&ydepu=ramarkvrik

20100425105614 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova antivir1a.com.xorg.pl http://antivir1a.com.xorg.pl/?mid=283&code=2a15a0&d=1

20100425105621 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova antivir1a.com.xorg.pl http://antivir1a.com.xorg.pl/download.php?id=283

20100425105627 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova antivir1a.com.xorg.pl http://antivir1a.com.xorg.pl/download/Setup_283.exe

20100425105634 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System www-antivir3.xorg.pl http://www-antivir3.xorg.pl/content1/qzzt/ckmrtmtoou/rqmqrkvrik.html

20100425105641 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System www-antivir3.xorg.pl http://www-antivir3.xorg.pl/?id=2004&k=6c00ebfb0&d=1

20100425105648 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System www-antivir3.xorg.pl http://www-antivir3.xorg.pl/download.php?id=2004

20100425105655 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System www-antivir3.xorg.pl http://www-antivir3.xorg.pl/download/InstRem_2004_b8.exe

20100425194113 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova bestantivirus1.com.xorg.pl http://bestantivirus1.com.xorg.pl/?mid=283&code=2a15a0&d=1

20100425202820 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System my-scanner4.xorg.pl http://my-scanner4.xorg.pl/content1/qzzt/ckmrtmtoou/rqmqqququm.html

20100425202827 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System my-scanner4.xorg.pl http://my-scanner4.xorg.pl/?id=2004&k=6c00ebfb0&d=1

20100425202834 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System my-scanner1.xorg.pl http://my-scanner1.xorg.pl/download.php?id=2004

20100425202841 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System my-scanner1.xorg.pl http://my-scanner1.xorg.pl/download/InstRem_2004_b8.exe

20100425202849 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System my-scanner2.xorg.pl http://my-scanner2.xorg.pl/download.php?id=2004

20100425202856 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System my-scanner2.xorg.pl http://my-scanner2.xorg.pl/download/InstRem_2004_b8.exe

20100425202903 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System my-scanner3.xorg.pl http://my-scanner3.xorg.pl/download.php?id=2004

20100425202910 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System my-scanner3.xorg.pl http://my-scanner3.xorg.pl/download/InstRem_2004_b8.exe

20100425202917 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System my-scanner4.xorg.pl http://my-scanner4.xorg.pl/download.php?id=2004

20100425202924 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System my-scanner4.xorg.pl http://my-scanner4.xorg.pl/download/InstRem_2004_b8.exe

20100425202931 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System my-scanner5.xorg.pl http://my-scanner5.xorg.pl/download.php?id=2004

20100425202938 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System my-scanner5.xorg.pl http://my-scanner5.xorg.pl/download/InstRem_2004_b8.exe

20100425202945 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova spydefender1.com.xorg.pl http://spydefender1.com.xorg.pl/a90cc3461/?upuvy=ygzM&ejad=MjA0LjE0LI1LjA5j&ytuby=ramaaauauv

20100425202952 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova spydefender1.com.xorg.pl http://spydefender1.com.xorg.pl/?mid=283&code=2a15a0&d=1

20100425202959 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova spydefender1.com.xorg.pl http://spydefender1.com.xorg.pl/download.php?id=283

20100425203006 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova spydefender1.com.xorg.pl http://spydefender1.com.xorg.pl/download/Setup_283.exe

20100425220556 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova spydefender11.com.xorg.pl http://spydefender11.com.xorg.pl/a732b71/?uzuje=0IjM&utyd=ODIuNS45NEuNg%3D%3DD&avere=ramaaxvxui

20100425220723 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova win-antispyware10.com.xorg.pl http://win-antispyware10.com.xorg.pl/a8e8cd81/?epadu=ygzM&uvuq=MjA0LjE0LI1LjA5j&ajebu=ramaaaviok

20100425220730 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova win-antispyware10.com.xorg.pl http://win-antispyware10.com.xorg.pl/?mid=283&code=2a15a0&d=1

20100425220737 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova win-antispyware10.com.xorg.pl http://win-antispyware10.com.xorg.pl/download?id=283

20100425220743 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova win-antispyware10.com.xorg.pl http://win-antispyware10.com.xorg.pl/download/Setup_283.exe

20100425220747 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova fastantivirusscanner15.com.xorg.pl http://fastantivirusscanner15.com.xorg.pl/download/Setup_25.exe


From what I'm seeing, just as with the previous campaigns, new subdomains are being created and put into service at least every 4-6 hours (I can't follow it 24/7, obviously, so I do miss quite a lot of them). xorg.pl have never responded to an abuse report, or to an enquiry into why they're ignoring this problem, so perhaps they'll respond to this.
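Turning a dump like the one above into something usable (hosts-file entries, the dropper URLs, a hosting pivot, the "which hostnames are new since last time" list) is mostly a parsing job. What follows is an added example, not hpHosts tooling: it parses the line format shown above (timestamp, source IP, PTR or the two-word "Failed resolution", the ASN twice, the announced prefix, AS name, AS description, hostname, URL), using six lines copied verbatim from the log as sample input. The 127.0.0.1 sink address is the usual hosts-file convention and is an assumption on my part, as is treating any URL whose path ends in `.exe` as a payload.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Sample lines copied verbatim from the log above: one with a resolved PTR,
# the rest "Failed resolution", and one AS whose description starts with "-".
SAMPLE_LOG = """
20100425002724 217.149.251.12 smtp.gery.pl 15694 15694 217.149.240.0/20 ATMAN ATMAN Autonomous System www2.secyresyscare2.xorg.pl http://www2.secyresyscare2.xorg.pl/build107_289.php?cmd=sendFile&counter=1&p=p52dcWpscV%2FCj8bYbnOCdVik12qTYGeMnNah2qePglzHysd2lJOCeW5arK3NapeXlWRfa2RpymaTVqPajtfZ1m5do3OL1cytnpl2Wp6dpJ6eU9rPlqdqWpuooV6bYl6XY5uSlF9paVzXxsl2WKiscWlmb2qYYZeYaGVTqKVqoV6UZ2GdYZaWmmZdlZmip7VfqZ2dcXBpcA%3D%3D
20100425011052 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova fastantivirusscanner15.com.xorg.pl http://fastantivirusscanner15.com.xorg.pl/download/Setup_328.exe
20100425011059 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System www-scanner5.xorg.pl http://www-scanner5.xorg.pl/content1/qzzt/ckmrtmtoou/rqmqritzqq.html
20100425031356 85.12.46.16 Failed resolution 34305 34305 85.12.0.0/18 EUROACCESS Euroaccess Global Autonomous System www-antivir.xorg.pl http://www-antivir.xorg.pl/download/InstRem_2004_b8.exe
20100425012432 74.118.193.81 Failed resolution 46664 46664 74.118.192.0/22 VOLUMEDRIVE - VolumeDrive www4.monaprotectguard11td.xorg.pl http://www4.monaprotectguard11td.xorg.pl/?p=p52dcWpscV%2FRlsijZFaZp29oiqHWnG3IXpeYxmhoZG2ZlQ%3D%3D
20100425220747 195.5.161.125 Failed resolution 31252 31252 195.5.161.0/24 STARNET-AS StarNet Moldova fastantivirusscanner15.com.xorg.pl http://fastantivirusscanner15.com.xorg.pl/download/Setup_25.exe
"""

# Fields are space separated but two of them (PTR, AS description) may
# themselves contain spaces, so anchor on the fixed-shape fields around them:
# the ASN pair and the CIDR prefix on one side, hostname + URL at the end.
LINE_RE = re.compile(
    r"^(?P<ts>\d{14})\s+(?P<ip>\S+)\s+(?P<ptr>.+?)\s+"
    r"(?P<asn>\d+)\s+\d+\s+(?P<prefix>\S+/\d+)\s+"
    r"(?P<asname>\S+)\s+(?P<asdesc>.+?)\s+(?P<host>\S+)\s+(?P<url>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    ip: str
    ptr: str
    asn: int
    prefix: str
    asname: str
    asdesc: str
    host: str
    url: str


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: %r" % line[:60])
    fields = m.groupdict()
    fields["asn"] = int(fields["asn"])
    return Hit(**fields)


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def hosts_entries(hits, sink="127.0.0.1"):
    """One hosts-file line per distinct hostname (sink address is an assumption)."""
    return ["%s %s" % (sink, h) for h in sorted({x.host for x in hits})]


def payload_urls(hits):
    """URLs whose path ends in .exe: the droppers worth submitting to AV vendors."""
    return [x.url for x in hits if urlsplit(x.url).path.lower().endswith(".exe")]


def by_ip(hits):
    """Hosting pivot: which hostnames sit on which IP (hence which abuse desk)."""
    groups = defaultdict(set)
    for x in hits:
        groups[x.ip].add(x.host)
    return {ip: sorted(hs) for ip, hs in groups.items()}


def first_seen(hits):
    """Earliest timestamp per hostname; YYYYMMDDHHMMSS compares correctly as text."""
    seen = {}
    for x in hits:
        if x.host not in seen or x.ts < seen[x.host]:
            seen[x.host] = x.ts
    return seen


def new_hosts(hits, known):
    """Hostnames in this capture that an existing blocklist does not yet carry."""
    return sorted({x.host for x in hits} - set(known))
```

Feed `new_hosts` the hostnames already in your hosts file and you get the delta to append; `first_seen` is what tells you how often the operators are rotating subdomains.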

Thursday 22 April 2010

Microsoft, Google, Facebook, Tagged et al - they never learn

You'd have thought, given the amount of bad publicity that companies have received over the years about their rather lackadaisical approach to your privacy, that they'd have learnt from their mistakes and started to take it a little more seriously. Alas, not surprisingly, those of you thinking company x, y or z can be trusted are very, very wrong.

Let's take Tagged, for example, who were sued by the FTC last year. We already know they couldn't care less about being sued, given they continued with their little play for your contact lists, but the fact that they're getting more aggressive with their little marketing ploys is starting to annoy me somewhat.

There's also been a plethora of publicity over the past 12 months concerning Facebook's various ploys to ensure the information you've got in your profile gets less and less private. Then of course, there's this.

Google, you'll remember, also decided it would be fun to play with your data, using their "Google Buzz", which of course was enabled by default and launched very quietly (i.e. they didn't bother telling you). Now it seems Google have also been caught logging wireless LAN information, inclusive of MAC addresses, via their "Street View" vehicles.

And just to make sure they're not left out, Microsoft have ensured more bad publicity by adding a new "feature", enabled by default of course, that shares every single bit of information on your Hotmail profile, inclusive of data on those in your Windows Live Messenger and other Windows Live application contacts. Worse, of course, is that they didn't bother telling (warning) you, so you could take action to prevent their publicizing information you didn't want publicized, either for personal or business reasons.

We know businesses are out to make money, and that they'll do almost anything to make as much as possible, but this constant and increasing stamping on your privacy needs to be put to a stop. The "if you've got nothing to hide ....." argument just isn't good enough to allow this to continue, and it will get worse unless YOU force them to stop.

Wednesday 21 April 2010

hpHOSTS - UPDATED April 21st, 2010

The hpHOSTS Hosts file has been updated. There is now a total of 127,058 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 21/04/2010 21:00
  2. Last Verified: 21/04/2010 06:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Monday 19 April 2010

Hostek is putting their customers at risk

If you are hosting your site at Hostek.com, you are probably at a higher risk of being hacked. Why? Because they do not do the proper separation of accounts internally, so anyone can access the pages of everyone else.

How do we know that? We were helping a friend with his site over there and when we checked their permissions, we found a big (BIG) security hole on Hostek. Every PHP script is executed with the permissions of the user "nobody" (used by Apache), and every site allows the user "nobody" to access its files.

It means that any user can access the files from everyone else. Even worse, you can add and even modify the files under some circumstances.


Read more
http://blog.sucuri.net/2010/04/hostek-is-putting-their-customers-at.html
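What Sucuri describe is a permissions check anyone with a shell on the box can repeat: when every site's PHP runs as the one shared Apache user, any file that is readable by "other" is readable by every other customer's scripts, and any directory that is executable by "other" can be walked to get there. The following is an added example, not Sucuri's or Hostek's code: it walks an account's home directory and lists what "other" can read or traverse, flags the usual credential files, and then drops the "other" bits (0750 on directories, 0640 on files). The `demo` function builds a constructed directory tree with typical sloppy permissions; the `SENSITIVE` file names are my assumption about what is worth flagging first. Note the caveat in `harden`: dropping the "other" bits only works once PHP for that account runs as the account's own uid (suPHP/suexec, or a per-user PHP-FPM pool). Under plain mod_php the shared user would then be unable to serve the site at all, which is exactly why the hoster's "cannot be changed" answer amounts to leaving the hole open.

```python
import os
import stat
import tempfile

# Assumed list of files that typically hold credentials and must never be
# readable by another account's PHP running as the shared web-server user.
SENSITIVE = {"wp-config.php", "config.php", "configuration.php",
             "settings.php", ".htpasswd"}


def exposed_paths(root):
    """Relative paths under root that 'other' can read (files) or enter (dirs).

    On a host where every site's PHP runs as the same uid ("nobody"), an
    other-readable file in one account is readable by every other customer's
    scripts; an other-executable directory lets them walk down to it.
    Directories are reported with a trailing slash."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.lstat(full).st_mode & stat.S_IXOTH:
                exposed.append(os.path.relpath(full, root) + "/")
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                exposed.append(os.path.relpath(full, root))
    return sorted(exposed)


def exposed_secrets(root):
    """The subset of exposed files whose name marks them as credential stores."""
    return [p for p in exposed_paths(root) if os.path.basename(p) in SENSITIVE]


def harden(root):
    """Drop every 'other' bit: directories 0750, regular files 0640.

    Only safe once PHP for this account runs under the account's own uid
    (suPHP/suexec, or a per-user PHP-FPM pool). Under plain mod_php the
    shared 'nobody' process could then no longer read the site to serve it."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), 0o750)
            changed += 1
        for name in filenames:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                os.chmod(full, 0o640)
                changed += 1
    return changed


def demo():
    """Constructed customer home directory with typical sloppy permissions:
    report what is exposed, harden it, report again."""
    root = tempfile.mkdtemp(prefix="sharedhost-demo-")
    layout = {
        "public_html/index.php": 0o644,      # fine to be world-readable on its own
        "public_html/wp-config.php": 0o644,  # database credentials, must not be
        ".htpasswd": 0o644,                  # password hashes, must not be
        "private/notes.txt": 0o600,          # already private
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "public_html"), 0o755)
    os.chmod(os.path.join(root, "private"), 0o700)

    before = exposed_paths(root)
    secrets = exposed_secrets(root)
    harden(root)
    after = exposed_paths(root)
    return before, secrets, after
```

Run `exposed_secrets` against a real account and the output is the list of other customers' credential files you could read from your own PHP; that is the finding Sucuri reported, reduced to one command.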

Footnote: I've just spoken to Hostek and they informed me they're aware of the issue, and it only affects one of their servers.

Sadly, they've said it's got a "special configuration" and cannot be changed (i.e. cannot be secured), so whilst they will move the sites for customers that request such, they won't do anything to close the vulnerability.


Hat tip to Holger at MDL for the heads up.

/update 20-04-2010

I've heard back from "Brian A" at Hostek, who has informed me they've now secured the server. I'm awaiting confirmation of this from the author at sucuri.net.

Saturday 17 April 2010

Fraud Fighter ‘Bobbear’ to Hang Up His Cape

The owner and curator of bobbear.co.uk, a site that specializes in exposing Internet fraud scams and phantom online companies, announced Saturday that he will be shuttering the site at the end of April.

Bobbear and its companion site bobbear.com, are creations of Bob Harrison, a 66-year-old U.K. resident who for the last four years has tirelessly chronicled and exposed a myriad of fraud and scam Web sites. The sites, which are well-indexed by Google and other search engines and receive about 2,000 hits per day, often are among the first results returned in a search for the names of fly-by-night corporations advertised in spam and aimed at swindling the unsuspecting or duping the unwitting.


Read more
http://krebsonsecurity.com/2010/04/fraud-fighter-bobbear-to-hang-up-his-cape/

Tuesday 13 April 2010

Friday 9 April 2010

Yet another MSN phish

Yet more for your blocking funnage (I really do have to stop making words like "funnage", "stuffage" etc, up ....).

Name: msnapps.net
IP: 91.191.144.84
IP PTR: srv584.sd-france.net
ASN: 35393 91.191.144.0/20 EURO-WEB-AS Euro Web Network

Name: f.msn-verif.com
IP: 91.191.144.88
IP PTR: srv584.sd-france.net
ASN: 35393 91.191.144.0/20 EURO-WEB-AS Euro Web Network

Name: msn-blocked.com
IP: 213.186.33.34
IP PTR: www.ovh.com
ASN: 16276 213.186.32.0/19 OVH OVH


Yep, I'm not surprised to see OVH here either .....

Read more
http://cacaweb.com/wwwmsnappsnet-f6msn-verifcom-msn-blockedcom-attention-arnaque.html

The following domains are not mentioned in the article, but reside on the same IP as msn-verif.com:

IP: 94.23.211.177
IP PTR: ks304390.kimsufi.com
ASN: 16276 94.23.0.0/16 OVH OVH

msn-block.info
msn-blocking.com
msn-blocking.info
msn-check.info
msn-verif.com
msnblocks.com
msnblocks.net

Related

msn-blocked.com and msnpass.info scams moved to a new hosting and Allopass returned a ridiculous response.
http://www.nirsoft.net/blog/2009/07/msn-blockedcom-and-msnpassinfo-scams.html

MsnPass.Info and msn-blocked.com Scam Update
http://www.nirsoft.net/blog/2009/07/msnpassinfo-and-msn-blockedcom-scam.html

Monday 5 April 2010

Crimeware friendly ISPs: Eveloz - A continuation

I said I'd get back to this, and I am (finally). If you read the previous article concerning Eveloz, you'll already be familiar with the back story, so let's continue.

I've been monitoring Eveloz for quite some time now, as they've seemingly decided to be rather open about providing a haven for criminals, and things haven't stopped or changed, or, errr, well, done anything but get worse really.

The latest domain to surface on their network is longsignups.net, which is serving as a middleman for the fake AV crowd. The domain's registrar (Alantron BLTD, alantron.com) apparently doesn't want anyone accessing its WHOIS from anywhere except its own site, so, although likely faked, the owner is listed as:

Domain name : longsignups.net
Administrator Contact: hidden
Technical Contact: hidden
Billing Contact : hidden
Creation date : 2010-01-08
Expiration date : 2011-01-08
Name Server : ns1.everydns.net
Name Server : ns2.everydns.net
Name : Alexander Kupalo
Address : ul.3-Proletarskaya d.201 kv.1 Slavyansk-na-Kubani Krasnodarskiy krai
Address : Russia 353560
Phone : +7.8612752650
Fax : +7.8612752650
Email : ion@fastermail.ru
Creation Date : 2010-01-08


Not surprisingly, "Alexander Kupalo" is tied to other domains, and other scams.

The domain resides at 200.63.46.130, which, you'll remember, also housed previous middleman domains (MITMs), such as:

protectcareone.net
roomafterhide.net
safetytripstyle.net
gosafezone.net

And yes, these are still active (the only one not actually redirecting at the time of writing is roomafterhide.net, though it still resolves to the same IP). At the time of writing, the redirection chains for the domains are:

URL: http://safetytripstyle.net/redirect/

-> http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
--> http://anticrimeware.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:48 GMT
Server: Apache/2
Location: http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:12:53 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
location: http://anticrimeware.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D

HTTP/1.1 200 OK
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:12:53 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=74f4f86f3a65002399a5209d5f483c39; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache


--------------------------------------------------------------------------------
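The chains above were captured by issuing each request with automatic redirect handling switched off and recording, per hop, the status, the Location target, the Server banner and any Set-Cookie (the `go=1` / `red=1` cookies are what make a second visit from the same browser land somewhere else). The following is an added example, not the tool that produced the captures: `http_fetch` makes one GET with redirects disabled and never reads the body, and `follow_chain` walks the 3xx hops, resolves relative Location values, treats header names case-insensitively (note the lower-case `location` from nginx above) and stops on a loop or a hop limit. The User-Agent string is an assumption. `replay_fetch` replays the first chain above from its captured headers, plus a constructed two-hop loop with a relative Location, so the block runs offline.

```python
import http.client
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urljoin

# Assumption: a browser-like User-Agent, since these landing pages commonly
# serve different content (or nothing) to anything that looks like a scanner.
USER_AGENT = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)"


@dataclass
class Hop:
    url: str
    status: int
    server: str = ""
    location: str = ""
    cookies: list = field(default_factory=list)
    note: str = ""


def http_fetch(url, timeout=15):
    """One GET with redirects disabled; returns (status, [(header, value), ...]).
    The body is deliberately never read or saved: only the headers matter here."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    conn.request("GET", path, headers={"User-Agent": USER_AGENT})
    resp = conn.getresponse()
    headers = resp.getheaders()
    conn.close()
    return resp.status, headers


def follow_chain(url, fetch=http_fetch, max_hops=10):
    """Follow 3xx hops by hand, recording the headers of interest at each one."""
    hops, seen = [], set()
    while len(hops) < max_hops:
        if url in seen:                       # A -> B -> A: record it and stop
            hops.append(Hop(url, 0, note="loop"))
            break
        seen.add(url)
        status, headers = fetch(url)
        hop = Hop(url, status)
        for name, value in headers:
            key = name.lower()                # nginx above sent 'location' in lower case
            if key == "location":
                hop.location = urljoin(url, value)   # relative targets resolve against the hop
            elif key == "server":
                hop.server = value
            elif key == "set-cookie":
                hop.cookies.append(value)
        hops.append(hop)
        if not (300 <= status < 400 and hop.location):
            break
        url = hop.location
    else:
        if hops:
            hops[-1].note = "max hops reached"
    return hops


# Replay of the safetytripstyle.net/redirect/ chain captured above, reduced to
# the headers this code looks at, plus a constructed loop for the edge case.
DATA = "MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D"
START = "http://safetytripstyle.net/redirect/"
HOP1 = "http://goscandate.com/?data=" + DATA
HOP2 = "http://anticrimeware.jewil.info/?data=" + DATA
CAPTURED = {
    START: (302, [("Server", "Apache/2"), ("Location", HOP1),
                  ("Content-Type", "text/html; charset=iso-8859-1")]),
    HOP1: (302, [("Server", "nginx/0.8.28"), ("X-Powered-By", "PHP/5.2.11"),
                 ("location", HOP2)]),
    HOP2: (200, [("Server", "nginx/0.8.28"),
                 ("Set-Cookie", "PHPSESSID=74f4f86f3a65002399a5209d5f483c39; path=/")]),
    # constructed, not from the page: relative Location and a two-hop loop
    "http://example.invalid/a": (302, [("Location", "/b")]),
    "http://example.invalid/b": (302, [("Location", "http://example.invalid/a")]),
}


def replay_fetch(url):
    """Offline stand-in for http_fetch that answers from the captured headers."""
    return CAPTURED[url]
```

Swap `replay_fetch` for the default `http_fetch` to trace a live chain; do it from a throwaway VM, since the final hop is the fake AV landing page and the one after that is the installer.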

URL: http://safetytripstyle.net/redirect2/
Can we have the URLs?:

-> http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
--> http://insight-scanner7.com/content1/axxt/ckmrtmtoou/ramxirviit.html


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:48 GMT
Server: Apache/2
Location: http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:05:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: go=1; expires=Wed, 07-Apr-2010 02:05:54 GMT
Location: http://insight-scanner7.com/content1/axxt/ckmrtmtoou/ramxirviit.html
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:05:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://safetytripstyle.net/redirect3/
Can we have the URLs?:

-> http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
--> http://1b5f.win-protectionb1.com/a369e336b321/?gtyh=aXA9MjA0LjEwLjk5LSU1MXAwZD0yODMmdGltZT0xMjdpNjY2MjU0


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:50 GMT
Server: Apache/2
Location: http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:05:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: red=1; expires=Wed, 07-Apr-2010 02:05:55 GMT
Location: http://1b5f.win-protectionb1.com/a369e336b321/?gtyh=aXA9MjA0LjEwLjk5LSU1MXAwZD0yODMmdGltZT0xMjdpNjY2MjU0
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:05:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://safetytripstyle.net/redirect4/
Can we have the URLs?:

-> http://188.124.5.138/main.php?land=20&affid=92800


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:51 GMT
Server: Apache/2
Location: http://188.124.5.138/main.php?land=20&affid=92800
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=ipamn9au3vavq8lqehaj208du0; path=/
Set-Cookie: mc=92800; expires=Tue, 06-Apr-2010 02:15:56 GMT
Set-Cookie: sts=92800%7C9%7C928%7C00%7C1%7CUS%7C1%7C6%7C8%7C1%7C194%7C0%7C1%7C%7C
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, must-revalidate
Content-type: text/html
Connection: close
Date: Tue, 06 Apr 2010 02:05:56 GMT
Server: lighttpd/1.4.22


--------------------------------------------------------------------------------

URL: http://protectcareone.net/redirect/
Can we have the URLs?:

-> http://goscandate.com/?uid=13400
--> http://anticrimeware.jewil.info/?uid=13400


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:52 GMT
Server: Apache/2
Location: http://goscandate.com/?uid=13400
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:12:57 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
location: http://anticrimeware.jewil.info/?uid=13400

HTTP/1.1 404 Not Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:12:57 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=0f7d0f114022917400c4fe83990de05c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache


--------------------------------------------------------------------------------

URL: http://protectcareone.net/redirect2/
Can we have the URLs?:

-> http://getamazondiscount.com/go.php?id=2004&key=ff0057594&d=1


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:52 GMT
Server: Apache/2
Location: http://getamazondiscount.com/go.php?id=2004&key=ff0057594&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 404 Not Found
Date: Tue, 06 Apr 2010 02:05:57 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1


--------------------------------------------------------------------------------

URL: http://protectcareone.net/redirect3/
Can we have the URLs?:

-> http://vimeotheroad.com/?pid=283s01&sid=2a15a0
--> http://db6cf0.win-protectionb1.com/a17af011/?gtyh=aXA9MjA0LjE%3DLTkyLjU1MXAwZD0yODNzMSZ0aW1lPTEyN2k1Jjk4NjA0


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:53 GMT
Server: Apache/2
Location: http://vimeotheroad.com/?pid=283s01&sid=2a15a0
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:05:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: red=1; expires=Wed, 07-Apr-2010 02:05:57 GMT
Location: http://db6cf0.win-protectionb1.com/a17af011/?gtyh=aXA9MjA0LjE%3DLTkyLjU1MXAwZD0yODNzMSZ0aW1lPTEyN2k1Jjk4NjA0
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:05:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://protectcareone.net/redirect4/
Can we have the URLs?:

-> http://188.124.5.138/main.php?land=20&affid=92800

HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:53 GMT
Server: Apache/2
Location: http://188.124.5.138/main.php?land=20&affid=92800
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=gjlcg9vk43kmpgu0glsnc7fum6; path=/
Set-Cookie: mc=92800; expires=Tue, 06-Apr-2010 02:15:58 GMT
Set-Cookie: sts=92800%7C9%7C928%7C00%7C1%7CUS%7C1%7C6%7C8%7C1%7C194%7C0%7C1%7C%7C
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, must-revalidate
Content-type: text/html
Connection: close
Date: Tue, 06 Apr 2010 02:05:58 GMT
Server: lighttpd/1.4.22


--------------------------------------------------------------------------------

URL: http://roomafterhide.net/redirect/
Can we have the URLs?:

[NO REDIRECTION]


HTTP/1.1 404 Not Found
Date: Mon, 05 Apr 2010 19:08:24 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1


--------------------------------------------------------------------------------

URL: http://roomafterhide.net/redirect2/
Can we have the URLs?:

[NO REDIRECTION]


HTTP/1.1 404 Not Found
Date: Mon, 05 Apr 2010 19:08:24 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1


--------------------------------------------------------------------------------

URL: http://roomafterhide.net/redirect3/
Can we have the URLs?:

[NO REDIRECTION]


HTTP/1.1 404 Not Found
Date: Mon, 05 Apr 2010 19:08:24 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1


--------------------------------------------------------------------------------

URL: http://roomafterhide.net/redirect4/
Can we have the URLs?:

[NO REDIRECTION]


HTTP/1.1 404 Not Found
Date: Mon, 05 Apr 2010 19:08:24 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1

--------------------------------------------------------------------------------

URL: http://longsignups.net/redirect/
Can we have the URLs?:

-> http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
--> http://anticrimeware.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:56 GMT
Server: Apache/2
Location: http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:13:01 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
location: http://anticrimeware.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D

HTTP/1.1 200 OK
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:13:01 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=257e774dbc872bc7e3c105778204b312; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache


--------------------------------------------------------------------------------

URL: http://longsignups.net/redirect2/
Can we have the URLs?:

-> http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
--> http://insight-scanner7.com/content1/axxt/ckmrtmtoou/ramxirvior.html


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:56 GMT
Server: Apache/2
Location: http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:06:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: go=1; expires=Wed, 07-Apr-2010 02:06:01 GMT
Location: http://insight-scanner7.com/content1/axxt/ckmrtmtoou/ramxirvior.html
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:06:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://longsignups.net/redirect3/
Can we have the URLs?:

-> http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
--> http://e1219d2.win-protectionb1.com/a874059bb71/?gtyh=aXA9MjA0LjEwLjk5LSU1MXAwZD0yODMmdGltZT0xMjdpNjYyMjY0


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:57 GMT
Server: Apache/2
Location: http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:06:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: red=1; expires=Wed, 07-Apr-2010 02:06:02 GMT
Location: http://e1219d2.win-protectionb1.com/a874059bb71/?gtyh=aXA9MjA0LjEwLjk5LSU1MXAwZD0yODMmdGltZT0xMjdpNjYyMjY0
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:06:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://longsignups.net/redirect4/
Can we have the URLs?:

-> http://188.124.5.138/main.php?land=20&affid=92800


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:58 GMT
Server: Apache/2
Location: http://188.124.5.138/main.php?land=20&affid=92800
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=jbkjdcviqd77upb10tsvdekkp6; path=/
Set-Cookie: mc=92800; expires=Tue, 06-Apr-2010 02:16:03 GMT
Set-Cookie: sts=92800%7C9%7C928%7C00%7C1%7CUS%7C1%7C6%7C8%7C1%7C194%7C0%7C1%7C%7C
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, must-revalidate
Content-type: text/html
Connection: close
Date: Tue, 06 Apr 2010 02:06:03 GMT
Server: lighttpd/1.4.22

--------------------------------------------------------------------------------

URL: http://gosafezone.net/redirect/
Can we have the URLs?:

-> http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
--> http://safety.com.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 20:23:09 GMT
Server: Apache/2
Location: http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 05:33:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
location: http://safety.com.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D

HTTP/1.1 200 OK
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 05:33:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=34940ba021b2c4b01d0eabf4ac403e91; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache


--------------------------------------------------------------------------------

URL: http://gosafezone.net/redirect2/
Can we have the URLs?:

-> http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
--> http://insight-scanner8.com/content1/axxt/ckmrtmtoou/ramxiatumt.html


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 20:23:09 GMT
Server: Apache/2
Location: http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 03:26:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: go=1; expires=Wed, 07-Apr-2010 03:26:14 GMT
Location: http://insight-scanner8.com/content1/axxt/ckmrtmtoou/ramxiatumt.html
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 03:26:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://gosafezone.net/redirect3/
Can we have the URLs?:

-> http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
--> http://ed9c.win-protectiont1.com/a48d5651/?gtyh=aXA9MjA0LjEwLjk0LSM1MnAwZD0yODMmdGltZT0xMjdpNjY2Mjc0


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 20:23:11 GMT
Server: Apache/2
Location: http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 03:26:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: red=1; expires=Wed, 07-Apr-2010 03:26:16 GMT
Location: http://ed9c.win-protectiont1.com/a48d5651/?gtyh=aXA9MjA0LjEwLjk0LSM1MnAwZD0yODMmdGltZT0xMjdpNjY2Mjc0
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 03:26:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://gosafezone.net/redirect4/
Can we have the URLs?:

-> http://188.124.5.138/main.php?land=20&affid=92800


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 20:23:12 GMT
Server: Apache/2
Location: http://188.124.5.138/main.php?land=20&affid=92800
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=sh0bcvrotsdvbl6ucjucud15p4; path=/
Set-Cookie: mc=92800; expires=Tue, 06-Apr-2010 03:36:17 GMT
Set-Cookie: sts=92800%7C9%7C928%7C00%7C1%7CUS%7C1%7C6%7C8%7C1%7C194%7C0%7C1%7C%7C
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, must-revalidate
Content-type: text/html
Connection: close
Date: Tue, 06 Apr 2010 03:26:17 GMT
Server: lighttpd/1.4.22

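The redirect chains logged above can be reconstructed from a saved capture rather than by re-visiting the hosts. The following is an added example, not the hpHosts tool that produced the output above: it parses "HTTP/1.1 302 Found ... Location:" response blocks of the kind shown, lists every hop, and records the cookies a redirector sets along the way (the one-day `red=1` cookie is the sort of marker an analyst wants to note, since a repeat request carrying it may be routed differently). The embedded transcript is trimmed from the longsignups.net/redirect3/ capture on this page.

```python
import re
from email.parser import Parser  # stdlib header parser; names are case-insensitive

# Constructed from the transcript above: the three responses behind one
# visit to longsignups.net/redirect3/, trimmed to the headers that matter.
TRANSCRIPT = """\
HTTP/1.1 302 Found
Server: Apache/2
Location: http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
X-Powered-By: PHP/5.2.11
Set-Cookie: red=1; expires=Wed, 07-Apr-2010 02:06:02 GMT
Location: http://e1219d2.win-protectionb1.com/a874059bb71/?gtyh=aXA9MjA0LjEwLjk5LSU1MXAwZD0yODMmdGltZT0xMjdpNjYyMjY0
Connection: close

HTTP/1.1 200 OK
Content-Type: text/html
"""

def parse_responses(transcript):
    """Split a capture into (status_code, headers) pairs, one per response."""
    responses = []
    for block in re.split(r"\n\s*\n", transcript.strip()):
        status_line, _, header_text = block.partition("\n")
        code = int(status_line.split()[1])            # "HTTP/1.1 302 Found" -> 302
        responses.append((code, Parser().parsestr(header_text, headersonly=True)))
    return responses

def redirect_chain(start_url, transcript):
    """Walk the captured responses, collecting each hop and any cookies set.

    Returns (urls, cookies): urls is the chain starting at start_url, cookies
    maps cookie name -> expiry string (None if no expiry). A redirect carrying
    no Location, or the first non-3xx response, ends the chain."""
    urls, cookies = [start_url], {}
    for code, headers in parse_responses(transcript):
        for raw in headers.get_all("Set-Cookie", []):
            name = raw.split("=", 1)[0].strip()
            expiry = re.search(r"expires=([^;]+)", raw)
            cookies[name] = expiry.group(1).strip() if expiry else None
        if not 300 <= code < 400:
            break                                     # landed on the final page
        location = headers.get("Location")            # matches "location:" too
        if not location:
            break                                     # broken or evasive hop
        urls.append(location)
    return urls, cookies
```

Calling `redirect_chain("http://longsignups.net/redirect3/", TRANSCRIPT)` yields the three-URL chain shown above plus `{"red": "Wed, 07-Apr-2010 02:06:02 GMT"}`; the nginx hop in the gosafezone.net capture, which sends a lower-case `location:` header, parses the same way.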

Looking over this /24, there appears to be only one IP (200.63.46.108) that's actually housing legitimate websites. The rest are either malware or phishing related. One rather interesting phishing domain is beverified.org, which claims to... well, let's see what they say, shall we:

"Beverified.org is the premier free age verification service used by safe adults in the area"

Age verification? Really? How is this done then? Well, actually it isn't (as if you were surprised). All it actually does is submit your information to:

https://securejoinsite.com/join.php

Note: Accessing join.php directly results in an error stating invalid input parameters. You can view what it actually contains using the following URL:

http://securejoinsite.com/join.php?act=el3122.&siteid=elx_fbook&tnum=839&iframe=y


It's a site with no homepage, registered to a company that evidently can't decide where they are (the address is in Cyprus, but the telephone number has a +44 (UK) dialling code).

Registration Service Provided By: NEOTIKA CAPITAL LTD
Contact: +44.2076917819

Domain Name: SECUREJOINSITE.COM

Registrant:
Neotika Capital Ltd
Constantinos Ellinas (legal@neotikacapitalltd.com)
Flat/Office 2, 8 Georgiou Seferi
Nicosia
Nicosia,1076
CY
Tel. +044.2076917819

Creation Date: 05-May-2009
Expiration Date: 05-May-2011

Domain servers in listed order:
dns2.allnetservers.net
dns1.allnetservers.net


dns2.allnetservers.net resides at 208.94.64.126 (AS36529 208.94.64.0/24 RACKCO). RACKCO also has several other /24s and, based on the sites hosted there, all of them need to be blackholed.

A little further digging showed a plethora of similar phishing sites housed at:

209.44.111.0/24 - AS10929 Netelligent
69.60.198.0/24 - AS11696 Simlab Bell Atlantic Global Networks Madison, NJ
206.223.183.0/24 - AS21949 BEANFIELD-AS Beanfield Technologies inc. 77 Mowat Ave. Toronto, ON M6K3E3
64.38.198.0/24 - AS19181 CWIE Cavecreek Wholesale Internet Exchange, LLC
64.154.5.0/24 - AS19181 CWIE Cavecreek Wholesale Internet Exchange, LLC

Getting back to Eveloz, however: I've tried numerous times to reach both them and their upstreams, and to date no response has been received, so personally I'm still recommending they be blackholed.

References:

Crimeware friendly ISP's: Eveloz (AS27716, 200.63.40.0/21, 200.63.48.0/23, 190.5.224.0/22)
http://hphosts.blogspot.com/2009/12/crimeware-friendly-isps-eveloz-as27716.html

Friday 2 April 2010

Spambot Search Tool: v0.48

Apologies for yet another bug fix, folks. My fault for doing this stuff when I'm half asleep (I broke the last update).

v0.48

* Fixed display of results (now properly centered)
* Modified check_spammers.php (submission to FSL/SFS)
* Fixed IsValidEmail function
+ Added resolve_host function (makes things a little cleaner)
* Modified query so username + email are case-insensitive.

Download:
http://support.it-mate.co.uk/?mode=Products&act=DL&p=spambotsearchtool

Thursday 1 April 2010

AS29073 Ecatel: Need more proof of their being crimeware friendly?

We didn't exactly need any more proof that Ecatel (AS29073) were crimeware friendly, but I came across ryan1918.com (again) earlier, and the following just kinda jumped out at me - thanks for providing the final nail in Ecatel's coffin!


I've already had Ecatel's ranges blocked for some time now, and I believe this should now convince everyone else to do the same. To save you some time, these are all to be blackholed:


In case you're wondering, ryan1918.com is a site that's controlled by a criminal and, not surprisingly, is involved in everything from hacking to fraud to exploits to - well, pretty much everything blackhat/criminal that you care to think of. The domain's WhoIs is (again not surprisingly) hidden, courtesy of "MONIKER" (moniker.com), one of many registrars that, in my opinion, should be shut down.

/update: 08:02

I forgot to mention, "Ryan" also has:

ryan1918.info
ryan1918.net
ryan1918.org

All residing at 67.19.72.202 (AS21844 67.18.0.0/15 THEPLANET-AS - ThePlanet.com Internet Services, Inc.)

/update 04-04-2010 16:57

It would seem, chaps and chapesses, that Ecatel were none too pleased about Ryan's post, and have since booted his site (contrary to the "hard drive failure" message currently present on his site's homepage). His site's new IP is 174.132.192.92 (5c.c0.84ae.static.theplanet.com, AS21844 174.132.0.0/15 THEPLANET-AS - ThePlanet.com Internet Services, Inc.).

There are quite a few suspicious domains also residing here, which I'll be taking a look at in due course.


New IP = 89.248.168.47 = Ecatel.

/update 13-04-2010 12:48

This one has jumped between various ISPs since the original article was published, including a UK based ISP (UKNOC, uknoc.co.uk) at 85.92.87.193, and has now jumped back to Ecatel (same IP as before), presumably until he finds another ISP. LE are involved with this one now, however, so I'll not be following it anymore; I've got to leave it to them.

References:

Crimeware friendly ISP's: Ecatel (AS29073)
http://hphosts.blogspot.com/2009/11/crimeware-friendly-isps-ecatel-as29073.html

Great News source code released!

You've been asking for it, and waiting patiently since Jack originally announced he was changing the project to open source, and now you need wait no more. Great News, as of April 1st (and nope, it's not an AFJ!), is officially open source (released under a GPL licence), with the source code available at:

http://www.curiostudio.com/forum/viewtopic.php?f=9&t=3073

The source code is C++, for those wondering.