Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 18 January 2012

Alert: Eventbee.com abuse

The formspring.me abuse is continuing, but in the meantime, it looks like they're having a bash on eventbee.com too.

These eventbee.com pages redirect to searchglobalsite.com, which lives at 88.214.202.129, an address you'll recognize as HQHost/NatCoWeb (AS46636 88.214.192.0/20 NATCOWEB - NatCoWeb Corp.).

inetnum: 88.214.202.0 - 88.214.202.255
netname: hqhost-shared-NB-202
descr: Hqhost shared hosting block
country: GB
admin-c: HSLD1-RIPE
tech-c: HSLT1-RIPE
status: ASSIGNED PA
remarks: INFRA-AW
mnt-by: hqhost
source: RIPE # Filtered

role: Hosting Solutions Ltd. DBM
nic-hdl: HSLD1-RIPE
org: ORG-RIBC1-RIPE
address: Hosting Solutions LTD
address: Sergiy Sabyetyev
address: 145-157 St John Street
address: 2nd Floor
address: EC1V 4PY LONDON
address: UNITED KINGDOM
phone: +16462333035
fax-no: +442032921594
abuse-mailbox: abuse@hqhost.net
admin-c: MS9776-RIPE
admin-c: EA2-RIPE
tech-c: MS9776-RIPE
tech-c: EA2-RIPE
mnt-by: hqhost
source: RIPE # Filtered

role: Hosting Solutions Ltd. Tech
nic-hdl: HSLT1-RIPE
org: ORG-RIBC1-RIPE
address: Hosting Solutions LTD
address: Sergiy Sabyetyev
address: 145-157 St John Street
address: 2nd Floor
address: EC1V 4PY LONDON
address: UNITED KINGDOM
phone: +16462333035
fax-no: +442032921594
abuse-mailbox: abuse@hqhost.net
admin-c: HSLD1-RIPE
tech-c: HSLD1-RIPE
mnt-by: hqhost
source: RIPE # Filtered


From searchglobalsite.com, visitors are then redirected to a variety of domains, including multifind24.com, which lives at 199.80.55.13 (AS40824 199.80.52.0/22 WZCOM-US - WZ Communications Inc.). From here, you're presented with a "search" result, helpfully listing some fake meds sites such as:

Domain    IP    Reverse    Registrant    Registrar    ASN    Country
buysoma.com    209.59.194.20    vip-vr20.tuk.trafficz.com.    Hong young jin (kukmin@gmail.com)    NET JUGGLER, INC.    6295    US
d-drugs.com    88.198.69.134    edl.pl.    Jakub Grabski / dns@home.pl    TUCOWS, INC.    24940    DE
lifestylesales.net    178.238.131.46    178-238-131-46.crowdcontrolonline.com.    Direct Privacy ID 265C4 / lifestylesales.net@domainnameproxyservice.com    DIRECTNIC, LTD    51377    GB
medicinestoreonline.net    70.38.31.180    tele1.telemedsbilling.com.    Direct Privacy ID 3C2F2 / medicinestoreonline.net@domainnameproxyservice.com    DIRECTNIC, LTD    32613    CA
medmaven.com    208.106.203.239    -    jeremysoca@hotmail.com    NAME.COM LLC    14992    US
pain-relief-pharm.biz    91.206.231.205    pain-relief-pharm.com.    / i9ihqp24e31dd9d8c589@oqjij874d9300d54bd95.privatewhois.net    INTERNET.BS CORP.    41947    RU
rxdrugs4u.com    208.73.210.29    -    contact@privacyprotect.org    REGISTERMATRIX.COM CORP.    33626    US
rxpharma24hs.us    184.107.182.202    rxpharma24hs.us.    Gunther Petzer / miriad@hushmail.com    INTERNET.BS.CORP    32613    CA
somecheap.com    62.116.181.25    25-181-116-62.rev.customer-net.de.    rixadwokatnomer@googlemail.com    PSI-USA, INC. DBA DOMAIN ROBOT    15456    DE
tophealthstore.net    70.38.40.69    -    Direct Privacy ID 95974 / tophealthstore.net@domainnameproxyservice.com    DIRECTNIC, LTD    32613    CA


Eventbee.com will be notified, but in the meantime, you'll want to block the domains involved, and of course, the IPs (in the case of NatCoWeb, you can safely blackhole the entire ASN).
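
One way to apply this blocking advice to web proxy logs, as an added example that is not from the original post. The log format ("client destination-IP URL"), the sample lines and the function names are constructed for illustration, and only the single AS46636 prefix quoted above is covered, not every prefix the ASN may announce.

```python
import ipaddress
from urllib.parse import urlsplit

# Redirector domains named in the post.
BLOCKED_DOMAINS = {"searchglobalsite.com", "multifind24.com"}
# The AS46636 prefix quoted in the post, plus the one address given
# for multifind24.com. Assumption: other prefixes are out of scope here.
BLOCKED_NETS = [ipaddress.ip_network(n)
                for n in ("88.214.192.0/20", "199.80.55.13/32")]

def match(dst_ip, url):
    """Return why a request should be blocked, or None if it is clean."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Match the domain or any subdomain, but not lookalike suffixes
    # such as "notsearchglobalsite.com".
    if any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return "domain:" + host
    # Check both a literal IP in the URL and the resolved destination IP.
    for candidate in (host, dst_ip):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # not an IP literal
        for net in BLOCKED_NETS:
            if addr in net:
                return "net:" + str(net)
    return None

def scan(lines):
    """Yield (line, reason) for every log line that hits the blocklist."""
    hits = []
    for line in lines:
        _client, dst_ip, url = line.split()
        reason = match(dst_ip, url)
        if reason:
            hits.append((line, reason))
    return hits

# Constructed sample log lines: "client dst_ip url"
SAMPLE_LOG = [
    "10.0.0.5 88.214.202.129 http://searchglobalsite.com/",
    "10.0.0.5 199.80.55.13 http://www.multifind24.com/search",
    "10.0.0.7 88.214.200.10 http://unlisted.example/",
    "10.0.0.8 192.0.2.10 http://notsearchglobalsite.com/",
    "10.0.0.9 192.0.2.20 http://88.214.202.129/x",
]

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(reason, "<-", line)
```

The third sample line shows why the prefix check matters: a hostname not on the domain list is still caught because it resolves into the hosting block.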

/edit 07:55 19-01-2012

I am pleased to report that all of the pages on eventbee.com have now been removed.

References

Formspring.me: Second verse, same as the first
http://hphosts.blogspot.com/2012/01/formspringme-second-verse-same-as-first.html

Formspring.me abuse continuing
http://hphosts.blogspot.com/2012/01/formspringme-abuse-continuing.html

Alert: formspring.me abuse surge
http://hphosts.blogspot.com/2011/09/alert-formspringme-abuse-surge.html

Real International Business Corp = NatCoWeb (AS46636)
http://hphosts.blogspot.com/2009/11/real-international-business-corp.html
