Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 12 August 2009

Yet more blackhat SEO from the Internet Service Team and NetDirekt

Following on from my previous documentation of the blackhat SEO campaigns currently running in the search engines, I've noticed over the past few weeks that the ones I previously documented, using filenames such as cadets.php together with the .js file, were mysteriously leading to 404 pages.

Thankfully (or disappointingly, depending on which way you want to look at it), they're still making it super easy to identify their malicious domains, such as the following, for example:

Host: received-latest-microsoft-update.alk.stromiko.com
Current IP: 95.168.191.96
IP PTR: 95.168.191.96.internetserviceteam.com

You'll no doubt have noticed our dear friends at the IST in the PTR record, but you may have missed the fact that, whilst the IP range is registered to V3SERVERS-NET-967806 (v3servers.net), it also just so happens to sit on the NetDirekt AS. Coinkydink? I don't think so.

Getting back to it: feed this domain a Google referer (I've not tested it, but I'm 99% sure it'll also work if you feed it a Bing, Live or Yahoo referer too), and you're taken to triwoperl.com (IP: 95.168.191.19 - 95.168.191.19.internetserviceteam.com), which looks like an ordinary search page.


Alas, as you'll no doubt have guessed, you're not actually taken to the domains the results claim to link to. Instead, clicking a result takes you through the following chain:

GET /feed/click.php?u=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 HTTP/1.1
Accept: */*
Referer: http://triwoperl.com/feed/search.php?q=hphosts&aff=19362&saff=200
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: triwoperl.com
Connection: Keep-Alive
Cookie: cook_aff=19362; cook_saff=200

HTTP/1.1 302 Found
Server: nginx/0.7.61
Date: Wed, 12 Aug 2009 14:01:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 12 Aug 2009 14:01:33 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Location: http://208.94.233.40/go.php?data=s5nKz1t63pi2a7chRizVwNj8R5tL66n%2FJSqSrEyE5Ds1XHySf%2FBEKbKrPXRQ0ZnLPxx4blfV%2Bn8%2FSopcE6QUBHlnc892LbyqO0P40I0VVTOOcnyhWEOS%2BWYdqmv%2FDQATc998YKsxMpdTLX2I97MhU4EBnY8viphjQJgBhrkhZHbvAgilHGlaq00LydOf%2BAA6qtzMRttY7LY%2FnAC%2FrSDqTbsoA7CSDb4pPB6qZpCmg2GWLOunoAXICFv%2F2kiYKpLt%2BsQ%2Fwo%2BOzOgu2%2BV3yAPMYi9pUXSIzS1jQQs1mXbypFKuaaN8g9kEZ8VTZ9TZrM%2BPkzpm1qL2vLJ5%2Fxdm6I%2B4yVO6jRKd%2BKStcllBj5ESBkTxBxhu29BKCh%2FoINGbx8%2BqmtyGewysJmVsbMlAkV8OgfL7q8P6Kv09icZITfllUxOa0uuYuLFDOOYpaLX%2Binjcwg5%2Bve2%2B5bcein9VhhV7bThTdH8vBZMFAsXwLc2C%2BaOBerxBXw6nO9obFwhqkrlTgAdcQWiOuaP2KGEZQqhAwQLfrUeNsqyR4lMbfsLpfHxAPLUEbN1CmnSzF8POjbopvPMLNexE0z9DmJPtfs9dcnA7zjvapIMA38gA7Im5ky27yUlMW%2FBrJKEd4xViu45L6Y8ZuVN6l1zJ5JBPkuEneIc2Fct21KbWwwWZlMsFiJpwG4SQtEAlu6WVbFRhMAIKli7pcle%2F%2FzcNQKK9LwAamk86hkutnNlRlkXndh3eKlz3rW21mevjHZSwapnyjpvgei3T2aU5I9UdP5hpmeAIvK4%2FS5zxE5jhzqAa4RyMMHKZAJ2Sv1NXO2b1vTKeG%2BxrU%2FnInpvlFnx7TF0CLJl6QK%2ByBWqpoX6%2FBFQ6dBxLcu5fHMP7RBzV5Y7RIGjPkh5nmEt1qxBKBCrzscmLEwsp3tYY9VSSCqQz
Content-Length: 0

------------------------------------------------------------------
GET /go.php?data=s5nKz1t63pi2a7chRizVwNj8R5tL66n%2FJSqSrEyE5Ds1XHySf%2FBEKbKrPXRQ0ZnLPxx4blfV%2Bn8%2FSopcE6QUBHlnc892LbyqO0P40I0VVTOOcnyhWEOS%2BWYdqmv%2FDQATc998YKsxMpdTLX2I97MhU4EBnY8viphjQJgBhrkhZHbvAgilHGlaq00LydOf%2BAA6qtzMRttY7LY%2FnAC%2FrSDqTbsoA7CSDb4pPB6qZpCmg2GWLOunoAXICFv%2F2kiYKpLt%2BsQ%2Fwo%2BOzOgu2%2BV3yAPMYi9pUXSIzS1jQQs1mXbypFKuaaN8g9kEZ8VTZ9TZrM%2BPkzpm1qL2vLJ5%2Fxdm6I%2B4yVO6jRKd%2BKStcllBj5ESBkTxBxhu29BKCh%2FoINGbx8%2BqmtyGewysJmVsbMlAkV8OgfL7q8P6Kv09icZITfllUxOa0uuYuLFDOOYpaLX%2Binjcwg5%2Bve2%2B5bcein9VhhV7bThTdH8vBZMFAsXwLc2C%2BaOBerxBXw6nO9obFwhqkrlTgAdcQWiOuaP2KGEZQqhAwQLfrUeNsqyR4lMbfsLpfHxAPLUEbN1CmnSzF8POjbopvPMLNexE0z9DmJPtfs9dcnA7zjvapIMA38gA7Im5ky27yUlMW%2FBrJKEd4xViu45L6Y8ZuVN6l1zJ5JBPkuEneIc2Fct21KbWwwWZlMsFiJpwG4SQtEAlu6WVbFRhMAIKli7pcle%2F%2FzcNQKK9LwAamk86hkutnNlRlkXndh3eKlz3rW21mevjHZSwapnyjpvgei3T2aU5I9UdP5hpmeAIvK4%2FS5zxE5jhzqAa4RyMMHKZAJ2Sv1NXO2b1vTKeG%2BxrU%2FnInpvlFnx7TF0CLJl6QK%2ByBWqpoX6%2FBFQ6dBxLcu5fHMP7RBzV5Y7RIGjPkh5nmEt1qxBKBCrzscmLEwsp3tYY9VSSCqQz HTTP/1.1
Accept: */*
Referer: http://triwoperl.com/feed/search.php?q=hphosts&aff=19362&saff=200
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: 208.94.233.40
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 14:01:34 GMT
Server: Apache
Set-Cookie: gkv-=1; expires=Thu, 13-Aug-2009 14:01:34 GMT
Set-Cookie: bkv-=1; expires=Tue, 11-Aug-2009 14:01:34 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 12 Aug 2009 14:01:34 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Location: /go.php?data=s5nKz1t63pi2a7chRizVwNj8R5tL66n%2FJSqSrEyE5Ds1XHySf%2FBEKbKrPXRQ0ZnLPxx4blfV+n8%2FSopcE6QUBHlnc892LbyqO0P40I0VVTOOcnyhWEOS+WYdqmv%2FDQATc998YKsxMpdTLX2I97MhU4EBnY8viphjQJgBhrkhZHbvAgilHGlaq00LydOf+AA6qtzMRttY7LY%2FnAC%2FrSDqTbsoA7CSDb4pPB6qZpCmg2GWLOunoAXICFv%2F2kiYKpLt+sQ%2Fwo+OzOgu2+V3yAPMYi9pUXSIzS1jQQs1mXbypFKuaaN8g9kEZ8VTZ9TZrM+Pkzpm1qL2vLJ5%2Fxdm6I+4yVO6jRKd+KStcllBj5ESBkTxBxhu29BKCh%2FoINGbx8+qmtyGewysJmVsbMlAkV8OgfL7q8P6Kv09icZITfllUxOa0uuYuLFDOOYpaLX+injcwg5+ve2+5bcein9VhhV7bThTdH8vBZMFAsXwLc2C+aOBerxBXw6nO9obFwhqkrlTgAdcQWiOuaP2KGEZQqhAwQLfrUeNsqyR4lMbfsLpfHxAPLUEbN1CmnSzF8POjbopvPMLNexE0z9DmJPtfs9dcnA7zjvapIMA38gA7Im5ky27yUlMW%2FBrJKEd4xViu45L6Y8ZuVN6l1zJ5JBPkuEneIc2Fct21KbWwwWZlMsFiJpwG4SQtEAlu6WVbFRhMAIKli7pcle%2F%2FzcNQKK9LwAamk86hkutnNlRlkXndh3eKlz3rW21mevjHZSwapnyjpvgei3T2aU5I9UdP5hpmeAIvK4%2FS5zxE5jhzqAa4RyMMHKZAJ2Sv1NXO2b1vTKeG+xrU%2FnInpvlFnx7TF0CLJl6QK+yBWqpoX6%2FBFQ6dBxLcu5fHMP7RBzV5Y7RIGjPkh5nmEt1qxBKBCrzscmLEwsp3tYY9VSSCqQz&an=1&f=1
Content-Length: 0
Connection: close
Content-Type: text/html

------------------------------------------------------------------
GET /go.php?data=s5nKz1t63pi2a7chRizVwNj8R5tL66n%2FJSqSrEyE5Ds1XHySf%2FBEKbKrPXRQ0ZnLPxx4blfV+n8%2FSopcE6QUBHlnc892LbyqO0P40I0VVTOOcnyhWEOS+WYdqmv%2FDQATc998YKsxMpdTLX2I97MhU4EBnY8viphjQJgBhrkhZHbvAgilHGlaq00LydOf+AA6qtzMRttY7LY%2FnAC%2FrSDqTbsoA7CSDb4pPB6qZpCmg2GWLOunoAXICFv%2F2kiYKpLt+sQ%2Fwo+OzOgu2+V3yAPMYi9pUXSIzS1jQQs1mXbypFKuaaN8g9kEZ8VTZ9TZrM+Pkzpm1qL2vLJ5%2Fxdm6I+4yVO6jRKd+KStcllBj5ESBkTxBxhu29BKCh%2FoINGbx8+qmtyGewysJmVsbMlAkV8OgfL7q8P6Kv09icZITfllUxOa0uuYuLFDOOYpaLX+injcwg5+ve2+5bcein9VhhV7bThTdH8vBZMFAsXwLc2C+aOBerxBXw6nO9obFwhqkrlTgAdcQWiOuaP2KGEZQqhAwQLfrUeNsqyR4lMbfsLpfHxAPLUEbN1CmnSzF8POjbopvPMLNexE0z9DmJPtfs9dcnA7zjvapIMA38gA7Im5ky27yUlMW%2FBrJKEd4xViu45L6Y8ZuVN6l1zJ5JBPkuEneIc2Fct21KbWwwWZlMsFiJpwG4SQtEAlu6WVbFRhMAIKli7pcle%2F%2FzcNQKK9LwAamk86hkutnNlRlkXndh3eKlz3rW21mevjHZSwapnyjpvgei3T2aU5I9UdP5hpmeAIvK4%2FS5zxE5jhzqAa4RyMMHKZAJ2Sv1NXO2b1vTKeG+xrU%2FnInpvlFnx7TF0CLJl6QK+yBWqpoX6%2FBFQ6dBxLcu5fHMP7RBzV5Y7RIGjPkh5nmEt1qxBKBCrzscmLEwsp3tYY9VSSCqQz&an=1&f=1 HTTP/1.1
Accept: */*
Referer: http://triwoperl.com/feed/search.php?q=hphosts&aff=19362&saff=200
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: 208.94.233.40
Connection: Keep-Alive
Cookie: gkv-=1

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 14:01:34 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 12 Aug 2009 14:01:34 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Location: http://207.226.184.198/kkk.php?data=YlZ6kCc81cb2YNNzFp9%2F2Hj6kNZ6IHz1kbk3aJX4EuAb%2FoFe6J%2BK%2Bf3Sc5wSHFlqIoCxV04QKRiESX%2Bv5I%2FICloMTZCLouIYp845ajiqwgY%2BTdfUg0ovCJ6xvUli2I2S2Z1mjPqDb8FoBVRDQv%2ByDTJ8EKVi6YJ12%2Ff7JzDQoy4xLwoLIcYqjgE7TLB5kb0qXJu1775b5m8Sy9rE%2BdrYnIG33hUVAR7Yvijw3IaYuNraezY%2FLCQDBat3nYbpQBGktgNHuGcMyRui8kz6hCjwmBquxNoMfIWcv7baa6cHJuH%2Boc2yLZ1UN1me0ZcsoGBERZGs%2BG0e9FSzRR%2FawEIZc%2BZgk%2FoHaXIRrZMDevyQLxI47RyMr8fQA7QCsPAkKtUEKHX3bMLCX8miQ87BJkDhRD8qTs2%2FOZ0mYZsYrlHkhEvWdAMJzTrQvAeDmzFP%2BSbI7pQicghdw8IlNUyltoHPcoy3F0HuWJcETrDTao0IGkS3qCE7lzI%2F2xysfRdwYbhjv6gZOYQdzmM%3D
Content-Length: 0
Connection: close
Content-Type: text/html

------------------------------------------------------------------
GET /kkk.php?data=YlZ6kCc81cb2YNNzFp9%2F2Hj6kNZ6IHz1kbk3aJX4EuAb%2FoFe6J%2BK%2Bf3Sc5wSHFlqIoCxV04QKRiESX%2Bv5I%2FICloMTZCLouIYp845ajiqwgY%2BTdfUg0ovCJ6xvUli2I2S2Z1mjPqDb8FoBVRDQv%2ByDTJ8EKVi6YJ12%2Ff7JzDQoy4xLwoLIcYqjgE7TLB5kb0qXJu1775b5m8Sy9rE%2BdrYnIG33hUVAR7Yvijw3IaYuNraezY%2FLCQDBat3nYbpQBGktgNHuGcMyRui8kz6hCjwmBquxNoMfIWcv7baa6cHJuH%2Boc2yLZ1UN1me0ZcsoGBERZGs%2BG0e9FSzRR%2FawEIZc%2BZgk%2FoHaXIRrZMDevyQLxI47RyMr8fQA7QCsPAkKtUEKHX3bMLCX8miQ87BJkDhRD8qTs2%2FOZ0mYZsYrlHkhEvWdAMJzTrQvAeDmzFP%2BSbI7pQicghdw8IlNUyltoHPcoy3F0HuWJcETrDTao0IGkS3qCE7lzI%2F2xysfRdwYbhjv6gZOYQdzmM%3D HTTP/1.1
Accept: */*
Referer: http://triwoperl.com/feed/search.php?q=hphosts&aff=19362&saff=200
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Cookie: g-=1
Connection: Keep-Alive
Host: 207.226.184.198

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 14:01:34 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP/4.4.6 mod_perl/1.29 FrontPage/5.0.2.2510
X-Powered-By: PHP/4.4.6
Set-Cookie: g-=1; expires=Thu, 13 Aug 2009 14:01:34 GMT
Set-Cookie: b-=1; expires=Tue, 11 Aug 2009 14:01:34 GMT
Location: http://207.226.184.198/kkk.php?data=YlZ6kCc81cb2YNNzFp9%2F2Hj6kNZ6IHz1kbk3aJX4EuAb%2FoFe6J%2BK%2Bf3Sc5wSHFlqIoCxV04QKRiESX%2Bv5I%2FICloMTZCLouIYp845ajiqwgY%2BTdfUg0ovCJ6xvUli2I2S2Z1mjPqDb8FoBVRDQv%2ByDTJ8EKVi6YJ12%2Ff7JzDQoy4xLwoLIcYqjgE7TLB5kb0qXJu1775b5m8Sy9rE%2BdrYnIG33hUVAR7Yvijw3IaYuNraezY%2FLCQDBat3nYbpQBGktgNHuGcMyRui8kz6hCjwmBquxNoMfIWcv7baa6cHJuH%2Boc2yLZ1UN1me0ZcsoGBERZGs%2BG0e9FSzRR%2FawEIZc%2BZgk%2FoHaXIRrZMDevyQLxI47RyMr8fQA7QCsPAkKtUEKHX3bMLCX8miQ87BJkDhRD8qTs2%2FOZ0mYZsYrlHkhEvWdAMJzTrQvAeDmzFP%2BSbI7pQicghdw8IlNUyltoHPcoy3F0HuWJcETrDTao0IGkS3qCE7lzI%2F2xysfRdwYbhjv6gZOYQdzmM%3D&data2=&an=1&f=1&ch=0
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

------------------------------------------------------------------
GET /kkk.php?data=YlZ6kCc81cb2YNNzFp9%2F2Hj6kNZ6IHz1kbk3aJX4EuAb%2FoFe6J%2BK%2Bf3Sc5wSHFlqIoCxV04QKRiESX%2Bv5I%2FICloMTZCLouIYp845ajiqwgY%2BTdfUg0ovCJ6xvUli2I2S2Z1mjPqDb8FoBVRDQv%2ByDTJ8EKVi6YJ12%2Ff7JzDQoy4xLwoLIcYqjgE7TLB5kb0qXJu1775b5m8Sy9rE%2BdrYnIG33hUVAR7Yvijw3IaYuNraezY%2FLCQDBat3nYbpQBGktgNHuGcMyRui8kz6hCjwmBquxNoMfIWcv7baa6cHJuH%2Boc2yLZ1UN1me0ZcsoGBERZGs%2BG0e9FSzRR%2FawEIZc%2BZgk%2FoHaXIRrZMDevyQLxI47RyMr8fQA7QCsPAkKtUEKHX3bMLCX8miQ87BJkDhRD8qTs2%2FOZ0mYZsYrlHkhEvWdAMJzTrQvAeDmzFP%2BSbI7pQicghdw8IlNUyltoHPcoy3F0HuWJcETrDTao0IGkS3qCE7lzI%2F2xysfRdwYbhjv6gZOYQdzmM%3D&data2=&an=1&f=1&ch=0 HTTP/1.1
Accept: */*
Referer: http://triwoperl.com/feed/search.php?q=hphosts&aff=19362&saff=200
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Cookie: g-=1
Connection: Keep-Alive
Host: 207.226.184.198

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 14:01:35 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP/4.4.6 mod_perl/1.29 FrontPage/5.0.2.2510
X-Powered-By: PHP/4.4.6
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 12 Aug 2009 14:01:35 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Location: http://amgokz.net/in.cgi?16&parameter=hphosts&ur=1&HTTP_REFERER=19362
Keep-Alive: timeout=5, max=499
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

------------------------------------------------------------------
GET /in.cgi?16&parameter=hphosts&ur=1&HTTP_REFERER=19362 HTTP/1.1
Accept: */*
Referer: http://triwoperl.com/feed/search.php?q=hphosts&aff=19362&saff=200
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Connection: Keep-Alive
Host: amgokz.net
Cookie: SL_16_0000=_2_; SL_20_0000=_17_

HTTP/1.1 200 OK
Date: Wed, 12 Aug 2009 12:02:20 GMT
Server: Apache/2
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 923
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

------------------------------------------------------------------
GET /in.cgi?16&ab_iframe=0&ab_badtraffic=0&antibot_hash=776170951&ur=1&HTTP_REFERER=19362&parameter=hphosts&ur=1&HTTP_REFERER=19362 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Connection: Keep-Alive
Host: amgokz.net
Cookie: SL_16_0000=_2_; SL_20_0000=_17_

HTTP/1.1 200 OK
Date: Wed, 12 Aug 2009 12:02:20 GMT
Server: Apache/2
Set-Cookie: SL_16_0000=_2_; domain=amgokz.net; path=/; expires=Thu, 13-Aug-2009 12:02:20 GMT
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 315
Keep-Alive: timeout=1, max=99
Connection: Keep-Alive
Content-Type: text/html

------------------------------------------------------------------
GET /Upload/index.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://amgokz.net/in.cgi?16&ab_iframe=0&ab_badtraffic=0&antibot_hash=776170951&ur=1&HTTP_REFERER=19362&parameter=hphosts&ur=1&HTTP_REFERER=19362
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: morde.info
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 21:44:16 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.8
Set-Cookie: PREFIXvisited=27; expires=Mon, 17-Aug-2009 01:44:16 GMT
Location:
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=windows-1251
Content-Language: ru

------------------------------------------------------------------
GET /in.cgi?20&parameter=bank+online4&ur=1&HTTP_REFERER= HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://amgokz.net/in.cgi?16&ab_iframe=0&ab_badtraffic=0&antibot_hash=776170951&ur=1&HTTP_REFERER=19362&parameter=hphosts&ur=1&HTTP_REFERER=19362
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: amgokz.net
Connection: Keep-Alive
Cookie: SL_16_0000=_2_; SL_20_0000=_17_

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 12:02:21 GMT
Server: Apache/2
Set-Cookie: SL_20_0000=_17_; domain=amgokz.net; path=/; expires=Thu, 13-Aug-2009 12:02:21 GMT
Location: http://tlupdate.info/hitin.php?land=20&affid=02909
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 172
Keep-Alive: timeout=1, max=98
Connection: Keep-Alive
Content-Type: text/html

------------------------------------------------------------------
GET /hitin.php?land=20&affid=02909 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://amgokz.net/in.cgi?16&ab_iframe=0&ab_badtraffic=0&antibot_hash=776170951&ur=1&HTTP_REFERER=19362&parameter=hphosts&ur=1&HTTP_REFERER=19362
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 15:01:11 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
X-Powered-By: PHP/5.2.10
location: index.php?affid=02909
Content-Length: 0
Keep-Alive: timeout=20, max=120
Connection: Keep-Alive
Content-Type: text/html

------------------------------------------------------------------
GET /index.php?affid=02909 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://amgokz.net/in.cgi?16&ab_iframe=0&ab_badtraffic=0&antibot_hash=776170951&ur=1&HTTP_REFERER=19362&parameter=hphosts&ur=1&HTTP_REFERER=19362
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 12 Aug 2009 15:01:11 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
X-Powered-By: PHP/5.2.10
Keep-Alive: timeout=20, max=119
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

------------------------------------------------------------------
GET /Upload/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://amgokz.net/in.cgi?16&ab_iframe=0&ab_badtraffic=0&antibot_hash=776170951&ur=1&HTTP_REFERER=19362&parameter=hphosts&ur=1&HTTP_REFERER=19362
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: morde.info
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 21:44:17 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.8
Set-Cookie: PREFIXvisited=30; expires=Mon, 17-Aug-2009 01:44:17 GMT
Location:
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=1, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=windows-1251
Content-Language: ru

------------------------------------------------------------------
GET /js/jquery.js HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "8996-d9c2-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:12 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=118
ETag: "8996-d9c2-45c848abe2c00"

------------------------------------------------------------------
GET /js/jquery-init.js HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "8995-292-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:12 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=120
ETag: "8995-292-45c848abe2c00"

------------------------------------------------------------------
GET /Upload/ HTTP/1.1
Accept: */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Connection: Keep-Alive
Host: morde.info

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 21:44:18 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.8
Set-Cookie: PREFIXvisited=2; expires=Mon, 17-Aug-2009 01:44:18 GMT
Location:
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=windows-1251
Content-Language: ru

------------------------------------------------------------------
GET /js/flist.js HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Sat, 13 Jun 2009 10:00:00 GMT
If-None-Match: "8994-8017-46c37e3576800"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:13 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=117
ETag: "8994-8017-46c37e3576800"

------------------------------------------------------------------
GET /images/alert.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8978-3e0a-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:13 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=119
ETag: "8978-3e0a-45c84872aa500"

------------------------------------------------------------------
GET /images/page_progressbar.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "8988-243-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:14 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=116
ETag: "8988-243-45c848abe2c00"

------------------------------------------------------------------
GET /images/i5000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8984-421-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:14 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=118
ETag: "8984-421-45c84872aa500"

------------------------------------------------------------------
GET /images/i7000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "8986-41e-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:15 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=115
ETag: "8986-41e-45c848abe2c00"

------------------------------------------------------------------
GET /images/i1000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8980-42f-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:15 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=117
ETag: "8980-42f-45c84872aa500"

------------------------------------------------------------------
GET /images/box_top_.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8979-5c9-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:15 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=114
ETag: "8979-5c9-45c84872aa500"

------------------------------------------------------------------
GET /images/i3000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8982-418-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:15 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=116
ETag: "8982-418-45c84872aa500"

------------------------------------------------------------------
GET /images/i4000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8983-41f-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:16 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=113
ETag: "8983-41f-45c84872aa500"

------------------------------------------------------------------
GET /images/inf20000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "8987-1a1-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:16 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=115
ETag: "8987-1a1-45c848abe2c00"

------------------------------------------------------------------
GET /images/hdd.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "897e-77c-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:16 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=112
ETag: "897e-77c-45c84872aa500"

------------------------------------------------------------------
GET /images/dvd.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "897c-78e-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:16 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=114
ETag: "897c-78e-45c84872aa500"

------------------------------------------------------------------
GET /images/window1.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "898d-32b3-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:17 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=111
ETag: "898d-32b3-45c848abe2c00"

------------------------------------------------------------------
GET /images/hrline.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "897f-316-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:17 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=113
ETag: "897f-316-45c84872aa500"

------------------------------------------------------------------
GET /images/progressbar.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "8989-160-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:17 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=110
ETag: "8989-160-45c848abe2c00"

------------------------------------------------------------------
GET /images/i6000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8985-43e-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:17 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=112
ETag: "8985-43e-45c84872aa500"

------------------------------------------------------------------
GET /images/folder.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "897d-560-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:18 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=109
ETag: "897d-560-45c84872aa500"

------------------------------------------------------------------
GET /images/qicon.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "898b-407-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:18 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=111
ETag: "898b-407-45c848abe2c00"

------------------------------------------------------------------
GET /images/progressbar_green.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "898a-c5-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:19 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=108
ETag: "898a-c5-45c848abe2c00"

------------------------------------------------------------------
GET /images/i2000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8981-431-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:19 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=110
ETag: "8981-431-45c84872aa500"

------------------------------------------------------------------
GET /images/alert.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8978-3e0a-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:23 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=107
ETag: "8978-3e0a-45c84872aa500"

------------------------------------------------------------------


Which, as you've no doubt guessed, leads you to the usual scareware infection.
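Before moving on to the payload, here is a small triage script for captures in the format above, added as an example and not code from the original post. It splits the request/response pairs on the dashed separator, records each Host together with the Server banner it answered with, follows 3xx Location headers to the next hop, pulls affiliate ids out of query strings and cookies, and emits the contacted hosts as hosts-file entries. The embedded capture is constructed for the example: the redirecting hostname search-redirector.example, the affiliate ids 111 and 22 and the Location value are placeholders, and only tlupdate.info and affid=02909 come from the capture on this page.

```python
import re
from collections import OrderedDict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the same layout as the capture above: one 302 hop from
# a placeholder redirector to the affiliate landing page, then one of the
# cached-image requests. Hostname, aff/saff ids and the Location value are
# placeholders; tlupdate.info and affid=02909 are from the page.
SAMPLE_CAPTURE = """\
GET /click.php?u=example HTTP/1.1
Accept: */*
Referer: http://search-redirector.example/search.php?q=hphosts&aff=111&saff=22
Host: search-redirector.example
Connection: Keep-Alive
Cookie: aff=111; saff=22

HTTP/1.1 302 Found
Server: nginx/0.7.61
Location: http://tlupdate.info/index.php?affid=02909
Content-Type: text/html; charset=UTF-8

------------------------------------------------------------------
GET /images/alert.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
If-None-Match: "8978-3e0a-45c84872aa500"
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:23 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
ETag: "8978-3e0a-45c84872aa500"

------------------------------------------------------------------
"""

SEPARATOR_RE = re.compile(r"^-{10,}\s*$", re.MULTILINE)  # dashed line between exchanges
AFF_KEYS = ("aff", "saff", "affid")                      # affiliate parameters seen in the chain


def parse_message(text):
    """Split one HTTP message into (start line, {lowercased header: value})."""
    lines = text.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def split_exchanges(capture):
    """Yield (request, response) message texts from a dashed-separator capture."""
    for chunk in SEPARATOR_RE.split(capture):
        chunk = chunk.strip()
        if not chunk:
            continue
        request, _, response = chunk.partition("\n\n")  # blank line ends the request
        yield request, response


def affiliate_ids(url, cookie=""):
    """Collect affiliate ids from a URL's query string and from a Cookie header."""
    found = set()
    query = parse_qs(urlsplit(url).query)
    for key in AFF_KEYS:
        found.update(query.get(key, []))
    for part in cookie.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.lower().endswith(AFF_KEYS):
            found.add(value)
    return found


def extract_indicators(capture):
    """Return contacted hosts (with Server banners), 3xx hops and affiliate ids."""
    hosts = OrderedDict()  # hostname -> set of Server banners, in order of first contact
    redirects = []         # (requesting host, Location) for every 3xx response
    affiliates = set()
    for request, response in split_exchanges(capture):
        req_line, req_hdrs = parse_message(request)
        host = req_hdrs.get("host", "")
        hosts.setdefault(host, set())
        path = req_line.split(" ")[1]
        affiliates |= affiliate_ids("http://" + host + path, req_hdrs.get("cookie", ""))
        affiliates |= affiliate_ids(req_hdrs.get("referer", ""))
        if not response:
            continue
        status_line, resp_hdrs = parse_message(response)
        if "server" in resp_hdrs:
            hosts[host].add(resp_hdrs["server"])
        status = int(status_line.split(" ")[1])
        location = resp_hdrs.get("location")
        if 300 <= status < 400 and location:
            redirects.append((host, location))
            hosts.setdefault(urlsplit(location).hostname, set())  # next hop, even if not yet requested
    return {"hosts": hosts, "redirects": redirects, "affiliates": affiliates}


def hosts_file_lines(indicators, sink="127.0.0.1"):
    """Render the contacted hosts as hosts-file entries, the way hpHosts blackholes them."""
    return [f"{sink}\t{h}" for h in indicators["hosts"] if h]


if __name__ == "__main__":
    result = extract_indicators(SAMPLE_CAPTURE)
    for src, dst in result["redirects"]:
        print(f"{src} -> {dst}")
    print("affiliate ids:", sorted(result["affiliates"]))
    print("\n".join(hosts_file_lines(result)))
```

The host of a Location target is recorded even before the browser requests it, so the hosts list still covers the landing page if the capture is cut short; the Server banners are kept per host because the nginx-fronted redirector and the Apache/PHP landing page above are visibly different boxes.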


The actual infection itself is loaded from tlupdate.info (IP: 89.149.210.147 - PTR: 89.149.210.147.internetserviceteam.com);

tlupdate.info/download.php?affid=02909

which gives you a file called install.exe (563K, MD5: 206ca7574b8cf634f3b4add5e8d96e09)

http://www.virustotal.com/analisis/28204e54cdf4c7e495bf7ec93b261cffab4ac6b0243ead9d341611606b3a2368-1250087886

You'll no doubt have noticed that Sunbelt flags it as Waledac, which means you're getting a whole host more than just scareware.

One of these days, NetDirekt will learn that the longer they allow this on their IP ranges, the longer it's going to take for those such as myself to stop blackholing every NetDirekt range we come across (including several I'm currently processing for addition as I write this, such as 95.168.185.0-95.168.191.255).
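A range written as first-last, like the one above, is easier to push into a firewall or router as CIDR blocks, and it is worth checking which of the hosts in a chain actually fall inside it. The following is an added example, not code from the post: the 95.168.185.0-95.168.191.255 range and the tlupdate.info address are taken from the text above; redirector.example and its address are constructed placeholders standing in for a host that does sit inside the range.

```python
import ipaddress

# Range quoted in the post as being processed for blackholing.
BLACKHOLED_RANGE = ("95.168.185.0", "95.168.191.255")

# Hostname -> IP as stated on the page (tlupdate.info) plus one constructed
# placeholder inside the range. Nothing is resolved live.
OBSERVED = {
    "tlupdate.info": "89.149.210.147",      # from the post
    "redirector.example": "95.168.190.10",  # constructed placeholder
}


def range_to_cidrs(first, last):
    """Collapse a first-last IPv4 range into the minimal list of CIDR blocks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def covered_by(ip, cidrs):
    """True if ip falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def split_by_coverage(observed, cidrs):
    """Return (hosts inside the blocks, hosts outside them), both sorted.

    Hosts outside the range are the ones a range-based block would miss and
    which therefore still need their own hosts-file entries."""
    inside = sorted(h for h, ip in observed.items() if covered_by(ip, cidrs))
    outside = sorted(h for h, ip in observed.items() if not covered_by(ip, cidrs))
    return inside, outside


if __name__ == "__main__":
    cidrs = range_to_cidrs(*BLACKHOLED_RANGE)
    print("CIDR blocks:", ", ".join(cidrs))
    inside, outside = split_by_coverage(OBSERVED, cidrs)
    print("covered by range:", inside)
    print("still need name-based entries:", outside)
```

The 7-address-block range collapses to a /24, a /23 and a /22. tlupdate.info sits on 89.149.210.147, outside that range, so blackholing the NetDirekt netblock alone would not stop the download; it needs a name-based entry as well.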

/edit 13-08-2009 16:15

As of August 13th, the stromiko.com domain appears to have been deleted: it is no longer registered and thus no longer active.

References:

hpHosts - Stromiko
http://hosts-file.net/?s=stromiko

hpHosts - Internet Service Team
http://hosts-file.net/pest.asp?show=internetserviceteam

hpHosts - 95.168.*
http://hosts-file.net/?s=95.168.&view=matches

2 comments:

Kristie said...

HELP PLEASE
I am constantly getting pop-ups/new tabs with http://208.94.233.40/go.php and http://78.140.143.83/go.php in the address bar. I have no idea what this is or how to stop it happening, nor how it started. Help please.

MysteryFCM said...

Kristie,
Apologies for taking so long.

Pop over to the Malwarebytes forums and we'll assist you in getting cleaned up;

http://forums.malwarebytes.org/index.php?showtopic=9573