Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 31 March 2010

temerc.com and fluidhosting.com down

Not entirely sure why at the moment, but both temerc.com and fluidhosting.com (temerc.com hosting company) are down at present.

I'm still looking into why, and due to a very annoying difference in time (i.e. their being several hours behind us folk in the UK), is making contacting them a little difficult. I have ruled out an issue with DNS as they're resolving absolutely fine, and trying to load the site via IP instead of hostname, yields the same results.

Looking at a tracert result indicates the problem is inside the FluidHosting network as there's no timeouts or such.

If you've got contacts at FluidHosting that are available at this time of day, perhaps you'll have more luck contacting them than I'm having at present (as an aside, I verified the status via several routes, just to ensure the problem wasn't at this end).

/edit

Attempts to phone them via the number listed in their WhoIs (860-656-6191) results in a message telling me the number is not in service. Oh dear.

/edit 14:06 GMT London

Everything seems to be back up and running folks. A comment further down (thanks Mark_H! :o) ) suggests the problem was their entire DC going down. Again however, no idea this point as to what caused it to do so. Hopefully FluidHosting themselves will post information on what happened, to their site.

/edit 14:46 GMT London

I've just checked the FluidHosting forums and found this (posted by "FH-John"), which explains what happened;

The problem was caused by a temporary fault in our core switch. This fault resulted in the switch allowing ping, and intra-network traffic, while effecting other protocols such as HTTP from reaching our network.


The thread is at the URL below, though you've got to be registered on their forums to see it (not entirely sure why). There's nothing on their homepage about this issue.

http://forums.fluidhosting.com/showthread.php?t=4076

Tuesday, 30 March 2010

vURL Server downtime

Apologies for the vURL Online server downtime earlier folks. Sadly the PSU died (was busy at the time so didn't notice right away). I've popped in an older spare PSU until I can get to the shop for a new one.

Sunday, 28 March 2010

fSpamlist: New "profile" cards

Just a note folks, there's now "profile cards" available for the IP's/email addresses, listed in fSpamList.

Example

84.237.157.41
http://www.fspamlist.com/?c=profile&num=177292

c3@pradas.info
http://www.fspamlist.com/?c=profile&num=174253

Note: Additional information on the domains in the e-mail addresses, should be listed on e-mail address profile/report cards, in due course

Friday, 26 March 2010

fSpamList.com - New RSS feeds!

I am happy to announce, Josh at fSpamList has now added two RSS feeds;

Latest additions
http://www.fspamlist.com/feed.php

Most reported spammers
http://www.fspamlist.com/feed.php?most

Spambot Search Tool: v0.47

Due to a bug in the SBST UI, v0.47 has now been released. Sorry folks.

http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

Thursday, 25 March 2010

Spambot Search Tool: v0.46R2

I've re-released v0.46 of the SBST that was released a couple or so hours ago, due to a bug in the script that produces a warning when the whitelist is empty.

http://forum.hosts-file.net/viewtopic.php?f=68&t=1955

Download:
http://support.it-mate.co.uk/?mode=Products&act=DL&p=spambotsearchtool

Friday, 19 March 2010

100webspace.net: A quick followup

Just an update to this folks.

100webspace.net never responded, the support@ address didn't bounce (so presumably they did actually receive it), but the postmaster@ address did.

errorsguru.com is no longer a Paretologic affiliate, but instead, is now peddling a much much worse "fully fledged" rogue - RegTool. And what have errorsguru.com' hosting company had to say? Well, disgustingly "Robert R., Abuse Coordinator" at DreamHost, had this to say;

Upon review of the \"regCure\" software we found none of the major anti-spyware/malware/virus providers identified the file as malicious. We will be keeping an eye on the domain errorsguru.com and account hosting it for any signs of malicious activity and take appropriate action when sufficient evidence is present.

As for the google search result, that is something google needs to be notified of to block the domains from their search results pages in a more permanent fashion.


FYI, I never said the site WAS peddling RegCure, I said it USED TO (until Paretologic killed it). Alas, he's evidently incapable of analysis, relying solely on VT results (presumably that's what he used, find it difficult to believe he used multiple scanners himself). Oh and Robert, NOD32 blocks regtool.com before the site even loads - so whilst the app itself may not yet be detected (nope, I don't know why it's taking so long either), the site certainly is ;o)



I am however, guessing our dear Robert, didn't check with Malwarebytes AntiMalware, else he'd have seen it is indeed detected by a pretty big player in the AM field;



Woops!

Naming and Shaming ‘Bad’ ISPs

Roughly two years ago, I began an investigation that sought to chart the baddest places on the Internet, the red light districts of the Web, if you will. What I found in the process was that many security experts, companies and private researchers also were gathering this intelligence, but that few were publishing it. Working with several other researchers, I collected and correlated mounds of data, and published what I could verify in The Washington Post. The subsequent unplugging of malware and spammer-friendly ISPs Atrivo and then McColo in late 2008 showed what can happen when the Internet community collectively highlights centers of badness online.

Fast-forward to today, and we can see that there are a large number of organizations publishing data on the Internet’s top trouble spots. I polled some of the most vigilant sources of this information for their recent data, and put together a rough chart indicating the Top Ten most prevalent ISPs from each of their vantage points. [A few notes about the graphic below: The ISPs or hosts that show up more frequently than others on these lists are color-coded to illustrate consistency of findings. The ISPs at the top of each list are the "worst," or have the most number of outstanding abuse issues. "AS" stands for "autonomous system" and is mainly a numerical way of keeping track of ISPs and hosting providers.


Read more
http://www.krebsonsecurity.com/2010/03/naming-and-shaming-bad-isps

Thursday, 18 March 2010

Avant Force: Development update

Avant Force, the team (well I say Team, last I knew there was actually only my friend, Anderson Che, developing both Avant Browser and Orca Browser), have published an update on the blog, giving outlines of what's going on, with regards to Avant Browser and the much anticipated v12, previously scheduled for release both in January, then February 2010.

Sadly, v12 is still not here, we're still with the 11 series (11.7 Build 46 SR3), and yes, this series has had it's problems, the biggest of which by far, being a memory leak that causes it to crash sporadically after several days of constant use (most notably when I've went upto 72 hours or so without sleep, it's got a tendancy to either crash whilst I'm finally getting sleep, or soon after I wake up). In saying this however, the latest build is by far, the most stable of the 11 series (just as well too, or I'd not be able to use it ....).

I've spoken with Anderson several times about v12, and some of the things I'm aware of, both during the course of speaking with him, and after reading the blog (yep, work/family/development/hardware issues and hpHosts etc has me busy), is v12 is a complete re-write from the ground up, complete with a re-write (obviously) of the skinning and plugin systems (themes are rumoured to be more along the lines of those that Firefox users are familiar with, though I don't have details on that yet).

I'm just rambling now though, so I'll just point you to the blog to read up on what's happening;

http://blog.avantforce.com/dev-update-avant/

Full disclosure: I've been the server/forum admin for Avant/Orca browser' forums, for a few years now, and have additionally been running the AB Archives (archive of old/current Avant/Orca releases) since 2003, and being a friend of Anderson' for years, am obviously a little biased when it comes to his projects.

Tuesday, 16 March 2010

Dear Avira: Errr, say it ain't so .....

Going on a little hunt for new stuffage whilst the test machines image was restored, I stumbled upon a thread on the Avira forums, referencing hpHosts, nothing wrong there.

http://forum.avira.com/wbb/index.php?page=Thread&postID=920112

The post was alerting the Avira folk, to a SpyEraser variant at spyeraser-security.com (post references a different IP (91.201.28.20,AS44107 91.201.28.0/22 Prombuddetal LLC), but a lookup a few seconds ago, showed it residing at 79.135.152.150 - 150.152.135.79.microlines.lv, AS2588 79.135.128.0/19 LATNETSERVISS-AS LATNET ISP).

Given we already know SpyEraser is a rogue, I was surprised to find the following response from a member of staff on the forums;


Hang on a second .... you've admitted it's a rogue, and the program itself will be detected, but because the installer displays an EULA, the installer isn't going to be detected? Am I the only one surprised by this?

hpHOSTS - UPDATED March 16th, 2010

hpHOSTS - UPDATED March 16th, 2010

The hpHOSTS Hosts file has been updated. There is now a total of 126,051 listed hostsnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 16/03/2010 14:00
  2. Last Verified: 16/03/2010 13:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Just a note folks, I am aware of the issues with the hpHosts website, and am working on resolving it (MySQL server keeps getting overloaded).

gtomart.com: A lesson in guaranteeing you'll be blacklisted

There's many many ways to ensure your site will be blacklisted;

1. Utilizing malware/exploits
2. Developing/distributing [1]
3. Using unethical means to promote a site or program
4. Utilizing hijacks
5. Utilizing blackhat SEO techniques
... etc etc etc etc

The list goes on and on and on.

Another method however, of ensuring you'll be blacklisted, is by spamming through compromised e-mail accounts. This is a method gtomart.com decided to use yesterday when either themselves, or someone associated with them, decided it a good idea to compromise my other halfs e-mail accounts (not a good idea, especially when you're going to spam everyone in her contacts list - as that includes me - woops!).

The two e-mails I received contained;

I would like to say that I am impressed with the quality and service.Always accommodating to you,please look 〖www.choogyy.info〗 <http://www.choogyy.info/>


And;

my boots came from εwww.nivanoland.infoε <http://www.nivanoland.info/> , they are wonderful will definatley use this site again.you can look too,sweetie.they are gr8.


Both of these sites have one thing in common - they both redirect to Chinese owned gtomart.com (174.36.234.114 - 174.36.234.114-static.reverse.softlayer.com, AS36351 174.36.192.0/18 SOFTLAYER - SoftLayer Technologies Inc).

WhoIs for gtomart.com;

Domain Name ..................... gtomart.com
Name Server ..................... dns21.hichina.com
dns22.hichina.com
Registrant ID ................... hc493605238-cn
Registrant Name ................. lei li
Registrant Organization ......... lilei
Registrant Address .............. taipingqu2haolou604
Registrant City ................. nanchang
Registrant Province/State ....... jiangxi
Registrant Postal Code .......... 521000
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.02063088768 -
Registrant Fax .................. +86.02063088768 -
Registrant Email ................ 287753202@qq.com
Administrative ID ............... hc493605238-cn
Administrative Name ............. lei li
Administrative Organization ..... lilei
Administrative Address .......... taipingqu2haolou604
Administrative City ............. nanchang
Administrative Province/State ... jiangxi
Administrative Postal Code ...... 521000
Administrative Country Code ..... CN
Administrative Phone Number ..... +86.02063088768 -
Administrative Fax .............. +86.02063088768 -
Administrative Email ............ 287753202@qq.com
Billing ID ...................... hichina001-cn
Billing Name .................... hichina
Billing Organization ............ HiChina Web Solutions Limited
Billing Address ................. 3/F., HiChina Mansion
No.27 Gulouwai Avenue
Dongcheng District
Billing City .................... Beijing
Billing Province/State .......... Beijing
Billing Postal Code ............. 100011
Billing Country Code ............ CN
Billing Phone Number ............ +86.01064242299 -
Billing Fax ..................... +86.01064258796 -
Billing Email ................... domainadm@hichina.com
Technical ID .................... hichina001-cn
Technical Name .................. hichina
Technical Organization .......... HiChina Web Solutions Limited
Technical Address ............... 3/F., HiChina Mansion
No.27 Gulouwai Avenue
Dongcheng District
Technical City .................. Beijing
Technical Province/State ........ Beijing
Technical Postal Code ........... 100011
Technical Country Code .......... CN
Technical Phone Number .......... +86.01064242299 -
Technical Fax ................... +86.01064258796 -
Technical Email ................. domainadm@hichina.com
Expiration Date ................. 2010-08-26 17:24:02

Thursday, 11 March 2010

100webspace.net: OI! Anyone awake over there?

Dear 100webspace.net,
I am writing this because you evidently couldn't be bothered to conform to the RFC's and have an active ABUSE@ address!!!

When will these companies realise, if they're offering a service such as hosting, connectivity, they MUST provide a WORKING abuse@ address for abuse complaints.

Ref:
http://www.faqs.org/rfcs/rfc2142.html

I've already had Paretologic kill off the errorsguru.com affiliate that was using blackhat SEO tactics to peddle the program, so the abuse report is a little irrelevant now, but the point isn't (I've re-sent the report to postmaster@ and support@, so we'll see if they get rejected too).

Crimeware friendly ISP's: VITAL TEKNOLOJI (AS44565)

Turkish based ISP, VITAL TEKNOLOJI (AS44565) have been appearing on my radar for quite some time, and not under the most flattering of terms - they've been and continue to be, home to a major source of badness. Namely, exploits and fake AV's.

They actually have several ranges under their control, the most active of which are;

79.171.16.0/21
93.186.112.0/20
188.124.0.0/19

I can't say which has been the worst of the lot, as there's been badness across every single one so far. 79.171.16.0/21 has been the least active of the 3 over the past week or three.

By far the biggest problem across these ranges has been with fake AV's and exploits, just some of which includes;

20100301005241     188.124.7.148     static.vitalhosting.com.tr     www1.free-scan-and-allcure.in     http://www1.free-scan-and-allcure.in/build6_195.php?cmd=sendFile&counter=1&p=p52dcWltbV%2FCj8bYboNuilik12qYVp%2FZatrauZqqppeLw8ydb5aYfX1sXq3VmaGXYmRhaGiammObZFbZocTY2KR0Y1zWnomtm6ilmXVanqLNkqGMp5mSq29ezZ2faGKUYJySlGNqYGubh9WemHGhqKykcmiQpNvdX5eco5mkyVvFn52VoMjF1ZSfcZ7RnsinWJWmpHOldZzJltDLXJWOpqag1aLDm5WRkczF0ZKZpK%2FGz4man6R0p6epqpzGlsijn5Gjl56hyZvWXZbMU8TR02ypnrCikqVseXuAgJeZppjAjLm5Y2NeWpOl1GjLlW27gamRm1eYn6agwtR2alqaoahvp6qeU9jZbmFfamlslGCbZmOModaWoGJpaG2ZkZZyaGdfl5txf3s%3D

20100303181740     188.124.5.165     static.vitalhosting.com.tr     188.124.5.165     http://188.124.5.165/index.html

20100303181745     188.124.5.165     static.vitalhosting.com.tr     188.124.5.165     http://188.124.5.165/hitin.php?land=20&affid=92800

20100303181748     188.124.5.165     static.vitalhosting.com.tr     188.124.5.165     http://188.124.5.165/downloader.php?affid=92800

20100304210208     188.124.3.233     static.vitalhosting.com.tr     188.124.3.233     http://188.124.3.233/a/go.php

20100304210221     188.124.5.170     static.vitalhosting.com.tr     188.124.5.170     http://188.124.5.170/index.html

20100304210229     93.186.127.201     static.vitalhosting.com.tr     93.186.127.201     http://93.186.127.201/hitin.php?land=20&affid=92800

20100304210232     188.124.5.170     static.vitalhosting.com.tr     188.124.5.170     http://188.124.5.170/hitin.php?land=20&affid=92800

20100304210234     93.186.127.201     static.vitalhosting.com.tr     93.186.127.201     http://93.186.117.22/2_2fb798.php?&affid=92800

20100304210237     188.124.5.170     static.vitalhosting.com.tr     188.124.5.170     http://188.124.5.170/2_2fb798.php?affid=92800

20100304225141     93.186.117.22     static.vitalhosting.com.tr     93.186.117.22     http://93.186.117.22/index.html

20100304225147     93.186.117.22     static.vitalhosting.com.tr     93.186.117.22     http://93.186.117.22/hitin.php?land=20&affid=92800

20100304225149     93.186.117.22     static.vitalhosting.com.tr     93.186.117.22     http://93.186.117.22/2_21eb39.php?affid=92800

20100304225154     188.124.5.170     static.vitalhosting.com.tr     188.124.5.170     http://188.124.5.170/2_21eb39.php?affid=92800

20100305020416     188.124.16.18     static.vit.com.tr     horovod.in     http://horovod.in/soft/exe/yamba.exe

20100305020418     188.124.16.18     static.vit.com.tr     huil.in     http://huil.in/x/severa.exe

20100305120736     93.186.118.48     static.vitalhosting.com.tr     convira.com     http://convira.com/px/

20100307203817     79.171.22.154     static.vitalhosting.com.tr     candlewq.com     http://candlewq.com/tst/porta/reastrn.pdf

20100307204211     188.124.16.18     static.vit.com.tr     horovod.in     http://horovod.in/soft/exe/dogma.exe

20100307205413     188.124.9.69     static.vitalhosting.com.tr     arraysaw.net     http://arraysaw.net/files/goofybeautiful.pdf

20100307205448     188.124.16.35     static.vit.com.tr     bodeg.in     http://bodeg.in/x/pdfnew.php

20100307205825     188.124.16.35     static.vit.com.tr     itkornoval.in     http://itkornoval.in/x/pdfnew.php

20100307205902     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in/x/?html=1&id=992&hash=6339a5f067adeab2eb7cd0e942c81583

20100307210300     188.124.16.35     static.vit.com.tr     vesen.in     http://vesen.in/x/pdfnew.php

20100307210302     188.124.16.35     static.vit.com.tr     vesen.in     http://vesen.in/x/pdfnew.php?src=boss&id=bomba

20100307210455     188.124.16.35     static.vit.com.tr     www.vesen.in     http://www.vesen.in/x/pdfnew.php

20100307210651     188.124.16.35     static.vit.com.tr     bodeg.in     http://bodeg.in/x/pdf.php?src=tb&id=766

20100307210653     188.124.16.35     static.vit.com.tr     bodeg.in     http://bodeg.in/x/pdf.php?src=tb&id=887

20100307210656     188.124.16.35     static.vit.com.tr     bodeg.in     http://bodeg.in/x/pdfnew.php?src=tb&id=766

20100307210658     188.124.16.35     static.vit.com.tr     bodeg.in     http://bodeg.in/x/pdfnew.php?src=tb&id=887

20100307210905     188.124.16.35     static.vit.com.tr     landoftraffic.in     http://landoftraffic.in/x/?html=1&id=992&hash=6339a5f067adeab2eb7cd0e942c81583

20100307210907     188.124.16.35     static.vit.com.tr     landoftraffic.in     http://landoftraffic.in/x/pdfnew.php

20100307211215     79.171.22.154     static.vitalhosting.com.tr     ttcandle.com     http://ttcandle.com/kavo/nitbjs.php

20100307211217     79.171.22.154     static.vitalhosting.com.tr     ttcandle.com     http://ttcandle.com/kavo/stard/owareyo.pdf

20100307211542     93.186.127.45     static.vitalhosting.com.tr     93.186.127.45     http://93.186.127.45/downloader.php

20100307212047     188.124.16.19     static.vit.com.tr     huil.in     http://huil.in/x/pdfnew.php

20100307212111     188.124.16.35     static.vit.com.tr     itkornoval.in     http://itkornoval.in/x/pdf.php?src=tb&id=992

20100307212148     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in/x/pdf.php?src=tb&id=992

20100307212150     188.124.16.35     static.vit.com.tr     landoftraffic.in     http://landoftraffic.in/x/pdf.php?src=tb&id=992

20100307212548     188.124.16.35     static.vit.com.tr     vesen.in     http://vesen.in/x/pdf.php?src=tb&id=992

20100307212814     188.124.5.151     static.vitalhosting.com.tr     188.124.5.151     http://188.124.5.151/a_adc40d.php

20100307214641     188.124.5.155     static.vitalhosting.com.tr     188.124.5.155     http://188.124.5.155/1_1af700.php

20100307222224     188.124.9.53     static.vitalhosting.com.tr     analiticdirect.com     http://analiticdirect.com/n/g/index.php

20100307223719     93.186.127.53     static.vitalhosting.com.tr     93.186.127.53     http://93.186.127.53/a_ad3c19.php

20100307223738     188.124.9.69     static.vitalhosting.com.tr     arraysaw.net     http://arraysaw.net/files/g.i.surprise.pdf

20100307224321     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in:80/x/pdf.php?src=tb&id=766

20100307225037     188.124.5.156     static.vitalhosting.com.tr     188.124.5.156     http://188.124.5.156/2_27f754.php

20100307225335     188.124.9.69     static.vitalhosting.com.tr     arraysaw.net     http://arraysaw.net/newload.php?ids=MDAC

20100307225614     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in/x/?id=766&hash=a25144ea1f7195206c5f614241cd4844

20100307225616     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in/x/pdfnew.php

20100307230040     188.124.16.35     static.vit.com.tr     www.koren.in     http://www.koren.in/x/pdfnew.php

20100307230426     188.124.9.69     static.vitalhosting.com.tr     arraysaw.net     http://arraysaw.net/files/eccentricbamboo.pdf

20100307230817     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in/x/pdfnew.php?src=marcos&id=bomba

20100307230819     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in:80/x/pdfnew.php?src=marcos&id=bomba

20100307231337     188.124.16.35     static.vit.com.tr     vesen.in     http://vesen.in/x/pdf.php?src=boss&id=bomba

20100307233447     188.124.16.35     static.vit.com.tr     vesen.in     http://vesen.in/x/?html=1&id=992&hash=6339a5f067adeab2eb7cd0e942c81583

20100308145215     188.124.9.56     static.vitalhosting.com.tr     solaruploader.com     http://solaruploader.com/46.exe

20100309194542     93.186.118.53     static.vitalhosting.com.tr     getbonuszcheck.biz     http://getbonuszcheck.biz/crystal/help.exe

20100309195112     188.124.16.18     static.vit.com.tr     horovod.in     http://horovod.in/soft/load.php?id=CNwdYyWTfvsmxDY&src=&requestID=sHVSkgmfwI

20100309195409     188.124.16.18     static.vit.com.tr     horovod.in     http://horovod.in/soft/load.php?id=CNwdYyWTfvsmxDY&src=&requestID=tzrLKzfWDY

20100309195411     188.124.16.18     static.vit.com.tr     horovod.in     http://horovod.in/soft/exe/severa.exe

20100309195414     188.124.16.18     static.vit.com.tr     kornoval.in     http://kornoval.in/counter/jar.jar

20100309195515     188.124.16.18     static.vit.com.tr     kornoval.in     http://kornoval.in/counter/pdf.php?src=

20100309195623     188.124.16.18     static.vit.com.tr     kornoval.in     http://kornoval.in/counter/exe.php?src=&x=jas

20100309195626     188.124.16.18     static.vit.com.tr     kornoval.in     http://kornoval.in/counter/exe.php?src=&x=mdac

20100309195628     188.124.16.18     static.vit.com.tr     kornoval.in     http://kornoval.in/counter/exe.php?src=&x=snap

20100309195745     188.124.16.18     static.vit.com.tr     horovod.in     http://horovod.in/soft/load.php?id=CNwdYyWTfvsmxDY&src=&requestID=fdJhxQSJOF

20100309201412     93.186.117.25     static.vitalhosting.com.tr     93.186.117.25     http://93.186.117.25/7_7575fc.php

20100309231412     188.124.5.65     static.vitalhosting.com.tr     www2.asdsystemms.in     http://www2.asdsystemms.in/?uid=213&pid=3&ttl=e154c66797c

20100310142908     188.124.3.233     static.vitalhosting.com.tr     188.124.3.233     http://188.124.3.233/a/go.php?p=3778410

20100311010024     93.186.117.26     static.vitalhosting.com.tr     93.186.117.26     http://93.186.117.26/index1.html

20100311010035     93.186.117.26     static.vitalhosting.com.tr     93.186.117.26     http://93.186.117.26/hitin.php?land=20&affid=92800

20100311010038     93.186.117.26     static.vitalhosting.com.tr     93.186.117.26     http://93.186.117.26/d_d09259.php?affid=92800

20100311213244     93.186.117.30     static.vitalhosting.com.tr     93.186.117.30     http://93.186.117.30/hitin.php?land=20&affid=92800

20100311213247     93.186.117.30     static.vitalhosting.com.tr     93.186.117.30     http://93.186.117.30/5_52254f.php?affid=92800


Rather interestingly, I have noticed they've stopped bothering trying to make it a challenge to identify the payloads when it comes to the fake AV's. No longer do I have to actually decode anything or run anything, I just grab the source and look for a line such as the following;

dl_755e = '7_755eab.html';


Replace .html (also seen as .jpg and .php) with .php and voila, you've got your payload (had to point that out to Jerome at Paratologic last month incidentally).

They also seem to be keeping the redirection domains in place a little longer than previously. For example;

freshgetline.net/redirect/
freshgetline.net/redirect2/
freshgetline.net/redirect3/
freshgetline.net/redirect4/
safetytripstyle.net/redirect/
safetytripstyle.net/redirect2/
safetytripstyle.net/redirect3/
safetytripstyle.net/redirect4/
gosafezone.net/redirect/
gosafezone.net/redirect2/
gosafezone.net/redirect3/
gosafezone.net/redirect4/

All of which, still reside at 200.63.46.130, which I'm sure you'll recognize as being from the equally crimeware friendly Eveloz.

Annoyingly however, there's still a plethora of this to be found via the likes of Google (yep I know, surprise surprise).

Microsoft Tech Days: Are you going?

A week of free technology events for developers,
IT professionals and IT managers

What's on for Developers?

We'll be updating the agenda and session information over the coming days.
Follow @uktechdays to be the first in the know.

We're going back to basics and have hired two London cinemas during the week so we can deliver the kind of content you've been asking to hear about. Please note that we'll only be able to provide light refreshments during the day - so don't forget your pack lunch!

Featured speakers: Jason Zander, General Manager; Ingo Rammer, Thinktecture,
Ian Griffiths, Interact Software and Mike Taulty, Microsoft UK

What's on for IT Professionals and IT Managers?

We'll be updating the agenda and session information over the coming days.
Follow @uktechdays to be the first in the know.

We're going back to basics and have hired two London cinemas during the week so we can deliver the kind of content you've been asking to hear about. Please note that we'll only be able to provide light refreshments during the day - so don't forget your pack lunch!

Featured speakers: Chris Jackson, Microsoft Consulting Services, Corp; Gordon McKenna, Inframon; James O'Neill, Microsoft UK and Andrew Townhill, UK Technology Director, Microsoft.

Where is it?

The developer days are being held at;

Vue Cinema Fulham Broadway, Screen 6

And the IT Professional days are being held at;

Vue Cinema Shepherds Bush, Screen 9

You can find directions to both, over at the Microsoft website;

Developers
http://www.microsoft.com/uk/techdays/daydev.aspx

IT Professional
http://www.microsoft.com/uk/techdays/dayitp.aspx

Great!, where do I register?

You can register for attendance at;

http://www.microsoft.com/uk/techdays/registration.aspx

(the question nobody is asking) Are you going to be there?

I'm not, no. Work, family and finances dictate I can't go to this one. But do let me know how it goes!

Spambot Search Tool: Undisposable.net offline

I have had a few users telling me they were having problems both contacting me, and using the SBST. One user narrowed it down to undisposable.net, and I stupidly didn't think to check the site myself at the time.

Checking undisposable.net today shows the site is offline. It's still resolving to 64.202.189.170, but no content is there, so it's failing to connect. There's no contact information in the WhoIs for the site so I've no way of contacting the sites owner to find out whats going on.

Until the site is back, those of you using the Spambot Search Tool should disable the undisposable.net check by changing the following in config.php;

$bBlockDisposable = TRUE; // undisposable.net

To;

$bBlockDisposable = FALSE; // undisposable.net

Wednesday, 10 March 2010

Pinball Publisher Network: Yet more blackhat SEO goodness

Going through the latest Google results for new malicious goodness, I stumbled upon a URL I was fully expecting to be serving me with a fake AV (the last 10 or so I'd checked had done), but alas no, not this time. This time I was to be served a page that led me to a fake search results page (PPC fraud);


And from there, on to porntubevault.com, which leads you to Pinball Publisher Network.




Where we're offered the SeekMo toolbar, BarDiscover*, and ShopperReports.

* BarDiscover comes courtesy of topsearchsoft.com and bardiscover.com. Both sites live at 208.87.149.250 (AS40634 208.87.148.0/23 FIRSTLOOK-COM - FirstLook, Inc.) and also have a history tied to the infamous NewDotNet

The full redirection results (inclusive of my clicking all URL's on the adultsearchpage.net "results" page) are;

http://pferdesex.info/newporn/www-tube555-com.html
http://testim2.laimp4.info/cnstats/cnt-combined.php?i=2048712&e=1280.800&d=32&r=http%3A//www.google.co.uk/search%3Fhl%3Den%26lr%3D%26tbo%3Dp%26tbs%3Dqdr%3Am%26q%3D%2522hphosts%2522%26start%3D190%26sa%3DN&p=http%3A//pferdesex.info/newporn/www-tube555-com.html&t=
http://newsvr.info/1.jpg
http://newsvr.info/2.jpg
http://newsvr.info/3.jpg
http://newsvr.info/4.jpg
http://newsvr.info/5.jpg
http://pferdesex.info/newporn/www-tube555-com_1_newporn.jpg
http://testim2.laimp4.info/cnstats/cnt-combined.php?second=1&i=2048712&e=1280.800&d=32&r=http%3A//www.google.co.uk/search%3Fhl%3Den%26lr%3D%26tbo%3Dp%26tbs%3Dqdr%3Am%26q%3D%2522hphosts%2522%26start%3D190%26sa%3DN&p=http%3A//pferdesex.info/newporn/www-tube555-com.html&t=
http://sutra2s.info/in.cgi?16¶meter=sex+videos
http://www.adultsearchpage.net/?q=sex+videos&aid=1274&n=6
http://iwebimg.net/ifeed/thumb?url=FindStuff.com
http://iwebimg.net/ifeed/thumb?url=http://FindStuff.com
http://iwebimg.net/ifeed/thumb?url=%20www.adultphonechat.co.uk%20
http://iwebimg.net/ifeed/thumb?url=http://www.hottestlivecams.com
http://iwebimg.net/ifeed/thumb?url=http://www.porntubevault.com
http://iwebimg.net/ifeed/thumb?url=http://www.theredzone.com/xxx
http://www.adultsearchpage.net/click.php?id=c59e95c8cdabd1788fe72153c61f9c36
http://64.27.11.152/click/go.php?id=0da63cc7-bd37-4f2e-a316-9a5ca2cf1886&sid=f4f49792eaab43edad813d662a2ca121&n=ns-1
http://199.80.55.18/go.php?data=w20CvfPrP188v96I%2BcMzQ2RWelhvG%2FJJcFBPaiZwYzlqFu6Wc%2Bcz1GGwlARf%2BmTKObAc2m93ItoGnszGJwzGvkha8zIOye2QMSM2aC2RhpQMZFg765FQVApdbFDWKVYt9dAyH5Ga0FLmoOVyhppmsuBBWDjb3GO1hv6igcSXb6A5XP4%2FtUQdGNo4kof6%2BzWUXjde08a7B838CC084eOyt%2B%2FEuvQWVNEVE68gMx8BCHL8m%2By%2BQaxXNqq1GjbgP1UBBgphVYk%2B%2F87zzy8H7YtAZycXzKIRW4iXuS0Dh3oTWevCX2ziAf%2FHCrqn1MD2Elj0VFgNU9SUYWQGY9oKtaEA6j73bTECCO3lyi5oDeyY%2Bg3onCaUga4MALeAl9t%2Fns4J8iLX5Cx4%2B7%2FO0IUtXDbg9nExnyu9ErfJOLtjSzoWjZSCSE6LB%2BZQmCLtgArRbmvEeXYYw72DNtEyIkH3Bq%2F2l%2Fc7jfrCToR41K5CpduLt7ufb1cXOsH3jPe2UK5qdTP9Dhi6Vl7avFLLh5n00TrS96JNRIcIg0nN0xliFejvM7YuAFiFYGjATESFJ1zm5hagZrEylPF%2FRwsQ4rdHTjYpBHGoAJlRJU%2BNL%2FwQxw7PtC3y56A3gzgUPgPZfJdM%2BELCWMXyYqBSxVcVK5wENK5bAjD8eq8HAPNKdg1FkNoonZfzpc44j9kIG9SiVWInZtwg2m6Lnxwi2tw%3D
http://meta.7search.com/click/click.aspx?x=wczTilZgcgFauoNn7Rfm9A%3d%3d_EsWIalU7BeA4JXHZrcjzAShWMz6XSpcENSsES7md%2bn75LqMMzPJC6stOhJl5le22VDrAgQpz8JpFqqDgV8nXNc8SRxpKUBii6kBWmsCvb%2bfspKZf0OEgqMy9nQuHgMoN%2b1E1QdXikoo9hjLvXmDdxngZz0u08OsjnrBKfdg94qhotMn%2brhqdSRoAK1zdPrTT5TMAaZNsUuuH2DYZ6LkhrZNxIFBXnumcX1eqqhgmf4kyaxL89%2f6MlZxMlKUV%2bmUoiXjZm7Q2%2bPWVFpJyfxNq8w%3d%3d
http://www.porntubevault.com/freeporn.htm
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
http://www.pornpass.net/freeporn/exit.js
http://www.porntubevault.com/exitcon.js
http://www.porntubevault.com/popup.js
http://galleries.pinballpublishernetwork.com/87459ac3bd/854290c0b911/lc.js
http://www.porntubevault.com/freetag.jpg
http://static.pinballpublishernetwork.com/js/release/sp.js
http://origin-cached.licenseacquisition.org/44/1054645075.28332/kaiyalynnbgvid007.wmv_medium.jpg
http://preview.licenseacquisition.org/44/1056460336.54315/dahliadenylechristianbgvid_hd_medium.jpg
http://origin-cached.licenseacquisition.org/44/1054645088.4495/courtneysimpbgvid005.wmv_medium.jpg
http://preview.licenseacquisition.org/160/1055660353.61245/Veronique_medium.jpg
http://origin-cached.licenseacquisition.org/44/1055261761.70432/Naudia's%20First%20Scene_medium.jpg
http://preview.licenseacquisition.org/160/1055660363.44955/sasha_medium.jpg
http://origin-cached.licenseacquisition.org/160/091104131229/JustPoppedIn_LiquidPussy_bg_medium.jpg
http://preview.licenseacquisition.org/44/1056461863.68769/zeinajackbgvid_hd_medium.jpg
http://preview.licenseacquisition.org/160/1055660364.61884/Amber%20Rayne_medium.jpg
http://origin-cached.licenseacquisition.org/160/091104125110/TheNaturals_DDBlondeInPinkOutside_bg_medium.jpg
http://preview.licenseacquisition.org/160/1055660376.0031/Rebecca_medium.jpg
http://preview.licenseacquisition.org/44/1056461730.02733/sophialynnbgvid_hd_medium.jpg
http://origin-cached.licenseacquisition.org/160/1055310592.06691/Shy_Love_Is_Horny_medium.jpg
http://origin-cached.licenseacquisition.org/160/1055310473.66377/Three_Babes_&_One_Guy_medium.jpg
http://origin-cached.licenseacquisition.org/44/1054650682.73628/aria2bgvid014.wmv_medium.jpg
http://origin-cached.licenseacquisition.org/160/091104130520/JustPoppedIn_DeniseGetsCreampie_bg_5_medium.jpg
http://preview.licenseacquisition.org/160/1055660360.68259/Scene%204%20Katja_medium.jpg
http://preview.licenseacquisition.org/44/1056461154.32307/memphisstrip2vid_hd_medium.jpg
http://preview.licenseacquisition.org/160/1055689621.84023/Divorce_medium.jpg
http://preview.licenseacquisition.org/160/1055660367.97097/holly_medium.jpg
http://static.pinballpublishernetwork.com/images/sp/lc/red_btn.gif
http://www.adultsearchpage.net/click.php?id=7c9a233f518def0fefbee262bd5a99df
http://64.27.11.152/click/go.php?id=601182ad-e749-4e25-8266-b4269f43d3e2&sid=f4f49792eaab43edad813d662a2ca121&n=ns-1
http://199.80.55.18/go.php?data=HmhrKvBFa6z8RW%2Bc139LJr4n%2B07B0jm%2FqWdhbB3tp8lB9rVlE%2BA%2B1qwlz5qwcQSRzGQj1176tVN5JDQUO3SuBN4aEk%2B3u6F%2Ba4TIPTJocJAQZgmk80NzwYt4P4yIG7INEdI3rN%2F3jTyiqtD7IN7pLuEU6m%2BaENeb4qSWoGd12cGrIuzWMIV6Wx%2B%2Fw3NR91ryaviSD9H6axTHI6i%2BFhUOSeI3Zm5iLLSFN5w5SMecGsoBIndfzvK87DqA27sBUrsjNcI%2BEocxwD8yH2q8Gtwr9URs3RkAV5rH%2FDm5wRyffQfLK7hGN1sUNSbkocBrf3924MCSUeUj3B9rm59qgc83zZpYOHopnATp5sdHpaKUijRjTBaTjdmhPsblr8%2Fgpaegc2IAIIEEXSGFyhUuDpCpYKXVwroAEiQroj1pHW8iF%2Fmb2ElZkxcWHd81us%2B4IyWKoAGNZW5Anyuuq8zOqcj2LgDrj71wJEeaYt9ou%2BcF%2BRrkHas67RAqW1Gy%2FY25demVBaltzgiq1zKMDjyOBOSjfc3WXj80HXXCmcuV9AHqBC9NHnRVorcaA8ljKbSabtQCD5LDz4xOpe2UO7y5Rmbsy1bzgShQ%2BH6ZO7qiiR4yxQUkk5ZzjN%2BMIqfip3I6%2BKV%2BTsprQm0i4y1WEfTcEOOKSYHOsvziLxnEpN0Hrvzp4aCyPHFOvRBnXAWVH8I6vPt8
http://meta.7search.com/click/click.aspx?x=wczTilZgcgFauoNn7Rfm9A%3d%3d_EsWIalU7BeA4JXHZrcjzASTaarFXkPmb0iV3ZE5GzID07E3HFUMCyE37DtB%2bGN7IUQVuWp1CvNZoJXoMd4wTB6w1IzsYxw0I2s%2fq6FIq%2bGuIIs1F8H7lYho88Zi5kaix%2ffW6dShWnVTGrJs0zOGHCLbd6pXofoGQX0NDGWAXTaA2A4wo5BuWeqV%2bJ1dJmdmygwn1kb7qO3fV40FwTRbMmZy9wFvqrA4zcrgRAVvvr0gsmfrfwrN4%2f28djS4Y75en%2bGuOMVPZN5UOcGrS93zrdQ%3d%3d
http://www.theredzone.com/cgi-bin/xxxbrowse.cgi
http://feeds.feedburner.com/avantforce
http://www.theredzone.com/images/prev.gif
http://ads.adbrite.com/mb/text_group.php?sid=423238&br=1&dk=6164756c7420706572736f6e616c735f365f335f776562
http://www.theredzone.com/images/rzbiologo.gif
http://www.theredzone.com/images/next.gif
http://pcash.imlive.com/banners/eros_bannersnew4.gif
http://www.theredzone.com/rzbanners3/IBPS468x80_1.gif
http://www.theredzone.com/rzbanners3/kod125x125.gif
http://4.adbrite.com/mb/text_group.php?sid=164024&br=1
http://www.searchfeed.com/rd/feed/JavaScriptFeed.jsp?cat=porn&trackID=E8033481375&pID=59267&nl=3&excID=
http://www.searchfeed.com/rd/feed/JavaScriptFeed.jsp?cat=sex&trackID=E8033481375&pID=59267&nl=3&excID=
http://www.searchfeed.com/rd/feed/JavaScriptFeed.jsp?cat=xxx&trackID=E8033481375&pID=59267&nl=3&excID=
http://www.searchfeed.com/rd/feed/JavaScriptFeed.jsp?cat=viagra&trackID=E8033481375&pID=59267&nl=3&excID=
http://www.statcounter.com/counter/counter_xhtml.js
http://www.theredzone.com/xxx/video.gif
http://www.theredzone.com/xxx/free.gif
http://www.theredzone.com/xxx/snatches/thumbb.jpg
http://www.theredzone.com/xxx/tinygwen/thumbb.jpg
http://www.theredzone.com/xxx/live.gif
http://www.theredzone.com/xxx/liveanal/thumbb.jpg
http://www.theredzone.com/xxx/sexandsubmission/thumbb.jpg
http://www.theredzone.com/xxx/machines/thumbb.jpg
http://www.theredzone.com/xxx/clubcherries/thumbb.jpg
http://www.theredzone.com/rzbanners1/newviagra.gif
http://impression.7search.com/scripts/impression.asp?affiliate=40105&keyword=hardcore+porn&s=ppt
http://impression.7search.com/scripts/impression.asp?affiliate=40105&keyword=xxx+video&s=ppt
http://www.theredzone.com/tor/royaltyladies/banner.gif
http://iframes.awempire.com/?t_id=theredzone01
http://c.statcounter.com/t.php?sc_project=1759998&resolution=1280&h=800&camefrom=http%3A//www.adultsearchpage.net/%3Fq%3Dsex+videos%26aid%3D1274%26n%3D6&u=http%3A//www.theredzone.com/cgi-bin/xxxbrowse.cgi&t=The%20RedZone%20XXX%20Listings&java=1&security=2eeca6db&sc_random=0.6822608784921682&sc_snum=1&invisible=1
http://static.awempire.com/Scripts/tmbrotator.js
http://static.awempire.com/imgs/lpr/iframes/templates/public/32/ani.gif
http://s0.img.awempire.com/lpr/jessylove4u/mimage.jpg
http://s1.img.awempire.com/lpr/PrincesswetX/mimage.jpg
http://s2.img.awempire.com/lpr/PoshTitss/mimage.jpg
http://s0.img.awempire.com/lpr/Ariana18/mimage.jpg
http://static.awempire.com/imgs/lpr/iframes/templates/public/32/name.gif
http://s1.img.awempire.com/lpr/36FFBUSTYBBW/mimage.jpg
http://www.theredzone.com/xxx/tinygwen
http://www.theredzone.com/xxx/tinygwen/
http://www.theredzone.com/cgi-bin/xxxcreate.cgi?id=1212
http://www.theredzone.com/css/bios.css
http://www.theredzone.com/images/b_nav.gif
http://www.theredzone.com/images/btn_cityhome.gif
http://www.theredzone.com/images/btn_search.gif
http://www.theredzone.com/images/btn_home.gif
http://www.theredzone.com/images/btn_advertise.gif
http://www.theredzone.com/images/b_nav-15.gif
http://www.theredzone.com/images/spacer.gif
http://www.theredzone.com/images/prev.gif
http://www.theredzone.com/images/next.gif
http://www.theredzone.com/images/rzbiologo.gif
http://www.theredzone.com/xxx/tinygwen/thumb1.jpg
http://www.theredzone.com/xxx/tinygwen/thumb2.jpg
http://www.theredzone.com/xxx/tinygwen/thumb3.jpg
http://www.theredzone.com/xxx/tinygwen/thumb4.jpg
http://www.theredzone.com/xxx/tinygwen/thumb5.jpg
http://www.theredzone.com/xxx/tinygwen/thumb6.jpg
http://www.theredzone.com/xxx/tinygwen/thumb7.jpg
http://www.theredzone.com/xxx/tinygwen/thumb8.jpg
http://www.theredzone.com/xxx/tinygwen/thumb9.jpg
http://www.theredzone.com/xxx/tinygwen/main.jpg
http://www.theredzone.com/xxx/tinygwen/thumba.jpg
http://www.theredzone.com/xxx/tinygwen/thumb.jpg
http://www.theredzone.com/xxx/tinygwen/banner.gif
http://www.theredzone.com/rzbanners3/ht468x60_01.gif
http://www.theredzone.com/images/bottom.gif
http://www.theredzone.com/images/top_side1.gif
http://www.theredzone.com/images/bottom_side.gif
http://www.adultsearchpage.net/click.php?id=7809e9323867e6640c315389bfeee79f
http://64.27.11.152/click/go.php?id=334a6367-57dd-4415-9a97-7a3aa1819797&sid=f4f49792eaab43edad813d662a2ca121&n=ns-1
http://64.111.196.114/c.php?s=eNpVkkmyokAARA9EhNRAFbL4C5VJRUBUsNl0FBQ4MCODGBy-_cuOjMzcvOV7zFCRZfhdOh_OW2yvfn5msAAYwN-jMgBkRgACgL9ViCTBOUa-tDXDOjT8IR6_vJxKEEMqQw6RxGSIWMolAClnMKIcJX-JJHPMUgxoTCCPGMCKzCGO4kRKaAKXM0IznBO78p9K4TTZ6nivRSNY-oamkelQ6KujycwoWTlG8WCeH65Tt66zrG4EWWFTWfYigQ6VqyT4jEWjDht5eDRnWV2_VKm4iKUwDaI7xF4tPOLxtVFzc1Ky7m2WY1OBVxvsL1r82Yp75yB3p84tyWhbgt6fxFGDdYVvxtkx6sHMVuvgiATbo7HGWlPpnpmKqnvPtdp4rS1qovw6RpZzc7fO9czJcKlAk9MMiXGeNmfjeWxu_d7UNSdknbs_O8i69D2Vivx268c_ze5WfabYU1PPUXiQvSfQZ2W6R2vV0HGv7nLLNujukrsaAVeerCU3v149pzfQSE-plghaJrw3TsYGotmnnJXL6ux12hBhIxeIHTe0L19M84Nrqe7K4H0tplaV1ltB2-5sTfJAC6IdCUAqruus7MZhGe2eYyfUtVzw6Zm-x20kanYYRu6geKZuAeGV8BVQYx0bQQiZLlHV2TP3M6IyO7WfGmP7T8uB_3Vj58re5hmQy_SIHItRWxKy7nU7WJO84cpjefDc_HwI2upopJp4U_EnlNsZQbQgdKGQBSJ4_hVVWWBpARFcQAXPYJ7RzDHHVqFnPHiD2LgPUeE_maEDq7AHq_TbL_WbGf9PIv8eF3YVG3oZnkgfXo8_cwIijhUpgQmNEKQopkQBJKZ8iRnmsfQPYxwFSg
http://76.9.16.151/c.php?re=1&r=eNpVkkmyokAARA9EhNRAFbL4C5VJRUBUsNl0FBQ4MCODGBy-_cuOjMzcvOV7zFCRZfhdOh_OW2yvfn5msAAYwN-jMgBkRgACgL9ViCTBOUa-tDXDOjT8IR6_vJxKEEMqQw6RxGSIWMolAClnMKIcJX-JJHPMUgxoTCCPGMCKzCGO4kRKaAKXM0IznBO78p9K4TTZ6nivRSNY-oamkelQ6KujycwoWTlG8WCeH65Tt66zrG4EWWFTWfYigQ6VqyT4jEWjDht5eDRnWV2_VKm4iKUwDaI7xF4tPOLxtVFzc1Ky7m2WY1OBVxvsL1r82Yp75yB3p84tyWhbgt6fxFGDdYVvxtkx6sHMVuvgiATbo7HGWlPpnpmKqnvPtdp4rS1qovw6RpZzc7fO9czJcKlAk9MMiXGeNmfjeWxu_d7UNSdknbs_O8i69D2Vivx268c_ze5WfabYU1PPUXiQvSfQZ2W6R2vV0HGv7nLLNujukrsaAVeerCU3v149pzfQSE-plghaJrw3TsYGotmnnJXL6ux12hBhIxeIHTe0L19M84Nrqe7K4H0tplaV1ltB2-5sTfJAC6IdCUAqruus7MZhGe2eYyfUtVzw6Zm-x20kanYYRu6geKZuAeGV8BVQYx0bQQiZLlHV2TP3M6IyO7WfGmP7T8uB_3Vj58re5hmQy_SIHItRWxKy7nU7WJO84cpjefDc_HwI2upopJp4U_EnlNsZQbQgdKGQBSJ4_hVVWWBpARFcQAXPYJ7RzDHHVqFnPHiD2LgPUeE_maEDq7AHq_TbL_WbGf9PIv8eF3YVG3oZnkgfXo8_cwIijhUpgQmNEKQopkQBJKZ8iRnmsfQPYxwFSg&u=4496044dd8fc86e746eb9ddfaba3fca5&cid=c96630984b7d5d274100c57d86c2dd45&rc=0&pa=&ref1=&ref2=
http://www.mirago.co.uk/click.ashx?e=tpD8JKzVLiADezTW6yrieAwGlFNwCcKgt5C9PPtSDYyUeq63UyVeX2Sb3LfnV5fTH9M%2fc5ycnJp21gwUZOrVdQ0l98CgKJV9DgmuaBL62p%2b9bxmakrH0bHEK78701%2f2mHvgYPCFWFNpb0MZONNFkks60V42NZ%2f6YeWsCSaKoSOHae2mKM3Ij2OccY4I5%2b%2fShgbMCi1vHy99iqjN4JoAE%2f6%2bd%2fPWsFSc3Zguaz%2fH5jUqhMO%2fpIki78wYdokonLY0kh8GtdyjWeGqvU%2bYAVdDCAxZGYvyTyo3XVdTFmvczyi%2fEjnMZ%2f8lFQSc9vZkiFm9eRGP%2fTpQI822CO%2f8NTMjfPPgoPhY1QPlFjCEKBtWjwo7iz%2fDR3G0rSYhFMieN8mZZsxC6q6chWmsd%2fLg0UsfrJg%3d%3d
http://www.adultphonechat.co.uk/js/preload.js
http://tracking.dc-storm.com/px.gif
http://tracking.dc-storm.com/dcv4/jslib/sid1252_4.003.js
http://tracking.dc-storm.com/dcv4/logpv.aspx?sid=1252&uid=1268233366723.1596387485.0079655.1252.1115930941.6&uts=1&uvc=1&pgn=/livewebcam.html&pgc=1&iuid=&flv=WIN%2010.0.45.2&col=32&res=1280%7C800&utc=0&tfs=6140&rdm=adultsearchpage.net&rpt=&rqs=q%3Dsex+videos%26aid%3D1274%26n%3D6&rns=&nts=1&cst=1&cvn=0&cmp=0&sby=www.adultphonechat.co.uk&jsv=79&tsr=http%253A//www.adultphonechat.co.uk/livewebcam.html%253Futm_source%253DPartner%25252BNet%25252BJuly%2526utm_medium%253DPartner%25252BNet%25252BJuly%2526utm_term%253DPartner%25252BNet%25252BJuly%25252BWEBCAMS%2526utm_campaign%253DPartner%25252BNet%25252BJuly%25252BWEBCAMS&tsq=http%253A//www.adultsearchpage.net/%253Fq%253Dsex+videos%2526aid%253D1274%2526n%253D6&hfb=0&prtcl=http%3A&pqs=
http://www.adultsearchpage.net/click.php?id=51706061cdbfcbe0a494eda062bd254f
http://64.27.11.152/click/go.php?id=0bbbdc53-5ef0-4e2f-9924-efb9f51d15e6&sid=f4f49792eaab43edad813d662a2ca121&n=ns-1
http://199.80.55.18/go.php?data=bIiO9qAkLFnKl20mtWeajHjKfV1J9zAVg5pdr11hUjIm4H0Qr0bTc4QWjnyy%2FXvs9QqAJFh8Zh4yPVFt3QgrvaAqygN%2FTLrAplwRD182unOtAk%2BPrgKNY1Q0DIF8OnI2HZiEpIUhVEziHCISiZo1EhC%2BZzFKmIyeoNPbNLeVmvePX7G0cv8kZ30RqIs1%2FzX1E2%2Bs4Gv%2BF8dZ7jA7p0OpQI5te3uxAfAiLONJCFzjgE0UI7bXdsIXNXfqaLTpdNNZ%2FS%2BpIVHC%2Bc8CCw1MGstTgXYlapPBJAeihJbMUJjW0Xg3MTLzubT5Q3f6t8VAiZaj6d8mBMQ25aROZd56qZre7nedaEE7bkhHCXAc0axyRI3n3%2B0uHAsrLDTQWRPhi8RClLr6p3YOSZyJMvnkExa6lHP21PtPHHTRHvyzAHPgs27R3EYYOgwBhHwIH2sFnnDThRTL74xjkDx%2BYbQdsH2evwEEacm8D%2BoWqKl9yfegGYRDkvIcM6p%2BDl4lM6ROUfR1%2BUn9M2P9cOQFN2lPuLwSh0Vjk8NaZNYgBFgbdQMJNzFsAk6P%2BVBN54iDdFDAJIDKooVsx6xcBc09xtKff%2BENsfiJ41lbMi44KgjF7k0f%2FH7aY8ZE85BUjjeqaaYuHQfpUjfYCCQ9yZvmmAqMCt7AfiM3n6E%2FTmkmNj4Jg6yL1nkBHu%2Fv0V7xFJkPuFlg43gpdTWGnzwISkFYbtPSJPRmOn3LD2VyYO6mPQRthir0fR%2FPqga24xt1Fb2Ao2jE7VGPXtDTsNhTdkYc5YNWwqZeJ24v1YIqn3lPNTyGhLIPRM1h78wBtTue5hiitXI5DKczKVmDUtPM1S3s2c%2BZcB2a2J%2Bl9PFU9REYr4DuyMRYcigwZqM5QsK6OYgNEDyvTHItPo3MCr4m1dfeey5H%2FrPLsjFX3dDZYPnORaL4xTvUkeQXeEnnX8XJfgtdpjE6jCp%2FqYThW06AVjkY6GoOuZfAKO9cMOAZ%2B2q649QnBtqZnw0S8wwsHBvkzMty1i%2FX%2FyUOay4cHMXH0O8NHmsIy8BlcLDrcs%2Fous9KQLWej9A71NzEHGHE1dWzzneWmnqemrhO50R%2BpmsiE3BkOZERxTyVnXTO1pLv6EXy6OtgxGzOL3NiaUqSuTo8gSuVDfOIcxOpQueFpBtDNyzmIpHnUBcbaoVo%2F8Gv5MUKS%2B45cN9FAMLPnFogFVA5ogEU%2F9%2BRGcEN7PAVwWinH9FKk15%2BJJEtT5xZt%2BbbJ6yU1z6l8KF1L6vRVMD%2FMdml%2BVs9GspfvKJ8NMjux%2BaUxxqauhPndUy9QCTS2nsUQ3bZk%2BukhvLC9A9yey8tpbmBu7kZDZjgLs7rQi%2FYnrAYOw6PF4xeMUJ0eTLPYL7U8nKowuF4p1rP%2F6DhQNNFRcbJo58cit61jl8uS8dFW5IU1ZbkgXBQal1zy9Kk01gFFUuXcV8eTyuU5iDvUKzdfSKLUw%3D%3D
http://efp.ns3.bidsystem.com/c/AAi8GvS-eeMTlQ8Fken-f0EzrgQh0VAu0Zp83QUj29x-V9-JmELRsZTYh8GwwSnxy_aQ698DOw4BW5SA62fMZ8PsgqonlXGih_ZN-kFjfCiEwCagbDbMTcKL_244NKHmQThoHAKJVK35_hj6-8QZhllaWqN83JWHRwA9mzyaU7AyZ0cO80xoflk7y-G1lqf8b5hTvJPe8wsq5pekFew5wa8Pr9pOT0WqGtvPwMGv9c3oAqL1_jhaGw4-CxLrGl8rOJ4x_Z_2a9Uuntxw895G0sPY-oU-2wVHxy5kmK9nABPjW4vUq6avZ9XCpbjDHKG06R9dWuw8JfIpNH-U70jyQHflMy8S9Q0dIRd8d-wGdshMa2gu-PE2Z7Pj2VuveAPA-ai6pbFqWpqUfAiaNlgRS2C112KkVZbZzuzA_xBmtbnqcFWLRUMQPZwkjXBILjY0MASNvQp3XP1FzszvDzSUkGqzCYz-Wm5NYJV1J2cu0JCLHZB05-8ZMZ2oW1nJCiIUEGSth2yDlzVt6Y4Fj1aSUpX70PU53OgYL8_hSNm8ArJzCPsqkk3AkoFpG6aoijMTjay8Gz_eRDwhl-JfEtruS_XGoE0i3HRqhMQ_HGCj-b5TgVYIBQSgzzLoxuWj7tm9X0JyZ_dDuEGW6_TH7mr27XwevH6xhjhnGwuGtJoChEitvY07hiMYECS_aSNsqtBJMbSdh0vQYV8HKv2TYVxHKLEgde43QVbphcgi-W58EpkkvkLuKw9o9Ju3PXWqnE3gQCMONPaNNzRgpCtAYeyrbYK9PronYikmhowuBv_YT6vZZIqQXF6Mf7hFMSiYxdgTGnwU_VMAVxGLaGqgi3MtaXBRw2yVBP0BddqWvc9eRuUlkiHEBXIe3ndwd1uwqu5t4XHIvtvRWygjFNVNrekxBsZPeNP-KD9rQUh47gmPzYmC5ZLHAmAttoFGb3dT_Fx70pcInqdlaLH0_WGATNhn14ZR27pmyU65y8j9F7uFDka838FOPcfoFZgMyE7dtbm-lUGBpiviT2-6jJmTWcvEEDZWQOsYrHWSQejZ2g
http://r.looksmart.com/og/pr=Psr;ro=1;rc=2;digest=5b589ef2c2186c2b7999a55fc2752b62;kid=4af930d14d071dbe0ed7bafa3af48e34;t=1268232880;v=8;data=bZ5ZpZGpHISrP1CBWo6cn6PvDaLpEra8VwW1tLpU_fg4r01Nve51dwTCHUZG5z8ju2T0rcBJj_z80-7ck4Ai53fUIzG26lYkQSQcIShxIBKkPaIglMO9DdALNFkLge4Rno5MnrC10-YHvs-_mvkcDZoTQqP2PWYm93oyfB95v8jpeShe0vb30A;uh=156x1141429177654101675;la=770129;lm=1016658;ad=667108128;ag=667108128;kw=504643474;qt=sex%20videos;vr=1;lt=BM;ip=212.56.95.253;pt=;st=20.14.4.0.0.0.0;os=326.44.10.0.2.38.2.3;sy=keyword;my=smart;geo=894269;vid=0;subid=176132-3360601274;opi=adks1;ii=9c4.1eff.4b97b2b0.16a3;pn=;to=;tc=2;po=1;pc=2;pi=adks1:adult;ts=;rm=|http://uk.findstuff.com/uksearch.php?query=sex+video&source=kuk&adgroupid=UKterms1k&Look_id=60671-176132-3360601274&LSclick=504643474-9c4.1eff.4b97b2b0.16a3
http://uk.findstuff.com/uksearch.php?query=sex+video&source=kuk&adgroupid=UKterms1k&Look_id=60671-176132-3360601274&LSclick=504643474-9c4.1eff.4b97b2b0.16a3
http://uk.findstuff.com/search.php?query=sex+video&source=kuk&adgroupid=UKterms1k&Look_id=60671-176132-3360601274&LSclick=504643474-9c4.1eff.4b97b2b0.16a3&mkt=uk
http://uk.findstuff.com/home/search/index?query=sex+video&source=kuk&adgroupid=UKterms1k&Look_id=60671-176132-3360601274&LSclick=504643474-9c4.1eff.4b97b2b0.16a3&mkt=uk
http://uk.findstuff.com/home/search/index?uvx=JwUTKY_xNTlyXgSbVxm13N7HWD_Zc7PGBBfcPkeSe4jTJHI2sYOOlHu1uLc3Pm0nd7KNnQh8KzGzZ-HETknCQsZKTiUcwtnyAxjdjXKF1nCMaInIdfh08GAtLNe1ZKHShyWjZ1L2RM3h0ibM3ZJuf6akGEgr4z2_zlS1CA0KlpI-lK6i0535S9wSNbYt6ahf0k6rA8ZgcZUZTeHdVFyrsxVJC7_zoL9Fb9s2WSvW0BHy3g1f05LfGYAMrm1dm-aF
http://uk.findstuff.com/home/htdocs/includes/js/jquery/jquery.js
http://uk.findstuff.com/home/htdocs/includes/css/adlayouts/v1inv2.css
http://uk.findstuff.com/includes/styles-optomized.css
http://uk.findstuff.com/images/logo-3.jpg
http://uk.findstuff.com/images/menu-bar.jpg
http://uk.findstuff.com/images/sponsored-results.jpg
http://snip.uk.findstuff.com/includes/images/pixel.gif?&start=0&show=10&name=test&site=FS&source=kuk&adgroupid=UKterms1k&phpsessionid=cqif892dbn82brdm05ripnstv5
http://www.findstuff.com/images/graybox.gif


As an aside, 7search.com and ukfindstuff.com have been appearing in quite a few blackhat campaigns over the last few month or so. Perhaps it's time they got a kick in the behind too.

Tuesday, 2 March 2010

Server downtime

Sorry for the downtime folks. 89.15.156.197 (kobz-590f9cc5.pool.mediaWays.net) decided it would be fun to constantly flood the server.

/edit 01:20 03-03-2010

This little bugger is back, this time using 83.14.243.106 (efj106.internetdsl.tpnet.pl)