Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 31 May 2010

WARNING: Malware, scams and RedStation (AS35662,

Remember the SMS fraud housed on the RapidSwitch range? Well, now we've got yet another network involved.

This time, it's the turn of RedStation, AS35662. I've already dropped them an e-mail, but the notice on their contact page suggests this is going to have been a completely pointless exercise.

Note to Solicitors

If you are a solicitor and you wish to communicate with us about a website hosted on the Redstation network, do not telephone as we will not be able to discuss it with you. All legal communication must be in writing and sent by recorded delivery to the company's address listed above and marked for the attention of the Company Secretary.

We do not accept legal communications by email or fax.

Wonder if they consider abuse reports to be "legal communications"?? We shall see.

In the meantime, this little lot is housed on at least 2 of their IPs. Namely and

All of those I've checked thus far have had their downloads coming from ( - ), for example;


These are NSIS-packed files, and the JDownloader file, for example, contains two VBS scripts that hijack the Firefox homepage and search engine to point to;


With partner ID:


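A homepage/search hijack of the kind described above leaves its mark in the victim's Firefox prefs.js, so a quick way to spot it on a managed machine is to read the URL-valued prefs and flag any host that is not on an allowlist. The check below is an added example, not code from the post or from hpHosts; the allowlist, the example hosts and the partner-id value in the sample prefs.js are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# URL-valued Firefox prefs that homepage/search hijackers rewrite (both present
# in the Firefox 3.x prefs.js of 2010; keyword.URL drove address-bar search).
MONITORED_PREFS = ("browser.startup.homepage", "keyword.URL")

# Hosts you expect to see in those prefs on a managed machine (assumption:
# an organisation-specific allowlist; adjust to your environment).
EXPECTED_HOSTS = {"www.google.com", "intranet.example.com"}

# user_pref("name", "value");  -- the value may contain \" and \\ escapes
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')

def parse_user_prefs(prefs_text):
    """Return {name: value} for the string-valued user_pref() lines in prefs.js."""
    prefs = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return prefs

def find_hijacked_prefs(prefs_text, expected_hosts=EXPECTED_HOSTS):
    """Return (pref, url, host) for every monitored URL whose host is not allowlisted.

    browser.startup.homepage may hold several URLs separated by '|', so each is
    checked on its own; internal about: pages are ignored, and a URL with no
    parseable host is reported with host None.
    """
    findings = []
    prefs = parse_user_prefs(prefs_text)
    for name in MONITORED_PREFS:
        for url in filter(None, prefs.get(name, "").split("|")):
            if url.startswith("about:"):
                continue
            host = urlsplit(url).hostname
            if host is None or host.lower() not in expected_hosts:
                findings.append((name, url, host))
    return findings

# Constructed sample prefs.js: a legitimate homepage entry followed by an
# injected one, plus a rewritten keyword.URL; the partner id is a placeholder.
SAMPLE_PREFS_JS = r'''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com/|http://hijack.example.net/?pid=PARTNER_ID_PLACEHOLDER");
user_pref("browser.startup.page", 1);
user_pref("extensions.lastAppVersion", "3.6.3");
user_pref("keyword.URL", "http://search.hijack.example.net/q.php?pid=PARTNER_ID_PLACEHOLDER&q=");
'''

if __name__ == "__main__":
    for pref, url, host in find_hijacked_prefs(SAMPLE_PREFS_JS):
        print(f"{pref}: {url} (host {host})")
```

Run it against a copy of prefs.js from each profile under the user's Firefox profile directory; the same check works on user.js, which hijackers also use because it overrides prefs.js at startup.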
No great surprise as far as where is living - our old friends RapidSwitch;

Current IP:
IP PTR: Resolution failed
ASN: 29131 RAPIDSWITCH-AS RapidSwitch


Anonymous said...

We do not accept legal communications by email or fax.
LOL what do they want? To have a paratrooper land on them and hand deliver it? redirected me to: which is sitting on
AS16276 - OVH

Domains sharing A records with IP:

Security Team said...

Redstation are a major hack/spam source...
2014-05-16 02:07:41 52736 80 HTTP/1.1 GET /phpTest/zologize/axa.php 400 - Hostname -
2014-05-16 02:07:41 52782 80 HTTP/1.1 GET /phpMyAdmin/scripts/setup.php 400 - Hostname -
2014-05-16 02:07:41 52830 80 HTTP/1.1 GET /pma/scripts/setup.php 400 - Hostname -
2014-05-16 02:07:41 52885 80 HTTP/1.1 GET /myadmin/scripts/setup.php 400 - Hostname -

Abuse contacts (not very helpful):

The best way is to block them out.

MysteryFCM said...

Feel free to send me any supporting logs you've got for this.

hphosts @