Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 31 May 2010

WARNING: Malware, scams and RedStation (AS35662, 81.94.192.0/20)

Remember the SMS fraud housed on the RapidSwitch range? Well, now we've got yet another network involved.

This time, it's the turn of RedStation, AS35662. I've already dropped them an e-mail, but the notice on their contact page suggests this is going to have been a completely pointless exercise.

Note to Solicitors

If you are a solicitor and you wish to communicate with us about a website hosted on the Redstation network, do not telephone as we will not be able to discuss it with you. All legal communication must be in writing and sent by recorded delivery to the company's address listed above and marked for the attention of the Company Secretary.

We do not accept legal communications by email or fax.

I wonder if they consider abuse reports to be "legal communications"? We shall see.

In the meantime, this little lot is housed on at least two of their IPs, namely 81.94.201.58 and 81.94.201.61.

All of those I've checked thus far have had their downloads coming from allbrowsers.net (81.94.201.61, 61-201-94-81.rackcentre.redstation.net.uk), for example:

hxxp://www.allbrowsers.net/gb/install_jdownloader.exe?a=

These are NSIS-packed installers; the JDownloader one, for example, contains two VBS scripts that hijack the Firefox homepage and search engine to point to:

Homepage: pucuy.com
Search: pucuy.com/google

With partner ID:

partner-pub-3546861938806019:fn51rv5o9ne
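One way a defender can check a Firefox profile for the homepage/search hijack described above, as an added example (not code from the original post): it reads the user_pref lines of prefs.js and flags homepage/search prefs pointing at a blocked host, or at any host outside an allow list. The prefs.js fragment is constructed, and the pref names assumed are the 2010-era ones (keyword.URL etc.).

```python
import re
from urllib.parse import urlparse

# Firefox keeps per-profile overrides as user_pref("name", value); lines in prefs.js.
# Only string-valued prefs are matched; ints/booleans are irrelevant here.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')

# Prefs a homepage/search hijack has to rewrite (assumed 2010-era Firefox names).
HIJACK_PREFS = {"browser.startup.homepage", "keyword.URL",
                "browser.search.defaultenginename", "browser.search.selectedEngine"}


def parse_user_prefs(text):
    """Return {pref_name: value} for every string-valued user_pref line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return prefs


def host_of(value):
    """Hostname of a URL-valued pref; engine names such as "Google" give None."""
    if "://" not in value:
        return None
    return (urlparse(value).hostname or "").lower()


def find_hijacks(text, blocked_hosts, allowed_hosts=frozenset()):
    """List (pref, host) for homepage/search prefs pointing at a blocked host,
    or at any host outside allowed_hosts when an allow list is supplied."""
    hits = []
    for name, value in parse_user_prefs(text).items():
        host = host_of(value) if name in HIJACK_PREFS else None
        if host is None:
            continue
        blocked = any(host == b or host.endswith("." + b) for b in blocked_hosts)
        if blocked or (allowed_hosts and host not in allowed_hosts):
            hits.append((name, host))
    return hits


# Constructed prefs.js fragment modelled on the hijack described in the post.
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "http://pucuy.com/");
user_pref("keyword.URL", "http://pucuy.com/google?q=");
user_pref("browser.search.defaultenginename", "Google");
user_pref("network.cookie.lifetimePolicy", 0);
'''
```

Running `find_hijacks(SAMPLE_PREFS, {"pucuy.com"})` reports both the homepage and the keyword.URL prefs; a real check would read prefs.js from each profile directory and use a block list built from the domains in this post.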

No great surprise as far as where pucuy.com is living: our old friends RapidSwitch.

Current IP: 78.129.142.38
IP PTR: Resolution failed
ASN: 29131 78.129.128.0/17 RAPIDSWITCH-AS RapidSwitch

3 comments:

Gate7Wizard said...

We do not accept legal communications by email or fax.
LOL what do they want? To have a paratrooper land on them and hand deliver it?

ccleanernew.info redirected me to:
twiwiz.com which is sitting on
IP: 188.165.201.32
PTR: ns210204.ovh.net
AS16276 - OVH
http://www.google.com/safebrowsing/diagnostic?site=AS:16276

Domains sharing A records with IP: 188.165.201.32


Security Team said...

Redstation are a major Hack/spam Source...
2014-05-16 02:07:41 188.227.185.10 52736 80 HTTP/1.1 GET /phpTest/zologize/axa.php 400 - Hostname -
2014-05-16 02:07:41 188.227.185.10 52782 80 HTTP/1.1 GET /phpMyAdmin/scripts/setup.php 400 - Hostname -
2014-05-16 02:07:41 188.227.185.10 52830 80 HTTP/1.1 GET /pma/scripts/setup.php 400 - Hostname -
2014-05-16 02:07:41 188.227.185.10 52885 80 HTTP/1.1 GET /myadmin/scripts/setup.php 400 - Hostname -

Abuse contacts (not very helpful):
abuse@redstation.com
abuse@redstation.net.uk
abuse@ntlworld.com
abuse@redstation.co.uk
abuse@redstation.com
admin@redstation.co.uk

The best way is to block them out.
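Added example (not from the commenter) that flags clients doing the kind of setup-script probing shown in the log lines above: it parses lines in that format, keeps requests for phpMyAdmin-style setup paths, and reports any client IP that hits several distinct ones within a short window. The field order is assumed from the quoted lines, the probe-path pattern is an assumed starting set, and the benign fifth line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Paths characteristic of phpMyAdmin setup-script probing, as in the commenter's
# log. Assumed starting set; extend it from your own logs.
PROBE_RE = re.compile(r"/(?:phpmyadmin|pma|myadmin|phptest)(?:/|$)", re.IGNORECASE)


def parse_line(line):
    """Parse one line. Field order (date time c-ip c-port s-port version method
    uri status ...) is assumed from the lines quoted in the comment."""
    f = line.split()
    if len(f) < 9:
        return None
    ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "ip": f[2], "method": f[6], "uri": f[7], "status": int(f[8])}


def find_scanners(lines, min_probes=3, window_seconds=60):
    """Return {client_ip: sorted probe URIs} for clients that request at least
    min_probes distinct admin-setup paths within window_seconds."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec["uri"]):
            by_ip[rec["ip"]].append(rec)
    scanners = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding time window over this client's probes
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len({r["uri"] for r in recs[start:end + 1]}) >= min_probes:
                scanners[ip] = sorted({r["uri"] for r in recs})  # report all probes seen
                break
    return scanners


# The four lines the commenter posted, plus one constructed benign request.
SAMPLE_LOG = [
    "2014-05-16 02:07:41 188.227.185.10 52736 80 HTTP/1.1 GET /phpTest/zologize/axa.php 400 - Hostname -",
    "2014-05-16 02:07:41 188.227.185.10 52782 80 HTTP/1.1 GET /phpMyAdmin/scripts/setup.php 400 - Hostname -",
    "2014-05-16 02:07:41 188.227.185.10 52830 80 HTTP/1.1 GET /pma/scripts/setup.php 400 - Hostname -",
    "2014-05-16 02:07:41 188.227.185.10 52885 80 HTTP/1.1 GET /myadmin/scripts/setup.php 400 - Hostname -",
    "2014-05-16 02:08:10 192.0.2.7 41000 80 HTTP/1.1 GET /index.html 200 - Hostname -",  # constructed
]
```

`find_scanners(SAMPLE_LOG)` returns the single probing client with its four paths; the output is what you would feed to a block list or an abuse report rather than acting on a single 400.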

MysteryFCM said...

Feel free to send me any supporting logs you've got for this.

hphosts @ it-mate.co.uk