Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 1 September 2011

co.tv update: Sorry chaps, you're not doing enough

co.tv have had quite the history, with a plethora of abuse of their service. They've previously been responsive as far as takedowns, but lately there's been no response, and those reported over the past week, have remained active.

A lot of the domains are pointing to an IP that resolves to parking.co.tv, but this isn't actually a parking server - it is a redirector;

Query: fuqayisi.co.tv

HTTP/1.1 302 Found
Date: Fri, 02 Sep 2011 01:58:56 GMT
Server: Apache
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=5c2mjglhtfudm0sh7fccd4nc74; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://pharmacyas.com/?camp=root4snake
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

=========================
HTTP headers:

HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Fri, 02 Sep 2011 02:57:46 GMT
Content-Type: text/html; charset=ISO-8859-1
Connection: close
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=pfs66j960cmdrbu92riib1nnf1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 8742


Which results in;



This being one of the less "fully malicious" sites. They may have claimed to stop allowing free registrations, but it appears all of those previously created, are still active, and whilst only a suspicion, I've got a feeling they're still allowing the bulk creation of new free hostnames.

Bearing in mind, fake meds are the least of your problems when visiting a .co.tv created site. A lot of them are also leading to malware and exploits and such.

A small smattering of hostnames on 91.223.89.98 for example (known for exploits), includes;

amptlleg.co.tv
amtwwkmlo.co.tv
aofqgxpe.co.tv
asdphpun.co.tv
atlejlspzd.co.tv
bajwvvhh.co.tv
bieekuctbh.co.tv
bsbgbirj.co.tv
buhzrqidm.co.tv
cdyrcuecf.co.tv
cfturcu.co.tv
clkcohnxbs.co.tv
covaxli.co.tv
dbnlqzqxxy.co.tv
dhtppncyjj.co.tv
djxkzjpo.co.tv
drxdeinhua.co.tv
dyccczqwx.co.tv
eanaewswqi.co.tv
ebfheqymqf.co.tv
eggiqyo.co.tv
eglvjcifpt.co.tv
ejexqqdu.co.tv
ejjjtbep.co.tv
emmqqyfqo.co.tv
eqilfqfpb.co.tv
evudnymdv.co.tv
eyztbgqa.co.tv
fkjrapbpo.co.tv
ftjqyqac.co.tv
fxmgsdobk.co.tv
fzzcint.co.tv
ghclpsq.co.tv
gjyudfik.co.tv
gsezrvtjhr.co.tv
gtvinvr.co.tv
gzribvpxda.co.tv
hjoituyha.co.tv
hksmggkwm.co.tv
ifhfnbns.co.tv
illjnwaqg.co.tv
ingenlfycx.co.tv
isoocbom.co.tv
iuukaluv.co.tv
iwaqnubtr.co.tv
ixoqyxuvu.co.tv
jhumzvlbic.co.tv
jihxeoqenf.co.tv
jrlzcqnoqm.co.tv
jsxfkzwn.co.tv
juqmndzq.co.tv
khjpoylp.co.tv
klmijcjqig.co.tv
kqhijehv.co.tv
ktmvvdimz.co.tv
ljmvybkom.co.tv
lmeoqhni.co.tv
lnzgpypdtj.co.tv
lqfqsfii.co.tv
lvfqmawbl.co.tv
lxsefufi.co.tv
mclpkxij.co.tv
mdtslighu.co.tv
mfwcajijdn.co.tv
mgrrdvx.co.tv
mnigvch.co.tv
mpbrbngca.co.tv
msxtysmwnn.co.tv
nnstqjyb.co.tv
nxkgoasmu.co.tv
ooqprfyc.co.tv
oqgfgecup.co.tv
paplrngqf.co.tv
pclnbdtn.co.tv
peckvzqu.co.tv
pijshkz.co.tv
qepmzyuvpq.co.tv
qksxisf.co.tv
qyktctzgln.co.tv
qypgiizwx.co.tv
rbbqykeuui.co.tv
rcsazurd.co.tv
rdnvuwjhl.co.tv
rgdughuzgv.co.tv
roigofxewo.co.tv
rwkgrvbdx.co.tv
siyimga.co.tv
spwktbpiys.co.tv
tclkrur.co.tv
tmknsgk.co.tv
tohxozxqzo.co.tv
ualhxpxmd.co.tv
ucaityo.co.tv
ucekqxa.co.tv
veoaruzcyz.co.tv
vqcdqscuz.co.tv
vsnuvjmlyc.co.tv
vuxzxekapu.co.tv
vzdpuihj.co.tv
wfdlrzgup.co.tv
wpydsdlro.co.tv
xffoobsbvx.co.tv
xghvfwlme.co.tv
xwowhft.co.tv
ybbzczjx.co.tv
yjhzzfcuc.co.tv
yuznlub.co.tv
zbxejcla.co.tv
zlyfdkqnxk.co.tv
znxmipyy.co.tv
zsvbptrr.co.tv


And a little history from the past 9 months (and I'm confident there's a lot I'm not aware of) of the "everything and anything" collection, from fake meds to trojans and exploits (obviously a lot of these are now dead (hence the "history")), sorry about the file, Blogger didn't seem to like me embedding the list directly (400 Bad Request error);

http://temp.it-mate.co.uk/co.tv_history.txt

I realise of course, that there's others that are far far worse (co.cc, cz.cc, cx.cc etc etc), but as I've said before, either they get a grip and get this cleaned up, or those of us that are sick of having to deal with the rubbish from their service, are going to have their site taken off them (I've done that with others, and wouldn't have a problem having theirs taken off of them).

/update 13:38

Well, it looks like co.tv have seen the blog, as I've received 8 e-mails from them in quick succession this morning, to tell me the hostnames have now been suspended/taken out - time will tell (and I'll be re-testing them all to make sure).

As for you co.tv, re-active is good and all - but not good enough. If you can't be pro-active, you need to shut the service down *completely* until you can be. The same goes for those running cx.cc, co.cc, cz.cc, cu.cc, gv.vg et al.

As an aside for those wondering, a friend over at Malware Domains posted a list of these secondary sites for those that would like to pro-actively block the entire lot of them in one go.

http://www.malwaredomains.com/wordpress/?p=1991

References

Finally: co.tv cancels free "domain" registration service!
http://hphosts.blogspot.com/2011/08/finally-cotv-cancels-free-domain.html

No comments: