Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 31 October 2013

ALERT: lnx.lu, downloadoney.com and secure.oinstaller.com

You'll be wanting to block these folks. lnx.lu is a bit.ly wannabe, but more importantly, with help from downloadoney.com and secure.oinstaller.com, it's leading straight to crapware from Tiny Installer (iBryte).

The file served: downloadmanager_Setup.exe (MD5: 49b56be1b64aea734e69e2a2bd482b78)

GET /6N?http://depositfiles.com/files/lgde529fc HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Host: lnx.lu
DNT: 1
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 01 Nov 2013 00:52:26 GMT
Server: Apache/2.2.24 (Unix) PHP/5.4.15
X-Powered-By: PHP/5.4.15
Last-Modified: Fri, 1 Nov 2013 00:52:26 GMT
Expires: Fri, 1 Nov 2013 00:52:26 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4756
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

------------------------------------------------------------------
GET /script.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: lnx.lu

HTTP/1.1 200 OK
Date: Fri, 01 Nov 2013 00:52:26 GMT
Server: Apache/2.2.24 (Unix) PHP/5.4.15
Last-Modified: Sun, 17 Jun 2012 00:45:15 GMT
ETag: "1980aa1-1512-4c2a05cd71cc0"
Accept-Ranges: bytes
Content-Length: 5394
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/javascript

------------------------------------------------------------------
GET /images/logo.gif HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: lnx.lu

HTTP/1.1 200 OK
Date: Fri, 01 Nov 2013 00:52:26 GMT
Server: Apache/2.2.24 (Unix) PHP/5.4.15
Last-Modified: Mon, 30 Apr 2012 08:20:32 GMT
ETag: "1980a82-41a-4bee120ad7400"
Accept-Ranges: bytes
Content-Length: 1050
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/gif

------------------------------------------------------------------
GET /images/skipadbtn.gif HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: lnx.lu

HTTP/1.1 200 OK
Date: Fri, 01 Nov 2013 00:52:26 GMT
Server: Apache/2.2.24 (Unix) PHP/5.4.15
Last-Modified: Mon, 30 Apr 2012 08:25:47 GMT
ETag: "1980a4d-89c-4bee13373f8c0"
Accept-Ranges: bytes
Content-Length: 2204
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/gif

------------------------------------------------------------------
GET /click/i2VrnWecqZaOYWmWX8p6w4iQcphmn36ViZBqnF6bgJW3Z2uZYJypmJBqapVf?dp=7%20GB HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: network.adsmarket.com

HTTP/1.1 302 Found
Date: Fri, 01 Nov 2013 00:52:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=7n8jsfdoq70hhrsn18po0n6693; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ce-visitor-jmNtl18=imGoy3zhes6qmIXJfq6fqYuEkdGfvXvam2OS1l6bepI; expires=Mon, 16-Dec-2013 00:52:26 GMT; path=/; domain=network.adsmarket.com
Set-Cookie: ce-click-jWhxlWSbe8OLZm-VYqF-l5Bi=jWhxlWSbe8OLZm-VYqF-l5Bi; expires=Sat, 02-Nov-2013 00:52:26 GMT; path=/; domain=network.adsmarket.com
Location: http://www.media970.com/click/i2Zslo2hgJWLkGnEXsp8m4tkcpiNnH-WjGSYnWKjfcOJaXGXYQ?dp=20ofNv0jRgLdPCUE3SXlqR1vC2Yq000.&SUB=_342891&ce_cid=20ofNv0jRgLdPCUE3SXlqR1vC2Yq000.
P3P: policyref="/w3c/p3p.xml", CP="NOI DEV PSA PSD IVA OTP OUR OTR IND OTC"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

------------------------------------------------------------------
GET /n4.g?login=lnxlu&d=1366x768&auto=y&pid=link&jv=true&c=32&l= HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: nht-3.extreme-dm.com

HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Fri, 01 Nov 2013 00:52:26 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Cache-Control: private,no-cache,no-store
Pragma: no-cache
Expires: Mon, 28 Sep 1970 06:00:00 GMT

------------------------------------------------------------------
GET /click/i2Zslo2hgJWLkGnEXsp8m4tkcpiNnH-WjGSYnWKjfcOJaXGXYQ?dp=20ofNv0jRgLdPCUE3SXlqR1vC2Yq000.&SUB=_342891&ce_cid=20ofNv0jRgLdPCUE3SXlqR1vC2Yq000. HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: www.media970.com

HTTP/1.1 302 Found
Date: Fri, 01 Nov 2013 00:52:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=uim8ngts2iq7aljtn44arnmu56; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ce-visitor-kGVxmA=imFprm-ge62ZibK5ktm_tIuEkdGfvXvam2OS1l6bepI; expires=Mon, 16-Dec-2013 00:52:26 GMT; path=/; domain=www.media970.com
Set-Cookie: ce-click-iWhqmGWeqZeNZ2mZZJ99nIk=iWhqmGWeqZeNZ2mZZJ99nIk; expires=Sat, 02-Nov-2013 00:52:26 GMT; path=/; domain=www.media970.com
Location: http://www.downloadoney.com/direct/downloadmanager?&adprovider=Adperio&source=Adperi0_downloadmanager_GB_direct&ce_cid=200IA51IAXyTdnuP3SXlqR1vC2Yq000.
P3P: policyref="/w3c/p3p.xml", CP="NOI DEV PSA PSD IVA OTP OUR OTR IND OTC"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

------------------------------------------------------------------
GET /direct/downloadmanager?&adprovider=Adperio&source=Adperi0_downloadmanager_GB_direct&ce_cid=200IA51IAXyTdnuP3SXlqR1vC2Yq000. HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: www.downloadoney.com

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Fri, 01 Nov 2013 00:52:26 GMT
Location: http://secure.oinstaller.com/o/downloadmanager/downloadmanager_Setup.exe?filedescription=downloadmanager&subid=Adperi0_downloadmanager_GB_direct&user_id=18d33e43-0186-448d-90f2-2e2b29076dd6&thankYouUrl=http%3a%2f%2fwww.downloadoney.com%2fGo%2fFreeTVOnline%3fsource%3dthankyou_Adperi0_downloadmanager_GB_direct%26offer%3ddownloadmanager%26userid%3d18d33e43-0186-448d-90f2-2e2b29076dd6&cancelUrl=http%3a%2f%2fwww.downloadoney.com%2fGo%2fFreeTVOnline%3fsource%3dthankyou_Adperi0_downloadmanager_GB_direct%26offer%3ddownloadmanager%26userid%3d18d33e43-0186-448d-90f2-2e2b29076dd6&adprovider=adperio&subid2=&subid3=&cpixel=http%3a%2f%2fultimate-downloads.com%2fInstaller%2fConversion%3fadProvider%3dadperio%26context%3d200IA51IAXyTdnuP3SXlqR1vC2Yq000.%26countryCode%3dGB%26userID%3d18d33e43-0186-448d-90f2-2e2b29076dd6%26source%3dAdperi0_downloadmanager_GB_direct%26subid1%3d%26subid2%3d%26offer%3ddownloadmanager&useragent=ultimate-downloads.com%7cMozilla%2f5.0+(compatible%3b+MSIE+9.0%3b+Windows+NT+6.1%3b+WOW64%3b+Trident%2f5.0%3b+Avant+Browser)
Server: Microsoft-IIS/7.5
Set-Cookie: uid=18d33e43-0186-448d-90f2-2e2b29076dd6; domain=downloadoney.com; expires=Wed, 01-Nov-2023 00:52:27 GMT; path=/
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
X-Powered-By: ASP.NET
Content-Length: 1196
Connection: keep-alive

------------------------------------------------------------------
GET /o/downloadmanager/downloadmanager_Setup.exe?filedescription=downloadmanager&subid=Adperi0_downloadmanager_GB_direct&user_id=18d33e43-0186-448d-90f2-2e2b29076dd6&thankYouUrl=http%3a%2f%2fwww.downloadoney.com%2fGo%2fFreeTVOnline%3fsource%3dthankyou_Adperi0_downloadmanager_GB_direct%26offer%3ddownloadmanager%26userid%3d18d33e43-0186-448d-90f2-2e2b29076dd6&cancelUrl=http%3a%2f%2fwww.downloadoney.com%2fGo%2fFreeTVOnline%3fsource%3dthankyou_Adperi0_downloadmanager_GB_direct%26offer%3ddownloadmanager%26userid%3d18d33e43-0186-448d-90f2-2e2b29076dd6&adprovider=adperio&subid2=&subid3=&cpixel=http%3a%2f%2fultimate-downloads.com%2fInstaller%2fConversion%3fadProvider%3dadperio%26context%3d200IA51IAXyTdnuP3SXlqR1vC2Yq000.%26countryCode%3dGB%26userID%3d18d33e43-0186-448d-90f2-2e2b29076dd6%26source%3dAdperi0_downloadmanager_GB_direct%26subid1%3d%26subid2%3d%26offer%3ddownloadmanager&useragent=ultimate-downloads.com%7cMozilla%2f5.0+(compatible%3b+MSIE+9.0%3b+Windows+NT+6.1%3b+WOW64%3b+Trident%2f5.0%3b+Avant+Browser) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: secure.oinstaller.com

HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 1969448
Content-Type: application/octet-stream
Last-Modified: Fri, 01 Nov 2013 00:52:27 GMT
Server: Microsoft-IIS/7.5
Content-Disposition: attachment; filename=downloadmanager_Setup.exe
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Fri, 01 Nov 2013 00:52:27 GMT
Connection: close

------------------------------------------------------------------
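The capture above is the whole story of how a shortened link turns into an executable: a click on the lnx.lu page hops through two ad networks and downloadoney.com before secure.oinstaller.com serves the file. As an added example (not code from the original post), the script below rebuilds that chain from a capture in this format, following each Location to the next request and flagging what a defender wants logged about the end of the chain. The CAPTURE it embeds is a constructed sample cut down from the exchange above: only the headers the parser uses are kept and the tracking query strings are shortened.

```python
"""Added example (not from the hpHosts post): rebuild the redirect chain in a
captured HTTP session. CAPTURE is a constructed sample cut down from the
capture above; only the headers the parser uses are kept and the tracking
query strings are shortened."""
import re
from urllib.parse import urlsplit

CAPTURE = """\
GET /click/i2Vrn?dp=7%20GB HTTP/1.1
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Host: network.adsmarket.com

HTTP/1.1 302 Found
Location: http://www.media970.com/click/i2Zsl?SUB=_342891
------------------------------------------------------------------
GET /click/i2Zsl?SUB=_342891 HTTP/1.1
Host: www.media970.com

HTTP/1.1 302 Found
Location: http://www.downloadoney.com/direct/downloadmanager?adprovider=Adperio
------------------------------------------------------------------
GET /direct/downloadmanager?adprovider=Adperio HTTP/1.1
Host: www.downloadoney.com

HTTP/1.1 302 Found
Location: http://secure.oinstaller.com/o/downloadmanager/downloadmanager_Setup.exe?subid=GB_direct
------------------------------------------------------------------
GET /o/downloadmanager/downloadmanager_Setup.exe?subid=GB_direct HTTP/1.1
Host: secure.oinstaller.com

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 1969448
Content-Disposition: attachment; filename=downloadmanager_Setup.exe
Last-Modified: Fri, 01 Nov 2013 00:52:27 GMT
Date: Fri, 01 Nov 2013 00:52:27 GMT
"""

def parse_message(raw):
    """One HTTP message -> (start-line tokens, lower-cased header dict)."""
    lines = raw.strip("\n").splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(), headers

def parse_capture(text):
    """Split the dash-separated capture into request/response transactions."""
    transactions = []
    for block in re.split(r"^-{10,}$", text, flags=re.M):
        if not block.strip():
            continue
        req_raw, _, resp_raw = block.strip("\n").partition("\n\n")
        (_, path, _), req_h = parse_message(req_raw)
        (_, status, *_), resp_h = parse_message(resp_raw)
        transactions.append({"url": "http://" + req_h["host"] + path,
                             "referer": req_h.get("referer"),
                             "status": int(status), "response": resp_h})
    return transactions

def redirect_chains(transactions):
    """Follow Location headers from each root redirect to the final response.
    A root is a 3xx that is not itself the Location of another hop: the point
    where the browser left the page (recorded in its Referer) and entered the chain."""
    by_url = {t["url"]: t for t in transactions}
    targets = {t["response"]["location"] for t in transactions if "location" in t["response"]}
    chains = []
    for t in transactions:
        if not (300 <= t["status"] < 400 and t["url"] not in targets):
            continue
        hop, chain, seen = t, [], set()
        while hop and hop["url"] not in seen:  # seen guards against redirect loops
            seen.add(hop["url"])
            chain.append(hop)
            hop = by_url.get(hop["response"].get("location", ""))
        chains.append(chain)
    return chains

def assess(chain):
    """Summarise one chain and flag what a defender wants to know about its end."""
    last, resp = chain[-1], chain[-1]["response"]
    filename = resp.get("content-disposition", "").partition("filename=")[2].strip('"')
    flags = []
    if filename.lower().endswith(".exe") or resp.get("content-type") == "application/octet-stream":
        flags.append("executable download")
    if resp.get("last-modified") and resp["last-modified"] == resp.get("date"):
        flags.append("last-modified equals date: built on demand, hash unlikely to be stable")
    origin = chain[0]["referer"]
    if origin and urlsplit(origin).hostname != urlsplit(last["url"]).hostname:
        flags.append("payload host differs from the page that started the chain")
    return {"origin": origin, "hops": [urlsplit(h["url"]).hostname for h in chain],
            "statuses": [h["status"] for h in chain], "filename": filename,
            "size": int(resp.get("content-length", 0)), "flags": flags}

def analyse(text):
    """Every redirect chain in a capture, assessed."""
    return [assess(chain) for chain in redirect_chains(parse_capture(text))]
```

On the sample this yields one chain, network.adsmarket.com -> www.media970.com -> www.downloadoney.com -> secure.oinstaller.com, ending in a 1969448-byte executable whose Last-Modified equals the response Date, which is why a hash of the served file is a poor blocklist key.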

iLivid: Via Filerio.in

The previous one felt lonely I guess.

hxxp://yads.zedo.com/ads2/c?a=1666218;x=7177;g=171;c=2051000058,2051000058;i=0;n=2051;s=15;1=7;2=1;tg=1383266793;vr=2;m=9;w=4;os=3;ct=1;p=6;h=1581182;f=1812475;b=10;u=lmHiuGsWSN2jYetyZhTVcw**~081213;z=0.12588476478823873;ainfo=;k=http://lp.sharelive.net/?sysid=406&appid=842 hxxp://d2.zedo.com/OzoDB/4/x/1666218/V1/202039_iLivid_800x440_MediaPlayerMSG.gif

iLivid: Yet more very misleading badness

Still not getting responses from them, and still coming across yet more highly misleading crap from them. The latest is this one, auto-loaded in a popup via one of the ad networks (I was doing general research on something else at the time, so unfortunately didn't catch which ad network it came through):

hxxp://lp.sharelive.net/?sysid=406&appid=420&lpid=2949&subid=0020047485637829949

Wednesday, 30 October 2013

Like spam? Like fraud-based spam? So does reliablechat@gmail.com/ReputationRewards@gmail.com

Taking a break from work, and looking for something, I came across this amongst the thousands of emails in the junk folder (I get thousands of new ones every day). I couldn't help but laugh at how blatantly he (presuming, based on the domains' registration info) is offering fraudulent/blackhat services.

Got Bad Reviews? Need good Reviews?

We Post Good Reviews.
We do Reputation Repair.
We do Blog Advertising.
We do MYSQL and PHP Web Development and Scripts.

We can help you defend your company by posting positive Reviews, blogs and creating Websites to take over Search Results and control what people see about your company.

361-444-3559

http://www.ReviewShowcase.com for Paid Review Posting Service

How does posting positive reviews help in your business's Google ranking?

1. Positive reviews increase your business rank by linking important and relevant websites to your website.

2. A constant stream of positive reviews improves your online reputation.

3. Positive reviews drive traffic to your business.

4. Positive reviews restore a tarnished reputation by pushing down negative reviews and links.

5. Helps protect against competitors or anyone else from attempting to ruin your ranking.

361-444-3559 ReputationRewards@gmail.com

We also do MYSQL and PHP work at http://Programskills.com and Server Administration at Http://SupportGator.com


A little FYI for anyone considering using this guy's "services": spamvertising blatantly fake positive reviews is fraud, plain and simple. Perhaps asking your ACTUAL customers for reviews would be more appropriate?

The headers for this email;

Return-Path: <no-reply@gmail.com>
Delivered-To: <[REMOVED]>
Received: from [REMOVED]
    by [REMOVED] (Dovecot) with LMTP id DxZrBcqWNlJVEAAAZ1oeBA
    for <[REMOVED]>; Mon, 16 Sep 2013 13:32:09 +0100
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=x tagged_above=-9999 required=1.3 WHITELISTED
    tests=[] autolearn=unavailable
Message-ID: <ODMKTLIZNOEKMHZLOVDBDAUK@yahoo.com>
From: "PHP MYSQL Work" <no-reply@gmail.com>
Reply-To: "PHP MYSQL Work" <no-reply@gmail.com>
To: [REMOVED]
Subject: Your Reputation
Date: Mon, 16 Sep 2013 15:49:54 +0300
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--8643230795254350"
X-Priority: 3
X-MSMail-Priority: Normal

Tuesday, 29 October 2013

dot-opt-out.com (meishengchang@163.com), fraudster with fingers in many pies

I got an email a few minutes ago, which led via;

hxxp://tr.im/4jkmt

To;

hxxp://dot-opt-out.com/Email-sms/Main_Page.html

A quick look shows this particular fraudster has quite the colorful history, showing fingers in pies such as Waledac and illegal pharma, amongst other things;

db.aa419.org/fakebanksview.php?key=48997
http://www.phishtank.com/technical_details.php?phish_id=1486320
http://knujon.com/domains/pillrxshop24.com.html
http://lastwatchdog.com/wp/wp-content/uploads/100815_Microsoft_Waledac_motion.pdf (PDF)


Email content (I've replaced the "http" with "hxxp"):

Greetings,

My name is Giovanni Fiorellino and I am a marketing manager of an advertising agency. Should your business of selling products or services require services of an advertising agency, we are glad to offer you our help. We can help you to make sure that your products and/or services are well-known around the globe, help you build loyalty, trust, and brand awareness, and ensure that your commercial message is delivered to millions of potential or current customers in your target country markets, providing you and your clients with the assurance you need.

It is very easy to get a consultancy from us; simply fill in the form on our website

hxxp://tr.im/4jkmt

Looking forward to hearing from you.

Best regards,

Giovanni Fiorellino



Return-Path: <maudeao10@list.ru>
Delivered-To: <adb@[REMOVED]>
Received: from [REMOVED]
    by [REMOVED] (Dovecot) with LMTP id IV2ZBPi7b1LBewAA4wGEVw
    for <adb@[REMOVED]>; Tue, 29 Oct 2013 20:06:33 +0000
Received: from [REMOVED]
    by [REMOVED] with LMTP id lUSuMeUQcFK+IAAAiShP7w
    ; Tue, 29 Oct 2013 20:06:33 +0000
X-Spam-Flag: YES
X-Spam-Score: 13.873
X-Spam-Level: *************
X-Spam-Status: Yes, score=13.873 tagged_above=-9999 required=1.3
    tests=[BAYES_50=0.8, CK_HELO_DYNAMIC_SPLIT_IP=0.152,
    CK_HELO_GENERIC=0.25, HELO_DYNAMIC_IPADDR2=3.607,
    RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
    RAZOR2_CHECK=0.922, RCVD_IN_BL_SPAMCOP_NET=1.347,
    RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_RP_RNBL=1.31,
    RCVD_IN_SORBS_DUL=0.001, RDNS_DYNAMIC=0.982, SPF_SOFTFAIL=0.665,
    TVD_RCVD_IP=0.001, URIBL_BLOCKED=0.001] autolearn=spam
Received: from [38.168.37.67] (helo=xnovtawdabfiaek.zyvtanrbgcsauyr.ua)
    by 114-36-46-48.dynamic.hinet.net with esmtpa (Exim 4.69)
    (envelope-from )
    id 1MMW2X-1497dk-JY
    for adb@[REMOVED]; Wed, 30 Oct 2013 04:06:39 +0800
From: =?koi8-r?B?IvDB18XMIOTB19nEz9ci?= <maudeao10@list.ru>
To: <adb@[REMOVED]>
Subject: RE: Advertising quote request
Date: Wed, 30 Oct 2013 04:06:39 +0800
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: jivszbzbb 24
Message-ID: <6112801139.RRBHMOZG437240@ydmzyhb.jdhdmhlllgqrijf.org>
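The two header dumps on this page make a useful pair: the review-spam message in the previous post sailed through with X-Spam-Status "No, score=x ... WHITELISTED", while this one scored 13.873 on a stack of dynamic-relay and blocklist rules. As an added example (not code from the original posts), the script below parses headers like these into the sender identities, the spam verdict with its per-rule points, and the mismatches worth a second look. Both header blocks are constructed samples cut down from the dumps quoted on this page; they keep the original values but not every header.

```python
"""Added example (not from the hpHosts post): triage the kind of headers quoted
above. Both blocks are constructed samples cut down from the two header dumps
on this page; they keep the original values but not every header."""
import re
from email.header import decode_header
from email.parser import HeaderParser
from email.utils import parseaddr

REVIEW_SPAM = """\
Return-Path: <no-reply@gmail.com>
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Status: No, score=x tagged_above=-9999 required=1.3 WHITELISTED
    tests=[] autolearn=unavailable
Message-ID: <ODMKTLIZNOEKMHZLOVDBDAUK@yahoo.com>
From: "PHP MYSQL Work" <no-reply@gmail.com>
Reply-To: "PHP MYSQL Work" <no-reply@gmail.com>
Subject: Your Reputation
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
"""

ADVERTISING_SPAM = """\
Return-Path: <maudeao10@list.ru>
X-Spam-Flag: YES
X-Spam-Score: 13.873
X-Spam-Status: Yes, score=13.873 tagged_above=-9999 required=1.3
    tests=[BAYES_50=0.8, CK_HELO_DYNAMIC_SPLIT_IP=0.152,
    CK_HELO_GENERIC=0.25, HELO_DYNAMIC_IPADDR2=3.607,
    RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
    RAZOR2_CHECK=0.922, RCVD_IN_BL_SPAMCOP_NET=1.347,
    RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_RP_RNBL=1.31,
    RCVD_IN_SORBS_DUL=0.001, RDNS_DYNAMIC=0.982, SPF_SOFTFAIL=0.665,
    TVD_RCVD_IP=0.001, URIBL_BLOCKED=0.001] autolearn=spam
Received: from [38.168.37.67] (helo=xnovtawdabfiaek.zyvtanrbgcsauyr.ua)
    by 114-36-46-48.dynamic.hinet.net with esmtpa (Exim 4.69)
    for adb@[REMOVED]; Wed, 30 Oct 2013 04:06:39 +0800
From: =?koi8-r?B?IvDB18XMIOTB19nEz9ci?= <maudeao10@list.ru>
Subject: RE: Advertising quote request
X-Mailer: jivszbzbb 24
Message-ID: <6112801139.RRBHMOZG437240@ydmzyhb.jdhdmhlllgqrijf.org>
"""

def parse_spam_status(value):
    """Split an X-Spam-Status header into verdict, score and per-rule points."""
    value = " ".join(value.split())  # unfold the continuation lines
    score = re.search(r"score=(\S+)", value).group(1)
    tests = re.search(r"tests=\[(.*?)\]", value).group(1)
    rules = {}
    for item in filter(None, (t.strip() for t in tests.split(","))):
        name, _, points = item.partition("=")
        rules[name] = float(points)
    return {"verdict": value.split(",", 1)[0],
            "score": None if score == "x" else float(score),  # "x": never scored
            "required": float(re.search(r"required=(\S+)", value).group(1)),
            "whitelisted": "WHITELISTED" in value.split(), "rules": rules}

def domain_of(address):
    return address.rpartition("@")[2].lower()

def decode_display_name(raw):
    """Decode RFC 2047 encoded words (the koi8-r From above) to readable text."""
    return "".join(chunk.decode(charset or "ascii") if isinstance(chunk, bytes) else chunk
                   for chunk, charset in decode_header(raw))

def triage(raw_headers):
    """Pull out the sender identities and the mismatches worth a second look."""
    msg = HeaderParser().parsestr(raw_headers)
    name, addr = parseaddr(msg["From"])
    from_dom = domain_of(addr)
    msgid_dom = domain_of(msg["Message-ID"].strip("<> "))
    return_dom = domain_of(parseaddr(msg["Return-Path"])[1])
    status = parse_spam_status(msg["X-Spam-Status"])
    findings = []
    if status["whitelisted"]:
        findings.append("whitelisted: no rule was scored, so the 'No' verdict means nothing")
    if from_dom != msgid_dom:
        findings.append(f"From domain {from_dom} != Message-ID domain {msgid_dom}")
    if from_dom != return_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {return_dom}")
    received = " ".join((msg["Received"] or "").split())
    relay = re.search(r"\bby (\S+) with", received)
    if relay and re.search(r"dyn|dhcp|pool|\d+-\d+-\d+-\d+", relay.group(1)):
        findings.append(f"handed over by a dynamic-looking host {relay.group(1)}")
    return {"from": addr, "from_name": decode_display_name(name), "status": status,
            "top_rules": sorted(status["rules"].items(), key=lambda kv: -kv[1])[:3],
            "findings": findings}
```

The first message was never scored at all (score=x), so its whitelist entry, not any filtering, is what let it through; on the second, the koi8-r From decodes to a Cyrillic display name that sits oddly beside the "Giovanni Fiorellino" signature in the body.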


Friday, 25 October 2013

Microsoft: Update available for Windows 8, 8.1 and Server 2012 R2

Update improves the reliability of Internet Explorer 11 in Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2:

http://support.microsoft.com/kb/2901549/en-us

Hat tip to my friend Susan Bradley for the heads up!

Thursday, 24 October 2013

Updated: Outlook Export v0.1.14

Needed a break from work, and this needed updating, so here you go folks.

1. Fixed: Runtime error when selecting "Export this e-mail" and clicking cancel
2. Fixed: Save All Links and Save All Subjects were inadvertently saved in the "Export\{DATE}\{FROM}\Attachments" folder instead of "Export\{DATE}\{FROM}\"
3. Modified: Couple of typos corrected in Readme (mea culpa)
4. Modified: About dialog/disclaimer updated

Download
http://support.it-mate.co.uk/?mode=Products&p=outlookexport

Note: I've not yet tested this on Office 365 or Outlook 2013 (test machines are otherwise indisposed at present). Please let me know if you find any issues.

Info: Email issues

It seems to be the day for email issues. Both incoming and outgoing.

The issue with the incoming email is being worked on by Domain Monster (it's a known issue with their mail server), and should be resolved within 24 hours, but obviously means I can't receive emails at present.

The outgoing mail issue should be resolved within the next few hours (hopefully).

Tuesday, 22 October 2013

ALERT: 7install - Yet more fake Flash badness

Here we have yet another crapware company, this time the US-based 7install, using highly deceptive and outright malicious methods to peddle their rubbish.


The IPs in this case are:

209.126.131.87
ASN: 10439 209.126.128.0/17 CARINET - CariNet, Inc.

7install.com - marianog61@gmail.com GODADDY.COM, LLC
7install.info - marianog61@gmail.com GODADDY.COM, LLC
7searchbox.com - marianog61@gmail.com GODADDY.COM, LLC
analytic-login.com - marianog61@gmail.com GODADDY.COM, LLC
cerberav.us - marianog61@gmail.com GODADDY.COM, LLC
freedownlodenow.com - marianog61@gmail.com GODADDY.COM, LLC
incomeinstall.net - marianog61@gmail.com GODADDY.COM, LLC
installmonster.com - marianog61@gmail.com GODADDY.COM, LLC
megafreedownload.com - marianog61@gmail.com GODADDY.COM, LLC


91.214.201.126
ASN: 49527 91.214.200.0/22 ROXNET-COM-AS SRL ROXNET-COM

unsecuredconnection.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC
updatedflashplayer.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC
updflashplayer.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC


91.214.201.148
ASN: 49527 91.214.200.0/22 ROXNET-COM-AS SRL ROXNET-COM



198.199.65.137
ASN: 46652 198.199.64.0/20 SERVERSTACK-ASN - ServerStack, Inc.

alwaysdownloads.com - Admin / 14E08F8D78D1412A945F67F34DC204D5.PROTECT@WHOISGUARD.COM ENOM, INC.


8.29.133.130
ASN: 30152 8.29.128.0/21 BEYOND-HOSTING - Beyond Hosting, LLC

freegiveawayoffers.com - Admin / ADMIN@SLHOST.COM ENOM, INC.


8.29.133.189
ASN: 30152 8.29.128.0/21 BEYOND-HOSTING - Beyond Hosting, LLC

javainstalls.com - Admin / ADMIN@SLHOST.COM ENOM, INC.


184.105.178.69
ASN: 6939 184.104.0.0/15 HURRICANE - Hurricane Electric, Inc

yesdownloads.com - Admin / support@383media.com GODADDY.COM, LLC
dl.yesdownloads.com
adobeflashfreedownload.com - Admin / support@383media.com GODADDY.COM, LLC
avgantivirusforfree.com - Admin / support@383media.com GODADDY.COM, LLC
downloadmessengerfree.com - Admin / DOWNLOADMESSENGERFREE.COM@domainsbyproxy.com GODADDY.COM, LLC
installjavafree.com - Admin / support@383media.com GODADDY.COM, LLC
yahoomessengerforfree.com - Domain Administrator / domainadmin@yahoo-inc.com Markmonitor.com


141.101.125.155
ASN: 13335 141.101.125.0/24 CLOUDFLARENET - CloudFlare, Inc.

getsoftfree.com Admin / 806AB1DA379142F7A89D556D1FB6E33E.PROTECT@WHOISGUARD.COM ENOM, INC.


If you have a gander through the domains, you'll no doubt notice the likes of "AVG" being impersonated, but there's also another one - cerberav.us, impersonating cerberav.com (a Spanish AV company).

Funny thing is, the companies involved in the fake Flash/Java etc. deception are still trying to convince me that they're not doing anything wrong. On that subject, iLivid are STILL not responding, and still using things like this;


As you've no doubt already guessed, AirInstaller, who I wrote about previously, are still using the very same tactics. For example;

hxxp://trkur.com/trk?o=7945&p=71676 -> hxxp://globalpromotions.kidsclothingstore.org/?sov=226078602&hid=fvjnhjjfnffphfhr&noflu=noflu&id=XNSX.71676%3A%3APEERFLY%3A%3AUK%3A%3A29%3A%3A7945 --> hxxp://globalpromotions.kidsclothingstore.org/AIRAdobeRS2filenameGB.html


globalpromotions.kidsclothingstore.org, in case you're wondering, is housed at;

208.87.34.151 - 208-87-34-151.securehost.com - 15146 - 15146 208.87.32.0/21 CABLEBAHAMAS - Cable Bahamas
23.20.106.130 - ec2-23-20-106-130.compute-1.amazonaws.com - 14618 - 14618 23.20.0.0/15 AMAZON-AES - Amazon.com, Inc.
5.199.171.205 - hst-171-205.digital-forex.net - 16125 - 16125 5.199.168.0/22 DC-AS UAB Duomenu Centras
75.101.216.99 - ec2-75-101-216-99.compute-1.amazonaws.com - 14618 - 14618 75.101.128.0/17 AMAZON-AES - Amazon.com, Inc.




Not surprisingly, some of the companies have resorted to trying to block me from seeing the sites on their IPs (they're about as successful at this as the skiddies and a few hosts/ASNs have been, not realising I've got far more than one or two IPs at my disposal - woops!).

If you see any more fake Flash, Java, Chrome, Firefox, Windows, Skype etc etc etc sites, please do feel free to either drop me an email, or drop by the hpHosts forums.

Sunday, 20 October 2013

Alert: Lunacom Interactive Ltd and fake Java sites

Seems we've got another Israel-based crapware company; this one is using fake Chrome and Java sites to push their files (all digitally signed, FYI).


Offending IPs;

66.55.92.88 - AS32181 66.55.88.0/21 ASN-GIGENET - GigeNET
146.185.156.77 - AS46652 146.185.128.0/19 SERVERSTACK-ASN - ServerStack, Inc
54.218.7.114 - awstrack01.tguhost.com - 16509 54.218.0.0/17 AMAZON-02 - Amazon.com, Inc.
54.244.6.207 - AS16509 54.244.0.0/18 AMAZON-02 - Amazon.com, Inc.

Sites identified thus far;





The MD5 for the file I got served is;

6539515369f76e50c670f663debb0c37

However, I am aware that the MD5 appears to be different on each download, so you're going to want to detect the files on their signature rather than by hash.

/Edit

2 more IPs and 2 more hostnames added.

/Edit 2

Few more hostnames added.

Alert: Compromised sites housing iFrame to *.sytes.net hostnames

Been seeing quite a few more compromised sites of late (yep, it never stops), leading to *.sytes.net hostnames, all housed on a single IP;

IP: 130.0.238.15 AS: 15626 130.0.232.0/21 ITLAS ITL Company

Path on the hostnames;

/atb/counter.php

Hostnames seen thus far;

lbwmjobznk.sytes.net
lcwqbmhy.sytes.net
ldbowlzr.sytes.net
ldnrpwu.sytes.net
lfuiszps.sytes.net
lfxlzmkp.sytes.net
lhurfstzwb.sytes.net
liburnirlc.sytes.net
liwikzywv.sytes.net
ljeptfubm.sytes.net
ljxachipe.sytes.net
llydedd.sytes.net
lnxipernv.sytes.net
lofruiqtoq.sytes.net
lpauiixay.sytes.net
lptkvilbbn.sytes.net
lteescktc.sytes.net
lubtvueiaa.sytes.net
luvdqiutm.sytes.net
lwaqdul.sytes.net
lwgktizn.sytes.net
lwrnvct.sytes.net
lxuschhdd.sytes.net
madfmac.sytes.net
mbbtzmhsk.sytes.net
mdfovmq.sytes.net
mftsfgn.sytes.net
mghqaumqok.sytes.net
mgkuedp.sytes.net
mgylduvn.sytes.net
mhaayla.sytes.net
mhuvfnoqpm.sytes.net
mjfumkiiuo.sytes.net
mkbvlpvl.sytes.net
mkisthgnuo.sytes.net
mkqtvzxw.sytes.net
mlbppxpma.sytes.net
mnakeqr.sytes.net
mnlnkvg.sytes.net
mnmypnzv.sytes.net
moxlrthnz.sytes.net
mozxjrv.sytes.net
mqgprggdp.sytes.net
mqmvjdql.sytes.net
mqwmyxw.sytes.net
mrkmwxj.sytes.net
mrtscwptfj.sytes.net
mucktuijay.sytes.net
muljmnuf.sytes.net
muqkmdl.sytes.net
mwtywcx.sytes.net
mwtzgtl.sytes.net
mxxhtndgyi.sytes.net
mzlmbwbqgc.sytes.net
nbtrrjszy.sytes.net
nbuhjmop.sytes.net
ncdmyuln.sytes.net
nckgewjp.sytes.net
nczwpdnt.sytes.net
ndhhnch.sytes.net
ndsvgqu.sytes.net
neanprn.sytes.net
neaygyt.sytes.net
nheghxgkrm.sytes.net
njlgpunoto.sytes.net
njrebavfx.sytes.net
nkghnrprga.sytes.net
nlkilxxv.sytes.net
nmahqhzmr.sytes.net
nnawqblz.sytes.net
nnycbvbobo.sytes.net
norgoty.sytes.net
npcckba.sytes.net
nrdnetxbp.sytes.net
nrhmrbyjq.sytes.net
nsgmnexwv.sytes.net
ntfsqny.sytes.net
nurvsngxk.sytes.net
nvhwghlxo.sytes.net
nzsjzrix.sytes.net
oagiedhf.sytes.net
oalpjye.sytes.net
ocfrlknzh.sytes.net
oczqjqpazs.sytes.net
odbrsogvt.sytes.net
oeokxycqo.sytes.net
oeoshody.sytes.net
oeyenlndhf.sytes.net
offmscylu.sytes.net
ofpcfgm.sytes.net
ofrfvgir.sytes.net
ogjlffw.sytes.net
ohqsugrwl.sytes.net
oicaqarxso.sytes.net
oiklkxna.sytes.net
oizxhitonp.sytes.net
okiaaynfz.sytes.net
okwkwei.sytes.net
ologvkyc.sytes.net
olyjbaxiws.sytes.net
omysuxn.sytes.net
onmqlxix.sytes.net
oohjatm.sytes.net
oowcdtwesd.sytes.net
opumwew.sytes.net
opzsputh.sytes.net
oqfxyffok.sytes.net
oqnzdxpt.sytes.net
orysfzhlx.sytes.net
ovnfhyc.sytes.net
owquryprwp.sytes.net
oxntyjq.sytes.net
oyevofpb.sytes.net
oymzjnvgil.sytes.net
ozacxeru.sytes.net
oziiwyzr.sytes.net
ozlygre.sytes.net
papxloop.sytes.net
pbfznyw.sytes.net
pbgupuusi.sytes.net
pbtfemy.sytes.net
pdtzgrlve.sytes.net
pdubxeajwg.sytes.net
pdxdgfm.sytes.net
pfqvaxjc.sytes.net
pgetpbcprs.sytes.net
pglldlxa.sytes.net
phrwuuq.sytes.net
pjapdnbe.sytes.net
pljaxvyvmd.sytes.net
pnibuvfn.sytes.net
pntczrel.sytes.net
poqrnmscvg.sytes.net
pplvzzumv.sytes.net
ppooapzg.sytes.net
ppsaxsasxu.sytes.net
ppxcsna.sytes.net
ppzdrfexs.sytes.net
pqgpmveue.sytes.net
prlnhtd.sytes.net
puyzrumbfe.sytes.net
pxodqqtey.sytes.net
pxrqrpk.sytes.net
qafhbbag.sytes.net
qbpvdapc.sytes.net
qcblabdut.sytes.net
qckcdvngwt.sytes.net
qcmfjnm.sytes.net
qeevmuoyr.sytes.net
qevdqzieb.sytes.net
qfnkvojz.sytes.net
qftutkz.sytes.net
qfznugkd.sytes.net
qghxgwbhk.sytes.net
qiercahtra.sytes.net
qiklmgaoka.sytes.net
qjsseqvhd.sytes.net
qkcfzfr.sytes.net
qmvoaztw.sytes.net
qnmpucffr.sytes.net
qoavgbelin.sytes.net
qoreqnfns.sytes.net
qowiziepbf.sytes.net
qrluvblcr.sytes.net
qtrlbwukxs.sytes.net
qwktxxehy.sytes.net
qxouceo.sytes.net
qxytdsf.sytes.net
ragnblqk.sytes.net
ravgfpbk.sytes.net
rcenglqyre.sytes.net
rcfnbxsjx.sytes.net
rcoqnqgm.sytes.net
rfabxfty.sytes.net
rgiyuitm.sytes.net
rgsoyznczz.sytes.net
rhwfgly.sytes.net
ricpiewbc.sytes.net
ridjrbv.sytes.net
rjpabdgz.sytes.net
rntmygab.sytes.net
roltcezwrw.sytes.net
romdhxci.sytes.net
rotchedko.sytes.net
rpcovkimb.sytes.net
rpknxwtgrc.sytes.net
ruqpcioktj.sytes.net
rvhgpua.sytes.net
rwiaetqyr.sytes.net
rwofekkfw.sytes.net
rwseswvp.sytes.net
rwubmwsxu.sytes.net
rxxtlrfgfo.sytes.net
sbblczke.sytes.net
sbbnwssku.sytes.net
scgfiytcpa.sytes.net
sdgaqizc.sytes.net
sfdlhfeco.sytes.net
shghrypc.sytes.net
shoqcgr.sytes.net
sjfivkvrys.sytes.net
skhsarl.sytes.net
sopleuivd.sytes.net
spnixrgy.sytes.net
stmpwmp.sytes.net
sumdylylav.sytes.net
sunffil.sytes.net
suylefnkig.sytes.net
svchjue.sytes.net
svjsimm.sytes.net
svrsahmqqo.sytes.net
sweiozime.sytes.net
swpurmruc.sytes.net
sxozrvq.sytes.net
syfynenagh.sytes.net
sztrosuc.sytes.net
tasbwrfz.sytes.net
tciggxirjo.sytes.net
tdgsrknuci.sytes.net
tdnosyj.sytes.net
tdrrxbyujv.sytes.net
thtzaddxo.sytes.net
tkjhaiey.sytes.net
tlqpiwvq.sytes.net
tluqscdc.sytes.net
tmaqrjjv.sytes.net
tmtfctujzq.sytes.net
tofkihpuy.sytes.net
tqighcicu.sytes.net
ttbnkqp.sytes.net
ttgllaujry.sytes.net
tusutmy.sytes.net
tvkmuukk.sytes.net
txvjcvapit.sytes.net
tykpqmfsw.sytes.net
tynyohp.sytes.net
tztegklind.sytes.net
ubojfziask.sytes.net
ucnnvgv.sytes.net
ucrosjnl.sytes.net
udsgfry.sytes.net
udsueae.sytes.net
ufxhvzsglc.sytes.net
ugggiou.sytes.net
ugzxiwxns.sytes.net
uhjvqkbx.sytes.net
uhkbhlkqt.sytes.net
uitzenro.sytes.net
ujfwyps.sytes.net
ulvmtswpv.sytes.net
ulwyrevvj.sytes.net
ungxazh.sytes.net
unhjrygyhk.sytes.net
unrvtvq.sytes.net
uonelhtqyo.sytes.net
uqxfqrnz.sytes.net
usdzxpqd.sytes.net
ushyudp.sytes.net
utlxboj.sytes.net
utrzqkto.sytes.net
uvqmlxfd.sytes.net
uvwijntuwz.sytes.net
uyscpcq.sytes.net
uytpoltiy.sytes.net
uzifkfq.sytes.net
uzoeeuscd.sytes.net
uzxhukkfz.sytes.net
vaurybbn.sytes.net
vdklkwomm.sytes.net
vfomgvb.sytes.net
vjoritcwww.sytes.net
vkchqkm.sytes.net
vkjbdsrxt.sytes.net
voccqqxx.sytes.net
voismrfoqs.sytes.net
vpprkczttw.sytes.net
vqertvjt.sytes.net
vqiuzlbtkh.sytes.net
vqtqcki.sytes.net
vqttgjt.sytes.net
vrpvqefon.sytes.net
vrsbzmihlx.sytes.net
vtsjylwpn.sytes.net
vtxuovx.sytes.net
vufmyutaa.sytes.net
vuqwotxjzh.sytes.net
vuszrrxgz.sytes.net
vvmlhwqdyf.sytes.net
vvqhtcqlag.sytes.net
vwpllgrzyi.sytes.net
vztxvnbvcm.sytes.net
waqogzx.sytes.net
wazeuamub.sytes.net
wbczcqvyqy.sytes.net
wberlpcamv.sytes.net
wcazyteltl.sytes.net
wcrutow.sytes.net
wcrzaay.sytes.net
wdrqinhog.sytes.net
wdxbkbkvfb.sytes.net
weerlmvf.sytes.net
wfcwdjpns.sytes.net
wfgdmeyh.sytes.net
wjpidxm.sytes.net
wkbxbphc.sytes.net
wkkonmr.sytes.net
wlcyxyset.sytes.net
wlwkpviaxo.sytes.net
wmjtzgvh.sytes.net
wnabpopd.sytes.net
wncvzmc.sytes.net
wnnobbrg.sytes.net
wopsxkr.sytes.net
wpjayns.sytes.net
wqbfspc.sytes.net
wqdmvidq.sytes.net
wqwotaff.sytes.net
wrksngvww.sytes.net
wwnvban.sytes.net
wwojxgft.sytes.net
wyosismir.sytes.net
wzngkbrnd.sytes.net
xaeyszyqb.sytes.net
xbjfnkh.sytes.net
xcrfxuwj.sytes.net
xdceqpmicv.sytes.net
xdunbolwp.sytes.net
xfkfvhlop.sytes.net
xftimelou.sytes.net
xifdigshb.sytes.net
xlqjuqjbu.sytes.net
xmghaiejgg.sytes.net
xmrooxov.sytes.net
xnijvhf.sytes.net
xnzfkga.sytes.net
xoyaxychfl.sytes.net
xpbulfwwzq.sytes.net
xpygkqywr.sytes.net
xrovnig.sytes.net
xrvmhqr.sytes.net
xsczctw.sytes.net
xsgxbpq.sytes.net
xsndilgqeo.sytes.net
xsrtmss.sytes.net
xtrxecn.sytes.net
xuszvcnrx.sytes.net
xxonpsjfp.sytes.net
xxqmbikoe.sytes.net
xzyvjkpsp.sytes.net
yasuwllnr.sytes.net
yaxxqlaeq.sytes.net
ybmsxldkxn.sytes.net
ydbzfswl.sytes.net
yftgcckpo.sytes.net
ygmiwtfo.sytes.net
yinhvdqypq.sytes.net
yjcwhlsoem.sytes.net
yjlcnxldea.sytes.net
yklnwbe.sytes.net
ymyslhqpu.sytes.net
ynmuveq.sytes.net
yntumiarur.sytes.net
yscpjyr.sytes.net
ywiqdkzn.sytes.net
yxcdcir.sytes.net
yyptzpia.sytes.net
yzzzjjhkd.sytes.net
zacioknthc.sytes.net
zaixfhag.sytes.net
zbuchkkire.sytes.net
zdrekdml.sytes.net
zemyqkhh.sytes.net
zigtkmwpi.sytes.net
zkybqqy.sytes.net
zkzldcyt.sytes.net
zmycttq.sytes.net
zosrtgxrgv.sytes.net
zsefjuub.sytes.net
zuwiipeyt.sytes.net
zuxjnyvdv.sytes.net
zzfcleki.sytes.net


The latest compromised site has been taken down (it was cleaned, then got re-compromised - oh the joys), but be careful folks: as we all know, those found are likely just a very small portion of the sites actually compromised and housing this malicious content. If you do find any more leading to these, or to any other malicious content, please do drop me an email or drop by the hpHosts forums, and let me know.

Friday, 18 October 2013

Alert: Malvertisement from 8.29.133.140

Investigating a new malicious site (reason7crack.com) led to zippyshare.com URLs, which once again has led to malvertisements, this time from cpadominator.com (8.29.133.140).

The path for this little bit of badness was;

hxxp://reason7crack.com
-> hxxp://reason7crack.com/download/
--> hxxp://4j4.me/reason7crackmac.php
---> hxxp://a4caed69.linkbucks.com
--> hxxp://www30.zippyshare.com/v/80240661/file.html
---> hxxp://8.29.133.140/download/download5adcuk.php?src=ADC&kw=125524&lp=4
----> hxxp://cpadominator.com/campaigns/index.php?g=adcuk&src=ADC&kw=125524
-----> hxxp://cpadominator.com/campaigns/index.php?g=mplayeradcuk&src=ADC&kw=125524&lp=4
------> hxxp://secure.oi-installer7.com/o/flashproplayer_flashproplayer/Setup.exe?subid=flashproplayer_ADCUK-4-125524&filedescription=Setup&adprovider=flashproplayer&
--> hxxp://www57.zippyshare.com/v/65769005/file.html
---> hxxp://8.29.133.140/download/download5adcuk.php?src=ADC&kw=125524&lp=4
----> hxxp://cpadominator.com/campaigns/index.php?g=adcuk&src=ADC&kw=125524
-----> hxxp://cpadominator.com/campaigns/index.php?g=mplayeradcuk&src=ADC&kw=125524&lp=4
------> hxxp://secure.oi-installer7.com/o/flashproplayer_flashproplayer/Setup.exe?subid=flashproplayer_ADCUK-4-125524&filedescription=Setup&adprovider=flashproplayer&

Depending on the browser you're using, you'll see one of the following. The first was with the Gecko engine, and the second, with the Trident engine;



So iBryte/Optimum Installer - still want to try and tell me you're a fully ethical, legit, non-adware company?

In both cases, by the by, the offending ad network was, as usual (and as with almost all previous cases), adscash.com. A few refreshes of the page led to one of the other major offenders behind the fake Flash player etc. pages, Performersoft LLC, courtesy of;

hxxp://clkmon.com/adServe/sa?pid=3092&cid=125524
-> hxxp://www.noyapps.com/lp/codecperformer/v17/?cid=3975&clickid=0038245225419101508&orig_client=ADCASHDWN-125524
--> hxxp://www.softologicsb.com/download/$qPo%2BRZlsIQYpuQgO?exename=CodecPerformerSetup&cid=3975&clickid=0038245225419101508&orig_client=ADCASHDWN-125524



Not surprisingly, these chaps are also swearing blind that they're legit (along with AirInstaller, as it happens, who are protesting to their host (SingleHop) that they aren't malicious at all, and that these documented accounts of malicious and otherwise misleading and unethical behaviour are "spurious complaints" - of course they are - NOT!).

Well sorry to burst your obviously opaque bubble, but as far as I am concerned, and there's plenty of evidence (such as the above) to support this, you're about as legit as Zango were, and the sooner your respective companies are shut down, the better for everyone (and as iLivid (aka iMesh, BearShare etc) have stopped responding to complaints, the same goes for them too).

Thursday, 17 October 2013

Alert: Fake Barclays email leads to banking trojan

This lovely little bit of maliciousness just arrived in my inbox, and for a change isn't a phishing scam. Instead, it links to a banking trojan housed on Amazon's EC2 platform.



The image, which is the only thing displayed in the email (for those of you still keeping HTML email enabled - you really should be using plain text only, folks!), links to;

WARNING: FILE IS A TROJAN!!!!, NO CLICKITY ACTION UNLESS YOU KNOW WHAT YOU ARE DOING PLEASE!

hxxps://s3-us-west-2.amazonaws.com/ffg4t4/Co-operative_Safeguard.exe

MD5: 0f285aef13f5aa65487036019d5b6e38
SHA1: 9623e81b516995155d6584dd07bcfdc873f5a601
SHA256: baceb49fa853b536f460703f081c8ce05cd5a16403ad8b70de0a2cfe1a50d731

Sadly, only 3 detections are showing on VT for this at the time of writing.

The headers for this one are;

Return-Path: <security@co-operative.co.uk>
Delivered-To: <[REMOVED]>
Received: from controller2.emailconfig.com ([109.68.33.145])
    by mailserver2.emailconfig.com (Dovecot) with LMTP id QQJhG2uGYFK0VgAAZ1oeBA
    for <[REMOVED]>; Fri, 18 Oct 2013 07:19:25 +0100
Return-Path: <security@co-operative.co.uk>
Received: from mailserver2.emailconfig.com ([109.68.33.147])
    by controller2.emailconfig.com (Dovecot) with LMTP id 24VhE41tYFI2EwAAH46cUA
    ; Fri, 18 Oct 2013 07:19:25 +0100
X-Spam-Flag: YES
X-Spam-Score: 2.362
X-Spam-Level: **
X-Spam-Status: Yes, score=2.362 tagged_above=-9999 required=1.3
    tests=[BAYES_05=-0.5, HTML_IMAGE_ONLY_12=2.059, HTML_MESSAGE=0.001,
    HTML_SHORT_LINK_IMG_1=0.001, MPART_ALT_DIFF=0.79,
    RCVD_IN_DNSWL_NONE=-0.0001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001]
    autolearn=no
Received: from p3plsmtpa09-02.prod.phx3.secureserver.net (p3plsmtpa09-02.prod.phx3.secureserver.net [173.201.193.231])
    by mailserver2.emailconfig.com (Postfix) with ESMTP id A89304C050F
    for <[REMOVED]>; Fri, 18 Oct 2013 07:19:24 +0100 (BST)
Received: from xza3 ([168.61.24.93])
    by p3plsmtpa09-02.prod.phx3.secureserver.net with
    id eWKM1m00X20WsiG01WKPcm; Thu, 17 Oct 2013 23:19:23 -0700
x-spam-cmae: v=2.0 cv=atZs/1lV c=1 sm=1 p=miGKQwDS5fvxS68D:21
a=Gr/uMxE52D6c40cXNo6YQw==:17 a=268azE3ZuWQA:10 a=Eeb08FW8mmMA:10
a=EbKJ-zwr8X8A:10 a=M8Rd8IaqAAAA:8 a=g6oVcqyqMw4A:10 a=zSRKy_izAAAA:8
a=njwu2AU39EesGh8cbpQA:9 a=wPNLvfGTeEIA:10 a=WT9NgGiw_BEA:10
a=POmh68JVvv0A:10 a=w5t1Vozl0l2GyijLDsUA:9 a=_W_S_7VecoQA:10
a=Gr/uMxE52D6c40cXNo6YQw==:117
x-spam-account: ma844@vrnmtnef32982.com
x-spam-domain: vrnmtnef32982.com
From: "The Co-operative Bank" <security@co-operative.co.uk>
Subject: The Co-operative Bank Security Module
To: [REMOVED]
Content-Type: multipart/alternative; boundary="uo4gwIAL9R7TXK=_WQ9msmDvC6vwWm595u"
MIME-Version: 1.0
Reply-To: security@co-operative.co.uk
Date: Fri, 18 Oct 2013 06:19:23 +0000
Message-Id: <20131018061921C32741A96F$1A61A32843@XZA>

419: Fraudulent FedEx emails

The lads (and lasses) from Lagos are still alive and kicking, or rather, alive and spamming the crap out of everyone. Not that this is news - it's not stopped, they still come in daily, in their droves. The latest I've received arrived a few minutes ago, in the form of a fraudulent FedEx email.

We have been waiting for you to contact us for your Confirmable Package that is registered with us for shipping to your residential location.We had thought that your sender gave you our contact details.It may interest you to know that a letter is also added to your package.

We understand that the content of your package itself is a Bank Draft worth of $450,000.00 USD, FedEx do not ship money in CASH or in CHEQUES but Bank Drafts are shippable.The package is registered with us for mailing by your colleague, and your colleague explained that he is from the U.S.A but he is currently in Asia for a three (3) months Surveying Project as he works with a consultant firm in India, We are sending you this email because your package is been registered on a Special Order.

For your information,the VAT & Shipping charges as well as Insurance fees have been paid by your colleague before your package was registered. Note that the payment that is made on the Insurance, Premium & Clearance Certificates, are to certify that the Bank Draft is not a Drug Affiliated Fund (DAF) neither is it funds to sponsor Terrorism in your country. This will help you avoid any form of query from the Monetary Authority of your country.

However, you will have to pay a sum of $185USD to the FedEx Delivery Department being full payment for the Security Keeping Fee of the FedEx company as stated in our privacy terms & condition page. Send your Postal address ,telephone and your name in full this is mandatory to reconfirm your Postal address and telephone. Please note that packages are not shipped nor delivered on Saturday, Sunday and on holidays. If your order has been placed on any of these days, then it may be shipped the following business day.

Kindly complete the below form and send it to the FEDEX DELIVERY POST with the below information.This is mandatory to re-confirm your Postal address and telephone numbers.
FULL NAMES:
TELEPHONE:
POSTAL ADDRESS:
SEX:
AGE:
OCCUPATION:
CITY:
STATE:
COUNTRY:

FEDEX DELIVERY POST
Email:fedexdeliveryservicec@live.com
Phone number:+918587934306
Contact Person: Mr. Oscar J. Pinto

**ALL PACKAGES ARE SIGNATURE REQUIRED.
If you have any other questions or concerns, please feel free to contact
us between Monday - Friday: 9:00am - 9:00pm EST
Saturdays: 10:00am - 5:00pm EST
Sundays: 10:00am - 4:00pm EST

Have a great day!

Federal Express Co-operation.
FedEx Online Team Management.
All rights reserved. © 1995-2013.



Headers:

Return-Path: <info@fedEx.com>
Delivered-To: <[REMOVED]>
Received: from controller1.emailconfig.com ([109.68.33.144])
    by mailserver2.emailconfig.com (Dovecot) with LMTP id eftgG2uGYFK0VgAAZ1oeBA
    for <[REMOVED]>; Fri, 18 Oct 2013 06:37:02 +0100
Return-Path: <info@fedEx.com>
Received: from mailserver1.emailconfig.com ([109.68.33.146])
    by controller1.emailconfig.com (Dovecot) with LMTP id wEHXKXSiYFKicgAAm9UGAw
    ; Fri, 18 Oct 2013 06:37:02 +0100
X-Spam-Flag: YES
X-Spam-Score: 11.473
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.473 tagged_above=-9999 required=1.3
    tests=[ADVANCE_FEE_2_NEW_FORM=1.855, ADVANCE_FEE_2_NEW_FRM_MNY=0.098,
    ADVANCE_FEE_2_NEW_MONEY=2.665, BAYES_00=-1.9, DKIM_ADSP_DISCARD=1.8,
    FILL_THIS_FORM=0.001, FILL_THIS_FORM_LONG=3.404,
    FREEMAIL_FORGED_REPLYTO=2.095, LOTS_OF_MONEY=0.001, MONEY_FORM=0.001,
    RCVD_IN_BRBL_LASTEXT=1.449, SPF_FAIL=0.001,
    TO_EQ_FM_DOM_SPF_FAIL=0.001, TO_EQ_FM_SPF_FAIL=0.001,
    URIBL_BLOCKED=0.001] autolearn=no
Received: from mail.ranksitt.net (mail.ranksitt.net [202.40.176.66])
    by mailserver1.emailconfig.com (Postfix) with ESMTP id 9456A3408B9
    for <[REMOVED]>; Fri, 18 Oct 2013 06:37:01 +0100 (BST)
X-Virus-Scanned: amavisd-new at ranksitt.net
Received: from mail.ranksitt.net ([127.0.0.1])
    by localhost (mail.ranksitt.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id LhmgMIKMbeko; Fri, 18 Oct 2013 11:35:18 +0600 (BDT)
X-Virus-Scanned: amavisd-new at ranksitt.net
Received: from mail.ranksitt.net ([127.0.0.1])
    by localhost (mail.ranksitt.net [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id DrSzsycnA_6X; Fri, 18 Oct 2013 11:35:18 +0600 (BDT)
Received: from [101.63.190.85] (unknown [101.63.190.85])
    by mail.ranksitt.net (Postfix) with ESMTPSA id C107020EBDC;
    Fri, 18 Oct 2013 11:35:12 +0600 (BDT)
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: You have a package with us
To: Recipients <info@fedEx.com>
From: FedEx Delivery Service <info@fedEx.com>
Date: Fri, 18 Oct 2013 06:36:41 +0100
Reply-To: fedexdeliveryservicec@live.com
Message-Id: <20131018053512.C107020EBDC@mail.ranksitt.net>
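Both header dumps above (the Co-operative Bank trojan lure and this FedEx 419) carry the same tell-tales a responder reads first: the earliest Received hop, a Reply-To that points somewhere other than the From domain, and the SpamAssassin rules that fired. The Python below is an added example, not the post's or hpHosts' own code; it unfolds the continuation lines, pulls those signals out, and lists the reasons to treat the mail as suspect. The sample input is a constructed excerpt of the FedEx headers quoted above; the regexes only handle IPv4 and the first address in a header.

```python
import re

# Constructed sample input: an excerpt of the FedEx 419 headers quoted in the
# post, with the folded continuation lines kept exactly as they arrived.
SAMPLE_HEADERS = """\
Received: from mail.ranksitt.net (mail.ranksitt.net [202.40.176.66])
    by mailserver1.emailconfig.com (Postfix) with ESMTP id 9456A3408B9
Received: from [101.63.190.85] (unknown [101.63.190.85])
    by mail.ranksitt.net (Postfix) with ESMTPSA id C107020EBDC
X-Spam-Status: Yes, score=11.473 tagged_above=-9999 required=1.3
    tests=[ADVANCE_FEE_2_NEW_FORM=1.855, FREEMAIL_FORGED_REPLYTO=2.095,
    SPF_FAIL=0.001] autolearn=no
From: FedEx Delivery Service <info@fedEx.com>
Reply-To: fedexdeliveryservicec@live.com
"""


def unfold(raw):
    """Split raw headers into (name, value) pairs; a line that starts with
    whitespace continues the previous header (RFC 5322 folding)."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def first(fields, name):
    """First value of header `name` (lower-case), or '' if absent."""
    return next((v for n, v in fields if n == name), "")


def domain_of(addr):
    """Domain part of 'Display Name <user@Example.com>', lower-cased."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def originating_ip(fields):
    """Relays prepend Received headers, so the last one is the earliest hop
    and its bracketed IP is the host that actually submitted the message."""
    received = [v for n, v in fields if n == "received"]
    m = re.search(r"from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    return m.group(1) if m else ""


def spam_tests(fields):
    """Parse SpamAssassin's X-Spam-Status into (score, {rule: points})."""
    status = first(fields, "x-spam-status")
    score = re.search(r"score=(-?[\d.]+)", status)
    tests = re.search(r"tests=\[(.*?)\]", status)
    hits = {t: float(p) for t, p in re.findall(r"(\w+)=(-?[\d.]+)", tests.group(1))} if tests else {}
    return (float(score.group(1)) if score else 0.0), hits


def triage(raw):
    """Pull out the signals worth checking first on a suspect message."""
    fields = unfold(raw)
    from_dom = domain_of(first(fields, "from"))
    reply_dom = domain_of(first(fields, "reply-to"))
    score, hits = spam_tests(fields)
    reasons = []
    if reply_dom and reply_dom != from_dom:  # replies are steered elsewhere
        reasons.append("Reply-To %s differs from From %s" % (reply_dom, from_dom))
    for rule in ("SPF_FAIL", "DKIM_ADSP_DISCARD", "FREEMAIL_FORGED_REPLYTO"):
        if rule in hits:  # sender-authentication and forged-reply rules
            reasons.append("spam filter hit " + rule)
    return {"originating_ip": originating_ip(fields), "from_domain": from_dom,
            "reply_to_domain": reply_dom, "score": score, "tests": hits,
            "reasons": reasons}
```

Run against the Co-operative Bank headers, the same code gives 168.61.24.93 as the submitting host and no Reply-To mismatch, which is why that one scraped through the filter with a score of only 2.362.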


Tuesday, 8 October 2013

Info: Attention Windows 7 (SP1) users

Microsoft have released an article and hotfix that allow Windows 7 SP1 users to remove outdated updates (those that have been superseded by newer updates) from their systems.

This article describes an update for the Disk Cleanup wizard in Windows 7 Service Pack 1 (SP1).

This update adds a new plugin to the Disk Cleanup wizard. After you install this update, you can use the Windows Update Cleanup option to delete Windows updates that you no longer need.

Notes

The Windows Update Cleanup option is available only when the Disk Cleanup wizard detects Windows updates that you do not need on the computer.

To enable you to roll back to previous updates, updates are stored in the WinSxS store even after they are superseded by later updates. Therefore, after you run the Disk Cleanup wizard, you may be unable to roll back to a superseded update. If you want to roll back to a superseded update that the Disk Cleanup wizard deletes, you can manually install the update.


Update is available that enables you to delete outdated Windows updates by using a new option in the Disk Cleanup wizard in Windows 7 SP1
http://support.microsoft.com/kb/2852386

Friday, 4 October 2013

hpHosts: Updated 04-10-2013

The hpHOSTS Hosts file has been updated. There is now a total of 246,284 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 04/10/2013 18:10
  2. Last Verified: 01/10/2013 13:00
Download hpHosts now!
http://hosts-file.net/?s=Download