Redirections to SaveTheChildren.org

This is transferred to the new board at http://fraudreports.prophpbb.com
Spammers should not profit, so post information here that hits their pockets.

Redirections to SaveTheChildren.org

Postby Red Dwarf » Mon Dec 21, 2015 2:01 am

Today there is a new development in the weight-loss fraud. Of the hundreds of sites that were live yesterday, many are now redirecting to a SaveTheChildren.org web site.

The redirection is performed using a JavaScript block: <script language="javascript" type="text/javascript">

The target of the redirection is the Official USA site - savethechildren.org

Time will tell if this was a deliberate act by the scammers, or a hack of their infrastructure! If anyone can decode the javascript to see if there is any other malicious actions there, I would welcome the feedback.

Examples of redirections which were previously to The Doctors Weight-loss scam. Items marked * (highlighted in red in the original post) have been suspended by the registrar.

  Domain        Redirects to         Registrar
* epjsds.net    Save the Children    BIGROCK SOLUTIONS LIMITED
  epu1nt.net    Save the Children    BIZCN.COM, INC.
  icaty5.net    Save the Children    BIZCN.COM, INC.
  nofugb.net    Save the Children    BIZCN.COM, INC.
* sozxeu.net    Save the Children    BIZCN.COM, INC.
* uvmmo.net     Save the Children    BIZCN.COM, INC.
  vo93dv.net    Save the Children    BIZCN.COM, INC.
* auaooo.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* ayusx.net     Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* bbumnf.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* blras.net     Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* cozxon.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* crnrso.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* cvocac.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* ereznm.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* evmmna.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* firua.net     Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* mnrmc.net     Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* mogfea.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* nnvar.net     Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* noesec.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* oenvrv.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* ooerrc.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* ormvr.net     Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* phrjiv.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* soosu.net     Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* sybuim.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* ujtmrz.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* usxoo.net     Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* vrrzvo.net    Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* vsvne.net     Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* vsxvm.net     Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* vvxzx.net     Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* xmmuv.net     Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.
* xrnzm.net     Save the Children    HICHINA ZHICHENG TECHNOLOGY LTD.


Russian ccTLDs on R01 and NAUNET are the same, such as:
acjansoi.ru
ackjosiecs.ru
acnoacs.ru
acnosied.ru
ajncoisj.ru
ajncoisu.ru
akjnocis.ru
amcosigser.ru
ancodigssc.ru
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Re: Redirections to SaveTheChildren.org

Postby Red Dwarf » Mon Dec 21, 2015 4:20 am

The redirection script:

Code: Select all
<script language="javascript" type="text/javascript">
    // Obfuscated payload. It was posted line-wrapped; the pieces are rejoined here into one string.
    var ll0 = '==gCpkSKnw3JoQXasB3cucSZ0lmc3xXYzADM1x3N2ADM1xHfiNDMwUHfyFmd8VGchN2cl5Wd8ZjNwATd8Rnbl1Wdj9GZ8NzNwATd8FmNwATd8lzNwATd8VGchN2cl9FfhBDMwUHf0YDMwUHflNDMwUHf2cDMwUHf3cDMwUHfyIDMwUHf' +
        'kNDMwUHf4cDMwUHfjNDMwUHfjZDMwUHf3IDMwUHflZDMwUHf5YDMwUHf4YDMwUHfycDMwUHfwIDMwUHfwcDMwUHfmZDMwUHf1YDMwUHfzgDflR2bDJXYoNUbvJnZ8VzM8RnbJV2cyFGc8JjN8NjNwATd8FjNwATd8ZmMwATd8RzNwATd8VmMwATd8xWY2VGfn5Way' +
        'R3U8RXasB3c8dmbpJHdT9Gd8ZzM8dXZuxHc4V0ZlJFflNWYsBXZyxXZslGa3xnZpxnbvlGdj5WdmxnbyVHdlJHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8d' +
        'CL3MTMsIjNscSKp03esADLpcCX8dCXoUXMucCXXFDfYFDfZFDfwIDfVFDfUFDfQFDfPFDfRFDfSFDfTFDfaFDf0IDfjJDfiJDf4IDfhJDf2IDfyIDfxIDf3IDfzIDf1IDfWFDfsFDfvFDftFDf3FDf1FDfuFDf0FDfxFDfyFDfwFDf6FDf5FDf4FDfBFDfNFDfJFD' +
        'fCFDfKFDfLFDfMFDfIFDfOFDfzFDf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8x3JcxyRxwyQxwyJclSKpcCXcxFfnwFXchyUucCXcxVNxwnNxw3NxwHOxwHNxw3MxwXYxwXW8BTM8FTM8JTM8lTM8VWM8hWM8pWM8lWM8tWM8ZWM8dWM8JWM8NWM' +
        '8RWM8pFfNxHS8lEfKx3S8hFfHxnR8JEfDxHR8VEfMdCXcxFLBxSQscCXcx1OpkSboUHK45yd7cCXcxFXcxFXsVCMlUTJ0UiMlYTJkVyYlcWJvViel4WJ2ViMlIWJ4USZlMTJyUyalYWJ0USYlYTJzUSYlATJzUialkTJkVCOlcTJ3UyNlMWJjVSelUTJwUCMlEWJu' +
        'VSMlkWJxUyclMTJyUSYlgTJlViYlQTJwUSOlYTJiViZlgTJ3UiYlsWJlVCNlcTJxUSMlETJxUyblwWJoVCMlUTJ0UiMlYTJkVSOloWJ5UCclMWJwUCdlMTJwUCalkWJzUSNlEXJwUSMlATJ1UCNlITJ2UCZlcWJnwFXcxFXcxVPtBicnwFXchSfwByV91XKdN2Wrx' +
        'SKnwFXcd2JcxFXscCXcxlYcxFXcxFXcx1JcxFXrkSYoElLjtyJcxFXixFXcxFXcxFXnwFXchCUg8EKO5Cc9A3ep01YbtGKStXKt0yYoY1epQGLlxyasMGLhxCcoUFKUdCXo0HcgwWM91XKdN2WrxSKnw1ZnwFLnwlYcxFXcdCXrkyYoU2KnwlYcxFXcdCXoEXMgIX' +
        'MoAXMuAXPwtXKdN2WrhibxsXKt0yYo8WM70XM9M2O9dCXrcHXcxFXnwFbxsXKo0WM9U2Od1XXltFZgwWM7lSZo0WMb1za9lyYoUGf811YbtWPdlyYoU2WktXKt0yYo8WM7lSK2FDLv41LoAXMucCXnwVIo4WM70XKpMXMoQXMuMmOpkjMrMGKGFjL2FzPFFjPpEWJ' +
        'j1zYogyKpkSKh9yYoQUMoUmOnw1Jc9TY8MGKsFzepMGKtFTPltXKkxSZssGLjxSYsAHKtFDK3FzJo0Hcg4mc1RXZy1Xfp01YbtGLpcyZnwyJixFXnsSKjhSZrciYcx1JoAHeFdWZSBydl5GKlNWYsBXZy5Cc9A3ep01YbtGKml2ep0SLjhSZslGa3tTfpkiNzgyZu' +
        'lmc0N1b05yY6kSOysyYoUGZvNkchh2Qt9mcm5yZulmc0N1P1MjPpEWJj1zYogyKpkSKh9yYoQnbJV2cyFGcoUmOncyPhxzYo4mc1RXZytXKjhibvlGdj5Wdm1TZ7lCZsUGLrxyYsEGLwhibvlGdj5WdmhCbhZXZ';

    // A plain base64 decoder behind an obfuscated name (standard alphabet; "=" is index 64).
    function _0II(data) {
        var I00lOI = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
        var o1, o2, o3, h1, h2, h3, h4, bits, i = 0, enc = '';
        do {
            h1 = I00lOI.indexOf(data.charAt(i++));
            h2 = I00lOI.indexOf(data.charAt(i++));
            h3 = I00lOI.indexOf(data.charAt(i++));
            h4 = I00lOI.indexOf(data.charAt(i++));
            bits = h1 << 18 | h2 << 12 | h3 << 6 | h4;
            o1 = bits >> 16 & 0xff;
            o2 = bits >> 8 & 0xff;
            o3 = bits & 0xff;
            if (h3 == 64) {
                enc += String.fromCharCode(o1);
            } else if (h4 == 64) {
                enc += String.fromCharCode(o1, o2);
            } else {
                enc += String.fromCharCode(o1, o2, o3);
            }
        } while (i < data.length);
        return enc;
    }

    // Reverses a string: the payload is stored back to front.
    function I00(string) {
        var ret = '', i = 0;
        for (i = string.length - 1; i >= 0; i--) {
            ret += string.charAt(i);
        }
        return ret;
    }

    // Reverse, base64-decode, then execute the result.
    eval(_0II(I00(ll0)));
</script>

Re: Redirections to SaveTheChildren.org

Postby Red Dwarf » Mon Dec 21, 2015 3:28 pm

Warnings about this redirection script:

https://sitecheck.sucuri.net/results/kjncoasng.ru#viewpayload1

sucuri.net wrote:Website: kjncoasng.ru
Status: Infected With Malware. Immediate Action is Required.
Web Trust: Blacklisted (10 Blacklists Checked): Indicates that a major security company (such as Google, McAfee, Norton, etc) is blocking access to your website for security reasons. Please see our recommendation below to fix this issue and restore your traffic.

Scan                  Result    Severity  Recommendation
Website Blacklisting  Detected  Critical  CLEAN UP Clean Up & Remove Blacklisting
Malware               Detected  Critical  GET YOUR SITE CLEANED

Your site appears to be hacked. Hacked sites can lose nearly 95% of your traffic in as little as 24 to 48 hours if not fixed immediately – losing your organic rankings and being blocked by Google, Bing and many other blacklists. Hacked sites can also expose your customers' and readers' private and financial information, and turn your site into a host for dangerous malware and illicit material, creating massive liability. Secure your site now with Sucuri.

Re: Redirections to SaveTheChildren.org

Postby spamislame » Thu Dec 24, 2015 12:13 pm

[Edited. What a mess. I have added carriage returns to make it all more readable]

A fun little game decoding their triple-obfuscated JavaScript code just to perform a simple redirect.

The first code snippet decodes a base64-encoded string:

Code: Select all
ZXZhbChmdW5jdGlvbihwLGEsYyxrLGUsZCl7ZT1mdW5jdGlvbihjKXtyZXR1cm4oYzxhPycnOmUocGFy
c2VJbnQoYy9hKSkpKygoYz1jJWEpPjM1P1N0cmluZy5mcm9tQ2hhckNvZGUoYysyOSk6Yy50b1N0cmlu
ZygzNikpfTt3aGlsZShjLS0pe2lmKGtbY10pe3A9cC5yZXBsYWNlKG5ldyBSZWdFeHAoJ1xcYicrZShj
KSsnXFxiJywnZycpLGtbY10pfX1yZXR1cm4gcH0oJzF3KDFtKHAsYSxjLGssZSxkKXtlPTFtKGMpezFs
KGM8YT9cJ1wnOmUoMUQoYy9hKSkpKygoYz1jJWEpPjFFPzF2LjFGKGMrMjkpOmMuMXQoMXMpKX07MW4o
IVwnXCcuMXAoL14vLDF2KSl7MW8oYy0tKXtkW2UoYyldPWtbY118fGUoYyl9az1bMW0oZSl7MWwgZFtl
XX1dO2U9MW0oKXsxbFwnXFxcXHcrXCd9O2M9MX07MW8oYy0tKXsxbihrW2NdKXtwPXAuMXAoMXIgMXEo
XCdcXFxcYlwnK2UoYykrXCdcXFxcYlwnLFwnZ1wnKSxrW2NdKX19MWwgcH0oXCdUKFUocCxhLGMsayxl
LGQpe1YoYy0tKXtSKGtbY10pe3A9cC5OKE8gUChcXFwnXFxcXFxcXFxiXFxcJytjLlEoYSkrXFxcJ1xc
XFxcXFxcYlxcXCcsXFxcJ2dcXFwnKSxrW2NdKX19VyBwfShcXFwnciBtPVxcXFxcXFwnJWclZCU2JTIl
NCU1JTAlMSUwJXElNSUzJWklaCUwJTMldCUwJWMlcCU5JWolOSVkJTYlMiU0JTUlMCVoJWwlbyUxJTEl
MSUxJTclNCVlJWslYiU3JTglZiViJTYlOSUwJTQlYiVlJTglYSUyJTMlcyUxJWklMSVuJWElMCUwJTUl
eSVjJWMlNyU3JTclOCVkJTklaiUzJTAlYSUzJTYlYSU0JWYlayUyJTMlZSU4JWIlMiV2JW4leiVvJWcl
YyVkJTYlMiU0JTUlMCVsXFxcXFxcXCc7dy54KHUobSkpO1xcXCcsQSxBLFxcXCdMfEV8RHxDfEJ8RnxH
fFh8S3xKfEl8SHxNfFp8MWR8MWN8MWJ8MWd8MWZ8MWt8MWl8MWp8MWh8MWV8MTl8MTJ8MTF8MTB8WXwx
YXwxM3wxNHwxOHwxN3wxNnwxNVxcXCcuUyhcXFwnfFxcXCcpKSlcJywxQywxRyxcJ3x8fHx8fHx8fHx8
fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fDFzfDFOfDFIfDFMfDFLfDFKfDFCfDFJfDFNfDFBfDF4fDF5
fDF6fDFwfDFyfDFxfDF0fDFufDF1fDF3fDFtfDFvfDFsfDFWfDI1fDIzfDI3fDIxfDIyfDI2fDJhfDI4
fDJifDJjfDI0fDFafDFTfDFSfDFRfDFPfDFQfDFUfDFVfDIwfDFZfDFYfDFXXCcuMXUoXCd8XCcpLDAs
e30pKScsNjIsMTM3LCd8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8
fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHJldHVybnxmdW5jdGlvbnxpZnx3aGls
ZXxyZXBsYWNlfFJlZ0V4cHxuZXd8MzZ8dG9TdHJpbmd8c3BsaXR8U3RyaW5nfGV2YWx8dTAwMmV8dTAw
NzR8dTAwMmZ8dTAwNjF8dTAwNjN8NjJ8cGFyc2VJbnR8MzV8ZnJvbUNoYXJDb2RlfDgzfHUwMDY1fHUw
MDZmfHUwMDcwfHUwMDIwfHUwMDcyfHUwMDY4fHUwMDY5fHUwMDZlfHUwMDI3fHUwMDZjfHUwMDNjfHUw
MDc4fHUwMDNkfHUwMDIyfHUwMDc3fHUwMDc2fHUwMDNlfHUwMDY0fHUwMDBhfF9lc2NhcGV8dTAwNzl8
dTAwNmF8dTAwNzN8ZG9jdW1lbnR8dTAwNjZ8dW5lc2NhcGV8dmFyfHUwMDNifHx1MDA2N3x1MDAzYXx3
cml0ZScuc3BsaXQoJ3wnKSkpCg==

Which returns a typical "packed" JavaScript encoded segment:

Code: Select all
eval(function(p, a, c, k, e, d) {
    e = function(c) {
        return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    };
    while (c--) {
        if (k[c]) {
            p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c])
        }
    }
    return p
}('1w(1m(p,a,c,k,e,d){
    e=1m(c){
        1l(c<a?\'\':e(1D(c/a)))+((c=c%a)>1E?1v.1F(c+29):c.1t(1s))
    };
    1n(!\'\'.1p(/^/,1v)){
        1o(c--){
            d[e(c)]=k[c]||e(c)
        }
        k=[1m(e){
            1l d[e]
        }];
        e=1m(){
            1l\'\\\\w+\'
        };
        c=1
    };
    1o(c--){
        1n(k[c]){
            p=p.1p(1r 1q(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c])
        }
    }
    1l p
}(\'T(U(p,a,c,k,e,d){
    V(c--){
        R(k[c]){
            p=p.N(O P(\\\'\\\\\\\\b\\\'+c.Q(a)+\\\'\\\\\\\\b\\\',\\\'g\\\'),k[c])
        }
    }
    W p
}(\\\'r m=\\\\\\\'%g%d%6%2%4%5%0%1%0%q%5%3%i%h%0%3%t%0%c%p%9%j%9%d%6%2%4%5%0
    %h%l%o%1%1%1%1%7%4%e%k%b%7%8%f%b%6%9%0%4%b%e%8%a%2%3%s%1%i%1%n%a%0%0%5%y%c%c
    %7%7%7%8%d%9%j%3%0%a%3%6%a%4%f%k%2%3%e%8%b%2%v%n%z%o%g%c%d%6%2%4%5%0%l\\\\\\\';
    w.x(u(m));\\\',A,A,\\\'L|E|D|C|B|F|G|X|K|J|I|H|M|Z|1d|1c|1b|1g|1f|1k|1i|1j|1h|
    1e|19|12|11|10|Y|1a|13|14|18|17|16|15\\\'.S(\\\'|\\\')))\',1C,1G,
    \'||||||||||||||||||||||||||||||||||||1s|1N|1H|1L|1K|1J|1B|1I|1M|1A|1x|1y|1z|1p
    |1r|1q|1t|1n|1u|1w|1m|1o|1l|1V|25|23|27|21|22|26|2a|28|2b|2c|24|1Z|1S|1R|1Q|1O|
    1P|1T|1U|20|1Y|1X|1W\'.1u(\'|\'),0,{}))
', 62, 137, '|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
    return|function|if|while|replace|RegExp|new|36|toString|split|String|eval|u002e|u0074|u002f|
    u0061|u0063|62|parseInt|35|fromCharCode|83|u0065|u006f|u0070|u0020|u0072|u0068|u0069|u006e|u0027
    |u006c|u003c|u0078|u003d|u0022|u0077|u0076|u003e|u0064|u000a|_escape|u0079|u006a|u0073|document|u0066|unescape|
    var|u003b||u0067|u003a|write'.split('|'))
)

Which in turn produces a second "packed" JavaScript encoded segment:

Code: Select all
eval(function(p, a, c, k, e, d) {
    while (c--) {
        if (k[c]) {
            p = p.replace(new RegExp('\\b' + c.toString(a) + '\\b', 'g'), k[c])
        }
    }
    return p
}('r m=\'%g%d%6%2%4%5%0%1%0%q%5%3%i%h%0%3%t%0%c%p%9%j%9%d%6%2%4%5%0%h%l%o%1%1%1%1%7%4' +
  '%e%k%b%7%8%f%b%6%9%0%4%b%e%8%a%2%3%s%1%i%1%n%a%0%0%5%y%c%c%7%7%7%8%d%9%j%3%0%a%3%6%a' +
  '%4%f%k%2%3%e%8%b%2%v%n%z%o%g%c%d%6%2%4%5%0%l\';w.x(u(m));', 36, 36,
  ('u0074|u0020|u0072|u0065|u0069|u0070|u0063|u0077|u002e|u0061|u0068|u006f|u002f|u0073|u006e|u006c|u003c' +
   '|u0022|u003d|u0076|u0064|u003e|_escape|u0027|u000a|u006a|u0079|var|u0066|u0078|unescape' +
   '|u0067|document|write|u003a|u003b').split('|')))

Which finally decodes to:

Code: Select all
<script type="text/javascript">
    window.location.href = 'http://www.savethechildren.org';
</script>

If somebody *has* sabotaged their code it's great work, but I don't know if that's actually the case.

How would anybody put any quality control on that? It's not obvious from any of these bits what has changed.

SiL
User avatar
spamislame
Site Admin
 
Posts: 5058
Joined: Tue May 09, 2006 9:18 am
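
A static unpacker for the three layers walked through above, added here as an illustration; it is not part of spamislame's post or of the scammers' code. It reproduces the packer's own replace loop (the e() symbol encoder and the \b-delimited whole-word substitution) in plain functions, so the payload is read without ever reaching eval(); the first stage mirrors the _0II(I00(ll0)) step from Red Dwarf's post and returns text instead of executing it. The sample input is the second packed layer from the post, rejoined onto one line; the function names (deobfuscate, unpackLayer, extractRedirectTarget and so on) are my own, and Node.js is assumed for Buffer.

```javascript
'use strict';
// Added example (not code from the thread): static unpacking of the layered
// redirect script. Stage 1 = reverse + base64, stages 2-3 = the
// "eval(function(p,a,c,k,e,d){...})" packer, stage 4 = document.write(unescape(...)).

// Stage 1: mirrors eval(_0II(I00(ll0))) from the posted script, minus the eval.
function decodeFirstStage(ll0) {
  const reversed = ll0.split('').reverse().join('');
  return Buffer.from(reversed, 'base64').toString('latin1');
}

// The packer's symbol encoder (the e() helper in the posted code): token index -> token.
// Radix 36 yields 0-9a-z; radix 62 continues with A-Z, then two-character symbols.
function encodeSymbol(c, a) {
  return (c < a ? '' : encodeSymbol(Math.floor(c / a), a)) +
    ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36));
}

// Undo one packer layer: substitute every whole-word token with its dictionary entry.
// Same result as the packer's own loop, including its d[] lookup-table variant.
function unpackLayer(p, a, c, k) {
  while (c--) {
    if (k[c]) {
      p = p.replace(new RegExp('\\b' + encodeSymbol(c, a) + '\\b', 'g'), k[c]);
    }
  }
  return p;
}

// Read a quoted JS string literal starting at src[start], resolving the escapes
// the packer output uses (\' \\ \n \xHH \uHHHH). Returns the value and the end offset.
function readStringLiteral(src, start) {
  const quote = src[start];
  let out = '';
  for (let i = start + 1; i < src.length; i++) {
    const ch = src[i];
    if (ch === quote) return { value: out, end: i + 1 };
    if (ch !== '\\') { out += ch; continue; }
    const nx = src[i + 1];
    if (nx === 'n') out += '\n';
    else if (nx === 'r') out += '\r';
    else if (nx === 't') out += '\t';
    else if (nx === 'x') { out += String.fromCharCode(parseInt(src.slice(i + 2, i + 4), 16)); i += 2; }
    else if (nx === 'u') { out += String.fromCharCode(parseInt(src.slice(i + 2, i + 6), 16)); i += 4; }
    else out += nx;                       // \\ \' \" and any other escaped character
    i += 1;                               // skip the escaped character itself
  }
  throw new Error('unterminated string literal');
}

// Pull (p, a, c, k) out of "...return p}('payload', a, c, 'k0|k1|...'.split('|'))".
function parsePackerCall(src) {
  const open = /\}\(\s*['"]/.exec(src);
  if (!open) throw new Error('no packer call found');
  const pLit = readStringLiteral(src, open.index + open[0].length - 1);
  const rest = src.slice(pLit.end);
  const nums = /^\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*['"]/.exec(rest);
  if (!nums) throw new Error('unexpected packer arguments');
  const kLit = readStringLiteral(rest, nums[0].length - 1);
  if (!/^\s*\.split\(\s*['"]\|['"]\s*\)/.test(rest.slice(kLit.end))) {
    throw new Error('dictionary is not a .split("|") list');
  }
  return { p: pLit.value, a: Number(nums[1]), c: Number(nums[2]), k: kLit.value.split('|') };
}

function unpackPayload(src) {
  const { p, a, c, k } = parsePackerCall(src);
  return unpackLayer(p, a, c, k);
}

const PACKER_RE = /eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)/;
const ESCAPED_WRITE_RE = /var\s+(\w+)\s*=\s*'([^']*)'\s*;\s*document\.write\(\s*unescape\(\s*\1\s*\)\s*\)/;

// Stage 4: decode the %uXXXX / %XX sequences locally instead of calling unescape().
function decodeEscapedScript(js) {
  const m = ESCAPED_WRITE_RE.exec(js);
  if (!m) throw new Error('no document.write(unescape(...)) wrapper found');
  return m[2].replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u4, u2) => String.fromCharCode(parseInt(u4 || u2, 16)));
}

// Peel every packer layer, then the unescape wrapper, and return the plain HTML/JS.
function deobfuscate(src) {
  let cur = src;
  while (PACKER_RE.test(cur)) cur = unpackPayload(cur);
  return ESCAPED_WRITE_RE.test(cur) ? decodeEscapedScript(cur) : cur;
}

// Where does the decoded script send the browser? Null if no assignment is found.
function extractRedirectTarget(html) {
  const m = /window\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]/.exec(html);
  return m ? m[1] : null;
}

// Sample input: the second packed layer from the post, rejoined onto one line.
const SAMPLE_LAYER2 = String.raw`eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c.toString(a)+'\\b','g'),k[c])}}return p}(` +
  String.raw`'r m=\'%g%d%6%2%4%5%0%1%0%q%5%3%i%h%0%3%t%0%c%p%9%j%9%d%6%2%4%5%0%h%l%o%1%1%1%1%7%4` +
  String.raw`%e%k%b%7%8%f%b%6%9%0%4%b%e%8%a%2%3%s%1%i%1%n%a%0%0%5%y%c%c%7%7%7%8%d%9%j%3%0%a%3%6%a` +
  String.raw`%4%f%k%2%3%e%8%b%2%v%n%z%o%g%c%d%6%2%4%5%0%l\';w.x(u(m));',36,36,` +
  String.raw`'u0074|u0020|u0072|u0065|u0069|u0070|u0063|u0077|u002e|u0061|u0068|u006f|u002f|u0073|u006e|u006c|u003c` +
  String.raw`|u0022|u003d|u0076|u0064|u003e|_escape|u0027|u000a|u006a|u0079|var|u0066|u0078|unescape` +
  String.raw`|u0067|document|write|u003a|u003b'.split('|')))`;

if (typeof require !== 'undefined' && require.main === module) {
  const html = deobfuscate(SAMPLE_LAYER2);
  console.log(html);
  console.log('redirect target:', extractRedirectTarget(html));
}
```

To run the whole chain from the first post, feed the ll0 blob through decodeFirstStage() and hand the result to deobfuscate(); the outer 62-radix layer is handled by the same loop because encodeSymbol() reproduces the packer's e() function. Parsing the arguments with a small string-literal reader rather than a regex is what keeps the nested \' escapes from breaking the split between payload and dictionary.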

Re: Redirections to SaveTheChildren.org

Postby Red Dwarf » Thu Dec 24, 2015 5:10 pm

Fantastic! Thanks for this Christmas present.

This wholesale redirection of about 300 live weight-loss fraud domains (I've got about 5000 dead ones too) from a scam to a charitable organisation has seemingly gone unnoticed.

The mystery surrounding this change is - did the scammers do it, or was it done to them?

The .net domains typically have 2, 3 or 4 host IP addresses:

  epu1nt.net has address 51.254.244.153
  epu1nt.net has address 83.167.253.210

  epjsds.net has address 119.81.153.170
  epjsds.net has address 31.170.107.170
  epjsds.net has address 31.170.107.167

  cvocac.net has address 179.43.147.220
  cvocac.net has address 118.193.13.207
  cvocac.net has address 118.193.12.134
  cvocac.net has address 79.124.13.21

The .ru domains each have one host IP address:

  ciouniuns.ru has address 118.193.13.210

  cjnisjgfn.ru has address 178.175.140.35

  cmosige.ru has address 213.169.148.35

  cnvvoisuje.ru has address 85.143.218.145

For all those redirections to be put in place, there must surely be a central gateway.
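
A small infrastructure pivot over the host records above, added here as an illustration and not part of the post: it parses host-style output, indexes the domains by exact IP and by /24, and reports only the keys shared by more than one domain, which is the first thing to check when testing the "central gateway" hypothesis. The sample input is constructed from the records in this post plus the 33u5oo.net address that appears in the curl output in the next post; the function names are my own and Node.js is assumed.

```javascript
'use strict';
// Added example (not from the thread): find hosting shared between redirect domains.

// Parse "name has address a.b.c.d" lines; anything else (blank lines, AAAA, MX) is skipped.
function parseHostOutput(text) {
  const out = [];
  for (const line of text.split('\n')) {
    const m = /^\s*(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})\s*$/.exec(line);
    if (m) out.push({ domain: m[1].toLowerCase(), ip: m[2] });
  }
  return out;
}

function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(n => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function intToIp(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Network prefix of an address, e.g. prefixKey('118.193.13.207', 24) -> '118.193.13.0/24'.
function prefixKey(ip, bits) {
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return intToIp((ipToInt(ip) & mask) >>> 0) + '/' + bits;
}

// Group domains by keyFn(ip) and keep only keys seen on more than one distinct domain:
// those are the pivots worth following. Returns { key: [sorted domains] }.
function sharedGroups(records, keyFn) {
  const groups = new Map();
  for (const r of records) {
    const key = keyFn(r.ip);
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(r.domain);
  }
  const shared = {};
  for (const [key, domains] of groups) {
    if (domains.size > 1) shared[key] = [...domains].sort();
  }
  return shared;
}

// Constructed sample: the host records from this post, plus 33u5oo.net from the curl output.
const SAMPLE_HOST_OUTPUT = `
epu1nt.net has address 51.254.244.153
epu1nt.net has address 83.167.253.210
epjsds.net has address 119.81.153.170
epjsds.net has address 31.170.107.170
epjsds.net has address 31.170.107.167
cvocac.net has address 179.43.147.220
cvocac.net has address 118.193.13.207
cvocac.net has address 118.193.12.134
cvocac.net has address 79.124.13.21
ciouniuns.ru has address 118.193.13.210
cjnisjgfn.ru has address 178.175.140.35
cmosige.ru has address 213.169.148.35
cnvvoisuje.ru has address 85.143.218.145
33u5oo.net has address 51.254.244.153
`;

if (typeof require !== 'undefined' && require.main === module) {
  const recs = parseHostOutput(SAMPLE_HOST_OUTPUT);
  console.log('shared exact IPs:', sharedGroups(recs, ip => ip));
  console.log('shared /24s:', sharedGroups(recs, ip => prefixKey(ip, 24)));
}
```

On this sample the exact-IP pivot links a .net domain from the first post to the one in the curl post, and the /24 pivot additionally ties a .ru domain to a .net one; the same two functions take any width (/16, /22) when the hosting turns out to be spread across a provider's range.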

Re: Redirections to SaveTheChildren.org

Postby Red Dwarf » Thu Dec 24, 2015 5:19 pm

Here is an example of what was used as the redirection to the weight-loss scam:

curl -v 33u5oo.net/
Code: Select all
* Adding handle: conn: 0x2315b90
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x2315b90) send_pipe: 1, recv_pipe: 0
* About to connect() to 33u5oo.net port 80 (#0)
*   Trying 51.254.244.153...
* Connected to 33u5oo.net (51.254.244.153) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.33.0
> Host: 33u5oo.net
> Accept: */*
>
< HTTP/1.1 302 Found
* Server nginx is not blacklisted
< Server: nginx
< Date: Thu, 24 Dec 2015 13:22:02 GMT
< Content-Type: text/html
< Content-Length: 48
< Connection: keep-alive
< X-Powered-By: ARR/2.5(afa142edf)
< Set-Cookie: AFFID=370969; expires=Sat, 23-Jan-2016 13:22:02 GMT; path=/; domain=.33u5oo.net
< Set-Cookie: SID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.33u5oo.net
< Location: http://113-health.33u5oo.net/garcinia-cambogia/
<
http://113-health.33u5oo.net/garcinia-cambogia/
* Connection #0 to host 33u5oo.net left intact

Re: Redirections to SaveTheChildren.org

Postby Red Dwarf » Sun Jan 10, 2016 4:28 pm

This puzzle is getting "curiouser and curiouser".

Fresh domains are still being created which redirect to the Savethechildren.org web site. Something is amiss here. Some examples, with creation dates:
Code: Select all
xkrhl.net   Creation Date: 05-jan-2016
aiztc.net   Creation Date: 06-jan-2016
ckbbu.com   Creation Date: 06-jan-2016
etati.net   Creation Date: 06-jan-2016
mjsvna.com   Creation Date: 06-jan-2016
rtkso.com   Creation Date: 06-jan-2016
suyube.com   Creation Date: 06-jan-2016


It is not credible that the weight-loss fraud people are unaware that their domains are being hijacked. So why do they create more?
Is it possible that they have instead hijacked the bank account used for donations?

Re: Redirections to SaveTheChildren.org

Postby AlphaCentauri » Sun Jan 10, 2016 7:03 pm

Some of Save The Children's actions could be considered political. Might this be a politically-motivated joe job?

They recently called for an end to the siege of Madaya, a town in Syria. That particular siege is enforced by Russian-supported Syrian government forces:
http://www.savethechildren.org/site/app ... 85&notoc=1
https://www.amnesty.org/en/latest/news/ ... -in-syria/

(Other civilians in other towns are suffering from sieges enforced by other groups in The War With No Good Guys.)
User avatar
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Redirections to SaveTheChildren.org

Postby Red Dwarf » Tue Jan 12, 2016 5:33 pm

Recent additions to the redirection list:

  Domain          Registrar
  sxngzf.net      HICHINA ZHICHENG TECHNOLOGY LTD.
  tjlbt.net       HICHINA ZHICHENG TECHNOLOGY LTD.
  utzsby.net      HICHINA ZHICHENG TECHNOLOGY LTD.
  xveik.net       HICHINA ZHICHENG TECHNOLOGY LTD.
  yaluk.net       HICHINA ZHICHENG TECHNOLOGY LTD.
  ygzcv.net       HICHINA ZHICHENG TECHNOLOGY LTD.
  ykxdjf.net      HICHINA ZHICHENG TECHNOLOGY LTD.
  ylush.net       HICHINA ZHICHENG TECHNOLOGY LTD.
  ymhbl.net       HICHINA ZHICHENG TECHNOLOGY LTD.
  zccebe.net      HICHINA ZHICHENG TECHNOLOGY LTD.
  zlbrsd.net      HICHINA ZHICHENG TECHNOLOGY LTD.
  zxgaie.net      HICHINA ZHICHENG TECHNOLOGY LTD.
  vafhme.net      INTERNET DOMAIN SERVICE BS CORP
  tpxla.com       JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD
  xkmrac.com      JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD
  smosiecse.ru    NAUNET-RU
  sngosiiec.ru    NAUNET-RU
  tgngasec.ru     NAUNET-RU
  vkjjmu.com      PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
* suyube.com      REGTIME LTD.
* xkrhl.net       REGTIME LTD.
* xucme.net       REGTIME LTD.
  vevxzm.com      TURNCOMMERCE, INC. DBA NAMEBRIGHT.COM
  szabcl.com      XIAMEN NAWANG TECHNOLOGY CO., LTD
  yurxpx.com      XIAMEN NAWANG TECHNOLOGY CO., LTD
  zylcm.net       ZHENGZHOU ZITIAN NETWORK TECHNOLOGY CO., LTD.

Re: Redirections to SaveTheChildren.org

Postby Red Dwarf » Tue Jan 12, 2016 5:36 pm

Save The Children were unaware of this, until notified this week:

twitter wrote:@SavetheChildren is your donation system hacked or hijacked? Who benefits from this? http://bit.ly/22U9f57

Save the Children US wrote:Save the Children US (Verified account) @SavetheChildren
This is the first I've seen of this. Thanks for sharing. I will share with our web development team. Best.

Re: Redirections to SaveTheChildren.org

Postby Red Dwarf » Fri Jan 15, 2016 3:38 am

For the past few hours:

Save the Children front page wrote:This web site is currently undergoing planned maintenance for system upgrades and enhancements.
Normal service will be restored by 4:00 A.M. EST January 15th, 2015 or 12:00 A.M. PST on January 15th, 2015.
We apologize for this inconvenience and look forward to your return visit.

Re: Redirections to SaveTheChildren.org

Postby Red Dwarf » Fri Jan 15, 2016 6:23 am

The site is up and running again.
It is taking redirections, and presumably taking charitable donations.

