trobbins wrote:Do you believe the servers are abandoned, and/or possibly on shared hosting?
trobbins wrote:If the IP of a spammed link goes to a shared hosting company, maybe contacting that company can get the machine shut down or at least fixed.
trobbins wrote:EDIT: I guess if I had read your other posts, my response would have been answered.
to: [site owner], [hosting company abuse email]
Your web server has been hacked by EvaPharmacy [ip.add.re.ss]
The subject says it all.
I've been investigating a Russian rogue online pharmacy group known as EvaPharmacy since 2005.
EvaPharmacy host all of their illicit rogue pharmacy websites on other people's servers, like yours, by performing scans and attempting to find servers with very weak Root passwords. A server you control - at IP address ip.add.re.ss - is now under their control. I know this because your IP address shows up when I perform a "dig" command on a recently spammed domain of theirs.
; <<>> DiG 9.8.3-P1 <<>> roguedomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9530
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;roguedomain.com. IN A
;; ANSWER SECTION:
roguedomain.com. 600 IN A ip.add.re.ss
;; AUTHORITY SECTION:
roguedomain.com. 600 IN NS ns1.roguedomain.com.
roguedomain.com. 600 IN NS ns2.roguedomain.com.
;; ADDITIONAL SECTION:
ns1.roguedomain.com. 172800 IN A other.ip.add.ress
ns2.roguedomain.com. 172800 IN A other.ip.add.ress
How can you tell your server has been taken over?
Using SSH, run the following command:
ps w | grep tirqd
If infected, you will be shown at least one running instance of the binary program "tirqd", which is EvaPharmacy's web-mirroring and DNS software.
You may also notice that one or all of the following commands are now missing from your server, as they usually remove them when they take your server over:
Your server is now being used to host at least one domain for a rogue pharmacy website. The one I was sent (via spam) today was "roguedomain [dot] com".
This server needs to be taken offline and repaired, and obviously the root password needs to be changed, but as mentioned you may not be able to do that.
This is obviously a criminal act. I thought you should be aware.
National Computer network Emergency Response technical Team/Coordination Center of China
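The triage described in the email above, as an added example that is not part of the original post: parse the dig output to pull out the web-host address(es) and nameserver glue addresses that need reporting, and check `ps w` output for tirqd without the usual false hit from the grep process itself. The domain names and addresses in the sample are constructed (RFC 5737 documentation ranges), not real indicators.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the dig output quoted above (RFC 5737 addresses).
SAMPLE_DIG = """\
;; QUESTION SECTION:
;roguedomain.com.\t\tIN\tA
;; ANSWER SECTION:
roguedomain.com.\t600\tIN\tA\t192.0.2.10
;; AUTHORITY SECTION:
roguedomain.com.\t600\tIN\tNS\tns1.roguedomain.com.
roguedomain.com.\t600\tIN\tNS\tns2.roguedomain.com.
;; ADDITIONAL SECTION:
ns1.roguedomain.com.\t172800\tIN\tA\t198.51.100.7
ns2.roguedomain.com.\t172800\tIN\tA\t198.51.100.8
"""

Record = Tuple[str, int, str, str]  # (owner, ttl, rrtype, rdata)

def parse_dig(text: str) -> Dict[str, List[Record]]:
    """Group the resource records of dig output by section name."""
    sections: Dict[str, List[Record]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and not line.startswith(";") and current:
            # Skips ';;' comment lines and the ';'-prefixed question line.
            owner, ttl, _cls, rrtype, rdata = line.split(None, 4)
            sections[current].append((owner, int(ttl), rrtype, rdata))
    return sections

def report_targets(text: str) -> Dict[str, List[str]]:
    """IPv4 addresses to report: the host(s) the spammed name resolves to,
    plus the glue addresses of its nameservers (also on compromised hosts)."""
    s = parse_dig(text)
    return {
        "web": [r[3] for r in s.get("ANSWER", []) if r[2] == "A"],
        "ns": [r[3] for r in s.get("ADDITIONAL", []) if r[2] == "A"],
    }

def tirqd_pids(ps_text: str) -> List[int]:
    """PIDs of tirqd in 'ps w' output, ignoring the grep that would match itself."""
    pids = []
    for line in ps_text.splitlines()[1:]:   # skip the header row
        parts = line.split(None, 4)          # PID TTY STAT TIME COMMAND
        if len(parts) == 5 and "tirqd" in parts[4] and not parts[4].startswith("grep"):
            pids.append(int(parts[0]))
    return pids
```

An empty result from tirqd_pids on a host you still suspect is not a clean bill of health; it only means the binary was not running under that name at that moment.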
Red Dwarf wrote:For a) and c)
After supplying convincing evidence of criminal abuse, the terminology is usually a request to "null route or blackhole" the IP address
spamislame wrote:Red Dwarf wrote:For b)
I presume you have addressed a similar "null route or black-hole" request to Sloane Park Property Trust in Prague
No. How would I have found that out?! How do I tell them I found the relationship between Pavel Suk and their company?
inetnum: 188.8.131.52 - 184.108.40.206
descr: V - data s.r.o., Vysoke Myto
status: ASSIGNED PA
source: RIPE # Filtered
person: Pavel Suk
address: V - data s.r.o.
address: Fugnerova 4
address: Vysoke Myto
address: Czech Republic
phone: +420 465 421 760
% Information related to '220.127.116.11/17AS29113'
descr: Sloane Park Property Trust, a.s.
Slunecni namesti 2588/14
Prague, 158 00
Founded in 1998
Phone: 420 2 4241 5111
Fax: 420 2 4241 5555
name: Lubomír Otec
address: Lužná 2/716
address: Praha 6 - Vokovice
created: 29.06.2004 16:15:00
etc.

SLOANE PARK Property Trust, a.s. provides wholesale telecommunications services to operators in the Czech Republic and internationally. The company operates optical fiber cables that use DWDM, CWDM, GE, and SDH technologies to provide services, such as IP connectivity;