Compromised hosts

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.

Re: Compromised hosting service freekii.com

Postby Red Dwarf » Fri Feb 04, 2011 5:50 pm

Those have dried up, not surprisingly. A zero conversion rate :-)

The latest run has this sort of URL

freekii.com is registered through eNom's reseller Namecheap.com and has contact details at http://ads.freekii.com/contact_us.htm

These redirect to a URL shortening service, eg

The shortening service then redirects to the targets, eg
    wygyzacajy.healthdrugpharmacy.ru [Online Pharmacy]
    tezuhezyse.healthdrugpharmacy.ru
    zupexewusa.healthdrugpharmacy.ru
    cuwebylyva.healthdrugpharmacy.ru

The target uses selective IP blocking and is registered at NAUNET-REG-RIPN. It uses 2 Russian name servers from the same registrar, ns1.lavinasrs.ru. and ns2.gioserves.ru. It is hosted in China on a China Telecom IP.

Re: Compromised hosts

Postby AlphaCentauri » Sun Feb 06, 2011 10:57 am

Red Dwarf wrote:
    Redirection meta HTTP-EQUIV="REFRESH" content="0; url=http://lentdoctor.com"
    Pharmacy Express

They aren't even bothering with the redirection links. And lentdoctor.com is still alive and still hosted by eNom. LegitScript lists it as "Rogue," which is supposedly what they look at while they ignore our reports.

Of course, the one alternative to concluding that eNom is firmly in the pocket of organized criminals is that they are holding back at the behest of law enforcement agencies who have a very active investigation going on. Since Pharmacy Express is a Leo Kuvayev brand, and since Leo's in jail but has family and friends in the US and Canada, this is not so far fetched.

Re: Compromised hosts

Postby Red Dwarf » Fri Feb 11, 2011 10:33 pm

Spammed in the last hour

Redirection to Pharmacy Express using
    meta HTTP-EQUIV="REFRESH" content="0; url=http://lentdoctor.com"

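A defender-side check for the redirector pages described in this thread (a zero-delay meta refresh planted on a compromised host, chained through a shortener to the pharmacy site), as an added Python example that is not part of the original posts; the hostnames ending in .example and the fake_fetch map are constructed stand-ins for real fetches.

```python
import re
from html.parser import HTMLParser

class MetaRefreshFinder(HTMLParser):
    """Collect (delay, url) pairs from <meta http-equiv="refresh"> tags."""
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser hands us lowercased tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # "0; url=http://..." also appears as "0;URL='http://...'": match both, case-insensitively
        m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s>]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append((int(m.group(1)), m.group(2)))

def find_meta_refresh(html):
    """Return every meta refresh target in an HTML document as [(delay_seconds, url), ...]."""
    p = MetaRefreshFinder()
    p.feed(html)
    return p.targets

def follow_chain(start, fetch, max_hops=5):
    """Walk HTTP Location headers and zero-delay meta refreshes from `start`; fetch(url)
    returns (location_header_or_None, body). The hop cap and visited check end loops."""
    hops, url = [start], start
    for _ in range(max_hops):
        location, body = fetch(url)
        nxt = location or next((u for d, u in find_meta_refresh(body) if d == 0), None)
        if nxt is None or nxt in hops:
            break
        hops.append(nxt)
        url = nxt
    return hops

# Constructed offline stand-in for fetching (hosts ending in .example are placeholders);
# it mirrors the chain the thread describes: compromised host -> shortener -> pharmacy site.
PAGES = {
    "http://compromised-host.example/zaoviva.html": (None,
        '<html><head><META HTTP-EQUIV="REFRESH" content="0; url=http://lentdoctor.com"></head></html>'),
    "http://compromised-host.example/mii/9b.html": (None,
        "<meta http-equiv=refresh content=\"0;URL='http://short.example/623c07'\">"),
    "http://short.example/623c07": ("http://wygyzacajy.healthdrugpharmacy.ru/", ""),
}
def fake_fetch(url):
    return PAGES.get(url, (None, ""))  # unknown URL: no redirect, empty body
```

Run find_meta_refresh over the HTML files of a web server you administer to flag pages that exist only to bounce visitors off-site; follow_chain then shows where a flagged page ultimately lands.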

Re: Compromised hosts

Postby Amouse » Sun Feb 20, 2011 6:10 pm

There is a new twist to the php zombie network I am monitoring. The gang is now using the compromised machines to host bank phish web sites.

hXXp://7bazar.com/images/ads_images/just/mind.html > hXXp://www.tabletsfitnesspharmacy.at/ Also hXXp://7bazar.com/images/create.php = mailer & bank phishing. Several tar.gz
hXXp://avtotochka.com.ua/images/mail/tr ... cribe.html More bank stuff hXXp://avtotochka.com.ua/images/coco.tar.gz + others
hXXp://chinphone.linhow.com.tw/images/i ... /step.html Mailer mail11.php cmd11.php <HalT lnf.zip = bank stuff