Blog for hpHosts, and whatever else I feel like writing about ....

Monday 5 April 2010

Crimeware friendly ISPs: Eveloz - A continuation

I said I'd get back to this, and I am (finally). If you read the previous article concerning Eveloz, you'll already be familiar with the back story concerning them, so lets continue.

I've been monitoring Eveloz for quite some time now, as they've seemingly decided to be rather open about their provision of a haven for criminals, and things haven't stopped, changed or errr, well gotten anything but worse really.

The latest domain to surface on their network, is longsignups.net, which is serving as a middle man, for the fake AV crowd. The domains registrar (Alantron BLTD, alantron.com) apparently doesn't want anyone accessing their WhoIs from anywhere except their own site, so although likely faked, the owner is listed as;

Domain name : longsignups.net
Administrator Contact: hidden
Technical Contact: hidden
Billing Contact : hidden
Creation date : 2010-01-08
Expiration date : 2011-01-08
Name Server : ns1.everydns.net
Name Server : ns2.everydns.net
Name : Alexander Kupalo
Address : ul.3-Proletarskaya d.201 kv.1 Slavyansk-na-Kubani Krasnodarskiy krai
Address : Russia 353560
Phone : +7.8612752650
Fax : +7.8612752650
Email : ion@fastermail.ru
Creation Date : 2010-01-08


Not surprisingly, "Alexander Kupalo" is tied to other domains, and other scams.

The domain is residing at 200.63.46.130, which you'll remember, also housed previous MITMs, such as;

protectcareone.net
roomafterhide.net
safetytripstyle.net
gosafezone.net

And yes, these are still active (the only one not actually redirecting at the time of writing, is roomafterhide.net, it is still resolving to the same IP however). At the time of writing, the redirection locations for the domains are;

URL: http://safetytripstyle.net/redirect/

-> http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
--> http://anticrimeware.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:48 GMT
Server: Apache/2
Location: http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:12:53 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
location: http://anticrimeware.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D

HTTP/1.1 200 OK
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:12:53 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=74f4f86f3a65002399a5209d5f483c39; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache


--------------------------------------------------------------------------------

URL: http://safetytripstyle.net/redirect2/
Can we have the URLs?:

-> http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
--> http://insight-scanner7.com/content1/axxt/ckmrtmtoou/ramxirviit.html


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:48 GMT
Server: Apache/2
Location: http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:05:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: go=1; expires=Wed, 07-Apr-2010 02:05:54 GMT
Location: http://insight-scanner7.com/content1/axxt/ckmrtmtoou/ramxirviit.html
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:05:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://safetytripstyle.net/redirect3/
Can we have the URLs?:

-> http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
--> http://1b5f.win-protectionb1.com/a369e336b321/?gtyh=aXA9MjA0LjEwLjk5LSU1MXAwZD0yODMmdGltZT0xMjdpNjY2MjU0


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:50 GMT
Server: Apache/2
Location: http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:05:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: red=1; expires=Wed, 07-Apr-2010 02:05:55 GMT
Location: http://1b5f.win-protectionb1.com/a369e336b321/?gtyh=aXA9MjA0LjEwLjk5LSU1MXAwZD0yODMmdGltZT0xMjdpNjY2MjU0
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:05:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://safetytripstyle.net/redirect4/
Can we have the URLs?:

-> http://188.124.5.138/main.php?land=20&affid=92800


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:51 GMT
Server: Apache/2
Location: http://188.124.5.138/main.php?land=20&affid=92800
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=ipamn9au3vavq8lqehaj208du0; path=/
Set-Cookie: mc=92800; expires=Tue, 06-Apr-2010 02:15:56 GMT
Set-Cookie: sts=92800%7C9%7C928%7C00%7C1%7CUS%7C1%7C6%7C8%7C1%7C194%7C0%7C1%7C%7C
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, must-revalidate
Content-type: text/html
Connection: close
Date: Tue, 06 Apr 2010 02:05:56 GMT
Server: lighttpd/1.4.22


--------------------------------------------------------------------------------

URL: http://protectcareone.net/redirect/
Can we have the URLs?:

-> http://goscandate.com/?uid=13400
--> http://anticrimeware.jewil.info/?uid=13400


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:52 GMT
Server: Apache/2
Location: http://goscandate.com/?uid=13400
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:12:57 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
location: http://anticrimeware.jewil.info/?uid=13400

HTTP/1.1 404 Not Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:12:57 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=0f7d0f114022917400c4fe83990de05c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache


--------------------------------------------------------------------------------

URL: http://protectcareone.net/redirect2/
Can we have the URLs?:

-> http://getamazondiscount.com/go.php?id=2004&key=ff0057594&d=1


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:52 GMT
Server: Apache/2
Location: http://getamazondiscount.com/go.php?id=2004&key=ff0057594&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 404 Not Found
Date: Tue, 06 Apr 2010 02:05:57 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1


--------------------------------------------------------------------------------

URL: http://protectcareone.net/redirect3/
Can we have the URLs?:

-> http://vimeotheroad.com/?pid=283s01&sid=2a15a0
--> http://db6cf0.win-protectionb1.com/a17af011/?gtyh=aXA9MjA0LjE%3DLTkyLjU1MXAwZD0yODNzMSZ0aW1lPTEyN2k1Jjk4NjA0


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:53 GMT
Server: Apache/2
Location: http://vimeotheroad.com/?pid=283s01&sid=2a15a0
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:05:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: red=1; expires=Wed, 07-Apr-2010 02:05:57 GMT
Location: http://db6cf0.win-protectionb1.com/a17af011/?gtyh=aXA9MjA0LjE%3DLTkyLjU1MXAwZD0yODNzMSZ0aW1lPTEyN2k1Jjk4NjA0
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:05:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://protectcareone.net/redirect4/
Can we have the URLs?:

-> http://188.124.5.138/main.php?land=20&affid=92800

HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:53 GMT
Server: Apache/2
Location: http://188.124.5.138/main.php?land=20&affid=92800
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=gjlcg9vk43kmpgu0glsnc7fum6; path=/
Set-Cookie: mc=92800; expires=Tue, 06-Apr-2010 02:15:58 GMT
Set-Cookie: sts=92800%7C9%7C928%7C00%7C1%7CUS%7C1%7C6%7C8%7C1%7C194%7C0%7C1%7C%7C
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, must-revalidate
Content-type: text/html
Connection: close
Date: Tue, 06 Apr 2010 02:05:58 GMT
Server: lighttpd/1.4.22


--------------------------------------------------------------------------------

URL: http://roomafterhide.net/redirect/
Can we have the URLs?:

[NO REDIRECTION]


HTTP/1.1 404 Not Found
Date: Mon, 05 Apr 2010 19:08:24 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1


--------------------------------------------------------------------------------

URL: http://roomafterhide.net/redirect2/
Can we have the URLs?:

[NO REDIRECTION]


HTTP/1.1 404 Not Found
Date: Mon, 05 Apr 2010 19:08:24 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1


--------------------------------------------------------------------------------

URL: http://roomafterhide.net/redirect3/
Can we have the URLs?:

[NO REDIRECTION]


HTTP/1.1 404 Not Found
Date: Mon, 05 Apr 2010 19:08:24 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1


--------------------------------------------------------------------------------

URL: http://roomafterhide.net/redirect4/
Can we have the URLs?:

[NO REDIRECTION]


HTTP/1.1 404 Not Found
Date: Mon, 05 Apr 2010 19:08:24 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1

--------------------------------------------------------------------------------

URL: http://longsignups.net/redirect/
Can we have the URLs?:

-gt; http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
--gt; http://anticrimeware.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:56 GMT
Server: Apache/2
Location: http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:13:01 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
location: http://anticrimeware.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D

HTTP/1.1 200 OK
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:13:01 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=257e774dbc872bc7e3c105778204b312; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache


--------------------------------------------------------------------------------

URL: http://longsignups.net/redirect2/
Can we have the URLs?:

-gt; http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
--gt; http://insight-scanner7.com/content1/axxt/ckmrtmtoou/ramxirvior.html


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:56 GMT
Server: Apache/2
Location: http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:06:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: go=1; expires=Wed, 07-Apr-2010 02:06:01 GMT
Location: http://insight-scanner7.com/content1/axxt/ckmrtmtoou/ramxirvior.html
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:06:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://longsignups.net/redirect3/
Can we have the URLs?:

-gt; http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
--gt; http://e1219d2.win-protectionb1.com/a874059bb71/?gtyh=aXA9MjA0LjEwLjk5LSU1MXAwZD0yODMmdGltZT0xMjdpNjYyMjY0


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:57 GMT
Server: Apache/2
Location: http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:06:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: red=1; expires=Wed, 07-Apr-2010 02:06:02 GMT
Location: http://e1219d2.win-protectionb1.com/a874059bb71/?gtyh=aXA9MjA0LjEwLjk5LSU1MXAwZD0yODMmdGltZT0xMjdpNjYyMjY0
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:06:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://longsignups.net/redirect4/
Can we have the URLs?:

-gt; http://188.124.5.138/main.php?land=20&affid=92800


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:58 GMT
Server: Apache/2
Location: http://188.124.5.138/main.php?land=20&affid=92800
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=jbkjdcviqd77upb10tsvdekkp6; path=/
Set-Cookie: mc=92800; expires=Tue, 06-Apr-2010 02:16:03 GMT
Set-Cookie: sts=92800%7C9%7C928%7C00%7C1%7CUS%7C1%7C6%7C8%7C1%7C194%7C0%7C1%7C%7C
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, must-revalidate
Content-type: text/html
Connection: close
Date: Tue, 06 Apr 2010 02:06:03 GMT
Server: lighttpd/1.4.22

--------------------------------------------------------------------------------

URL: http://gosafezone.net/redirect/
Can we have the URLs?:

-gt; http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
--gt; http://safety.com.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 20:23:09 GMT
Server: Apache/2
Location: http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 05:33:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
location: http://safety.com.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D

HTTP/1.1 200 OK
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 05:33:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=34940ba021b2c4b01d0eabf4ac403e91; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache


--------------------------------------------------------------------------------

URL: http://gosafezone.net/redirect2/
Can we have the URLs?:

-gt; http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
--gt; http://insight-scanner8.com/content1/axxt/ckmrtmtoou/ramxiatumt.html


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 20:23:09 GMT
Server: Apache/2
Location: http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 03:26:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: go=1; expires=Wed, 07-Apr-2010 03:26:14 GMT
Location: http://insight-scanner8.com/content1/axxt/ckmrtmtoou/ramxiatumt.html
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 03:26:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://gosafezone.net/redirect3/
Can we have the URLs?:

-gt; http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
--gt; http://ed9c.win-protectiont1.com/a48d5651/?gtyh=aXA9MjA0LjEwLjk0LSM1MnAwZD0yODMmdGltZT0xMjdpNjY2Mjc0


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 20:23:11 GMT
Server: Apache/2
Location: http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 03:26:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: red=1; expires=Wed, 07-Apr-2010 03:26:16 GMT
Location: http://ed9c.win-protectiont1.com/a48d5651/?gtyh=aXA9MjA0LjEwLjk0LSM1MnAwZD0yODMmdGltZT0xMjdpNjY2Mjc0
Connection: close
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 03:26:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html


--------------------------------------------------------------------------------

URL: http://gosafezone.net/redirect4/
Can we have the URLs?:

-gt; http://188.124.5.138/main.php?land=20&affid=92800


HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 20:23:12 GMT
Server: Apache/2
Location: http://188.124.5.138/main.php?land=20&affid=92800
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=sh0bcvrotsdvbl6ucjucud15p4; path=/
Set-Cookie: mc=92800; expires=Tue, 06-Apr-2010 03:36:17 GMT
Set-Cookie: sts=92800%7C9%7C928%7C00%7C1%7CUS%7C1%7C6%7C8%7C1%7C194%7C0%7C1%7C%7C
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, must-revalidate
Content-type: text/html
Connection: close
Date: Tue, 06 Apr 2010 03:26:17 GMT
Server: lighttpd/1.4.22


Looking over this /24, there appears to be only 1 IP (200.63.46.108) that's actually housing legit websites. The rest are either malware related or phishing related. One rather interesting phishing domain is beverified.org, which claims to, well let's see what they say shall we;

"Beverified.org is the premier free age verification service used by safe adults in the area"

Age verification? Really? How is this done then? Well actually it isn't (as if you were surprised). All it actually does, is submit your information to;

https://securejoinsite.com/join.php

Note: Accessing join.php directly results in an error stating invalid input parameters. You can view what it actually contains using the following URL;

http://securejoinsite.com/join.php?act=el3122.&siteid=elx_fbook&tnum=839&iframe=y


A site with no homepage, and registered to a company that evidently can't decide where they are (address is Cyprus, but telephone number has a +44 (UK) dialing code).

Registration Service Provided By: NEOTIKA CAPITAL LTD
Contact: +44.2076917819

Domain Name: SECUREJOINSITE.COM

Registrant:
Neotika Capital Ltd
Constantinos Ellinas (legal@neotikacapitalltd.com)
Flat/Office 2, 8 Georgiou Seferi
Nicosia
Nicosia,1076
CY
Tel. +044.2076917819

Creation Date: 05-May-2009
Expiration Date: 05-May-2011

Domain servers in listed order:
dns2.allnetservers.net
dns1.allnetservers.net


dns2.allnetservers.net resides at 208.94.64.126 (AS36529 208.94.64.0/24 RACKCO). RACKCO also has several other /24's and based on the sites hosted there, all of them need blackholed.

A little further digging, showed a plethora of similar phishing sites housed at;

209.44.111.0/24 - AS10929 Netelligent
69.60.198.0/24 - AS11696 Simlab Bell Atlantic Global Networks Madison, NJ
206.223.183.0/24 - AS21949 BEANFIELD-AS Beanfield Technologies inc. 77 Mowat Ave. Toronto, ON M6K3E3
64.38.198.0/24 - AS19181 CWIE Cavecreek Wholesale Internet Exchange, LLC
64.154.5.0/24 - AS19181 CWIE Cavecreek Wholesale Internet Exchange, LLC

Getting back to Eveloz however, I've tried numerous times to reach both themselves, and their upstreams, and to date, no response has been received, so personally, I'm still recommending they be blackholed.

References:

Crimeware friendly ISP's: Eveloz (AS27716, 200.63.40.0/21, 200.63.48.0/23, 190.5.224.0/22)
http://hphosts.blogspot.com/2009/12/crimeware-friendly-isps-eveloz-as27716.html

2 comments:

John Biddleston said...

Hi.

I cant seem to stop my business getting spammed from autogenerated Hotmail accounts linking to the WHOIS below.

Not sure how to report or stop this.

There seems to be no way from my email junk filters to parse these autogenerated accounts, and they contain only gibberish and a link to forwarding sites to really shit porn sites. How do i report or stop this???

Best regards,
John


Whois lookup for xxxdatebook.com:
Registration Service Provided By: NEOTIKA CAPITAL LTD
Contact: +44.2076917819 begin_of_the_skype_highlighting +44.2076917819 end_of_the_skype_highlighting

Domain Name: XXXDATEBOOK.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676 begin_of_the_skype_highlighting +45.36946676 end_of_the_skype_highlighting

Creation Date: 17-Feb-2010
Expiration Date: 17-Feb-2011

Domain servers in listed order:
dns2.allnetservers.net
dns1.allnetservers.net


Administrative Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676 begin_of_the_skype_highlighting +45.36946676 end_of_the_skype_highlighting

Technical Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676 begin_of_the_skype_highlighting +45.36946676 end_of_the_skype_highlighting

Billing Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676 begin_of_the_skype_highlighting +45.36946676 end_of_the_skype_highlighting

Status:LOCKED

MysteryFCM said...

Please feel free to forward them to me (please ensure you include the original e-mail headers);

spam@it-mate.co.uk