Trojan dropping from Inhoster
I started out reporting a comment spammer to Intercage. He was spamming from 216.255.190.66.
The spam contained a URL at mytcentral.com, which is at 216.255.185.10.
I checked the URL in my browser, and my anti-virus woke up and nuked a trojan.
So I checked some more. Can’t say for sure I found the infectious stuff, but here’s what I think I found:
There was an advertising banner at se-v.com (69.50.177.38), which among other things, produced an iframe of one pixel width and height. That one was on
ps500.com (85.255.116.246)
From then on, I found a string of 302 redirects on the same domain: 24hwebsex.com (85.255.116.246), ending up at a very risky looking (nb, I’ve munged it to avoid accidental infections):
http://24hwebsex.com*/demo.php
I tried that URL directly anyway, and got this (blank) URL in return:
http://www.24hwebsex.com*/cgi-bin/ie0606.cgi?type=MS06-006
When I try that with a text browser and redact the type, I get this (munged, both code and some detail):
Web-Attacker Control panel
Your IP is: (munged)
Your Browser is: Firefox 1.5.0.6
Your Operation System is: Windows XP
Current Date and Time: 31-Aug-2006 12:8
Please enter the password to access the statistics
FORM action - http://24hwebsex.com*/cgi-bin/ie0606.cgi
INPUT type "password" name "password"
INPUT type "submit" value "Enter"
I found mention of this software at the Bleedingedge forums.
And it might be the same software Sophos wrote about in March. Wikipedia entry.
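The path above (a 1x1 iframe in a banner, then a string of 302s, then a landing page) is the pattern a defender wants to trace without letting a browser render any of it. Below is an added example, not code from the original post: an offline Python tracer that flags hidden iframes in a page and follows Location headers hop by hop, stopping on loops, dead ends and a hop limit. The domains (banner.example, dropper.example, loop.example) and the response table are constructed for the example; the fetcher is a stub over that table, so nothing touches the network. To use it against a real page you would swap in a fetcher that does HEAD/GET with redirects disabled and returns the same (status, headers, body) tuple.

```python
"""Added example (not from the original post): an offline, non-rendering tracer
for a hidden-iframe -> 302-chain -> landing-page path.  All domains below are
constructed; the fetcher is a stub over a dict, so nothing goes on the wire."""
from html.parser import HTMLParser
from urllib.parse import urljoin


def _px(value):
    """Parse a width/height attribute such as "1", "1px" or "0"; None if absent."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


class HiddenIframeFinder(HTMLParser):
    """Collects the src of iframes that are 1px or smaller, or hidden by inline style."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = a.get("style", "").replace(" ", "").lower()
        tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
        styled_away = "display:none" in style or "visibility:hidden" in style
        if tiny or styled_away:
            self.hits.append(a.get("src", ""))


def find_hidden_iframes(html):
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.hits


# Constructed responses standing in for HTTP: url -> (status, headers, body).
RESPONSES = {
    "http://banner.example/ad.html": (200, {"Content-Type": "text/html"},
        '<html><body><img src="ad.gif">'
        '<iframe src="http://dropper.example/" width="1" height="1"></iframe>'
        '</body></html>'),
    "http://dropper.example/": (302, {"Location": "/step1"}, ""),
    "http://dropper.example/step1": (302, {"Location": "http://www.dropper.example/demo.php"}, ""),
    "http://www.dropper.example/demo.php": (200, {"Content-Type": "text/html"}, ""),
    "http://loop.example/a": (302, {"Location": "/b"}, ""),
    "http://loop.example/b": (302, {"Location": "/a"}, ""),
}


def fetch_constructed(url):
    """Stub fetcher; None for an unknown URL plays the role of a failed connection."""
    return RESPONSES.get(url)


def follow_chain(url, fetch, max_hops=10):
    """Follow 3xx Location headers without rendering anything.
    Returns (hops, reason): hops is a list of (url, status); reason is one of
    'final', 'loop', 'max_hops', 'unreachable'."""
    hops, seen = [], set()
    while True:
        if url in seen:
            return hops, "loop"
        if len(hops) >= max_hops:
            return hops, "max_hops"
        seen.add(url)
        resp = fetch(url)
        if resp is None:
            hops.append((url, None))
            return hops, "unreachable"
        status, headers, _ = resp
        hops.append((url, status))
        location = headers.get("Location") if 300 <= status < 400 else None
        if not location:
            return hops, "final"
        url = urljoin(url, location)  # Location may be relative, as in the sample


def trace_page(url, fetch):
    """Fetch one page, find its hidden iframes, follow each one's redirect chain."""
    resp = fetch(url)
    if resp is None:
        return {}
    _, _, body = resp
    return {src: follow_chain(urljoin(url, src), fetch) for src in find_hidden_iframes(body)}


if __name__ == "__main__":
    for src, (hops, reason) in trace_page("http://banner.example/ad.html", fetch_constructed).items():
        print("hidden iframe ->", src)
        for hop_url, status in hops:
            print("   ", status, hop_url)
        print("    stopped:", reason)
```

The chain is followed by header only, so no script or exploit page is ever parsed as active content; the loop and hop-limit checks matter because redirect kits commonly bounce between hosts indefinitely for anything that is not a target browser.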
——————
Whois:
08/31/06 12:22:27 whois mytcentral.com
Registration Service Provided By: ESTDOMAINS INC
Registrant:
none
Serg (serg78@pisem.net)
Lesnay 1-54
Pushkino
msk,687120
RU
Tel. +321.96478521
Creation Date: 21-Feb-2006
Expiration Date: 21-Feb-2007
Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com
08/31/06 12:23:09 whois se-v.com
whois -h whois.estdomains.com se-v.com …
Registration Service Provided By: ANUNAH LLC
Registrant:
N/A
Abdula Khaled-Mamed Dzibah (glac@crybits.com)
Shaytanhasy Obdukurlasy 2
Islamabad
Islamabad,54000
PK
Tel. +763.2784936
Creation Date: 17-Mar-2006
Expiration Date: 17-Mar-2007
Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com
08/31/06 12:21:21 whois ps500.com
Registration Service Provided By: ESTDOMAINS INC
Registrant:
none
Alex Zudov (work@vnukovo.net)
Uralskay 14
Zarechensk
Msk,095437
RU
Tel. +78.63798524
Creation Date: 03-Aug-2006
Expiration Date: 03-Aug-2007
Domain servers in listed order:
ns1.dns-parking.com
ns2.dns-parking.com
08/31/06 12:20:46 whois 24hwebsex.com
Registration Service Provided By: ESTDOMAINS INC
Registrant:
n/a
Alex Ferietko (websex24hour@yahoo.com)
Hrushevsky str 16, ap 26
Ivano-Frankivs
Ivano-Frankivs’ka Oblast’,252033
UA
Tel. +38.0342225216
Creation Date: 16-Jul-2006
Expiration Date: 16-Jul-2007
Domain servers in listed order:
ns2.24hwebsex.com
ns1.24hwebsex.com
Update: Check out the Spamhaus record for 85.255.116.246
December 6th, 2006 at 3:03 pm
It would appear that they are still up to their tricks. After they spammed my article system multiple times, I added an anti-robot image script as well as an IP tracer to the person who was posting the comments. As I found out (after I did a trace route), it was these people. This problem has been ongoing for some time now, but at least I know it is a physical person doing this and not a robot.
I have contacted the company and will post my findings here.