Beware of hacked sites

June 30th, 2007

Someone e-mailed me an example of a hacked site (the hack is currently offline, with the hacked version set up on a hidden page for me to check).

Update: Lots of homepages are affected. Check this Google search.

It was the homepage of the company that was hacked, with a few links added at the bottom. In addition to those two visible links, there are some hidden links that are identical to the links you’ll find if you follow the .txt links. The links are only visible if you check the source code, so I believe the txt files are meant as includes in the hacked php file.
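A source-level check for the pattern this post describes (links that only show up in the page source, and .txt resources pulled in as includes), written as an added example that is not part of the original post; the hiding-CSS and obfuscation heuristics and the sample page are my own constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Inline CSS that keeps an element out of the rendered page (assumed heuristics)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0", re.I)
OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")  # obfuscated-JS tells
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link"}  # never closed, so never stacked

class InjectedLinkScanner(HTMLParser):
    # Collects (url, reasons) for links and scripts a visitor would never see rendered
    def __init__(self):
        super().__init__()
        self.findings, self._stack, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_CSS.search(a.get("style") or "")) or "hidden" in a
        if tag not in VOID_TAGS:
            self._stack.append((tag, hidden))  # hidden ancestors hide their children
        if tag == "a" and a.get("href"):
            reasons = ["hidden"] if any(h for _, h in self._stack) else []
            if a["href"].lower().endswith(".txt"):  # .txt file served as an include
                reasons.append("txt-include")
            if reasons:
                self.findings.append((a["href"], reasons))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append(("<inline script>", ["obfuscated-js"]))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
        for i in range(len(self._stack) - 1, -1, -1):  # pop back to the matching open tag
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

def scan(html):
    # Return the suspicious (url, reasons) pairs found in one HTML document
    scanner = InjectedLinkScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample homepage: two links hidden by CSS plus one obfuscated inline script
SAMPLE = """<html><body><h1>Example Co</h1><p>Welcome to our site.</p>
<div style="display:none"><a href="http://example.invalid/scr/18.txt">pills</a></div>
<a style="font-size:0px" href="http://example.invalid/scr/1.txt">more</a><script>
document.write(unescape('%3Cdiv%3E'));</script><a href="/about.html">About</a></body></html>"""
```

Running `scan(SAMPLE)` reports both .txt links as hidden includes and the inline script as obfuscated, while the visible About link passes.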

The first link is: buybeer4me.info/scr/18.txt

It’s got some obfuscated javascript that actually points to the second link:

bestrezult.com/scr/1.txt

The links in that document point to another hacked site:

dinuba.ca.gov/minutes/agendas/.~ss/

When I loaded one of the pages referenced in the spam, I got this. Keep in mind that I had images disabled, so the page might look somewhat …different in reality:

[screenshot: nmextensions]
It’s obviously malicious, and I found a post referring to the site it’s loaded from:

mvsps

Abuse of Myspace HTML

June 25th, 2007

I wondered what the heck this was about. Had myself half convinced it was a Firefox issue, then saw the same behavior in IE. Check out this Myspace profile: April. The only thing on there that points anywhere is the “view” on the extra music player.
The whole profile is obscured by an image from toironorfold.com, which is owned by the band Making April, which also has a Myspace profile. Even the domain name points to the myspace profile. They have an amazing number of friends.

I don’t know what the heck the point is, but I don’t like being played.

Whatever their point is, they’re misusing the system.

Yep, I know I sound like a spoil sport…

Myspace spam profiles

June 9th, 2007

I maintain a “sleeper profile” on myspace for a friend of mine, who’s a guy. It’s not yet in use, except for sending the occasional message.

Today I got a friend request from Edda, who had a gorilla for a profile picture. I checked the profile out, thinking it was legit.

At first it looked unremarkable - she had 16 friends. But then a gif file loaded, saying she’d moved her profile to Adultfriendfinder.

The file was on Photobucket (see here), but was served through a 302 redirect from this domain:

synchrism.info

The image links to that website as well. The domain was registered yesterday, and although it worked a few hours ago, by now it only serves up a socket error. I didn’t have a look at the website when I first found this, and the whois data is protected.

Either way, this is spam, pure and simple.

Tom just announced that they’d employed solutions against the spam on myspace a few days ago, but this might be rather hard to fight against. I’m sure other guys have seen it before, but since I’m female, and that profile is rather hard to find, this was my first time to see the “fake myspace profile”. And get this, she had 17 friends now, so people are unfortunately falling for this.

Well, in case the spammers read this, here’s another report (from Tom), about the legal success Myspace has in fighting spammers.

Winfixer more aggressive?

May 31st, 2007

I went by a website today that had a rather nasty payload. After a search on the site that delivered a search result, the page disappeared and a page from amaena.com loaded instead. I’m always very careful when those appear. I close the windows that pop up (I use Firefox with pop-up protection) with Alt-F4. Even so, the Winfixer exe file started downloading and was caught by my anti-virus.

The ad was delivered by ad2profit.com

I’ve never in the past experienced a forced download of Winfixer, so I’m wondering what’s up?

Addiction wiki spammer

May 22nd, 2007

Someone added a new page to my wiki today. The name of the page was “Alcohol Intervention”. The content of the page seemed perfectly reasonable. If it had been on topic, it would have passed superficial inspection. But the link to the page was added first, and it was added many line breaks below the content on another page. So… the method was suspect from the get-go.

So, here’s someone who made an effort to write a perfectly reasonable page on alcohol addiction, with some credible links at the bottom, mainly to edu and authority sites. Yes, and the spammer’s own domain at the beginning of the article.

But here are some domains associated with this spammer - he’s got links to several at the bottom of the website he spamvertized on my wiki:


All of these appear to have an 800 number as a payoff. I couldn’t figure out how that worked, until I found evidence that they have a treatment center. I suppose if you called for a free consultation, you might get a hard sell for coming to the treatment center.

This one appears to be owned by someone else, and has a different payoff, but has links to the same network of websites. Incidentally, the website is owned by someone with the same last name as a therapist employed by the same center as the other websites, and a press release about said therapist is pointing to this site:
enhancedhealing.com - 72.41.61.196

But the main bulk of websites either have whois protection, or the whois tends to point to this guy:

(Whois of two domains removed. The owner of the domains says he got scammed by someone he paid to submit to article directories. He now says this post comes up as the number one result on Google when searching for his name. If you’re curious, his full name is associated with many of these domains anyway, but let’s just assume he’s learned his lesson, and no need to permanently embarrass him)
Another domain associated with Gerald is kgolf.net. It’s been extensively spamvertized, including one January 2006 sighting, here.
It’s a scraper site with Adsense as payoff. The site is currently owned by Gerald, though I can’t say how long he’s owned it without looking at whois history (anyone?).

And the fact that this is probably a real person is underscored by this press release:

Drug Rehab Launches New Drug and Alcohol Addiction Talk Show

So, who did the spamming? I don’t know. The IP address is from the Philippines: 61.9.75.136. Also associated with this spam: 61.9.75.189 and the username Shamra.

Monitoring your IP space

May 2nd, 2007

I occasionally find ways to monitor IP space for spam, viruses etc. Here’s one such new way to monitor your IP space:

Project Honeypot’s IP space monitoring

You know, I once notified my neighbor that his machine was compromised because of one of those services. Turns out he had a pirated version of Windows (I believe it was Windows 2000?). Because of that he didn’t get updates. Let’s just say that machine was doomed. Format c: /s - or something like that.

Wiki-spam attack from diving-deep

April 28th, 2007

I woke up today to a quite massive attack on my wiki. Large edits to lots of pages. The links spamvertized are all to free forums, misused forums belonging to other people and various other non-hacker exploits.

So far the exploited pages all redirect to one domain:

diving-deep.net
216.255.179.196

That’s in Intercage space - they’ve been notified.

The whois is interesting: it points to Norway. The person is allegedly:

Billy Fulkerson (geojon@care2.com)

And the address and phone number point to the Neptun hotel in Haugesund, Norway. Yep, the address and phone number are legit, but I doubt it has anything to do with the spammer. The registrar is KLIK MEDIA GMBH. Remember them?

The IP numbers used for the spam run are all proxies.

The spammer is affiliate number 35vm5c with evoplus.

—————

Update:

Intercage nullrouted them, and they immediately switched to 85.255.115.213 at inhoster. Intercage is upstream, and immediately nullrouted them again, and now they’re on 212.176.41.8 which I believe is on equant.ru. Unfortunately that website is entirely in Russian, and I have trouble figuring out who to contact. Some help would be appreciated? I sent an e-mail to the contact for the IP numbers. And then I contacted the DNS provider as well. Awaiting reply.

Update May 4:

No response from either the current webhost or the DNS provider. And the spamming has started up again - two new wiki diffs on a wiki I own today.

Project Honey Pot tracking comment spammers

April 24th, 2007

I just got an e-mail from Matthew Prince, the guy spearheading Project Honey Pot. They’ve just started tracking comment spammers. Here’s the announcement:

Project Honey Pot Begins Tracking Comment Spammers 

Looks like they’ve got more up their sleeve. I’ll be checking back tomorrow!

Clueless reply from Myspace about hacking

April 23rd, 2007

I contacted Myspace April 13th with this text:

This guy has fake login code on his profile:
(link to the profile I was talking about)

I’ve contacted him multiple times about it, and he doesn’t care.

Today I got this response from Myspace UK:

Thank you for contacting MySpace Customer Support.

The issue seems to be resolved now. If you are still experiencing difficulties please reply to this e-mail.

Sincerely,

MySpace

I then immediately checked the profile in question. No change. Still got fake logins all over it, so I sent this as a reply:

He’s still got rogue code on his profile. Like I said, he doesn’t care.

My beef right now is with that particular Myspace employee for not even recognizing a profile with fake login code on it.

Hey, maybe *I* should work for them? At least I can recognize bad code when I see it?

BTW, that was his profile I analyzed in the Anatomy of a hacked myspace page post.

Tagged: 5 reasons why I blog

April 21st, 2007

I finally got on Bloglines again, and read IncrediBILL’s blog - which I usually do when I remember to read Bloglines. Anyway, I discovered I’d been tagged a few days ago (why didn’t you e-mail me, Bill? I DO read my e-mail, you know.) I should probably enable my referrer script again, so I don’t have to figure this out long after the fact.

So, why do I blog?

1) When I started blogging, I had planned on writing mostly about theology. That’s my education, and I knew I had something to say. Problem is, in order to constantly have something new to say, it takes a LOT of thinking, so I haven’t blogged about that as much as I did in the beginning. But THAT was what got me started blogging on my old website.
2) Then I found I had something to say about several topics, and found that a blog is an easier way to say it than constantly making new pages on my website. I’ll still make pages for especially interesting topics, but a blog is a more personal medium than a page, and I enjoy the form.
3) Then I woke up to a massive spam run, and got irked enough to write something about it. I realized fairly quickly that I had a natural bent towards finding stuff out in that field, and continued.

4) I enjoy being thought of as an authority on this or that topic. It’s not that I take advantage of every opportunity, but without the spamhuntress blog, I wouldn’t have had the chance to go to Holland last year.

5) I like researching and investigating. That’s the driving force behind what I do. I don’t usually get irked about stuff. One person recently took a look at the spamhuntress blog in my presence and immediately told me that I’m vindictive and negative. I looked dumbfounded before I found my voice and told him that isn’t true. I realized then that I probably need to tell people here: I don’t hate spammers, and I don’t do any of this out of a need for revenge. I actually don’t believe in hate or revenge. I believe it’s something that will damage the holder of the feeling more than the recipient, though it’s certainly not a good thing to be hated or the victim of a vengeful act. My ideal in doing what I do on spamhuntress is to do it objectively, without getting hot under the collar.

Let’s see, who shall I tag?

Richi Jennings - curious about him
Joe - not much from you lately?
Matt Cutts - just because he didn’t do it last time

Can’t think of anyone else right now. I’ll take suggestions for the last two spaces…