InBoxRevenge KS Forum

Today, Eva Pharmacy moved 90% of their thousands of domains onto one IP - 193.105.245.8 managed in Saint Petersburg, Russia, located in the Ukraine.

This is very unusual, most of the time they are spread over 15-20 IPs at a time. When one IP goes down, the failing domains are usually switched to another IP within minutes.

But today has been an exception. For several hours, the address 193.105.245.8 has been failing to respond with web pages for our old favorites. Favorites like

RxExpressOnline
RxMedications
Canadian Health&Care Mall
Canadian Neighbor Pharmacy
My Canadian Pharmacy
Toronto Drug Store
Canadian Family Pharmacy

Whoever is meant to be minding the shop must be distracted by a local sporting event.

Mind you, there are other events creating a distraction in the Ukraine.

That IP address has been switched out, and a new one introduced - 107.6.41.96

The Eva Pharmacy network has about 2,000 domains hosted on this address right now.

It is owned by Peer1.net in the USA

Admin Name: Domain Admin
Admin Organization: PEER 1 NETWORK (USA), INC.
Admin Street: 101 Marietta Street Suite 500
Admin City: Atlanta
Admin State/Province: GA
Admin Postal Code: 30303
Admin Country: US
Admin Phone: +1.6046837747
Admin Fax: +1.6046834634
Admin Email: [email protected]

That IP address didn't last long. Today's basket has one big egg:

72.249.81.218

Name:TierPoint Texas Abuse Department
Email:[email protected]
Phone:214 6303100

I'm actually curious as to why they did this. I think you're right, Ukrainian instability possibly means they now want to cover some tracks in the event of "big changes" in their home environment. But... it's weird timing.

SiL

It's possible there have been changes in management. We didn't hear immediately when Stupin, Gusev or Kuvayev were arrested, though there were changes in how their business was conducted because other people had to take over. I wonder if we'll hear that someone at Eva has been arrested recently.

There are three distinctly different factions in the infrastructure of the Eva family.

1. One uses redirections on EvoPlus and DomainContext to one and one only bullet-proof site (currently newdiscountmedsstore.com on InterNetX). Both these registrars are run by Russians. They are quick to suspend the redirectors.

2. One uses disposable redirection domains on the usual range of registrars to a set of less bullet-proof servers:


3. The third uses domain names that are initially created with google.com as the name servers, then within a week the domain goes live (resolvable) by being switched to other name servers, before being spammed. The domain name is the web site, unlike the previous two cases.

Incidentally, the Peer1 IP address is back in use - 107.6.41.96 (report to [email protected])

The Eva group has their vast family of DNS servers set up to switch the prefered IP address at the flick of a switch.

All Eva name servers are authoritative for practically all of their domains.