InBoxRevenge KS Forum

Hi.

This thread could get depressing, but I thought I'd start it anyway and see what happens.

In the past several years I've been watching what several spammers are doing with regards to the use of hijacked, hacked, exploited or otherwise pwned servers for their own malicious use.

Two things happen when they take over these servers:

• They get free hosting and infrastructure
• They poison the reputation of that domain for a long, long time.

So when I see them - if I have the time - I report them to the site owner and their hosting company.

• Whois the domain - look for non-privatized contact info
• Look at the raw website. If it isn't completely taken over (rare) look for contact info on the site itself.
• Ping the domain to find the ip
• Whois the ip
• report to the hosting company.
• Rinse and repeat

This takes time. I created a tool that's only semi-ready for primetime called the Phishing Reporterator™, and it helps, but it's still quite a bit of manual work to get to that final report, and in most cases it falls on completely deaf ears all around.

So this appears to be the new "bullet-proof" hosting.

I'll itemize several methods these scumbags are routinely using to place each of the following on these hacked hosts, and we can maybe put our heads together regarding how we can effectively and quickly report this activity. I have my doubts lately as to how worthwhile it is because I find a lot of the hosting companies just do not care about this issue, and that's the most depressing part.

Is this of interest to all and sundry?

SiL

P.S. If this is in the wrong place, please feel free (admins) to put it in the right place.

It's of interest to me. I haven't had time to do that sort of thing lately, though. And you're right, it's amazing how little interest most people seem to have. Until their website gets a red donut from WOT, then they're all indignant about it.

So out of these EvaPharmacy hijacked urls from the past day:

http://acmusicdj.com/mentat_pills.html
http://agentu.com/levitra_jelly.html
http://eiteasy.com/veriee.html
http://kedaionline.zxq.net/armour.html
http://pinkiestyle.com/diarex.html
http://romebe.com/glucosamine.html
http://santosfm.com/pristiq.html
http://www.radioventura.com/cytoxan.html

These ones are still active after sending shutdown / cleanup requests:

http://eiteasy.com/veriee.html
http://santosfm.com/pristiq.html
http://www.radioventura.com/cytoxan.html

That's not a bad rate but the problem is how long it takes to get it through their hosting company's head that they're assistint criminals. They just don't see it htat way. They see these sites as nuisances and nothing more. Legall speaking they can't do more than warn the customer, and if they can't reach the customer, it ends there. This is the state of hijacked servers right now.

I have no idea what kind of exploit they're using to get these files onto these servers. They're not running wordpress or joomla, the two most popular ways to do this so far this year. (See: Canadian Pharmacy, doing both to get redirects up.) So I'm guessing it's a fairly old / typical Apache exploit.

Since nobody can be reached at these domains, I'd be intrigued to see how hard it is to get a simple text file on to the same servers.

Redirection targets:
[for eiteasy]
http://rfdy.welnessgentiva.pl/?cid=fld4 [dead]
http://osks.lxic.ru/?cid=fld3
http://yuim.thecareprescription.pl/?cid=fld2

[for santosfm and radioventura]
http://pwdwznib.pl/products/

This is the most common method they use to spam these sites now. Link to a hijacked site with MASSIVELY obfuscated javascript. Once decoded it redirects randomly to one of three domains that we assume are hosted on secondary hijacked servers, with bullet-proof domain registrars. (Though Red is fast disproving that definition.)

I want to work towards an EvaPharmacy "holocaust" where we can one day just focus hard on shutting down several dozen of these domains in one go, including the hosting and the hacked servers. That remains a dream at the moment.

SiL

Example redirection to Luxury Replicas on hinot.ru

bilbantourism.com



Same site redirects to Canadian Pharmacy, cobsdoctor.com
http://bilbantourism.com/bb.html

July 23 - 26 I received these, all from the same email ID - jdwild01 at yahoo.com
He also features at http://www.scamwarners.com/forum/viewtopic.php?f=7&t=61948



Some of these issue a redirection like