Clicky
Last visit was: Sat Jul 05, 2014 3:15 pm
It is currently Sat Jul 05, 2014 3:15 pm

The Hijacked Web Server Thread


All times are UTC - 5 hours [ DST ]


 [ 5 posts ] 
Author Message
 PostPosted: Wed Aug 07, 2013 4:38 pm   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Hi.

This thread could get depressing, but I thought I'd start it anyway and see what happens.

In the past several years I've been watching what several spammers are doing with regards to the use of hijacked, hacked, exploited or otherwise pwned servers for their own malicious use.

Two things happen when they take over these servers:

  • They get free hosting and infrastructure
  • They poison the reputation of that domain for a long, long time.

So when I see them - if I have the time - I report them to the site owner and their hosting company.

  • Whois the domain - look for non-privatized contact info
  • Look at the raw website. If it isn't completely taken over (rare) look for contact info on the site itself.
  • Ping the domain to find the ip
  • Whois the ip
  • report to the hosting company.
  • Rinse and repeat

This takes time. I created a tool that's only semi-ready for primetime called the Phishing Reporteratorâ„¢, and it helps, but it's still quite a bit of manual work to get to that final report, and in most cases it falls on completely deaf ears all around.

So this appears to be the new "bullet-proof" hosting.

I'll itemize several methods these scumbags are routinely using to place each of the following on these hacked hosts, and we can maybe put our heads together regarding how we can effectively and quickly report this activity. I have my doubts lately as to how worthwhile it is because I find a lot of the hosting companies just do not care about this issue, and that's the most depressing part.

Is this of interest to all and sundry? :)

SiL

P.S. If this is in the wrong place, please feel free (admins) to put it in the right place.


Top
 Profile  
 PostPosted: Thu Aug 08, 2013 12:07 am   
You are kiillllling-a my bizinisss!
User avatar

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
It's of interest to me. I haven't had time to do that sort of thing lately, though. And you're right, it's amazing how little interest most people seem to have. Until their website gets a red donut from WOT, then they're all indignant about it. :roll:


Top
 Profile  
 PostPosted: Thu Aug 08, 2013 12:05 pm   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
So out of these EvaPharmacy hijacked urls from the past day:

http://acmusicdj.com/mentat_pills.html
http://agentu.com/levitra_jelly.html
http://eiteasy.com/veriee.html
http://kedaionline.zxq.net/armour.html
http://pinkiestyle.com/diarex.html
http://romebe.com/glucosamine.html
http://santosfm.com/pristiq.html
http://www.radioventura.com/cytoxan.html

These ones are still active after sending shutdown / cleanup requests:

http://eiteasy.com/veriee.html
http://santosfm.com/pristiq.html
http://www.radioventura.com/cytoxan.html

That's not a bad rate but the problem is how long it takes to get it through their hosting company's head that they're assistint criminals. They just don't see it htat way. They see these sites as nuisances and nothing more. Legall speaking they can't do more than warn the customer, and if they can't reach the customer, it ends there. This is the state of hijacked servers right now.

I have no idea what kind of exploit they're using to get these files onto these servers. They're not running wordpress or joomla, the two most popular ways to do this so far this year. (See: Canadian Pharmacy, doing both to get redirects up.) So I'm guessing it's a fairly old / typical Apache exploit.

Since nobody can be reached at these domains, I'd be intrigued to see how hard it is to get a simple text file on to the same servers.

Redirection targets:
[for eiteasy]
http://rfdy.welnessgentiva.pl/?cid=fld4 [dead]
http://osks.lxic.ru/?cid=fld3
http://yuim.thecareprescription.pl/?cid=fld2

[for santosfm and radioventura]
http://pwdwznib.pl/products/

This is the most common method they use to spam these sites now. Link to a hijacked site with MASSIVELY obfuscated javascript. Once decoded it redirects randomly to one of three domains that we assume are hosted on secondary hijacked servers, with bullet-proof domain registrars. (Though Red is fast disproving that definition.)

I want to work towards an EvaPharmacy "holocaust" where we can one day just focus hard on shutting down several dozen of these domains in one go, including the hosting and the hacked servers. That remains a dream at the moment.

SiL


Top
 Profile  
 PostPosted: Thu Aug 08, 2013 6:58 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Example redirection to Luxury Replicas on hinot.ru

bilbantourism.com


Quote:
15% Discount
Rolex Sports / Explorer II / Black Dial 89$
Rolex Sports

Rolex Dress

Louis Vuitton

Breitling

Click here versia 2[Links to http://bilbantourism.com/repl2.html]


Same site redirects to Canadian Pharmacy, cobsdoctor.com
http://bilbantourism.com/bb.html


Top
 Profile WWW  
 PostPosted: Sun Aug 11, 2013 8:10 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
July 23 - 26 I received these, all from the same email ID - jdwild01 at yahoo.com
He also features at http://www.scamwarners.com/forum/viewtopic.php?f=7&t=61948

Code:
Fw: - Hi! http://211.20.97.26/cnn.com.today.html
Fw: - Hi! http://fonio-bio.org/cnn.com.today.html
Fw: - Hi! http://pliki.doskomp.jst.pl/cnn.com.today.html
Fw: - Hi! http://thehindufestivalssociety.com/cnn.com.today.html
Fw: - Hi! http://www.gradinitafranklin.ro/cnn.com.today.html
Re: - Hi! http://elastomer-kazan.ru/google.com.offers.html
Re: - Hi! http://eztech.ae/google.com.offers.html
Re: - Hi! http://france24.com/google.com.offers.html
Re: - Hi! http://marseille-provence.fr/google.com.offers.html
Re: - Hi! http://melansonwebdesign.com/cbs.com.network.html
Re: - Hi! http://mt01.hu/cnn.com.today.html


Some of these issue a redirection like
Code:
http://195.3.145.94/redirict/resource/site_rand/redirict.php


Top
 Profile WWW  
 [ 5 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Ahrefs, Wayback machine and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Style originally created by Volize © 2003 • Redesigned SkyLine by MartectX © 2008