Taking out an IP address
 PostPosted: Mon Jun 09, 2014 4:28 pm   
You are kiillllling-a my bizinisss!
Sometimes you see hundreds of fraud domains hosted at the same IP address. In a campaign to combat fraud, there are advantages in taking such an IP address out of circulation.

    1. There will be a period of disruption while the fraud syndicate reassigns the hosts to a replacement IP address, and a period of down-time for the spammed domains affected.

    2. Once they are reassigned, there is still a second disruption. Any name servers that have been placed on Client Hold can still perform their function of resolving domain names due to caching within the DNS system of the Internet. When the access to the IP address is stopped, then this caching will fail.

    3. If the owners know that there is a compromised machine at that IP, they can locate it and clean it up, making it more robust and less likely to be compromised again.

Let's look at an example. On June 8, 2014, over 200 Eva Pharmacy fraud sites were detected on IP address 87.117.192.110.
A WHOIS lookup on 87.117.192.110 shows that it belongs to RapidSwitch in the United Kingdom, with these contact details -
Code:
remarks:        ******************************************************
remarks:        * ABUSE REPORTS                                      *
remarks:        * https://myservers.rapidswitch.com/reportabuse.aspx *
remarks:        ******************************************************


Filling in the abuse report form at that web page lets them know of the issue:
Quote:
IP Address: 87.117.192.110
Type of Abuse: Hacking
Affects Network:
Hacked server hosting hundreds of fraud pharmacies

Details:
Please null route the access to this IP address, used to host over 200 pharmacy fraud domains

Details are posted at
http://www.spamtrackers.eu/wiki/index.php/Netlynx#Sample_illegal_domains

Evidence about the perpetrators can be seen at these links
http://spamtrackers.eu/wiki/index.php/EvaPharmacy
http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm358794.htm
http://www.cipa.com/fraudulent-sites/
http://scamfraudalert.org/2013/07/06/fda-warning-letter-eva-pharmacy/

Usually the host machine has been hacked and the server added.

Domain Name:spamtrackers.eu
Protocol:http
Port:80
Material:
http://spamtrackers.eu/wiki/index.php/EvaPharmacy


rapidswitch wrote:
Thank you for your abuse report regarding IP address 87.117.192.110.

We are a conduit for this IP address, and the party responsible for it according to our records is one of our clients. Your complaint has been passed to the client, who will deal with the matter accordingly. Their response will be passed back to you at the e-mail address you raised this report from.

If no response is received from our client, it will automatically be escalated to a member of our staff. We aim to get a response to all abuse reports within five working days.

Regards,

RapidSwitch


A traceroute will show if the IP is still accessible:

https://www.ultratools.com/tools/lookingGlassTools allowing for 15 hops
Code:
Hop number:  12
Connected to:  87.117.212.38 ( 87.117.212.38 )
Roundtrip times:  82.22 ms
81.088 ms
83.048 ms
Country:  United Kingdom

Hop number:  13
Roundtrip times:  Timed out.

Hop number:  14
Roundtrip times:  Timed out.


UPDATE JUNE 13, 2014
RapidSwitch wrote:
The RapidSwitch abuse team have returned your abuse ticket to the client who
was hosting the material you complained about. They should respond to the
ticket shortly. The comment added by the abuse team follows:

Ticket escalated to staff due to no response within 4 days. Please provide an update and confirm if the issue has been resolved. Thanks


All of the over 200 domains have been relocated onto another IP address, 107.6.41.96.

Anyone want to try this one in the same fashion?


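As an added example that is not part of the original post, here is a small Python parser for the looking-glass traceroute output quoted in this thread. It reports whether the target IP answered or, as in the 87.117.192.110 trace above, where the route last got a reply and how many hops then timed out. The two sample traces are copied from output posted in this thread; the function and field names are my own.

```python
import re
# Two traces in the looking-glass format quoted in this thread: the
# 87.117.192.110 trace from the opening post (no reply after hop 12) and the
# 213.155.190.76 trace from a later post (target answers at hop 10).
NULL_ROUTED = """\
Hop number:  12
Connected to:  87.117.212.38 ( 87.117.212.38 )
Roundtrip times:  82.22 ms
81.088 ms
83.048 ms
Country:  United Kingdom

Hop number:  13
Roundtrip times:  Timed out.

Hop number:  14
Roundtrip times:  Timed out.
"""
REACHED = """\
Hop number:  10
Connected to:  tunneliinges.com ( 213.155.190.76 )
Roundtrip times:  115.644 ms
Country:  Poland
"""

HOP_RE = re.compile(r"^Hop number:\s*(\d+)")
IP_RE = re.compile(r"\(\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\)")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")

def parse_hops(text):
    """One dict per hop: number, answering ip (None on timeout) and RTTs.
    Bare continuation lines such as '81.088 ms' belong to the current hop."""
    hops = []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := HOP_RE.match(line):
            hops.append({"hop": int(m.group(1)), "ip": None, "rtts_ms": []})
        elif hops and line.startswith("Connected to:") and (m := IP_RE.search(line)):
            hops[-1]["ip"] = m.group(1)
        elif hops and (line.startswith("Roundtrip times:") or ":" not in line):
            hops[-1]["rtts_ms"] += [float(x) for x in RTT_RE.findall(line)]
    return hops

def route_status(text, target_ip):
    """'reached' if target_ip answered, else the last hop that replied and the
    count of silent hops after it (null route or ICMP filtering: confirm, e.g. ping)."""
    hops = parse_hops(text)
    for h in hops:
        if h["ip"] == target_ip:
            return {"status": "reached", "hop": h["hop"], "timeouts_after": 0}
    answered = [h for h in hops if h["ip"]]
    last = answered[-1] if answered else None
    after = [h for h in hops if last is None or h["hop"] > last["hop"]]
    return {"status": "not_reached", "timeouts_after": sum(h["ip"] is None for h in after),
            "last_responding_hop": last["hop"] if last else None,
            "last_responding_ip": last["ip"] if last else None}
```

Re-run the same check over a few days, as the posts below do, because a trace that dies at the upstream router one day can reach a relocated host the next.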
 PostPosted: Mon Jun 09, 2014 4:38 pm   
You are kiillllling-a my bizinisss!
The WHOIS lookup with the contact details for 107.6.41.96 is found at

http://whois.domaintools.com/107.6.41.96

RAbuseHandle: NSA-ARIN
RAbuseName: Peer 1 Network AUP Enforcement
RAbusePhone: +1-604-484-2588
RAbuseEmail: abuse@peer1.net

EVIDENCE
* https://www.virustotal.com/en/ip-address/107.6.41.96/information
* https://www.mywot.com/en/scorecard/107.6.41.96

UPDATED June 20 2014
Traceroute ends at 107.6.40.157

Code:
Hop number:  10
Connected to:  107.6.40.157 ( 107.6.40.157 )
Roundtrip times:  2965.855 ms
Country:  United States


 PostPosted: Mon Jun 09, 2014 5:59 pm   
You are kiillllling-a my bizinisss!
Another IP hosting over 140 fraud pharmacy domains is 188.68.249.213.

EVIDENCE
https://www.virustotal.com/en/ip-addres ... formation/

Contact
SPRINT in Poland - olsztyn@sprint.pl

Sample domains

UPDATE JUNE 13 2014
From https://www.ultratools.com/tools/lookingGlassTools with 15 hops
Code:
Hop number:  10
Connected to:  n16h14.rev.sprintdatacenter.pl ( 46.29.16.14 )
Roundtrip times:  112.564 ms
Country:  Poland

Hop number:  11
Roundtrip times:  Timed out.

Hop number:  12
Roundtrip times:  Timed out.


 PostPosted: Fri Jun 13, 2014 6:14 pm   
You are kiillllling-a my bizinisss!
IP address 192.69.90.43

List of detected fraud domains
https://www.virustotal.com/en/ip-address/192.69.90.43/information/

Traceroute successful at https://www.ultratools.com/tools/traceRoute

WHOIS lookup at http://www.dnsstuff.com/tools#whois|type=ipv4&&value=192.69.90.43

OrgName: VolumeDrive
Address: 1143 Northern Blvd
City: Clarks Summit
StateProv: PA
PostalCode: 18411
Country: US

OrgAbuseHandle: VOLUM1-ARIN
OrgAbuseName: VolumeDrive POC
OrgAbusePhone: +1-862-266-1083
OrgAbuseEmail: info@volumedrive.com

Sample Russian pharmacy fraud domains on 6/14/2014

UPDATED June 14 2014
No longer routed:
Code:
Hop number:  6
Connected to:  xe-0-0-0.cr1.phl1.us.nlayer.net ( 69.22.142.163 )
Roundtrip times:  9.886 ms
27.029 ms
9.878 ms
Country:  United States

Hop number:  7
Roundtrip times:  Timed out.

Hop number:  8
Roundtrip times:  Timed out.


The above examples are now resolving to a new address, 213.155.190.76 in Poland.


 PostPosted: Sat Jun 14, 2014 6:48 pm   
You are kiillllling-a my bizinisss!
IP address 213.155.190.76

List of detected fraud domains
https://www.virustotal.com/en/ip-address/213.155.190.76/information/

Traceroute successful at https://www.ultratools.com/tools/traceRoute
Code:
Hop number:  10
Connected to:  tunneliinges.com ( 213.155.190.76 )
Roundtrip times:  115.644 ms
Country:  Poland


WHOIS lookup at http://www.dnsstuff.com/tools#whois|type=ipv4&&value=213.155.190.76

role: Academic Centre of Computer Science
org: ORG-AMAN1-RIPE
address: Zachodniopomorski Uniwersytet Technologiczny w Szczecinie
address: Akademickie Centrum Informatyki
address: al. Piastow 41
address: 71-065 Szczecin
address: POLAND
remarks: Akademicka Miejska Siec Komputerowa - AMSK Szczecin
phone: +48.914495858
abuse-mailbox: abuse@man.szczecin.pl

Sample Russian pharmacy fraud domains on 6/14/2014

 PostPosted: Sun Jun 15, 2014 12:38 pm   
Spammer Killing Machine
Red Dwarf wrote:
Sample Russian pharmacy fraud domains on 6/14/2014
I have noticed their migration to IP address 95.84.156.43.
NCNET Broadband customers
National Cable Networks
Moscow


 PostPosted: Mon Jun 16, 2014 2:56 am   
You are kiillllling-a my bizinisss!
IP address 189.197.62.153

List of detected fraud domains
https://www.virustotal.com/en/ip-addres ... formation/

Traceroute successful at https://www.ultratools.com/tools/traceRoute
Code:
Hop number:  17
Connected to:  customer-TGZ-62-153.megared.net.mx ( 189.197.62.153 )
Roundtrip times:  76.365 ms
Country:  Mexico


WHOIS lookup at http://whois.domaintools.com/189.197.62.153

ownerid: MX-MSCV17-LACNIC
responsible: Orencio Meza
address: Av. Lazaro Cardenas, 1694, Del Fresno
address: 44900 - Guadalajara - JA
country: MX
phone: +52 3337500020 []
contact: nic_tech@megacable.com.mx

Sample Russian pharmacy fraud domains on 15 June 2014

 PostPosted: Sun Jun 22, 2014 12:15 am   
You are kiillllling-a my bizinisss!
IP address 31.193.132.18

List of detected fraud domains
https://www.virustotal.com/en/ip-address/31.193.132.18/information/

Traceroute successful at https://www.ultratools.com/tools/traceRoute
Code:

Hop number:  8
Connected to:  a.9.magic-hex.as29550.net ( 213.229.85.162 )
Roundtrip times:  87.864 ms
Country:  United Kingdom

Hop number:  9
Connected to:  31-193-132-18.static.as29550.net ( 31.193.132.18 )
Roundtrip times:  82.844 ms
Country:  United States (?)


Updated July 23
Code:
Hop number:  10
Connected to:  po-1.r00.londen03.uk.bb.gin.ntt.net ( 129.250.4.134 )
Roundtrip times:  250.288 ms
244.842 ms
202.853 ms
Country:  United States

Hop number:  11
Roundtrip times:  Timed out.


WHOIS lookup at http://whois.domaintools.com/31.193.132.18

role: AS29550 Operators
address: Simply Transit
address: Unit 2
address: Smallmead Road
address: Reading
address: Berkshire
address: RG2 0QS
remarks: For abuse please contact abuse@as29550.net
phone: +44 (0)1628 777730

Sample Russian pharmacy fraud domains as seen on 21 June 2014

 PostPosted: Sun Jun 22, 2014 6:57 pm   
You are kiillllling-a my bizinisss!
The WHOIS lookup with the contact details for 123.63.204.183 is found at

http://whois.domaintools.com/123.63.204.183

role: VODAFONE ESSAR SPACETEL LIMITED
address: C48 Okhla Industrial Estate, New Delhi-110020
country: IN
phone: +91-20-71714178
fax-no: +91-22-2498 6789
e-mail: uday.joshi@vodafone.com
abuse-mailbox: antiabuse.ipnoc@vodafone.com

EVIDENCE
* https://www.virustotal.com/en/ip-address/123.63.204.183/information
* https://www.mywot.com/en/scorecard/123.63.204.183

Traceroute successful at https://www.ultratools.com/tools/traceRoute
Traceroute ends in China via India

Code:

Hop number:  16
Connected to:  vodafone-india-gw.lns.cw.net ( 195.59.77.70 )
Roundtrip times:  83.18 ms
Country:  Europe

Hop number:  17
Connected to:  (123.63.85.253) ( 239.424 )
Roundtrip times:  Timed out.

Hop number:  18
Connected to:  (123.63.85.253) ( 243.397 )
Roundtrip times:  239.84 ms
242.908 ms

Hop number:  19
Connected to:  123.63.204.183 ( 123.63.204.183 )
Roundtrip times:  240.51 ms
Country:  China


Sample Russian EVA Pharmacy fraud domains as seen on June 22, 2014


 PostPosted: Sun Jun 22, 2014 8:09 pm   
You are kiillllling-a my bizinisss!
The WHOIS lookup with the contact details for 50.115.164.56 is found at
http://whois.domaintools.com/50.115.164.56

Abuse reporting is at https://myvirpus.com/submitticket.php
AbuseHandle: NETWO2357-ARIN
AbuseName: Virpus Network Operations
AbusePhone: +1-877-484-7787
AbuseEmail: abuse (at) myvirpus.com

EVIDENCE
* https://www.virustotal.com/en/ip-address/50.115.164.56/information
* https://www.mywot.com/en/scorecard/50.115.164.56

Traceroute successful at https://www.ultratools.com/tools/traceRoute
Traceroute ends at 50.115.164.56

Code:

Hop number:  14
Connected to:  199.180.135.16 ( 199.180.135.16 )
Roundtrip times:  33.401 ms

Hop number:  15
Connected to:  50.115.164.56 ( 50.115.164.56 )
Roundtrip times:  33.437 ms


UPDATED JUNE 26
Code:

Hop number:  14
Connected to:  38.100.182.58 ( 38.100.182.58 )
Roundtrip times:  33.685 ms
Country:  United States

Hop number:  15
Roundtrip times:  Timed out.


Code:
Pinging 50.115.164.56 with 32 bytes of data:
Request timed out.


Sample Russian EVA Pharmacy fraud domains observed on June 22, 2014

Code:
ailinatiffi.in
biankajulianna.in
brettdasie.in
guillemettedaryl.in
gwendolenmadlen.in
janenepansy.in
kelilaedythmyra.in
margaretteconstancy.in


 PostPosted: Tue Jun 24, 2014 11:20 pm   
Spammer Killing Machine
The domain status of guillemettedaryl.in and gwendolenmadlen.in is "HOLD".

