
4/23/2014

MALICIOUS BLOG VISITOR FROM Hangzhou, CHINA
PHISHING:
billingcheckout.com (IP: 70.39.189.232) &
js.realypay.com (IP: 122.225.38.53)

DOMAIN 1:
China Telecomcenter
http://www.billingcheckout.com/
  • https://www.virustotal.com/de/url/d094721c14cdcebbee68aa9f08211ac1db05bee594e63e48667aaa6ba5c4ebcc/analysis/1398259763/ 
VISITING URL (on this BLOG)
http://www.billingcheckout.com/risk/index.js
  • https://www.virustotal.com/de/url/832c73b107ea273b0c1f89f78554f82c19824a74af820c6b71be41315ecaa39c/analysis/  
  • https://www.virustotal.com/de/file/dd6dc666f505f2f2d7664f13539a8dcb4537231c7350e0a468784da4035d7f64/analysis/1397057907/
IP:
China Telecomcenter
http://70.39.189.232/
  • https://www.virustotal.com/de/url/56f02705ec3f5dcf32c0f5b4d2f8371a514f2c2fb5c7f262b370c120e1171654/analysis/1398260122/ 
  • https://www.virustotal.com/de/ip-address/70.39.189.232/information/

REDIRECTS TO: --------------->  
(Reference See: http://wepawet.iseclab.org/view.php?hash=18cf2248ff8c66c0e25f36c34fc849d7&t=1392066256&type=js)

DOMAIN 2:
China Telecom Zhejiang
http://js.realypay.com/
  • https://www.virustotal.com/de/url/fe243629b072a3fbc0a2441bcbe6f47c5485ca2c5308e1d30e1623f2dc30bf82/analysis/1398261500/ 
REDIRECT LINK:
http://js.realypay.com/index2.js?ref=&url=http%3A%2F%2Fwww.billingcheckout.com%2Frisk%2Findex.js&w=1024&h=768&lx=IE7.0&auth=f2d9Pqacl20tqeAAq2ALsY7pxonRQq9w8T6J01rfr%2FNt98aDqte65aV%2FexcKt9mKFUYD3undAMCB   
  • https://www.virustotal.com/de/url/e717239f9c1ed65c250f8d024290d0f4605ba37a744495925135c67e970f5c7e/analysis/1398261822/
  • https://www.virustotal.com/de/file/0d23d902baf9638276780afdb9df44a26b748f775a350e1606b9472febee964f/analysis/1398261736/ 
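To see what the redirect link above actually carries, the following added example (not code from this blog or from any of the sites named) decodes its query string with Python's standard library. The URL is the one listed above, copied verbatim; the function names are the example's own.

```python
from urllib.parse import urlsplit, parse_qs

# Redirect link exactly as listed in the post above.
REDIRECT_LINK = "http://js.realypay.com/index2.js?ref=&url=http%3A%2F%2Fwww.billingcheckout.com%2Frisk%2Findex.js&w=1024&h=768&lx=IE7.0&auth=f2d9Pqacl20tqeAAq2ALsY7pxonRQq9w8T6J01rfr%2FNt98aDqte65aV%2FexcKt9mKFUYD3undAMCB"


def decode_redirect(link):
    """Split a redirector/tracker URL into host, path and decoded query parameters.

    keep_blank_values=True retains empty parameters such as `ref=`; an empty
    referrer field is itself worth noting when reconstructing a redirect chain.
    """
    parts = urlsplit(link)
    params = parse_qs(parts.query, keep_blank_values=True)
    # Every parameter occurs once here, so flatten parse_qs's single-item lists.
    flat = {key: values[0] for key, values in params.items()}
    return {"host": parts.hostname, "path": parts.path, "params": flat}


def embedded_targets(link):
    """Return the parameter values that are themselves absolute http(s) URLs.

    In a redirect chain these are the next hops to submit to the URL scanners
    linked throughout this page."""
    info = decode_redirect(link)
    return {k: v for k, v in info["params"].items()
            if v.startswith(("http://", "https://"))}


if __name__ == "__main__":
    info = decode_redirect(REDIRECT_LINK)
    print(f"host={info['host']} path={info['path']}")
    for key, value in info["params"].items():
        print(f"  {key:5s} = {value!r}")
    print("next hop(s):", embedded_targets(REDIRECT_LINK))
```

Running it shows the `url` parameter holds the billingcheckout.com script that called the redirector, `w`/`h` and `lx` look like a screen size and a browser tag (here `IE7.0`), `ref` is empty, and `auth` is an opaque token whose percent-encoded slashes are restored on decoding.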
IP:
China Telecom Zhejiang
http://122.225.38.53/
  • https://www.virustotal.com/de/url/5510f55d0eb200ce7673e5d94310cd473316d970a7d098c9c0df2541890b6fd6/analysis/1398262349/
  • https://www.virustotal.com/de/file/282c12070ea3254e26761b3dc58a7f342ac7e9f4c3b1f1630cf4d5c96bfce7de/analysis/1398262288/
  • https://www.virustotal.com/de/ip-address/122.225.38.53/information/

Category MALICIOUS IP: 203.153.99.142 (cds-id.com , dart.co.id)

"This IP is infected with a spam or malware forwarding link.
In other words the site has been hacked."


SPAMBOT & DICTIONARY ATTACKER
3 "Hacked" entries
46 "SPAM" entries
(INDONESIA)



The IP Address 203.153.99.142 is listed in the CBL (Composite Blocking List). This web site (IP) has a redirect that takes the user's browser to a spam or malware site. It's mainly fake Russian pills or pornography.

The web server's host name is "www.dart.co.id", and this link has an example of the redirect: "http://www.dart.co.id/stylish.html?dijupiho".
http://www.dart.co.id/
  • https://www.virustotal.com/de/url/032f38a47d19c6c6e68793600ee7bdc011a82459e1a416079b208381566a4133/analysis/1398254023/
http://www.dart.co.id/stylish.html?dijupiho
  • https://www.virustotal.com/de/url/6f6fe170ab65546d0ee38ba507e945373c52e12d9de1b4edde3858dae7455fdd/analysis/1398254023/
Infected servers are usually shared web hosting environments running cPanel, Plesk, Joomla or WordPress CMS software that have become compromised either through a vulnerability (meaning the CMS software is out of date and needs patching), or because user account information (userids/passwords) has been compromised and malicious software/files are being uploaded by ftp or ssl.

We believe that these specific infections are frequently done by altering web server access control mechanisms (example, ".htaccess" files on Apache web servers), and causing the redirect to occur on all "404 url not found" errors. We would appreciate it if you can give us copies of the modifications that this infection has made to your system.



It is probable that the change was made via SSL or ftp login using a userid/password stolen from the "owner" of the hostname/domain. They should run anti-virus tools on their computers, and the password they use to access the web site should be changed immediately.

If you do not recognize the hostname www.dart.co.id as belonging to you, it means that some other account on this shared hosting site has been compromised, and there is NOTHING you (or we) can do to fix the infection. Only the administrator of this machine or the owner of www.dart.co.id can fix it.
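The CBL text above points at altered `.htaccess` files that send every "404 not found" off-site. As an added example (not CBL's or this blog's code), the Python below audits an `.htaccess` file for `ErrorDocument` and `RewriteRule` directives whose target is an absolute URL on a foreign host, which is how Apache is made to answer an error with an external redirect. The sample file and the host names in it are constructed for this example.

```python
import re

# Constructed sample .htaccess (not from any real host). Lines 2 and 5 are the
# kind of modification the CBL text describes; the other lines are ordinary
# directives that a correct audit must leave alone.
SAMPLE_HTACCESS = """\
Options -Indexes
ErrorDocument 404 http://redirect.example.invalid/pills/
RewriteEngine On
RewriteRule ^old-page\\.html$ /new-page.html [R=301,L]
RewriteRule ^(.*)$ http://redirect.example.invalid/$1 [R=302,L]
ErrorDocument 403 /errors/forbidden.html
ErrorDocument 500 "Server error"
"""

# Absolute URL with a scheme, or a scheme-relative URL (//host/...).
ABSOLUTE_URL = re.compile(r"^(?:https?:)?//", re.IGNORECASE)


def target_host(url):
    """Hostname (lower-cased, without port) of an absolute or scheme-relative URL."""
    rest = ABSOLUTE_URL.sub("", url)
    return rest.split("/")[0].split(":")[0].lower()


def audit_htaccess(text, own_hosts=()):
    """Return (line_number, reason, line) for directives that redirect visitors off-site.

    own_hosts: hostnames that legitimately belong to this site; redirects to them
    are not reported.  Flags an ErrorDocument whose target is an absolute URL on
    a foreign host and a RewriteRule whose substitution is such a URL.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        directive = fields[0].lower()
        # ErrorDocument <code> <target>; RewriteRule <pattern> <substitution> [flags]
        if directive not in ("errordocument", "rewriterule") or len(fields) < 3:
            continue
        target = fields[2]
        if not ABSOLUTE_URL.match(target):
            continue  # local path or quoted message: not an external redirect
        host = target_host(target)
        if host in own:
            continue
        findings.append((lineno, f"{fields[0]} redirects to external host {host}", line))
    return findings


if __name__ == "__main__":
    for lineno, reason, line in audit_htaccess(SAMPLE_HTACCESS, own_hosts=["www.example.invalid"]):
        print(f"line {lineno}: {reason}\n    {line}")
```

Run it against every `.htaccess` in a shared-hosting document root (including ones in subdirectories, which is where such additions tend to hide) and review each hit by hand; a legitimate site rarely needs its error pages served from another domain.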

--------------------------------------------------------------------------------------------------------------------------------------------

MALICIOUS IP FROM INDONESIA:
SPAMBOT, DICTIONARY ATTACKER
http://203.153.99.142/
  • https://www.virustotal.com/de/url/3eed7d8163d563a7f2cee883ca1b0627e6af286dcf89a63831ee311b14cb0f2f/analysis/1398250732/
  • https://www.virustotal.com/de/ip-address/203.153.99.142/information/
DOMAIN & HOSTNAME (See Senderbase as Reference):
http://cds-id.com/
  • https://www.virustotal.com/de/url/d58f4bda3839bea826584e8f98e3b0b1ed3ebeb72508f400a53770f60c1238af/analysis/1398252129/
HTML (406 Not Acceptable)
  • https://www.virustotal.com/de/file/390814aae53b4fe7b317f869b6bb97b242131cad27c8cdfd86e8ba70a677653f/analysis/1398252281/
NUMBER OF SPAM-MAILS RECEIVED FROM THIS IP: 174
DICTIONARY ATTACKS FROM THIS IP: 21
  • https://www.projecthoneypot.org/ip_203.153.99.142
LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=203.153.99.142
LISTED AT CBL:
  • http://cbl.abuseat.org/lookup.cgi?ip=222.165.193.218&.pubmit=Lookup
LISTED AT SPAMCOP:

In the past 78.1 days, it has been listed 19 times for a total of 18.9 days

Causes of listing:
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
  • http://spamcop.net/w3m?action=checkblock&ip=203.153.99.142
LISTED AT SORBS:
Current Listings (active)

  • 3 "Hacked" entries (01:08:09 16 Apr 2013 GMT)
  • 46 "Spam" entries (20:13:30 30 May 2013 GMT)
 
Historical Listings (inactive)
  • 22 "Spamvertised" entries (21:37:31 22 Apr 2013 GMT)
http://www.au.sorbs.net/lookup.shtml
LISTED AT CISCO SENDERBASE:

Fwd/Rev DNS Match: NO
EMAIL REP.: POOR
  • http://www.senderbase.org/lookup/?search_string=203.153.99.142
SEE ALSO:
NETCRAFT: 7/10
  • http://toolbar.netcraft.com/site_report?url=203.153.99.142

4/19/2014

RISKWARE: Win32/SecurityXploded.A from
securityxploded.com
(Windows Autorun Disable)


RISKWARE DETECTED:
Win32/SecurityXploded.A
http://securityxploded.com/download-file.php?id=1231
  • https://www.virustotal.com/de/url/3e6d1b6ccbf37664c71e92a76a4ccb23d6004d283541a19c51d50fa342b2a4a3/analysis/1397904253/
http://securityxploded.com/getfile_plus.php?id=1231
  • https://www.virustotal.com/de/url/34c9887456cdf35153f3a938a127e88fa06fb1c8c40f1ffe92a498d19ee58688/analysis/1397904283/
(WindowsAutorunDisable.zip) Win32/SecurityXploded.A
  • https://www.virustotal.com/de/file/45b799b53adf58fdd6ed78b9c2f59e4b3b9c929bf055becb5c83d9db57f2a609/analysis/1397904083/
(WindowsAutorunDisable.exe) Win32/SecurityXploded.A
  • https://www.virustotal.com/de/file/306da318050082d9e6b23120772f61aaaaac0fdcde0b10f3de6ab789c9c8ab94/analysis/1397904074/
  • http://zulu.zscaler.com/submission/show/a38523587f7f1912d01cea34d13e3782-1397904455
  • https://urlquery.net/report.php?id=1397904464200
IP:
http://64.150.191.172/
  • https://www.virustotal.com/de/url/774ec0fe019369938cf734a511ae4334b74f31e5c0202710934e0997df8a6e7f/analysis/

4/18/2014

Category MALICIOUS IP: 203.153.100.82

Infected with a spam sending trojan, proxy or some other form of botnet.
It HELOs as a bare IP address
(INDONESIA)

The IP Address 203.153.100.82 is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy or some other form of botnet. It was last detected at 2014-04-18 18:00 GMT (+/- 30 minutes), approximately 1 hour ago.

It has been relisted following a previous removal at 2014-04-09 01:07 GMT (9 days, 17 hours, 55 minutes ago).

The listing of this IP is because it HELOs as a bare IP address (A bare ip address looks like: "54.33.33.5"). It is not HELO'ing as itself ("203.153.100.82"). Not only is this a violation of RFC2821/5321 section 4.1.1.1, it's even more frequently a sign of infection.
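The bare-IP HELO criterion described above can be checked mechanically. The following added example (not CBL code) classifies an EHLO/HELO argument into the two forms RFC 5321 section 4.1.1.1 allows (a domain name or a bracketed address literal) and the bare-IP form the listing describes, and additionally reports whether an IP-form argument matches the connecting peer. The sample arguments use documentation-range addresses and are constructed.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; at most 63 chars.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN = re.compile(rf"^(?:{LABEL}\.)+{LABEL}\.?$")


def _strip_literal(arg):
    """Contents of a bracketed address literal, minus any IPv6: tag."""
    inner = arg[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    return inner


def classify_helo(arg):
    """Classify an EHLO/HELO argument the way a receiving MTA's policy check would.

    RFC 5321 section 4.1.1.1 allows either a domain name or an address literal
    such as "[203.0.113.5]" or "[IPv6:2001:db8::1]".  A bare IP with no brackets
    is neither; the CBL text above treats it as a sign of infection.
    Returns one of "fqdn", "address-literal", "bare-ip", "invalid".
    """
    arg = arg.strip()
    if not arg:
        return "invalid"
    if arg.startswith("[") and arg.endswith("]"):
        try:
            ipaddress.ip_address(_strip_literal(arg))
            return "address-literal"
        except ValueError:
            return "invalid"
    # Parses as an address but lacks the brackets the RFC requires: the bare-IP case.
    try:
        ipaddress.ip_address(arg)
        return "bare-ip"
    except ValueError:
        pass
    # Anything else must look like a multi-label hostname ("localhost" alone does not).
    return "fqdn" if FQDN.match(arg) else "invalid"


def helo_matches_peer(arg, peer_ip):
    """For an address-literal or bare-IP HELO, report whether the address given is
    the connecting peer's own address (CBL: the host is "not HELO'ing as itself").
    Returns True/False, or None when the argument is not an IP form at all."""
    arg = arg.strip()
    kind = classify_helo(arg)
    if kind == "address-literal":
        given = _strip_literal(arg)
    elif kind == "bare-ip":
        given = arg
    else:
        return None
    return ipaddress.ip_address(given) == ipaddress.ip_address(peer_ip)


if __name__ == "__main__":
    # Constructed sample HELO arguments.
    for sample in ("mail.example.com", "[203.0.113.5]", "[IPv6:2001:db8::1]", "54.33.33.5", "localhost"):
        print(f"{sample:20s} -> {classify_helo(sample)}")
```

In practice a mail server would feed the classification into its spam scoring rather than rejecting outright on "bare-ip", since misconfigured but legitimate senders exist; the CBL uses it as one listing signal among others.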




These listings are often a sign of a compromised SSH account. If you are running an SSH service (especially on Linux), please check your ssh server logs (often /var/log/auth.log) for logins from unusual IP addresses not normally associated with that login id. If you find any, secure the associated account. This usually means changing the password or disabling the account.
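For the auth.log check suggested above, the following added example (not CBL's code) parses OpenSSH `Accepted ...` and `Failed ...` lines and reports successful logins from addresses not normally associated with that login id, noting how many failed attempts the same address made beforehand. The log lines, user names and addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines in OpenSSH's format; host,
# users, fingerprint and addresses are invented for this example.
SAMPLE_AUTH_LOG = """\
Apr 18 17:41:02 web1 sshd[2231]: Accepted publickey for deploy from 192.0.2.10 port 51522 ssh2: RSA SHA256:constructedfingerprint
Apr 18 17:52:17 web1 sshd[2310]: Failed password for root from 198.51.100.77 port 40122 ssh2
Apr 18 17:52:19 web1 sshd[2310]: Failed password for root from 198.51.100.77 port 40122 ssh2
Apr 18 17:58:44 web1 sshd[2388]: Accepted password for deploy from 198.51.100.77 port 40210 ssh2
Apr 18 18:03:09 web1 sshd[2402]: Accepted password for www-data from 203.0.113.9 port 33020 ssh2
"""

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_accepted(text):
    """Yield (timestamp, user, ip, method) for every successful login."""
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            yield m["ts"], m["user"], m["ip"], m["method"]


def failed_attempts_by_ip(text):
    """Count failed authentication attempts per source address."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m["ip"]] += 1
    return dict(counts)


def unusual_logins(text, known):
    """Return accepted logins whose source IP is not in the known set for that user.

    known maps user -> set of IPs normally associated with that login id.  A hit
    is more serious when the same IP also produced failed attempts shortly
    before, which is what a guessed or stolen password looks like in the log.
    """
    failures = failed_attempts_by_ip(text)
    hits = []
    for ts, user, ip, method in parse_accepted(text):
        if ip not in known.get(user, set()):
            hits.append({"ts": ts, "user": user, "ip": ip, "method": method,
                         "prior_failures_from_ip": failures.get(ip, 0)})
    return hits


if __name__ == "__main__":
    known_sources = {"deploy": {"192.0.2.10"}}   # constructed allowlist
    for hit in unusual_logins(SAMPLE_AUTH_LOG, known_sources):
        print(f"{hit['ts']}  {hit['user']:10s} from {hit['ip']:16s} via {hit['method']}"
              f"  (failed attempts from this IP before: {hit['prior_failures_from_ip']})")
```

Accounts that appear in the output are the ones CBL's advice says to secure: change the password or disable the account, and treat a password login from an address that had just been failing as a stronger indicator than a key-based login from a new office address.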

If it's a mail server, see naming problems for details on how to diagnose and fix the problem. If you are running Symantec Protection Center, this appeared to be a known issue in the past. See this Knowledge Base item. Their KB item was updated October 18, 2010 to indicate that they now understand the issue. The KB item indicates that the problem will be resolved in a "future build", but no ETA was provided. If you have SPC's email notification feature turned on, we recommend checking through the Knowledge Base item to see if your version has this issue fixed. If not, we recommend turning SPC's notification feature off before delisting your IP address as a temporary workaround.

--------------------------------------------------------------------------------------------------------------------------------------------

MALICIOUS IP:




Heuristic.LooksLike.HTML.Suspicious-URL.K
SPAMBOTSERVER, COMMENT SPAMMER, DICTIONARY ATTACKER, MALWARE
http://203.153.100.82/
  • https://www.virustotal.com/de/url/4d0bf7e41c8dceaebbafa1bf0c70c8b1560a49ce397a92df5a1913a979f70f37/analysis/1397848027/
  • https://www.virustotal.com/de/ip-address/203.153.100.82/information/
Heuristic.LooksLike.HTML.Suspicious-URL.K
  • https://www.virustotal.com/de/file/8822bad3d62e9fbc8dc272644c42f81e4fec540ef7f05c9fd7bcaa26aee7a61b/analysis/
HOSTNAME:
http://ip-82-100-static.velo.net.id/
  • https://www.virustotal.com/de/url/85f9e6aa401e85da826c0d9590b8b671a24afac3000580f79754982b0f9ffadf/analysis/1397850756/

IP BLACKLISTED AT:
1) SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/ip/203.153.100.82
2) COMPOSITE BLOCKING LIST:
  • http://cbl.abuseat.org/lookup.cgi?ip=203.153.100.82
3) SPAMCOP:
  • http://www.spamcop.net/w3m?action=checkblock&ip=203.153.100.82
4) CISCO SENDERBASE:
  • http://www.senderbase.org/lookup/?search_string=203.153.100.82
5) BLOCKLIST.DE:
  • http://www.blocklist.de/en/view.html?ip=203.153.100.82
6) PSBL.ORG:
  • http://psbl.org/listing?ip=203.153.100.82
7) WPBL.INFO:
  • http://www.wpbl.info/cgi-bin/detail.cgi?ip=203.153.100.82
8) PROJECT HONEYPOT:
  • https://www.projecthoneypot.org/ip_203.153.100.82
9) SORBS:
  • http://www.au.sorbs.net/lookup.shtml
10) NiX SPAM:
  • http://www.dnsbl.manitu.net/lookup.php?language=en&value=203.153.100.82
------------------------------------------

SEE ALSO:
  • https://urlquery.net/report.php?id=1397848399616
  • http://zulu.zscaler.com/submission/show/0d60892bc9e925ace8bf7a1c422b7358-1397848147
http://203.153.100.82/winbox/winbox.exe
  • https://www.virustotal.com/de/url/2e48031a59a5f99f23b91508988285232203405cb8640f3c8c40c24e1a702284/analysis/1397848218/
  • https://www.virustotal.com/de/file/eabfa1fd55a53367b901364486f5a5607b9ab04ad94403b7d0fc12509ad85321/analysis/

Obama.exe: Hoax.Win32.BadJoke.Agent.nlz
NEW MALWARE CODE found @ demonx.org

(IP: 70.32.97.245 - UNITED STATES)


MALICIOUS LINK:

http://demonx.org/Obama.exe
  • https://www.virustotal.com/de/url/32cdf34a986b807db7b0fddd2acb3214f4c4ee0a8b00e07802504fbcb083e27f/analysis/1397739518/
Hoax.Win32.BadJoke.Agent.nlz
  • https://www.virustotal.com/de/file/0be76fb84d1b6f4fae6b5f38d4d5f58fcfd313fe6b48e9a1a5c5f17f6dab280c/analysis/1397739348/

4/17/2014

Comment SPAMMER: 37.59.88.251 = Malicious IP from Roubaix, France



MALICIOUS IP: COMMENT SPAMMER (FRANCE)
FOUND ON A CnC BOTSERVER ROUNDUP LIST

IP seen with 30 user-agents
21 web post submissions sent from this IP
  • https://www.projecthoneypot.org/ip_37.59.88.251
http://37.59.88.251/
  • https://www.virustotal.com/de/url/8054a21ddb8f63f903b056ccad3527d3ebc27bdb9799de478cb0b5cdf3aad5b4/analysis/1397725938/
  • https://www.virustotal.com/de/ip-address/37.59.88.251/information/
https://www.virustotal.com/de/file/f85e4b5b4089a91599c87da17d10eba5c1535fcc83fce58231b85cbf55bd376d/analysis/1397726108/

4/16/2014

Illegal gambling over the Internet 2011/2012:
William Lisle, 57, and Kenneth B. Lovett, 72 of Joplin, Missouri Sentenced

Was Dürer a Gambler...?

William Lisle, 57, of Joplin, MISSOURI, was sentenced on October 31st, 2012, by U.S. District Judge Richard E. Dorr to two years of probation (including six months of home detention) and ordered to pay a fine of 2,000 USD. As a condition of his probation, Lisle may not enter any gambling establishment or engage in any type of gambling, including off-shore or Internet gambling. Lisle must forfeit to the government almost 100,000 USD (98,263 USD) that was seized from his residence by law enforcement, which was the proceeds of gambling activity.

Judge Dorr
Co-defendant Kenneth B. Lovett, 72, also of Joplin, received the same sentence on October 18th, 2012.

Lisle and Lovett each pleaded guilty to using the Internet to transmit wagering information, including placing bets on sporting events, as part of their gambling business from January 1st, 2003, until February 8th, 2011. Lovett, who was primarily engaged in wagering on National Football League events, took on Lisle as a partner in 2006. Lisle and Lovett shared income and expenses equally until 2010, when Lisle's share of income and expenses increased to 60 percent.

Lisle and Lovett utilized two Internet websites, with servers located in Costa Rica, to administer the bookmaking operation. Their gambling operation flourished when they began using the off-shore gambling websites in 2006. The number of their customers and the amounts they wagered increased. For example, according to the plea agreement, one gambler would wager as much as 35,000 USD on a single weekend during the American football season.

Lisle also pleaded guilty to money laundering. Lisle sent cashier's checks, payable to a false name in an effort to conceal the transfer, to the Costa Rican company that operated the websites. Lisle's plea agreement cites 15 instances in which he sent cashier's checks (totaling 72,000 USD) to Costa Rica via Federal Express as part of his scheme to launder money obtained from the gambling enterprise.

SOURCE: http://www.highbeam.com/

PUA.Phishing.Bank @ www.sinaafra.com
PHISHING URLs FROM Sanayi, TURKEY
(IP: 212.68.50.31)

PHISHING LINKS: 
PUA (PHISHBANK)

DOMAIN:
http://www.sinaafra.com/
  • https://www.virustotal.com/de/url/918c5ec31a6f15e91d44cd1aa9cd40efa5b93e44dac77b212f4faf471d9f8894/analysis/1397667269/
PHISHING URLs:
1)
http://www.sinaafra.com/detroit-ve-istanbul-aslinda-birbirine-cok-yakin
  • https://www.virustotal.com/de/url/7ffa8b6b95e71ee3cac62063009b0d0f70c9f0f1770070208d9e8fa772895682/analysis/1397667413/
PUA.Phishing.Bank
  • https://www.virustotal.com/de/file/b0be1f8cf908f6ac5e508c4d1a0386c890193655bd419c4b88a74cfbda37f483/analysis/1397666858/
  • http://virusscan.jotti.org/de/scanresult/f439c8d1c4cdf2efb3ae8c6b4448ed0175c1f538

2)
http://www.sinaafra.com/sosyal-ticaretin-kirilma-noktasi-daha-ufukta-gozukmuyor
  • https://www.virustotal.com/de/url/e40dd9a4b165bd4a8e274017f30c18141289ca4d5aec039424874af6788a490d/analysis/1397667642/
PUA.Phishing.Bank
  • https://www.virustotal.com/de/file/d60d5d52ffbd6bf038b5dc5ba8b6ef004a4914a68dd6d2b9f7928f3880af1e09/analysis/1397667089/
  • http://virusscan.jotti.org/de/scanresult/1904fa37af41fe728a89a251a6097700ffc3e3d7
IP:
http://212.68.50.31/  (Sanayi, TURKEY)
  • https://www.virustotal.com/de/url/8741b7d59e97bedf742d7fe933fa278819d651ba8d295931f093146c3a8f5e6e/analysis/1397668079/
  • https://www.virustotal.com/de/ip-address/212.68.50.31/information/

UPDATES: Massive (Java) Oracle Critical Patch Update Advisory - April 2014

 

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:
Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 104 new security fixes across the product families listed below.

Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.
This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below.  The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column.   Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.

For further information, go to:

The 104 fixes break down as follows:
2 for Oracle Database Server
20 for Oracle Fusion Middleware
  3 for Oracle Hyperion
10 for Oracle Supply Chain Products Suite
  8 for Oracle PeopleSoft Products
  1 for Oracle Siebel CRM
  1 for Oracle iLearning
37 for Oracle Java SE
  3 for Oracle and Sun Systems Products Suite
  5 for Oracle Virtualization
14 for Oracle MySQL

PHISHING MAIL from:
www.med-equip.com.tn (IP: 193.95.93.62)
HTML:Script-inf

(THAILAND & TUNISIA)
"!Keep It Simple In The Bed retread"
gaecaoro@totbb.net



PHISHING SPAM & MALWARE:
HTML:Script-inf
ROGUE MEDICATIONS (THAILAND & TUNISIA)

DOMAIN:
http://www.med-equip.com.tn/
  • https://www.virustotal.com/de/url/b9fb02cf988d929e6a2c86e2570c607bf20bce182b931092f2afdb72cc30a153/analysis/1397659999/
HTML
  • https://www.virustotal.com/de/file/c6b1a536e10e685f7eb2e7875e1385070f1381d3c7142d6bf35cdd99f464baea/analysis/1397660454/
E-MAIL LINK:
http://www.med-equip.com.tn/geriforte.html
  • https://www.virustotal.com/de/url/403d17cc13d16d4f05fde4699d1fbb319c5aad5af693f5526c82a0d4558455e8/analysis/1397659995/
HTML:Script-inf
  • https://www.virustotal.com/de/file/af51c501f333a7a1c81a7e64f09850d249a22283e6731df4482a58bd9134838d/analysis/1395389479/
SCREENSHOT PHISHING MAIL

IP:
http://193.95.93.62/
  • https://www.virustotal.com/de/url/4842c7f2236d8e6fb467f709bf7833ffbd3907a913681c44dddb94a0ce54293b/analysis/1397662127/
  • https://www.virustotal.com/de/ip-address/193.95.93.62/information/
LISTED AT SPAMHAUS (SBL):
  • http://www.spamhaus.org/query/bl?ip=193.95.93.62
  • http://www.spamhaus.org/sbl/query/SBL204400
WEB-REP: POOR
EMAIL-REP: POOR
  • http://www.senderbase.org/lookup/?search_string=193.95.93.62

www.med-equip.com.tn/geriforte.html REDIRECTS TO:
http://triptabletspharmacy.ru/
  • https://www.virustotal.com/de/url/9a59b27ab7899a59763aed3092d887621a3a55c684227a7471fd05f2803da02d/analysis/1397661510/
IP triptabletspharmacy.ru:
http://107.182.164.141/
  • https://www.virustotal.com/de/url/ed96c08ef5482160f445fcd3665d2e8991ff0ba2a0f74d73c063227b5a59b89d/analysis/1397662386/
  • https://www.virustotal.com/de/ip-address/107.182.164.141/information/
  • http://www.senderbase.org/lookup/?search_string=107.182.164.141

SEE ALSO:
  • http://zulu.zscaler.com/submission/show/b6bc817a43647a0fa89d3e68a44e696b-1397660255
  • http://zulu.zscaler.com/submission/show/8d1a7645f4d5da4e722e8c11b95b4e9c-1397660264
  • https://urlquery.net/report.php?id=1397660035929
MAIL SENT "FROM":
http://totbb.net/
  • https://www.virustotal.com/de/url/dfc051bf8979828be83f9b5b0ffe9d372302dc7d88bb2aa8ebc289437bcd6a23/analysis/1397660871/
IP totbb.net:
http://203.113.9.20/

  • https://www.virustotal.com/de/url/c62bc82dab5ac1d2100e2fc5fc26972ca6bd86d8b55925645540eadeff8279f7/analysis/1397662629/
  • https://www.virustotal.com/de/ip-address/203.113.9.20/information/
ORIGINATING IP ADDRESS FROM MAIL:
http://111.84.115.252/
  • https://www.virustotal.com/de/url/9b7ee547d226d4fc171a124b383f6528b8308ad493efb984a6d9a0dd7a637440/analysis/
  • https://www.virustotal.com/de/ip-address/111.84.115.252/information/
LISTED AT SPAMHAUS (PBL):
  • http://www.spamhaus.org/query/bl?ip=111.84.115.252
EMAILREP: POOR
  • http://www.senderbase.org/senderbase_queries/detailip?search_string=111.84.115.252

4/15/2014

www.ensemble-berlin.de
infected with SEO SPAM (Viagra & Co.)
ROGUE MEDICATIONS PHISHING
IP: 80.67.31.164 & 5.61.42.211
GERMANY



MALICIOUS RUSSIAN PILLS PHISHING URL:
TDS URL pattern
http://www.ensemble-berlin.de/
  • https://www.virustotal.com/de/url/fa621d60d52c535f849c29fe9327a46e2248dedcc24fbe3ccf58388cad5c5c85/analysis/1397567841/
http://www.ensemble-berlin.de/viagra-rezeptfrei-lander.html
  • https://www.virustotal.com/de/url/c516b883ef52e0fef2b2884bcad2b97ecb7db4c9cd1037a847e1d082523cc5a7/analysis/1397566470/
TDS URL pattern
  • https://urlquery.net/report.php?id=1397566888166

  • https://urlquery.net/report.php?id=1397566887262

  • https://urlquery.net/report.php?id=1397566892018
---->
http://tds.cigarettescheap.net/
  • https://www.virustotal.com/de/url/108ea225a2cbc221f9a087fbcc49495921fa191d9fb0358385673df27b0a805d/analysis/1397567431/
TDS URL pattern
  • https://urlquery.net/report.php?id=1397567579389
----->
http://apharmshop.com/
  • https://www.virustotal.com/de/url/a0cf825561616bba65374be8a7b676cbfeb2964a47b08a7a566c186b4d511158/analysis/1397567650/
------>
http://edapotek.eu/
  • https://www.virustotal.com/de/url/796f23f603e37c30c96323a5a17e9240452213df055795e53fc2d94b4965c37c/analysis/1397567302/

Category MALICIOUS IP:
14.4.10.21 BLACKLISTED
Hijacked Netblock from Seoul, South Korea
(SBL & Don't Route Or Peer Lists)

A "hijacked netblock" is a netblock brought back from the dead, often by a spammer, also called a "zombie netblock." (The term "zombie" later became widely applied to the infected PC drones in a botnet.) The original owner of the block may have left it derelict for any number of reasons. Squatters then reclaim it with various ploys including registering an abandoned domain name to accept email to the point-of-contact domain contact, or printing up bogus letterhead, or doing a bit of human engineering over the telephone. Some hijackers even outright steal IP-space allocated to someone else just by announcing it under their BGP Autonomous System Number.


MALICIOUS IP: SEOUL, SOUTH KOREA
Hijacked Netblock
http://14.4.10.21/
  • https://www.virustotal.com/de/url/3520dd867e8371847c08460ac094cb5d6e216f0c7bae7dbb98864e9d79201af6/analysis/1397564100/
LISTED AT SPAMHAUS (SBL & Don't Route Or Peer Lists (DROP))
  • http://www.spamhaus.org/sbl/query/SBL187947
  • http://www.spamhaus.org/drop/
EMAILREP: POOR
WEBREP: POOR
  • http://www.senderbase.org/senderbase_queries/detailip?search_string=14.04.10.21
  • http://zulu.zscaler.com/submission/show/77cd2213cfd2699ec4e1d264d01de591-1397564244

CHILD MOLESTERs MUGSHOTs NOT FORGOTTEN:
Marcelo Alejo Desautu (MAD)
Sentenced to 17 Years in Prison for Sex Trafficking of a Minor

“Mr. Desautu gave drugs and alcohol to a 12-year-old girl and then prostituted her to adult men,” 

“He will now, appropriately, spend the next 17 years of his life paying for his horrific crimes. While no prison sentence can repair the harm caused by such appalling conduct, today’s sentence sends a strong message that we will pursue child sex traffickers to the fullest extent of the law.” 

Marcelo Alejo Desautu
http://www.justice.gov/opa/pr/2012/March/12-crm-354.html

4/14/2014

CATEGORY MALICIOUS IP:
118.249.108.152 = COMMENT SPAMMER

from Changsha, CHINA


CATEGORY MALICIOUS IP FROM 
Changsha, CHINA:

COMMENT SPAMMER - LISTED AT SPAMHAUS (PBL)
FOUND ON A CnC BOTSERVER (EXPLOIT) ROUNDUP LIST
http://118.249.108.152/
  • https://www.virustotal.com/de/url/6ed60ee1803bdf1832b1b82f44411076a2b118bcafcda2e48d4610d2a9baf2e8/analysis/1397506802/
PBL SPAMHAUS LISTED:
  • http://www.spamhaus.org/query/bl?ip=118.249.108.152

LISTED AT Tornevall:
  • http://www.ipvoid.com/scan/118.249.108.152/
EMAIL-REP: POOR
  • http://www.senderbase.org/lookup/?search_string=118.249.108.152
ROUNDUP:
  • https://www.projecthoneypot.org/ip_118.249.108.152

NEW POTENTIAL RISKWARE DETECTED:
not-a-virus:PSWTool.Win32.Agent.wi

from securityxploded.com
(SX Password Remover Suite - PASSWORDSTEALER)


NEW POTENTIAL RISKWARE DETECTED:
SX Password Remover Suite - PASSWORDSTEALER
not-a-virus:PSWTool.Win32.Agent.wi
http://securityxploded.com/download-file.php?id=1175
  • https://www.virustotal.com/de/url/e16f4432398839be81b26f99bd1383feb414f05f5a2a87c7a44b76ac835b72b1/analysis/1397489175/
http://securityxploded.com/getfile_plus.php?id=1175
  • https://www.virustotal.com/de/url/208ae819b9936e31aebe61a1f8109006c352819503e642d4dd7af3e28a554ca6/analysis/1397489192/
(SXPasswordRemoverSuite.zip) not-a-virus:PSWTool.Win32.Agent.wi
  • https://www.virustotal.com/de/file/39122c76f0ed46174644d507eb28d40050d2954f49a0cb4cdceeb3b4be7aec10/analysis/1397488622/
(Setup_SXPasswordRemoverSuite.exe) not-a-virus:PSWTool.Win32.Agent.wi
  • https://www.virustotal.com/de/file/b24cbff70b29b2da22dfb510fd446abcb302db15fdd373823d7aca59b58cabef/analysis/1397488631/
WEPAWET: SUSPICIOUS
  • http://wepawet.iseclab.org/view.php?hash=7e7933fe50b94cc98b071cd4f3cf0c3d&t=1397488890&type=js
  • http://zulu.zscaler.com/submission/show/e15f2d9e3452820d3e013e126d29424d-1397488901
IP:
http://64.150.191.172/
  • https://www.virustotal.com/de/url/774ec0fe019369938cf734a511ae4334b74f31e5c0202710934e0997df8a6e7f/analysis/
BESIDES THAT, THE FOLLOWING SUSPICIOUS/MALICIOUS LINK HAS BEEN FOUND (HIDDEN IFRAMES):
http://securityphresh.com/index.html
  • https://www.virustotal.com/de/url/560aa2ab68e0ab1713b590a4df8096afe6b7efcb072defb901c7d02446a75cd9/analysis/1397489696/
HIDDEN LINKS

HIDDEN IFRAMES TO:
http://2014.confidence.org.pl/
https://www.virustotal.com/de/url/c121b7f7adb198511ce3ff8be6daf221595296fa01e03a8d76fc0cf8f1894b97/analysis/1397491597/