Translate

6/08/2014

Tennessee ONLINE CHILD PREDATORS 2011:
George Stephen Russell (67)
Sentenced to 97 Months in Prison for Possession of Child Pornography

Russell’s possession of an extensive collection of child pornography, which he made accessible via the Internet to others who wished to trade child pornography with him, was discovered through an online undercover investigation by the Federal Bureau of Investigation (FBI).

George Stephen Russell
The FBI executed a federal search warrant at Russell’s residence in Oak Ridge, Tennessee, and seized his computers. Forensic examination of the seized computers revealed that he had possessed 3.841 images and 33 videos of suspected child pornography.

The National Center for Missing and Exploited Children identified 48 known victims of child pornography among the images and videos that Russell had possessed.

SOURCE

SEE ALSO: 
http://www.gpo.gov/fdsys/pkg/USCOURTS-tned-3_11-cr-00079/pdf/USCOURTS-tned-3_11-cr-00079-0.pdf

6/07/2014

MALICIOUS UKRAINIAN BLOG VISITOR TO THIS SITE:
Domain: www.trustcombat.com
IP: 193.169.86.16
Both listed at SPAMHAUS (CBL & DBL)
Darkmailer, DirectMailer, r57shell



MALICIOUS UKRAINIAN BLOG VISITOR
DOMAIN:
http://www.trustcombat.com/
  • https://www.virustotal.com/de/url/2cf65d9d85697456c083934f86a3ff2ebe33957bdeb4a46bfcfade3757943dba/analysis/1402156166/
  • https://www.virustotal.com/de/file/7c480e29f808effb1f06aa2dfd0a97a3192fc649293ecb39679716f16c000a1a/analysis/1402155972/
SPECIFIC VISITING LINK:
http://www.trustcombat.com/faq.htm
  • https://www.virustotal.com/de/url/f82e2bab033491836777d7b66c735884473f12a8f2bc05cb94994411ab0729cc/analysis/
  • https://www.virustotal.com/de/file/dac8b8d3f068796c7eda0e4fc1e529c151fc069f0788ac2992f166f47a47b944/analysis/1402155861/
LISTED AT SPAMHAUS (DBL):
  • http://www.spamhaus.org/query/domain/trustcombat.com
SEE ALSO:
  • http://zulu.zscaler.com/submission/show/3c2cb0b556a921a810249fdbc9203e5a-1402155759
  • https://www.mywot.com/en/scorecard/trustcombat.com
ALSO:
Nginx Server SOFTWARE OUTDATED. VULNERABLE !
IP:
http://193.169.86.16/
  • https://www.virustotal.com/de/url/71b23f991cac80f7ca367f2d91c835c62b6b6bdb1e15965813640c1172e91429/analysis/1402157283/
  • https://www.virustotal.com/de/file/2c16cd2a73dd803fda6f64ad50e507d0d6e72474036008c13e01bbd188f22a75/analysis/1402157590/
  • https://www.virustotal.com/de/ip-address/193.169.86.16/information/

The IP Address 193.169.86.16 (IP LOCATION: Ukraine) is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy and/or some other form of botnet. It was last detected at 2014-06-06 07:00 GMT (+/- 30 minutes), approximately 1 days, 9 hours, 29 minutes ago.

It has been relisted following a previous removal at 2014-06-01 06:17 GMT (6 days, 10 hours, 21 minutes ago).

This IP is sending email in such a way to indicate that it is, or is NATting for a web server that is infected with a spam sending script, like Darkmailer, DirectMailer, r57shell, or some analogous Perl, PHP or CGI script.

IP LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=193.169.86.16
  • http://cbl.abuseat.org/lookup.cgi?ip=193.169.86.16
EMAIL REP: POOR
  • http://www.senderbase.org/lookup/?search_string=193.169.86.16

New Jerseys ONLINE CHILD PREDATORS 2011:
Ronald Oshrin, 50, of Budd Lake, New Jersey
Sentenced to 15 years Federal Prison
for recording children with Hidden Cameras


Ronald Oshrin
A computer consultant from Budd Lake has been sentenced to 15 years in prison for installing hidden cameras in his Morris County home and then using the cameras to secretly record young girls who were nude or undressing. While admitting to his crime in December 2011, Ronald Oshrin, 50, pleaded guilty before U.S. District Judge Joseph H. Rodriguez to production of child pornography. Judge Rodriguez imposed the sentence in federal court in Camden.

Joseph H. Rodriguez
At the time the initial charges were brought in April 2012 against Oshrin – who is married with children – his lawyer said his client had 23 years of experience as a computer consultant with "the veteran's administration." Oshrin has admitted, according to authorities, that between 2007 and April 2012, he installed hidden cameras in a bedroom and a bathroom of his home in order to record nine young girls in various states of undress.

He's also admitted to editing the videos to produce still photographs, authorities say, as well as to distributing videos and the still photographs of the girls over the internet.

In addition, authorities said, Oshrin admitted to having sexual contact with certain minors.

According to an FBI-signed complaint made public in April 2012, agents spoke with Oshrin and he allegedly told them that he "regularly downloads child pornography from various websites on the internet.”


The complaint can be found here (.pdf):
http://www.justice.gov/usao/nj/Press/files/pdffiles/2012/Oshrin,%20Ronald%20Complaint.pdf

In addition, the complaint alleged that “he also regularly distributed child pornography through various methods including direct e-mail and posting on known child pornography sites and file sharing sites.”

The complaint also alleged that "when pre-pubescent girls were in the bathroom or bedroom, (Oshrin) would monitor the cameras and make video recordings of the girls ... disrobing, using the shower or using the toilet.

"Because he installed multiple cameras ... it allowed video production from various angles and allowed him to focus on specific areas of interest," the complaint said.

SOURCE: http://www.nj.com

ADDITIONAL LINKS:
  • http://www.fbi.gov/newark/press-releases/2012/man-who-allegedly-recorded-girls-with-hidden-camera-faces-federal-child-pornography-charge
  • http://www.nj.com/news/index.ssf/2012/04/morris_county_man_accused_of_u.html

6/01/2014

Category MALICIOUS IP: 217.106.230.143
Infected with CONFICKER Botnet & Dictionary Attacker
CBL Listed (Russian Federation)


The IP Address 217.106.230.143 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.


It was last detected at 2014-06-01 09:00 GMT (+/- 30 minutes), approximately 3 hours ago.

This IP is infected (or NATting for a computer that is infected) with the Conficker botnet.

---------------------------------------------------------------------------------------------------------------------------------------------

IP:
http://217.106.230.143/
  • https://www.virustotal.com/de/url/2eec4640667c218ae8a6a9da97422083720b4477387dfcc59e569bd0d014d424/analysis/1401473689/
  • https://www.virustotal.com/de/ip-address/217.106.230.143/information/
Listed at SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=217.106.230.143
Listed at CBL:
  • http://cbl.abuseat.org/lookup.cgi?ip=217.106.230.143
Listed at Weighted Private Block List:
  • http://www.wpbl.info/cgi-bin/detail.cgi?ip=217.106.230.143
Listed NiX-Spam
  • http://www.dnsbl.manitu.net/?language=en
Dictionary Attacker & SPAM Sender:
SPAM MAILS SENT FROM THIS IP: 3.233
  • https://www.projecthoneypot.org/ip_217.106.230.143 
SEE ALSO:
  • http://zulu.zscaler.com/submission/show/dddc53f4ec74d5076fc8be59977acc69
  • http://www.senderbase.org/lookup/?search_string=217.106.230.143
  • http://net.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

5/27/2014

Password Protection and Glenn Greenwald:
"He (Edward Snowden) would often put a blanket over his head
when he wanted to enter his computer system
to prevent overhead cameras from picking
up the password to the encryption,"

It is not Funny Anymore:

Know what i am TALKing about ? See my (almost) very first Post on this BLOG from 2013:

Reference...: http://www.businessinsider.com/united-states-of-secrets-2014-5
http://stayaway2.blogspot.com/2013/11/password-protection.html



Dont we all think like that, sooner or LATER ?? Or will we sit ??? (like that)..


POTENTIALLY DAMAGING IP: 198.50.178.90
COMMENT SPAMMER & MORE
Montréal, CANADA




POTENTIALLY DAMAGING IP:
http://198.50.178.90/
  • https://www.virustotal.com/de/url/49af94681d256ad8f31faa479b1a97d576e162c723c0f894e11a7fac21042a4d/analysis/1401210067/
XML
  • https://www.virustotal.com/de/file/0a43cb9ab42a7a08ac796fc0f90cb28bdf063a8f1a84096754950f46db83cdbe/analysis/1401210229/
COMMENT SPAMMER:
  • https://www.projecthoneypot.org/ip_198.50.178.90
LISTED AT TORNEVALL:
  • http://dnsbl.tornevall.org/
Heartbleed OpenSSL Result: Vulnerable
  • http://zulu.zscaler.com/submission/show/974aa036407238e24522b1aa10d27646-1401210072
BESIDES THAT: OUTDATED APACHE SERVER SOFTWARE: VULNERABLE
  • http://httpd.apache.org/security/vulnerabilities_24.html
-------->
DOMAIN:
http://exe.moneyrobot.com/
  • https://www.virustotal.com/de/url/13158ea50cdf2e66bce90bd6845f2a496012338f90047900bf21e11cf29de56e/analysis/1401210907/
PUA MoneyRobot.exe (The digital signature of the object did not verify)
  • https://www.virustotal.com/de/file/c974e9923097b2bec307212a12b0165c263f03b3156bd7f735d5c628edb57611/analysis/
  • https://www.virustotal.com/de/file/4a5e038bc0bbd3e1e0ba7d4489eda42df6a6b4237aff1c489b4d6d2c760c5367/analysis/
  • https://www.virustotal.com/de/file/75976b46e7a286d49e9ac74a1f6090c95226495c655ac83d601b2f79a6cfe52e/analysis/
http://exe.moneyrobot.com/Data/bcdc096817213b207777e843e90e7767
  • https://www.virustotal.com/de/url/8e8a714041ac640b848c6157bfff80edc9b8f5366d34982efe15104ca2f63aba/analysis/1401210501/
BESIDES THAT: OUTDATED APACHE SERVER SOFTWARE: VULNERABLE
  • http://httpd.apache.org/security/vulnerabilities_24.html
IP:
http://67.205.81.45/
  • https://www.virustotal.com/de/url/ec13ba31f3a882856e43d75c7a15dc972e227201d8947815b532c5aa54c0ab5f/analysis/1401211771/
  • https://www.virustotal.com/de/file/752c03b6b7c5b46c8b2e2a0715b9847a3d9be43b1b1d5ba1484ef88d729d0464/analysis/1401211825/
  • https://www.virustotal.com/de/ip-address/67.205.81.45/information/
  • http://zulu.zscaler.com/submission/show/e729c788a7cca9552811c1ea8b13c430-1401212249
BESIDES THAT: OUTDATED APACHE SERVER SOFTWARE: VULNERABLE
  • http://httpd.apache.org/security/vulnerabilities_24.html
SPAM SERVER, BAD WEB HOST (18):
  • https://www.projecthoneypot.org/ip_67.205.81.45

5/25/2014

Corruption & Internet Gambling:
Joplin Councilman BILL SCEARCE
Admitted knowing about Gambling Operation

Source: www.facebook.com/joplinglobe/posts/10151657477837142

Councilman Bill Scearce said that he ultimately did know there was illegal gambling going on in an office he was renting to another man in the early 1990s in Joplin, Missouri.

BILL SCEARCE
Scearce, who had previously denied (to the Joplin Globe) having any knowledge that a illegal bookmaking operation was being carried out, said he did not know that was to be the use of the office at the time he agreed to rent it to Kenneth Lovett. But, he also said, that he did not do anything about it after he found out.

Scearce called the Globe and said he wanted to clarify earlier statements he made regarding his knowledge of bookmaking operations that had gone on in an office behind one of his former businesses, Olsten Staffing Services.

He is facing an investigation sought by the City Council into a previous FBI probe of gambling in Joplin. The council wants to know whether the FBI had turned up anything about Scearce that might have constituted a violation of council rules. In the same investigation, recent questions about property transactions involving Councilman Mike Woolston, a real estate agent, are to be scrutinized.
Councilman Mike Woolston

Mayor Melodee Colbert-Kean said Friday the council probe will continue.

“We’re going to let the investigation play out,” she said. “Maybe earlier it could have been waylaid or suspended but at this point it would behoove us to follow through to make sure everything is on the up and up.”

An FBI probe that started in Joplin in 2008 resulted in the firing of at least one Joplin Police Department officer and the indictments last year of three Joplin men on bookmaking charges.

Mayor Melodee Colbert-Kean (left)
Lovett, 73, and William Lisle, 58, were named in a Feb. 29, 2012, indictment with conducting illegal sports betting on the Internet from 2003 until 2011.

Lovett was fined $2,000 and ordered confined to his home for six months. He also was placed on probation for two years. Lisle received a similar sentence as did Clyde A. Jeffries, 77, who now lives in Las Vegas. See: http://www.fbi.gov/kansascity/press-releases/2012/former-joplin-man-indicted-for-internet-gambling

In court documents filed with the men’s cases, Scearce was listed as having been the person from whom Lovett rented an office in the early 1990s. Lovett was engaged in bookmaking during those years as well, according to court documents.

Scearce was asked by the Globe last year about the nature of his association with Lovett. He said Lovett had rented office space from him and that he was unaware of for what he used the office. He also said he resented the Globe asking him about it. He told the Globe again, in September of this year, that he had no knowledge of what transpired in the office he had rented to Lovett.

On Friday, Scearce said he did not know Lovett would use the office for gambling when he first rented it to him.

“I did later find out he was gambling,” Scearce said. “I did become aware that Kenney was a bookie. There were a lot of people going in and out of there.”

Scearce said he personally never gambled with Lovett. He said when he found out that was what was going on in the rental office, he sought advice from legal advisers. He said he was advised to do nothing and to stay out of Lovett’s office. He said he called a meeting of his staff members and told them “none of us was to have any association with them.”

Scearce said that he was questioned by the FBI at one time in regard to the operation.

“The FBI came and visited with me,” he said. “They asked if I gambled, and I said no, I didn’t. They didn’t charge me with anything.”

Scearce said the FBI also did not charge Lovett with any crime related to the time frame of the office rental, which was from 1991 to 1995. Lovett’s indictment was related to Internet gambling that had taken place since 2008.

Scearce, asked in a second conversation on Friday if he should keep his council seat in view of the changing statements, said, “I just wanted to make sure you understand I didn’t feel I had to do anything about it” when he learned of the gambling. “Why would it have any bearing on my ability to serve on the council? This happened in 1991. I was not on the council when this took place. I was a private citizen.”

The Globe, in September 2012, filed a formal request for the FBI reports regarding the gambling and public corruption probe it had conducted. Those reports have not so far been forthcoming. The council asked that its investigator obtain the reports.

5/23/2014

Potentially Malicious Host IP: 216.40.47.17
Combined attack from Part of Botnet
Toronto, Canada

Potentially Malicious IP:
  • See Comments Below: https://www.projecthoneypot.org/ip_216.40.47.17

ATTEMPTED ADMIN EXPLOIT HACK
(Attempt to access non existing admin area using known exploit)
Combined attack from Part of Botnet:

216.40.47.17 - Canada - Tucows International - Domain: theblackberrydiaries.com
216.154.213.199 - United States - Strategic Systems Consulting - Hostname: babygo.zeebu.com - Domain: zeebu.com - Resolve Host: brennix.com ,northernartglass.com, ryersontennisclub.com, megamenus.com, kathybuckworth.com, centos5.brennix.com, epixus.com,

COMMON USER-AGENT:
"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"

SMALL SAMPLE:
theblackberrydiaries.com - - [16/Jan/2012:10:16:44 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 435 "-"
theblackberrydiaries.com - - [16/Jan/2012:10:16:44 +0000] "GET /ixxx/admin/xxx HTTP/1.1" 403 437 "-"
northernartglass.com - - [16/Jan/2012:10:16:44 +0000] "GET /admin/xxx HTTP/1.1" 403 411 "-"
ryersontennisclub.com - - [16/Jan/2012:10:16:44 +0000] "GET /admin/xxx HTTP/1.1" 403 413 "-"
megamenus.com - - [16/Jan/2012:10:16:45 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 429 "-"
kathybuckworth.com - - [16/Jan/2012:10:16:45 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 427 "-"
centos5.brennix.com - - [16/Jan/2012:10:17:03 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 437 "-"
brennix.com - - [16/Jan/2012:10:17:04 +0000] "GET /admin/xxx HTTP/1.1" 403 411 "-"
epixus.com - - [16/Jan/2012:10:17:04 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 439 "-"
demo.northernartglass.com - - [16/Jan/2012:10:17:04 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 435 "-"
demo.brennix.com - - [16/Jan/2012:10:17:05 +0000] "GET /admin/xxx HTTP/1.1" 403 413 "-"
old.northernartglass.com - - [16/Jan/2012:10:17:06 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 437 "-"
new.northernartglass.com - - [16/Jan/2012:10:25:20 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 439 "-"
m.brennix.com - - [16/Jan/2012:10:25:21 +0000] "GET /admin/xxx HTTP/1.1" 403 413 "-"

-----------------------------------------------------------------------------------------------------

The domain lvchildcareconnection.com is spamming really heavy pleas flag this IP as a dangerous IP.

-----------------------------------------------------------------------------------------------------
http://216.40.47.17/ 
  • https://www.virustotal.com/de/url/bc9a5dc68621a1bbff0dcd909b5519b839459e17816845554c105c06aa0e7e8f/analysis/1400862995/
  • https://www.virustotal.com/de/ip-address/216.40.47.17/information/
  • http://www.senderbase.org/lookup/?search_string=216.40.47.17

5/21/2014

Snowshoe Spam & PHISHING from
hintcontrol.com

"Recevez vos 2222Eur de B0nus" ("Receive a 2222 Euro Bonus)
Hamilton, CANADA IP: 68.66.63.47 (Listed at SPAMHAUS)


Recevez vos 2222€ de

bienvenue maintenant!

En plus de cela, nous offrons des bonus gratuits speciaux.

 Voici comment recevoir vos 2222€:

• Ouvrez un compte

• Allez sur le chat en direct en cliquant ici et ecrivez le code suivant: 2222

• Selectionnez un jeu auquel vous aimeriez jouer depuis les options disponibles

• Vous avez 48 heures pour prendre le bonus

Contactez-nous pour reclamer vos 2222€.

L'equipe chaleureuse du support est disponible 24/7.

Soyez rapide - Cette offre est valable pour une periode limitee!

Cordialement,
John F.

MAIL SCREENSHOT
 --------------------------------------------------------------------------------------------------------------------------------------------

PHISHING, SPAM & SCAM DOMAIN:
http://hintcontrol.com/
  • https://www.virustotal.com/de/url/d08035f592b89fcc08f095f6223461b8398777c25df0021def4233588d6d0577/analysis/1400676550/
OTHER LINKS IN THE MAIL:
http://hintcontrol.com/link.php
  • https://www.virustotal.com/de/url/a4e0ade9db3e028e094bf4969ce3b7cb80783d9d3f6ecf1478f780aae2dc235c/analysis/1400676704/
  • https://www.virustotal.com/de/file/22fc373d3b3ab36009613adfd7bb60f7135a4f510aa31808856e721dd5799d0c/analysis/1391621840/
http://hintcontrol.com/open.php
  • https://www.virustotal.com/de/url/7da87cb951f0d660fc77ec4729444510a0306b278147b9baeef07553f0b39f58/analysis/1400676746/
  • https://www.virustotal.com/de/file/dd5bdccb831d1b19c505bd3e67553f6049cea2e20dba7eb231a02ed0103e521f/analysis/1400396318/
http://hintcontrol.com/unsubscribe.php
  • https://www.virustotal.com/de/url/4b68e4d1860ce9b98bbf19294b988dede6aa7c34ef59a64241698795940def92/analysis/1400676787/
  • https://www.virustotal.com/de/file/fb18ec2dc45858efd8a69d17873eb1a92801a4af8e6b6a44b03e9e7a69d11ffd/analysis/1391621799/
BLACKLISTS:
  • http://www.spamhaus.org/query/domain/hintcontrol.com
  • https://www.mywot.com/en/scorecard/hintcontrol.com
  • http://www.surbl.org/lists
  • http://zulu.zscaler.com/submission/show/4e639b2311aa3e474bcb1eba327a1e3a-1400676384
DOMAIN-IP (ANALYSIS MOMENT):
http://68.66.63.47/
  • https://www.virustotal.com/de/url/fc053947e300bbe62a101a18295c553058b0ff9912a9c414cb539a19f512d509/analysis/1400677067/
  • https://www.virustotal.com/de/ip-address/68.66.63.47/information/
SNOWSHOE SPAM BLACKLISTED AT:
  • http://www.spamhaus.org/query/bl?ip=68.66.63.47
  • http://www.spamhaus.org/sbl/query/SBL218662
  • http://www.spamhaus.org/sbl/listings/networxhosting.com
  • http://networxhosting.com/
  • https://www.virustotal.com/de/url/7d49824dde2a6c1f3bf7794240fb4638a87c1c1e420a2a65720a791662f96543/analysis/1400677424/
  • http://www.senderbase.org/lookup/?search_string=68.66.63.47
  • http://zulu.zscaler.com/submission/show/ec6dd530622db7ec31301159b81b7e9c-1400676906
MAIL ORIGINATING IP(s):
http://14.4.22.14/ (SOUTH KOREA)
  • https://www.virustotal.com/de/url/b4587224cb226aefacab1ed4e70d2e0695db607469fdb4c0f5c2084182957e5b/analysis/1400677788/
LISTED AT SPAMHAUS (SBL & DROP)
  • http://www.spamhaus.org/query/ip/14.4.22.14
  • http://www.spamhaus.org/sbl/query/SBL187947
  • http://www.senderbase.org/lookup/?search_string=14.4.22.14
http://68.66.63.122/
  • https://www.virustotal.com/de/url/379fe4b9d56b57279031e9cf4f00f5452269914c30abdc837c567845c0dd49cb/analysis/1400678183/
LISTED AT SPAMHAUS (SBL):
  • http://www.spamhaus.org/query/bl?ip=68.66.63.122
  • http://www.spamhaus.org/sbl/query/SBL218662
  • http://www.senderbase.org/lookup/?search_string=68.66.63.122

IP RANGE INCLUDES THE FOLLOWING BLACKLISTED DOMAINS (IPs):
68.66.63.2    sightsetup.com    listed
68.66.63.3    setuplevel.com    listed
68.66.63.4    setupidea.com    listed
68.66.63.5    setupgrade.com    listed
68.66.63.6    directsetup.com    listed
68.66.63.7    setuphint.com    listed
68.66.63.8    ranklevel.com    listed
68.66.63.9    hintrank.com    listed
68.66.63.10    sightbusiness.com listed
68.66.63.11    officelevel.com    listed
68.66.63.12    sortideas.com    listed
68.66.63.13    steadysort.com    listed
68.66.63.14    guidehint.com    listed
68.66.63.15    sightlead.com    listed
68.66.63.16    steadylead.com    listed
68.66.63.17    leadsetup.com    listed
68.66.63.18    setuplead.com    listed
68.66.63.19    managesight.com    listed
68.66.63.20    managestatus.com listed
68.66.63.21    managesetup.com    listed
68.66.63.22    hintcontrol.com    listed
68.66.63.23    controlimage.com listed
68.66.63.24    pointsteady.com    listed
68.66.63.25    setupoint.com    listed
68.66.63.26    channelidea.com    listed
68.66.63.27    sightsetup.com    listed
68.66.63.28    setuplevel.com    listed
68.66.63.29    setupidea.com    listed
68.66.63.30    setupgrade.com    listed
68.66.63.31    directsetup.com    listed
68.66.63.32    setuphint.com    listed
68.66.63.33    ranklevel.com    listed
68.66.63.34    hintrank.com    listed
68.66.63.35    sightbusiness.com listed
68.66.63.36    officelevel.com    listed
68.66.63.37    sortideas.com    listed
68.66.63.38    steadysort.com    listed
68.66.63.39    guidehint.com    listed
68.66.63.40    sightlead.com    listed
68.66.63.41    steadylead.com    listed
68.66.63.42    leadsetup.com    listed
68.66.63.43    setuplead.com    listed
68.66.63.44    managesight.com    listed
68.66.63.45    managestatus.com listed
68.66.63.46    managesetup.com    listed
68.66.63.47    hintcontrol.com    listed
68.66.63.48    controlimage.com listed
68.66.63.49    pointsteady.com    listed
68.66.63.50    setupoint.com    listed
68.66.63.51    channelidea.com    listed
68.66.63.52    sightsetup.com    listed
68.66.63.53    setuplevel.com    listed
68.66.63.54    setupidea.com    listed
68.66.63.55    setupgrade.com    listed
68.66.63.56    directsetup.com    listed
68.66.63.57    setuphint.com    listed
68.66.63.58    ranklevel.com    listed
68.66.63.59    hintrank.com    listed
68.66.63.60    sightbusiness.com listed
68.66.63.61    officelevel.com    listed
68.66.63.62    sortideas.com    listed
68.66.63.63    steadysort.com    listed
68.66.63.64    guidehint.com    listed
68.66.63.65    sightlead.com    listed
68.66.63.66    steadylead.com    listed
68.66.63.67    leadsetup.com    listed
68.66.63.68    setuplead.com    listed
68.66.63.69    managesight.com    listed
68.66.63.70    managestatus.com listed
68.66.63.71    managesetup.com    listed
68.66.63.72    hintcontrol.com    listed
68.66.63.73    controlimage.com listed
68.66.63.74    pointsteady.com    listed
68.66.63.75    setupoint.com    listed
68.66.63.76    channelidea.com    listed
68.66.63.77    sightsetup.com    listed
68.66.63.78    setuplevel.com    listed
68.66.63.79    setupidea.com    listed
68.66.63.80    setupgrade.com    listed
68.66.63.81    directsetup.com    listed
68.66.63.82    setuphint.com    listed
68.66.63.83    ranklevel.com    listed
68.66.63.84    hintrank.com    listed
68.66.63.85    sightbusiness.com listed
68.66.63.86    officelevel.com    listed
68.66.63.87    sortideas.com    listed
68.66.63.88    steadysort.com    listed
68.66.63.89    guidehint.com    listed
68.66.63.90    sightlead.com    listed
68.66.63.91    steadylead.com    listed
68.66.63.92    leadsetup.com    listed
68.66.63.93    setuplead.com    listed
68.66.63.94    managesight.com    listed
68.66.63.95    managestatus.com listed
68.66.63.96    managesetup.com    listed
68.66.63.97    hintcontrol.com    listed
68.66.63.98    controlimage.com listed
68.66.63.99    pointsteady.com    listed
68.66.63.100    setupoint.com    listed
68.66.63.101    channelidea.com    listed
68.66.63.102    sightsetup.com    listed
68.66.63.103    setuplevel.com    listed
68.66.63.104    setupidea.com    listed
68.66.63.105    setupgrade.com    listed
68.66.63.106    directsetup.com    listed
68.66.63.107    setuphint.com    listed
68.66.63.108    ranklevel.com    listed
68.66.63.109    hintrank.com    listed
68.66.63.110    sightbusiness.com listed
68.66.63.111    officelevel.com    listed
68.66.63.112    sortideas.com    listed
68.66.63.113    steadysort.com    listed
68.66.63.114    guidehint.com    listed
68.66.63.115    sightlead.com    listed
68.66.63.116    steadylead.com    listed
68.66.63.117    leadsetup.com    listed
68.66.63.118    setuplead.com    listed
68.66.63.119    managesight.com    listed
68.66.63.120    managestatus.com listed
68.66.63.121    managesetup.com    listed
68.66.63.122    hintcontrol.com    listed
68.66.63.123    controlimage.com listed
68.66.63.124    pointsteady.com    listed
68.66.63.125    setupoint.com    listed
68.66.63.126    channelidea.com    listed

5/20/2014

SSH Rootkit Ebury
Category MALICIOUS IP: 203.153.108.227 (INDONESIA)
Listed at SPAMHAUS (CBL)
Linux, FreeBSD or some other form of UNIX

The IP Address 203.153.108.227 is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy or some other form of botnet. It was last detected at 2014-05-20 07:00 GMT (+/- 30 minutes), approximately 10 hours ago.

Screenshot of 203.153.108.227


We have detected that this IP is NATting for, or is infected itself, with a Linux (or possibly some other Unix-like system such as FreeBSD) Trojan spam mailer script. This is no joke. This infection is extremely dangerous as it can download anything it wishes, and needs to be removed ASAP.

We do not know how the malware got installed onto the machine, but we know a lot of what it does. The main thing we've seen it doing is sending staggering large volumes of email spam. But it can do a lot more than that, and that is the real danger.

NEW

Of late some of these infections are facilitiated by a SSH Rootkit called "ebury". See this link for more detail.

In most cases, this IP address would be that of a shared hosting environment. If you are a customer of this environment, you will almost certainly not be able to do anything about it, only the administrators of the hosting environment itself can. Please contact your administrators, and refer them to this page. If the administrators are reluctant to do anything please try to convince them, because there is nothing you can do to fix this problem.

For further Info, please read the Screenshots made earlier in the Day (at the End of this Post).

----------------------------------------------------------------------------------------------------------------------------------------------

Analysis:

MALICIOUS IP (PHISH RISK: RouterOS router configuration page):

Heuristic.LooksLike.HTML.Suspicious-URL.E
http://203.153.108.227/
  • https://www.virustotal.com/de/url/0a964415fc55b5cdc18c0d36636601c5510eb3646d5ecf9a7513698add2a9817/analysis/1400587343/
Heuristic.LooksLike.HTML.Suspicious-URL.E
  • https://www.virustotal.com/de/file/e23ec81b12a8af1412ab02d126086162b758908f1cf3e26a3f9797c3da242a74/analysis/1400587434/
  • http://quttera.com/detailed_report/203.153.108.227
  • http://zulu.zscaler.com/submission/show/4b322c1b6dd9f1d6b3f50243c20b5c37-1400587353
  • http://www.wpbl.info/cgi-bin/detail.cgi?ip=203.153.108.227

SPAMSERVER & DICTIONARY ATTACKER:
  • https://www.projecthoneypot.org/ip_203.153.108.227
  • http://www.senderbase.org/lookup/?search_string=203.153.108.227
LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=203.153.108.227
CBL LISTED:
  • http://cbl.abuseat.org/lookup.cgi?ip=203.153.108.227
OTHER MALICIOUS FILE:
http://203.153.108.227/winbox/winbox.exe
  • https://www.virustotal.com/de/url/d2563f5885fbe8174154ed20d776233135b80220e97d21b3b42b231c38e69311/analysis/1400602467/
  • https://www.virustotal.com/de/file/dcc31d4643e17d31db636c8ccc7e34d004876f18b5d48828ea37e2e8e5e19bcf/analysis/1400068690/
----------------------------------------------------------------------------------------------------------------------------------------------


5/16/2014

Washington State ONLINE CHILD PREDATORS 2011:
Leif O’Neil Christensen

Sentenced to 13 Years in Federal Prison
For Child Pornography And Gun Possession


Defendant Had 2006 State Convictions for Possession of Child Pornography

A Skagit County felon was sentenced today in U.S. District Court in Seattle to 13 years in prison for possession of child pornography and being a felon in possession of a firearm, announced U.S. Attorney Jenny A. Durkan. Leif O’Neil Christensen, 32, of Anacortes, Washington, had been convicted in 2006 in Snohomish County of possession of child pornography. Due to that conviction, Christensen faced a 10-year mandatory minimum sentence and was prohibited from possessing a firearm. U.S. District Judge James L. Robart imposed 20 years of supervised release following the prison term.

Jenny A. Durkan
Christensen came to the attention of law enforcement in February 2010 when an FBI agent working online in an undercover capacity identified an Internet protocol (IP) address that was using peer-to-peer file sharing software to distribute child pornography. The IP address was linked to Christensen. As officers were preparing search warrants, Christensen was arrested for failing to register as a sex offender.

In December 2010, a second investigation led to a different IP address associated with Christensen in Anacortes, Washington. In March 2011, law enforcement searched that home and found both child pornography and a Ruger firearm in Christensen’s living space. Christensen was arrested. He was indicted in October 2011 and pleaded guilty in January 2012.

In asking for a 15-year sentence, prosecutors wrote to the court that Christensen’s criminal history “reveals a combustible mix of sexual deviancy, violence, poor impulse control, and drug abuse and addiction. He has admitted to molesting three boys when he was in his late teens and early 20s.

The abuse he suffered as a child undoubtedly affected him and most likely contributed to his current criminal history and the instant offense. Understanding his background may help explain his situation somewhat, but it does not mitigate the danger that he poses now, to the community at large, and to young children that he might meet. The overriding concern is that the defendant be prevented from molesting another boy.”

Direct Link Source

5/15/2014

District of Columbia ONLINE CHILD PREDATORS 2011:
Richard Evans
, 25, Sentenced to 9 Years in Prison
for Distribution of Child Pornography

Search of Defendant’s Residence Yields Hundreds
of Images of Child Pornography


Richard Evans, 25, of Washington, D.C., was sentenced today to nine years in prison on a federal charge of distributing child pornography, announced U.S. Attorney Ronald C. Machen, Jr..

US Attorney Ronald C. Machen, Jr.
Evans pled guilty to the charge in March 2012 in the U.S. District Court for the District of Columbia. He was sentenced by the Honorable Gladys Kessler.

Following completion of his prison term, Evans will be placed on a 10 year supervised release, with numerous conditions. Among other things, Evans must restrict his use of the Internet, undergo sex offender treatment, register as a sex offender for 25 years, and refrain from contact with children.


Gladys Kessler
According to a factual proffer of evidence presented during the court proceedings, on November 15, 2011, Evans contacted an undercover agent with the FBI’s Child Exploitation Task Force on a social network site.

Over those next two weeks, EVANS engaged in multiple online conversations with the undercover officer, during which he expressed an interest in meeting an underaged girl and engaging in sexual contact with her.

Evans also sent the undercover officer multiple images of child pornography and acknowledged that he actively traded child pornography with other individuals online. In the course of the online communications, Evans further expressed interest in watching the undercover performing sexual acts with the under-aged girl via web camera over the Internet and in having the undercover send him a video of the underaged girl engaged in sexual acts.

Law enforcement obtained an arrest warrant for Evans and a search warrant for his residence in Washington, D.C. On November 30, 2011, Evans was arrested. A forensic analysis of computer equipment inside Evans’ residence confirmed that he possessed approximately 560 images and 102 videos of child pornography, which were organized into various subfolders according to the category of sexual genre, fetish, and/or sexual acts.

BAD DOMAIN
adr-design-ol.com
PLUS Malicious IPs:
14.4.16.3 - 181.174.168.6 - 181.174.168.81

SPAM, SCAM, PHISHING DOMAIN: Snowshoe Spam Operation

Salut 
Combien de fois par heure cliquez-vous sur le bouton de la souris dans votre navigateur? 
Je pane que c'est des centaines et des centaines de lois! 
Ne le dites a personne, mais it y a une facon ties cool de faire de l'argent 83% du temps, en cliquant sur ce bouton comme vous le faites en ce moment. 
Le gain moyen avec ce logiciel est de 106€/heure depuis Novembre 2013. 
Je l'ai testa moi-meme pendant 7 mois quand Veronique me ra recommandee, et vraiment c'est incroyable! 
Prenez quelques minutes de votre temps, coupez votre telephone et regardez entierement la video, tout est explique dessus. 
==> Lien ici

SCREENSHOT PHISH MAIL
SPAM, SCAM, PHISHING DOMAIN: Snowshoe Spam Operation
http://adr-design-ol.com/
  • https://www.virustotal.com/de/url/2b72114a732cd699f581e06564480300a8e302d06bfcccbce7ac8166cabd8fa4/analysis/1400167170/
http://adr-design-ol.com/link.php
  • https://www.virustotal.com/de/url/37c07091a8879066a884f332cd885e019cafd2b99790b2f11bdc80e3ef9442b6/analysis/1400167420/
  • https://www.virustotal.com/de/file/22fc373d3b3ab36009613adfd7bb60f7135a4f510aa31808856e721dd5799d0c/analysis/1391621840/

http://adr-design-ol.com/unsubscribe.php
  • https://www.virustotal.com/de/url/11c22e4e1090edcf585d900f1dd4dffdc8a44ed6ed8783daf7a62ec4bc6c0d6f/analysis/1400167493/
  • https://www.virustotal.com/de/file/fb18ec2dc45858efd8a69d17873eb1a92801a4af8e6b6a44b03e9e7a69d11ffd/analysis/1391621799/

http://adr-design-ol.com/open.php
  • https://www.virustotal.com/de/url/6c2dbb922e3e30f2a112a725319a00d259a8507e3c31126f530f0e2704f4dce6/analysis/1400167554/
  • https://www.virustotal.com/de/file/dd5bdccb831d1b19c505bd3e67553f6049cea2e20dba7eb231a02ed0103e521f/analysis/1399916678/
SITE LISTED AT WOT & SURBL:
  • https://www.mywot.com/en/scorecard/adr-design-ol.com
  • http://www.surbl.org/lists
  • http://zulu.zscaler.com/submission/show/2a4986454e03241629220d8e376781b9-1400167304
ORIGINATING IPs:
http://14.4.16.3/
  • https://www.virustotal.com/de/url/666d33f841a4e4c68a52e81a9141ea242811e09efcf13f6cecf461500af3a310/analysis/1400167686/
LISTED AT SPAMHAUS (SBL & DROP)
  • http://www.spamhaus.org/query/bl?ip=14.4.16.3
  • http://www.spamhaus.org/sbl/query/SBL187947
  • http://www.senderbase.org/senderbase_queries/detailip?search_string=14.04.16.03

http://181.174.168.6/
  • https://www.virustotal.com/de/url/63c86d785b7b16c99eb6fb4aca044191870a6b15de26cb708870377346a8b7d3/analysis/1400168023/
LISTED AT SPAMHAUS (SBL) Snowshoe Spam Operation
  • http://www.spamhaus.org/query/bl?ip=181.174.168.6
  • http://www.spamhaus.org/sbl/query/SBL217862
  • http://www.senderbase.org/lookup/?search_string=181.174.168.6
http://181.174.168.81/
  • https://www.virustotal.com/de/url/3df9b921c5e89393664e0be0cfc58137e2396acaf30688aad56f12a79daaeff6/analysis/1400168541/
LISTED AT SPAMHAUS (SBL) Snowshoe Spam Operation
  • http://www.spamhaus.org/query/bl?ip=181.174.168.81
  • http://www.spamhaus.org/sbl/query/SBL217862
  • http://www.senderbase.org/lookup/?search_string=181.174.168.81

5/14/2014

Category MALICIOUS IP: 74.91.17.228
Comment Spammer & RULE BREAKER
(LISTED AT TornevallNET)
Kansas City, MISSOURI, United States

MALICIOUS IP: COMMENT SPAMMER & RULE BREAKER
http://74.91.17.228/ (Kansas City, MISSOURI)
  • https://www.virustotal.com/de/url/fbcd5088b580dd9c07b2de9601c20618756c1e90c68bc42f974d0e3747a11f5f/analysis/1400100618/

LISTED AT TornevallNET
  • http://dnsbl.tornevall.org/
  • http://www.ipvoid.com/scan/74.91.17.228/
Form Posts: 2771

RULE BREAKS: 3 web page navigation rules broken by this IP
  • https://www.projecthoneypot.org/ip_74.91.17.228
Network Owner:
http://www.datashack.net/
  • https://www.virustotal.com/de/url/613dddb1e1ba69a8a8808dafe1b1e237bf5b5ca6d56c04260eb7279e12b35c09/analysis/
IP DATAShack:
http://108.162.203.173/
  • https://www.virustotal.com/de/url/bfa1f2179b4602f74892918accbb1fdd6147a1046e98f1a7554cbd49be015485/analysis/1400102035/

New Mexico ONLINE CHILD PREDATORS 2010:
Adam Goodsell
, 29, of Albuquerque
sentenced to 10 Years Federal Prison

A U.S. child porn distributor collared by the efforts of Winnipeg police and a local civilian tipster has been handed a 10-year prison term.

Adam Pedophile
Adam Goodsell, 29, was sentenced to the lengthy term in a New Mexico federal court, according to the Associated Press. Goodsell was charged in the U.S. after a Winnipeg woman complained about being sent sick images depicting child abuse or exploitation after striking up an online relationship with Goodsell. She reported the incident to Cybertip.ca in August 2010.

That tip was passed off to the Winnipeg Police Service's Internet Child Exploitation unit and she assisted detectives in the investigation. A Winnipeg undercover Agent managed to access Goodsell's computer through a file-sharing program and found more than 80.000 child-porn files available for distribution to others.

Investigators with the Albuquerque Police Department obtained a warrant to search the man's house. They seized and searched computer equipment, finding a number of illegal images.

"Goodsell admitted that while the search warrant was being executed he participated in a recorded interview during which he admitted having more than 1,000 child pornography files 'from babies on up' on his computers," the U.S. Department of Justice said in a statement announcing his plea to a distribution charge last October.

5/09/2014

SPAM: Jennifer Woodard (woodardjennifer27@yahoo.com)
DOMAIN: darwinistneleridusunmez.com
IP: 180.180.146.4 Bankok, THAILAND




DOMAIN:
http://darwinistneleridusunmez.com/
  • https://www.virustotal.com/de/url/51ee5532251a6a564ea561ab27211e864beec50df216a0827b1bb1052c369a5a/analysis/1399629448/
http://darwinistneleridusunmez.com/lsy/view.php
  • https://www.virustotal.com/de/url/9d8251b452e80791bae691d8eebe0681a092719cf553c5e80c6b1784793c0928/analysis/1399629579/
DOMAIN IP:
http://54.247.100.110/
  • https://www.virustotal.com/de/url/e1792fc59ff57735b91d13358c35cf0028ecf8516e36fbe23060b1eb8db96e10/analysis/1399631113/
  • https://www.virustotal.com/de/ip-address/54.247.100.110/information/
IP LISTED AT SPAMHAUS (CBL)
  • http://www.spamhaus.org/query/bl?ip=54.247.100.110
  • http://cbl.abuseat.org/lookup.cgi?ip=54.247.100.110
  • http://www.senderbase.org/lookup/?search_string=54.247.100.110

MAIL IPs:
1)
http://180.180.146.4/ (THAILAND)
  • https://www.virustotal.com/de/url/dff9af04709b5bc1aec3f2705bafe872a9a57b8a23d9b29f75c117c0a5aba04a/analysis/1399629695/
SPAMMAILSERVER & DICTIONARY ATTACKER:
  • https://www.projecthoneypot.org/ip_180.180.146.4
LISTED AT SPAMHAUS (PBL):
  • http://www.spamhaus.org/query/bl?ip=180.180.146.4
E-MAIL-REP: POOR
  • http://www.senderbase.org/lookup/?search_string=180.180.146.4
2)
http://66.147.244.82/ (UNITED STATES)
  • https://www.virustotal.com/de/url/d60b98e987232df8a76c2aadaa8982b3d03a2b4a1a2cc91d829c296f513b13f1/analysis/1399630027/
  • https://www.virustotal.com/de/ip-address/66.147.244.82/information/
BHA: 19
  • https://www.projecthoneypot.org/ip_66.147.244.82
3)
http://14.4.4.6/ (SOUTH KOREA)
  • https://www.virustotal.com/de/url/ea36277fb5e01f8d0713c1937c952433fa0d3e3d11956f161dd989b3a6a07219/analysis/1399630197/
LISTED AT SPAMHAUS (SBL & DROP)
  • http://www.spamhaus.org/query/bl?ip=14.4.4.6
  • http://www.spamhaus.org/sbl/query/SBL187947
  • http://www.senderbase.org/lookup/?search_string=14.4.4.6
4)
http://69.89.23.228/
  • https://www.virustotal.com/de/url/f15acfaf6680089b7af8ce6db92c64f2420b0f92e1bcb14af18e2420b2d5de79/analysis/1399631488/

5/08/2014

ANGLER EXPLOIT KIT (& HEUR:Trojan.Script.Generic)
Newly Detected Malicious DOMAINS from FRANCE:
black-salope.photos-films-x.com
www.photosx-videosx.com
belles-noires.photosx-videosx.com

IPs: 23.239.17.30 & 194.150.236.81



FRENCH MALWARE DOMAIN(s): 
LINKS TO INFECTED DOMAINS (HEUR:Trojan.Script.Generic / ANGLER EXPLOIT KIT)

SITE:
http://black-salope.photos-films-x.com/
  • https://www.virustotal.com/de/url/afd7b2909fd81c0403dcd2d7751966ce255d6011b4217b857f102f0bd02b1d7d/analysis/1399550506/
SPECIFIC MALICIOUS URL:
http://black-salope.photos-films-x.com/black-salopes.html
  • https://www.virustotal.com/de/url/dd6f70d37f067050a8e9e7c9a902ed98e18697b125206252d2f9ab8ee4e44e80/analysis/1399550918/
  • http://quttera.com/detailed_report/www.photosx-videosx.com
INFECTED LINKS FOUND HERE:

1)
http://www.photosx-videosx.com/
  • https://www.virustotal.com/de/url/304eacef10ded96e02de6a8c7377facaf6fe00fa0f7abfb4916e509406caa0b0/analysis/1399551145/
HEUR:Trojan.Script.Generic
  • https://www.virustotal.com/de/file/8eb3907b32e45e38453b56a05aed6b0132f31e7db511e14da383c2e0821b55ea/analysis/1399551334/
  • Malicious iframe injection
  • Angler exploit kit URL pattern
  • https://urlquery.net/report.php?id=1399551228285
--->
http://promo.vador.com/js/tc_loader.js
  • https://www.virustotal.com/de/url/8cc9be1632fafa63070ba909501c2c1253363913f508c68ca851e53d3e997082/analysis/1399553305/
  • https://www.virustotal.com/de/file/017051c711d3cd4e1dfdfba7976237e86bcbf1841b8c4e96627c929403ea9a20/analysis/1397006857/
---->

DOMAIN:
http://consciousnesszone.com/
  • https://www.virustotal.com/de/url/ac7d259785dcda43ec1ec46b60d5be4f6850e7f516a35007fff1a3c34df8daee/analysis/1399553019/
  • http://sitecheck.sucuri.net/results/consciousnesszone.com
MALICIOUS URL (DOCWRITE)
http://consciousnesszone.com/wp-content/plugins/InstaBuilder/zE1ZWXxV.php?id=1707269
  • https://www.virustotal.com/de/url/e389ae2a547adde57bd8665fd45aa84307e994f550e08c11e2b3b125cdef3ee4/analysis/1399552408/
DOMAIN:
http://socialmediahelpforbusinesses.com/

  • https://www.virustotal.com/de/url/bb5f27c3c682dcde39769b673429d69f6ba7bb293824ffa555807aaafa16ee25/analysis/1399552046/
EXPLOIT URL (in this case (random)):
http://socialmediahelpforbusinesses.com/o5a8oheam8
  • https://www.virustotal.com/de/url/98ba770ce401bfc84286efaed8dd08e614c1c8f74198fb2f429bb91ebf6fed55/analysis/1399552020/
EXPLOIT ANGLER
  • https://www.virustotal.com/de/file/59831c7074ce6fb3cad1c442da9d8f943340909375e156ce988d3b6a5cbf86ee/analysis/1399551862/
---------------------------------------------------

2) SAME FOR
http://belles-noires.photosx-videosx.com/
  • https://www.virustotal.com/de/url/356c31acbf7f736f50a26783583632d2754b8a0094339ed70d4c1703d941f164/analysis/1399553987/
HEUR:Trojan.Script.Generic
  • https://www.virustotal.com/de/file/37ccdabc9e5d4dc17f00af44f311417577ab1dfe884634e663ae15184e37de0e/analysis/1399554228/
  • http://urlquery.net/report.php?id=1399554055463
---------------------------------------------------
IPs:

1)
http://194.150.236.81/
  • https://www.virustotal.com/de/url/090783f03563157938a2c276a895517863727923085fe8723335e188fbe0efd3/analysis/1399554601/
  • https://www.virustotal.com/de/ip-address/194.150.236.81/information/
2)
http://23.239.17.30/
  • https://www.virustotal.com/de/url/698f78c8e171958c4fe2e9090202804a5ec63d5b1a03bb31abae5094a7bef84c/analysis/1399554712/

U.S. NAVY MILITARY HACK 2012:

Nicholas Paul Knight & Daniel Trenton Krueger

charged with Hacking US Navy Computer Systems & Sites


Daniel Trenton Krueger, 20, of Salem, Illinois and Nicholas Paul Knight, 27, of Chantilly, Virginia, were accused of conspiring "to hack computers and computer systems as part of a plan to steal identities, obstruct justice, and damage a protected computer" from April 2012 to June 2013, court documents and prosecutors said.

USS Harry S. Truman

Knight, a former systems administrator in the nuclear reactor department of the USS Harry S. Truman, was the self-proclaimed leader and publicist of "Team Digi7al," prosecutors said. He used the names Inertia, Iner7ia, Logic and Solo and has been a hacker since the age of 16, charging documents say. He was discharged from the Navy after he was caught trying to hack a Navy database while at sea.

In an interview with a reporter for the website Softpedia, parts of which are quoted in charging documents, "Iner7ia" said that he was originally a White hat hacker, who found and reported security vulnerabilities. But he became bored and said "the people I did work for were ungrateful and sometimes they wouldn't take me seriously."

He admitted being a member of the United States Navy, and said that he worked for the people of the U.S. hacking primarily government sites, not the government. "I believe that if we can't protect ourselves against a cyber attack, then how can we trust the government to protect against anything else?"


He said that he uses a separate computer to avoid being caught, and at one point said, "I just hope that I can retire knowing I was never caught and arrested. Haha"

Krueger, who was studying network administration at an undisclosed college, did the hacking "out of boredom," prosecutors said. He went by the names Thor, Orunu, Gambit and Chronus.

Charging documents say that in June of 2012, the Naval Criminal Investigative Service (NCIS) detected a breach of a Naval database located in Oklahoma that contains the Social Security numbers, names, and birth dates of roughly approximately 220.000 members of the military.


"The Navy quickly identified the breach and tracked down the alleged culprits through their online activity, revealing an extensive computer hacking scheme committed across the country and even abroad," said U.S. Attorney Danny C. Williams of the Northern District of Oklahoma.

U.S. Attorney Danny C. Williams
The NCIS and Defense Criminal Investigative Service identified Knight and Krueger as the hackers of the Navy database as well as systems belonging to the U.S. National Geospatial-Intelligence Agency, the Department of Homeland Security, AT&T U-verse, Universities, Police Departments in Toronto and Alabama and the entire email account of the Peruvian ambassador to Bolivia.

They posted links to the data via Team Digi7al's Twitter account, and one co-conspirator said they released the data because they were "somewhat politically inclined to" but also because it was "fun, and we can," prosecutors said.

The U-verse hack compromised the personal information of 3.500 customers. The June 2012 Navy hack left 700 overseas military members unable to access the system and get "logistical support" for their transfers for more than 10 weeks and cost the Navy more than 500.000 US-Dollars documents say.

The U.S. National Geospatial-Intelligence Agency

After the NCIS searched Knight's Virginia home in February of 2013, he admitted "many" of his Team Digi7al activities and agreed to cooperate, but told a juvenile co-conspirator to delete data, documents say.

That juvenile and two others who hacked for Team Digi7al were not charged.