
Which registrar?


bobbear


The domain in question is ourhosting.cn

Who is the sponsoring registrar?

The whois data from a variety of tools returns a series of question marks for the sponsoring registrar (even CNNIC - which incidentally seems to be having whois access problems ATM). This obfuscation may well be intentional as the domain is being used in conjunction with criminal fraud.

On another tack, for all botnet aficionados, here is an interesting variation on a theme that I'm getting at the moment from the United Cargo Solutions money laundering criminal:

http://www.dnsstuff.com/tools/traversal.ch...info&type=A

On the face of it, the crook seems to be using a 'pseudo-botnet' arrangement with a selection of Yahoo! Geocities IPs from 68.142.212.117 to 68.142.212.141 inclusive to host the site on a fast DNS rotation controlled by two Yahoo nameservers, but I'm not 100% convinced that the data is telling the whole truth, so any opinions valued from DNS experts...

As per usual it's proving difficult to convince the Yahoo! abuse teams of the apparent situation although every IP in the data is reportable to them...


You give up too easily, Wazoo... :)

It is all related to the same criminal, United Cargo Solutions, but not obviously, I admit. Try the DNSstuff data on unicargo.hk in addition to the ucasol.info data link I posted above - same crook, different MO as Columbo might say...

I could have started two threads, but I'm acutely aware of the need to save forum space & thus not get shouted at.... :)

The first point is the issue as the title suggests.

The second point is more of a (related!) point of interest to botnet aficionados, as I said, but I'm open to any feedback on it.

[Edit] Re the second point: Yahoo have come up trumps and looped the DNS lookup result back to the root servers so it can be ignored. The data appeared to be accurate. Mind, it may well crop up again though, if it hasn't already as it was a novel way to create a 'pseudo-botnet' - using a selection of Geocities IPs as the rotating site hosts. It certainly created a fog factor that has got to baffle some abuse teams....

I'd still appreciate any suggestions on finding the sponsoring registrar for ourhosting.cn


You give up too easily, Wazoo... :)

I was "taking a break" at the time I checked for traffic 'here'. Maybe a dozen windows opened up working on the next version of this application, another couple working with Wiki data, the 'original' FAQ, the single-page version here, a couple of on-line manuals .... starting at the top of your post, another handful of windows/tools brought into play, a couple of Notepad instances to copy captured data, then moved down your post and ran into what appeared to be left field, on the other side of the fence ... that's when I quit, went back to kicking code .....

If no one else jumps in, I'll be back ....


Archived

This topic is now archived and is closed to further replies.
