Jump to content

Joe Job


dabug
 Share

Recommended Posts

I noticed I was getting a lot of new spam so I started keeping track and disecting the source and here is what I've found

a href=http://baptistlighthousechurch.com/alongstringofletters CLICK HERE

Ok,, whois baptistlighthousechurch.com - ok, nslookup, arin etc

curl http://baptistlighthousechurch.com - "404 server error" however

curl http://baptistlighthousechurch.com/alongstringofletters returns

meta http-equiv="refresh" content="0;url=http://www.discovertotal.com/andanotherlongstring//r?a=medicaltranscription-abotus

-065432-04448 - MedTranscription" target="_top"

whois of DT.com returns MYOB - Godaddy / DomainsByProxy

So far I have 83 different domains, and I'd guess I've dropped 1/2 doz, that redirected me to discovertotal.com.

I contacted an owner of one domain and - "foo.com?.... foo.com? ... gawd we haven't used foo for 2 years, we moved to fee.com. I'd guess that foo hasn't expired yet." Another one of the domains happened to be on my hosting service so I opened a ticket, explaining the situation. Couple of hrs later they replied back "Prob solve". I replied back "What did you find?" They replied "Some redirect code."

So what DT.com is doing is finding domains with an IP (all linux/bsd from what I can tell) that have been abandoned, hacking in with some ?php? code that says IF (URL < length(N)) echo "404 error" else redirect to DT.com with a base64Encode string of who & what. Once at DT.com decode the who/what, I would guess log, and from the what refresh=0 to travel, training, sex, drugs, etc. Also Nmap on the hacked sites reports ports 22, 25 & 80 open - L, what else could DT ask for?

Anyone know any of the following:?

arenarapidtransit.com bc.americanheartsite.com bestmarketpro.com bestpineappleplant.com brightideateam.com cdv.thesageworld.com col.cherrystreetonline.com co.mangochionline.com cqc.homewellbeingguide.com de.teapartygal.com directideasite.com dme.superrockwall.com dorwaywebpage.com effectsplus.com emz.pineapplewineexperiment.com ere.maillinkdirect.com financialmediaworks.com fjo.greatmediaidea.com fk.epeoplepro.com fl.greatmediaidea.com jl.teapartygal.com jm.netportcable.com ko.brightideateam.com kp.bestmarketpro.com leadpapersite.com linknewmedia.com ljk.alarmpiece.com longjumpace.com lph.bestdrivecycling.com lw.alarmpiece.com mangofruitrecipe.com mangopicturesfruit.com mangosportsworld.com markettechpro.com mediamusicsystem.com midcoastwind.com mtt.theprotec.com mw.thesagepipe.com netideateam.com nomiring.com nq.peopleproonline.com observesales.com oj.directnotion.com organizationsales.com pc.mangopicturesfruit.com pd.markettechpro.com qd.metrobanna.com qd.soundadviseguide.com qgm.newideasplus.com qg.newideasplus.com qh.persondirect.com qt.replacementunit.com rf.landairsear.com rt.fromthemango.com samsunherbs.com sg.ideacogroup.com sgm.themobilemango.com solutionsmore.com so.solutionslarger.com spe.greenmangoe.com straightidea.com sunbowvilla.com sunginworld.com thedirectpro.com theeaglelake.com theideapages.com theinformpage.com themobilemango.com theprotec.com thewangtea.com ton.recordstape.com tqd.spannabanna.com truenorthdigital.com videoseemail.com villaredsun.com wcl.thesagesoftware.com webideateam.com wellbalanceworld.com wr.leadsheetgiant.com yee.eaglenestinc.com yn.theeaglelake.com yourhillsgolf.com yourscissors.com

Link to comment
Share on other sites

Interesting - sounded for a minute to be similar to a particular variety of bulletin board spammer but no, the only similarity is the site entry page looks unused to simple probes. On all of those (few) checked, McAfee SiteAdvisor comes back with a "Our analysis found that this site may be promoted through spammy e-mail." - AFTER suggesting the site for analysis. This doesn't actually mean the site has been unprobed until that point (I'm not sure what it means but it surely doesn't mean that it hasn't been probed already) and it probably means (certainly implies) - despite the neat 404 trick - that there is some known spam-type signature.

Re the "abandoned" domains thing (the similarity with the bulletin board spammers), whois for those checked (via robtex) shows "Registrar: PLANET ONLINE CORP", with very recent registration, another common thing - NS0. and NS1. as subdomains of the domain name and registrants are mostly cloaked by PrivacyProtect.org (the latter being another comonalilty with the board spammers come to think of it but many other spammers of assorted type too) - though not baptistlighthousechurch.com where the registrant is supposedly ensconced at 361 S. Camino Del Rio #285, Durango Co which may house some species of tardis since there seems, on a hurried look, to be a great deal resident there.

Link to comment
Share on other sites

baptistlighthousechurch.com where the registrant is supposedly ensconced at 361 S. Camino Del Rio #285, Durango Co which may house some species of tardis since there seems, on a hurried look, to be a great deal resident there.

No residents...just private PO boxes. It's a Mailboxes, Etc./UPS Store location, the kind of location typically used by spammers. The GMail address used to register the domain is associated with over 100 other domains, and is identified on this CastleCops® page and mentioned on this AbuseButler page. As for the status of the domain "baptistlighthousechurch.com," it appears to have been taken down. The nameservers no longer are answering and so the spammer's forwarding trick is no longer working. They are using other formerly-dead domains for the same purpose, however.

DiscoverTotal is mentioned all over the place as a scam, and was listed on the URIBL Wed, 09 Jul 2008 15:01:38 +0000, but no longer seems to be listed.

DT

Link to comment
Share on other sites

Hello Cal,BAFD73BDAE4ED1F85E5CA1230F2FA5DADE56E12A7B2CB1B7

Looking for a Career that Matches Your Values?

Are you ready to Earn Up to $10k every month?

Would you like to work for the largest, Christian-Based American

company in America? Receive the fellowship you need to Succeed!

Join us now.

curl http://firstplanmade.com/bob

This document may be found a HREF="http://firstplanmade.com/bob/

REFRESH" CONTENT="0;URL=http://www.gainingyourmiracle.com/cgi/pr/index.php?aff=1005

I think they've added IF (referer == firstplanmade) continue else blank.

via curl gym.com returns nothing - however clicking on the link gives you

(full color web page) Are you looking for a second career?

Domain name: gainingyourmiracle.com

Administrative Contact:

ADS, Inc.

Dns Administrator (adsinc500[at]yahoo.com)

+1.8019997211

3540 W. Sahara Unit 6E, #683

Las Vegas, NV 89102

US

----------- and ah-ha - turns out ADS Inc owns both sites.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...