Spam Alert Full Report: /Geocities_redirect_My_Canadian_Pharmacy_spam201387.html Consumed following related reports:
[201388] http://distrinct.net
IP Converted: 61.144.19.90
dword = 1032852314
hex1 = 0x3d90135a
hex2 = 0x3d.0x90.0x13.0x5a
oct = 075.0220.023.0132
View CIDR AS4134 Report: http://www.cidr-report.org/cgi-bin/as-report?as=4134
"4134 | CN | apnic | 2002-08-01 | CHINANET-BACKBONE No.31,Jin-rong Street"
Extended information for AS4134:
State/Province:
Country: cn
Responsible Domain: chinanet.cn.net
Abuse Email: cncert@cert.org.cn
Changed status to confirmed spam.

PART I
GEOCITIES/YAHOO
Redirection abuse that breaks the Geocities Terms of Service
geocities.com/barbarabyomttn
document.write(String.fromCharCode(50+(10),(116)-1,(102)^(5),(122)^(8),97+(8),111+(1),114+(2),(64)-2,(115)^(7),105+(6),(121)-9,38+(8),(113)-5,(113)-2,(100)-1,95+(2),(115)^(7),(106)-1,(112)-1,(120)-10,56+(5),(32)^(7),(106)-2,113+(3),(117)^(1),109+(3),(60)^(6),(51)-4,38+(9),(111)-9,(124)^(9),(108)-3,(123)^(8),92+(8),105+(6),(103)^(2),99+(8),118+(1),(120)-9,(105)-7,109+(6),39+(7),(98)^(1),(101)^(10),(108)^(1),42+(5),(46)^(9),(63)^(4),(54)^(10),42+(5),(112)^(3),(98)^(1),(120)-6,(104)^(1),(118)^(6),(119)-3,53+(9)));
This decodes to the following simple redirect:
<script>top.location='http://fuisdoekwobs.com/';</script>
ACTION:
The pattern to search for is
"document.write(String.fromCharCode(" followed by many occurrences of "(", ")", "-", "+", "," and "^" interspersed with 1-, 2- or 3-digit numbers, and nothing else until the terminating ";".
In this case there are 480 characters, all taken from the character set {0-9 ( ) - + , ^}.
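As an added example (not part of this report, and not code from Geocities or Yahoo), here is a Python routine that implements the scan just described: it matches the document.write(String.fromCharCode( ... )); pattern, evaluates each "+", "-" or "^" term without calling eval(), and pulls out the redirect target. The sample page, the benign second script and the require_arithmetic option are my additions; the obfuscated snippet and its decoded form are the ones quoted above.

```python
import re

# Constructed sample page: the obfuscated document.write() quoted in the report,
# wrapped in a script tag as it would appear on a hosted page, plus a plain,
# unobfuscated fromCharCode() call that a tightened rule should leave alone.
SAMPLE_HTML = """<html><body>
<script>document.write(String.fromCharCode(50+(10),(116)-1,(102)^(5),(122)^(8),97+(8),111+(1),114+(2),(64)-2,(115)^(7),105+(6),(121)-9,38+(8),(113)-5,(113)-2,(100)-1,95+(2),(115)^(7),(106)-1,(112)-1,(120)-10,56+(5),(32)^(7),(106)-2,113+(3),(117)^(1),109+(3),(60)^(6),(51)-4,38+(9),(111)-9,(124)^(9),(108)-3,(123)^(8),92+(8),105+(6),(103)^(2),99+(8),118+(1),(120)-9,(105)-7,109+(6),39+(7),(98)^(1),(101)^(10),(108)^(1),42+(5),(46)^(9),(63)^(4),(54)^(10),42+(5),(112)^(3),(98)^(1),(120)-6,(104)^(1),(118)^(6),(119)-3,53+(9)));</script>
<script>document.write(String.fromCharCode(72,105));</script>
</body></html>"""

# The report's rule: document.write(String.fromCharCode( followed only by
# digits and the characters ( ) - + , ^ up to the closing "));".
OBFUSCATED_WRITE = re.compile(
    r"document\.write\(String\.fromCharCode\(([0-9()+\-,^]+)\)\)\s*;"
)

# One argument: an optionally parenthesised integer, an operator, another integer.
TERM = re.compile(r"\(?(\d+)\)?([-+^])\(?(\d+)\)?")

OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "^": lambda a, b: a ^ b}

# Redirect target inside the decoded payload (assumed form: top.location='...').
REDIRECT = re.compile(r"top\.location\s*=\s*['\"]([^'\"]+)['\"]")


def eval_term(term: str) -> int:
    """Evaluate a single fromCharCode argument without eval()."""
    term = term.strip()
    if term.isdigit():
        return int(term)
    m = TERM.fullmatch(term)
    if m is None:
        raise ValueError(f"unsupported term: {term!r}")
    return OPS[m.group(2)](int(m.group(1)), int(m.group(3)))


def decode_fromcharcode(args: str) -> str:
    """Turn the comma-separated argument list into the string it builds."""
    return "".join(chr(eval_term(t)) for t in args.split(","))


def scan_page(html: str, require_arithmetic: bool = True) -> list:
    """Return (decoded_payload, redirect_target_or_None) for each suspicious write.

    require_arithmetic is a tightening added here: a plain list of code points
    is skipped, so only the obfuscated form with + - ^ terms is reported.
    """
    hits = []
    for m in OBFUSCATED_WRITE.finditer(html):
        args = m.group(1)
        if require_arithmetic and not any(op in args for op in "+-^"):
            continue
        decoded = decode_fromcharcode(args)
        target = REDIRECT.search(decoded)
        hits.append((decoded, target.group(1) if target else None))
    return hits


if __name__ == "__main__":
    for decoded, target in scan_page(SAMPLE_HTML):
        print("decoded:", decoded)
        print("redirects to:", target)
```

The decoder only accepts the three operators the report lists, so a term it cannot parse raises instead of being guessed at; the redirect target is reported alongside the decoded payload so an abuse handler can see the landing domain without executing anything.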
Write a routine that scans all Geocities sites, and when it finds a match, removes the site. Run the routine continuously.

PART II
Criminal Evidence
See the Spam Wiki entry at http://www.spamtrackers.eu/wiki/index.php?title=My_Canadian_Pharmacy
or from China: http://www.spamtrackers.hk/wiki/index.php?title=My_Canadian_Pharmacy
See the McAfee Site Advisor information at http://siteadvisor.com/sites/distrinct.net
> Registrar: THE NAME IT CORPORATION DBA NAMESERVICES.NET
REGISTRATION OF THE WEB SITE: distrinct.net
ACTION: To suspend this criminal site which breaks your terms of service, set the domain status to clientHold.

> XIN NET TECHNOLOGY / SINO-I.COM
> DNS.COM.CN
REGISTRATION OF THE NAME SERVERS
These name servers are registered by criminals to resolve only illegal web sites. This breaks your terms of service. You can safely suspend them:
NS1.RIBORMOLU.COM [DNS.COM.CN]
NS2.KUQDUFFER.COM [XIN NET]
ACTION: To suspend these name servers successfully, follow these steps.
1. Set the name server A (address) records to a non-routable address, such as 127.0.0.1 or 61.61.61.61.
2. Set the domain status to clientUpdateProhibited, clientTransferProhibited, clientDeleteProhibited, and clientHold.

PART IV
> GUANGZHOU-HSM-ED-SCHOOL ipuser@gddc.com.cn
IP ADDRESS OF HOST: distrinct.net has address 61.144.19.90
The IP address of this criminal site is within your allocated address space.
ACTION: Black-hole the route to this address to prevent further criminal activity.