[nsp-sec] enom security POC?

Nicholas Ianelli ni at cert.org
Mon Oct 27 17:39:55 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oh hell no, this guy is also involved in a domain that was pushing the
malicious AntiVirus 2009:

hxxp://quick-live-scan.com/2009/1/freescan.php?id=880147

Registrant:
  Shestakov Yuriy alexeyvas at safe-mail.net +7.9218839910
  Shestakov Yuriy
  Lenina 21 16
  Mirniy,MSK,RU 102422


Domain Name:quick-live-scan.com
Record last updated at 2008-10-22 10:56:19
Record created on 2008/10/22
Record expired on 2009/10/22


Domain servers in listed order:
  ns1.freefastdns.com   ns2.freefastdns.com


quick-live-scan.com.    600     IN      A       216.240.134.211
quick-live-scan.com.    600     IN      A       78.159.118.217
quick-live-scan.com.    600     IN      A       89.149.253.215


Modified .htaccess files for a number of compromised sites look like this:

120
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A
HREF="hxxp://89.28.13.200/in.html?s=sb">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.31 Server at www.<compromiseddomain>.com Port
80</ADDRESS>
</BODY></HTML>

- --------------
- ---------
- ---------------

Bulk mode; whois.cymru.com [2008-10-27 21:37:44 +0000]
7796    | 216.240.134.211  | ATMLINK - ATMLINK, INC.
28753   | 78.159.118.217   | NETDIRECT AS NETDIRECT Frankfurt, DE
28753   | 89.149.253.215   | NETDIRECT AS NETDIRECT Frankfurt, DE
31252   | 89.28.13.200     | STARNET-AS SC StarNet SRL



v4-peer.whois.cymru.com
The server returned 17 lines.

Bulk mode; peer-whois.cymru.com [2008-10-27 21:37:44 +0000]
174     | 78.159.118.217   | COGENT Cogent/PSI
174     | 89.149.253.215   | COGENT Cogent/PSI
2828    | 216.240.134.211  | XO-AS15 - XO Communications
3356    | 216.240.134.211  | LEVEL3 Level 3 Communications
3549    | 78.159.118.217   | GBLX Global Crossing Ltd.
3549    | 89.149.253.215   | GBLX Global Crossing Ltd.
3561    | 216.240.134.211  | SAVVIS - Savvis
6695    | 78.159.118.217   | DECIX-AS DE-CIX, the German Internet Exchange
6695    | 89.149.253.215   | DECIX-AS DE-CIX, the German Internet Exchange
7018    | 216.240.134.211  | ATT-INTERNET4 - AT&T WorldNet Services
10310   | 78.159.118.217   | YAHOO-1 - Yahoo!
10310   | 89.149.253.215   | YAHOO-1 - Yahoo!
12989   | 78.159.118.217   | HWNG Highwinds Network Group, Inc.
12989   | 89.149.253.215   | HWNG Highwinds Network Group, Inc.
25973   | 216.240.134.211  | MZIMA - Mzima Networks, Inc.
27524   | 216.240.134.211  | XEEX-COMMUNICATIONS - Xeex
2914    | 89.28.13.200     | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
8708    | 89.28.13.200     | RDSNET RCS & RDS S.A.




Nick

Chris Morrow wrote:
> ----------- nsp-security Confidential --------
> 
> 
> looks like enom is being phished :(
> 
> <snip spam content>
> For access your account follow this link - http://www.enom.com.sys82.net
> </snip spam content>
> 
> something about 'we are doing maintenance...' spam sample available upon
> request.
> 
> -Chris
> (note that the sys82.net domain is owned by:
> 
> Administrator:
>      Name-- Shestakov Yuriy
>  EMail-: (alexeyvas at safe-mail.net)
>  tel --: +7.9218839910
>      org: Shestakov Yuriy
>      Lenina 21 16
>      Mirniy,MSK,RU 102422
> 
> Domain Name:sys82.net
> Record last updated at 2008-10-25 23:13:18
> Record created on 2008/10/25
> Record expired on 2009/10/25
> 
> 
> with NS hosts:
>      ns1.kolberacn.com      ns2.kolberacn.com
> 
> or hosts:
>    Name Server: NS1.KOLBERACN.COM
>    Name Server: NS2.KOLBERACN.COM
>    Name Server: NS3.KOLBERACN.COM
>    Name Server: NS4.KOLBERACN.COM
>    Name Server: NS5.KOLBERACN.COM
> 
> 209.60.226.164 - Mediaworks - Riverbend (via paetec)
> 70.112.103.237 - roadrunner host?
> 
> other hosts are also broadband-ish things...
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkkGNSsACgkQi10dJIBjZICg2gCg0YbgOfkVhjreZ+e9zuiCX0fN
PK4An1O77i4goAAbr60ddylStTpD8Q3J
=6V+2
-----END PGP SIGNATURE-----
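The two Team Cymru bulk-mode listings in the message above (origin view from whois.cymru.com, peer view from peer-whois.cymru.com) are the kind of thing that gets pasted into tickets and then re-typed by hand. Below is an added example, not part of the thread or of any Cymru tooling, that parses that `ASN | IP | AS Name` format, joins the origin and peer views per IP, and groups hosts by origin ASN so that IPs sitting in the same network (as 78.159.118.217 and 89.149.253.215 do in the listing) show up together for a single abuse notification. The sample text is copied from the listings in this message; the function names are this example's own.

```python
"""Join Team Cymru origin and peer bulk-whois listings per IP (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    asn: int
    ip: str
    as_name: str


IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Origin-AS view, copied from the message above (header and status lines
# included to show that the parser skips them).
ORIGIN_OUTPUT = """\
Bulk mode; whois.cymru.com [2008-10-27 21:37:44 +0000]
7796    | 216.240.134.211  | ATMLINK - ATMLINK, INC.
28753   | 78.159.118.217   | NETDIRECT AS NETDIRECT Frankfurt, DE
28753   | 89.149.253.215   | NETDIRECT AS NETDIRECT Frankfurt, DE
31252   | 89.28.13.200     | STARNET-AS SC StarNet SRL

v4-peer.whois.cymru.com
The server returned 17 lines.
"""

# Peer-AS view, copied from the same message.
PEER_OUTPUT = """\
Bulk mode; peer-whois.cymru.com [2008-10-27 21:37:44 +0000]
174     | 78.159.118.217   | COGENT Cogent/PSI
174     | 89.149.253.215   | COGENT Cogent/PSI
2828    | 216.240.134.211  | XO-AS15 - XO Communications
3356    | 216.240.134.211  | LEVEL3 Level 3 Communications
3549    | 78.159.118.217   | GBLX Global Crossing Ltd.
3549    | 89.149.253.215   | GBLX Global Crossing Ltd.
3561    | 216.240.134.211  | SAVVIS - Savvis
6695    | 78.159.118.217   | DECIX-AS DE-CIX, the German Internet Exchange
6695    | 89.149.253.215   | DECIX-AS DE-CIX, the German Internet Exchange
7018    | 216.240.134.211  | ATT-INTERNET4 - AT&T WorldNet Services
10310   | 78.159.118.217   | YAHOO-1 - Yahoo!
10310   | 89.149.253.215   | YAHOO-1 - Yahoo!
12989   | 78.159.118.217   | HWNG Highwinds Network Group, Inc.
12989   | 89.149.253.215   | HWNG Highwinds Network Group, Inc.
25973   | 216.240.134.211  | MZIMA - Mzima Networks, Inc.
27524   | 216.240.134.211  | XEEX-COMMUNICATIONS - Xeex
2914    | 89.28.13.200     | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
8708    | 89.28.13.200     | RDSNET RCS & RDS S.A.
"""


def parse_cymru(text: str) -> List[Route]:
    """Return the 'ASN | IP | AS Name' rows of a bulk-mode listing.

    Header ('Bulk mode; ...'), status ('The server returned ...') and blank
    lines have no pipe-separated triple and are skipped; a column-header row
    such as 'AS | IP | AS Name' is skipped because its ASN is not numeric.
    """
    routes: List[Route] = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue
        asn, ip, name = parts
        if not asn.isdigit() or not IPV4.match(ip):
            continue
        routes.append(Route(int(asn), ip, name))
    return routes


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def build_ip_report(origin_text: str, peer_text: str) -> Dict[str, dict]:
    """Join origin and peer views into one record per IP, ordered numerically."""
    origin: Dict[str, Route] = {r.ip: r for r in parse_cymru(origin_text)}
    peers: Dict[str, set] = defaultdict(set)
    for r in parse_cymru(peer_text):
        peers[r.ip].add(r.asn)
    report: Dict[str, dict] = {}
    for ip in sorted(set(origin) | set(peers), key=_ip_key):
        o: Optional[Route] = origin.get(ip)
        report[ip] = {
            "origin_asn": o.asn if o else None,
            "origin_name": o.as_name if o else None,
            "peer_asns": sorted(peers.get(ip, ())),
        }
    return report


def group_by_origin(report: Dict[str, dict]) -> Dict[int, List[str]]:
    """Map origin ASN -> IPs so hosts in one network can be reported together."""
    groups: Dict[int, List[str]] = defaultdict(list)
    for ip, info in report.items():
        if info["origin_asn"] is not None:
            groups[info["origin_asn"]].append(ip)
    return dict(groups)


if __name__ == "__main__":
    rep = build_ip_report(ORIGIN_OUTPUT, PEER_OUTPUT)
    for ip, info in rep.items():
        print(f"{ip:16} AS{info['origin_asn']} {info['origin_name']}"
              f"  peers={info['peer_asns']}")
    for asn, ips in group_by_origin(rep).items():
        print(f"AS{asn}: {', '.join(ips)}")
```

The peer list is worth keeping next to the origin ASN: when the origin network ignores an abuse report, the upstreams in the peer view are the next contacts, and the parser tolerates the status lines Cymru appends so the listing can be pasted in unedited.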


