[nsp-sec] iframe on OpenX server: similar experiences exploit experiences with AS6851

Peter Moody pmoody at google.com
Thu Aug 19 01:03:25 EDT 2010


On Wed, Aug 18, 2010 at 9:57 PM, Chris Morrow <morrowc at ops-netman.net> wrote:

> On 8/19/10 12:52 AM, Peter Moody wrote:
> > ----------- nsp-security Confidential --------
> >
> > On Wed, Aug 18, 2010 at 9:45 PM, Zane Jarvis <zane at auscert.org.au> wrote:
> >
> >> Hi all,
> >>
> >>>> Abuse mailbox is a gmail account. If it is feasible, anyone from Google
> >>>> could take a look into this?
> >>>>
> >>>
> >>> abuse contact for an iffy AS/domain is too thin of a reason for the gmail
> >>> folks to act on an account.
> >>>
> >>
> >> We've seen quite a few dodgy domains registered using that email address.
> >
> >
> > Can you give me anything more than the fact that it's the abuse contact?
> >  being an abuse contact (even for *lots* of domains/AS's) doesn't really
> > violate any TOS.
>
> aka: "And these domains are being used in SPAM campaigns which send out
> zeus trojan zip files."
>
> I think pete means this, yes?
>

Yes, sorry. Give us an excuse to get this account shut and it will (most
likely) be shut.  There's a left-hand/right-hand thing going on here, where
it takes some convincing of the left hand by the right hand that an account
really is bad and of late, the left hand has been on vacation and its
(temporary) replacements have needed extra convincing.


> -Chris
>
> >
> >> Here is a list dating back to 21 May 2010, where that email address has been
> >> listed as the abuse contact. This list is from the stuff we have seen and may
> >> not be exhaustive.
> >>
> >>
> >> Regards,
> >> Zane
> >>
> >> --
> >> Zane Jarvis
> >> Senior Information Security Analyst  | Hotline: +61 7 3365 4417
> >> AusCERT, Australia's Leading CERT    | Fax:     +61 7 3365 7031
> >> The University of Queensland         | WWW:     www.auscert.org.au
> >> QLD 4072 Australia                   | Email:   auscert at auscert.org.au
> >>
> >
> >
>
>


-- 
Peter Moody      Google    1.650.253.7306
Network Security Engineer  pgp:0xC3410038


