[SIRT#196808] DiscoverTotal.com, FreeCreditReports360.com

CastleCops -> SIRT Reports

Author: AlphaCentauri PostPosted: Sun Jul 06, 2008 2:45 pm    Post subject: [SIRT#196808] DiscoverTotal.com, FreeCreditReports360.com

Spam Alert
 
 Full Report: CastleCops Link/DiscoverTotal_com_spam196808.html
 
Changed status to confirmed spam. When entered in a browser, http://bestrockbottom.com/scw/kpnkmyphpblrbrq/ph redirects to https://www.freecreditreports360.com/ppc/creditreport/aff40.aspx

IP Converted: 64.191.83.119

dword = 1086280567
hex1 = 0x40bf5377
hex2 = 0x40.0xbf.0x53.0x77
oct = 0100.0277.0123.0167
IP Converted: 72.32.107.99

dword = 1210084195
hex1 = 0x48206b63
hex2 = 0x48.0x20.0x6b.0x63
oct = 0110.040.0153.0143
View CIDR AS21788 Report: http://www.cidr-report.org/cgi-bin/as-report?as=21788

"21788 | US | arin | 2001-06-21 | NOC - Network Operations Center Inc."
Extended information for AS21788:
State/Province: pa
Country: us
Responsible Domain: hostnoc.net
Abuse Email: abuse@hostnoc.net
IP Converted: 66.151.248.186

dword = 1117255866
hex1 = 0x4297f8ba
hex2 = 0x42.0x97.0xf8.0xba
oct = 0102.0227.0370.0272
View CIDR AS33070 Report: http://www.cidr-report.org/cgi-bin/as-report?as=33070

"33070 | US | arin | 2004-09-24 | RMH-14 - Rackspace.com, Ltd."
Extended information for AS33070:
State/Province: tx
Country: us
Responsible Domain: rackspace.com
Abuse Email: noc@rackspace.com
IP Converted: 64.191.83.101

dword = 1086280549
hex1 = 0x40bf5365
hex2 = 0x40.0xbf.0x53.0x65
oct = 0100.0277.0123.0145
View CIDR AS12179 Report: http://www.cidr-report.org/cgi-bin/as-report?as=12179

"12179 | US | arin | 1999-04-13 | INTERNAP-2BLK - Internap Network Services Corporation"
Extended information for AS12179:
State/Province: ga
Country: us
Responsible Domain: internap.com
Abuse Email: abuse@internap.com
Quote:
http://bestrockbottom.com/scw/kpnkmyphpblrbrq/ph
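The dword, hex and octal lines in the report are the same addresses written in the alternative spellings that inet_aton-style parsers, and therefore browsers, accept as a hostname; a spam URL that uses one of them slips past a filter that only matches the dotted form. The Python below is an added example, not output from the CastleCops tooling: it reproduces those conversions and collapses any of the spellings back to a canonical dotted quad so a blocklist match can be done on one form.

```python
"""Dotted-quad IPv4 <-> the alternative host spellings shown in the report.
Added example; not part of the SIRT report or its tooling."""
import ipaddress


def ip_notations(dotted: str) -> dict:
    """Return the address as dword, single hex word, per-octet hex and per-octet octal,
    in the same layout the report prints (octal octets are '0' + digits, no padding)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {dotted!r}")
    dword = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    return {
        "dword": str(dword),
        "hex1": f"0x{dword:08x}",
        "hex2": ".".join(f"0x{o:02x}" for o in octets),
        "oct": ".".join(f"0{o:o}" for o in octets),
    }


def _parse_part(s: str) -> int:
    """One address component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if s[:2].lower() == "0x":
        return int(s[2:], 16)
    if len(s) > 1 and s[0] == "0":
        return int(s, 8)
    if not s.isdigit():
        raise ValueError(f"bad address component: {s!r}")
    return int(s, 10)


# inet_aton layouts: a (32 bits), a.b (8+24), a.b.c (8+8+16), a.b.c.d (8 each)
_SHIFTS = {1: (0,), 2: (24, 0), 3: (24, 16, 0), 4: (24, 16, 8, 0)}


def normalize_host(host: str) -> str:
    """Collapse any inet_aton-style spelling of an IPv4 host to canonical dotted quad."""
    parts = host.split(".")
    if len(parts) not in _SHIFTS:
        raise ValueError(f"unsupported address layout: {host!r}")
    shifts = _SHIFTS[len(parts)]
    value, prev = 0, 32
    for part, shift in zip(parts, shifts):
        n = _parse_part(part)
        if n >= 1 << (prev - shift):  # component wider than the bits it may occupy
            raise ValueError(f"component {part!r} out of range in {host!r}")
        value |= n << shift
        prev = shift
    return str(ipaddress.IPv4Address(value))


if __name__ == "__main__":
    for ip in ("64.191.83.119", "72.32.107.99"):
        print(ip, ip_notations(ip))
    for spelling in ("1086280567", "0x40bf5377", "0x40.0xbf.0x53.0x77", "0100.0277.0123.0167"):
        print(spelling, "->", normalize_host(spelling))
```

The conversions agree with the figures in the report (64.191.83.119 is dword 1086280567, hex 0x40bf5377, octal 0100.0277.0123.0167). normalize_host follows the classic inet_aton rules, so two- and three-component forms such as a.bbb are also collapsed; that is deliberate, since those are accepted by the same parsers.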

Author: tembow PostPosted: Sun Jul 06, 2008 8:31 pm    Post subject:

Reference: [ThePlanetAbuse-C24400082K]

To Whom It May Concern:

Please note that neither the below-referenced [IP address or URL or e-mail] nor the domain name that is being advertised is within our network as of the date stamp in this email.

Regards,
Abuse Department
The Planet

Author: AlphaCentauri PostPosted: Mon Jul 07, 2008 5:05 am    Post subject:

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FREECREDITREPORTS360.COM

Domain servers in listed order:
NS1.THEPLANET.COM
NS2.THEPLANET.COM

ThePlanet.com has the nameservers, not the spammed domain.

Author: dabug Location: USA PostPosted: Wed Jul 23, 2008 10:09 pm    Post subject:

discovertotal scans the net for 404 - unused domains - old domains - ( by my spam count 100+) but where there is an HTTP server still running. They then upload a short redirect script and hijack the server. You then get spam for travel, training, etc. that points you at olddomain.com/wodkvjlatlkaklsdf. The original owner of olddomain, who doesn't use it any more, never knows the difference. If you curl http://olddomain.com you get a 404 error but curl olddomain.com/wodkv.... you get "... refresh=0 http://discovertotal.com/[base64-string].

Isn't it a crime to hack into someone's computer?

discovertotal is registered by
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260

DomainsByProxy.com is:
Administrative Contact:
GoDaddy.com, Inc., GoDaddy.com, Inc. dns@jomax.net
GoDaddy.com, Inc.
14455 N Hayden Rd #226
Scottsdale, Arizona 85260

jomax is:
Administrative Contact:
GoDaddy.com, Inc., GoDaddy.com, Inc. dns@jomax.net
GoDaddy.com, Inc.
14455 N Hayden Rd #226
Scottsdale, Arizona 85260

and from what I can tell: jomax.net is GoDaddy.com
http://www.aboutus.org/Jomax.net


Rolling Eyes

Author: AlphaCentauri PostPosted: Wed Jul 23, 2008 11:29 pm    Post subject:

dabug wrote:
discovertotal scans the net for 404 - unused domains - old domains - ( by my spam count 100+) but where there is an HTTP server still running. They then upload a short redirect script and hijack the server. You then get spam for travel, training, etc. that points you at olddomain.com/wodkvjlatlkaklsdf. The original owner of olddomain, who doesn't use it any more, never knows the difference. If you curl http://olddomain.com you get a 404 error but curl olddomain.com/wodkv.... you get "... refresh=0 http://discovertotal.com/[base64-string].

Isn't it a crime to hack into someone's computer?


That's very significant information if you can document it. I can't track down the owner of this particular spammed domain (bestrockbottom.com) from the registration information in the whois. There is no name, the zip code doesn't exist, and the phone number is a land line in Texas though the address in the registration is in Colorado. Having such a scammy looking registration would tend to argue against the theory that an innocent but neglectful website owner has had his website hacked.

The "404 not found" home page is a typical feature of sites that mail links that encode the ID of the affiliate that spammed you as well as maybe encoding your email address, so they know you clicked through. They don't want traffic from people who ask too many questions and try to view the home page. Other sites like that will put a generic unsubscribe form on the home page. In many cases, it can be quite difficult to view the content without revealing your email address.
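Both of the last two posts turn on the difference between what a spam link's home page returns and what the mailed deep link does: the home page 404s, while the path from the e-mail carries a meta refresh (or, as with bestrockbottom.com in the first post, an HTTP redirect) to the real site. The Python below is an added example, not code from the thread. It extracts the redirect target from an already captured response without following it, so a link can be triaged offline and the deep-link-versus-home-page behaviour documented. The responses in it are constructed; olddomain.example and the EXAMPLE-TOKEN path stand in for the placeholders used in dabug's post.

```python
"""Find where a captured HTTP response would send the browser, without following it.
Added example for the thread above; sample responses are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _MetaRefresh(HTMLParser):
    """Collects the URL from the first <meta http-equiv="refresh" content="N;url=..."> seen."""

    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.target is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content is "delay;url=TARGET"; the "url=" and quotes are optional in practice
        m = re.search(r";\s*(?:url\s*=\s*)?['\"]?([^'\"\s>]+)", a.get("content", ""), re.I)
        if m:
            self.target = m.group(1)


# Simple script-based redirect: location / location.href / window.location = "..."
_JS_LOCATION = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I
)


def find_redirect(requested_url, status, headers, body):
    """Return (mechanism, absolute_target) for a captured response, or None if it does not redirect.
    Checks, in order: 3xx Location header, meta refresh in the HTML, a script location assignment."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        return ("http-location", urljoin(requested_url, hdrs["location"]))
    parser = _MetaRefresh()
    parser.feed(body)
    if parser.target:
        return ("meta-refresh", urljoin(requested_url, parser.target))
    m = _JS_LOCATION.search(body)
    if m:
        return ("javascript", urljoin(requested_url, m.group(1)))
    return None


def leaves_site(requested_url, target_url):
    """True when the redirect hands the visitor to a different host than the one mailed."""
    return urlsplit(requested_url).hostname != urlsplit(target_url).hostname


# Constructed captures modelled on the posts: a 404 home page and a deep link that
# meta-refreshes off-site. olddomain.example / EXAMPLE-TOKEN are placeholders.
HOME_URL = "http://olddomain.example/"
HOME_RESPONSE = (404, {"Content-Type": "text/html"}, "<html><body>404 Not Found</body></html>")

DEEP_URL = "http://olddomain.example/wodkvjlatlkaklsdf"
DEEP_RESPONSE = (
    200,
    {"Content-Type": "text/html"},
    '<html><head><meta http-equiv="refresh" '
    'content="0;url=http://discovertotal.com/EXAMPLE-TOKEN"></head><body></body></html>',
)


def triage(url, response):
    """Summarise one captured response as (status, mechanism, target, leaves_site)."""
    status, headers, body = response
    hit = find_redirect(url, status, headers, body)
    if hit is None:
        return (status, None, None, False)
    mechanism, target = hit
    return (status, mechanism, target, leaves_site(url, target))


if __name__ == "__main__":
    print("home:", triage(HOME_URL, HOME_RESPONSE))
    print("deep:", triage(DEEP_URL, DEEP_RESPONSE))
```

Run against the two constructed captures, the home page reports no redirect and the deep link reports a meta refresh to discovertotal.com on another host, which is exactly the pattern dabug describes. Feeding find_redirect the status, headers and body saved from a real fetch keeps the analysis off the redirect chain, so the click-through the affiliate ID is meant to record never happens.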


