LITTLEBLACKDOG.COM Forum Index » Networking
BadKarmaBoy
Stray Dog
Joined: 19 Dec 2005
Posts: 70

Posted: Wed Apr 05, 2006 2:14 am   Post subject: How to shut down a website...

This could also go into the Rants section, but anyways, it is at least affiliated to Networking.

Two days ago I got a call from one of my RoadWarriors stating that his AV (TrendMicro, btw.) found a virus on his laptop. The virus was identified as "spyw_spyquake.a", but couldn't be removed by the AV. So we removed it manually following a very good guide from www.spyware-removal-guideline.com.

Afterwards we tried to get rid of the browser redirection with CWShredder, manually plowing through all of the known places in the registry, hosts, etc.
Finally SpyBot S&D did the job.

But that's not the point. The point is that this virus/spyware/malware, whatever it is, set "securitysafeguards.net" as the default page. That page is luring LUsers with an obscure message about non-existing infections and possible anti-spyware tools, "fresh & direct" as one might say. The site itself contains no harm (at least not in FF), just a friendly reminder that your computer is bustling with virii.

Sooo... I did a little research. WHOIS turned up this:
Code:
Registrant:
    Pertennen
    Malcolm Deniakke        *****@nakedbodybabes.com)
    37 Seinaame st.
    Helsinki
    null,4821
    FI
    Tel. +359.482082716

Creation Date: 09-Jan-2006 
Expiration Date: 09-Jan-2007

Domain servers in listed order:
    ns1.securitysafeguards.net
    ns2.securitysafeguards.net


Admin-C, Tech-C and Bill-C are all on him. Nice, huh? He's got his own nameservers... And the email domain "nakedbodybabes.com" just fits a security-related internet website, dontcha think?

The server is hosted somewhere in the Ukraine at one "Inhoster Hosting Company". So, thinking that even in the Ukraine someone could be responsible, morally straight and all the rest, I wrote them an email about the website. Nothing happened. Not even a computer generated reply. Nothing. I just saw that the domain is also blacklisted as spam. What a coincidence...

So the rant is: Let me have this guy's balls, let me have a decent talk with the sleepy, non-bothering ukrainians. I want my effin' time back, you bastiches! I want that website down by law & order.

_________________
<Sonium> someone speak python here?
<lucky> HHHHHSSSSSHSSS
<lucky> SSSSS
<Sonium> the programming language
Dave Rave
Butt Sniffer
Joined: 13 Nov 2003
Posts: 1880
Location: Sydney Australia

Posted: Wed Apr 05, 2006 2:36 am

check his rules and regs - is he required to have an email
check his whois list for email addresses

Quote:

<ip address/hostname>
85.255.115.130
securitysafeguards.net
Host reachable, 198 ms. average

<net block>
85.255.112.0 - 85.255.127.255

<owner>
Inhoster hosting company
OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
Abuse notifications to: abuse@inhoster.com

<administrative contact>
Andrei Kislizin
OOO Inhoster,
ul.Antonova 5, Kiev,
03186, Ukraine
phone: +38 044 2404332

<technical contact>
Fast Web Hosting Support
01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 201.
UA
phone: +357 99 117759

<additional data>
inhoster
Source: whois.ripe.net



not the same as yours.
before you ring him at 2am, what did you look up ?


Last edited by Dave Rave on Wed Apr 05, 2006 2:40 am; edited 1 time in total
Akely
Moderator
Joined: 16 Nov 2002
Age: 42
Posts: 5931
Location: Sweden

Posted: Wed Apr 05, 2006 2:40 am

I hear Helsinki is nice this tyme of year...


/Akely

_________________
Can't you see?
It all makes perfect sense,
expressed in dollars and cents,
pounds, shillings and pence.
Can't you see it all
makes perfect sense?

Skookum
Butt Sniffer
Joined: 26 Oct 2001
Posts: 1541
Location: I dunno, I lost my Mommy

Posted: Wed Apr 05, 2006 5:03 am

Quote:

check his rules and regs - is he required to have an email
check his whois list for email addresses


The IP scheme you put up is listed under RIPE NCC. I just went through a big spiel with them on a Chaser bank e-mail that was sent to me. Basically standard fishing. I almost deleted the e-mail but decided that I was bored, so I did some fishing myself. RIPE NCC doesn't really care what their subscribers do, was the impression that I got. If you have any complaints you have to take it up with the subscriber themselves.

I thought it was rather interesting and now I am curious if they divvy out IPs to the States.

If they can do bad things to good people, then I can do good for people by doing bad things to retards.

Normally I try and harass the main company that sends out the IP schemes, then just work your way down: call the actual subscribing company and then, if all else fails, call the owner of that IP, or as Akely so well put it

Quote:
I hear Helsinki is nice this tyme of year...

_________________
"Paranoia is no longer a mental illness it is a way of life" - Me
fear_nothing
Moderator
Joined: 07 Nov 2001
Posts: 2766
Location: The end of the internet

Posted: Wed Apr 05, 2006 5:10 am

Some domain registrars allow for "private" or guarded registrations. Why? Off the top of my head... fear of retribution and SPAM avoidance. Even though it is illegal, some very well known companies troll through Domain records and use them for sales purposes. This has been tested by yours truly: several of my web sites were registered to a pseudonym. This person only existed in a Domain Record. It took a little time but this "person" eventually got emails, snail mail & phone calls pretending to know this FAKE person. Dirty bastards.

You may as well let this one go. Personally I'll get worked up over similar issues, but you're going to spend a ton of time hunting down the real culprit. Not only is it in another country but it's probably a shell company hidden inside of 10-15 other companies.

Russian Dolls anyone?

Something other than Windows [*nix] would help, prob not for sales drones. We all know the routine: patch Windows, 3rd party firewall, GOOD spyware client [MS or Webroot], A/V & endpoint security if you're daring, & that will cut down your stress just a bit.

We feel your pain.

_________________
-Fear

Remember when it comes to Information Security only the paranoid will survive...

Slashdot poster: I don't use commercial applications. I don't use programs for my security tests. I do the tests myself everyday.

Slashdot reply: You don't use programs? What, you put the cat-5 in your mouth and try to *taste* the intruders?

An infinite number of monkeys pounding away on keyboards will eventually produce a report showing that Windows is more secure and has a lower TCO, than linux.
Webster
Guide Dog
Joined: 16 Feb 2002
Age: 28
Posts: 8701
Location: Vacationland

Posted: Wed Apr 05, 2006 5:29 am

Reboot. Reformat. Reinstall.

_________________
www .Run To Win.com
The Marathon Thread
I finally published my book: Comprehensive Guide to Marathon Preparation & Recovery
anglachel
Guide Dog
Joined: 08 Nov 2003
Posts: 8419
Location: MN

Posted: Wed Apr 05, 2006 5:53 am

fear_nothing wrote:
Something other than Windows [*nix] would help, prob not for sales drones. We all know the routine: patch Windows, 3rd party firewall, GOOD spyware client [MS or Webroot], A/V & endpoint security if you're daring, & that will cut down your stress just a bit.

We feel your pain.


funny I do tech support FOR sales drones...

my dad's laptop has a proxy setup for IE in the group policy so he can't change it, and he can't "get on the web" without connecting to the VPN and going through their proxy (Firefox would have gotten around this nicely...)

we've accepted that there is nothing we can do to keep these people from going to spyware sites, so we install Ad-Aware on every machine before we send it out, so we can have them run it in the field, and when it is too busted up for that, we have them ship it back to us... they whine about how they can't be without it, we tell them next time to not let their "kids" use our laptop. (cause they always blame their kids.)

_________________

Quidquid latine dictum sit, altum sonatur.
Death to Shuttleworth!
BadKarmaBoy
Stray Dog
Joined: 19 Dec 2005
Posts: 70

Posted: Wed Apr 05, 2006 6:51 am

Dave Rave wrote:
check his rules and regs - is he required to have an email
check his whois list for email addresses

Quote:

<ip address/hostname>
85.255.115.130
securitysafeguards.net
Host reachable, 198 ms. average

<net block>
85.255.112.0 - 85.255.127.255

<owner>
Inhoster hosting company
OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
Abuse notifications to: abuse@inhoster.com

<administrative contact>
Andrei Kislizin
OOO Inhoster,
ul.Antonova 5, Kiev,
03186, Ukraine
phone: +38 044 2404332

<technical contact>
Fast Web Hosting Support
01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 201.
UA
phone: +357 99 117759

<additional data>
inhoster
Source: whois.ripe.net



not the same as yours.
before you ring him at 2am, what did you look up ?


I posted just the domain info, but wrote that I emailed the hoster (the ukrainian f*ck-heads you quoted). I thought it was self-explanatory that I also got this info you got. So with your lookup the story is complete. I don't bother to call either one. The Finnish one is pretty sure fake and the ukrainians don't give a shit.

_________________
<Sonium> someone speak python here?
<lucky> HHHHHSSSSSHSSS
<lucky> SSSSS
<Sonium> the programming language
EdisonRex
Lead Dog
Joined: 06 May 2002
Posts: 10153
Location: Not Moscow

Posted: Thu Apr 06, 2006 1:15 am

Inhoster is a known spam hosting ISP.

Spamhuntress covered these guys a while ago. If you can block the entire range in a hosts file you'd be doing yourself a favor.

I'm thinking that might be an idea. You could do this in your local DNS too, or in your router: just redirect the entire IP block to 127.0.0.1 or something. I'm beginning to think this is the way to go for a lot of these evil empires.

_________________
Garret: It's so retro.
EGM: What does retro mean to you?
Parker: Like, old and outdated.
pdk68
Butt Sniffer
Joined: 09 Nov 2000
Posts: 1883

Posted: Fri Apr 07, 2006 7:49 pm

You can put the domains in the hosts file pointed to 127.0.0.1 as pointed out above, but also, you can block the IP range on each individual computer as well. I would block the whole subnet; you can always narrow it down or expand it if the need arises. If your users connect back to you through a VPN before they get on the net, you can block the IP range in the proxy/router.
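The last two posts describe two different blocks: sinking the domain name in a hosts file, and blocking the hoster's netblock on the router or on each machine. A hosts file only maps names, so the WHOIS range has to become a CIDR prefix before a firewall or router can use it. The script below is an added example, not code from anyone in this thread; it uses the domain and netblock quoted from the WHOIS output above, turns them into hosts-file lines and a CIDR, and then scans a few constructed Squid-style proxy log lines (not real data) to show how the same two lists can flag a road warrior whose laptop is still talking to that range.

```python
"""Added example (not from the thread): build a name blocklist and a CIDR
range check from the thread's WHOIS data, then use both to scan proxy logs."""
import ipaddress
from urllib.parse import urlsplit

# Values quoted from the thread's WHOIS output.
BLOCKED_DOMAINS = ["securitysafeguards.net"]
RANGE_START = "85.255.112.0"
RANGE_END = "85.255.127.255"


def range_to_cidrs(start, end):
    """Collapse an inclusive IPv4 range, as WHOIS prints it, into CIDR blocks.
    A hosts file cannot express a range; the CIDR is what a router ACL or a
    host firewall rule needs."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def hosts_entries(domains, sink="127.0.0.1"):
    """hosts-file lines that sink each blocked name and its www. alias.
    127.0.0.1 is what the thread suggests; 0.0.0.0 also works and avoids
    hitting any local web server."""
    lines = []
    for name in domains:
        lines.append(f"{sink} {name}")
        lines.append(f"{sink} www.{name}")
    return lines


def is_blocked_name(host, domains):
    """True for the blocked domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def in_blocked_range(ip, cidrs):
    """True if ip falls inside any blocked CIDR; non-IP strings are False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


# Constructed Squid access-log lines (illustrative only, not real traffic):
# timestamp elapsed client action/code bytes method URL ident hierarchy/server type
SAMPLE_LOG = """\
1144214000.123 198 10.0.0.7 TCP_MISS/200 5120 GET http://securitysafeguards.net/ - DIRECT/85.255.115.130 text/html
1144214001.456 42 10.0.0.9 TCP_MISS/200 9821 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1144214002.789 201 10.0.0.7 TCP_MISS/200 512 GET http://85.255.120.5/scan.php - DIRECT/85.255.120.5 text/html
"""


def find_hits(log_text, cidrs, domains):
    """Return (client, url, server_ip, reason) for every log line whose URL
    host is a blocked name, or whose URL host or upstream server falls in a
    blocked range. Catches the IP-literal case a hosts file would miss."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue  # not a complete Squid line
        client, url, hierarchy = parts[2], parts[6], parts[8]
        server = hierarchy.split("/", 1)[1] if "/" in hierarchy else ""
        host = urlsplit(url).hostname or ""
        if is_blocked_name(host, domains):
            hits.append((client, url, server, "blocked name"))
        elif in_blocked_range(host, cidrs) or in_blocked_range(server, cidrs):
            hits.append((client, url, server, "blocked range"))
    return hits


if __name__ == "__main__":
    cidrs = range_to_cidrs(RANGE_START, RANGE_END)
    print("# hosts file additions")
    print("\n".join(hosts_entries(BLOCKED_DOMAINS)))
    print("# CIDR(s) for the router/firewall rule:", ", ".join(cidrs))
    for client, url, server, reason in find_hits(SAMPLE_LOG, cidrs, BLOCKED_DOMAINS):
        print(f"{client} -> {url} via {server}: {reason}")
```

The netblock from the RIPE record collapses to a single /20, which is the value to put in the router ACL or per-host firewall rule pdk68 describes; the hosts-file lines cover only the name, so the third log line (an IP-literal URL in the same range) is caught by the range check alone.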
Powered by phpBB © 2001, 2002 phpBB Group
All times are GMT - 8 Hours