http://www.matchent.com/wpress/ , “closed” in 2014.
And I don’t have much clue how it happened.
A shell (GNY.Shell – findex.php) and a proxy (proxy.php) were uploaded, but where the weakness was (is?) is not known to me.
I would not be very much surprised if this turned out to be a part of the Christmas hacking at evilzone.org.
In that aspect it fits in with the previous posting here.
If you can read Norwegian, there is also something here:
hxxp://skriblerier. adesign. no/index.php?q=node/63 (not alive anymore, shut down in 2014)
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv:188.8.131.52) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
I think I got mail set up right.
And the redirect to this one on wordpress.com.
Update some hours later
The shell that was uploaded:
Goes by various names: Backdoor.PHP.C99Shell.y, probably a variant of PHP/Rst.S, PHP.ShellBot.K, Trojan.Script.212277.
“Score” at virustotal is 16/41.
Update December 25, 2009
A few other interesting IPs:
184.108.40.206 <—– “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html”?
Umm, don’t think so. More likely a pimple-faced teenager from Trondheim in Norway. Seen on at least three of my domains.
Also using the UA string “Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:220.127.116.11) Gecko/20091102 Firefox/3.5.5”.
18.104.22.168 <—– Telenor in Norway. I have seen one very close one earlier, 22.214.171.124 (and 126.96.36.199, perhaps 188.8.131.52 too).
Now, how many Telenor users are skiddies? Quite a lot probably. But I’ll bet my money on that this is the one who used 184.108.40.206 to log in to h4cky0u as Volume earlier this year. Now admin at evilzone.org and nationalhacker.org. If anyone is interested, they can check out how the Christmas hacking over at evilzone.org is going. I have not registered to have a look. But I trust that Andreas Ringstad Hansen, phone 470 42 073, is doing a good job in herding his “crew”.
Also admin at the former 1nj3ct.org. Which went down when he got a bit nervous after a little slap on the wrist from the police. nordicws.org is another one of his “masterpieces”. Oh, he changed that one. I can throw up a screenshot or two. Or five. When I figure out how to do it here on wordpress.com.
I’ll give it a try; it is supposed to be below this text:
220.127.116.11 <—- Right now I have forgotten why this one is interesting.
18.104.22.168. Hits in logs at at least two of my domains. 22.214.171.124 is also hosting nordicws.org.
Lots of coincidences here.
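The entries above that claim to be Googlebot are a good illustration of why a User-Agent string on its own proves nothing: it is chosen by the client. As an added example (not code from the original post), here is a Python check that parses combined-format web server log lines, picks out the hits claiming to be Googlebot, and verifies each source address with forward-confirmed reverse DNS, the method Google documents for identifying its crawler. The log lines and the two lookup tables are constructed so that it runs offline; the addresses are RFC 5737 test addresses, not the ones in the post, and the hostnames are made up.

```python
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# Constructed log lines in Apache/nginx "combined" format (not real traffic).
# 203.0.113.7 is a genuine crawler in this scenario; 192.0.2.44 and
# 198.51.100.9 only claim to be one.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Dec/2009:03:14:07 +0100] "GET /wpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.44 - - [24/Dec/2009:03:15:11 +0100] "GET /wpress/wp-login.php HTTP/1.1" 200 1870 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.44 - - [24/Dec/2009:03:16:02 +0100] "GET /wpress/wp-content/ HTTP/1.1" 403 210 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
198.51.100.9 - - [24/Dec/2009:03:17:40 +0100] "GET /robots.txt HTTP/1.1" 200 66 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# Constructed stand-ins for the resolver so the example runs offline; in
# production these are PTR and A lookups. 198.51.100.9 has had its PTR pointed
# at a real-looking crawler name: a suffix check alone would pass it, the
# forward confirmation catches it because the name resolves elsewhere.
PTR_TABLE: Dict[str, str] = {
    "203.0.113.7": "crawl-203-0-113-7.googlebot.com",
    "192.0.2.44": "cust-44.example-isp.net",
    "198.51.100.9": "crawl-203-0-113-7.googlebot.com",
}
A_TABLE: Dict[str, str] = {
    "crawl-203-0-113-7.googlebot.com": "203.0.113.7",
    "cust-44.example-isp.net": "192.0.2.44",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

Lookup = Callable[[str], Optional[str]]


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def verify_googlebot(ip: str, ptr_lookup: Lookup, a_lookup: Lookup) -> bool:
    """Forward-confirmed reverse DNS, as Google documents for its crawler:
    the PTR name must be under googlebot.com or google.com, and that name
    must resolve back to the very same address."""
    host = ptr_lookup(ip)
    if not host:
        return False
    host = host.lower().rstrip(".")
    if not (host.endswith(".googlebot.com") or host.endswith(".google.com")):
        return False
    return a_lookup(host) == ip


def user_agents_by_ip(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Every distinct UA string each address presented, sorted."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["ip"]].add(e["ua"])
    return {ip: sorted(uas) for ip, uas in seen.items()}


def find_spoofed_crawlers(text: str, ptr_lookup: Lookup, a_lookup: Lookup) -> Dict[str, List[str]]:
    """Addresses that claimed to be Googlebot but fail verification, together
    with every UA string they used (a spoofer often switches between several)."""
    by_ip = user_agents_by_ip(parse_log(text))
    return {
        ip: uas for ip, uas in by_ip.items()
        if any("Googlebot" in ua for ua in uas)
        and not verify_googlebot(ip, ptr_lookup, a_lookup)
    }


if __name__ == "__main__":
    for ip, uas in find_spoofed_crawlers(SAMPLE_LOG, PTR_TABLE.get, A_TABLE.get).items():
        print(f"{ip} claims Googlebot but fails the rDNS/forward check; UAs seen: {uas}")
```

Against real logs, replace `PTR_TABLE.get` and `A_TABLE.get` with wrappers around `socket.gethostbyaddr` and `socket.gethostbyname`, and cache the answers: the point of the check is that the reverse name must be under Google's domain and must resolve back to the same address, so an address whose owner merely sets a flattering PTR record still fails.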
I wonder about the quality of the Viral Spiral idiot’s records:
Our records indicate you may be struggling to make your
mortgage payments, and may be falling behind on your payments.
If your income has dropped or you have another hardship that is
causing you financial difficulty, we may be able to help you get
financial relief from your home loan lender. Complete the form
to get a free financial evaluation to determine if you qualify
for payment relief. I look forward to working with you
With a link to bratchaeal. com.
The spam ends like this (slightly edited):
Thank you for signing up with us with the email address of [deleted].
All of us here with MSC. will continue to do our best in
bringing you the best and most exciting offers we can on a weekly
http://www.bratchaeal. com/transmissions no
thanks, no more ads or offers please
565 S. Mason Rd, Unit 233,Katey, tx. 77450
All typical fingerprints of James Carner, formerly known as the “Viral Spiral” idiot. Well, on this blog, that is.
Unless it is a copycat. Or a catfight between Carner and Pirro. Or maybe they are still in bed. Or he could be cooperating with Gregory Williams.
I don’t have a clue. Someone is spamming, whoever it is.
This guy ( scamspam.org ) is better than me at documenting his spam:
I’ve been wondering a bit about the mails I get from girls who’d like to meet me. The ones from Eastern Europe dominate.
I got an email from Africa a couple of days ago (I think) and some of the content went like this:
ADD my yahoo id below to your yahoo messenger and lets chat and please respect your respect as you come.
Somewhat later followed by:
i will only welcome who talk nice and talk like honest human if your going to add me for free or trying to ripp your wasting your wasting your please i need honest human and understanding human please do as you say and dont get embarssed.
If you read this, I hope you don’t see how embarssed I am.
Fresh in one of my inboxes:
You have received this e-mail because of the launching of State Vaccination H1N1 Program.
You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.
Create your Personal H1N1 Vaccination Profile using the link:
Create Personal Profile
Centers for Disease Control and Prevention (CDC) · 1600 Clifton Rd · Atlanta GA 30333 · 800-CDC-INFO (800-232-4636)
The link goes to:
The download file, vacc_profile.exe, is, according to Virustotal.com, only recognized by 5 vendors/programs as I write this:
AntiVir (“TR/Crypt.XPACK.Gen”), Kaspersky (“Packed.Win32.Krap.ae”), McAfee+Artemis (“Artemis!C2B6CB233320”), McAfee-GW-Edition (“Heuristic.BehavesLike.Win32.Trojan.H”) and NOD32 (“a variant of Win32/Kryptik.BFV”).
Hosted on a botnet. One example of overlap with alliance-leicester phishing, according to bfk.de:
online.cdc.gov.yttt4l.org.im A 126.96.36.199
online.cdc.gov.yttt4r.org.im A 188.8.131.52
online.cdc.gov.yttt4l.im A 184.108.40.206
online.cdc.gov.yttt4l.com.im A 220.127.116.11
online.cdc.gov.yttt4r.com.im A 18.104.22.168
www.mybank.alliance-leicester.co.uk.iksadh.co.im A 22.214.171.124
online.cdc.gov.yttt4l.co.im A 126.96.36.199
online.cdc.gov.yttt4r.co.im A 188.8.131.52
online.cdc.gov.yttt4r.im A 184.108.40.206
online.cdc.gov.yttt4l.net.im A 220.127.116.11
online.cdc.gov.yttt4r.net.im A 18.104.22.168
Phishtank has seen IRS phishing today:
Several other “overlaps” as well, ally is another example.
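What makes the bfk.de “overlap” visible is that lookalike hostnames built for different targets resolve to the same small pool of addresses. As an added example (not code from the original post or from bfk.de), the Python below parses `hostname A address` records, whether one per line or run together on a single line as the excerpt above was, and groups hostnames into clusters connected through shared addresses (a host with two addresses links both pools), then lists which impersonated brands each cluster mixes. The records it ships with are constructed in the same shape as the excerpt, with RFC 5737 test addresses and made-up flux domains, not real resolutions; the brand keyword list is an assumption of the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed passive-DNS style records (`hostname A address`), not real
# resolutions. The first hostname round-robins over two addresses, which is
# what ties the .10 and .11 pools together into one cluster.
SAMPLE_RECORDS = """\
online.cdc.gov.example-flux1.org.im A 203.0.113.10
online.cdc.gov.example-flux1.org.im A 203.0.113.11
online.cdc.gov.example-flux2.org.im A 203.0.113.11
online.cdc.gov.example-flux1.co.im A 203.0.113.10
www.mybank.alliance-leicester.co.uk.example-flux3.co.im A 203.0.113.11
online.cdc.gov.example-flux2.im A 203.0.113.12
secure.ally.com.example-flux4.co.im A 203.0.113.12
www.example-unrelated.org A 198.51.100.5
"""

# Impersonated brands to look for inside a hostname (assumed list; extend
# to whatever targets the feed you are watching keeps hitting).
BRAND_KEYWORDS = ("cdc.gov", "alliance-leicester", "ally.com", "irs.gov")


def parse_records(text: str) -> List[Tuple[str, str]]:
    """Pull (hostname, address) pairs out of a whitespace-separated stream of
    `host A addr` triples, so both one-per-line and run-together input work."""
    tokens = text.split()
    records = []
    i = 0
    while i + 2 < len(tokens):
        if tokens[i + 1].upper() == "A":
            records.append((tokens[i].lower().rstrip("."), tokens[i + 2]))
            i += 3
        else:
            i += 1  # stray token: resynchronise on the next triple
    return records


def cluster_by_shared_ip(records: List[Tuple[str, str]]) -> List[Set[str]]:
    """Connected components of the host<->address graph (union-find): two
    hostnames land in one cluster when a chain of shared addresses links
    them. Biggest clusters first, ties broken by the smallest hostname."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    # Prefix the two node kinds so a hostname can never collide with an address.
    for host, ip in records:
        union("h:" + host, "ip:" + ip)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for host, _ in records:
        groups[find("h:" + host)].add(host)
    return sorted(groups.values(), key=lambda s: (-len(s), min(s)))


def brands_in_cluster(cluster: Set[str]) -> List[str]:
    """Sorted list of brand keywords that appear in any hostname of the cluster."""
    return sorted({kw for host in cluster for kw in BRAND_KEYWORDS if kw in host})


def overlap_report(text: str) -> List[Tuple[List[str], List[str]]]:
    """(sorted hostnames, brands) per cluster; a cluster mixing two brands is
    the kind of overlap the post points at."""
    return [(sorted(c), brands_in_cluster(c)) for c in cluster_by_shared_ip(parse_records(text))]


if __name__ == "__main__":
    for hosts, brands in overlap_report(SAMPLE_RECORDS):
        print(f"{len(hosts)} host(s), brands {brands or ['none']}:")
        for h in hosts:
            print("   ", h)
```

The clusters are built over the bipartite host/address graph rather than by bucketing on a single address, because fast-flux names rotate through several addresses; a flat “hosts per address” table would show the CDC names and the bank name side by side only when they happened to share one address at the moment of the snapshot.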
See also the InboxRevenge Forum: