
Re: (larset.com -lampife.com - ferisod.com) Massive PE patch sale


James W Anderson

Jun 5, 2006, 1:49:23 PM
Reposted data so it would hold in the Google archive.


>
>
> TomezNet wrote:
>
> > Spamvert:
> > www.larset.com Resolved to <snip>
> > www.larset.com IP Resolved to:
> <snip>
> > Let see whois:
> > Registrar: XIN NET TECHNOLOGY CORPORATION
> > DNS Servers:
> > NS2.BRYIDER.COM
> > NS2.TAREFER.COM
>
> This is weird (and a bit terrific). I don't think it is really on
> topic in nanae.
> This looks like a whole trojan-based network bloodsucker:
> All zombies run an Apache-like webserver that meta-redirects to ???
> Zombified hosts are LAMP and the meta redirect is made by a PHP file
>
> $ dig @A.GTLD-SERVERS.NET www.larset.com in any
>
> ; <<>> DiG 9.3.2 <<>> @A.GTLD-SERVERS.NET www.larset.com in any
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18625
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;www.larset.com. IN ANY
>
> ;; AUTHORITY SECTION:
> larset.com. 172800 IN NS ns1.ferisod.com.
> larset.com. 172800 IN NS ns4.lampife.com.
>
> ;; ADDITIONAL SECTION:
> ns1.ferisod.com. 172800 IN A 83.84.12.23
> ns4.lampife.com. 172800 IN A 24.80.146.38
>
> ;; Query time: 127 msec
> ;; SERVER: 192.5.6.30#53(192.5.6.30)
> ;; WHEN: Mon Jun 5 19:05:45 2006
> ;; MSG SIZE rcvd: 116
>
> $ dig @A.GTLD-SERVERS.NET ns1.ferisod.com. in any
>
> ; <<>> DiG 9.3.2 <<>> @A.GTLD-SERVERS.NET ns1.ferisod.com. in any
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30150
> ;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
>
> ;; QUESTION SECTION:
> ;ns1.ferisod.com. IN ANY
>
> ;; ANSWER SECTION:
> ns1.ferisod.com. 172800 IN A 83.84.12.23
>
> ;; AUTHORITY SECTION:
> ferisod.com. 172800 IN NS ns1.ferisod.com.
> ferisod.com. 172800 IN NS ns2.ferisod.com.
> ferisod.com. 172800 IN NS ns3.ferisod.com.
> ferisod.com. 172800 IN NS ns4.ferisod.com.
> ferisod.com. 172800 IN NS ns5.ferisod.com.
>
> ;; ADDITIONAL SECTION:
> ns1.ferisod.com. 172800 IN A 83.84.12.23
> ns2.ferisod.com. 172800 IN A 83.84.73.190
> ns3.ferisod.com. 172800 IN A 82.43.89.63
> ns4.ferisod.com. 172800 IN A 218.166.134.71
> ns5.ferisod.com. 172800 IN A 82.38.186.116
>
> ;; Query time: 128 msec
> ;; SERVER: 192.5.6.30#53(192.5.6.30)
> ;; WHEN: Mon Jun 5 19:06:26 2006
> ;; MSG SIZE rcvd: 215
>
> $ nslookup 82.38.186.116
> Server: 212.27.54.252
> Address: 212.27.54.252#53
>
> Non-authoritative answer:
> 116.186.38.82.in-addr.arpa name = 82-38-186-116.cable.ubr03.shef.blueyonder.co.uk.
>
> Authoritative answers can be found from:
>
> $ nslookup 218.166.134.71
> Server: 212.27.54.252
> Address: 212.27.54.252#53
>
> Non-authoritative answer:
> 71.134.166.218.in-addr.arpa name = 218-166-134-71.dynamic.hinet.net.
>
> Authoritative answers can be found from:
>
> $ nslookup 82.43.89.63
> Server: 212.27.54.252
> Address: 212.27.54.252#53
>
> Non-authoritative answer:
> 63.89.43.82.in-addr.arpa name = 82-43-89-63.cable.ubr08.croy.blueyonder.co.uk.
>
> Authoritative answers can be found from:
>
> $ nslookup 83.84.73.190
> Server: 212.27.54.252
> Address: 212.27.54.252#53
>
> Non-authoritative answer:
> 190.73.84.83.in-addr.arpa name = 535449BE.cable.casema.nl.
>
> Authoritative answers can be found from:
>
> $ nslookup 83.84.12.23
> Server: 212.27.54.252
> Address: 212.27.54.252#53
>
> Non-authoritative answer:
> 23.12.84.83.in-addr.arpa name = 53540C17.cable.casema.nl.
>
> Authoritative answers can be found from:

Spamless

Jun 5, 2006, 2:54:59 PM
On 2006-06-05, le....@free.fr <le....@free.fr> wrote:

> This looks like a whole trojan-based network bloodsucker:
> All zombies run an Apache-like webserver that meta-redirects to ???
> Zombified hosts are LAMP and the meta redirect is made by a PHP file

Yep ... currently (2:45 PM EDT, 5 June 2006)

======================================================
For the host:
"www.larset.com"

NAMESERVERS listed in the root servers for larset.com:
------------------------------------------------------
larset.com NS ns1.ferisod.com
larset.com NS ns4.lampife.com
ns1.ferisod.com A 81.56.63.17
ns4.lampife.com A 83.84.173.140

[extract from dig]
------------------
dig @81.56.63.17 www.larset.com A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.larset.com A 84.220.106.171
www.larset.com A 83.179.190.114
www.larset.com A 24.80.146.38
www.larset.com A 81.56.66.8
www.larset.com A 84.220.106.171

dig @83.84.173.140 www.larset.com A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.larset.com A 84.220.106.171
www.larset.com A 83.179.190.114
www.larset.com A 81.56.66.8
www.larset.com A 84.220.106.171
www.larset.com A 24.80.146.38
======================================================

Name: S0106000d88e20617.vc.shawcable.net
Address: 24.80.146.38

Name: cpy94-2-81-56-63-17.fbx.proxad.net
Address: 81.56.63.17

Name: mic92-3-81-56-66-8.fbx.proxad.net
Address: 81.56.66.8

Name: 5354AD8C.cable.casema.nl
Address: 83.84.173.140

Name: d83-179-190-114.cust.tele2.fr
Address: 83.179.190.114

Name: host-84-220-106-171.cust-adsl.tiscali.it
Address: 84.220.106.171

The error message I got was:
main(/home/users/aff/tserw.com/framework/functions.php): failed to open stream
as tserw.com is also on a botnet.

=====================================================
For the host:
"tserw.com"

NAMESERVERS listed in the root servers for tserw.com:
-----------------------------------------------------
tserw.com NS ns1.ferisod.com
tserw.com NS ns4.lampife.com
ns1.ferisod.com A 81.56.63.17
ns4.lampife.com A 82.43.89.63

[extract from dig]
------------------
dig @81.56.63.17 tserw.com A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
tserw.com A 210.107.205.239
tserw.com A 83.84.213.185
tserw.com A 83.84.199.49
tserw.com A 81.36.204.140
tserw.com A 83.84.47.161

dig @82.43.89.63 tserw.com A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
tserw.com A 83.84.213.185
tserw.com A 83.84.199.49
tserw.com A 81.36.204.140
tserw.com A 83.84.47.161
tserw.com A 210.107.205.239
=====================================================
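The two posts above do the investigation by hand: ask the gTLD servers for the delegation, query the delegated nameservers directly with +norec, and reverse-resolve every address that comes back. The script below is an added example, not code from either poster, that applies the same checks to the answers transcribed from the thread. The record lines and PTR names in it are copied from the two messages; the list of "residential" PTR fragments and the rule of thumb in looks_like_fast_flux() are assumptions of the example, not something the posts state.

```python
"""Fast-flux indicators from DNS answers like those pasted in this thread (added example)."""
import re
from ipaddress import ip_network

# Short dig form "name A 1.2.3.4" or full form "name. 172800 IN A 1.2.3.4";
# only A and NS lines are kept, dig's ";" comment lines never match.
_RR = re.compile(r"^\s*(?P<name>[\w.-]+?)\.?\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?"
                 r"(?P<type>A|NS)\s+(?P<rdata>[\w.-]+?)\.?\s*$")
# Assumption: PTR fragments typical of consumer broadband pools, plus "fbx"
# (Free's Freebox naming, as seen in the thread).
RESIDENTIAL = re.compile(r"cable|dsl|dynamic|dyn|cust|dhcp|pool|ppp|fbx", re.I)

# Constructed input transcribed from the two posts: gTLD delegation and glue
# (first post), the glue seen in the second post, and the authoritative
# answers the zombie nameservers gave for both spamvertised names.
SAMPLE = """\
larset.com. 172800 IN NS ns1.ferisod.com.
larset.com. 172800 IN NS ns4.lampife.com.
ns1.ferisod.com. 172800 IN A 83.84.12.23
ns4.lampife.com. 172800 IN A 24.80.146.38
ferisod.com. 172800 IN NS ns2.ferisod.com.
ferisod.com. 172800 IN NS ns3.ferisod.com.
ferisod.com. 172800 IN NS ns4.ferisod.com.
ferisod.com. 172800 IN NS ns5.ferisod.com.
ns2.ferisod.com. 172800 IN A 83.84.73.190
ns3.ferisod.com. 172800 IN A 82.43.89.63
ns4.ferisod.com. 172800 IN A 218.166.134.71
ns5.ferisod.com. 172800 IN A 82.38.186.116
ns1.ferisod.com A 81.56.63.17
ns4.lampife.com A 83.84.173.140
ns4.lampife.com A 82.43.89.63
www.larset.com A 84.220.106.171
www.larset.com A 83.179.190.114
www.larset.com A 24.80.146.38
www.larset.com A 81.56.66.8
tserw.com A 210.107.205.239
tserw.com A 83.84.213.185
tserw.com A 83.84.199.49
tserw.com A 81.36.204.140
tserw.com A 83.84.47.161
"""
# PTR names as reverse-resolved in the thread; tserw.com's hosts have none quoted.
PTRS = {
    "24.80.146.38": "S0106000d88e20617.vc.shawcable.net",
    "81.56.63.17": "cpy94-2-81-56-63-17.fbx.proxad.net",
    "81.56.66.8": "mic92-3-81-56-66-8.fbx.proxad.net",
    "82.38.186.116": "82-38-186-116.cable.ubr03.shef.blueyonder.co.uk",
    "82.43.89.63": "82-43-89-63.cable.ubr08.croy.blueyonder.co.uk",
    "83.84.12.23": "53540C17.cable.casema.nl",
    "83.84.73.190": "535449BE.cable.casema.nl",
    "83.84.173.140": "5354AD8C.cable.casema.nl",
    "83.179.190.114": "d83-179-190-114.cust.tele2.fr",
    "84.220.106.171": "host-84-220-106-171.cust-adsl.tiscali.it",
    "218.166.134.71": "218-166-134-71.dynamic.hinet.net",
}


def parse_rrs(text):
    """Return (owner, ttl or None, rtype, rdata) for each A/NS line in text."""
    matches = [m for m in map(_RR.match, text.splitlines()) if m]
    return [(m["name"].lower(), int(m["ttl"]) if m["ttl"] else None,
             m["type"], m["rdata"].lower()) for m in matches]


def flux_report(rr_text, ptr_map):
    """Indicators the thread relies on: NS glue that differs between lookups, an NS
    host that also serves the web site, many unrelated /16s, residential PTRs."""
    rrs = parse_rrs(rr_text)
    ns_names = {rdata for _, _, rtype, rdata in rrs if rtype == "NS"}
    ips_by_name, ttls = {}, []
    for owner, ttl, rtype, rdata in rrs:
        if rtype == "A":
            ips_by_name.setdefault(owner, set()).add(rdata)
            if ttl is not None:
                ttls.append(ttl)
    ns_ips = set().union(*(ips_by_name.get(n, set()) for n in ns_names))
    web_ips = set().union(*(v for k, v in ips_by_name.items() if k not in ns_names))
    all_ips = ns_ips | web_ips
    return {
        "nameservers_with_changing_glue": sorted(n for n in ns_names if len(ips_by_name.get(n, ())) > 1),
        "ns_ips_also_serving_web": sorted(ns_ips & web_ips),
        "distinct_slash16": len({str(ip_network(f"{ip}/16", strict=False)) for ip in all_ips}),
        "residential_ptr_ips": sorted(ip for ip in all_ips if RESIDENTIAL.search(ptr_map.get(ip, ""))),
        "ips_without_ptr": sorted(all_ips - set(ptr_map)),
        "min_ttl_seen": min(ttls) if ttls else None,
    }


def looks_like_fast_flux(report):
    """Rule of thumb (assumption): moving glue, or an NS host doubling as a web host,
    or a wide spread of networks where most hosts sit on residential lines."""
    spread = report["distinct_slash16"] >= 5 and len(report["residential_ptr_ips"]) >= 5
    return bool(report["nameservers_with_changing_glue"] or report["ns_ips_also_serving_web"] or spread)


if __name__ == "__main__":
    rep = flux_report(SAMPLE, PTRS)
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("fast-flux indicators present:", looks_like_fast_flux(rep))
```

Two caveats when reading the output. The only TTLs visible in the thread are the 172800 s delegation TTLs served by the gTLD servers for the NS and glue records, not the zone's own values; the +norec extracts in the second post omit TTLs, so the short-TTL indicator usually cited for fast flux cannot be judged from this data, and the script only records it. And the first poster's ANY query for www.larset.com at A.GTLD-SERVERS.NET returning ANSWER: 0 with an AUTHORITY section is the expected behaviour of a non-authoritative parent: the authoritative data only appears once you query the delegated nameservers themselves, which is what the second post does and what reveals that the same residential hosts act as both nameserver and web server.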
