Re: Malicious PHP site(s)?

[Wilhelm Wijkander <elrond94 () gmail com>]

On 2011-06-08 09:22, Sean G wrote:
> OK, for sometime now, I have been receiving odd emails from someone
> whom I do not know at all.. "Seth Spangler" his email address changing
> on an irregular basis. Basic it's just an email with a link that ends
> with .php. I don't have a testing machine at my disposal as of
> current.. I was wondering if some who knows php rather well, would be
> able to inform me of what happens when the link is clicked? (I have
> never clicked out to test it) or if you have heard of this person. If
> not, I do understand this is a busy list. Feel free to contact me
> directly as I would like to learn as much as possible about this --
> well I assume it is an attack of some sort -- and what the
> consequences are. From what I have observed thus far is that this
> person has a long list of email address and is probably phising in one
> manner or another.
> Any help would be greatly appreciated.
Hi.
As others already noted the server(being a shared webhosting with the
U.S. provider HostGo) redirects(HTTP 302) to 91.223.70.168, from the IP
range belonging to (if i understand correctly) one or more computer
retail stores in Latvia. This server, as well, redirects, this time to
http://defender-cmnxp.in/936778ea093f2a51/sa1/16 - a blank page. This
domain was created 2011-06-08(!), and resolves to 78.41.203.12 - which
we should analyze some more:
"
inetnum:         78.41.203.12 - 78.41.203.12
netname:         WORLD-DEDICATED-NET
descr:           IP range World Dedicated Ltd
country:         NL
admin-c:         AA10575-RIPE
<snip>
person:          Alex Averin
address:         Russian Federation, Moscow, Lenina st. 10
phone:           +79194740626
abuse-mailbox:   e57303 () abuse bz
<snip>
% Information related to '78.41.203.0/24AS42267'

route:           78.41.203.0/24
descr:           IP Range ServerFFS
"
It seems to be a VPS/Dedicated server at ServerFFS, a Dutch hosting
provider. However, the customer seems to have requested a separate
record in the RIPE database on the specific IP in question. The adress
in the record leads us to a suburb of Moscow, and I can find no
information about the supposedly Dutch company "World Dedicated Ltd"

The IP that the mail originated from is belonging to a Taiwanese home ISP.

There is a lot more of information out there :-)

/Wilhelm

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------