Security Incidents mailing list archives

Re: Malware Site


From: Joshua Ginsberg <jag () fsf org>
Date: Wed, 23 Nov 2005 11:41:44 -0500

RTFM-style answer:

First, figure out a little about the site... like who owns the domain
and where is it hosted?

$ whois sutterhealth.org
NOTICE: Access to .ORG WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the Public Interest Registry
registry database. The data in this record is provided by Public Interest Registry
for informational purposes only, and Public Interest Registry does not guarantee its
accuracy.  This service is intended only for query-based access.  You agree
that you will use this data only for lawful purposes and that, under no
circumstances will you use this data to: (a) allow, enable, or otherwise
support the transmission by e-mail, telephone, or facsimile of mass
unsolicited, commercial advertising or solicitations to entities other than
the data recipient's own existing customers; or (b) enable high volume,
automated, electronic processes that send queries or data to the systems of
Registry Operator or any ICANN-Accredited Registrar, except as reasonably
necessary to register domain names or modify existing registrations.  All
rights reserved. Public Interest Registry reserves the right to modify these terms at any
time. By submitting this query, you agree to abide by this policy.

Domain ID:D5472804-LROR
Domain Name:SUTTERHEALTH.ORG
Created On:28-Mar-1997 05:00:00 UTC
Last Updated On:13-Sep-2005 15:43:59 UTC
Expiration Date:29-Mar-2007 05:00:00 UTC
Sponsoring Registrar:Register.com Inc. (R71-LROR)
Status:OK
Registrant ID:69813432819f9731
Registrant Name:DNS Admin
Registrant Organization:Sutter Health
Registrant Street1:3707 Schriever Avenue
Registrant Street2:
Registrant Street3:
Registrant City:Mather
Registrant State/Province:CA
Registrant Postal Code:95655
Registrant Country:US
Registrant Phone:+1.9164548279
Registrant Phone Ext.:
Registrant FAX:+1.9164548279
Registrant FAX Ext.:
Registrant Email:dnsadmin () sutterhealth org
Admin ID:69813432819f9731
Admin Name:DNS Admin
Admin Organization:Sutter Health
Admin Street1:3707 Schriever Avenue
Admin Street2:
Admin Street3:
Admin City:Mather
Admin State/Province:CA
Admin Postal Code:95655
Admin Country:US
Admin Phone:+1.9164548279
Admin Phone Ext.:
Admin FAX:+1.9164548279
Admin FAX Ext.:
Admin Email:dnsadmin () sutterhealth org
Tech ID:8141715281ce7130
Tech Name:DNS Admin
Tech Organization:Sutter Health
Tech Street1:3707 Schriever Avenue
Tech Street2:
Tech Street3:
Tech City:Mather
Tech State/Province:CA
Tech Postal Code:95655
Tech Country:US
Tech Phone:+1.9164548729
Tech Phone Ext.:
Tech FAX:+1.9164548729
Tech FAX Ext.:
Tech Email:kingal () SutterHealth org
Name Server:NS1.SUTTERHEALTH.ORG
Name Server:NS2.SUTTERHEALTH.ORG

-----------------

$ host www.sutterhealth.org
www.sutterhealth.org is an alias for sutterhealth.org.
sutterhealth.org has address 65.213.63.34

-----------------

$ whois 65.213.63.34
UUNET Technologies, Inc. UUNET65 (NET-65-192-0-0-1)
                                  65.192.0.0 - 65.223.255.255
Sutter Health UU-65-213-63 (NET-65-213-63-0-1)
                                  65.213.63.0 - 65.213.63.255

------------------

$ whois -h whois.arin.net UUNET65

OrgName:    UUNET Technologies, Inc.
OrgID:      UU
Address:    22001 Loudoun County Parkway
City:       Ashburn
StateProv:  VA
PostalCode: 20147
Country:    US

NetRange:   65.192.0.0 - 65.223.255.255
CIDR:       65.192.0.0/11
NetName:    UUNET65
NetHandle:  NET-65-192-0-0-1
Parent:     NET-65-0-0-0-0
NetType:    Direct Allocation
NameServer: AUTH03.NS.UU.NET
NameServer: AUTH00.NS.UU.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2000-10-27
Updated:    2002-02-13

RTechHandle: OA12-ARIN
RTechName:   UUnet Technologies, Inc., Technologies
RTechPhone:  +1-800-900-0241
RTechEmail:  help4u () mci com

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName:   abuse
OrgAbusePhone:  +1-800-900-0241
OrgAbuseEmail:  abuse-mail () mci com

OrgNOCHandle: OA12-ARIN
OrgNOCName:   UUnet Technologies, Inc., Technologies
OrgNOCPhone:  +1-800-900-0241
OrgNOCEmail:  help4u () mci com

OrgTechHandle: SWIPP-ARIN
OrgTechName:   swipper
OrgTechPhone:  +1-800-900-0241
OrgTechEmail:  swipper () mci com


If you want to be nice, pick up the phone and call the Sutter Health
folks and let them know -- their site may have been cracked and they may
be oblivious. If you want to be more formal, send email to
dnsadmin () sutterhealth org, abuse () sutterhealth org, and
abuse-mail () mci com detailing your findings.

If they're unresponsive, given the site appears to be hosted in the
U.S., notify the Federal Trade Commission. Not like they'll do anything
about it, but that's the procedure.

You can also report the URI to folks like SpamCop who will report it to
the same abuse contacts I listed, and if they're unresponsive, add it to
their URIBL and such.

-jag

On Wed, 2005-11-23 at 16:30 +0000, namtoor () gmail com wrote:
Hi, this site <don't click!> http://sutterhelath.org/index.php </don't click!> is
spreading malware.  They're tricking people into
visiting the site via an embedded link in email
messages.  How should this be reported and/or what
should be done to get this site taken offline?

Thanks!

-- 
Joshua Ginsberg <jag () fsf org>
Free Software Foundation - Senior Systems Administrator
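The lookup chain the reply above types by hand, as an added example that is not from the original post or its author: shell functions that parse whois(1) and host(1) output for the addresses to notify, plus a wrapper that runs the live chain. The sample records are constructed with placeholder organisations and addresses; whois and host are assumed to be installed for the live path only.

```shell
#!/bin/sh
# Added example, not code from the original post. Follows the same chain
# the reply types by hand: whois DOMAIN -> host -> whois IP ->
# whois -h whois.arin.net NETNAME, and collects the addresses to notify.
# Assumes whois(1) and host(1) for the live path; the parsers run offline.

# E-mail addresses from the Registrant/Admin/Tech/Org*/RTech "Key: value"
# fields of whois output on stdin: lower-cased, unique, one per line.
whois_contacts() {
    grep -iE '^[[:space:]]*(Registrant|Admin|Tech|Org[A-Za-z]*|RTech)[A-Za-z. ]*E-?mail:' \
    | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]+$//' | tr '[:upper:]' '[:lower:]' | sort -u
}
# Only the abuse-desk fields, the ones a report should go to first.
abuse_contacts() {
    grep -iE '^[[:space:]]*[A-Za-z]*Abuse[A-Za-z]*E-?mail:' \
    | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]+$//' | tr '[:upper:]' '[:lower:]' | sort -u
}
# IPv4 addresses from host(1) output on stdin.
host_addresses() { awk '/has address/ { print $NF }'; }
# NetName tokens from the summary lines "whois IP" prints, e.g.
# "UUNET Technologies, Inc. UUNET65 (NET-65-192-0-0-1)" -> UUNET65.
# The broadest allocation (upstream) comes first, the specific owner last.
net_names() {
    sed -nE 's/.*[[:space:]]([A-Za-z0-9-]+)[[:space:]]+\(NET6?-[0-9A-Fa-f-]+\).*/\1/p'
}
# Live path: the whole chain for one domain (needs network access).
report_domain() {
    echo "== registrant/admin/tech contacts for $1"
    whois "$1" | whois_contacts
    for ip in $(host "$1" | host_addresses); do
        for net in $(whois "$ip" | net_names); do
            echo "== $ip lies in $net; its abuse desk:"
            whois -h whois.arin.net "$net" | abuse_contacts
        done
    done
}

# Constructed sample records (placeholder organisations and addresses)
# so the parsers can be exercised without network access.
SAMPLE_ARIN='OrgName:        Example Upstream
OrgAbuseEmail:  abuse@upstream.example
OrgTechEmail:   swipper@upstream.example'
SAMPLE_IPWHOIS='Example Upstream EXNET65 (NET-65-192-0-0-1)
Example Hospital EX-65-213-63 (NET-65-213-63-0-1)'
SAMPLE_HOST='www.example.org is an alias for example.org.
example.org has address 192.0.2.10'

# Run the live chain only when a domain is given on the command line.
if [ -n "${1:-}" ]; then report_domain "$1"; fi
```

Invoke it as `sh report.sh example.org` for a live lookup. The `-h whois.arin.net` step matches the North American allocation in the reply; for a netblock registered with another RIR (RIPE, APNIC, LACNIC, AFRINIC) query that registry's whois server instead.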
