nanog mailing list archives

Re: Wired mag article on spammers playing traceroute games with trojaned boxes


From: Hank Nussbacher <hank () att net il>
Date: Thu, 9 Oct 2003 22:24:22 +0200 (IST)


On Thu, 9 Oct 2003, John Neiberger wrote:

Doing some Googling on tubul I found:

WAP S.A.
Katarzyna Piatek (tubul at wp.pl)
+48.327811019
FAX- +48.327811025
Opolska 22
Katowice, 40-084
PL

-Hank

Actually, in the case of the wired article (removeform.com), it seems to be
connected to a site in Florida. I asked my programmer (gabor () sentex net)
to decode the obfuscated java script/page that is served up by one of the
zombies (On FreeBSD fetch -B 18192 -o danger.html
http://www.removeform.com/d - I got it from 207.5.215.72 at the time). I
have attached it as a zip file with its contents. You will note that the
form post goes back to

form action="http://207.36.47.68/cgi-bin/addinfo.cgi";


OrgName:  CyberGate, Inc.
OrgID:    CYBG
Address:  3250 W. Commercial Blvd. Suite 200
City:     Ft. Lauderdale
StateProv:FL
PostalCode: 33309
Country:  US

This appears to be a rather prolific spammer. At first I thought they
were affiliated with www.skynetweb.com because they have the same
address, including suite number, but it now appears that they are really
affiliated with these guys:

http://www.affinity.com/about/our_team/our_team.htm

John
--


Hank Nussbacher


