Security – Page 19 – 37'.news ¯\_(ツ)

June 21, 2012

Seems Legit: Dropbox Edition

Yet another reminder not to blindly click/tap on links in emails. This time it is brought to you by fake Dropbox email.

June 13, 2012

WordPress 3.4

WordPress 3.4 is released.

If you’re running a self-install WordPress Site, first check if all your plugins are compatible.

June 4, 2012

You’ll thank yourself later.

Add the followings to your host file and you’ll thank yourself later.

127.0.0.1       gizmodo.com
127.0.0.1       www.gizmodo.com
127.0.0.1       api.gawker.com
127.0.0.1       cache.gawkerassets.com
127.0.0.1       cache.gizmodo.com
127.0.0.1       fonts.gawker.com
127.0.0.1       ganja.gawkerassets.com
127.0.0.1       img.gawkerassets.com

Header for the host file:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost

fe80::1%lo0     localhost

Dont know what a hosts file is?
Wikipedia has a page for it.

No more accidentally clicking on links to garbage posts on this particular site.

June 3, 2012

TDSS Rootkit

A client called me because one of the office computer “was not working.”

Well, the problem was much severe than described. It suffered from multiple malware infections. As usual, I used numbers of applications to detect and remove the malware. I also noted that this computer is unable to download any Windows Update.

So, the system is infected with TDSS Rootkit.

The next step is to download Kaspersky Anti-rootkit utility TDSSKiller.

I made sure to “Change parameters” and select the option to detect TDSS file system.

After a reboot, Windows is able to download and install updates.

May 30, 2012

Spammer Alert: margretriverhosting.com

This is the continuation to milkcheesedns.com spammer.

properlymysteriouslyupbeat.com

Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com

Domain name: properlymysteriouslyupbeat.com

Registrant Contact:
margretriverhosting
Domain Management ()

Fax:
PO Box 66738
Saint Louis, MO 63166-6738
US

Administrative Contact:
margretriverhosting
Domain Management (domains@margretriverhosting.com)
+1.3147146057
Fax: +1.3147146057
PO Box 66738
Saint Louis, MO 63166-6738
US

Technical Contact:
margretriverhosting
Domain Management (domains@margretriverhosting.com)
+1.3147146057
Fax: +1.3147146057
PO Box 66738
Saint Louis, MO 63166-6738
US

Status: Locked

Name Servers:
ns1.safetyorangeblazeorangemule.com
ns2.safetyorangeblazeorangemule.com

Creation date: 30 May 2012 07:20:00
Expiration date: 29 May 2013 23:20:00

margretriverhosting.com

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Registration Service Provided By: PLANET ONLINE
Contact: +1.8887654932
Website: http://www.planetonline.net

Domain Name: MARGRETRIVERHOSTING.COM

Registrant:
Margret River Hosting
Margret River Hosting        (webmaster@margretriverhosting.com)
PO Box 105603
#88657
Atlanta
Georgia,30348
US
Tel. +404.6719366

Creation Date: 20-Aug-2010
Expiration Date: 20-Aug-2012

Domain servers in listed order:
ns1.planetonline.net
ns2.planetonline.net
ns3.planetonline.net
ns4.planetonline.net

Administrative Contact:
Margret River Hosting
Margret River Hosting        (webmaster@margretriverhosting.com)
PO Box 105603
#88657
Atlanta
Georgia,30348
US
Tel. +404.6719366

Technical Contact:
Margret River Hosting
Margret River Hosting        (webmaster@margretriverhosting.com)
PO Box 105603
#88657
Atlanta
Georgia,30348
US
Tel. +404.6719366

Billing Contact:
Margret River Hosting
Margret River Hosting        (webmaster@margretriverhosting.com)
PO Box 105603
#88657
Atlanta
Georgia,30348
US
Tel. +404.6719366

From contact page, which most likely useless:

(314) 714-6057
PO Box 66738 Saint Louis, MO 63166-6738

The information provided in the contact page can be used to chart the spammer’s pattern.

Note the Name server: safetyorangeblazeorangemule.com

Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com

Domain name: safetyorangeblazeorangemule.com

Registrant Contact:

Technical Support ()

Fax:
PO Box 29502
Las Vegas, NV 89126
US

Administrative Contact:

Technical Support (domains@newbrandhosting.net)
+1.7026660363
Fax: +1.5555555555
PO Box 29502
Las Vegas, NV 89126
US

Technical Contact:

Technical Support (domains@newbrandhosting.net)
+1.7026660363
Fax: +1.5555555555
PO Box 29502
Las Vegas, NV 89126
US

Status: Locked

Name Servers:
dns1.registrar-servers.com
dns2.registrar-servers.com
dns3.registrar-servers.com
dns4.registrar-servers.com
dns5.registrar-servers.com

The problem is that domain name registrars such as eNom and NameCheap would not take pro-active stance in fighting against these type of spammer. It is pretty obvious that the same individuals are responsible for these domain names. They keep registering new domain names and the domain name registrars did not do a thing to stop them from doing so.

May 24, 2012

Diagram of a Spammer

Diagram of a spammer.

Fake hosting company:

strongcloudhosting.com
3rdcloudhosting.com
coomahosting.com
newbrandhosting.net
5thavehost.com
blackshosting.com
1stilinehosting.com
railsonhosting.com

Spammer’s Name Servers:

mobilegroble.com
milkcheesedns.com
grandfatherdns.com
professdns.com
safetyorangeblazeorangemule.com

Samples of spammer’s domain names:

nimbleloaf.com
hallcow.com
questionableoverthrow.com
cameraspadetoad.net
answerloveonline.com
spadesunmeasure.org (not listed in the diagram)
boundarychannelbeam.net (not listed in the diagram)

Click on the image below to view the diagram.

May 22, 2012

Spammer Alert: strongcloudhosting.com

Another domain name related to milkcheesedns.com and grandfatherdns.com just popped up.

Whois information for hallcow.com:

Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com

Domain name: hallcow.com

Registrant Contact:
Strong Cloud Hosting
System Administrator ()

Fax:
PO Box 660675
Dallas, TX 75266-0675
US

Administrative Contact:
Strong Cloud Hosting
System Administrator (domains@strongcloudhosting.com)
+1.7026660363
Fax: +1.7026660363
PO Box 660675
Dallas, TX 75266-0675
US

Technical Contact:
Strong Cloud Hosting
System Administrator (domains@strongcloudhosting.com)
+1.7026660363
Fax: +1.7026660363
PO Box 660675
Dallas, TX 75266-0675
US

Status: Active

Name Servers:
ns1.grandfatherdns.com
ns2.grandfatherdns.com

Creation date: 28 Feb 2012 20:48:00
Expiration date: 28 Feb 2013 12:48:00

Note the System Administrator email: domains@strongcloudhosting.com

Whois information on strongcloudhosting.com:

Registration Service Provided By: PLANET ONLINE
Contact: +1.8887654932
Website: http://www.planetonline.net

Domain Name: STRONGCLOUDHOSTING.COM

Registrant:
Strong Cloud Hosting
Domain Admin        (contact@strongcloudhosting.com)
PO Box 10188
#88657
Newark
New Jersey,71014
US
Tel. +973.7184005

Creation Date: 20-Aug-2010
Expiration Date: 20-Aug-2012

Domain servers in listed order:
ns1.planetonline.net
ns2.planetonline.net
ns3.planetonline.net
ns4.planetonline.net

Administrative Contact:
Strong Cloud Hosting
Domain Admin        (contact@strongcloudhosting.com)
PO Box 10188
#88657
Newark
New Jersey,71014
US
Tel. +973.7184005

Technical Contact:
Strong Cloud Hosting
Domain Admin        (contact@strongcloudhosting.com)
PO Box 10188
#88657
Newark
New Jersey,71014
US
Tel. +973.7184005

Billing Contact:
Strong Cloud Hosting
Domain Admin        (contact@strongcloudhosting.com)
PO Box 10188
#88657
Newark
New Jersey,71014
US
Tel. +973.7184005

According to contact information on strongcloudhosting.com:

(702) 666-0363

admin@strongcloudhosting.com
PO Box 29502 Las Vegas, NV 89126-9502

The same numbers from newbrandhosting.net and questionableoverthrow.com.