interesting investigation


Post by Red Squirrel »

I've been on this odd investigation for a while as I've been finding these weird log entries that are irrelevant. What I mean by that is that the referrers shown are not real.

I'm glad I save logs since I decided to look back and it seems to have started October 12th. Notice how it's the same IP, and the same sites, and all these sites have useless content and are all very similar, and simply look like blogs.

[code]
217.73.164.106 [12/Oct/2003 23:18:40] - - "services.iceteks.com/" - - "http://www.kwmap.com/"          MSIE 6.0

217.73.164.106 [13/Oct/2003 23:00:59] - - "www.iceteks.com/" - - "http://www.kwmap.com/"          MSIE 6.0
217.73.164.106 [13/Oct/2003 23:01:05] - - "www.iceteks.com/link2us.htm" - - "http://www.kwmap.com/"          MSIE 6.0
217.73.164.106 [13/Oct/2003 23:01:11] - - "www.iceteks.com/contact.htm" - - "http://www.kwmap.com/"          MSIE 6.0

217.73.164.106 [03/Nov/2003 21:07:59] - - "www.iceteks.com/" - - "http://www.websearchde.com/"          MSIE 6.0
217.73.164.106 [03/Nov/2003 21:07:59] - - "www.iceteks.com/" - - "http://www.websearchde.com/"          MSIE 6.0
217.73.164.106 [03/Nov/2003 22:10:16] - - "www.iceteks.com/" - - "http://www.websearchde.com/"          MSIE 6.0

217.73.164.106 [04/Nov/2003 07:31:22] - - "services.iceteks.com/" - - "http://www.websearchde.com/"          MSIE 6.0

217.73.164.106 [12/Nov/2003 15:18:05] - - "www.iceteks.com/" - - "http://www.malixya.com/"          MSIE 6.0
217.73.164.106 [12/Nov/2003 20:03:59] - - "services.iceteks.com/" - - "http://www.akksess.com/"          MSIE 6.0

217.73.164.106 [13/Nov/2003 05:11:38] - - "www.iceteks.com/" - - "http://www.a-b-l-o-g.com/"          MSIE 6.0

217.73.164.106 [14/Nov/2003 23:40:34] - - "www.iceteks.com/" - - "http://www.worldnewslog.com/"          MSIE 6.0

141.85.3.130 [16/Nov/2003 20:13:58] - - "www.iceteks.com/" - - "http://www.a-b-l-o-g.com/"          MSIE 6.0

141.85.3.130 [17/Nov/2003 02:49:51] - - "services.iceteks.com/" - - "http://www.malixya.com/"          MSIE 6.0
217.73.164.106 [17/Nov/2003 19:06:36] - - "www.iceteks.com/" - - "http://www.saulem.com/"          MSIE 6.0
217.73.164.106 [17/Nov/2003 19:13:27] - - "services.iceteks.com/" - - "http://www.mikesspot.com/"          MSIE 6.0
217.73.164.106 [17/Nov/2003 22:40:14] - - "www.iceteks.com/" - - "http://www.kwlablog.com/"          MSIE 6.0

217.73.164.106 [18/Nov/2003 07:58:24] - - "services.iceteks.com/" - - "http://www.a-b-l-o-g.com/"          MSIE 6.0
217.73.164.106 [18/Nov/2003 16:53:46] - - "www.iceteks.com/" - - "http://www.jennifersblog.com/"          MSIE 6.0
[/code]


Well, I did a bit of research and found some information on what this really is.

[url=http://blog.netwarriors.org/d/2003/11/17/16.38.56/]http://blog.netwarriors.org/d/2003/11/17/16.38.56/[/url]

[i]Another Referrer-Spammer is on the loose. And he’s doing some good old-fashioned goggle-boosting, too. Read on for more.

--snip--

The system maps to a box at the University of Bucharest. What's interesting, though, is the fact that the bot seems to be the same used by kwmap:

[b]217.73.164.106 - - [13/Oct/2003:01:42:16 -0700] "GET / HTTP/1.0" 200 47170 "http://www.kwmap.com/" "MSIE 6.0"[/b]

That's kwmap. And this here is the Referrer-Spammer:

[b]141.85.3.130 - - [16/Nov/2003:16:34:17 -0800] "GET / HTTP/1.0" 200 14580 "http://www.jennifersblog.com/" "MSIE 6.0"[/b]

And later:

[b]217.73.164.106 - - [17/Nov/2003:12:56:43 -0800] "GET / HTTP/1.0" 200 19249 "http://www.jennifersblog.com/" "MSIE 6.0"[/b]

Which is kwmap.com, again. kwmap.com is 217.73.164.106, 141.85.3.130 has no reverse lookup information, but since Port 80 (HTTP) is open, I thought I'd have a peek. And what did I find? kwmap.com, of course. Which leads me to my next check:

--snip--

[/i]


It appears these are to promote porn sites on search engines, if you check this link:

[url=http://www.idly.org/2003/11/14/porn_sites_hiding_behind_blogs.php]http://www.idly.org/2003/11/14/porn_sites_...ehind_blogs.php[/url]

[i]
Over the last few days, I’ve seen a number of pseudo-realistic blogs spring up. They link to real stories, but all the comment and trackback links are just javascript redirects to the root of the site:

    javascript:document.location="/";

Jennifer’s Blog, Malixya, Bongo Home and A-B-L-O-G all display the same behaviors although the latter lacks comment and trackback links (probably a good thing as clicking on them makes it evident the site isn’t real). These sites, it appears, are ripping off templates from other places — although I haven’t been able to find any of the original sites, Bongo Home does have residual references to Blog City. It appears that I’m not the only one to notice this.

The real kicker here is what is hiding at the bottom of each of these pages:

    <a href="http://www.malixya.com/adult-webcam/"><img src="/adult-webcam.gif" width="78" height="24" border="0"></a>

It appears that these sites, using a clean little weblog as a front, are hosting a large amount of porn. I do not recommend visiting the above URL and I would suggest that if you do, you should disable Javascript as then the page is just rendered in text without strobing gif nakedness.

They’re attempting to increase the Google Juice of the main page of the site by spamming people’s referrers, and thereby increase the juice of the adult-webcam page. Currently, the sites have little or no juice, but they’ve only been at it for a little while.

Jennifer’s blog:

    Brian Mcwatters
    10721 St Ives Ct
    Bloomington, MN 55431
    United States
    email: admin@jennifersblog.com
    phone: 9166832524
    fax: 9166832524

Bongo Home:

    Jim Schwodler
    20078 Kenwood Trail
    Colorado Springs, CO 80915
    United States
    email: admin@bongohome.com
    phone: 7574441409
    fax: 7574441409

A-B-L-O-G:

    Adam Wilmot
    4234 Rue Dartagnan
    Stone Moutain, ga 30083
    United States
    email: admin@a-b-l-o-g.com
    phone: 9122465543
    fax: 9122465543

Malixya:

    Clarence V. Walcott
    1006-15 Wentworth
    Seattle, WA 98112
    United States
    email: admin@malixya.com
    phone: 8013433620
    fax: 8013433620

That is not the proper prefix for a phone number in Seattle, although the zip code is somewhat credible. I don’t know about the other cities.

--snip--
[/i]


I recommend you check the links since it explains more, I just like posting some of the content in case the page is taken down or whatever.

There's a lot more info on Google for those interested:

[url=http://www.google.ca/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&sa=G&q=%22%2Bwww.malixya.%2Bcom/%22]http://www.google.ca/search?hl=en&lr=&ie=U...ixya.%2Bcom/%22[/url]
[url=http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22http%3A%2F%2Fwww.saulem.com%2F%22&btnG=Google+Search&meta=]http://www.google.ca/search?hl=en&ie=UTF-8...le+Search&meta=[/url]
[url=http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22http%3A%2F%2Fwww.akksess.com%2F%22&btnG=Google+Search&meta=]http://www.google.ca/search?hl=en&ie=UTF-8...le+Search&meta=[/url]
[url=http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22http%3A%2F%2Fwww.a-b-l-o-g.com%2F%22&btnG=Google+Search&meta=]http://www.google.ca/search?hl=en&ie=UTF-8...le+Search&meta=[/url]

Basically, just type one of the URLs from my log in here and you get some results saying it's spam referrers.


This is quite an interesting little investigation.

[color=#888888][size=85]Archived topic from Iceteks,  old topic ID:1664, old post ID:14233[/size][/color]
Honk if you love Jesus, text if you want to meet Him!
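A way to pick this pattern out of a log automatically, as an added example that is not part of the original post: it parses the post's log layout, groups hits by source IP, and flags an IP that presents several different referrers which are all bare site roots (the hallmark described above). The sample lines are constructed for the example; the 10.0.0.5 entries stand for an ordinary visitor and do not appear in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Matches the log layout used in the post above:
#   IP [dd/Mon/yyyy hh:mm:ss] - - "host/path" - - "referrer"   User-Agent
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] - - "(?P<req>[^"]*)" - - "(?P<ref>[^"]*)"\s+(?P<ua>.*)$')

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_root_referrer(ref):
    """True when the referrer is a bare site root such as http://www.kwmap.com/"""
    u = urlparse(ref)
    return bool(u.netloc) and u.path in ("", "/") and not u.query

def find_referrer_spammers(lines, min_distinct=3):
    """Group hits by source IP and flag IPs that present several different
    referrers which are all bare site roots.  A real visitor normally arrives
    with one referrer, often a deep link.  Returns {ip: sorted referrer hosts}."""
    refs_by_ip = defaultdict(set)   # ip -> set of referrer hosts seen
    roots_only = {}                 # ip -> False once any non-root referrer is seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["ref"]:
            continue
        ip = rec["ip"]
        refs_by_ip[ip].add(urlparse(rec["ref"]).netloc.lower())
        roots_only[ip] = roots_only.get(ip, True) and is_root_referrer(rec["ref"])
    return {ip: sorted(h) for ip, h in refs_by_ip.items()
            if len(h) >= min_distinct and roots_only[ip]}

# Constructed sample in the post's log layout; the 10.0.0.5 lines stand for an
# ordinary visitor following a deep link from a search result (not from the post).
SAMPLE_LOG = """\
217.73.164.106 [12/Oct/2003 23:18:40] - - "services.iceteks.com/" - - "http://www.kwmap.com/"          MSIE 6.0
217.73.164.106 [12/Nov/2003 15:18:05] - - "www.iceteks.com/" - - "http://www.malixya.com/"          MSIE 6.0
217.73.164.106 [13/Nov/2003 05:11:38] - - "www.iceteks.com/" - - "http://www.a-b-l-o-g.com/"          MSIE 6.0
141.85.3.130 [16/Nov/2003 20:13:58] - - "www.iceteks.com/" - - "http://www.a-b-l-o-g.com/"          MSIE 6.0
10.0.0.5 [16/Nov/2003 21:00:00] - - "www.iceteks.com/contact.htm" - - "http://www.google.com/search?q=iceteks"          MSIE 6.0
10.0.0.5 [16/Nov/2003 21:00:09] - - "www.iceteks.com/" - - "http://www.google.com/search?q=iceteks"          MSIE 6.0
"""

if __name__ == "__main__":
    for ip, hosts in find_referrer_spammers(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", ", ".join(hosts))
```

Raising `min_distinct` or adding a whitelist of known search-engine hosts cuts false positives on a busy site; the flagged hosts are what you would then feed into a referrer block list.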