interesting investigation
Posted: Thu Nov 20, 2003 12:08 am
I've been on this odd investigation for a while as I've been finding these weird log entries that are irrelevant. What I mean by that is that the referrers shown are not real.
I'm glad I save logs since I decided to look back and it seems to have started October 12th. Notice how it's the same IP, and the same sites, and all these sites have useless content and are all very similar, and simply look like blogs.
[code]
217.73.164.106 [12/Oct/2003 23:18:40] - - "services.iceteks.com/" - - "http://www.kwmap.com/" MSIE 6.0
217.73.164.106 [13/Oct/2003 23:00:59] - - "www.iceteks.com/" - - "http://www.kwmap.com/" MSIE 6.0
217.73.164.106 [13/Oct/2003 23:01:05] - - "www.iceteks.com/link2us.htm" - - "http://www.kwmap.com/" MSIE 6.0
217.73.164.106 [13/Oct/2003 23:01:11] - - "www.iceteks.com/contact.htm" - - "http://www.kwmap.com/" MSIE 6.0
217.73.164.106 [03/Nov/2003 21:07:59] - - "www.iceteks.com/" - - "http://www.websearchde.com/" MSIE 6.0
217.73.164.106 [03/Nov/2003 21:07:59] - - "www.iceteks.com/" - - "http://www.websearchde.com/" MSIE 6.0
217.73.164.106 [03/Nov/2003 22:10:16] - - "www.iceteks.com/" - - "http://www.websearchde.com/" MSIE 6.0
217.73.164.106 [04/Nov/2003 07:31:22] - - "services.iceteks.com/" - - "http://www.websearchde.com/" MSIE 6.0
217.73.164.106 [12/Nov/2003 15:18:05] - - "www.iceteks.com/" - - "http://www.malixya.com/" MSIE 6.0
217.73.164.106 [12/Nov/2003 20:03:59] - - "services.iceteks.com/" - - "http://www.akksess.com/" MSIE 6.0
217.73.164.106 [13/Nov/2003 05:11:38] - - "www.iceteks.com/" - - "http://www.a-b-l-o-g.com/" MSIE 6.0
217.73.164.106 [14/Nov/2003 23:40:34] - - "www.iceteks.com/" - - "http://www.worldnewslog.com/" MSIE 6.0
141.85.3.130 [16/Nov/2003 20:13:58] - - "www.iceteks.com/" - - "http://www.a-b-l-o-g.com/" MSIE 6.0
141.85.3.130 [17/Nov/2003 02:49:51] - - "services.iceteks.com/" - - "http://www.malixya.com/" MSIE 6.0
217.73.164.106 [17/Nov/2003 19:06:36] - - "www.iceteks.com/" - - "http://www.saulem.com/" MSIE 6.0
217.73.164.106 [17/Nov/2003 19:13:27] - - "services.iceteks.com/" - - "http://www.mikesspot.com/" MSIE 6.0
217.73.164.106 [17/Nov/2003 22:40:14] - - "www.iceteks.com/" - - "http://www.kwlablog.com/" MSIE 6.0
217.73.164.106 [18/Nov/2003 07:58:24] - - "services.iceteks.com/" - - "http://www.a-b-l-o-g.com/" MSIE 6.0
217.73.164.106 [18/Nov/2003 16:53:46] - - "www.iceteks.com/" - - "http://www.jennifersblog.com/" MSIE 6.0
[/code]
Well, I did a bit of research and found some information on what this really is.
[url=http://blog.netwarriors.org/d/2003/11/17/16.38.56/]http://blog.netwarriors.org/d/2003/11/17/16.38.56/[/url]
[i]Another Referrer-Spammer is on the loose. And he’s doing some good old-fashioned goggle-boosting, too. Read on for more.
--snip--
The system maps to a box at the University of Bucharest. What's interesting, though, is the fact that the bot seems to be the same used by kwmap:
[b]217.73.164.106 - - [13/Oct/2003:01:42:16 -0700] "GET / HTTP/1.0" 200 47170 "http://www.kwmap.com/" "MSIE 6.0"[/b]
That's kwmap. And this here is the Referrer-Spammer:
[b]141.85.3.130 - - [16/Nov/2003:16:34:17 -0800] "GET / HTTP/1.0" 200 14580 "http://www.jennifersblog.com/" "MSIE 6.0"[/b]
And later:
[b]217.73.164.106 - - [17/Nov/2003:12:56:43 -0800] "GET / HTTP/1.0" 200 19249 "http://www.jennifersblog.com/" "MSIE 6.0"[/b]
Which is kwmap.com, again. kwmap.com is 217.73.164.106, 141.85.3.130 has no reverse lookup information, but since Port 80 (HTTP) is open, I thought I'd have a peek. And what did I find? kwmap.com, of course. Which leads me to my next check:
--snip--
[/i]
It appears these are to promote porn sites on search engines if you check this link:
[url=http://www.idly.org/2003/11/14/porn_sites_hiding_behind_blogs.php]http://www.idly.org/2003/11/14/porn_sites_...ehind_blogs.php[/url]
[i]
Over the last few days, I’ve seen a number of pseudo-realistic blogs spring up. They link to real stories, but all the comment and trackback links are just javascript redirects to the root of the site:
javascript:document.location="/";
Jennifer’s Blog, Malixya, Bongo Home and A-B-L-O-G all display the same behaviors although the latter lacks comment and trackback links (probably a good thing as clicking on them makes it evident the site isn’t real). These sites, it appears, are ripping off templates from other places — although I haven’t been able to find any of the original sites, Bongo Home does have residual references to Blog City. It appears that I’m not the only one to notice this.
The real kicker here is what is hiding at the bottom of each of these pages:
<a href="http://www.malixya.com/adult-webcam/"><img src="/adult-webcam.gif" width="78" height="24" border="0"></a>
It appears that these sites, using a clean little weblog as a front, are hosting a large amount of porn. I do not recommend visiting the above URL and I would suggest that if you do, you should disable Javascript as then the page is just rendered in text without strobing gif nakedness.
They’re attempting to increase the Google Juice of the main page of the site by spamming people’s referrers, and thereby increase the juice of the adult-webcam page. Currently, the sites have little or no juice, but they’ve only been at it for a little while.
Jennifer’s blog:
Brian Mcwatters
10721 St Ives Ct
Bloomington, MN 55431
United States
email: admin@jennifersblog.com
phone: 9166832524
fax: 9166832524
Bongo Home:
Jim Schwodler
20078 Kenwood Trail
Colorado Springs, CO 80915
United States
email: admin@bongohome.com
phone: 7574441409
fax: 7574441409
A-B-L-O-G:
Adam Wilmot
4234 Rue Dartagnan
Stone Moutain, ga 30083
United States
email: admin@a-b-l-o-g.com
phone: 9122465543
fax: 9122465543
Malixya:
Clarence V. Walcott
1006-15 Wentworth
Seattle, WA 98112
United States
email: admin@malixya.com
phone: 8013433620
fax: 8013433620
That is not the proper prefix for a phone number in Seattle, although the zip code is somewhat credible. I don’t know about the other cities.
--snip--
[/i]
I recommend you check the links since it explains more, I just like posting some of the content in case the page is taken down or whatever.
There's a lot more info on Google for those interested:
[url=http://www.google.ca/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&sa=G&q=%22%2Bwww.malixya.%2Bcom/%22]http://www.google.ca/search?hl=en&lr=&ie=U...ixya.%2Bcom/%22[/url]
[url=http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22http%3A%2F%2Fwww.saulem.com%2F%22&btnG=Google+Search&meta=]http://www.google.ca/search?hl=en&ie=UTF-8...le+Search&meta=[/url]
[url=http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22http%3A%2F%2Fwww.akksess.com%2F%22&btnG=Google+Search&meta=]http://www.google.ca/search?hl=en&ie=UTF-8...le+Search&meta=[/url]
[url=http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22http%3A%2F%2Fwww.a-b-l-o-g.com%2F%22&btnG=Google+Search&meta=]http://www.google.ca/search?hl=en&ie=UTF-8...le+Search&meta=[/url]
Basically just type one of the URLs in my log in here, and you get some results saying it's spam referrers.
This is quite an interesting little investigation. :handintest:
[color=#888888][size=85]Archived topic from Iceteks, old topic ID:1664, old post ID:14233[/size][/color]
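The pattern the post spots by eye (one client address presenting a different bare-root referrer every few days, and a second address pushing the same set of domains) can be flagged automatically. The script below is an added example and is not code from the original post or from the sites it discusses. It assumes the log layout shown in the excerpt (client IP, bracketed timestamp, requested host/path, referrer, user agent); the sample lines are constructed for the example, a few copied from the excerpt plus two ordinary visits from 192.0.2.10, a documentation address, so that a legitimate search-engine referral is present as a control.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the same layout as the excerpt in the post.
SAMPLE_LOG = """\
217.73.164.106 [12/Oct/2003 23:18:40] - - "services.iceteks.com/" - - "http://www.kwmap.com/" MSIE 6.0
217.73.164.106 [13/Oct/2003 23:00:59] - - "www.iceteks.com/" - - "http://www.kwmap.com/" MSIE 6.0
217.73.164.106 [03/Nov/2003 21:07:59] - - "www.iceteks.com/" - - "http://www.websearchde.com/" MSIE 6.0
217.73.164.106 [12/Nov/2003 15:18:05] - - "www.iceteks.com/" - - "http://www.malixya.com/" MSIE 6.0
217.73.164.106 [13/Nov/2003 05:11:38] - - "www.iceteks.com/" - - "http://www.a-b-l-o-g.com/" MSIE 6.0
217.73.164.106 [14/Nov/2003 23:40:34] - - "www.iceteks.com/" - - "http://www.worldnewslog.com/" MSIE 6.0
141.85.3.130 [16/Nov/2003 20:13:58] - - "www.iceteks.com/" - - "http://www.a-b-l-o-g.com/" MSIE 6.0
141.85.3.130 [17/Nov/2003 02:49:51] - - "services.iceteks.com/" - - "http://www.malixya.com/" MSIE 6.0
192.0.2.10 [17/Nov/2003 10:00:00] - - "www.iceteks.com/forums/" - - "http://www.google.com/search?q=iceteks" MSIE 6.0
192.0.2.10 [17/Nov/2003 10:00:05] - - "www.iceteks.com/contact.htm" - - "http://www.iceteks.com/" MSIE 6.0
"""

# ip [timestamp] - - "host/path" - - "referrer" user-agent
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] - - "([^"]*)" - - "([^"]*)" (.*)$')


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, target, referrer, ua = m.groups()
    return {"ip": ip, "time": ts, "target": target, "referrer": referrer, "ua": ua}


def referrer_domain(referrer):
    return urlparse(referrer).netloc.lower()


def is_bare_root(referrer):
    """True when the referrer is just a site root: no page path and no query.
    A genuine visitor arriving from a blog post or a search carries a deeper
    path or a query string; a referrer bot sends the URL it wants promoted."""
    p = urlparse(referrer)
    return p.path in ("", "/") and not p.query


def analyze(log_text, min_domains=3):
    """Flag client IPs whose every referrer is a bare site root and that cycle
    through at least `min_domains` distinct referrer domains, then link any
    other IP that presents only those same domains in the same way."""
    per_ip = defaultdict(lambda: {"domains": set(), "hits": 0, "bare_root": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["referrer"] in ("", "-"):
            continue
        st = per_ip[rec["ip"]]
        st["hits"] += 1
        st["domains"].add(referrer_domain(rec["referrer"]))
        if is_bare_root(rec["referrer"]):
            st["bare_root"] += 1

    flagged = {ip: sorted(st["domains"]) for ip, st in per_ip.items()
               if len(st["domains"]) >= min_domains and st["bare_root"] == st["hits"]}
    spam = set().union(*flagged.values()) if flagged else set()
    # Second pass: an address with too few domains to trip the threshold on its
    # own, but whose referrers all belong to the flagged set, is the same campaign.
    linked = {ip: sorted(st["domains"]) for ip, st in per_ip.items()
              if ip not in flagged and st["domains"] and st["domains"] <= spam
              and st["bare_root"] == st["hits"]}
    return {"flagged": flagged, "linked": linked, "spam_domains": sorted(spam)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, domains in report["flagged"].items():
        print(f"referrer spam source {ip}: {', '.join(domains)}")
    for ip, domains in report["linked"].items():
        print(f"linked address {ip}: {', '.join(domains)}")
    print("domains to exclude from referrer reports:", ", ".join(report["spam_domains"]))
```

The output of the second pass is the useful part for a site owner: the domain list is what to drop from public referrer or "top referrers" pages so the spammer gets no link out of the visit, and the linked-address rule is what ties 141.85.3.130 to the main source even though it only ever sent two referrers. The threshold of three distinct domains is a starting point; on a busy site a real visitor who comes back from several different sites over weeks would still be separated from a bot by the bare-root condition, since people rarely arrive from a homepage alone.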