Fried Phish(TM) - Phishing Incident Reporting and Termination (PIRT) Squad(SM)
A global phishing termination and intelligence system operated by CastleCops. Become a PIRT Squad terminator by reporting phish today!
status: terminated
HTTP Response (26 May, 2008 06:20:06):
HTTP/1.1 302 Found
HTTP/1.1 302 Found
HTTP/1.1 302 Found
HTTP/1.1 302 Found
HTTP/1.0 200 Connection Established
HTTP/1.1 405 Not Allowed
ID: 826735
Title: CitiBank
Entry: http://lythia.us/space/sponsor.php?email_from=3Dchrisgrumley@tampabay.rr.com&QJfgVMu9D5e22vHwgd0mjJxlpuKVdLF2yhX5mEN2Kp8xbIMgnUF7ARVdJW1AqfNr1sb4KkgFdz3r3yJQZvmhAoJmNjGAQZ9zw3X7EGo5DZM94wkUodz&f26VRj339FKPbtEFqmdbVBrm4RbN4qjAu8qrUoOin2u3tndzWlnm2I1
PIRT Squad
Reporter: Submitted anonymously thru the web, or sent to pirt (at) castlecops (dot) com.
Timestamp: 14 May, 2008 @ 05:39:26
Topic ID: 221728
Handler Note (14 May, 2008 19:26:41, downie): Consumed following related reports:
[826941] http://lythia.us/space/sponsor.php?email_from=3Dchrisgrumley@tampabay.rr.com&QJfgVMu9D5e22vHwgd0mjJxlpuKVdLF2yhX5mEN2Kp8xbIMgnUF7ARVdJW1AqfNr1sb4KkgFdz3r3yJQZvmhAoJmNjGAQZ9zw3X7EGo5DZM94wkUodz&f26VRj339FKPbtEFqmdbVBrm4RbN4qjAu8qrUoOin2u3tndzWlnm2I1
[827140] http://lythia.us/space/sponsor.php?email_from=3Dlynnellerbrock@hotmail.com&JyRqvLWeMG2yiY6nFN3Lq9ycIjhoVG8F8xec2MX5ewrhtMzJb5Cj6UnJCsMMFao7qWHrOytmqO6qfLuO8wFzkHOFaIkoSo5y36CP7oZ4JbcWdYveQv1&V27CoNJmITHRkgw7JOTuvvKp9vgkbCEyqg0OKTPEKTZO9iphR8zVupM

Handler Note (14 May, 2008 19:29:36, downie): The URL redirects to a Citibank phishing site at http://worlddancecentre.com/images/space/index.php, active at the time of investigation.
(worked as http://www.castlecops.com/CitiBank_phish827405.html)
A page fetch was successful.

Handler Note (14 May, 2008 19:30:25, downie): View CIDR AS16626 Report: http://www.cidr-report.org/cgi-bin/as-report?as=16626
"16626 | US | arin | 2000-05-30 | GNAXNET-AS - Global Net Access, LLC"

Handler Note (14 May, 2008 19:30:30, downie): Extended information for AS16626:
State/Province: ga
Country: us
Responsible Domain: dv2.com
Abuse Email: abuse@dv2.net

Handler Note (14 May, 2008 19:31:38, downie):
***************************************************
WARNING THERE IS MALWARE ON THIS SITE
****************************************************

Handler Note (14 May, 2008 19:39:40, downie): Generated and sent email phish alert to respective parties.

Handler Note (29 May, 2008 00:38:20, downie): 403
Fetched URLs: http://lythia.us/space/sponsor.php?email_from=3Dchrisgrumley@tampabay.rr.com&QJfgVMu9D5e22vHwgd0mjJxlpuKVdLF2yhX5mEN2Kp8xbIMgnUF7ARVdJW1AqfNr1sb4KkgFdz3r3yJQZvmhAoJmNjGAQZ9zw3X7EGo5DZM94wkUodz&f26VRj339FKPbtEFqmdbVBrm4RbN4qjAu8qrUoOin2u3tndzWlnm2I1
Slaves: 826941, 827140
Report at 14 May, 2008 @ 06:04:00
Host: lythia.us
IP: 75.127.104.17
ASN: 16626
whois at 14 May, 2008 @ 06:04:04
GeekTools Whois Proxy v5.0.4 Ready.
Checking access for 149.20.54.191... ok.
Checking server [whois.nic.us]
Results:
Domain Name: LYTHIA.US
Domain ID: D7204959-US
Sponsoring Registrar: MELBOURNE IT LTD
Domain Status: ok
Registrant ID: A110624624775064
Registrant Name: Lauren Henzler
Registrant Organization: Lauren Henzler
Registrant Address1: 801 Sebring ave
Registrant City: Pittsburgh
Registrant State/Province: PA
Registrant Postal Code: 15216
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.4123430914
Registrant Email: xreddress@aol.com
Registrant Application Purpose: P3
Registrant Nexus Category: C11
Administrative Contact ID: A110624628830326
Administrative Contact Name: Lauren Henzler
Administrative Contact Organization: Lauren Henzler
Administrative Contact Address1: 801 Sebring ave
Administrative Contact City: Pittsburgh
Administrative Contact State/Province: PA
Administrative Contact Postal Code: 15216
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.4123430914
Administrative Contact Email: xreddress@aol.com
Billing Contact ID: A110624624775062
Billing Contact Name: YahooDomains BillingContact
Billing Contact Organization: Yahoo! Inc
Billing Contact Address1: 701 First Ave.
Billing Contact City: Sunnyvale
Billing Contact State/Province: CA
Billing Contact Postal Code: 94089
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.6198813096
Billing Contact Email: domain.billing@YAHOO-INC.COM
Technical Contact ID: A110624624775063
Technical Contact Name: YahooDomains TechContact
Technical Contact Organization: Yahoo! Inc
Technical Contact Address1: 701 First Ave.
Technical Contact City: Sunnyvale
Technical Contact State/Province: CA
Technical Contact Postal Code: 94089
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.6198813096
Technical Contact Email: domain.tech@YAHOO-INC.COM
Name Server: NS1-SATURN.NSWEBHOST.COM
Name Server: NS2-SATURN.NSWEBHOST.COM
Created by Registrar: MELBOURNE IT LTD
Last Updated by Registrar: MELBOURNE IT LTD
Domain Registration Date: Thu Jan 20 18:38:48 GMT 2005
Domain Expiration Date: Mon Jan 19 23:59:59 GMT 2009
Domain Last Updated Date: Thu Jan 10 02:25:54 GMT 2008
>>>> Whois database was last updated on: Wed May 14 06:02:05 GMT 2008 <<<<
NeuStar, Inc., the Registry Administrator for .US, has collected this information for the WHOIS database through a .US-Accredited Registrar. This information is provided to you for informational purposes only and is designed to assist persons in determining contents of a domain name registration record in the NeuStar registry database. NeuStar makes this information available to you "as is" and does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data: (1) to allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone; (2) in contravention of any applicable data and privacy protection laws; or (3) to enable high volume, automated, electronic processes that apply to the registry (or its systems). Compilation, repackaging, dissemination, or other use of the WHOIS database in its entirety, or of a substantial portion thereof, is not allowed without NeuStar's prior written permission. NeuStar reserves the right to modify or change these conditions at any time without prior or subsequent notification of any kind. By executing this query, in any manner whatsoever, you agree to abide by these terms. NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE OF THE AVAILABILITY OF A DOMAIN NAME. All domain names are subject to certain additional domain name registration rules. For details, please visit our site at www.whois.us.
Results brought to you by the GeekTools WHOIS Proxy Server results may be copyrighted and are used with permission. Your host (149.20.54.191) has visited 289 times today.
whois at 14 May, 2008 @ 19:29:38
GeekTools Whois Proxy v5.0.4 Ready.
Checking access for 149.20.54.190... ok.
Final results obtained from rwhois.gnax.net.
Results:
Referring data:
OrgName: Global Net Access, LLC
OrgID: GNAL-2
Address: 1100 White St SW
City: Atlanta
StateProv: GA
PostalCode: 30310
Country: US
ReferralServer: rwhois://rwhois.gnax.net:4321
NetRange: 75.127.64.0 - 75.127.127.255
CIDR: 75.127.64.0/18
NetName: GNAXNET
NetHandle: NET-75-127-64-0-1
Parent: NET-75-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.GNAX.NET
NameServer: DNS2.GNAX.NET
Comment:
RegDate: 2007-06-18
Updated: 2008-01-14
RAbuseHandle: ABUSE745-ARIN
RAbuseName: GNAX ABUSE
RAbusePhone: +1-404-230-9150
RAbuseEmail: abuse@gnax.net
RTechHandle: ENGIN7-ARIN
RTechName: GNAX ENGINEERING
RTechPhone: +1-404-230-9150
RTechEmail: engineering@gnax.net
OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName: GNAX ABUSE
OrgAbusePhone: +1-404-230-9150
OrgAbuseEmail: abuse@gnax.net
OrgNOCHandle: ENGIN7-ARIN
OrgNOCName: GNAX ENGINEERING
OrgNOCPhone: +1-404-230-9150
OrgNOCEmail: engineering@gnax.net
OrgTechHandle: ENGIN7-ARIN
OrgTechName: GNAX ENGINEERING
OrgTechPhone: +1-404-230-9150
OrgTechEmail: engineering@gnax.net
# ARIN WHOIS database, last updated 2008-05-13 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Rwhois server data:
%rwhois V-1.5:003fff:00 rwhois.gnax.net (by Network Solutions, Inc. V-1.5.7.3)
network:Class-Name:network
network:ID:258.75.127.64.0/19
network:Auth-Area:75.127.64.0/19
network:Network-Name:NSWebhost-COLO
network:IP-Network:75.127.104.0/27
network:Organization;I:NSWebhost
network:Tech-Contact;I:engineering@gnax.net
network:Admin-Contact;I:engineering@gnax.net
network:Created:20080123
network:Updated:20080213
network:Updated-By:engineering@gnax.net
%referral rwhois://root.rwhois.net:4321
%ok
Results brought to you by the GeekTools WHOIS Proxy Server results may be copyrighted and are used with permission. Your host (149.20.54.190) has visited 4 times today.
dig any at 14 May, 2008 @ 06:04:03
;lythia.us. IN A
lythia.us. 14400 IN A 75.127.104.17
;lythia.us. IN A
lythia.us. 14400 IN A 75.127.104.17
;lythia.us. IN MX
lythia.us. 14400 IN MX 0 lythia.us.
;lythia.us. IN NS
lythia.us. 7199 IN NS ns2-saturn.nswebhost.com.
lythia.us. 7199 IN NS ns1-saturn.nswebhost.com.
;lythia.us. IN SOA
lythia.us. 14400 IN SOA ns1-saturn.nswebhost.com. system.nswebhost.com. 2008041204 14400 7200 3600000 86400
;lythia.us. IN TXT
lythia.us. 14400 IN TXT "v=spf1 ip4:75.127.104.15 a mx a:saturn.nswebhost.com mx:lythia.us include:saturn.nswebhost.com -all"
;lythia.us. IN CNAME
;lythia.us. IN PTR
;lythia.us. IN KEY
;lythia.us. IN HINFO
;lythia.us. IN AAAA
;; Query time: 87 msec
;; SERVER: 204.152.187.111#53(204.152.187.111)
;; WHEN: Wed May 14 06:04:03 2008
;; MSG SIZE rcvd: 27
host at 14 May, 2008 @ 06:04:04
(no output)
host at 14 May, 2008 @ 19:29:38
(no output)
fetched page at 14 May, 2008 @ 06:04:02
MD5 Fingerprint: 1b8ae2fddbfb0484071b5fe06650dd0e
SHA1 Fingerprint: 07b461ce738d1062ff6ac407dc0d86c8bbb82e39
HTTP/1.1 200 OK
Date: Wed, 14 May 2008 06:02:13 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/4.4.8
Content-Type: text/html
Transfer-Encoding: chunked

<html>
<META HTTP-EQUIV=Refresh Content="0; URL=http://worlddancecentre.com/images/space/index.php?customerid=3Dchrisgrumley@tampabay.rr.com&co_partnerId=2&siteid=0&ru=&PageName=login_run&pp=pass&pageType=708XeMWZllWXS3AlBX+VShqAhQRfhgTDrf&co_partnerId=2&siteid=0&ru=&pp=&pageType=708&MfcISAPICommand=ConfirmRegistration&708XeMWZllWXS3AlBXVShqAhQRfhgTDrfQRfhgTDrfA"></META>
</html>
Corresponding BGP Origin ASN at 14 May, 2008 @ 19:29:42
AS | BGP Prefix | CC | Registry | Allocated
"16626 | 75.127.104.0/21 | | NA | NA"

Possible BGP peer ASNs one AS hop away from BGP Origin ASN at 14 May, 2008 @ 19:29:42
AS Peers | BGP Prefix | CC | Registry | Allocated
"174 1299 3491 19151 | 75.127.104.0/21 | | NA | NA"

AS Description of a given BGP ASN at 14 May, 2008 @ 19:30:25
AS | CC | Registry | Allocated | AS Name
"16626 | US | arin | 2000-05-30 | GNAXNET-AS - Global Net Access, LLC"
Version 1.0
2002-2008 © Computer Cops LLC dba CastleCops®. All rights reserved.