CastleCops, Internet Crime Fighters
[SIRT#171118] Botnet, Canadian Pharmacy on zopotter.com

 
ahoier (SIRT Handler; Joined: Jan 14, 2006; Posts: 1087; Location: USA)
Posted: Thu May 08, 2008 3:04 am    Post subject: [SIRT#171118] Botnet, Canadian Pharmacy on zopotter.com

Spam Alert
 
 Full Report: CastleCops Link/Botnet_Canadian_Pharmacy_spam171118.html
 
 Consumed following related reports:

[133098] http://prettydesert.com/
[136993] http://prettydesert.com
Changed status to confirmed spam.
Consumed following related reports:

[171189] http://bxb.zopotter.com
IP Converted: 123.111.50.177

dword = 2070885041
hex1 = 0x7b6f32b1
hex2 = 0x7b.0x6f.0x32.0xb1
oct = 0173.0157.062.0261
View CIDR AS9318 Report: http://www.cidr-report.org/cgi-bin/as-report?as=9318

"9318 | KR | apnic | 1998-06-03 | HANARO-AS Hanaro Telecom Inc."
Extended information for AS9318:
State/Province:
Country: kr
Responsible Domain: hananet.net
Abuse Email: abuse@hananet.net
IP Converted: 58.242.152.80

dword = 988977232
hex1 = 0x3af29850
hex2 = 0x3a.0xf2.0x98.0x50
oct = 072.0362.0230.0120
View CIDR AS4837 Report: http://www.cidr-report.org/cgi-bin/as-report?as=4837

"4837 | CN | apnic | 2001-09-17 | CHINA169-BACKBONE CNCGROUP China169 Backbone"
Extended information for AS4837:
State/Province:
Country: cn
Responsible Domain: cnc-noc.net
Abuse Email: abuse@cnc-noc.net
IP Converted: 221.122.64.14

dword = 3715776526
hex1 = 0xdd7a400e
hex2 = 0xdd.0x7a.0x40.0xe
oct = 0335.0172.0100.016
View CIDR AS4808 Report: http://www.cidr-report.org/cgi-bin/as-report?as=4808

"4808 | CN | apnic | 1996-01-09 | CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network"
Extended information for AS4808:
State/Province:
Country: cn
Responsible Domain: cnc-noc.net
Abuse Email: abuse@cnc-noc.net
View CIDR AS17772 Report: http://www.cidr-report.org/cgi-bin/as-report?as=17772

"17772 | CN | apnic | 2001-06-01 | CHINACOM CHINA COMMUNICATIONS SYSTEM Co.,Ltd."
Extended information for AS17772:
State/Province:
Country: cn
Responsible Domain: cetc-chinacomm.com.cn
Abuse Email: postmaster@cetc-chinacomm.com.cn
IP Converted: 220.188.192.70

dword = 3703357510
hex1 = 0xdcbcc046
hex2 = 0xdc.0xbc.0xc0.0x46
oct = 0334.0274.0300.0106
View CIDR AS4134 Report: http://www.cidr-report.org/cgi-bin/as-report?as=4134

"4134 | CN | apnic | 2002-08-01 | CHINANET-BACKBONE No.31,Jin-rong Street"
Extended information for AS4134:
State/Province:
Country: cn
Responsible Domain: chinanet.cn.net
Abuse Email: cncert@cert.org.cn
IP Converted: 116.199.157.11

dword = 1959238923
hex1 = 0x74c79d0b
hex2 = 0x74.0xc7.0x9d.0xb
oct = 0164.0307.0235.013
View CIDR AS9394 Report: http://www.cidr-report.org/cgi-bin/as-report?as=9394

"9394 | CN | apnic | 1998-08-27 | CRNET CHINA RAILWAY Internet(CRNET)"
Extended information for AS9394:
State/Province:
Country: cn
Responsible Domain: crc.net.cn
Abuse Email: anti-spam@chinanet.cn.net
Criminal Evidence

See the Spam Wiki entry at http://www.spamtrackers.eu/wiki/index.php?title=Canadian_Pharmacy
or from China: http://www.spamtrackers.hk/wiki/index.php?title=Canadian_Pharmacy
See the McAfee Site Advisor information at http://siteadvisor.com/sites/prettydesert.com


> XIN NET TECHNOLOGY CORPORATION AKA SINO-I
REGISTRATION OF THE WEB SITE: prettydesert.com
ACTION: To suspend this criminal site which breaks your terms of service, set the domain status to clientHold


> XIN NET TECHNOLOGY CORPORATION AKA SINO-I
REGISTRATION OF THE NAME SERVERS
These name servers are registered by criminals to resolve only illegal web sites. This breaks your terms of service. You can safely suspend them:
ns1.fopns.com 58.242.152.80 58.242.152.80 Clean China http://rss.uribl.com/ns/fopns_com.html
ns2.fopns.com 221.122.64.14 221.122.64.14 Blacklisted China http://rss.uribl.com/ns/fopns_com.html http://www.spamhaus.org/SBL/sbl.lasso?query=SBL62867
ns3.fopns.com 220.188.192.70 70.192.188.220.broad.nb.zj.dynamic.163data.com.cn Clean China http://rss.uribl.com/ns/fopns_com.html
ns4.fopns.com 116.199.157.11 116.199.157.11 Blacklisted China http://rss.uribl.com/ns/fopns_com.html http://www.spamhaus.org/SBL/sbl.lasso?query=SBL64286

ACTION: To suspend these name servers successfully, follow these steps.
1. set the ns Address records to a non-routable address, such as 127.0.0.1 or 61.61.61.61.
2. Set the domain status to clientUpdateProhibited, clientTransferProhibited, clientDeleteProhibited, and clientHold


> HANARO-AS Hanaro Telecom Inc. (incl. abuse@hanaro.com)
IP ADDRESS OF HOST: 123.111.50.177
The IP address of this criminal site is within your allocated address space.

This IP address is currently linked with the following fraudulent, criminal-operated domains:
babyclimb.com A 123.111.50.177
www.anbasic.com A 123.111.50.177
porthad.com A 123.111.50.177
singfeed.com A 123.111.50.177
classdid.com A 123.111.50.177
aftergold.com A 123.111.50.177
takewould.com A 123.111.50.177
www.silentwould.com A 123.111.50.177
laughband.com A 123.111.50.177
expectbehind.com A 123.111.50.177
tirewind.com A 123.111.50.177
shoretoward.com A 123.111.50.177
phrasethird.com A 123.111.50.177
dropthird.com A 123.111.50.177
girlchord.com A 123.111.50.177
swimword.com A 123.111.50.177
standsurface.com A 123.111.50.177
sightrace.com A 123.111.50.177
decimaldance.com A 123.111.50.177
seasononce.com A 123.111.50.177
dictionaryproduce.com A 123.111.50.177
elementdecide.com A 123.111.50.177
www.whatinclude.com A 123.111.50.177
equatesafe.com A 123.111.50.177
rublife.com A 123.111.50.177
rollarrange.com A 123.111.50.177
www.gladspoke.com A 123.111.50.177
runspoke.com A 123.111.50.177
tinysyllable.com A 123.111.50.177
alwaystable.com A 123.111.50.177
yettable.com A 123.111.50.177
mixdouble.com A 123.111.50.177
www.stillsettle.com A 123.111.50.177
originalcame.com A 123.111.50.177
sideplane.com A 123.111.50.177
stillengine.com A 123.111.50.177
www.thankstone.com A 123.111.50.177
www.lateshape.com A 123.111.50.177
appeartype.com A 123.111.50.177
makeare.com A 123.111.50.177
www.hurrycompare.com A 123.111.50.177
beatrequire.com A 123.111.50.177
oldphrase.com A 123.111.50.177
voiceraise.com A 123.111.50.177
leadexercise.com A 123.111.50.177
www.saidsurprise.com A 123.111.50.177
valleysense.com A 123.111.50.177
shellrose.com A 123.111.50.177
mustrose.com A 123.111.50.177
metalcause.com A 123.111.50.177
describeseparate.com A 123.111.50.177
spellequate.com A 123.111.50.177
groundnote.com A 123.111.50.177
basicreceive.com A 123.111.50.177
www.sendchief.com A 123.111.50.177
younghalf.com A 123.111.50.177
fellbring.com A 123.111.50.177
www.raceamong.com A 123.111.50.177
containstrong.com A 123.111.50.177
www.equateeach.com A 123.111.50.177
www.wavelaugh.com A 123.111.50.177
thanenough.com A 123.111.50.177
saltoh.com A 123.111.50.177
campfresh.com A 123.111.50.177
www.huntfinish.com A 123.111.50.177
closeboth.com A 123.111.50.177
www.huntneck.com A 123.111.50.177
countwork.com A 123.111.50.177
humanreal.com A 123.111.50.177
www.sightreal.com A 123.111.50.177
agooriginal.com A 123.111.50.177
www.linenumeral.com A 123.111.50.177
treeshall.com A 123.111.50.177
www.thoughtall.com A 123.111.50.177
toolsmell.com A 123.111.50.177
www.watertell.com A 123.111.50.177
replyfill.com A 123.111.50.177
www.largestill.com A 123.111.50.177
expectroll.com A 123.111.50.177
www.legseem.com A 123.111.50.177
tinybegan.com A 123.111.50.177
www.gasorgan.com A 123.111.50.177
sailgarden.com A 123.111.50.177
www.clearhappen.com A 123.111.50.177
thoughtcontain.com A 123.111.50.177
teethcaptain.com A 123.111.50.177
behindcolumn.com A 123.111.50.177
whoposition.com A 123.111.50.177
stepquestion.com A 123.111.50.177
observeson.com A 123.111.50.177
organship.com A 123.111.50.177
movedrop.com A 123.111.50.177
boughtgroup.com A 123.111.50.177
sharefear.com A 123.111.50.177
havenear.com A 123.111.50.177
overnumber.com A 123.111.50.177
centuryconsider.com A 123.111.50.177
www.roundwonder.com A 123.111.50.177
instrumentanger.com A 123.111.50.177
othergather.com A 123.111.50.177
keyrather.com A 123.111.50.177
outeither.com A 123.111.50.177
ironother.com A 123.111.50.177
dropother.com A 123.111.50.177
coldenter.com A 123.111.50.177
heartwinter.com A 123.111.50.177
alsoletter.com A 123.111.50.177
minutecolor.com A 123.111.50.177
villagehour.com A 123.111.50.177
hillhas.com A 123.111.50.177
nightyes.com A 123.111.50.177
daydiscuss.com A 123.111.50.177
recordflat.com A 123.111.50.177
quicksubject.com A 123.111.50.177
www.clotheconnect.com A 123.111.50.177
leastprotect.com A 123.111.50.177
bottomfeet.com A 123.111.50.177
skinfeet.com A 123.111.50.177
everquiet.com A 123.111.50.177
pathlift.com A 123.111.50.177
thinsit.com A 123.111.50.177
outinstant.com A 123.111.50.177
rememberquotient.com A 123.111.50.177
www.earelement.com A 123.111.50.177
www.thoughinstrument.com A 123.111.50.177
chancesent.com A 123.111.50.177
solvesent.com A 123.111.50.177
centuryevent.com A 123.111.50.177
savefront.com A 123.111.50.177
sisterfront.com A 123.111.50.177
crowdroot.com A 123.111.50.177
rightkept.com A 123.111.50.177
overquart.com A 123.111.50.177
prettydesert.com A 123.111.50.177
www.ageeast.com A 123.111.50.177
similarrest.com A 123.111.50.177
wheellost.com A 123.111.50.177
frompost.com A 123.111.50.177
campmust.com A 123.111.50.177
bothyou.com A 123.111.50.177
dogrew.com A 123.111.50.177
continentflow.com A 123.111.50.177
phraseyellow.com A 123.111.50.177
regionnow.com A 123.111.50.177
richsix.com A 123.111.50.177
www.peatfox.com A 123.111.50.177
creasefamily.com A 123.111.50.177
www.equalmany.com A 123.111.50.177
lednecessary.com A 123.111.50.177
fruitevery.com A 123.111.50.177
inventcarry.com A 123.111.50.177
www.tirehurry.com A 123.111.50.177
mountainindustry.com A 123.111.50.177
preparebusy.com A 123.111.50.177
sidepretty.com A 123.111.50.177
www.tefanmu.net A 123.111.50.177
ACTION: Black-hole the route to this address to prevent further criminal activity


> CHINA169-BACKBONE CNCGROUP China169 Backbone
IP ADDRESS OF NAMESERVER (ns1.fopns.com): 58.242.152.80
The IP address of this criminal nameserver is within your allocated address space.

This IP address is currently linked with the following fraudulent, criminal-operated domains:
ns1.qw22.com A 58.242.152.80
ns1.goo33.com A 58.242.152.80
ns1.boss96.com A 58.242.152.80
ns1.xx8989.com A 58.242.152.80
ns1.fopns.com A 58.242.152.80
ns1.hersns.com A 58.242.152.80
ns1.rorfast.com A 58.242.152.80
ACTION: Black-hole the route to this address to prevent further criminal activity


> CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
> CHINACOM CHINA COMMUNICATIONS SYSTEM Co.,Ltd. (incl. anti-spam@ns.chinanet.cn.net)
IP ADDRESS OF NAMESERVER (ns2.fopns.com): 221.122.64.14
The IP address of this criminal nameserver is within your allocated address space.

This IP address is currently linked with the following fraudulent, criminal-operated domains:
ns3.qw22.com A 221.122.64.14
ns2.goo33.com A 221.122.64.14
ns3.boss96.com A 221.122.64.14
ns3.xx8989.com A 221.122.64.14
ns4.canadianmedsworld.com A 221.122.64.14
ns4.canadianpharmacyltd.com A 221.122.64.14
ns2.fopns.com A 221.122.64.14
ns3.hersns.com A 221.122.64.14
ns3.rorfast.com A 221.122.64.14
ACTION: Black-hole the route to this address to prevent further criminal activity


> CHINANET-BACKBONE No.31,Jin-rong Street (incl. anti_spam@mail.hz.zj.cn,antispam@dcb.hz.zj.cn,anti_spam@mail.nbptt.zj.cn)
IP ADDRESS OF NAMESERVER (ns3.fopns.com): 220.188.192.70
The IP address of this criminal nameserver is within your allocated address space.

This IP address is currently linked with the following fraudulent, criminal-operated domains:
ns2.qw22.com A 220.188.192.70
ns3.goo33.com A 220.188.192.70
ns2.boss96.com A 220.188.192.70
ns2.xx8989.com A 220.188.192.70
ns3.fopns.com A 220.188.192.70
ns2.hersns.com A 220.188.192.70
ns2.rorfast.com A 220.188.192.70
ACTION: Black-hole the route to this address to prevent further criminal activity


> CRNET CHINA RAILWAY Internet(CRNET) (incl. gzy@21cn.com,tietonghn@k65.net)
IP ADDRESS OF NAMESERVER (ns4.fopns.com): 116.199.157.11
The IP address of this criminal nameserver is within your allocated address space.

This IP address is currently linked with the following fraudulent, criminal-operated domains:
ns4.qw22.com A 116.199.157.11
ns4.goo33.com A 116.199.157.11
ns4.boss96.com A 116.199.157.11
ns4.xx8989.com A 116.199.157.11
ns4.hopens.com A 116.199.157.11
ns4.fopns.com A 116.199.157.11
ns4.hersns.com A 116.199.157.11
ns4.rorfast.com A 116.199.157.11
ACTION: Black-hole the route to this address to prevent further criminal activity


The criminality of these domain names can be verified using the following SiteAdvisor link format, http://www.siteadvisor.com/lookup/?q=domainname.tld


Previously recorded SIRT Reports point out that this domain was masked behind Googlepages.com as well as blogspot.com splogs to hide the spammer's domain from spam filtering software and reporting services such as SpamCop:
* CastleCops Link/t218252-.html
* CastleCops Link/p1079529-SIRT_161886_Blogspot_redirection_Canadian_Pharmacy.html
* CastleCops Link/p1079825-SIRT_161886_Blogspot_redirection_Canadian_Pharmacy.html
* CastleCops Link/t215904-.html
* CastleCops Link/t215911-.html

You will find references to this spamvertised illegal domain on the news.admin.net-abuse.* USENET groups. This spamvertised domain is operated by criminals aiming to sell pharmaceuticals such as Viagra, Xanax, and other meds illegally:
* http://groups.google.com/group/news.admin.net-abuse.sightings/browse_thread/thread/01fb0d41f87afcf5
* http://groups.google.com/group/news.admin.net-abuse.sightings/msg/f5e3f1b71bb2d607
* http://groups.google.com/group/news.admin.net-abuse.sightings/msg/154aa1fb6ee165f2
* http://groups.google.com/group/news.admin.net-abuse.sightings/browse_thread/thread/5b9f8a5aa29f0222/154aa1fb6ee165f2?fwc=1
IP Converted: 76.106.194.40

dword = 1282064936
hex1 = 0x4c6ac228
hex2 = 0x4c.0x6a.0xc2.0x28
oct = 0114.0152.0302.050
View CIDR AS20214 Report: http://www.cidr-report.org/cgi-bin/as-report?as=20214

"20214 | US | arin | 2001-04-06 | CCCH-AS6 - Comcast Cable Communications Holdings, Inc"
Extended information for AS20214:
State/Province: nj
Country: us
Responsible Domain: comcast.net
Abuse Email: abuse@comcast.net
IP Converted: 67.188.53.61

dword = 1136407869
hex1 = 0x43bc353d
hex2 = 0x43.0xbc.0x35.0x3d
oct = 0103.0274.065.075
View CIDR AS33651 Report: http://www.cidr-report.org/cgi-bin/as-report?as=33651

"33651 | US | arin | 2005-02-16 | DNEO-OSP7 - Comcast Cable Communications, Inc."
Extended information for AS33651:
State/Province: nj
Country: us
Responsible Domain: comcast.net
Abuse Email: abuse@comcast.net
IP Converted: 68.81.128.81

dword = 1146191953
hex1 = 0x44518051
hex2 = 0x44.0x51.0x80.0x51
oct = 0104.0121.0200.0121
View CIDR AS33287 Report: http://www.cidr-report.org/cgi-bin/as-report?as=33287

"33287 | US | arin | 2004-11-16 | DNEO-OSP4 - Comcast Cable Communications, Inc."
Extended information for AS33287:
State/Province: nj
Country: us
Responsible Domain: comcast.net
Abuse Email: abuse@comcast.net
IP Converted: 76.226.221.170

dword = 1289936298
hex1 = 0x4ce2ddaa
hex2 = 0x4c.0xe2.0xdd.0xaa
oct = 0114.0342.0335.0252
View CIDR AS7132 Report: http://www.cidr-report.org/cgi-bin/as-report?as=7132

"7132 | US | arin | 1996-09-13 | SBIS-AS - AT&T Internet Services"
Extended information for AS7132:
State/Province: tx
Country: us
Responsible Domain: swbell.net
Abuse Email: abuse@swbell.net
IP Converted: 121.152.240.95

dword = 2040066143
hex1 = 0x7998f05f
hex2 = 0x79.0x98.0xf0.0x5f
oct = 0171.0230.0360.0137
View CIDR AS4766 Report: http://www.cidr-report.org/cgi-bin/as-report?as=4766

"4766 | KR | apnic | 1996-04-22 | KIXS-AS-KR Korea Telecom"
Extended information for AS4766:
State/Province:
Country: kr
Responsible Domain: kornet.net
Abuse Email: abuse@kornet.net
Criminal Evidence

See the McAfee Site Advisor information at http://siteadvisor.com/sites/zopotter.com regarding this domain, which currently redirects to an infinite number of domains across different brands, ranging from jewellery to pharmaceuticals.

> XIN NET TECHNOLOGY CORPORATION
REGISTRATION OF THE WEB SITE: zopotter.com
Currently, the root of this domain yields a blank page. If you enter bnxq.zopotter.com, you will be blindly redirected to a Canadian Pharmacy spam-brand site that is operated by criminals. This domain is also currently running on a fast-flux botnet which will rotate its IPs at a user-set interval. As of this report, the IPs currently servicing this blind redirect are:
Address | Reverse | BL | Country | Reporting nameserver | Links
67.188.53.61 | N/A | Yes | United States | ns1.guprovider.com | http://www.spamhaus.org/query/bl?ip=67.188.53.61 |
68.81.128.81 | N/A | Yes | United States | ns1.guprovider.com | http://www.spamhaus.org/query/bl?ip=68.81.128.81 |
76.106.194.40 | N/A | Yes | United States | ns1.guprovider.com | http://www.spamhaus.org/query/bl?ip=76.106.194.40 |
76.226.221.170 | N/A | | United States | ns1.guprovider.com |
121.152.240.95 | N/A | Yes | Korea, Republic of | ns1.guprovider.com | http://www.spamhaus.org/query/bl?ip=121.152.240.95 |
121.152.240.95 | N/A | Yes | Korea, Republic of | ns2.guprovider.com | http://www.spamhaus.org/query/bl?ip=121.152.240.95 |
67.188.53.61 | N/A | Yes | United States | ns2.guprovider.com | http://www.spamhaus.org/query/bl?ip=67.188.53.61 |
68.81.128.81 | N/A | Yes | United States | ns2.guprovider.com | http://www.spamhaus.org/query/bl?ip=68.81.128.81 |
76.106.194.40 | N/A | Yes | United States | ns2.guprovider.com | http://www.spamhaus.org/query/bl?ip=76.106.194.40 |
76.226.221.170 | N/A | | United States | ns2.guprovider.com |
76.226.221.170 | N/A | | United States | ns3.guprovider.com |
121.152.240.95 | N/A | Yes | Korea, Republic of | ns3.guprovider.com | http://www.spamhaus.org/query/bl?ip=121.152.240.95 |
67.188.53.61 | N/A | Yes | United States | ns3.guprovider.com | http://www.spamhaus.org/query/bl?ip=67.188.53.61 |
68.81.128.81 | N/A | Yes | United States | ns3.guprovider.com | http://www.spamhaus.org/query/bl?ip=68.81.128.81 |
76.106.194.40 | N/A | Yes | United States | ns3.guprovider.com | http://www.spamhaus.org/query/bl?ip=76.106.194.40 |
76.106.194.40 | N/A | Yes | United States | ns4.guprovider.com | http://www.spamhaus.org/query/bl?ip=76.106.194.40 |
76.226.221.170 | N/A | | United States | ns4.guprovider.com |
121.152.240.95 | N/A | Yes | Korea, Republic of | ns4.guprovider.com | http://www.spamhaus.org/query/bl?ip=121.152.240.95 |
67.188.53.61 | N/A | Yes | United States | ns4.guprovider.com | http://www.spamhaus.org/query/bl?ip=67.188.53.61 |
68.81.128.81 | N/A | Yes | United States | ns4.guprovider.com | http://www.spamhaus.org/query/bl?ip=68.81.128.81 |

Some other evidence of fraudulent use in a fast-flux botnet is as follows:
zopotter.com A 24.127.232.220
zopotter.com A 24.138.244.93
zopotter.com A 24.139.251.57
zopotter.com A 24.178.205.113
zopotter.com A 65.66.148.72
zopotter.com A 66.176.48.150
zopotter.com A 67.64.156.156
zopotter.com A 67.188.53.61
zopotter.com A 68.77.207.186
zopotter.com A 68.81.128.81
zopotter.com A 68.118.96.10
zopotter.com A 68.126.248.183
zopotter.com A 69.86.112.138
zopotter.com A 69.145.220.220
blf.zopotter.com CNAME zopotter.com
rmkpf.zopotter.com CNAME zopotter.com
rekh.zopotter.com CNAME zopotter.com
pnph.zopotter.com CNAME zopotter.com
kprh.zopotter.com CNAME zopotter.com
kgj.zopotter.com CNAME zopotter.com
bkk.zopotter.com CNAME zopotter.com
puq.zopotter.com CNAME zopotter.com
rar.zopotter.com CNAME zopotter.com
tms.zopotter.com CNAME zopotter.com
bvlt.zopotter.com CNAME zopotter.com
bjv.zopotter.com CNAME zopotter.com
pox.zopotter.com CNAME zopotter.com
btz.zopotter.com CNAME zopotter.com
ACTION: To suspend this criminal site which breaks your terms of service, set the domain status to clientHold


> BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
REGISTRATION OF THE NAME SERVERS
These name servers are registered by criminals to resolve only illegal web sites. This breaks your terms of service. You can safely suspend them:
ns1.guprovider.com | 76.106.194.40 | N/A | Blacklisted | United States | http://www.spamhaus.org/query/bl?ip=76.106.194.40
ns2.guprovider.com | 69.119.30.205 | N/A | | United States |
ns3.guprovider.com | 24.188.70.145 | N/A | | United States |
ns4.guprovider.com | 67.64.41.203 | N/A | | United States |

ACTION: To suspend these name servers successfully, follow these steps.
1. set the ns Address records to a non-routable address, such as 127.0.0.1 or 61.61.61.61.
2. Set the domain status to clientUpdateProhibited, clientTransferProhibited, clientDeleteProhibited, and clientHold


> CCCH-AS6 - Comcast Cable Communications Holdings, Inc
> DNEO-OSP7 - Comcast Cable Communications, Inc.
> DNEO-OSP4 - Comcast Cable Communications, Inc.
> SBIS-AS - AT&T Internet Services
> KIXS-AS-KR Korea Telecom
IP ADDRESS OF HOST: 76.106.194.40,67.188.53.61,68.81.128.81,76.226.221.170,121.152.240.95
These IP addresses currently being used to host criminal spam sites have likely been unknowingly infected by MALWARE. These addresses are within your allocated IP ranges.
ACTION: Since these IPs are currently participating in a fast-flux botnet (likely involuntarily, using hijacked hosting), follow this procedure:
1. locate the machines that operated from these IP addresses at/around Thursday, May 8, 2008 at ~2:30am UTC.
2. disconnect the machines from the Network/Internet
3. Ensure that the systems are cleaned of all malware using antivirus and anti-spyware programs.
4. Change the root and any administrator passwords to make them more secure
5. Shutdown the machine, and restart

If there are any doubts, direct the customers to the CastleCops Malware Removal and Prevention Procedure:
* http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview

This procedure can be walked through over the phone.

Furthermore, consider monitoring the customers' Internet activity. If further malicious data is found passing through at high rates, this could be attributed to re-infection. Currently, these systems pose a threat to network security.

You can read more about the use of hijacked hosts infrastructure at the SpamWiki:
http://www.spamtrackers.eu/wiki/index.php?title=Hijacked_host or
http://www.spamtrackers.hk/wiki/index.php?title=Hijacked_host from China

The fraudulency of these domains mentioned within this report can be cross-referenced with siteadvisor.com

Quote:
http://bnxq.zopotter.com

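The "IP Converted" blocks in the report above list the dword, hex and octal spellings of each host address, which are the forms spammers put into URLs so that a filter keyed on dotted quads misses them. The following Python is an added example, not code from this report or from any CastleCops tool: it reproduces those four spellings for any address and, more usefully for a filter, normalizes any inet_aton-style literal (one to four parts, each decimal, 0x-hex or leading-zero octal, with the last part filling the remaining bytes) back to a dotted quad so the host can be matched against a blocklist. The function names, the URL regex and the sample inputs in the `__main__` block are the example's own; the address values come from the report.

```python
import ipaddress
import re

# Host part of an http(s) URL; stops at '/', ':', '@' or whitespace.
_URL_HOST = re.compile(r"https?://([^/\s:@]+)", re.IGNORECASE)


def _parse_part(token: str) -> int:
    """Parse one numeric token the way inet_aton() does:
    '0x..' is hex, a leading '0' followed by more digits is octal,
    anything else is decimal. Raises ValueError for non-numeric text
    such as a hostname label."""
    t = token.lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)
    return int(t, 10)


def normalize_ip(literal: str) -> str:
    """Return the dotted-quad form of any inet_aton-style IPv4 literal.

    1 part : a        -> one 32-bit value
    2 parts: a.b      -> a is 8 bits, b fills the low 24 bits
    3 parts: a.b.c    -> a and b are 8 bits, c fills the low 16 bits
    4 parts: a.b.c.d  -> four octets
    Raises ValueError if the text is not such a literal."""
    parts = literal.strip().split(".")
    if not 1 <= len(parts) <= 4 or "" in parts:
        raise ValueError(f"not an IPv4 literal: {literal!r}")
    nums = [_parse_part(p) for p in parts]
    head, last = nums[:-1], nums[-1]
    if any(not 0 <= n <= 255 for n in head):
        raise ValueError(f"octet out of range in {literal!r}")
    tail_bits = 8 * (4 - len(head))
    if not 0 <= last < (1 << tail_bits):
        raise ValueError(f"last part out of range in {literal!r}")
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << tail_bits) | last
    return str(ipaddress.IPv4Address(value))


def obfuscated_forms(ip: str) -> dict:
    """The four spellings the report's 'IP Converted' blocks list for one address."""
    addr = ipaddress.IPv4Address(ip)
    octets = addr.packed
    dword = int(addr)
    return {
        "dword": str(dword),
        "hex1": f"0x{dword:08x}",
        "hex2": ".".join(f"0x{b:x}" for b in octets),
        "oct": ".".join(f"0{b:o}" for b in octets),
    }


def decode_url_host(url: str):
    """If the URL's host is an IPv4 literal in any spelling, return it as a
    dotted quad; return None for an ordinary hostname or a non-URL."""
    m = _URL_HOST.search(url)
    if not m:
        return None
    try:
        return normalize_ip(m.group(1))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample: the report's first host in each spelling it lists.
    for spelling in ("2070885041", "0x7b6f32b1", "0x7b.0x6f.0x32.0xb1", "0173.0157.062.0261"):
        print(f"{spelling:>22} -> {normalize_ip(spelling)}")
    print(obfuscated_forms("123.111.50.177"))
    print(decode_url_host("http://0x7b6f32b1/"), decode_url_host("http://prettydesert.com/"))
```

Run `decode_url_host()` over every URL pulled out of a message and compare the result with the dotted-quad hosts in the report's lists; a literal that parses but does not appear in any list is still worth a second look, since a URL with a numeric host is itself unusual in legitimate mail.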
ahoier (SIRT Handler; Joined: Jan 14, 2006; Posts: 1087; Location: USA)
Posted: Thu May 08, 2008 3:20 am

Misc. data I figured I'd throw in, from a botscan IP harvester run:

Code:
IP | First Instance | Last Instance | Count | ASN | Reverse DNS | CC | ISP
121.152.240.95 | 2008/05/07_22:30:27 | 2008/05/07_22:30:27 | 1 | 4766 | | KR | KIXS-AS-KR Korea Telecom
125.141.88.79 | 2008/05/07_22:45:30 | 2008/05/07_23:15:36 | 3 | 4766 | | KR | KIXS-AS-KR Korea Telecom
151.118.149.33 | 2008/05/07_22:35:28 | 2008/05/07_23:10:35 | 5 | 3909 | VDSL-151-118-149-33.DNVR.QWEST.NET. | US | QWEST-AS-3908 - Qwest Communications Corporation
190.164.37.161 | 2008/05/07_22:35:28 | 2008/05/07_23:10:35 | 4 | 22047 | | CL | VTR BANDA ANCHA S.A.
190.189.73.106 | 2008/05/07_22:35:28 | 2008/05/07_23:10:35 | 5 | 10481 | 106-73-189-190.cab.prima.net.ar. | AR | Prima S.A.
220.76.33.168 | 2008/05/07_23:05:34 | 2008/05/07_23:10:35 | 2 | 4766 | | KR | KIXS-AS-KR Korea Telecom
24.122.218.63 | 2008/05/07_22:50:31 | 2008/05/07_22:50:31 | 1 | 11290 | 24-122-218-63.si.cgocable.ca. | CA | RAPIDUS - COGECO Cable Canada Inc.
24.127.232.220 | 2008/05/07_22:35:28 | 2008/05/07_23:10:35 | 5 | 20214 | c-24-127-232-220.hsd1.fl.comcast.net. | US | CCCH-AS6 - Comcast Cable Communications Holdings, Inc
65.96.100.205 | 2008/05/07_22:35:28 | 2008/05/07_22:55:32 | 3 | 7015 | c-65-96-100-205.hsd1.ma.comcast.net. | US | CCCH-AS2 - Comcast Cable Communications Holdings, Inc
67.188.53.61 | 2008/05/07_22:30:27 | 2008/05/07_23:00:33 | 3 | 33651 | c-67-188-53-61.hsd1.ca.comcast.net. | US | DNEO-OSP7 - Comcast Cable Communications, Inc.
67.64.41.203 | 2008/05/07_22:50:31 | 2008/05/07_22:50:31 | 1 | 7132 | adsl-67-64-41-203.dsl.kscymo.swbell.net. | US | SBIS-AS - AT&T Internet Services
68.81.128.81 | 2008/05/07_22:30:27 | 2008/05/07_23:00:33 | 2 | 33287 | c-68-81-128-81.hsd1.pa.comcast.net. | US | DNEO-OSP4 - Comcast Cable Communications, Inc.
69.145.220.220 | 2008/05/07_22:35:28 | 2008/05/07_22:50:31 | 3 | 33588 | host-69-145-220-220.kls-mt.client.bresnan.net. | US | BRESNAN-AS - Bresnan Communications, LLC.
69.153.129.220 | 2008/05/07_22:55:32 | 2008/05/07_22:55:32 | 1 | 7132 | adsl-69-153-129-220.dsl.hstntx.swbell.net. | US | SBIS-AS - AT&T Internet Services
69.231.124.66 | 2008/05/07_22:45:30 | 2008/05/07_23:15:36 | 2 | 7132 | adsl-69-231-124-66.dsl.irvnca.pacbell.net. | US | SBIS-AS - AT&T Internet Services
69.232.110.28 | 2008/05/07_22:55:32 | 2008/05/07_22:55:32 | 1 | 7132 | adsl-69-232-110-28.dsl.irvnca.pacbell.net. | US | SBIS-AS - AT&T Internet Services
69.248.191.13 | 2008/05/07_22:35:28 | 2008/05/07_23:10:35 | 5 | 33287 | c-69-248-191-13.hsd1.pa.comcast.net. | US | DNEO-OSP4 - Comcast Cable Communications, Inc.
70.128.112.221 | 2008/05/07_23:05:34 | 2008/05/07_23:10:35 | 2 | 7132 | ppp-70-128-112-221.dsl.tulsok.swbell.net. | US | SBIS-AS - AT&T Internet Services
75.6.164.5 | 2008/05/07_23:00:33 | 2008/05/07_23:00:33 | 1 | 7132 | adsl-75-6-164-5.dsl.skt2ca.sbcglobal.net. | US | SBIS-AS - AT&T Internet Services
75.9.211.139 | 2008/05/07_23:05:34 | 2008/05/07_23:10:35 | 2 | 7132 | adsl-75-9-211-139.dsl.crchtx.sbcglobal.net. | US | SBIS-AS - AT&T Internet Services
76.106.194.40 | 2008/05/07_22:30:27 | 2008/05/07_23:00:33 | 3 | 20214 | c-76-106-194-40.hsd1.fl.comcast.net. | US | CCCH-AS6 - Comcast Cable Communications Holdings, Inc
76.120.86.56 | 2008/05/07_22:45:30 | 2008/05/07_23:15:36 | 2 | 33652 | c-76-120-86-56.hsd1.co.comcast.net. | US | DNEO-OSP7 - Comcast Cable Communications, Inc.
76.226.221.170 | 2008/05/07_22:30:27 | 2008/05/07_23:00:33 | 3 | 7132 | | US | SBIS-AS - AT&T Internet Services
98.217.103.94 | 2008/05/07_22:35:28 | 2008/05/07_22:40:29 | 2 | 7015 | | US | CCCH-AS2 - Comcast Cable Communications Holdings, Inc


Lots of US on there :<

As you will see, it was only a small run, just to prove a point.

ahoier (SIRT Handler; Joined: Jan 14, 2006; Posts: 1087; Location: USA)
Posted: Fri May 16, 2008 10:24 pm

Interesting... http://bnxq.zopotter.com/ no longer redirects to a spamvertised domain... instead it's displaying an "AppServ Open Project 2.5.9 for Windows" page... looks like a placeholder of sorts...

http://pastebin.ca/1020598 has the contents of the page source...it seems to be a leaked phpMyAdmin page of sorts...lol.

Quote:
The AppServ Open Project - 2.5.9 for Windows


phpMyAdmin Database Manager Version 2.10.2
PHP Information Version 5.2.3


About AppServ Version 2.5.9 for Windows
AppServ is a merging open source software installer package for Windows includes :


Apache Web Server Version 2.2.4

PHP Script Language Version 5.2.3

MySQL Database Version 5.0.45

phpMyAdmin Database Manager Version 2.10.2


ChangeLog
README
AUTHORS
COPYING
http://www.AppServNetwork.com
Change Language :


Easy way to build Webserver, Database Server with AppServ :)



IPs:
Code:
>nslookup bnxq.zopotter.com
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    zopotter.com
Addresses:  24.132.182.104
          67.11.40.142
          68.50.49.35
          69.86.112.116
          70.113.65.22
          84.124.154.160
          86.0.50.66
          125.141.88.79
Aliases:  bnxq.zopotter.com

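The report calls zopotter.com fast-flux on the strength of the fourteen A records listed in the first post and the eight-address nslookup answer in the post above, with no address in common between the two. The following Python is an added example, not code from the report or from any CastleCops tool: it takes periodic answer sets for one name and computes the three indicators a practitioner would check, namely distinct addresses, distinct networks (approximated offline by covering /16 prefix, where a real deployment would use an ASN lookup as the report does) and the share of answers replaced between polls, and flags the name when all three are high. The observation data is transcribed from this thread; the control name's address 198.51.100.10, the thresholds and the function names are the example's own.

```python
import ipaddress
from statistics import mean

# Constructed from the thread: the A records ahoier listed for zopotter.com on
# 2008-05-08 (first post) and the nslookup answer on 2008-05-16 (third post).
ZOPOTTER_OBSERVATIONS = [
    ("2008-05-08", [
        "24.127.232.220", "24.138.244.93", "24.139.251.57", "24.178.205.113",
        "65.66.148.72", "66.176.48.150", "67.64.156.156", "67.188.53.61",
        "68.77.207.186", "68.81.128.81", "68.118.96.10", "68.126.248.183",
        "69.86.112.138", "69.145.220.220",
    ]),
    ("2008-05-16", [
        "24.132.182.104", "67.11.40.142", "68.50.49.35", "69.86.112.116",
        "70.113.65.22", "84.124.154.160", "86.0.50.66", "125.141.88.79",
    ]),
]

# Constructed control (documentation address, not from the thread): a normally
# hosted name that answers the same address on every poll.
STABLE_OBSERVATIONS = [
    ("2008-05-08", ["198.51.100.10"]),
    ("2008-05-16", ["198.51.100.10"]),
]


def network_of(ip: str, bits: int = 16) -> str:
    """Covering /bits prefix of an address; an offline stand-in for 'which ISP'."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def flux_metrics(observations, prefix_bits: int = 16) -> dict:
    """Summarize a time-ordered sequence of (when, [A records]) for one name."""
    seen, prefixes, churn = set(), set(), []
    previous = None
    for _when, answers in observations:
        current = set(answers)
        if previous is not None:
            # Share of this poll's answers that were absent from the previous poll.
            churn.append(len(current - previous) / len(current))
        seen |= current
        prefixes |= {network_of(ip, prefix_bits) for ip in current}
        previous = current
    return {
        "distinct_ips": len(seen),
        "distinct_prefixes": len(prefixes),
        "max_answers": max(len(a) for _w, a in observations),
        "mean_churn": mean(churn) if churn else 0.0,
    }


def looks_fast_flux(metrics: dict, min_ips: int = 8, min_prefixes: int = 5,
                    min_churn: float = 0.5) -> bool:
    """All three indicators together: many addresses, spread across many networks,
    and most of them replaced between polls. The thresholds are this example's
    own guesses, not figures from the report; tune them on known-good names."""
    return (metrics["distinct_ips"] >= min_ips
            and metrics["distinct_prefixes"] >= min_prefixes
            and metrics["mean_churn"] >= min_churn)


if __name__ == "__main__":
    for name, obs in (("zopotter.com", ZOPOTTER_OBSERVATIONS),
                      ("stable control", STABLE_OBSERVATIONS)):
        m = flux_metrics(obs)
        print(f"{name}: {m} -> fast-flux={looks_fast_flux(m)}")
```

A CDN-fronted name also answers with many addresses, but they stay within a few prefixes and mostly recur from poll to poll, which is why the check requires churn and network spread as well as a raw address count; with only two polls eight days apart, as here, the churn figure is coarse, and polling at the record's TTL gives a much better picture.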
tembow (Blue Angel, Premium Member; Joined: Oct 10, 2005; Posts: 2931; Blue Security Premium)
Posted: Sun May 18, 2008 8:15 am

When posting BotScan results, please indicate the Time Zone being used.

ahoier (SIRT Handler; Joined: Jan 14, 2006; Posts: 1087; Location: USA)
Posted: Wed Jun 04, 2008 4:13 pm

http://bnxq.zopotter.com is now turning up NXDOMAIN :)

Same story with prettydesert. Status set to clientHold, resulting in NXDOMAIN.


Case closed!

All times are GMT