[Dshield] Bizarre Activity Spurt...

Robert Nelson nelsrob at mts.net
Mon Oct 17 21:29:49 GMT 2005


The strange spurt I was experiencing mysteriously stopped Saturday morning.
Now just back to the usual amount of messenger spam. No more 160+ hits in
one minute from the same port... These were all on 1025 and 1026 only.

Go figure.

Robert

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Freek de Kruijf
Sent: October 17, 2005 8:06 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Bizarre Activity Spurt...


I captured a number of these packets. I received these packets on the 
following ports; the number in the second column is the count for Oct 16:
1026  523
1025  425
1027  44
1029  10
1028  10
1030  5

I analysed a small number of these packets on most of these ports. All had 
the format of the Windows Messenger and the message was:
  "Windows has encountered an Internal Error"
  "Your windows registry is corrupted."
  "We recommend a complete system scan."
  "Visit http://FixRegNow.net"
  "To repair now!"

However in the above, the URL varies.
I have also seen:
www.fixthereg.com
www.cleanthispc.com
www.123regfix.com

The last does not have an IP-address anymore. It was 66.150.161.140.

www.fixthereg.com has the IP-addresses:
69.25.27.170
69.25.27.171
66.150.161.136
66.150.161.134
66.150.161.140
66.150.161.141
69.25.27.173
69.25.27.172

www.fixregnow.net had the IP-address: 64.74.96.243
Now it is: 212.118.243.115

www.cleanthispc.com has the IP-address: 67.19.13.19

All the above URLs refer to the URL http://hop.clickbank.net/<varies>
hop.clickbank.net has IP-address: 64.128.87.125
Also I found a prefix in front of .hop.clickbank.net, but any prefix refers 
to the same IP-address.
However these URLs also are referrals to:
http://www.registrycleaner32.com with IP-address 64.111.198.131
http://winregcleaner.com with IP-address 64.74.96.243
http://www.myspywarecleaner.com with IP-address 66.242.131.207

The IP-addresses for the URLs in the Windows Message all belong to the ISP 
Internap Network Services and the company
CustName:   Dotster.com
Address:    11807 NE 99th Street, Suite 1100
City:       Vancouver
StateProv:  WA

The hop.clickbank.net (domain) is owned by
Registrant:
   Click Sales, Inc. (CLICKBANK-NET-DOM)
   Domain Administrator
   915 W. Jefferson Street
   Boise, ID 83702
IP-address is owned by:
OrgName:    COLOC8 INC.
OrgID:      COLOC-2
Address:    Administrative Offices
Address:    917 Lusk Street, 3rd Floor
City:       Boise

The last 3 IP-addresses all have different owners. Only one, 64.74.96.243, is 
also owned by the ISP Internap Network Services, but the owner is 
CustName:   eNom
Address:    16771 NE 80th Street
City:       Redmond
StateProv:  WA

-- 
fr.gr.

Beelaerts ICT Consultancy
Freek
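
The two observations in this thread (a burst of 160+ hits in one minute from
a single source port, and the Oct 16 per-port counts on 1025-1030) are easy to
reproduce from a firewall log. The script below is an added example, written
for this archive page; it is not code from either poster. It assumes a
constructed log line format of "<ISO timestamp> <proto> <src_ip>:<src_port> ->
<dst_ip>:<dst_port>" and constructs its own sample lines (no captured traffic),
using Robert's "160+ in one minute" figure as the burst threshold. It also
pulls the advertised hostnames out of a Messenger popup body so they can be
compared with the list Freek posted.

```python
"""Flag Messenger-service (UDP 1025-1030) spam bursts in a firewall log.

Added example for this thread, not the posters' code. The log format and the
sample traffic below are assumptions made for the example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed log format: "2005-10-14T02:15:00 UDP 203.0.113.7:1026 -> 198.51.100.5:1026"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Destination ports the Oct 16 table in the thread shows the spam arriving on.
MESSENGER_PORTS = {1025, 1026, 1027, 1028, 1029, 1030}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "proto": m["proto"],
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_bursts(lines, threshold=160, ports=MESSENGER_PORTS):
    """Count UDP hits on the Messenger ports per (src_ip, src_port, dst_port, minute).

    Returns only the buckets at or above `threshold`, i.e. the "160+ hits in one
    minute from the same port" pattern Robert described. Bucketing is by
    wall-clock minute, so a burst straddling a minute boundary may be split.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] not in ports:
            continue
        minute = rec["ts"].replace(second=0, microsecond=0)
        counts[(rec["src"], rec["sport"], rec["dport"], minute)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def port_totals(lines, ports=MESSENGER_PORTS):
    """Per-destination-port totals for UDP hits, the same shape as Freek's table."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["proto"] == "UDP" and rec["dport"] in ports:
            counts[rec["dport"]] += 1
    return dict(counts)


def extract_urls(text):
    """Return the normalised hostnames advertised in a Messenger popup body.

    Accepts both "http://host" and bare "www.host" forms, strips the scheme and
    lowercases so variants like FixRegNow.net and fixregnow.net compare equal.
    """
    hosts = re.findall(r"(?:https?://|www\.)[\w.-]+", text, re.IGNORECASE)
    return [re.sub(r"^https?://", "", h).rstrip(".").lower() for h in hosts]


def constructed_sample():
    """Constructed log lines (not real captures): 200 UDP packets to port 1026
    from one source port inside a single minute, a trickle of 1025 hits spread
    over an hour, and one TCP line that must be ignored."""
    base = datetime(2005, 10, 14, 2, 15, 0)
    lines = []
    for i in range(200):                                   # 200 packets in 50 s
        ts = base + timedelta(milliseconds=i * 250)
        lines.append(f"{ts.isoformat()} UDP 203.0.113.7:1026 -> 198.51.100.5:1026")
    for i in range(12):                                    # one hit every 5 min
        ts = base + timedelta(minutes=i * 5)
        lines.append(f"{ts.isoformat()} UDP 203.0.113.9:1025 -> 198.51.100.5:1025")
    lines.append(f"{base.isoformat()} TCP 203.0.113.7:4444 -> 198.51.100.5:1026")
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    for (src, sport, dport, minute), n in find_bursts(sample).items():
        print(f"{minute:%H:%M} {src}:{sport} -> :{dport} {n} hits")
    print(port_totals(sample))
    print(extract_urls('Visit " http://FixRegNow.net " "To repair now!'))
```

Run it against a real log by replacing `constructed_sample()` with the file's
lines; only the regex in `LINE_RE` needs to change for a different log format.
The per-minute bucketing is deliberate: it matches how DShield-style summaries
are read, but a sliding window would be needed to catch a burst that straddles
a minute boundary.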
