[Dshield] Bizarre Activity Spurt...

Robert Nelson nelsrob at mts.net
Mon Oct 17 21:29:49 GMT 2005

The strange spurt I was experiencing mysteriously stopped Saturday morning.
Now just back to the usual amount of messenger spam. No more 160+ hits in
one minute from the same port... These were all on 1025 and 1026 only.

Go figure.


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Freek de Kruijf
Sent: October 17, 2005 8:06 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Bizarre Activity Spurt...

I captured a number of these packages. I received these packages on the 
following ports; the number in the second column is the count for Oct 16:
1026  523
1025  425
1027   44
1029   10
1028   10
1030    5

I analysed a small number of these packages on most of these ports. All had 
the format of the Windows Messenger and the message was: "Windows has
encountered an Internal Error "Your windows registry is corrupted. "We
recommend a complete system scan. " "Visit " http://FixRegNow.net " "To
repair now!

However in the above, the URL varies.
I have also seen:

The last does not have an IP-address anymore. It was

www.fixthereg.com has the IP-addresses:

www.fixregnow.net had the IP-address:
Now it is:

www.cleanthispc.com has the IP-address:

All the above URLs refer to the URL http://hop.clickbank.net/<varies>
hop.clickbank.net has IP-address: Also I found a prefix in
front of .hop.clickbank.net, but any prefix refers
to the same IP-address.
However these URLs also are referrals to:
http://www.registrycleaner32.com with IP-address
http://winregcleaner.com with IP-address
http://www.myspywarecleaner.com with IP-address

The IP-addresses for the URL's in the Windows Message all belong to the ISP 
Internap Network Services and the company
CustName:   Dotster.com
Address:    11807 NE 99th Street, Suite 1100
City:       Vancouver
StateProv:  WA

The hop.clickbank.net (domain) is owned by
   Click Sales, Inc. (CLICKBANK-NET-DOM)
   Domain Administrator
   915 W. Jefferson Street
   Boise, ID 83702
IP-address is owned by:
OrgName:    COLOC8 INC.
OrgID:      COLOC-2
Address:    Administrative Offices
Address:    917 Lusk Street, 3rd Floor
City:       Boise

The last 3 IP-addresses all have different owners. Only one is
also owned by the ISP Internap Network Services, but the owner is
CustName:   eNom
Address:    16771 NE 80th Street
City:       Redmond
StateProv:  WA


Beelaerts ICT Consultancy
