Monday, 20 October 2014

beeg.com hacked (again)

Earlier this year I looked at a hack attack on popular porn site beeg.com (Alexa rank 429) which appeared to have something to do with a fake advertising agency that had bought ad space.

Well, it appears that beeg.com has been hacked again (as of yesterday) [1] [2] [3] and has been serving up an exploit kit (which appears to have been cleaned up now).

What's interesting about this attack is the domains in use, all using .CF (Central African Republic), .GA (Gabon) and .ML (Mali), plus the more commonly abused .TK and .UNI.ME. The domains detected are listed at the end of this post, but they all appear to be dead now.

All the domains in question use nameservers under the domain rezupsell.com, which has an anonymous registration but itself uses reg3.ru nameservers, which perhaps gives a clue as to the general origins of this attack.

The malicious hosts were on the following IPs, which might be worth blocking:

192.208.185.103 (Continuum Data Centers, US)
64.187.224.62 (Microglobe LLC, US)
64.251.19.156 (Infolink / Serverpronto, US)


The domains that seem to be associated with this attack are as follows:

Friday, 21 March 2014

Porn site beeg.com hacked, aadserver.com and malware sites to block

The folks at Malwarebytes posted an excellent and interesting blog entry on the hack of porn site beeg.com. The technical analysis is spot on, but sometimes you need actionable intelligence too.

Let's rush towards the climax of the infection chain for a moment. Malwarebytes identify a couple of malicious domains, both hosted on 92.63.109.45 (TheFirst-RU, Russia).

mdquhrp.clark4houk.eu
ipquqoh.lapierre3dudley.eu

Source: Malwarebytes blog
That IP actually hosts a lot more bad domains, all of which have been recently registered with hidden details:


But how did visitors get delivered to the payload site in the first place? The previous step in the Malwarebytes chain was a site called miofitching3.com on 217.174.108.33 (Domishko Hosting, Russia). A look at the sites recently hosted on that IP shows the following:

aadserver.com
miofetcher1.com
miofitching3.com
miofleiming1.com
miofleiming2.com
miofleiming3.com
miofleiming4.com
miofleiming5.com
miofleiming6.com

One of these things is not like the others. Yes, aadserver.com doesn't match, but the name makes it sound like an advertising network. The domain has hidden WHOIS details and was only registered on 13th February.

A look around the aadserver.com site shows something that looks slick.

It looks slick, but the spelling is terrible and some of the body text has been copied from Wikipedia, even including a [citation needed] tag. The email contact details are all free webmail providers, and despite promoting itself as an "Australian Ad Server" it has a Russian IP address.

It's pretty obvious that aadserver.com is a fake. The Russian IP address (odd for an Australian business), the recent domain registration with hidden WHOIS details, the free webmail addresses and the poor spelling should all have been red flags for an experienced media buyer.

So how did these ads end up on beeg.com? Well, if we go back to the first step in the infection chain, we see a reference to a site called staticloads.com. This has the same WHOIS details as beeg.com, so my best guess is that the owners of beeg.com were contacted by aadserver.com with a proposition to sell advertising, and a lack of expertise led to fake ads being placed on the site.

So, I mentioned actionable intelligence. Apart from making sure that you properly train media buyers in detecting fake ad agencies, I would strongly recommend applying the following blocklist to your networks to stop any more bad ads from these criminals causing problems:


Wednesday, 19 February 2014

Somnath Bharti - porn site operator?

I seem to have written a lot about Somnath Bharti lately, and he's certainly a topic of interest in Indian politics. I'm not going to go on about his links to TopSites LLC (watch the video if you are interested), but I wanted to look at these persistent comments that Somnath Bharti was some sort of porn site operator.

If you want the really short version it's this - I've never seen any evidence that Mr Bharti has owned or operated a porn site. That's it.

But what are the links to porn, and where is there confusion?

allwebhunt.com links to porn and pro-pedophilia sites

It is beyond all reasonable doubt that allwebhunt.com is connected to Somnath Bharti. This was a directory of sites that was rapidly taken offline when the Times of India exposed the connection. Some of the more unsavoury contents of that site included a set of links to pro-pedophilia sites which had been copied from the Open Directory Project (which had deleted them years ago). That's a pretty poor sense of judgement in this case, but in my opinion it is really down to sloppiness rather than actual malice.

But allwebhunt.com also linked to more regular porn sites, including the examples pictured below.

These entries appeared to be paid or sponsored ones, but the sites themselves are not Mr Bharti's and it does amuse me that some of the India news outlets criticising Mr Bharti for this do exactly the same things themselves.

Ultimately, the allwebhunt.com (and its predecessor topsites.us) directories are simply a catalogue of available sites. Some of those links may be questionable, but they do not imply ownership or mean that anything illegal is happening.

Ownership of teens-boy.net

One of the sites that Mr Bharti owned was teens-boy.net, according to historical WHOIS records from 2005:

Domain:        teens-boy.net
Record Date:     2005-01-08
Registrar:     GOTNAMES.CA INC.
Server:     whois.gotnames.ca
Created:     2004-11-26
Updated:    
Expires:     2005-11-26

Domain teens-boy.net

  Date Registered: 2004-11-26
    Date Modified: 2004-11-30
      Expiry Date: 2005-11-26
             DNS1: ns1.www--search.com
             DNS2: ns2.www--search.com

  Registrant

                   My Directory LLC
                   PO Box 7334 - 101591
                   San Francisco, CA (US)
                   94120-73

  Administrative Contact

                   My Directory LLC
                   Somnath Bharti
                   PO Box 7334 - 101591
                   San Francisco
                   CA
                   US
                   94120-73
                   415-462-3044
                   530-504-8433
                   listings@mydir.org

  Technical Contact

                   My Directory LLC
                   Somnath Bharti
                   PO Box 7334 - 101591
                   San Francisco
                   CA
                   US
                   94120-73
                   415-462-3044
                   530-504-8433
                   listings@mydir.org

        Registrar: GotNames.ca

teens-boy.net had been a gay porn site until late 2004, as it appears in the Internet Archive [link is probably not safe for work]. The Internet Archive does not have any of the pictures in this case, but it is clear what the site is about from the text.


It's an odd site for Mr Bharti to have in his name. But what did it actually look like after he bought it? The Internet Archive gives the answer again [this link is OK]. We can see that it just acts as a redirector to dirs.org which is yet another clone of the TopSites directory.

I guess this might have been an attempt at SEO; the domain was bought with a lot of other non-porn domains which also forwarded in this way. As far as I can tell, when the registration was up the domain simply expired at the end of 2005, and it was re-registered by an unrelated party in 2007.

DVLPMNT MARKETING, INC and www-goto.com confusion

Webnewswire.com ran a story looking at the WHOIS details of www-goto.com, a site that had been registered to Mr Bharti in 2005:

Domain:        www-goto.com
Record Date:     2005-05-18
Registrar:     INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Server:     whois.directnic.com
Created:     2004-12-08
Updated:    
Expires:     2005-12-08

Registrant:
 Media  LLC
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Domain Name: WWW-GOTO.COM

Administrative Contact:
 Bharti, Somnath sales@dirs.org
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Technical Contact:
 Bharti, Somnath sales@dirs.org
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Record last updated 05-17-2005 03:09:40 PM
Record expires on 12-08-2005
Record created on 12-08-2004

Domain servers in listed order:
    NS1.WWW-GOTO.COM    202.14.69.2
    NS2.WWW-GOTO.COM    202.14.69.117

They then looked at the current WHOIS details, which are:

Domain:        www-goto.com
Record Date:     2014-02-06
Registrar:     DNC HOLDINGS, INC.
Server:     whois.directnic.com
Created:     2004-12-08
Updated:     2013-06-12
Expires:     2014-12-08 

Domain Name: WWW-GOTO.COM
Registry Domain ID:
Registrar WHOIS Server: whois.directnic.com
Registrar URL: http://www.directnic.com
Updated Date: -001-11-30T00:00:00-06:00
Creation Date: 2004-12-08T11:03:22-06:00
Registrar Registration Expiration Date: 2014-12-08T17:03:22-06:00
Registrar: DNC Holdings, Inc.
Registrar IANA ID: 291
Registrar Abuse Contact Email: abuse@directnic.com
Registrar Abuse Contact Phone: +1.8668569598
Domain Status: ok
Registrant Name: Domain Administrator
Registrant Organization: DVLPMNT MARKETING, INC.
Registrant Street: Hunkins Plaza
Registrant City: Charlestown
Registrant State/Province: Nevis
Registrant Postal Code: NA
Registrant Country: KN
Registrant Phone: 011-869-765-4496
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dvlpmntltd@gmail.com
Admin Name: Domain Administrator
Admin Organization: DVLPMNT MARKETING, INC.
Admin Street: Hunkins Plaza
Admin City: Charlestown
Admin State/Province: Nevis
Admin Postal Code: NA
Admin Country: KN
Admin Phone: 011-869-765-4496
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: dvlpmntltd@gmail.com
Tech Name: Domain Administrator
Tech Organization: DVLPMNT MARKETING, INC.
Tech Street: Hunkins Plaza
Tech City: Charlestown
Tech State/Province: Nevis
Tech Postal Code: NA
Tech Country: KN
Tech Phone: 011-869-765-4496
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: dvlpmntltd@gmail.com
Name Server: NS1.VOODOO.COM
Name Server: NS2.VOODOO.COM
URL of the ICANN WHOIS Data Problem Reporting System
http://wdprs.internic.net

The creation date for the domain is still 2004, so the domain has never dropped and been re-registered; it has been in continual existence since that date. The rather mysterious DVLPMNT MARKETING, INC certainly does seem to be connected with porn domains, but is this company controlled by Mr Bharti? No.

A look at the historical WHOIS details again yields some clues. The domain expired in 2008 and ended up being controlled by the registrar DirectNIC:

Domain:        www-goto.com
Record Date:     2008-12-19
Registrar:     INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Server:     whois.directnic.com
Created:     2004-12-08
Updated:     2008-12-09
Expires:     2009-12-08

Registrant:
 directNIC.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Domain Name: WWW-GOTO.COM

Administrative Contact:
 Domain, Expired expireddomain@directnic.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Technical Contact:
 Domain, Expired expireddomain@directnic.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Record last updated 12-09-2008 06:13:27 PM
Record expires on 12-08-2008
Record created on 12-08-2004

Domain servers in listed order:
    NS0.EXPIREDDOMAINSERVICES.COM    69.46.228.236
    NS1.EXPIREDDOMAINSERVICES.COM    69.46.228.237

DirectNIC reserve the right to auction off expired domains, and the next WHOIS entry sees the domain being controlled by a domain parking company. It is unlikely that Mr Bharti or any of his associates received anything for this domain; it was essentially scrapped.

Is there any other evidence linking Somnath Bharti to porn?

Over the past couple of weeks I have re-examined the TopSites LLC business plus Mr Bharti's own Madgen Solutions from my own records and other public sources. These revealed all sorts of interesting facts and allegations about Mr Bharti's activities, but absolutely nothing that suggests that he owned or operated porn sites.

Of course, perhaps there is evidence that I am not aware of, but I would be very surprised if there is. You can always send me an email if you have anything that will prove me wrong.


Tuesday, 10 September 2013

Are top porn sites still riddled with malware?

Back in April I wrote an article about how several top porn sites were having issues with malware. An apparent infection at xvideos.com (link is a little NSFW) led me to look at the Google malware results for the past 90 days again.

I started with a list of sites in the top 1000 sites globally according to data at Alexa.com (a few have dropped out of the top 1000 since I collated the data set) and also used the Alexa data to work out the average number of daily pageviews per user. The next step was to look at Google's data on the number of infected pages and the total number of pages on the site, noting the date of the last infection. From that I could work out an "infection likelihood", which is the probability of an average visitor coming into contact with malware during the period the site was infected.

What was surprising was just how clean these sites are looking (well, from a malware perspective). Last time some of the biggest sites had hundreds of pages infected, and now they appear to have virtually none. I've highlighted everything above 1% in red, but note that the "riskiest" site (largeporntube.com) has been clean for a couple of months.
 
The results of my analysis are as follows:


Rank  Domain                 Pageviews/User  Total pages  Infected  Date        Infection rate  Infection likelihood
38    xvideos.com            11.7            89427        0         -           0.00%           0.00%
51    xhamster.com           10              11356        1         2013-07-01  0.01%           0.09%
66    pornhub.com            5.6             6235         0         -           0.00%           0.00%
88    xnxx.com               9.5             26082        0         -           0.00%           0.00%
95    redtube.com            5               9189         0         -           0.00%           0.00%
99    youporn.com            5.6             1675         0         -           0.00%           0.00%
103   livejasmin.com         2.4             502          0         -           0.00%           0.00%
162   tube8.com              3.9             12697        0         -           0.00%           0.00%
169   youjizz.com            4.7             1385         0         -           0.00%           0.00%
227   hardsextube.com        3.3             71817        0         -           0.00%           0.00%
268   dmm.co.jp              9.2             1245         0         -           0.00%           0.00%
275   beeg.com               4.9             873          0         -           0.00%           0.00%
326   motherless.com         14.8            3196         4         2013-06-24  0.13%           1.84%
393   drtuber.com            2.8             1420         0         -           0.00%           0.00%
438   myfreecams.com         4               148          0         -           0.00%           0.00%
453   cam4.com               6.3             889          0         -           0.00%           0.00%
462   adultfriendfinder.com  7.8             241          0         -           0.00%           0.00%
464   bravotube.net          2.6             1098         0         -           0.00%           0.00%
502   ixxx.com               3.4             438          5         2013-09-05  1.14%           3.83%
528   chaturbate.com         14.7            2725         0         -           0.00%           0.00%
578   nuvid.com              2.8             884          0         -           0.00%           0.00%
588   spankwire.com          3.3             1182         0         -           0.00%           0.00%
591   porntube.com           2.9             734          0         -           0.00%           0.00%
595   pornerbros.com         1.9             946          1         -           0.11%           0.20%
607   largeporntube.com      3.2             5750         160       2013-07-20  2.78%           8.63%
676   yourlust.com           2.7             1224         0         -           0.00%           0.00%
697   4tube.com              4.3             1337         0         -           0.00%           0.00%
699   keezmovies.com         3               669          0         -           0.00%           0.00%
707   pornhublive.com        2.3             30           0         -           0.00%           0.00%
768   xhamstercams.com       1.8             5            0         -           0.00%           0.00%
780   h2porn.com             1.8             2193         1         -           0.05%           0.08%
800   4chan.org              26.7            218          0         -           0.00%           0.00%
804   video-one.com          13.7            1143         0         -           0.00%           0.00%
825   xtube.com              12.1            805          0         -           0.00%           0.00%
830   sunporno.com           2.7             360          0         -           0.00%           0.00%
848   porn.com               4               1281         0         -           0.00%           0.00%
864   perfectgirls.net       5.4             1958         5         2013-09-05  0.26%           1.37%
883   nudevista.com          8.7             2088         1         2013-08-03  0.05%           0.42%
931   redtubelive.com        2.8             33           0         -           0.00%           0.00%
942   alphaporno.com         1.9             10472        32        2013-07-21  0.31%           0.58%
1065  videosexarchive.com    3.8             5183         0         -           0.00%           0.00%
1238  hellporno.com          3               331          0         -           0.00%           0.00%
1382  watchmygf.com          1.3             11           0         -           0.00%           0.00%
1806  ah-me.com              2.7             235          0         -           0.00%           0.00%
  
So, what is going on? Have these sites cleaned up their act? Well, it certainly looks like there has been an improvement (despite the reported infection at xvideos.com above). 

Over 46,000 people looked at my previous blog post on the topic, and it was covered by some major news outlets [1] [2] [3] [4] [5]. Reaction was varied, and many porn site operators flatly denied the problem despite the Google statistics indicating otherwise.

So perhaps shining a light on the problem helped to clean it up. Perhaps the spike in malware was a temporary glitch. Perhaps the malware operators are better at hiding what they are doing. I suspect that it is a combination of all three.


Despite the apparent cleanup of these sites, my advice is that you still need to exercise caution. It is very important to make sure that your system is fully patched (you can use Secunia OSI to check if you have a Windows PC), and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware, and of course a good and up-to-date anti-virus or security package is essential. In addition, Google's Chrome browser is pretty good at picking up malicious sites, and the most dangerous browser to use tends to be Internet Explorer. And if you have Sun's Java platform installed on your system I would strongly recommend that you remove it, as that is currently the most popular way of getting your machine infected.