Wednesday, April 26, 2006

 Question from bigmoney

 Question from bigmoney
Item: (6852613597)
This message was sent while the listing was active.
bigmoney is a potential buyer.
What is the last price for this Item?

Respond to this question in My Messages.
Respond Now

Item Details
Item number: 6852613597
End date: Mar-01-06 18:33:23 PST
View item description:
Thank you for using eBay!


IP is decimal 1088880691.

IP address:
Reverse DNS: [No reverse DNS entry per]
Reverse DNS authenticity: [Unknown]
ASN: 577
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): CA [Canada]
Country Currency: CAD [Canada Dollars]
Country IP Range: to
Country fraud profile: Normal
City (per outside source): Toronto, Ontario

That's a BellCanada IP block:
Bell Canada BELLCANADA-5 (NET-64-228-0-0-1) -
Bell Nexxia (HSE) NEXXIAJ10-CA (NET-64-231-0-0-1) -
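The "IP is decimal 1088880691" line above is the phishing link's host written as a single 32-bit integer, a form browsers accept and silently turn back into a dotted-quad address (1088880691 decodes to 64.231.0.51, which is why the ARIN blocks above match). The following Python is an added example, not code from the original post: it normalizes the decimal, hex, octal and short dotted host forms the way the classic inet_aton() does, and checks the result against the Bell Canada / Bell Nexxia blocks. The page shows only the network starts, so the /14 and /16 prefix lengths are assumptions for illustration.

```python
import ipaddress

# The page's own value: the phishing link's host as a bare decimal integer.
DECIMAL_IP = 1088880691

# Bell blocks named in the ARIN output on the page. The page gives only the
# network starts, so the prefix lengths are assumed for this example.
BELL_BLOCKS = [
    ipaddress.ip_network("64.228.0.0/14"),  # BELLCANADA-5 (assumed /14)
    ipaddress.ip_network("64.231.0.0/16"),  # NEXXIAJ10-CA (assumed /16)
]


def _parse_part(part: str) -> int:
    """Parse one host component using inet_aton() rules: 0x prefix is hex,
    a leading zero is octal, anything else is decimal."""
    if not part:
        raise ValueError("empty host component")
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def parse_host(host: str) -> str:
    """Normalize an obfuscated IPv4 host to dotted-quad form.

    Accepts 1 to 4 dot-separated components. All but the last must fit in a
    byte; the last component fills the remaining low bytes, so "64.15138867"
    and "1088880691" both mean 64.231.0.51.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("too many components")
    nums = [_parse_part(p) for p in parts]
    head, last = nums[:-1], nums[-1]
    if any(n > 0xFF for n in head):
        raise ValueError("component exceeds one byte")
    tail_bits = 8 * (5 - len(parts))  # bits the last component covers
    if last >= 1 << tail_bits:
        raise ValueError("last component out of range")
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << tail_bits) | last
    return str(ipaddress.IPv4Address(value))


def ipv4_to_decimal(dotted: str) -> int:
    """Inverse operation: the decimal form a phisher would put in a URL."""
    return int(ipaddress.IPv4Address(dotted))


def in_bell_block(dotted: str) -> bool:
    """True if the address falls inside one of the (assumed) Bell blocks."""
    addr = ipaddress.ip_address(dotted)
    return any(addr in net for net in BELL_BLOCKS)


if __name__ == "__main__":
    # Constructed sample of equivalent obfuscations of the page's host.
    for sample in ["1088880691", "0x40E70033", "64.15138867", "0100.0347.0.063"]:
        decoded = parse_host(sample)
        print(f"{sample:>16} -> {decoded}  bell={in_bell_block(decoded)}")
    print("round trip:", ipv4_to_decimal(parse_host(str(DECIMAL_IP))))
```

Every sample above resolves to the same host, which is the point of the trick: a URL filter or a victim comparing the link to a known bad address will only catch the dotted form unless it normalizes first.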

No WHOIS records exist for this IP, and there was no reverse DNS information I could glean.
It is probably a personal computer that has been hacked, and is under someone else's control.

Time for us to take a collection and buy this poor sucker a firewall. Any donations?

Here is a port scan. Our scammer box is infected with the W32.MyDoom virus, like many other hosts.

This is probably the vector for the exploit. I see this on lots of other targets.
I suspect that may be the port that receives control messages.
Also it's running the Half-Life engine (port 27015)! Lots of other exploited servers are as well.
The HTTP daemon is Apache and returns the ID Celestix celnx. Hmmm, who could that be I wonder?

Whatever, let's take them down. I called up the site and pasted the URL in. Nothing happened!
Whatever this one is doing, nothing shows up in the username/password box.
He may be actively blocking, because that will poison their list of victims.

Let's see if I can email the ISP and have this box shut down.
