
priority estdomains domain suspension requests


101 replies to this topic

#41 Suzi


Posted 11 September 2008 - 09:31 PM

[quote name='estMate' post='27511' date='Sep 11 2008, 02:07 AM']hedgehog: These domains have been suspended, thank you

Suzi: We've suspended vids365.com. As for the false whois information - we don't allow this and even if there wasn't any Zlob on this domain name it'd be suspended after the investigation.
In case there really was some identity theft, we'll definitely deal with this. Please give me all information you have regarding the issue, why do you think that there was any identity theft, and we'll investigate this.
http://sunbeltblog.b...-update_10.html all domains were already suspended[/quote]

Regarding domains registered with stolen IDs, I have not contacted these people to confirm this, although I know someone who often does that. But, using some common sense, think about it: a domain serving rogue AV or malware, on an IP address with a number of other domains serving malware, and the other domains are registered to individuals in RU, Estonia, or CN, etc.; then you have one or two registered to someone like a "John Jones at 123 Main St., Smalltown, USA" -- it's not likely that John Jones *really* registered that domain. In every similar case I'm aware of, when the registrant was called, they were confirmed to be ID theft victims.

Regarding false whois information, I used to report such domains with obviously false info here:
http://wdprs.internic.net/
In every case when the registrar was Estdomains, reporting it had no effect. So I gave up. I have not reported any there recently because in the past nothing was done.

Here is another domain being used to serve malware:
updatepanel.us/ctl/crfiles/tdssadw
updatepanel.us/ctl/crfiles/tdssl
updatepanel.us/ctl/crfiles/tdsslog
updatepanel.us/ctl/crfiles/tdssmain
updatepanel.us/ctl/crfiles/tdsspopup
updatepanel.us/ctl/crfiles/tdssserv
etc.
tdssserv is part of a nasty rootkit that makes many severe changes to the infected computer.

http://whois.domaint.../updatepanel.us <--- note the registrant information -- possibly another ID theft victim, unless it's false info.
Suzi

Microsoft MVP Windows Security 2005 - 2009

#42 Suzi


Posted 11 September 2008 - 09:54 PM

Another one.
http://whois.domaint...stlistrated.net <--- TrojanDropper:Win32/Agent.UM

There are 8 other domains on the IP (Layered Tech), not all registered with Estdomains, but these are:
Besttrackday.net
fasttracklink.net
freetrackonline.net
supertrackday.net
thetrackstar.net

This is an example of what researchers see. We find one malware site, and on the IP are a bunch of others. It never ends.
Suzi

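The pivot Suzi describes in the two posts above (one confirmed malware domain, then the other domains on the same IP, then the registrar and registrant pattern) as a small triage script. This is an added example, not code from the thread or from any of its participants; the records, domain names, IPs and the registrar string are constructed placeholders, and the "lone registrant country in an otherwise single-country cluster" rule is a simplified stand-in for the judgement call she makes by hand.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Record(NamedTuple):
    domain: str
    ip: str         # hosting IP the domain resolves to
    registrar: str
    country: str    # registrant country from whois
    malware: bool   # confirmed serving malware / rogue AV


# Constructed sample records (hypothetical names and IPs, not from the thread).
RECORDS = [
    Record("rogue-av.example",   "203.0.113.10", "EstDomains",     "RU", True),
    Record("codec-pack.example", "203.0.113.10", "EstDomains",     "RU", False),
    Record("tracklink.example",  "203.0.113.10", "EstDomains",     "RU", False),
    Record("john-jones.example", "203.0.113.10", "EstDomains",     "US", False),
    Record("neighbour.example",  "203.0.113.10", "OtherRegistrar", "RU", False),
    Record("benign.example",     "198.51.100.7", "OtherRegistrar", "DE", False),
]


def cluster_by_ip(records):
    """Group records by hosting IP: the pivot from one bad domain to the
    others sitting on the same server."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec.ip].append(rec)
    return by_ip


def triage(records, registrar="EstDomains"):
    """Return (to_report, suspect_id_theft), both sorted lists of domains.

    to_report: every domain co-hosted with a confirmed malware domain and
    registered through `registrar`, i.e. the list one would send them.
    suspect_id_theft: domains whose registrant country is the lone
    exception in a cluster otherwise registered from one country, the
    pattern described for stolen-identity registrations. A lead for a
    call to the registrant, not proof."""
    to_report, suspect = [], []
    for group in cluster_by_ip(records).values():
        if not any(r.malware for r in group):
            continue  # nothing confirmed bad on this IP, nothing to pivot from
        to_report += [r.domain for r in group if r.registrar == registrar]
        top_country, top_n = Counter(r.country for r in group).most_common(1)[0]
        if len(group) >= 3 and top_n * 3 >= len(group) * 2:  # clear majority
            suspect += [r.domain for r in group if r.country != top_country]
    return sorted(to_report), sorted(suspect)
```

Swap `RECORDS` for the output of a passive-DNS and whois lookup to use it on real data; the ID-theft rule only narrows down whom to phone, it does not replace the call.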

#43 Suzi


Posted 12 September 2008 - 12:43 AM

Well, imagine this. Yet another rogue/scam site from Estdomains, just registered Sept. 11, 2008.

http://whois.domaint...ilyhomesite.com

Found on the Sunbelt blog.

http://sunbeltblog.b...-update-ii.html

There are probably more from the list, but I don't have time to check them.

This leads to another question. estMate, I appreciate what you are trying to do here, but it's really not the security researchers' job to monitor your domain registrations and report them. I'd like to know what Estdomains is doing to check for them yourselves, and stop new ones from being registered.

By now, you should know who your customers are, and know the ones who are registering domains for the purpose of spreading malware and running scam sites. So what is the plan to stop this? The domains reported here are merely the tip of the iceberg. We know that, and you should know that.

Thank you.
Suzi


#44 Jaxryley


Posted 12 September 2008 - 01:43 AM

Antivirus 2009 Protection:

hxxp://googlescanners-360.com/

Domain Name: googlescanners-360.com

Status: ok

Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Referral URL: http://www.webnames.ru

Expiration Date: 2009-09-05
Creation Date: 2008-09-05
Last Update Date: 2008-09-05

Name Servers:
ns1.nameself.com
ns2.nameself.com

#45 estMate


Posted 12 September 2008 - 04:25 AM

googlescanners-360.com isn't registered with us. As for the other domains, the ones which were registered through us have been suspended. Regarding our preventive measures, the fact that you don't see them doesn't mean there aren't any. Yes, we don't write about them, but in most cases we suspend whole accounts with problematic domains and look for connections to other accounts, etc. During the last week we've suspended over 15000 different domains.

#46 hedgehog


Posted 12 September 2008 - 08:00 AM

EstMate, a few more domains for you:
best3xvideo.com
fullhd-videos.com
clipdwnld.com (http://www.clipdwnld...=4136&n=blowjob)
how-to-tie-shoe-laces.com (how-to-tie-shoe-laces.com/tds/out.php?s_id=2)
tube28.net (tube28.net/load.php?aff=5006&/HDVideoCodec_ver1.5006.0.exe)
pornotube30.net

#47 estMate


Posted 12 September 2008 - 08:30 AM


Suspended

#48 Guest_remixed_*


Posted 12 September 2008 - 03:58 PM

http://www.malwareby...?showtopic=6265
re. hxxp://updateserver6.com/firstrun.php?product=AV9
Still live!

#49 Tigger93


Posted 13 September 2008 - 09:05 AM

Nevermind, got suspended.

#50 hedgehog


Posted 15 September 2008 - 03:34 AM

they keep coming:

#51 hedgehog


Posted 15 September 2008 - 04:12 AM

Cleanthe.net reports that online-av-scan.com spreads malware and that these domains are on the same IP:

I've removed the ones that were already suspended or registered through a different registrar.

#52 hedgehog


Posted 15 September 2008 - 05:25 AM

A few more:
Bestpornox.com
yourlizsite.com
Youjizzsite.com

#53 estMate


Posted 15 September 2008 - 08:06 AM

All suspended. Thank you, hedgehog.

P.S. I will be away from my desk for a couple of days. If you have anything to report, kindly raise a support ticket.

#54 hedgehog


Posted 16 September 2008 - 03:41 AM

Ok, thanks estMate..

I've submitted these through https://support.estdomains.com/:

ticketblack.com (http://ticketblack.c...etblack2006.exe)
virtualceck.com (virtualceck.com/in.cgi?pipka)
superceck.com (http://superceck.com...MShiM/index.php)
Nowmoviez.net (http://www.nowmoviez.../free_sex_video)
win-antivirus-2008.com

#55 cryptodan


Posted 16 September 2008 - 10:13 AM

I'd like to say thank you for suspending the offensive domains for the community, and making the internet a much safer place.

#56 hedgehog


Posted 17 September 2008 - 04:29 AM

The domains I reported yesterday are now suspended, thanks Estdomains.

But there always seem to be more of them; here are a few more that I've discovered today and reported to support.estdomains.com:
Antispywareprotect.com
Antivirus2008a.com
Free-virus-check.com
Maxspywareprotect.com
Pcantivirus2008.com
Vip-antivirus.com

#57 hedgehog


Posted 17 September 2008 - 06:57 AM

I've submitted these too, to support.estdomains.com today:

#58 hedgehog


Posted 17 September 2008 - 10:07 AM

EstMate, perhaps you should have a look at this blog post:
http://msmvps.com/bl...17/1648037.aspx

#59 Jahewi


Posted 17 September 2008 - 08:14 PM

I have submitted the following site:
hxxp://www.freesexxxx4u.com/

It's one of the download sites for fake codecs (which of course, in turn, install Zlob :lol:)

More to come soon :angry:

Edited by JeanInMontana, 17 September 2008 - 09:14 PM.
Mung link


#60 hedgehog


Posted 18 September 2008 - 03:02 AM

I've submitted these so far today:



