nanog mailing list archives

Re: Wired mag article on spammers playing traceroute games with trojaned boxes


From: "John Neiberger" <john.neiberger () efirstbank com>
Date: Thu, 09 Oct 2003 13:42:57 -0600



Actually, in the case of the wired article (removeform.com), it seems
to be connected to a site in Florida.  I asked my programmer
(gabor () sentex net) to decode the obfuscated java script/page that is
served up by one of the zombies (On FreeBSD
fetch -B 18192 -o danger.html http://www.removeform.com/d - I got it
from 207.5.215.72 at the time).  I have attached it as a zip file with
its contents. You will note that the form post goes back to

form action="http://207.36.47.68/cgi-bin/addinfo.cgi";


OrgName:    CyberGate, Inc.
OrgID:      CYBG
Address:    3250 W. Commercial Blvd. Suite 200
City:       Ft. Lauderdale
StateProv:  FL
PostalCode: 33309
Country:    US

This appears to be a rather prolific spammer. At first I thought they
were affiliated with www.skynetweb.com because they have the same
address, including suite number, but it now appears that they are really
affiliated with these guys:

http://www.affinity.com/about/our_team/our_team.htm 

John
--

