I've sent a takedown request to req.ru for gigpornoforfree.ru. Let's bring this malware gang on its knees, I am tired of seeing WinLock.
A forum for reverse engineering, OS internals and malware analysis
Forget about reg.ru. They point to exetel.de as hosting provider.
Ring0 - the source of inspiration
EP_X0FF wrote:Forget about reg.ru. They point to exetel.de as hosting provider.So the domains are registered with reg.ru, and the hosting is being delivered by exetel.de?
nickvth2009 wrote:EP_X0FF wrote:Forget about reg.ru. They point to exetel.de as hosting provider.So the domains are registered with reg.ru, and the hosting is being delivered by exetel.de?
Code: Select all
DNS servers
ns1.reg.ru
ns2.reg.ru
Answer records
gigpornoforfree.ru A 46.251.237.240 86400s
gigpornoforfree.ru NS ns1.reg.ru 86400s
gigpornoforfree.ru SOA
server: ns1.reg.ru
email: hostmaster@ns1.reg.ru
serial: 1310913829
refresh: 14400
retry: 3600
expire: 604800
minimum ttl: 43200
86400s
gigpornoforfree.ru NS ns2.reg.ru 86400s
domain: GIGPORNOFORFREE.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
e-mail: abatinsan@gmail.com
registrar: REGRU-REG-RIPN
created: 2011.07.17
paid-till: 2012.07.17
source: TCI
Last updated on 2011.07.18 16:30:46 MSK/MSD
Network IP address lookup:
Whois query for 46.251.237.240...
NetRange: 46.0.0.0 - 46.255.255.255
CIDR: 46.0.0.0/8
OriginAS:
NetName: 46-RIPE
NetHandle: NET-46-0-0-0-0
Parent:
NetType: Allocated to RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2009-09-29
Updated: 2009-09-30
Ref: http://whois.arin.net/rest/net/NET-46-0-0-0-0
OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2011-03-15
Ref: http://whois.arin.net/rest/org/RIPE
ReferralServer: whois://whois.ripe.net:43
OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef: http://whois.arin.net/rest/poc/RNO29-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
Results returned from whois.ripe.net:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Information related to '46.251.237.0 - 46.251.237.255'
inetnum: 46.251.237.0 - 46.251.237.255
netname: EXETEL-DE
descr: EXETEL ISP
country: DE
admin-c: TJ1504-RIPE
tech-c: TJ1504-RIPE
status: ASSIGNED PA
mnt-by: MNT-WHITE
mnt-lower: MNT-WHITE
mnt-routes: MNT-WHITE
changed: medler@optimate-server.de 20110321
source: RIPE
person: Tim Joe
address: Krantzstr 7
address: DE-52070 Aachen
phone: +49 2415380891
mnt-by: MNT-WHITE
e-mail: abuse@exetel.de
nic-hdl: TJ1504-RIPE
changed: medler@optimate-server.de 20110122
source: RIPE
% Information related to '46.251.224.0/20AS197043'
route: 46.251.224.0/20
descr: Webtraffic
origin: AS197043
mnt-by: MNT-WHITE
changed: medler@optimate-server.de 20100429
source: RIPERing0 - the source of inspiration
Weird, when I did WHOIS for that domain I didn't get to see the abuse address of exetel.de, nor it gave me the name of the hoster. Anyway, I am sending a takedown request now. Thanks for the help. ;)
l33t h3ck3rz t3@m will lock the world (shot of WINAD development process - guy at the left packing new locker with Mystic ****, nb 2 generates random domains, l33t h3ck3r at the right connects to server via mice 4 uploading)
:D:D
:D:D
Last edited by EP_X0FF on Thu Jul 21, 2011 4:19 pm, edited 1 time in total.
Reason: Edited, see forum rules #7
@kmd
Common, I hope WinAD guys has a lot of pain in their asses right now :) And BTW
http://www.kernelmode.info/forum/viewtopic.php?f=8&t=16
Common, I hope WinAD guys has a lot of pain in their asses right now :) And BTW
http://www.kernelmode.info/forum/viewtopic.php?f=8&t=16
7. Please don't use inappropriate language on the forums.Your post has been edited.
Ring0 - the source of inspiration
Yep.
The up stream provider Optimate-Server blocked this bulletproof malware host.
I just got confirmation from cleanmx who did a great job :)
The up stream provider Optimate-Server blocked this bulletproof malware host.
I just got confirmation from cleanmx who did a great job :)
Ring0 - the source of inspiration
New URL:
add:
hxxp://pornoarchivesexgood.ru/1/video/porno-rolik1.avi.exeIP: 31.214.145.191
hxxp://pornoarchivesexgood.ru/2/video/porno-rolik2.avi.exe
hxxp://pornoarchivesexgood.ru/3/video/porno-rolik3.avi.exe
hxxp://pornoarchivesexgood.ru/4/video/porno-rolik4.avi.exe
hxxp://pornoarchivesexgood.ru/6/video/porno-rolik6.avi.exe
hxxp://pornoarchivesexgood.ru/7/video/porno-rolik7.avi.exe
hxxp://pornoarchivesexgood.ru/8/video/porno-rolik8.avi.exe
hxxp://pornoarchivesexgood.ru/9/video/porno-rolik9.avi.exe
hxxp://pornoarchivesexgood.ru/10/video/porno-rolik10.avi.exe
add:
hxxp://sexlifeclubxxx.ru/1/video/porno-rolik1.avi.exe
hxxp://sexlifeclubxxx.ru/2/video/porno-rolik2.avi.exe
hxxp://sexlifeclubxxx.ru/3/video/porno-rolik3.avi.exe
hxxp://sexlifeclubxxx.ru/4/video/porno-rolik4.avi.exe
hxxp://sexlifeclubxxx.ru/6/video/porno-rolik6.avi.exe
hxxp://sexlifeclubxxx.ru/7/video/porno-rolik7.avi.exe
hxxp://sexlifeclubxxx.ru/8/video/porno-rolik8.avi.exe
hxxp://sexlifeclubxxx.ru/9/video/porno-rolik9.avi.exe
hxxp://sexlifeclubxxx.ru/10/video/porno-rolik10.avi.exe
Last edited by GMax on Thu Jul 21, 2011 7:19 pm, edited 2 times in total.
Yes I see and can access. Well, everything is far from the end :) Thanks for information.
update: seems all binaries except first are inaccessible for me, at current time.
update: seems all binaries except first are inaccessible for me, at current time.
Last edited by EP_X0FF on Thu Jul 21, 2011 6:02 pm, edited 1 time in total.
Reason: see update
Ring0 - the source of inspiration