Wednesday, 30 December 2009

... When it's an exploit of course! This URL (vURL results, PDF); nit99.biz/myy/viewtopic.php?s=bec8f62472 wants us to believe it's a forum, that's going to let us view the respective topic associated with the ID in the s= variable. Alas however, it's neither a valid ID, nor a forum at all. What you'll actually get, is a whole host of badness battered down the pipes onto your poor machine. And what

Sunday, 27 December 2009

The topic today is blackhat SEO, fake AVs and phishing. The culprit responsible for this boatload of maliciousness, is Eveloz (AS27716). Eveloz has 3 upstream providers, namely: AS11556 PA-CAPA2-LACNIC Cable-Wireless Panama; AS14551 ALTERNET-SA-AS UUNET Technologies; AS23520 NEWWORLDNETWORK New World Network USA, Inc. Eveloz is also directly related to Panamaservers.com, an ISP with a history of
Just a note folks, I treated myself to a new Netgear WNR2000 N Router today (would've loved the MaxRange N router but couldn't afford it), which means the network will be unavailable later tonight, to allow for the current routers being replaced. I'm planning on doing the replacement at approx midnight tonight (GMT), and it shouldn't take more than 15 mins or so (allows for disconnection, connection

Wednesday, 23 December 2009

I received an e-mail from a friend earlier, alerting me to possible malicious content over on Twitter (surprise surprise), and what I found actually did surprise me for a change. This spam run didn't lead to a worm, trojan, virus or other infection - but to an IAC website, webfetti.com. One thing they all have in common, aside from the IAC connection? Well, that would be Twivert. A site that
Those of you reading this blog for any length of time, or specializing in the documentation of malicious domains, will no doubt already be aware of RapidSwitch's history, but here's a little refresher for you; 242 reasons to avoid 78.129.142.9 (RapidSwitch - AS29131) http://hphosts.blogspot.com/2008/09/242-reasons-to-avoid-781291429.html RapidSwitch customers still involved in SMS Fraud ...... http:/

Tuesday, 22 December 2009

After announcing to the world + dog, that they are offering their own version of OpenDNS, you'd have thought that meant they'd finally gotten serious about security (I know, I'm laughing at the thought too), but nope, Google's results are STILL littered with malicious content that will drive your PC into a frenzy, and drive you to a level of frustration you've never seen. As a quick example, I've
hpHosts has been and continues to be, an excellent project that I love being a part of, and although I'm glad that others find it useful, there's a certain segment that I would like to address. Given I don't know who these particular people are, I evidently can't contact them any other way, so figured a blog post would be best. Those I am referring to, are those "reviewing" and commenting on sites
This is indeed fantastic news, and a great present to Anderson, the Avant Force Team, the users that have supported Avant and Orca, and all of us lowly forum staff! As some of you may have heard the EU’s European Commission has forced Microsoft to include a ballot screen on all Windows computers running either Windows XP, Vista, or 7, you will get it through an update on Windows Update. This ballot

Saturday, 19 December 2009

PDF exploits—mostly targeting Adobe Reader and Acrobat programs—are very commonly used on drive-by web sites. This situation is probably the result of the widespread use of the Adobe plugin, a rather large number of vulnerabilities found in it, and reliable exploitation techniques. Two recent vulnerabilities for which I have added detection in Wepawet are CVE-2009-3459 and CVE-2009-4324 (click
Remember this and this? Well, it would appear they've had a change of heart, instead of suing me, the MD of the company, David Jones, has decided an apology is a better idea. I actually meant to post an update regarding this, a few days ago when the MD sent me the link, but I've been very sidetracked with work and things, and forgot about it. Their blog doesn't mention Mr Mark Jones by name,

Friday, 18 December 2009

Many said Zango were dead, but myself and several others, have never considered them "dead", mainly because evidence was available to the contrary, but anyway, that's another story. I regularly check up on Google results for hpHosts as it's always proven useful in finding new malicious URLs (quite why is a mystery, but it's convenient nonetheless). Yesterday however, I stumbled on a couple of
Just an update folks. I'm happy to announce, after fighting with PHP for several hours (gave up, got some work done, then went to sleep), and then again for a couple hours this afternoon, the hpHosts forums and fSpamlist blog are back online. Annoyingly, in the end I had to completely rip PHP out of the server, and install an older version (i.e. the one that was working just fine and dandy until

Thursday, 17 December 2009

PHP released a new version earlier, and I thought I'd get the servers updated. Installing the new version on my development machine produced no problems, so I installed it on all of the servers that required it. All except the server that houses the hpHosts forums and fSpamlist blog, have taken to the new PHP release without issue. I've already tried rolling back to the prior version that was

Wednesday, 16 December 2009

I'm happy to announce, Josh Kirkwood has just informed me that he's been successful in getting Spamhaus to SBL Riccom! http://www.spamhaus.org/sbl/sbl.lasso?query=SBL82098 As of a check a couple mins ago, Riccom are still showing as unannounced, which means great news - they're still stranded! http://smakd.potaroo.net/cgi-bin/per-prefix?prefix=91.212.107.0%2F24 http://cidr-report.org/cgi-bin/

Tuesday, 15 December 2009

Just an update on the Cloudeight/Thundercloud issue folks. At the time of writing this, they've STILL not responded to my e-mail (asking them to what domain they were referring etc). http://hphosts.blogspot.com/2009/12/cloudeight-ever-hear-of-e-mail.html http://hphosts.blogspot.com/2009/12/thundercloudnetcloudeight-here-we-go.html A friend sent me a few of their newsletters, but I've not yet
I'm happy to announce, I woke up to a rather surprising e-mail today, from a Josh Kirkwood over at EuroConnex/BlueConnex. He informed me, because of this, they've booted Riccom, leaving them stranded. Hello I have read your article about us (/2009/12/blueconnexeuroconnex-as29550-riccom-ltd.html) Firstly thanks for making such a concise list of the badness contained in that riccom /24 it was real

Monday, 14 December 2009

Well, I'm back home for an hour (got the doctors in just over an hour too), so I've pulled the hpHosts server offline, replaced the PSU, replaced the CPU coolant, and am now defragging the data drive (the one with the hpHosts site files). The system drive was defragged overnight, so if performance doesn't improve, I'm going to have to look at other options (it still needs converted over to SQL

Sunday, 13 December 2009

The hpHosts server seems to be running a lot slower than usual lately, and annoyingly, has been getting progressively worse over the past few weeks. I suspect it's due to a traffic overload, but am going to check the hardware in it as soon as I get back (I'm expecting to be back within approx 13 hours or so). The server has just been rebooted, but it's only gained a minor increase, and as such,

Friday, 11 December 2009

I was trying to access the Avant Browser forums earlier, and wondered why I couldn't. FTP wouldn't connect, nor would HTTP, so I tried via Web-Sniffer, to rule out a problem at this end, and nope, nothing there either. I then tried to phone HopOne, and was told I was in the position 3 of the queue, and would be speaking to someone in "2 minutes", but could check on their network status at

Thursday, 10 December 2009

Dear BlueConnex/EuroConnex, I wonder if you'd mind explaining to the ladies and gents of the internet, why you have STILL not booted Riccom? Why you continue providing connectivity for them, despite there not being a single legit domain within their IP range! BlueConnex/EuroConnex's still providing connectivity is the reason they got a mention in the crimeware friendly ISP's listings, and sadly,

Tuesday, 8 December 2009

Great News, my favourite RSS reader for the past few years, is going open source folks! I have to say I haven’t spent a lot of time on GreatNews lately. Save the usual excuses, the most important thing is how to keep GreatNews updated regularly. I’m considering what’s the best way to release GreatNews source code. Most of the code base are safe to open, but there are small amount of code belong

Monday, 7 December 2009

Want to own a domain name and do whatever you want? Including using it for malicious purposes - use dot.tk apparently. Nope, disgustingly, it's not a joke. As long as you're paying them for the domain, they apparently couldn't care less (that may not be how their e-mail to me was worded, but it's certainly what they've implied); Dear Sir/Madam, We appreciate your email. Unfortunately our policy does
It seems Mr Jones over at frontlinecom.co.uk isn't too happy with me. Not for publishing the information found concerning the spam - but for posting the footer of the e-mail (the bit with the company name, address etc etc in it). Given the information is available publicly anyway, via his own website in fact, I'm confused as to what the problem is; It's okay for him to hire people he knows are going
A poster to the digitaltoast.co.uk blog concerning supportonclick.com, referenced yet another domain taking part. This time, onlinesupportforyou.com. Unfortunately this time, it is more than just a scam as this particular site, is carrying an exploit via; hxxp://kellerkamer.de/images/impressum.php > hxxp://matistuta.kampno.pl/prace/do_addcat.php >> hxxp://odenserideudstyr.dk/images/

Sunday, 6 December 2009

Thundercloud/Cloudeight have gone on another rant it seems. http://thundercloud.net/infoave/answers/2009/wot.htm I tried sending the following, but their contact form rejected it as it's over 300 chars; "Alas poor yoric ... I've just noticed yet again, that you've failed miserably in checking your facts; 1. hpHosts comments on WoT are NOT posted by me. They're put there automagically when WoT syncs

Friday, 4 December 2009

I've just had an interesting conversation with Mark Jones over at Frontline (frontlinecom.co.uk), due to a Simon Carter (likely a fake name) spamming the hpHosts blog to advertise Frontline's website. Mark confirmed they'd hired an Indian based SEO company to market for them, and when told about spamming, said he would advise them not to spam the hpHosts blog again, but would NOT tell them to stop

Thursday, 3 December 2009

It's not uncommon for someone to e-mail me, or PM me via one of the many forums, to ask why a domain is listed, or ask for it to be removed, or even, ask for a domain to be added. Indeed, I've got 3 e-mails in my inbox at present, from 2 companies demanding their sites removed (Conduit and Ascentive) and threatening to sue me if I don't. Alas it seems, some people can't even send an e-mail. I came
hpHOSTS - UPDATED December 3rd, 2009. The hpHOSTS Hosts file has been updated. There is now a total of 111,950 listed hostnames. If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! Latest Updated: 03/12/2009 13:24 Last Verified: 02/12/2009 09:00 Download hpHosts now! http://hosts-file.net/?s=Download hpHOSTS is a community managed hosts

Tuesday, 1 December 2009

Following on from the SupportOnClick scam, it would appear folks, that we've got a new contender for the world's worst scammer award. Reports are flowing online, of techonsupport.com, pulling the same scam as the folks over at supportonclick.com (other sites they're known to use are listed below). I first found out about them due to a comment over at DigitalToast.co.uk (I'd not noticed this one
Just a note folks, due to something cropping up, the hpHosts update will be out tomorrow instead of today (sorry folks). In addition, the fSpamlist server suffered corruption earlier, and sadly, rebuilding it didn't work (MySQL is playing silly buggers). As such, I've moved the site to a temporary server until I get some time tomorrow to rebuild the server from scratch.
Apologies for the latest downtime folks. Sadly the gateway died whilst I was asleep, leaving the entire network inaccessible. I've sorted that out and everything is now available again. I was also meant to have an hpHosts release out a few days ago, but due to a few things cropping up, it will be out later today instead.