Who are you, Mr Spyware?



It happens almost every day, when you're running web services, to be "visited" [or attacked, if you prefer] from the strangest places in the world, places you would never think of.

Recently I noticed some "silly" calls to my web server from a Russian ISP.

The IP numbers were something like

195.225.177.46, 195.225.177.48, etc.

These calls were coming very often... boring after all, so, after blocking them, I asked myself: "who the hell are you?"

The whois command told me this:

augusto@aristide:~> whois 195.225.177.46
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag

% Information related to '195.225.176.0 - 195.225.179.255'

inetnum:      195.225.176.0 - 195.225.179.255
netname:      NETCATHOST
descr:        NetcatHosting
country:      UA
admin-c:      VS1142-RIPE
tech-c:       VS1142-RIPE
status:       ASSIGNED PI
mnt-by:       RIPE-NCC-HM-PI-MNT
mnt-lower:    RIPE-NCC-HM-PI-MNT
mnt-by:       NETCATHOST-MNT
mnt-routes:   NETCATHOST-MNT
source:       RIPE # Filtered
remarks:      ****************************************
remarks:      * Abuse contacts: abuse@netcathost.com *
remarks:      ****************************************

person:       Vsevolod Stetsinsky
address:      01110, Ukraine, Kiev, 20� Solomenskaya street. room 206.
phone:        +38 050 6226676
e-mail:       vs@netcathost.com
nic-hdl:      VS1142-RIPE
source:       RIPE # Filtered

% Information related to '195.225.176.0/22AS31159'

route:        195.225.176.0/22
descr:        NETCATHOST (full block)
origin:       AS31159
mnt-by:       NETCATHOST-MNT
remarks:      ****************************************
remarks:      * Abuse contacts: abuse@netcathost.com *
remarks:      ****************************************
source:       RIPE # Filtered


 

Ok, Mr Vsevolod Stetsinsky.

And what the hell do you want from me?

What the hell do you want from me, Mr Stetsinsky

So, there is this Mr Stetsinsky from Kiev, Ukraine.

He has quite a big range of IP addresses and he's trying to hack my server.

So my next question is: What the hell do you do, Mr Spyware?

and I start playing with my browser, trying to call his IP numbers over the web...

http://195.225.177.1/ .... nothing happens...

http://195.225.177.2/ .... nothing happens...

till

http://195.225.177.7/ .... haha.... here you are!

[Screenshot: 197_225_177_7_SpyWareQuake.png]

 

A very nice SpyWare Software...

So?

You first try to hack my server, then you'll probably try to sell your cool and very well colored antispyware?

That's not fair!!! Mr Stetsinsky from Kiev, Ukraine.

and the best is still to come....

 

What a curious connection, Mr Stetsinsky.

In the previous pages I told you about this Ukrainian man who tried to hack my server, from his servers where he sells antispyware software...

As said, he has a large range of IP numbers....

And my curiosity pushed me to see what else he runs on his web servers.

so I play this easy game with my browser

 
http://195.225.177.8/ .... nothing happens...

http://195.225.177.9/ ...a search engine... not very interesting..

then

http://195.225.177.17/ another one....

till I type

http://195.225.177.22/   and   BOOOM!!!!!!

 

Redirect from 195.225.177.22 to msn.com

this is VERY INTERESTING!!!! looks like an msn.com mirror...

that link redirects to www.msn.com, pure Microsoft domain! [see http header log enclosed]

So, what does it mean?

I think about people asking me about viruses and worms, strange pages on their Windows computers opening tons of ads and dialing very expensive providers, and lots of security update alerts on their computers...

And when they ask me:

Who makes computer viruses?
Why do they make these viruses?

I used to reply "Well, not easy to say..."

From now on, I'll send them the link to this page.

And everybody can form their own idea about this.

 

 

 

Attachment: from_195_225_177_17_to_msn.com.txt (16.24 KB)

Comments


Hi, the same happens on my page.

I just googled it and found: spamhuntress.com/2006/09/10/blocking-netcathost/
specht.com.au/michael/2006/01/27/spam-attack/
A very interesting one is this; look at the guestbook posters' IPs there:
radar.spacebar.org/f/a/weblog/docomment/1/576

Lots of info about this web host in Ukraine.
Block
You can also use CIDR ranges, which will save you a lot of typing.

Netcathost resides within 195.225.176.0 - 195.225.179.255 so you can easily write the following instead:

Deny from 195.225.176.0/22

24 => 195.225.176.
23 => 195.225.176., 195.225.177.
22 => 195.225.176., 195.225.177., 195.225.178., 195.225.179.

These are always multiples of two. 24 also equals a total of 256 addresses. 25 would be 128 addresses and so forth (with 32 as the endpoint for a single IP address).

Regards
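
The CIDR arithmetic from the comment above, as an added example that is not part of the original post or its comments: a Python sketch that turns the whois inetnum range into CIDR blocks, emits the matching Deny lines, and checks logged client addresses against them. The two log addresses not quoted in the post are constructed, and the function names are illustrative.

```python
import ipaddress
import re

# inetnum line copied from the whois output on this page.
WHOIS_TEXT = "inetnum:      195.225.176.0 - 195.225.179.255\nnetname:      NETCATHOST\n"
# Constructed sample of client addresses: two from the post, two unrelated.
LOG_CLIENTS = ["195.225.177.46", "195.225.177.48", "195.225.180.1", "192.0.2.10"]


def range_to_cidrs(first, last):
    """Smallest list of CIDR networks that covers first..last exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def inetnum_to_cidrs(whois_text):
    """Convert every 'inetnum: a - b' line of a whois reply to CIDR networks."""
    nets = []
    for m in re.finditer(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", whois_text, re.M):
        nets.extend(range_to_cidrs(m.group(1), m.group(2)))
    return nets


def deny_lines(nets):
    """Apache 'Deny from' directives in the form the comment uses."""
    return [f"Deny from {net}" for net in nets]


def split_clients(clients, nets):
    """Separate log addresses into those the rules block and those they do not."""
    blocked = [c for c in clients if any(ipaddress.ip_address(c) in n for n in nets)]
    return blocked, [c for c in clients if c not in blocked]


def prefix_table(base="195.225.176.0", prefixes=(24, 23, 22)):
    """Per prefix length: address count and the /24 blocks it spans."""
    table = {}
    for p in prefixes:
        net = ipaddress.ip_network(f"{base}/{p}")
        table[p] = (net.num_addresses,
                    [str(s.network_address) for s in net.subnets(new_prefix=24)])
    return table


if __name__ == "__main__":
    nets = inetnum_to_cidrs(WHOIS_TEXT)
    print("\n".join(deny_lines(nets)))
    print(split_clients(LOG_CLIENTS, nets))
    print(prefix_table())
    # A range that is not aligned to a power of two needs several rules.
    print(range_to_cidrs("195.225.177.46", "195.225.177.48"))
```

On Apache 2.4 the same block is written as `Require not ip 195.225.176.0/22` inside a `<RequireAll>` section.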
