Author Topic: ihatefun.com  (Read 5510 times)


November 20, 2008, 02:12:23 pm

cconniejean

This site has been reported at our forum twice now. Last report was for some hard porn links, emailed the owner, said they removed them. They missed a few. This one has an exe file in it.

Code:
Full URL: http://ihatefun.com/v-web/?m=hot
Redirected to: http://protectionscanner.com/2009/2/freescan.php?nu=880369
Redir: http://protectionscanner.com/2009/download/trial/A9installer_880369.exe

November 20, 2008, 04:26:26 pm
Reply #1

sowhat-x

There's quite a lot of crap there...followed a bit the redirections there via Ethereal:

From ihatefun.com, it goes to:
Quote
hxxp://ogfox.info/in.cgi?30&parameter=
And then moves on to...
Quote
hxxp://world-web-service.com/soft.php?aid=0369&d=2&product=XPA&refer=88de8805a
Regarding world-web-service.com...his friends revealed:
http://www.bfk.de/bfk_dnslogger.html?query=91.203.93.68

Back to ogfox.info, the first step redirector in the chain...
Quote
hxxp://ogfox.info/
-> "Account closed due terms violation."
Yeah, sure...since he says so - playing around by supplying different parameters:

Quote
hxxp://ogfox.info/in.cgi? ->
hxxp://www.thecanadianmeds.com/item.php?id=188&aid=99
====================

Quote
hxxp://ogfox.info/in.cgi?13&parameter=s
hxxp://find-fm.com//search.php?aid=2228&keyword=psp
hxxp://www.peakclick.com/toolbar/2228/toolbar.exe -> Adware.Win32.Mostofate
====================

Quote
hxxp://ogfox.info/in.cgi?19&parameter=k
hxxp://www.results-today.com/search.php?keyword=Online+casino&aid=2228&num=5&tpl=gambling&sid=49
results-today.com provides us with "searching" facilities...but not with a main web page, he-he...
"Forbidden - You don't have permission to access / on this server."
It then moves to the following "monstrous" url:
Code:
hxxp://64.111.196.117/c.php?s=[long encoded parameter omitted]

64.111.196.117 is...the feed.peakclick.com already seen above. It then continues to...
Quote
hxxp://mugyra.org/sutra/in.cgi?default=&ID=2228&fb=
hxxp://new-porn-tubeportal2008.net/pornstars/index.php?id=1417
hxxp://codecdownload.super-softwaredownload.com/v-codec.1417.exe
-> Result: 4/34 (11.77%):
http://www.virustotal.com/analisis/1a9f5d49220fd6c3009488e612800834
====================

Now also playing a bit around with mugyra.org parameters...
Quote
hxxp://mugyra.org/sutra/in.cgi?
hxxp://best-xxxportal.com/pornstars/movie.php?id=21232
hxxp://download-citadel-software.com/LiteVideocodecVer.4.21232.exe
-> Result: 5/36 (13.89%)
http://www.virustotal.com/analisis/3b726ace62e51d6ff27cb14928c8aef7

Someone can move around in circles there for quite some time/hours I guess...
What I found rather disappointing, is that quite a few of the above domains/IP addresses,
appear to be in..."business" at least since 2006 according to this very informative thread:
http://www.proprofs.com/forums/index.php?showtopic=4498
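
The hop-by-hop tracing described in the reply above, as an added example that is not part of the original post: it rebuilds a redirect chain from request/response pairs read out of a packet capture and prints it defanged. The capture rows, the `.example` host names and the function names are constructed for illustration, and it assumes the hops are HTTP `Location` redirects; script-driven hops would need the response bodies as well.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample: (requested URL, status, response headers) as they might be
# copied out of a capture. Hosts are reserved .example names, not real domains.
CAPTURE = [
    ("http://landing.example/v-web/?m=hot", 302, {"Location": "http://tds.example/in.cgi?30&parameter="}),
    ("http://tds.example/in.cgi?30&parameter=", 302, {"Location": "/soft.php?aid=1&product=X"}),
    ("http://tds.example/soft.php?aid=1&product=X", 302, {"location": "http://payload.example/download/installer.exe"}),
    ("http://payload.example/download/installer.exe", 200, {"Content-Type": "application/octet-stream"}),
    ("http://unrelated.example/favicon.ico", 404, {}),
]

REDIRECT_CODES = (301, 302, 303, 307, 308)

def defang(url):
    """Write a URL with the hxxp scheme so it is not clickable in a report."""
    return re.sub(r"^http", "hxxp", url, flags=re.I)

def redirect_chain(capture, start):
    """Follow Location headers from `start` through the captured exchanges."""
    by_url = {}
    for url, status, hdrs in capture:
        by_url[url] = (status, {k.lower(): v for k, v in hdrs.items()})
    chain, seen, url = [], set(), start
    while url in by_url and url not in seen:  # stop on loops or uncaptured hops
        seen.add(url)
        status, hdrs = by_url[url]
        chain.append((url, status))
        if status not in REDIRECT_CODES or "location" not in hdrs:
            break
        url = urljoin(url, hdrs["location"])  # Location may be relative
    return chain

def report(chain):
    """One line per hop; flag hops whose path ends in .exe."""
    lines = []
    for url, status in chain:
        flag = "  <- executable download" if urlsplit(url).path.lower().endswith(".exe") else ""
        lines.append(f"{status} {defang(url)}{flag}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(redirect_chain(CAPTURE, CAPTURE[0][0]))))
```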

November 20, 2008, 04:43:29 pm
Reply #2

cconniejean

Thank you. I'm glad I had back tracked on this one, had given a clear to visit on the forum. Thanks again.

November 20, 2008, 04:49:21 pm
Reply #3

sowhat-x

Hmmm...Robtex is not accessible for me currently, maybe overloaded or something...  :(
There are some 'good' news though....
http://whois.domaintools.com/ogfox.info
Directi Internet Solutions Pvt. etc etc...
So maybe we could break the javascript chaining there, he-he...  :)

Edit: mugyra.org crap is EstDomains as well...

November 25, 2008, 05:15:06 pm
Reply #4

sowhat-x

ogfox.info died  :)

Quote
Hello,

Apologies for the delayed update.
We have processed your complaint and have suspended the domain name "ogfox.info".

Regards,
Directi Abuse Desk.



November 27, 2008, 01:04:29 pm
Reply #5

cconniejean

Sweet, I was just rechecking on this one and saw this in my Google search.

Account closed due terms violation.
ogfox(dot)info/ - 1k

Thank you very much for all the help. Have a great Thanksgiving Day  :D