Hosted on your network, peoplesprimary.com contains malware to hijack browsers and turn those browsers into spamming zombies. Please take action and shut down the site.
Do not go to these urls with your browser. Remove .invalid from the end to make the link functional and see what's inside them.
http://www.peoplesprimary.com.invalid/why_am_I_receiving_these.txt
http://www.peoplesprimary.com.invalid/2010/01/17/new-irc-exploit-freenode/
--
Tuomas Venhola
¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø
ivo@m3r.nl
Hi,
The domain "peoplesprimary.com" hosted by you on ip 88.198.2.173 is currently being abused on freenode irc (channel jquery) for spamming/abusing:
Received a CTCP VERSION To find out more visit http://peoplesprimary.com/why_am_I_receiving_these.txt from ireknbvu (to #jquery)
(and then 100's of those)
The purpose of this "attack" is unclear to me, if it's a form of hacking or just highly immature behaviour. I do advise you to be careful when visiting this page.
I'm not asking you to take any actions unless you see any need to do so according to your own policy (and possibly to keep a good name) but I do want to inform you about stuff happening on your network.
Kind regards
Ivo van der Wijk
¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø
matthias.hecker@mni.fh-giessen.de
Good morning,
yesterday and last night there was a massive "spam attack" on the free IRC network Freenode. The attacker and his drones posted the following URL:
h tt p:// peoplesprimary.com/users/lnux2745/christel.jpg
Caution! The URL contains the following Javascript multiple times:
h tt p:// peoplesprimary.com/irc.php
The domain resolves to 88.198.2.173. According to Whois, this is one of your servers.
Please take care of it :)
Kind regards
Matthias Hecker (a Freenode user)
[Babel] {
Good mornings, yesterday and tonight there was a substantial " Spam Angriff" on the free IRC network Freenode. The aggressor and its Drones posteten the following URL: h tt p: /peoplesprimary.com/users/lnux2745/christel.jpg
Caution! The URL contains the several times following Javascript: h tt p: /peoplesprimary.com/irc.php
The Domain dissolves after 88.198.2.173.
According to WHOIS it acts over one of their servers.
Please they worry about it:)
Yours sincerely
Matthias Hecker (a Freenode user)
}
¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø
dan_williams@sunshine.net
the following site is running a malicious webpage to make clients attack
the freenode irc network, via javascript.
from via gnaa.on.zoy.org
ip 88.198.2.173
jan 16/2010 7:41 PST
your co-operation in the immediate attention of this issue is appreciated.
dan
--
Dan Williams, Owner
http://eds.dyndns.org/
Electronic Device Services
(604) 886 5934
2022 Lower rd
Roberts Creek BC Canada
V0N 2W6
¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø
brad2901@gmail.com
Dear Sir/Madam,
I would like to notify you of one of your customers hosting a malware site
which is being used to flood chat networks.
URL: http://gnaa.on.zoy.org/
IP: 88.198.2.173
It has been flooding for many days with a message similar to this: "This is an URGENT MESSAGE regarding your GNAA account! Please Visit http://gnaa.on.zoy.org/ or dial 1-360-215-1281 immediately to speak to a representative! irc.hardchats.com #gnaa"
Please do not visit the website in a browser as it will result in you automatically connecting to one of the chat networks and spamming channels.
If you could remove the offending site it would be highly appreciated.
Thanks.
Brad W
¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø
david.precious@uk2.net
Hi there,
There's an abusive script at the following URL being used to launch spam attacks against Freenode (do not view in a browser with Javascript enabled):
http://tech.on.zoy.org/irc.php
The script at the URL above uses Javascript to populate and automatically submit a form, causing the browser to connect to irc.freenode.net:6667 and issue spam. (It runs automatically, so please do *not* visit that URL with Javascript enabled).
This is hosted on 88.198.2.173, hence including abuse@hetzner.de in this mail:
[davidp@supernova:~]$ host tech.on.zoy.org
tech.on.zoy.org is an alias for www.peoplesprimary.com.
www.peoplesprimary.com has address 88.198.2.173
[davidp@supernova:~]$ whois 88.198.2.173 | grep abuse
abuse-mailbox: abuse@hetzner.de
The script is loaded in an iframe from URLs which are posted to IRC, for instance:
* sta (n=clauogil@187.68.37.182) has joined #freenode
irc.hardchats.com #klulz
Warning: the pages contain images and content you won't want to see, and further exploits; I would strongly suggest you do not view it in a browser, unless you have Javascript disabled and a strong stomach.
People are following the spammed URLs, and when they do so, if they're using a browser which will unconditionally execute Javascript (as the majority will), they then participate in the attacks.
I, and the staff and users of Freenode, would greatly appreciate if you could please remove these scripts and secure your webspace ASAP.
Many thanks
David Precious
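Added example (not part of any of the e-mails above, and not code from Freenode or any IRC server): a listener-side check for the behaviour David Precious describes, where a browser-submitted form arrives on the IRC port. It flags the connection for dropping and pulls out the `Referer` header so the hosting page can be named in an abuse report. The function name, header list, hostnames and sample bytes are assumptions constructed for illustration.

```python
import re

# A browser submitting a form to a non-HTTP port still opens with an HTTP request line.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS) \S+ HTTP/1\.[01]$")
# Headers a web browser sends; no IRC client emits them.
HTTP_HEADER = re.compile(
    rb"^(Host|User-Agent|Referer|Origin|Cookie|Content-Type|Content-Length):\s*(.*)$",
    re.I,
)
IRC_COMMANDS = {b"NICK", b"USER", b"PASS", b"JOIN", b"PRIVMSG", b"NOTICE"}


def classify_preamble(raw: bytes, max_lines: int = 32) -> dict:
    """Classify the first bytes a client sent to an IRC listener."""
    lines = [ln.strip() for ln in raw.split(b"\n")][:max_lines]
    lines = [ln for ln in lines if ln]
    headers = {}
    for ln in lines:
        m = HTTP_HEADER.match(ln)
        if m:
            headers[m.group(1).lower().decode()] = m.group(2).decode("latin-1")
    # Either signal is enough: a request line first, or several browser headers.
    from_browser = bool(lines and HTTP_REQUEST_LINE.match(lines[0])) or len(headers) >= 2
    # IRC commands carried in the form body, kept as evidence for the report.
    carried = [ln.decode("latin-1") for ln in lines
               if ln.split(b" ", 1)[0].upper() in IRC_COMMANDS]
    return {
        "action": "drop" if from_browser else "accept",
        "referer": headers.get("referer"),
        "irc_lines": carried if from_browser else [],
    }


# Constructed samples (not captured traffic): what the listener reads first.
IRC_CLIENT = b"NICK alice\r\nUSER alice 0 * :Alice\r\n"
BROWSER_FORM = (
    b"POST / HTTP/1.1\r\n"
    b"Host: irc.example.net:6667\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Referer: http://pages.example.org/irc.php\r\n"
    b"Content-Type: multipart/form-data\r\n"
    b"\r\n"
    b"NICK guest123\r\n"
    b"USER guest123 0 * :guest\r\n"
)

if __name__ == "__main__":
    print(classify_preamble(IRC_CLIENT))
    print(classify_preamble(BROWSER_FORM))
```

Dropping the connection as soon as the request line or browser headers appear, before any command in the body is processed, keeps the visiting browser from ever registering on the network.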
Non-machine translation of Matthias Hecker's letter:
Hello,
The open IRC Network Freenode was under a heavy spam attack both yesterday and this evening. The attackers and their bots posted the following URL:
h tt p:// peoplesprimary.com/users/lnux2745/christel.jpg
Warning! That URL contains multiple copies of the following Javascript:
h tt p:// peoplesprimary.com/irc.php
The domain points to 88.198.2.173. According to Whois that is handled by one of your servers.
Please take care of it. :)
Thanks,
Matthias Hecker (a Freenode user)