Date Posted: 04:21:14 12/17/03 Wed
Author: Repost
Subject: Hijacking pc's

I was going to treat this as "just another spam," until I started closely
examining the message headers. If you look closely, you will see that a
computer using a Department of Defense Reserved IP address (30.75.148.68)
is hijacking a Pacific Bell ADSL account to send unsolicited commercial
e-mail. The IP address in question is in the second "Received: from"
header

Received: from adsl-64-174-23-171.dsl.sktn01.pacbell.net [64.174.23.171]
  by xxxxxxxxxxxxxxxxxxxxxxx
  (SMTPD32-7.07) id A93840E0044; Tue, 16 Dec 2003 17:46:00 -0600
Received: from [30.75.148.68] by adsl-64-174-23-171.dsl.sktn01.pacbell.net
  with ESMTP id <874733-60688> for
  <xxxxxxxxxxxxxxxxx>; Wed, 10 Dec 2003 01:49:10 +0200
Message-ID: <d8g3-6n-t2x-59-48-tz-$ie6@k15y.38>
From: "Delmer Camacho" <225pzcyot@yahoo.com>
Reply-To: "Delmer Camacho" <225pzcyot@yahoo.com>
To: xxxxxxxxxxxxxxxxxxx
Cc: <xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: FWD:Alprazolam.m Valium.m Vicodin.n Xanax.x bvjcsh
Date: Wed, 10 Dec 03 01:49:10 GMT
X-Mailer: Microsoft Outlook Express 5.00.2615.200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="E.D__E8B3..C4EE6"
X-Priority: 3
X-MSMail-Priority: Normal
X-RCPT-TO: <johnhenry@lowgenius.com>
Status: U
X-UIDL: 366900928

I believe that this DOD IP address represents an actively connected DOD
computer which is *also* being hijacked, probably by an automated - and
very sophisticated - bulk e-mailing program. The message shills products
offered from a website called http://www.dealsforu.biz/. Domain
registrant information for this domain is as follows:

--------------------------------------------------------------------
.BIZ Registry WHOIS Data
Domain Name DEALSFORU.BIZ
Domain ID D5535206-BIZ
Sponsoring Registrar DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Domain Status clientTransferProhibited
Registrant ID DI_170061
Registrant Name Jim Respit
Registrant Organization Jim Respit
Registrant Address1 4003 42nd ave S.
Registrant City Seattle
Registrant State/Province WA
Registrant Postal Code 98136
Registrant Country United States
Registrant Country Code US
Registrant Phone Number +206.9334534
Registrant Email jimreyman@hotmail.com
Administrative Contact ID DI_170061
Administrative Contact Name Jim Respit
Administrative Contact Organization Jim Respit
Administrative Contact Address1 4003 42nd ave S.
Administrative Contact City Seattle
Administrative Contact State/Province WA
Administrative Contact Postal Code 98136
Administrative Contact Country United States
Administrative Contact Country Code US
Administrative Contact Phone Number +206.9334534
Administrative Contact Email jimreyman@hotmail.com
Billing Contact ID DI_170061
Billing Contact Name Jim Respit
Billing Contact Organization Jim Respit
Billing Contact Address1 4003 42nd ave S.
Billing Contact City Seattle
Billing Contact State/Province WA
Billing Contact Postal Code 98136
Billing Contact Country United States
Billing Contact Country Code US
Billing Contact Phone Number +206.9334534
Billing Contact Email jimreyman@hotmail.com
Technical Contact ID DI_170061
Technical Contact Name Jim Respit
Technical Contact Organization Jim Respit
Technical Contact Address1 4003 42nd ave S.
Technical Contact City Seattle
Technical Contact State/Province WA
Technical Contact Postal Code 98136
Technical Contact Country United States
Technical Contact Country Code US
Technical Contact Phone Number +206.9334534
Technical Contact Email jimreyman@hotmail.com
Name Server NS1.THEGOODNET.BIZ
Name Server NS2.THEGOODNET.BIZ
Created by Registrar DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Last Updated by Registrar DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Domain Registration Date Sun Oct 26 19:34:59 GMT 2003
Domain Expiration Date Mon Oct 25 23:59:59 GMT 2004
Domain Last Updated Date Tue Dec 16 19:27:39 GMT 2003
-------------------------------------------------------------------------

This leads us to two more domains: thegoodnet.biz (owners of the
machines that this domain is hosted on, and possibly the originating
source) and "directi.com," listed as the domain registrar for
dealsforu.biz. Domain information for thegoodnet.biz indicates that the
owner is in Russia.

-------------------------------------------------------------------------
.BIZ Registry WHOIS Data
Domain Name THEGOODNET.BIZ
Domain ID D5868264-BIZ
Sponsoring Registrar DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Domain Status clientTransferProhibited
Registrant ID DI_213625
Registrant Name Andrey Gurkov
Registrant Organization ZAO TATCBE
Registrant Address1 novie cheremushinskaya str. 15a-7-77
Registrant City Tula
Registrant Postal Code 101671
Registrant Country Russian Federation
Registrant Country Code RU
Registrant Phone Number +7.671811
Registrant Email andrey_k17@hotmail.com
Administrative Contact ID DI_213625
Administrative Contact Name Andrey Gurkov
Administrative Contact Organization ZAO TATCBE
Administrative Contact Address1 novie cheremushinskaya str. 15a-7-77
Administrative Contact City Tula
Administrative Contact Postal Code 101671
Administrative Contact Country Russian Federation
Administrative Contact Country Code RU
Administrative Contact Phone Number +7.671811
Administrative Contact Email andrey_k17@hotmail.com
Billing Contact ID DI_213625
Billing Contact Name Andrey Gurkov
Billing Contact Organization ZAO TATCBE
Billing Contact Address1 novie cheremushinskaya str. 15a-7-77
Billing Contact City Tula
Billing Contact Postal Code 101671
Billing Contact Country Russian Federation
Billing Contact Country Code RU
Billing Contact Phone Number +7.671811
Billing Contact Email andrey_k17@hotmail.com
Technical Contact ID DI_213625
Technical Contact Name Andrey Gurkov
Technical Contact Organization ZAO TATCBE
Technical Contact Address1 novie cheremushinskaya str. 15a-7-77
Technical Contact City Tula
Technical Contact Postal Code 101671
Technical Contact Country Russian Federation
Technical Contact Country Code RU
Technical Contact Phone Number +7.671811
Technical Contact Email andrey_k17@hotmail.com
Name Server NS1.THEGOODNET.BIZ
Name Server NS2.THEGOODNET.BIZ
Created by Registrar DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Last Updated by Registrar DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Domain Registration Date Fri Dec 12 22:51:23 GMT 2003
Domain Expiration Date Sat Dec 11 23:59:59 GMT 2004
Domain Last Updated Date Tue Dec 16 17:17:25 GMT 2003
-------------------------------------------------------------------------

The domain registration information for "Directi.com" is:

-------------------------------------------------------------------------

Domain Name: DIRECTI.COM

Registrant:
Direct Information Pvt Ltd
Bhavin Turakhia (bhavin.t@directi.com)
A/23, Maharaja Surajmal, Fourbung rd., Andheri(W)
Bombay
MH,400053
IN
Tel. +91.2226370256

Creation Date: 11-Aug-1997
Expiration Date: 25-Sep-2005

Domain servers in listed order:
ns.directihosting.com
ns2.directihosting.com


Administrative Contact:
Direct Information Pvt Ltd
Bhavin Turakhia (bhavin.t@directi.com)
A/23, Maharaja Surajmal, Fourbung rd., Andheri(W)
Bombay
MH,400053
IN
Tel. +91.2226370256

Technical Contact:
Direct Information Pvt Ltd
Bhavin Turakhia (bhavin.t@directi.com)
A/23, Maharaja Surajmal, Fourbung rd., Andheri(W)
Bombay
MH,400053
IN
Tel. +91.2226370256

Billing Contact:
Direct Information Pvt Ltd
Bhavin Turakhia (bhavin.t@directi.com)
A/23, Maharaja Surajmal, Fourbung rd., Andheri(W)
Bombay
MH,400053
IN
Tel. +91.2226370256

-------------------------------------------------------------------------

Ah, but there's still MORE trails to follow. Browsing to
www.dealsforu.biz redirects to a page at www.yourmedstore.us Domain
contact information for THAT domain is listed as:

-------------------------------------------------------------------------

Domain Name: YOURMEDSTORE.US
Domain ID: D4042314-US
Sponsoring Registrar: BULKREGISTER.COM, INC.
Domain Status: ok
Registrant ID: PK2510-BR
Registrant Name: Peter Kraus
Registrant Organization: Pelikon Investments Limited
Registrant Address1: Mykinon 1
Registrant City: Nicosia
Registrant State/Province: NO
Registrant Postal Code: 1065
Registrant Country: Cyprus
Registrant Country Code: CY
Registrant Phone Number: +3.5722676170
Registrant Email: serv@rxstoregroup.com
Registrant Application Purpose: P1
Registrant Nexus Category: C32/JP
Administrative Contact ID: PK2510-BR
Administrative Contact Name: Peter Kraus
Administrative Contact Organization: Pelikon Investments Limited
Administrative Contact Address1: Mykinon 1
Administrative Contact City: Nicosia
Administrative Contact State/Province: NO
Administrative Contact Postal Code: 1065
Administrative Contact Country: Cyprus
Administrative Contact Country Code: CY
Administrative Contact Phone Number: +3.5722676170
Administrative Contact Email: serv@rxstoregroup.com
Administrative Application Purpose: P1
Administrative Nexus Category: C32/JP
Billing Contact ID: PK2510-BR
Billing Contact Name: Peter Kraus
Billing Contact Organization: Pelikon Investments Limited
Billing Contact Address1: Mykinon 1
Billing Contact City: Nicosia
Billing Contact State/Province: NO
Billing Contact Postal Code: 1065
Billing Contact Country: Cyprus
Billing Contact Country Code: CY
Billing Contact Phone Number: +3.5722676170
Billing Contact Email: serv@rxstoregroup.com
Billing Application Purpose: P1
Billing Nexus Category: C32/JP
Technical Contact ID: PK2510-BR
Technical Contact Name: Peter Kraus
Technical Contact Organization: Pelikon Investments Limited
Technical Contact Address1: Mykinon 1
Technical Contact City: Nicosia
Technical Contact State/Province: NO
Technical Contact Postal Code: 1065
Technical Contact Country: Cyprus
Technical Contact Country Code: CY
Technical Contact Phone Number: +3.5722676170
Technical Contact Email: serv@rxstoregroup.com
Technical Application Purpose: P1
Technical Nexus Category: C32/JP
Name Server: NS1.RXNS.COM
Name Server: NS2.RXNS.COM
Created by Registrar: BULKREGISTER.COM, INC.
Domain Registration Date: Tue Apr 08 15:32:35 GMT 2003
Domain Expiration Date: Wed Apr 07 23:59:59 GMT 2004

-------------------------------------------------------------------------

If one carefully observes, the "contact us" link at yourmedstore.us links
to a URL which begins with http://yourmedstore.7ssl.com.

Domain registration for THAT domain (7ssl.com) reads:

-------------------------------------------------------------------------

Domain Name: YOURMEDSTORE.US
Domain ID: D4042314-US
Sponsoring Registrar: BULKREGISTER.COM, INC.
Domain Status: ok
Registrant ID: PK2510-BR
Registrant Name: Peter Kraus
Registrant Organization: Pelikon Investments Limited
Registrant Address1: Mykinon 1
Registrant City: Nicosia
Registrant State/Province: NO
Registrant Postal Code: 1065
Registrant Country: Cyprus
Registrant Country Code: CY
Registrant Phone Number: +3.5722676170
Registrant Email: serv@rxstoregroup.com
Registrant Application Purpose: P1
Registrant Nexus Category: C32/JP
Administrative Contact ID: PK2510-BR
Administrative Contact Name: Peter Kraus
Administrative Contact Organization: Pelikon Investments Limited
Administrative Contact Address1: Mykinon 1
Administrative Contact City: Nicosia
Administrative Contact State/Province: NO
Administrative Contact Postal Code: 1065
Administrative Contact Country: Cyprus
Administrative Contact Country Code: CY
Administrative Contact Phone Number: +3.5722676170
Administrative Contact Email: serv@rxstoregroup.com
Administrative Application Purpose: P1
Administrative Nexus Category: C32/JP
Billing Contact ID: PK2510-BR
Billing Contact Name: Peter Kraus
Billing Contact Organization: Pelikon Investments Limited
Billing Contact Address1: Mykinon 1
Billing Contact City: Nicosia
Billing Contact State/Province: NO
Billing Contact Postal Code: 1065
Billing Contact Country: Cyprus
Billing Contact Country Code: CY
Billing Contact Phone Number: +3.5722676170
Billing Contact Email: serv@rxstoregroup.com
Billing Application Purpose: P1
Billing Nexus Category: C32/JP
Technical Contact ID: PK2510-BR
Technical Contact Name: Peter Kraus
Technical Contact Organization: Pelikon Investments Limited
Technical Contact Address1: Mykinon 1
Technical Contact City: Nicosia
Technical Contact State/Province: NO
Technical Contact Postal Code: 1065
Technical Contact Country: Cyprus
Technical Contact Country Code: CY
Technical Contact Phone Number: +3.5722676170
Technical Contact Email: serv@rxstoregroup.com
Technical Application Purpose: P1
Technical Nexus Category: C32/JP
Name Server: NS1.RXNS.COM
Name Server: NS2.RXNS.COM
Created by Registrar: BULKREGISTER.COM, INC.
Domain Registration Date: Tue Apr 08 15:32:35 GMT 2003
Domain Expiration Date: Wed Apr 07 23:59:59 GMT 2004

-------------------------------------------------------------------------

At last, we seem to be getting consistent information. Let's dig a
little deeper and look at rxstoregroup.com (the contact address domain)
and rxns.com (the name server domain):

-------------------------------------------------------------------------

Registrant:
ScamBlock.Com
1800 N Main St
Apt. 36
Altus, OK 73521
US

Domain name: RXSTOREGROUP.COM

Administrative Contact:
Vaughn, Jayson info@scamblock.com
1800 N Main St
Apt. 36
Altus, OK 73521
US
15804771226
Technical Contact:
Customer Service, EV1 Servers domains@ev1servers.net
2600 SW Freeway
Suite 500
Houston, Texas 77098
US
+1.7133337873 Fax: +1.7139429332

Registration Service Provider:
Everyones Internet, domains@ev1servers.net
http://www.ev1servers.net



Registrar of Record: TUCOWS, INC.
Record last updated on 24-Nov-2003.
Record expires on 23-Nov-2004.
Record Created on 23-Nov-2003.

Domain servers in listed order:
DNS1.SHNW.NET 216.67.246.98
DNS2.SHNW.NET 216.67.246.115

-------------------------------------------------------------------

and for rxns.com:

-------------------------------------------------------------------

Domain: rxns.com

Registrant
Peter Kraus
Pelikon Investments Limited
hostmaster@RXASOCIATION.COM
Mykinon 1
Nicosia, NO 1065 CY
+357.67778789

Administrative
Peter Kraus
Pelikon Investments Limited
hostmaster@RXASOCIATION.COM
Mykinon 1
Nicosia, NO 1065 CY
+357.67778789

Billing
Peter Kraus
Pelikon Investments Limited
hostmaster@RXASOCIATION.COM
Mykinon 1
Nicosia, NO 1065 CY
+357.67778789

Technical
Peter Kraus
Pelikon Investments Limited
hostmaster@RXASOCIATION.COM
Mykinon 1
Nicosia, NO 1065 CY
+357.67778789

Record created on March 31, 2003
Record last updated on October 24, 2003
Record expires on March 31, 2004

Domain Name Servers:
NS1.RXLIST.CN
NS2.RXLIST.CN

-------------------------------------------------------------

Once again we find Peter Kraus. Let's keep digging. Whoever this person
is, they're pretty good at covering their tracks...but I think I'm seeing
a consistency here.

-------------------------------------------------------------

For RXASOCIATION.COM:

Domain: rxasociation.com

Registrant
Peter Kraus
Pelikon Investments Limited
hostmaster@RXASOCIATION.COM
Mykinon 1
Nicosia, NO 1065 CY
+357.67778789

Administrative
Peter Kraus
Pelikon Investments Limited
hostmaster@RXASOCIATION.COM
Mykinon 1
Nicosia, NO 1065 CY
+357.67778789

Billing
Peter Kraus
Pelikon Investments Limited
hostmaster@RXASOCIATION.COM
Mykinon 1
Nicosia, NO 1065 CY
+357.67778789

Technical
Peter Kraus
Pelikon Investments Limited
hostmaster@RXASOCIATION.COM
Mykinon 1
Nicosia, NO 1065 CY
+357.67778789

Record created on June 16, 2002
Record last updated on October 24, 2003
Record expires on June 16, 2004

Domain Name Servers:
NS1.RXNS.COM
NS1.RXLIST.CN

----------------------------------------------------------

Finally, for RXLIST.CN:

----------------------------------------------------------

Domain Name: rxlist.cn
ROID: 20030407s10001s00421445-cn
Domain Status: ok
Registrant Organization: Pelikon Investments Limited
Registrant Name: Peter Kraus
Registrant Address: Mykinon 1
Registrant Postal Code: 1065
Administrative Email: serv@rxstoregroup.com
Sponsoring Registrar: BulkRegister.com, Inc.
Name Server:ns1.rxlist.cn
Name Server:ns2.rxlist.cn
Registration Date: 2003-04-07 23:40
Expiration Date: 2004-04-07 23:40

This represents the end of the trail, so far as I can tell.

There is no way to be 100% certain of the accuracy of this information
from my end. Careful consideration leads me to believe that the Russian,
Indian, and US information may be a blind alley, although any one or more
of the non-Peter Kraus names listed may be directly or indirectly
involved in this, including bearing responsibility for accessing the DOD
computer in question.

It appears to me that the US Department of Defense folks have some things
to discuss with one Peter Kraus, Pelikon Investments Limited, Mykinon 1,
Nicosia, NO, 1065, CY. It seems rather clear that he - or whoever is
actually responsible - is using some kind of software to route messages
through Department of Defense computers to accomplish the propagation of
this spam. I should think - perhaps incorrectly - that the accessing in
ANY way of DOD computers by foreign nationals represents a very serious
security breach.

Maybe I'm totally off-base...but I hope not. If anyone here can make
better use of this information - I've already forwarded it to hostmaster
at nic.mil - please feel free to do so.
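The header-reading step the post opens with, as an added example that is not part of the original post: it unfolds the Received headers of a constructed message modelled on the quoted ones (recipient fields replaced by placeholders), walks the relay chain oldest-first, flags any relay address inside a watchlist (30.0.0.0/8, the DoD block the post identifies) and checks the hop timestamps, since a relay that appears to have held a message for days, as the quoted inner header does against the outer one, is a hint that the inner header was not written by a real relay. The 24-hour threshold and the watchlist label are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the headers quoted in the post; the
# recipient fields were already masked there, so placeholders are used.
SAMPLE = """\
Received: from adsl-64-174-23-171.dsl.sktn01.pacbell.net [64.174.23.171]
 by mail.example.invalid
 (SMTPD32-7.07) id A93840E0044; Tue, 16 Dec 2003 17:46:00 -0600
Received: from [30.75.148.68] by adsl-64-174-23-171.dsl.sktn01.pacbell.net
 with ESMTP id <874733-60688> for
 <victim@example.invalid>; Wed, 10 Dec 2003 01:49:10 +0200
From: "Delmer Camacho" <225pzcyot@yahoo.com>
Subject: FWD:Alprazolam.m Valium.m Vicodin.n Xanax.x bvjcsh

(body omitted)
"""

# Address ranges worth flagging when they appear as a relay. 30.0.0.0/8 is
# the DoD block the post identifies; the label text is an assumption.
WATCHLIST = {ipaddress.ip_network("30.0.0.0/8"): "DoD reserved"}
MAX_GAP_HOURS = 24  # assumed threshold for a plausible relay delay

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return (from_ip, timestamp) per Received header, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())            # unfold continuation lines
        from_part = hdr.split(" by ", 1)[0]    # only the 'from' clause
        ip_match = IP_RE.search(from_part)
        stamp = parsedate_to_datetime(hdr.rsplit(";", 1)[1].strip())
        hops.append((ip_match.group(1) if ip_match else None, stamp))
    return list(reversed(hops))                # topmost header is newest


def analyse(raw):
    """Return (hops, findings): watchlist hits and timestamp anomalies."""
    hops = received_hops(raw)
    findings = []
    for ip, _ in hops:
        for net, label in WATCHLIST.items():
            if ip and ipaddress.ip_address(ip) in net:
                findings.append(f"{ip} is in {net} ({label})")
    # Each relay stamps the time it accepted the message, so reading the
    # chain oldest-first the stamps should rise, and by minutes, not days.
    for (ip_a, t_a), (ip_b, t_b) in zip(hops, hops[1:]):
        gap_h = (t_b - t_a).total_seconds() / 3600
        if gap_h < 0:
            findings.append(f"{ip_a} is stamped later than the relay after it ({ip_b})")
        elif gap_h > MAX_GAP_HOURS:
            findings.append(f"{gap_h:.0f}h gap between {ip_a} and {ip_b}: "
                            "the earlier header may not come from a real relay")
    return hops, findings
```

Running `analyse(SAMPLE)` on the sample reports the 30.75.148.68 watchlist hit and a roughly seven-day gap between the two hops.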
