Fraud Reports Wiki
No edit summary
Tag: Source edit
Line 17: Line 17:
 
37.46.135.24 abuse''@''abusehost.ru
 
37.46.135.24 abuse''@''abusehost.ru
 
95.165.27.205 abuse''@''spd-mgts.ru
 
95.165.27.205 abuse''@''spd-mgts.ru
103.9.158.67 - cuong.trinh''@''vnso.vn thao.nguyen''@''vnso.vn
+
103.9.158.67 cuong.trinh''@''vnso.vn thao.nguyen''@''vnso.vn
103.28.149.174 - support''@''easyway.co.id
+
103.28.149.174 support''@''easyway.co.id
103.92.25.124 - info''@''tlsoft.vn system''@''tlsoft.vn
+
103.92.25.124 info''@''tlsoft.vn system''@''tlsoft.vn
 
103.117.141.163 abuse''@''casbay.com
 
103.117.141.163 abuse''@''casbay.com
 
103.117.141.184 abuse''@''casbay.com
 
103.117.141.184 abuse''@''casbay.com
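Review bot: the email addresses in this hunk break the @ with wiki italic markup (abuse''@''abusehost.ru, cuong.trinh''@''vnso.vn), while the entries changed further down at Line 71 are written plainly (abuse@artnet.pl); if the markup is meant to stop auto-linking, apply it to the Line 71 entries too, otherwise drop it here so the whole list uses one convention. Removing the " - " separator on the three changed lines does bring them in line with the surrounding context entries.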
Line 33: Line 33:
 
103.28.149.174 support''@''easyway.co.id
 
103.28.149.174 support''@''easyway.co.id
 
103.83.192.109 abuse.support''@''h4g.in
 
103.83.192.109 abuse.support''@''h4g.in
112.78.10.214 - vanht''@''ods.vn
+
112.78.10.214 vanht''@''ods.vn
 
185.130.206.6 abuse''@''as61317.net
 
185.130.206.6 abuse''@''as61317.net
 
198.27.110.97 abuse''@''ovh.ca
 
198.27.110.97 abuse''@''ovh.ca
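Review bot: the context line 103.28.149.174 support''@''easyway.co.id at the top of this hunk duplicates the entry already present in the Line 17 hunk, so the name server list carries this IP twice; one of the two copies should be dropped. The " - " removal on 112.78.10.214 vanht''@''ods.vn is consistent with the rest of the list.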
Line 39: Line 39:
 
209.127.28.5 abuse''@''servermania.com
 
209.127.28.5 abuse''@''servermania.com
   
103.138.96.86 - hello''@''hostitsmart.in (REMOVED)
+
103.138.96.86 hello''@''hostitsmart.in (REMOVED)
103.221.220.169 - hiendm''@''viettelidc.com.vn hm-changed''@''vnnic.vn (REMOVED)
+
103.221.220.169 hiendm''@''viettelidc.com.vn hm-changed''@''vnnic.vn (REMOVED)
146.247.49.105 - https://my.netcetera.co.uk (REMOVED)
+
146.247.49.105 https://my.netcetera.co.uk (REMOVED)
178.239.177.183 - abuse''@''irideos.it (REMOVED)
+
178.239.177.183 abuse''@''irideos.it (REMOVED)
27.124.85.93 - abuse''@''medialink.net.id (REMOVED)
+
27.124.85.93 abuse''@''medialink.net.id (REMOVED)
45.86.163.7 - support''@''crowncloud.net (REMOVED)
+
45.86.163.7 support''@''crowncloud.net (REMOVED)
82.199.101.248 - zapros''@''seven-sky.net (REMOVED)
+
82.199.101.248 zapros''@''seven-sky.net (REMOVED)
93.119.105.5 - abuse''@''virtono.com (REMOVED)
+
93.119.105.5 abuse''@''virtono.com (REMOVED)
94.156.175.107 - abuse''@''iws.co (REMOVED)
+
94.156.175.107 abuse''@''iws.co (REMOVED)
103.42.58.58 - support''@''tgs.com.vn (REMOVED)
+
103.42.58.58 support''@''tgs.com.vn (REMOVED)
103.42.58.61 - support''@''tgs.com.vn (REMOVED)
+
103.42.58.61 support''@''tgs.com.vn (REMOVED)
103.8.26.45 - abuse''@''internet-webhosting.com (REMOVED)
+
103.8.26.45 abuse''@''internet-webhosting.com (REMOVED)
119.59.123.55 - hoanglong''@''azdigi.com thachpham''@''azdigi.com (REMOVED)
+
119.59.123.55 hoanglong''@''azdigi.com thachpham''@''azdigi.com (REMOVED)
130.185.72.89 - support''@''parspack.com REMOVED
+
130.185.72.89 support''@''parspack.com REMOVED
171.244.143.163 - soc''@''viettel.com.vn (REMOVED)
+
171.244.143.163 soc''@''viettel.com.vn (REMOVED)
 
180.131.147.100- abuse''@''nawala.org (REMOVED)
 
180.131.147.100- abuse''@''nawala.org (REMOVED)
185.140.249.133 - contact''@''buzinessware.com (REMOVED)
+
185.140.249.133 contact''@''buzinessware.com (REMOVED)
   
   
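Review bot: two entries in this hunk stay inconsistent with the format the change is introducing: the changed line "130.185.72.89 support''@''parspack.com REMOVED" lacks the parentheses every other (REMOVED) entry carries, and the unchanged context line "180.131.147.100- abuse''@''nawala.org (REMOVED)" keeps a hyphen glued to the IP; write them as "130.185.72.89 support''@''parspack.com (REMOVED)" and "180.131.147.100 abuse''@''nawala.org (REMOVED)".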
Line 71: Line 71:
 
 
 
5.133.12.14 5.133.12.15 5.133.12.16 abuse@artnet.pl (REMOVED)
 
5.133.12.14 5.133.12.15 5.133.12.16 abuse@artnet.pl (REMOVED)
5.181.158.179 - abuse@mivocloud.com (REMOVED)
+
5.181.158.179 abuse@mivocloud.com (REMOVED)
5.187.52.12 - artnet.pl/kontakt (REMOVED)
+
5.187.52.12 artnet.pl/kontakt (REMOVED)
45.86.163.7 - support@crowncloud.net (REMOVED)
+
45.86.163.7 support@crowncloud.net (REMOVED)
 
45.119.41.11 45.119.41.12 45.119.41.14 abuse@swisslayer.com (REMOVED)
 
45.119.41.11 45.119.41.12 45.119.41.14 abuse@swisslayer.com (REMOVED)
82.199.101.44 - zapros@seven-sky.net (REMOVED)
+
82.199.101.44 zapros@seven-sky.net (REMOVED)
82.199.101.248 - zapros@seven-sky.net (REMOVED)
+
82.199.101.248 zapros@seven-sky.net (REMOVED)
80.233.134.249 - abuse@telia.lv (REMOVED)
+
80.233.134.249 abuse@telia.lv (REMOVED)
87.120.253.209 - abuse@neterra.net (REMOVED)
+
87.120.253.209 abuse@neterra.net (REMOVED)
89.222.128.42 - abuse@netorn.ru (REMOVED)
+
89.222.128.42 abuse@netorn.ru (REMOVED)
93.119.105.5 - abuse@virtono.com (REMOVED)
+
93.119.105.5 abuse@virtono.com (REMOVED)
 
89.222.128.42 abuse@netorn.ru (REMOVED)
 
89.222.128.42 abuse@netorn.ru (REMOVED)
94.156.175.107 - abuse@iws.co (REMOVED)
+
94.156.175.107 abuse@iws.co (REMOVED)
103.8.26.45 - abuse@internet-webhosting.com (REMOVED)
+
103.8.26.45 abuse@internet-webhosting.com (REMOVED)
103.42.58.58 - support@tgs.com.vn (REMOVED)
+
103.42.58.58 support@tgs.com.vn (REMOVED)
103.42.58.61 - support@tgs.com.vn (REMOVED)
+
103.42.58.61 support@tgs.com.vn (REMOVED)
103.92.25.124 - info@tlsoft.vn system@tlsoft.vn (REMOVED)
+
103.92.25.124 info@tlsoft.vn system@tlsoft.vn (REMOVED)
103.221.220.169 - hiendm@viettelidc.com.vn hm-changed@vnnic.vn (REMOVED)
+
103.221.220.169 hiendm@viettelidc.com.vn hm-changed@vnnic.vn (REMOVED)
119.59.123.55 - hoanglong@azdigi.com thachpham@azdigi.com (REMOVED)
+
119.59.123.55 hoanglong@azdigi.com thachpham@azdigi.com (REMOVED)
130.185.72.89 - support@parspack.com (REMOVED)
+
130.185.72.89 support@parspack.com (REMOVED)
141.98.10.136 - admin@serveroffer.lt (REMOVED)
+
141.98.10.136 admin@serveroffer.lt (REMOVED)
146.247.49.105 - https://my.netcetera.co.uk (REMOVED)
+
146.247.49.105 https://my.netcetera.co.uk (REMOVED)
159.148.186.165 159.148.186.167 - support@serveria.com helpdesk@latnet.eu (REMOVED)
+
159.148.186.165 159.148.186.167 support@serveria.com helpdesk@latnet.eu (REMOVED)
176.123.9.53 176.123.9.60 176.123.9.67 - https://support.swisslayer.com (REMOVED)
+
176.123.9.53 176.123.9.60 176.123.9.67 https://support.swisslayer.com (REMOVED)
185.9.158.37 - abuse@spd.net.tr (REMOVED)
+
185.9.158.37 abuse@spd.net.tr (REMOVED)
185.99.3.68 - abuse@global.ba (REMOVED)
+
185.99.3.68 abuse@global.ba (REMOVED)
185.128.42.106 185.128.42.108 185.128.43.22 185.128.43.54 - abuse@rackend.net (REMOVED)
+
185.128.42.106 185.128.42.108 185.128.43.22 185.128.43.54 abuse@rackend.net (REMOVED)
185.140.249.133 - contact@buzinessware.com (REMOVED)
+
185.140.249.133 contact@buzinessware.com (REMOVED)
185.140.249.133 - contact@buzinessware.com (REMOVED)
+
185.140.249.133 contact@buzinessware.com (REMOVED)
185.183.104.124 - abuse@m247.ro (REMOVED)
+
185.183.104.124 abuse@m247.ro (REMOVED)
 
 
   
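Review bot: this hunk carries duplicate entries: "185.140.249.133 contact@buzinessware.com (REMOVED)" is added twice in a row, and "89.222.128.42 abuse@netorn.ru (REMOVED)" appears both as a changed line and again as an unchanged context line a few entries later; keep one copy of each so the hosting list does not double-count those hosts.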

Revision as of 00:40, 3 August 2021

Description

A hijacked host works for somebody else, without the owner knowing it. The diagrams show examples of a hijacked machine being used as a proxy name server and proxy web server.

This occurs when a trojan has invaded the computer as a result of a security exposure. For example, the machine may have been connected to the Internet while it had a trivial password. A hijacker has broken into the system by applying the hundred most frequently used passwords to the "root" administrator ID, and one of them matched. He has installed the trojan, and it will abuse the host by using its computing resources and its bandwidth. Hijacking is an illegal, criminal act in any country.

[Diagram "Trojan ns": Hijacked Name Server example]

[Diagram "Trojan ws": Hijacked Web Server example]

Sample hijacked IPs

October 2020 - August 2021

EvaPharmacy NAME SERVER examples with abuse reporting address

2.184.67.164 abuse@ito.gov.ir
5.101.140.77 abuse@ukservers.com 
37.46.135.24 abuse@abusehost.ru
95.165.27.205 abuse@spd-mgts.ru
103.9.158.67 cuong.trinh@vnso.vn thao.nguyen@vnso.vn
103.28.149.174 support@easyway.co.id
103.92.25.124 info@tlsoft.vn system@tlsoft.vn
103.117.141.163 abuse@casbay.com
103.117.141.184 abuse@casbay.com
103.121.91.117 id@bkns.vn
103.126.6.161 abuse@serverstack.in
103.146.23.100 info@lanit.com.vn
103.147.153.123 abuse@shineservers.com
103.147.153.126 abuse@shineservers.com
103.228.114.93 odeoninfra@gmail.com
103.236.150.106 abuse@serverkeren.com
103.236.201.228 admin@idcloudhost.com
103.242.117.197 sales@machiwala.in
103.28.149.174 support@easyway.co.id
103.83.192.109 abuse.support@h4g.in
112.78.10.214 vanht@ods.vn
185.130.206.6 abuse@as61317.net
198.27.110.97 abuse@ovh.ca
202.145.2.67 abuse@uninet.net.id
209.127.28.5 abuse@servermania.com
103.138.96.86 hello@hostitsmart.in (REMOVED)
103.221.220.169 hiendm@viettelidc.com.vn hm-changed@vnnic.vn (REMOVED)
146.247.49.105 https://my.netcetera.co.uk (REMOVED)
178.239.177.183 abuse@irideos.it (REMOVED)
27.124.85.93 abuse@medialink.net.id (REMOVED)
45.86.163.7 support@crowncloud.net (REMOVED)
82.199.101.248 zapros@seven-sky.net (REMOVED)
93.119.105.5 abuse@virtono.com (REMOVED)
94.156.175.107 abuse@iws.co (REMOVED)
103.42.58.58 support@tgs.com.vn (REMOVED)
103.42.58.61 support@tgs.com.vn (REMOVED)
103.8.26.45 abuse@internet-webhosting.com (REMOVED)
119.59.123.55 hoanglong@azdigi.com thachpham@azdigi.com (REMOVED)
130.185.72.89 support@parspack.com (REMOVED)
171.244.143.163 soc@viettel.com.vn (REMOVED)
180.131.147.100 abuse@nawala.org (REMOVED)
185.140.249.133 contact@buzinessware.com (REMOVED)


EvaPharmacy HOSTING sites with abuse address

5.188.211.29 abuse@pindc.ru
51.89.151.227 abuse@ovh.net
84.200.77.180 abuse@accelerated.de
95.165.27.205 abuse@spd-mgts.ru
95.165.145.236 abuse@spd-mgts.ru
95.165.149.124 abuse@spd-mgts.ru
95.31.40.41 abuse-b2b@beeline.ru
103.135.128.72 abuse@gogetspace.com
185.24.232.134 abuse@servebyte.com

5.133.12.14 5.133.12.15 5.133.12.16 abuse@artnet.pl (REMOVED)
5.181.158.179  abuse@mivocloud.com (REMOVED)
5.187.52.12  artnet.pl/kontakt (REMOVED)
45.86.163.7  support@crowncloud.net (REMOVED)
45.119.41.11 45.119.41.12 45.119.41.14 abuse@swisslayer.com (REMOVED)
82.199.101.44  zapros@seven-sky.net (REMOVED)
82.199.101.248  zapros@seven-sky.net (REMOVED)
80.233.134.249  abuse@telia.lv (REMOVED)
87.120.253.209  abuse@neterra.net (REMOVED)
89.222.128.42  abuse@netorn.ru (REMOVED)
93.119.105.5  abuse@virtono.com (REMOVED)
94.156.175.107  abuse@iws.co (REMOVED)
103.8.26.45  abuse@internet-webhosting.com (REMOVED)
103.42.58.58  support@tgs.com.vn (REMOVED)
103.42.58.61  support@tgs.com.vn (REMOVED)
103.92.25.124  info@tlsoft.vn system@tlsoft.vn (REMOVED)
103.221.220.169  hiendm@viettelidc.com.vn hm-changed@vnnic.vn (REMOVED)
119.59.123.55  hoanglong@azdigi.com thachpham@azdigi.com (REMOVED)
130.185.72.89  support@parspack.com (REMOVED)
141.98.10.136  admin@serveroffer.lt (REMOVED)
146.247.49.105  https://my.netcetera.co.uk (REMOVED)
159.148.186.165 159.148.186.167  support@serveria.com helpdesk@latnet.eu (REMOVED)
176.123.9.53 176.123.9.60 176.123.9.67  https://support.swisslayer.com (REMOVED)
185.9.158.37  abuse@spd.net.tr (REMOVED)
185.99.3.68  abuse@global.ba (REMOVED)
185.128.42.106 185.128.42.108 185.128.43.22 185.128.43.54  abuse@rackend.net (REMOVED)
185.140.249.133  contact@buzinessware.com (REMOVED)
185.183.104.124  abuse@m247.ro (REMOVED)

Where to contact the compromised hosting ISP:

Abuse contact for '5.45.80.0 - 5.45.83.255' is 'abuse@ispiria.net'
Abuse contact for '5.133.12.14 - 5.133.12.15' is 'abuse@artnet.pl'
Abuse contact for '5.181.158.0 - 5.181.158.255' is 'abuse@mivocloud.com'
Abuse contact for '5.187.48.0 - 5.187.55.255' is 'abuse@artnet.pl'
Abuse contact for '5.253.60.0 - 5.253.63.255' is 'abuseto@adminvps.ru'  
Abuse contact for '31.200.247.0 - 31.200.247.255' is 'ripe@unelink.com'
Abuse contact for '45.86.163.0 - 45.86.163.255' is 'support@crowncloud.net'
Abuse contact for '45.125.65.0 - 45.125.65.255' is 'abuse@tele-asia.net'
Abuse contact for '79.172.193.0 - 79.172.193.255' is 'abuse@deninet.hu'  
Abuse contact for '82.199.104.0 - 82.199.107.254' is 'abuse@seven-sky.net'
Abuse contact for '84.200.77.0 - 84.200.77.255' is 'abuse@accelerated.de'  
Abuse contact for '85.254.72.0 - 85.254.72.255' is 'support@serveria.com'
Abuse contact for '89.222.128.0 - 89.222.131.255' is 'abuse@netorn.net' 'netorn.ru'
Abuse contact for '93.119.104.0 - 93.119.105.255' is 'abuse@virtono.com'
Abuse contact for '94.152.0.0 - 94.152.255.255' is 'abuse@kei.pl'
Abuse contact for '95.84.128.0 - 95.84.159.255' is 'abuse@rt.ru'
Abuse contact for '95.165.128.0 - 95.165.255.255' is 'abuse@spd-mgts.ru'
Abuse contact for '103.86.48.0 - 103.86.48.255' is 'abuse@bangmodhosting.com'
Abuse contact for '103.146.22.0 - 103.146.23.255' is 'hm-changed@vnnic.vn duc@lanit.com.vn' 
Abuse contact for '112.78.0.0 - 112.78.15.255' is 'vanht@ods.vn'
Abuse contact for '130.185.72.0 - 130.185.72.255' is 'report@parspack.com'
Abuse contact for '119.59.96.0 - 119.59.127.255' is 'abuse@metrabyte.cloud'
Abuse contact for '141.98.10.0 - 141.98.10.255' is 'admin@serveroffer.lt'
Abuse contact for '146.247.49.0 - 146.247.49.255' is 'abuse@netcetera.co.uk'
Abuse contact for '159.148.186.0 - 159.148.186.255' is 'support@serveria.com'
Abuse contact for '185.24.232.0 - 185.24.232.255' is 'abuse@servebyte.com'
Abuse contact for '185.128.40.0 - 185.128.43.255' is 'abuse@rackend.net'
Abuse contact for '185.140.248.0 - 185.140.249.255' is 'contact@buzinessware.com'
Abuse contact for '212.34.128.0 - 212.34.159.255' is 'abuse@axarnet.es'

Operating Systems - October 2010

In October 2010, the same hijacking process was still in use. Sample operating systems detected were:

  • Apache/2.2.4 (Unix) PHP/5.2.1
  • thttpd/2.25b 29dec2003
  • Microsoft-IIS/6.0
  • WebNet Modulex Web Server (c) 1998-2004 IO Technologies A/S
  • Apache/2.2.3 (CentOS)
  • Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
  • Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.1 with Suhosin-Patch

Notifying somebody about the intrusion

A typical example: vegasinternationalcasino.com. This is a scam that is redirected from a disposable domain.

xasisar.com 210.172.161.135 
name servers: 
NS1.NERIEMLARIS.COM 202.82.63.68 
NS2.HARTONGSHE.COM 210.115.61.211 

(If you don't know how to get these IP addresses, one way is shown in the section Hijacked_host#Sending.)

Do a whois look-up of the IP addresses

You can try with dnsstuff.com, but it might not give the addresses. In most cases it is useful: put the IP address in the "IPWHOIS Lookup" field, and when you get the results, click the link to show the email addresses.

The following example uses the Unix commands.

whois 210.172.161.135

gives no email address, only the handle TW184JP for [Technical Contact], so use the command:

whois -h whois.nic.ad.jp TW184JP 

Let's go to 202.82.63.68 - relevant details from the whois output:

% [whois.apnic.net node-2] 
tech-c: TA114-AP 

There are also other tech-c lines later, but we'll see this one is enough. Use the command:

whois -h whois.apnic.net TA114-AP 

And you'll get

tech-c: NOC18-AP 
tech-c: JL1059-AP 
tech-c: DL430-AP 
(and their addresses) 

Actually in this case the NOC address was already in the first reply, but that isn't always enough. Also, usually you don't have to use a specific WHOIS server - for example:

whois TA114-AP

but I used it here as a "worst case" example. In the case of TW184JP the server was absolutely necessary.
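The lookup chain just described (run whois on the IP, read the tech-c handle or the bracketed JPNIC contact code out of the reply, then query the right server for that handle) is easy to get wrong by hand when the reply is long. The script below is an added example, not code from the Fraud Reports Wiki page: it parses a raw whois reply, picks the server named in the reply's own banner, and builds the follow-up `whois -h <server> <handle>` commands. Both sample replies are constructed to have the shape of APNIC and JPNIC output; the only server name taken from the page is whois.nic.ad.jp, and nothing here touches the network.

```python
"""Turn a raw whois reply into the next whois command(s) to run."""
import re
from typing import Any, Dict, List, Optional

# Constructed: the shape of an APNIC reply, with a node banner and RPSL attributes.
SAMPLE_APNIC_REPLY = """\
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
descr:          Example ISP (constructed record)
country:        ZZ
admin-c:        TA114-AP
tech-c:         TA114-AP
tech-c:         NOC18-AP
abuse-mailbox:  abuse@example.net
mnt-by:         MAINT-EXAMPLE
"""

# Constructed: the shape of a JPNIC reply, where contacts are codes in bracketed fields
# and no banner names the server (the TW184JP case on the page).
SAMPLE_JPNIC_REPLY = """\
[ JPNIC database provides information regarding IP address and ASN. ]
Network Information:
[Network Number]            203.0.113.0/24
[Organization]              Example Corporation (constructed record)
[Administrative Contact]    TW184JP
[Technical Contact]         TW184JP
"""

SERVER_BANNER = re.compile(r"^%\s*\[(?P<server>whois\.[\w.-]+)")
RPSL_ATTR = re.compile(r"^(?P<key>[\w-]+):\s*(?P<value>\S.*?)\s*$")
JPNIC_ATTR = re.compile(r"^\[(?P<key>[^\]]+)\]\s+(?P<value>\S.*?)\s*$")

# JPNIC field names mapped onto the RPSL attribute names the other registries use.
JPNIC_KEYS = {"Technical Contact": "tech-c", "Administrative Contact": "admin-c"}
HANDLE_KEYS = ("admin-c", "tech-c", "abuse-c")      # need a second lookup
MAILBOX_KEYS = ("abuse-mailbox", "e-mail")           # can be written to directly


def parse_whois(reply: str) -> Dict[str, Any]:
    """Return the server named in the banner (if any) and every contact attribute, in order."""
    server: Optional[str] = None
    contacts: Dict[str, List[str]] = {}
    for line in reply.splitlines():
        m = SERVER_BANNER.match(line)
        if m and server is None:
            server = m.group("server")
            continue
        m = RPSL_ATTR.match(line)
        if m:
            key, value = m.group("key").lower(), m.group("value")
        else:
            m = JPNIC_ATTR.match(line)
            if not m or m.group("key") not in JPNIC_KEYS:
                continue
            key, value = JPNIC_KEYS[m.group("key")], m.group("value")
        if key in HANDLE_KEYS + MAILBOX_KEYS:
            bucket = contacts.setdefault(key, [])
            if value not in bucket:          # the same handle often fills admin-c and tech-c
                bucket.append(value)
    return {"server": server, "contacts": contacts}


def followup_commands(reply: str, default_server: Optional[str] = None) -> List[str]:
    """One `whois -h <server> <handle>` per distinct contact handle in the reply.

    The server comes from the reply's own banner; when the reply carries none
    (JPNIC), the caller supplies it, otherwise the plain `whois <handle>` form is used.
    """
    info = parse_whois(reply)
    server = info["server"] or default_server
    commands: List[str] = []
    for key in HANDLE_KEYS:
        for handle in info["contacts"].get(key, []):
            cmd = f"whois -h {server} {handle}" if server else f"whois {handle}"
            if cmd not in commands:
                commands.append(cmd)
    return commands


def mailboxes(reply: str) -> List[str]:
    """Addresses in the reply that can be contacted straight away, with no second lookup."""
    info = parse_whois(reply)
    return [addr for key in MAILBOX_KEYS for addr in info["contacts"].get(key, [])]


if __name__ == "__main__":
    for name, reply, server in (("APNIC", SAMPLE_APNIC_REPLY, None),
                                ("JPNIC", SAMPLE_JPNIC_REPLY, "whois.nic.ad.jp")):
        print(name, "mailboxes:", mailboxes(reply))
        for cmd in followup_commands(reply, default_server=server):
            print("  next:", cmd)
```

To use it on a real reply, pipe the output of `whois <ip>` into a file and pass its contents to `followup_commands`; for a registry with no banner, pass `default_server` explicitly, as the page does with `whois -h whois.nic.ad.jp`.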

Sending

Send these people friendly messages that their customers should clean up the computer at that IP address immediately and make it more secure in the future, by changing administrator passwords. Sample messages follow for each type of hijack operation.

If you like, you can give them extra info:

  • In the case of WWW, give them the domain name, because most spamvertised sites don't work with a raw IP. In many cases the spammers cycle "their" servers so fast that this info will be obsolete by the time your message is read, but it gives credibility anyway. For example:
    • dig +trace kidbopcd.com
kidbopcd.com.           600     IN      A       200.170.112.252
  • In the case of name servers, add the DNS lookup that led you to the IP, for example:
    • dig +trace kidbopcd.com
kidbopcd.com.           172800  IN      NS      ns1.obtundert.com.
kidbopcd.com.           172800  IN      NS      ns1.suffoccateter.com.
kidbopcd.com.           172800  IN      NS      ns2.excentriccod.com.
kidbopcd.com.           172800  IN      NS      ns2.terkclass.com.
    • dig ns1.obtundert.com
ns1.obtundert.com.      172422  IN      A       203.129.232.82

Example of hijacking

For information on the hijacking of Windows machines, see the sections on Storm and Botnet hosting.

This section describes hijacking of Linux machines.

On February 28th, 2007, one of Alex Polyakov's My Canadian Pharmacy web sites was running using these hijacks:


Name Server configuration

Name Server               Hijacked IP       Crime Sponsoring Registrar
ns1.ourboycot.com         [63.223.11.14]    Moniker.com
ns1.perceivablenut.com    [63.223.11.14]    Beijing Innovative Linkage Technology
ns2.grisaillesag.com      [210.34.0.101]    Beijing Innovative Linkage Technology
ns2.transitstars.com      [64.94.117.200]   DSTR Acquisition (blackhole address)


Hijacked web and image servers

Web Site IP        Image Server IP
[163.14.20.71]     [85.17.4.29]


Summary

Two compromised machines are used as proxy name servers at [63.223.11.14] and [210.34.0.101]
Two compromised machines are used as proxy web server [163.14.20.71] and proxy image server [85.17.4.29]




In October/November 2007, the image server strategy changed. Instead of being spread over up to 5 image server IPs at a time, rotating 3 or 4 times a day, there was just one fixed address for all image serving:

88.255.90.42 running Server: Apache/2.2.3 (Fedora)

This IP address is at the top end of a range administered in Turkey:

inetnum:        88.255.90.0 - 88.255.90.255
netname:        AbdAllah_Internet
descr:          AbdAllah Internet Hizmetleri
descr:          Etnografya Muze mevkii Kirazlik Mh. No:32 Rize

The person responsible for that IP range is given as:

person:         Mahmod AbdAllah el Gashmi
address:        AbdAllah Internet Hizmetleri
e-mail:         ipadmin@ahlen.biz
phone:          +90 543 3767728

The complaints department is listed as:

Routing and peering issues: ipadmin@ahlen.biz
SPAM and Network security issues: abuse@ahlen.biz
Customer support: ipadmin@ahlen.biz
General information: ipadmin@ahlen.biz

Attempts to contact this ISP and their upstream provider, Turk Telecom, have so far been fruitless. The contact details for Turk Telecom are listed as:

role:           TT Administrative Contact Role
address:        Turk Telekom
address:        Bilisim Aglari Dairesi
address:        Aydinlikevler
address:        06103 ANKARA
phone:          +90 312 313 1950
fax-no:         +90 312 313 1949
e-mail:         abuse@ttnet.net.tr

Sample Hijacked Web Server alert message


Please read this message carefully.

You are receiving this email because you are responsible for IP address xxx.xxx.xxx.xxx

Your contact email address is listed at 
> whois xxx.xxx.xxx.xxx where xxx.xxx.xxx.xxx is the IP address

The machine at this address has been hijacked, and an extra process called "uirqd" 
has been installed.
This process is running many web sites as shown by the command

ping example.com
> Pinging example.com [xxx.xxx.xxx.xxx] with 32 bytes of data
or by visiting http://example.com
 
Action required

1. locate the machine at this IP address
2. change the root and any administrator passwords to make them more secure
3. shutdown the machine, and restart

Alternatively, you can issue the commands to display the process id and kill it:

ps wax | grep "irqd"
kill <pid> 
 [where <pid> is the process-id displayed by the ps command]

If you are not the administrator, please forward this information 
to the administrator.

Thank you from the Pharmacy Alert Security Team

Sample Hijacked Image server alert message (Obsolete)


Please read this message carefully.

You are receiving this email because you are responsible for IP address xxx.xxx.xxx.xxx

Your email address is listed at 
http://www.dnsstuff.com/tools/whois.ch?ip=xxx.xxx.xxx.xxx&email=on

The machine at this address has been hijacked, and an extra process has been installed.
This process is running many web sites as shown by these URLs:
 
http://xxx.xxx.xxx.xxx:8080/images/mcp/pp_general.jpg
http://xxx.xxx.xxx.xxx:8080/images/mcp/logo.jpg

Action required

1. locate the machine at this IP address
2. change the root and any administrator passwords to make them more secure
3. shutdown the machine, and restart

Alternatively, you can issue the commands to display the process id and kill it:

ps wax | grep "tirqd"
kill <pid> 
 [where <pid> is the process-id displayed by the ps command]

If you are not the administrator, please forward this information to the administrator.

Thank you from the Pharmacy Alert Security Team
For more information view
http://pharmalert.zoomshare.com/

Sample Hijacked Name Server alert message


Please read this information carefully. It concerns a security breach on your computer.

On your IP address at xxx.xxx.xxx.xxx there is a trojan proxy name server installed, that is being used
by a pharmacy spamming gang to provide access to illegal web sites.

You can prove it with this link

http://www.dnsstuff.com/tools/traversal.ch?domain=onespammedsite.com&type=A
>> ns1.dnsserver1.com [xxx.xxx.xxx.xxx] << your address
>> ns2.serverdsn2.com [xxx.xxx.xxx.xxx] << your address

http://www.dnsstuff.com/tools/traversal.ch?domain=otherspammedsite.info&type=A
>> ns1.hackedsvr.com [xxx.xxx.xxx.xxx] << your address
>> ns2.dnshacked.com [xxx.xxx.xxx.xxx] << your address


DISCOVERY AND REMOVAL
To discover the name of the trojan, you need to find the user process
attached on udp port 53 (DNS)

  fuser -n udp 53

The response will contain the pid of the process, for example 1234
Use that process ID to find the name, for example using the Linux command

ps wax | grep 1234

You will find it there. You can issue the "kill" command to terminate it.

One possible name used by the hackers for the trojan is uirqd, but it may vary.

For a trojan to be installed, there is usually a trivial password on the root or administrator account.
It should be changed to a non-trivial password to avoid further break-ins, before deleting the trojan process.

If you are not the administrator for this machine, please forward on these instructions.

Thank you from
The Pharmacy Alert Security Team
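The discovery step in the message above (`fuser -n udp 53`, then `ps wax | grep <pid>`) is the part an administrator is most likely to fumble, and on a hijacked host `fuser` may be missing or may itself have been swapped out. The script below is an added example, not code from the Fraud Reports Wiki page or from the Pharmacy Alert team: it does the same two steps by reading /proc/net/udp and /proc/<pid>/fd directly, so it depends on nothing but the kernel's own view of sockets. parse_udp_table() is pure parsing and is shown on a constructed /proc/net/udp snapshot; socket_owners() and report() walk a live Linux /proc and need root to see other users' processes, exactly like fuser. It assumes a little-endian host (x86, arm64) for the IPv4 decode.

```python
"""Find the process behind a UDP port 53 listener using only /proc."""
import os
import socket
import struct
from typing import Dict, Iterable, List

DNS_PORT = 53

# Constructed snapshot of /proc/net/udp: a listener on 0.0.0.0:53 (socket inode 24680)
# and an unrelated NTP socket on 127.0.0.1:123 (inode 13579).
SAMPLE_PROC_NET_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 24680 2 0000000000000000 0
  202: 0100007F:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 13579 2 0000000000000000 0
"""


def decode_ipv4(hex_addr: str) -> str:
    """/proc/net/udp prints the IPv4 address as 8 hex digits of a host-order 32-bit int."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))   # little-endian host assumed


def parse_udp_table(text: str, port: int = DNS_PORT) -> List[Dict[str, object]]:
    """Return every socket bound to `port` from the text of /proc/net/udp."""
    found: List[Dict[str, object]] = []
    for line in text.splitlines()[1:]:            # line 0 is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")   # local_address column
        if int(port_hex, 16) != port:
            continue
        found.append({
            "local": f"{decode_ipv4(ip_hex)}:{port}",
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return found


def socket_owners(inodes: Iterable[int], proc_root: str = "/proc") -> Dict[int, Dict[str, str]]:
    """Map socket inodes to the pid and command name holding them (live Linux only)."""
    wanted = {f"socket:[{inode}]": inode for inode in inodes}
    owners: Dict[int, Dict[str, str]] = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                           # no permission, or the process is gone
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in wanted:
                with open(os.path.join(proc_root, pid, "comm")) as fh:
                    comm = fh.read().strip()
                owners[wanted[target]] = {"pid": pid, "comm": comm}
    return owners


def report(proc_root: str = "/proc", port: int = DNS_PORT) -> List[str]:
    """One line per listener on `port`, in the spirit of fuser + ps: address, uid, pid, command."""
    with open(os.path.join(proc_root, "net", "udp")) as fh:
        sockets = parse_udp_table(fh.read(), port)
    owners = socket_owners(int(s["inode"]) for s in sockets)
    lines = []
    for s in sockets:
        who = owners.get(int(s["inode"]), {"pid": "?", "comm": "(not visible: run as root)"})
        lines.append(f"{s['local']} uid={s['uid']} pid={who['pid']} comm={who['comm']}")
    return lines


if __name__ == "__main__":
    # On a real host, run as root.  A command name that is not the expected
    # resolver (the message above names uirqd as one seen) is what to investigate.
    for line in report() or ["no UDP/53 listener found"]:
        print(line)
```

The parse-then-join design keeps the table parser testable offline; on a live host, a listener whose owner stays "?" even as root is worth a second look, since a process hiding its fd table is itself a sign of tampering.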

Relentless pursuit

You can even follow up later: if those people are alert, or if the spammers change the IP for another reason, you can repeat this with the new IP.


Known hijacking operations

Operations that are known for persistent hijacking of name servers, web site servers and image servers are