If you found this site helpful, please donate to help keep
Don't want to use PayPal? Try our physical
| FREE LICENSE
||The CastleCops Free License giveaway is
underway. The ENTRY PERIOD begins on 10:00 PM Eastern Standard Time
on September 8, 2004 and ends on 10:00 PM Eastern Standard Time on
September 22, 2004. Go here for complete details and
Joined: Jun 30, 2004
|Posted: Wed Jun
30, 2004 12:20 pm
Post subject: How was I hijacked???
|Spent hours on
this, going nowhere quickly. |
The PC is a WinXP box,
fully patched, routinely checked with Spybot 1.3 and AdAware
6. I run SpywareBlaster as well. I also use Thunderbird 0.6
and Firefox 0.8. All other family members run Thunderbird on
this box. IE6 has not been removed, but is fully patched.
Norton Antivirus Corporate Edition 9.0, AV file
6/25/2004 r19 is running and I've scanned the entire PC twice
in safe mode. (ZIP files are scanned 10 deep)
I use a
Netgear FVS318 to interface to my Verizon DSL account.
The events as they happened.
1. My son read
his email via the web. It included e-cards. He read them.
Doesn't remember where they took him, nor does he remember if
he used IE6 or Firefox.
2. Long screaming session
about things TO do and things NOT to do while on the internet.
278th time. Disabled his account.
3. Mis-typing a URL
will now take me automatically to http://www.netidentity.com/ with the
mistaken URL clearly identified inside. Identical results on
I leave IE6 alone. I use it when I absolutely must go to some
bogus activex site, oh, and windowsupdate. But I don't use it
otherwise. I always use Firefox.
URLs that caused this
include: mapblast, mapquest, abc, def ... through xyz.
Please note: I had typed "mapblast" but had hit Enter
rather than Ctrl-Enter, by mistake. The URLs entered are
literally those listed, just the word.
They are then
transformed to http://mapblast/
NOTE: When I ran
appended. These are normally off on my machine. Sorry that I
didn't write it down.
4. SAV CE, Spybot, AdAware,
SypwareBlaster were all checked for updates and the entire
system was scanned. Nothing found.
** My immediate
thought was that Network Solutions was up to their
tricks with it's Site Finder business. A quick check of
another PC in the house eliminated that. It works normally.
5. I checked my syslogs and NULL routed the IP address
being used to access http://www.netidentity.com./ The same page
comes up sans the graphics and the flash. Another check of the
syslogs brings up 184.108.40.206 as generating the pages,
apparently a well known open proxy registered to Mailbank.com.
It's all the same company in Reno, NV.
** Ran whois,
and then looked up the physical addresses. Nothing
truly surprising ... except that the same business address is
** also used for: "Absolute Swine Insemination"
6. Also ran HiJackThis
and went through ALL of the items on it. Nada. Couldn't find
the IP addresses or domain names in the registry. I also ran
them in reverse notation. Nada.
7. Checked my network
settings to make certain that some new DNS server wasn't stuck
in. Nope, still set to use the Netgear box. Put 4 different
DNS servers in -- still get that stupid site.
Spybot 1.3, I reviewed the browser search pages. Each of them
are what I would consider standard pages. In fact, all of them
are identical to the ones that I have at work, sans the compaq
pages. I built my PC at home.
9. Ran latest
CWS_Shredder. Nothing found.
10. Their exploit works
while in "Safe mode w/Networking". Makes me believe that it is
not a DLL or EXE related. Is that true?
enabled. The cookie includes the bad URL (http://mapblast/)
and has "he" <tab> "llo" at the end. I found lots of
little pop under scripts on the internet that are using a
similar technique. None of them talk about using the exploit
in this manner.
12. When run using IE6, another IE
window is displayed on the Taskbar, but it will not maximize.
What little bit I can read of the button displays fastclick.
saw in item 11.
OK, how are they hiding this? I have
searched ALL files on my computer for the word "fastclick",
"netidentity" as well as these IP addresses, but nothing.
I ran sysinternals filemon to look for something
common between the browsers, but I was overwhelmed by the
flood of information. Wonderful tool, but kind of like reading
firewall logs, great if you're looking for something specific.
I need a summary to display something out of the ordinary.
I have NULL routed the netidentity.com domains and set
up a static route to a non-existant IP address for the time
being. But NOT knowing what truly IS happening makes me wonder
if I don't have a keylogger or worse installed.
I don't know if this is just simple adware, or site tracking,
I also don't know if it isn't also a keylogger or worse. I am
treating it as if it was worse.
In the meantime, the
PC is off.
And I am bumming, and quickly falling
behind in work I need to do at night. Any suggestions as to
where to look next. Would also appreciate any constructive
comments on my troubleshooting techniques, as I do this for a
Joined: Jul 29, 2004
|Posted: Thu Jul
29, 2004 1:10 am Post
subject: One possibility on the "Netidentity.com"
|I came at it
from the other direction. |
I regularly download obvious
viruses, trojans and porn-dialers to test my antivirus
program. The latest "Hillary Duff Naked" (probable
porn-dialer) didn't trip McAfee, which both surprised and
Looking inside the file, it's mostly
bitmaps or something regular, but at the end is some text
saying XXXSCR (triple-X screensaver) and Solis.org, which
diverts to http://www.netidentity.com./ The only thing
I see on their pages is a Shockwave Flash thingie which
purports to be "scrolecode". There's no obvious malicious code
on any of the pages I hit. I see the Fastclick popunder code,
but there's nothing in it.
Anyone slamming huge
numbers of Usenet groups with XXX screensavers (if that's what
it really is) oughta be shot. Period. They're only 3 floors up
from the Attorney General's office. Should we tip him off that
there's a miscreant right over his head?
Doing a quick
net search on the street address popped up:
Fine - The Science of Getting Rich!
350 South Center Street
Reno, NV 89501 USA
World Reach Corporation
350 South Center
Reno, NV 89501
Repeat spammer-for-hire, formerly
known as Empire Towers. Tells clients that all their lists are
opt-in, refuses to honor remove requests,
to different domains and providers.
worldreach.com worldreach1.com worldreach.cc refree.com
webhostingpros.net cramz.net yourfinesite.com jetsonville.com
masteragents.com poplaunch.com empiretowers.com
There's also a bunch of other names at the same
address, like NamePlanet.com, Public Safety Information
Systems, Quest, Kotan Publishing, HMX Inc, 1st Corporate
Financial LLC, World Trade Group Inc, Exclusive Entertainment
Production Group, and the list goes on. Looks a lot like a
holding company or shell.
So it wouldn't surprise me
at all that they're now doing IE hijacks. I'm not ballsy
enough to enable plug-ins on a site like this from my main
machine. From their past history above, I'd suspect they
manage to rob your address book and add it to their "known
good" spam list, which probably gets sold to other spammers on
a regular basis.
The current IE-Spyad list blocks all
of the domains that I could find.
Joined: Jun 30, 2004
|Posted: Tue Aug
03, 2004 11:36 am
was mine ... sort of. |
NetIdentity is a real domain
squatter by design. If you want the email address of Jeffrey@domain.com, well,
they need to have "domain.com" registered.
have TONS of them.
I had setup a domain within my
house, that did not LEAVE the house and was not accessible
from the outside, MONTHS ago. No problem. My main Pc and this
one test Pc had that domain installed in them.
test pc is long gone and I neglected to remove the test
domain, adrian.net from my home pc.
So, since WinXP
will append the domain to anything they cannot find ... I
ended up at the netidentity site over and over and over.
The problem was not them, it was my networking that
was the problem. Once I acted a little more legitimate, all
Sorry for not getting back to this post.
Joined: Aug 14, 2004
|Posted: Sat Aug
14, 2004 2:05 am Post
subject: NOTHING to do with spam, hijacking, XXX
|Wow, what a
HUGE -- and totally wrong -- assumption has been made here.
I work with Rebecca and her company, Certain Way
Productions Inc., and it is a publishing company that has
nothing to do with anything mentioned in your post. The only
connection at all is a shared mailing address.
that's because many businesses use the services of Corporate
Service Center Inc. in Reno, NV. The company provides
corporate offices, mail and phone services to Nevada
Corporations whose owners live in other places. (They also set
up corporations, provide registered agent service, and more.)
If there are spammers or otherwise unsavory companies
also using those services, that has NOTHING to do with the
totally separate other companies who are clients of CSC: http://www.corporateservicecenter.com/
Seems like it would be a smart idea to check your
facts before publishing potentially libelous assumptions like
||All times are
GMT - 5 Hours|
cannot post new topics in this forum|
reply to topics in this forum
You cannot edit your posts
in this forum
You cannot delete your posts in this
You cannot vote in polls in this forum
cannot attach files in this forum
You can download
files in this forum
2.0.10 © 2001 phpBB