Posts tagged: data

Google notify not working?

January 13, 2009 14:03

Are you one of the folks who has a Google email account? They are not hard to find, very easy to get, and many folks find them very handy. But for most Windows users, trying to adopt a webmail service such as Gmail in place of a typical client like Outlook Express can cause some problems.

Enter Google Notify. It's a great little tool that simply monitors email requests (such as clicking an email link on a web page) and redirects them to your Gmail account. No more Outlook Express popping up when you click an email link. Now the request opens a Gmail compose message, and it seems to work very well. It will also tell you when you have new mail!

What if it doesn’t work?


Seasons Greetings

December 23, 2008 09:49

From my family to yours, I wish you the best of the holiday season. Please drink responsibly and compute responsibly!

Merry Christmas

and

Happy New Year

As part of our holiday spirit we are offering 50% off our computer repair services (see our new site in the new year, which will link to this site). Yes, that means $30.00 instead of our regular $60 for in-house work, and $35.00 for our mobile services instead of $70.00. The offer ends January 15th, so call or email before then and book your appointment!! So some people ask, what do I do?

First, I am an A+ certified, MCSE carrying computer expert. I am familiar with most operating systems, including several of the popular Linux distributions.

I am also a certified low-voltage technician who specializes in security and networking. I support any wired (or wireless) product. I am proficient with security systems, surveillance systems and telephone systems, in addition to your typical computer systems. My company sells a fully integrated solution that marries all your systems to work together, improves automation, reduces false alarm issues, improves legal documentation, and helps you sleep better. Serious solutions that WORK.

I do hardware diagnostics and repair. From laptops to servers, any computer can be diagnosed and fixed from our in-house repair depot. Even if the PC DOES NOT BOOT, we can diagnose the problem.

I also do data backup, recovery and restoration. We can recover deleted files and filesystems. If you use our restoration services, I will also provide you with a custom backup solution, so that you never have to worry about losing your data EVER. Many folks do not pay much attention to this service, but we have saved many important pictures from being lost forever.

I also do malware discovery and removal. I have spent the last several years studying malware and how to remove it. We also provide effective security products to eliminate the risk of infection. We would rather spend time making your computer do more things than fixing these issues, so we do NOT just clean it and forget it.

I also design and provide intrusion detection systems for individual networks. Whether you're a small home network with a few users or a large data center with hundreds of users, our products are designed not to impact your network performance, to provide you with the information to enforce policies, and to ensure your networks are not being used by the bad guys.

Additionally, I have built many custom computers for various needs: personal video recorders, network-accessible storage, home theatre PCs, high-end gaming rigs, and dedicated process servers (file servers, streaming servers, digital video recorders, etc.).

No problem is too big and no request is impossible. Contact me via email for any questions you may have.


Apple’s Lack of Security Awareness Appalling

December 15, 2007 10:38

Finally, a “critical” Java runtime update from Apple, by ZDNet’s Ryan Naraine — Apple has shipped a long-overdue Java runtime update to plug at least 30 vulnerabilities that expose Mac OS X users to remote code execution attacks.

This article really only highlights the issue. Quicktime has had (and still has) so many bugs that I’d simply deem it the ‘Buggiest and Most Insecure Application of ALL TIME’. Anyone who uses Quicktime should REMOVE IT immediately, and then clean their system. I’d even recommend cleaning the registry of any APPLE or QUICKTIME entries, something I’m typically loath to do under any circumstances. Apple simply seems not to understand the security climate in today’s world, or doesn’t care about its users. Either way, it’s reprehensible that they are doing so well in the technology markets without putting security first.

Apple could learn a lot from Microsoft on this. I’m not saying Microsoft’s approach is superior, I’m just saying it’s actually far more committed to keeping its user base informed. Apple seems to prefer just keeping us in the dark, or, to use an analogy, they prefer to keep the apples on the tree so they don’t bonk someone on the head and perhaps wake them up to reality. Apple’s products and OS are really insecure! This is like many ignorant companies that seem to think ‘if we have a security breach, we keep it secret’, and this is the approach I find criminal. I for one am lobbying governments to change this, and FORCE ANYONE with sensitive data or source code to proprietary OS’s to FULLY DISCLOSE vulnerabilities to reduce one’s exposure to 0-day attacks.

It took Apple 6 months (!!!!) to come up with the latest patch, and it didn’t fix all of them; actually, of the 30 it claimed, only 18 are TRULY fixed. I’d call it lying… I don’t mix my fruit up.


Shaw offering Free Broadband for a Year? Or a Phisher?

November 9, 2007 12:53

Really? A FREE YEAR of Broadband?!? Nobody gives away a free year…

Recently I’ve received copies of a phishing attempt that looks like it’s from Shaw (a cable/internet/telephone service company in Canada). This phishing attempt is similar to the eBay and banking phishes of the recent past, in that it does NOT resemble a ‘real’ email; rather, it is a fictional email designed to get people excited. In this case, instead of warning the user, it tries to provoke a positive reaction from “getting free internet for a year”. Whoopie! A year’s worth of internet from Shaw isn’t that expensive. Phishing attempts are typically NOT viral or malware oriented, but certainly can and do use such methods. In this case it looks like standard email spam sent via exploited web sites.

This is a sophisticated method. It uses a similar style to Shaw’s own correspondence and uses a legitimate, if inappropriate, email address. The email was generated and sent using multiple methods, so tracking it will be harder to accomplish. Below I show the details of the spam and my analysis. Our whois data is included in the rest of the article.

First off, I will point out the RED FLAGS in this phishing attempt:

#1 – “A Free Year of Broadband” – This doesn’t make sense. Shaw has trademarks and service marks that it would use to advertise its broadband internet service. Only someone ignorant of Shaw’s trademarks would say this. It’s really unlikely that anyone who actually works for Shaw would make this error.

#2 – Canadian law states that any ‘contest’ or ‘giveaway’ must contain details of said event. In most cases it’s prudent to state whether or not the contest is allowed in Quebec, since the law there is vastly different, and Quebec law generally does NOT allow this type of contest. (Disclaimer: I’m in no way a lawyer, but I am aware of consumer rights.) Missing the disclaimer is a definite flag.

#3 – The email that is seen in the From: header is not a normal Shaw correspondence email account.

#4 – The link clearly shows a ‘secure’ link, but in no way is it going to a ‘secure’ site.

#5 – Typical email headers (on email from Shaw) are missing.

So just upon a quick review of this email we can deduce that it’s not a valid email. To get more pertinent details I’ll analyze these emails in detail. I won’t paste the email headers in their entirety; any redacted detail will be shown as ‘XXXXXXXX’ to avoid email harvesting, but I will show you which details were more noteworthy.

The Return-Path was interesting. One was apache@utel16.besthosting.com.ua, the other one was nobody@omega.omc.net.

This would indicate to me that the web server sent this email, and in typical hosting fashion, it would be doing so via script on one of the hosts or virtual hosts on the system.

None of the Received headers would indicate anything unexpected here; “omega” even has SSL/TLS enabled, but with verify set to no.

The header in one of the emails is very interesting:

Date: Thu, 08 Nov 2007 20:49:28 +0200
From: "Shaw Communications Inc." service@shaw.ca
Subject: Win a year of free broadband
To: XXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id: XXXXXXXXXXXXXXXXX@utel16.besthosting.com.ua
MIME-version: 1.0
Content-type: text/html
X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146

The date and time indicate an Eastern European time zone. I know Shaw doesn’t have any servers in Europe…

The X-PHP-Script header shows a very interesting detail of where this email came from. We’ll come back to this IP in a bit. But this is a key indicator of an exploited web site at a hosting company or something similar. This IP definitely hosts a web server, with the above-mentioned user account, but at the time of checking, this link generated an error.

The “for” address, 82.208.212.146, is interesting, as it resolves to:

whois -h whois.geektools.com 82.208.212.146 …
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '82.208.212.0 - 82.208.212.255'

inetnum: 82.208.212.0 - 82.208.212.255
netname: ITSOLUTIONSNET
descr: ITSolutions, Obrenoviceva 124 4/10
descr: 18000 Nis
descr: Serbia and Montenegro
country: CS
admin-c: IS1188-RIPE
tech-c: AZ919-RIPE
status: ASSIGNED PA
mnt-by: PTTSRBIJANET-MNT
source: RIPE # Filtered

person: Ivan Stankovic
address: ITSolutions
address: YU
e-mail: i.stankovic@my-its.net
phone: +38118512796
fax-no: +38118512797
nic-hdl: IS1188-RIPE
source: RIPE # Filtered

person: Aleksandar Zakic
address: ITSolutions NET
address: CS
e-mail: a.zakic@my-its.net
phone: +381-63-222-361
fax-no: +381-18-512-797
nic-hdl: AZ919-RIPE
source: RIPE # Filtered

% Information related to '82.208.192.0/19AS13091'

route: 82.208.192.0/19
descr: JP PTT Srbija
descr: PTT Srbija Net
origin: AS13091
mnt-by: PTTSRBIJANET-MNT
source: RIPE # Filtered

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.

Reviewing the other IP address in the X-PHP-Script header gives us this info:

whois -h whois.geektools.com 213.186.117.120 …
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '213.186.117.0 - 213.186.117.143'

inetnum: 213.186.117.0 - 213.186.117.143
netname: UTEL-DC5
descr: Utel DataCenter networks. Colocation
country: UA
admin-c: UNOC-RIPE
tech-c: UNOC-RIPE
status: ASSIGNED PA
mnt-by: AS6877-MNT
remarks: INFRA-AW
source: RIPE # Filtered

role: Utel NOC
address: 101, Volodymyrska str.
address: 01033, Kyiv, Ukraine
phone: +380 44 2359001
fax-no: +380 44 2304560
e-mail: noc@utel.net.ua
admin-c: OLE-RIPE
tech-c: BES100-RIPE
tech-c: OLE-RIPE
tech-c: JIM-RIPE
tech-c: ALT-RIPE
tech-c: UHM-RIPE
nic-hdl: UNOC-RIPE
mnt-by: AS6877-MNT
source: RIPE # Filtered

% Information related to '213.186.112.0/20AS16124'

route: 213.186.112.0/20
descr: Utel DataCenter, Ukraine
origin: AS16124
mnt-by: AS6877-MNT
source: RIPE # Filtered

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.

So, it looks like someone, possibly in Serbia and Montenegro, ran a cross-site script residing on a server in Ukraine against utel16.besthosting.com.ua, which sent the email. One would actually have to test this out to confirm it, which I have not done. This is a dangerous step I decided to avoid for brevity.

Looking at another similar email we see:

Date: Tue, 06 Nov 2007 23:24:54 +0100 (CET)
From: "Shaw Communications Inc."
Subject: Win a year of free broadband
To: XXXXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id:
MIME-version: 1.0
Content-type: text/html
X-Authentication-warning: omega.omc.net: Host localhost.omc.net (127.0.0.1) claimed to be omega.omc.net

But we can see the authentication warning from this server. No further detail, unfortunately.
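As an added example (not part of the original post), here is a Python triage script that applies the red flags discussed above to the two header sets: envelope sender versus From domain, where the Message-ID was generated, the X-PHP-Script and X-Authentication-Warning headers, the Date offset against the claimed sender's time zones, and body links whose visible text and real target differ or that point at an executable. The samples are constructed from the headers quoted in the post; the recipient, Message-ID and href values are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed samples modelled on the two header sets quoted in the post; the
# recipient, Message-ID and href values are placeholders, not the real messages.
SAMPLE_ONE = """\
Return-Path: <apache@utel16.besthosting.com.ua>
Date: Thu, 08 Nov 2007 20:49:28 +0200
From: "Shaw Communications Inc." <service@shaw.ca>
Subject: Win a year of free broadband
To: recipient@shaw.ca
Reply-to: service@shaw.ca
Message-id: <placeholder-id@utel16.besthosting.com.ua>
Content-type: text/html
X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146

<a href="http://Removed.example.com/Survey.exe">https://secure.shaw.ca/apps/secure/vhub/Survey.exe</a>
"""

SAMPLE_TWO = """\
Return-Path: <nobody@omega.omc.net>
Date: Tue, 06 Nov 2007 23:24:54 +0100 (CET)
From: "Shaw Communications Inc." <service@shaw.ca>
To: recipient@shaw.ca
Content-type: text/html
X-Authentication-warning: omega.omc.net: Host localhost.omc.net (127.0.0.1) claimed to be omega.omc.net

"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(header_value):  # domain part of the address in a From/Return-Path header
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw, expected_offsets=(-8.0, -3.5)):
    """Return the red flags found in one raw message. expected_offsets is the UTC
    offset range (hours) the claimed sender mails from; the default covers Canada."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        flags.append("envelope sender %s does not match From domain %s" % (rp_dom, from_dom))
    mid_dom = (msg["Message-ID"] or "").strip("<> ").rpartition("@")[2].lower()
    if mid_dom and mid_dom != from_dom and not mid_dom.endswith("." + from_dom):
        flags.append("Message-ID was generated on %s, not a %s host" % (mid_dom, from_dom))
    if msg["X-PHP-Script"]:
        flags.append("X-PHP-Script: message was sent by a web script, not a mail client")
    if msg["X-Authentication-Warning"]:
        flags.append("X-Authentication-Warning: the MTA could not verify the sending host")
    if msg["Date"]:
        hours = parsedate_to_datetime(msg["Date"]).utcoffset().total_seconds() / 3600
        if not expected_offsets[0] <= hours <= expected_offsets[1]:
            flags.append("Date offset %+.1fh is outside the claimed sender's time zones" % hours)
    body = "" if msg.is_multipart() else msg.get_payload()
    for href, text in LINK_RE.findall(body):  # visible text vs. real target, and .exe downloads
        href_host, text_host = urlparse(href).hostname or "", urlparse(text.strip()).hostname or ""
        if text_host and text_host != href_host:
            flags.append("link text shows %s but points to %s" % (text_host, href_host))
        if urlparse(href).path.lower().endswith(".exe"):
            flags.append("link downloads an executable: %s" % href)
    return flags
```

Run `triage(SAMPLE_ONE)` and `triage(SAMPLE_TWO)` to list the flags for each message; a genuine message from the claimed sender should produce an empty list.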

Regardless, the viewable content of these two emails is identical, including an ‘official’ Shaw footer to further reinforce its legitimacy, but it’s futile. These are NOT from SHAW.

The content is included in plaintext. However, to ensure that not even ‘google’ browses the evil link from our site, I have sanitized it so it breaks. Details to fix it are below the actual email content:

Content-Transfer-Encoding: 8bit

src="http://www.shaw.ca/NR/rdonlyres/A6D66548-142E-47F8-AF4A-3CEE597378BC/0/logo.gif" align=baseline border=0>

.win a year of free broadband

To access this survey, and register for relevant offers from Shaw Communication Inc. please take a minute to register by using the link below.

After downloading and installing the file below, you will be taken to Shaw Communication Inc. survey.

https://secure.shaw.ca/apps/secure/vhub/Survey.exe

2007 Shaw Communications. All Rights Reserved.

209.85.15.18 is the address removed above with “Removed.example.com”. This address resolves to:

11/09/07 14:19:19 whois 209.85.15.18@whois.geektools.com
whois -h whois.geektools.com 209.85.15.18 …
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.arin.net.
Results:

OrgName: Everyones Internet
OrgID: EVRY
Address: 390 Benmar
Address: Suite 200
City: Houston
StateProv: TX
PostalCode: 77060
Country: US

ReferralServer: rwhois://rwhois.ev1servers.net:4321/

NetRange: 209.85.0.0 - 209.85.127.255
CIDR: 209.85.0.0/17
NetName: EVRY-BLK-15
NetHandle: NET-209-85-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1SERVERS.NET
NameServer: NS2.EV1SERVERS.NET
Comment:
RegDate: 2005-12-14
Updated: 2006-11-28

RAbuseHandle: ABUSE477-ARIN
RAbuseName: Abuse Department
RAbusePhone: +1-713-579-2850
RAbuseEmail: abuse@ev1servers.net

RNOCHandle: NOC1445-ARIN
RNOCName: Noc
RNOCPhone: +1-713-579-2850
RNOCEmail: noc@ev1servers.net

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: abuse@theplanet.com

OrgNOCHandle: NOC1445-ARIN
OrgNOCName: Noc
OrgNOCPhone: +1-713-579-2850
OrgNOCEmail: noc@ev1servers.net

OrgTechHandle: VST3-ARIN
OrgTechName: Stinson, Valarie
OrgTechPhone: +1-713-579-2850
OrgTechEmail: admin2@ev1servers.net

# ARIN WHOIS database, last updated 2007-11-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

At this point this site seems to be up. Anyone receiving any email similar to this should simply delete it.

If you think it really is legit, call Shaw directly and ask them BEFORE you click on the link. I feel this analysis is accurate, though limited in its conclusions. However, I hope it serves to help or assist anyone else who seeks to eliminate phishers and other scammers.


Mr.Gay Spammer on site

October 23, 2007 12:09

Well, it appears that ‘supercatalogo.info’ is a HUGE source of spam and malware. I have identified the IP as 89.111.180.225, with the following whois details:

10/23/07 10:15:20 whois 89.111.180.225@whois.geektools.com
whois -h whois.geektools.com 89.111.180.225 …
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '89.111.176.0 - 89.111.191.255'

inetnum: 89.111.176.0 - 89.111.191.255
netname: CENTROHOST-NET
descr: JSC Centrohost
country: RU
org: ORG-JC13-RIPE
admin-c: IA327-RIPE
tech-c: IA327-RIPE
status: ASSIGNED PA
mnt-by: PAN1-RIPE-MNT
mnt-lower: PAN1-RIPE-MNT
mnt-routes: PAN1-RIPE-MNT
mnt-domains: IA327-RIPE-MNT
source: RIPE # Filtered

organisation: ORG-JC13-RIPE
org-name: JSC Centrohost
org-type: OTHER
descr: JSC Centrohost
address: 78, Profsojuznaya str.,
address: Moscow, Russia, 117393
phone: +7 495 3630309
phone: +7 495 3630318
admin-c: IA327-RIPE
tech-c: IA327-RIPE
mnt-ref: PAN1-RIPE-MNT
abuse-mailbox: abuse@hc.ru
mnt-by: PAN1-RIPE-MNT
source: RIPE # Filtered

person: Ivan Albetkov
address: Hosting-Center LTD
address: 22, Litovsky bulvar
address: Moscow, Russia, 117588
phone: +7 495 5445566
remarks: **************************************************
remarks: Please send abuse and spam reports to abuse@hc.ru
remarks: **************************************************
nic-hdl: IA327-RIPE
mnt-by: IA327-RIPE-MNT
source: RIPE # Filtered

% Information related to '89.111.176.0/20AS41126'

route: 89.111.176.0/20
descr: JSC Centrohost route
origin: AS41126
mnt-by: PAN1-RIPE-MNT
source: RIPE # Filtered

So Mr. Gay can go find another rock to crawl under.

Oh, if you’re looking for details on supercatalogo.info, the domain registration record is below.

Domain ID:D15402764-LRMS
Domain Name:SUPERCATALOGO.INFO
Created On:22-Nov-2006 14:39:27 UTC
Last Updated On:21-Jan-2007 20:32:36 UTC
Expiration Date:22-Nov-2007 14:39:27 UTC
Sponsoring Registrar:EstDomains, Inc. (R295-LRMS)
Status:OK
Registrant ID:DI_4743150
Registrant Name:Isaias Stefanski
Registrant Organization:Isaias Stefanski
Registrant Street1:Devon Rd 67 26
Registrant Street2:
Registrant Street3:
Registrant City:BATON ROUGE
Registrant State/Province:Louisiana
Registrant Postal Code:70814
Registrant Country:US
Registrant Phone:+1.5043223563
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant SuperCatalogo.info
Admin ID:DI_4743150
Admin Name:Isaias Stefanski
Admin Organization:Isaias Stefanski
Admin Street1:Devon Rd 67 26
Admin Street2:
Admin Street3:
Admin City:BATON ROUGE
Admin State/Province:Louisiana
Admin Postal Code:70814
Admin Country:US
Admin Phone:+1.5043223563
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin SuperCatalogo.info
Billing ID:DI_4743150
Billing Name:Isaias Stefanski
Billing Organization:Isaias Stefanski
Billing Street1:Devon Rd 67 26
Billing Street2:
Billing Street3:
Billing City:BATON ROUGE
Billing State/Province:Louisiana
Billing Postal Code:70814
Billing Country:US
Billing Phone:+1.5043223563
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing SuperCatalogo.info
Tech ID:DI_4743150
Tech Name:Isaias Stefanski
Tech Organization:Isaias Stefanski
Tech Street1:Devon Rd 67 26
Tech Street2:
Tech Street3:
Tech City:BATON ROUGE
Tech State/Province:Louisiana
Tech Postal Code:70814
Tech Country:US
Tech Phone:+1.5043223563
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech SuperCatalogo.info
Name Server:NS1.THEHOSTDIRECT.INFO
Name Server:NS2.THEHOSTDIRECT.INFO
