
Porn Sites Hiding Behind Blogs


TCH-Dick


For the last few days family members have been reporting sites that have links to their cpanel listed on them, and while the sites didn't actually have the cpanel names and passwords it could be rather alarming to someone who didn't know how they were doing what they were doing, or why. Well thanks to some investigation by Billy, we have the answer as to why they are doing what they are doing. I have cut and pasted most of the info here, but there is a link at the bottom directly to the site where Billy found it.

 

 

I AM A SPAMMER Sites Hiding Behind Blogs

 

Over the last few days, I’ve seen a number of pseudo-realistic blogs spring up. They link to real stories, but all the comment and trackback links are just javascript redirects to the root of the site:

 

javascript:document.location="/";

 

Jennifer’s Blog, Malixya, Bongo Home and A-B-L-O-G all display the same behaviors although the latter lacks comment and trackback links (probably a good thing as clicking on them makes it evident the site isn’t real). These sites, it appears, are ripping off templates from other places — although I haven’t been able to find any of the original sites, Bongo Home does have residual references to Blog City. It appears that I’m not the only one to notice this.

 

The real kicker here is what is hiding at the bottom of each of these pages:

 

adult-webcam.gif”

 

It appears that these sites, using a clean little weblog as a front, are hosting a large amount of I AM A SPAMMER. I do not recommend visiting the above URL and I would suggest that if you do, you should disable Javascript as then the page is just rendered in text without strobing gif nakedness.

 

They’re attempting to increase the Google Juice of the main page of the site by spamming people’s referrers, and thereby increase the juice of the adult-webcam page. Currently, the sites have little or no juice, but they’ve only been at it for a little while.

 

Jennifer’s blog:

 

Brian Mcwatters

10721 St Ives Ct

Bloomington, MN 55431

United States

email: admin@jennifersblog.com

phone: 9166832524

fax: 9166832524

 

Bongo Home:

 

Jim Schwodler

20078 Kenwood Trail

Colorado Springs, CO 80915

United States

email: admin@bongohome.com

phone: 7574441409

fax: 7574441409

 

A-B-L-O-G:

 

Adam Wilmot

4234 Rue Dartagnan

Stone Moutain, ga 30083

United States

email: admin@a-b-l-o-g.com

phone: 9122465543

fax: 9122465543

 

Malixya:

 

Clarence V. Walcott

1006-15 Wentworth

Seattle, WA 98112

United States

email: admin@malixya.com

phone: 8013433620

fax: 8013433620

 

That is not the proper prefix for a phone number in Seattle, although the zip code is somewhat credible. I don’t know about the other cities.

 

All the blogs were registered on the 8th of November, and have DNS servers in the netblock owned by RIPE out of Amsterdam.

 

Update: My Girlfriend has accused me of pulling a Dave Winer (yes, she actually said I “pulled a Dave”) and not giving credit where credit is due. She noticed the traffic, and (and I’m quoting her here) “she, being incredibly technically inept said ‘Adam, what’s this?’”, whereupon I undertook some investigation.

 

Update: Added link to Beta Blog in the main text, because that’s where the design for Jennifer’s blog was ripped off from. It still contains pointers to Beta Blog’s moblog on TextAmerica.

 

Update: It appears that I didn’t dig quite deep enough at first. The DNS servers being used by all these sites are in the netblock assigned to “Politehnica” University of Bucharest.

 

Update: Some more of these fake blogs from a thread on Nova Boards:

 

kwlablog:

 

Bradley Boesel

Nw 9th Ave. Build.34

Beaverton, OR 97007

United States

email: admin@kwlablog.com

phone: 8045564201

fax: 8045564201

 

wr18.com:

 

Josete Martinez Gallardo

954 Vitt Dr.

Portland, OR 97229

United States

email: admin@wr18.com

phone: 8012815599

fax: 8012815599

 

and lookups on previously mentioned blogs:

 

Mike’s Place:

 

Jeffrey Steinhauer

11921 S. Cricket Ln.

Dublin, CA 94568

United States

email: admin@mikesspot.com

phone: 5408987991

fax: 5408987991

 

Saulem:

 

Jackie R. Varnadore

629 S Fourth St

Oceanside, NY 11572

United States

email: admin@saulem.com

phone: 8645854975

fax: 8645854975

 

It appears that all these sites are being hosted on servers located on the netblock assigned to “Politehnica” University of Bucharest. Maybe the school should get a few emails?

 

Update: Found a few more of these sites via this thread:

 

Akksess is a clear rip-off of Brian Micklethwait’s Education Blog. The Whois information points to:

 

Zachary Munzenrider

8610 83rd St

Ogden, UT 84404

United States

email: admin@akksess.com

phone: 9197796014

fax: 9197796014

 

World News Log is clearly a clone of Kevin Sites Blog.

 

Choong Wai Chan

16/35 Collins St

Clawson, MI 48017

United States

email: admin@worldnewslog.com

phone: 9134656230

fax: 9134656230

 

Aly pointed out Teoras in the comments. Here’s the whois entry.

 

C. Jeffry Paoletti

Otsego, MI 49078

United States

email: admin@teoras.com

phone: 9197542757

fax: 9197542757

 

All these sites are registered through Stargate Inc. Although it’s probably against their interests to hunt down these people who are giving them false information. I keep posting the false WHOIS information on the off chance that someone could verify it — and to keep a record for the future.

 

The thread (mentioned above) also, inexplicably, quotes the entire entry. I’m not so sure I’m happy about that.

 

Updated 2003.11.17 10:30: Another rundown on the subject. It appears that people are beginning to find this rather irritating. :D

 

Updated 2003.11.17 17:05: This entry is getting a tremendous amount of attention, thanks to Metafilter and dozens of other weblogs. I just wanted to point everyone’s attention to a couple excellent bits of detective work about these blogs.

 

* Vigilant.tv has information on how they tracked the spammers to their ‘lair’. They also have a method for defeating the referrer spam with mod_rewrite

* Andrew Urquhart approached the research in the same manner, although unlike me he seems to have compiled all his evidence before posting.

* JMac writes in the WebProWorld forums on her sleuthing activities. She has done a lot of work, including uncovering a potential email address of the perpetrator, and has been running down leads via email. It seems that all roads, in this case, lead to Bucharest.

* MJ points to another method for getting rid of the referrer spam.

* Milov.nl highlights the stolen designs of these ‘blogs’.

 

 

http://www.idly.org/2003/11/14/porn_sites_..._blogs.php#more


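The referrer spam described in the post above lands in the web server's access log before it shows up in awstats. The following is an added example, not part of the original thread or the quoted blog entry: it counts hits whose Referer belongs to one of the domains named in the post and generates mod_rewrite directives that refuse such requests. It assumes the Apache "combined" log format; the function names and log lines are constructed for illustration, and the rule is a common mod_rewrite pattern, not the Vigilant.tv method the post refers to.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Referrer domains named in the post above.
SPAM_DOMAINS = ("jennifersblog.com", "malixya.com", "bongohome.com",
                "a-b-l-o-g.com", "kwlablog.com", "wr18.com", "mikesspot.com",
                "saulem.com", "akksess.com", "worldnewslog.com", "teoras.com")
# Apache "combined" format: ... "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"$')

def spam_domain(referer):
    """Return the listed domain a Referer value belongs to, or None."""
    try:
        host = (urlsplit(referer).hostname or "").lower()
    except ValueError:                      # malformed URL in the header
        return None
    for d in SPAM_DOMAINS:
        if host == d or host.endswith("." + d):   # exact host or subdomain only
            return d
    return None

def scan(lines):
    """Split log lines into per-domain spam counts and the remaining lines."""
    hits, clean = Counter(), []
    for line in lines:
        m = LOG_RE.match(line.strip())
        d = spam_domain(m["ref"]) if m else None
        if d:
            hits[d] += 1
        else:
            clean.append(line)
    return hits, clean

def rewrite_rules(domains):
    """Build mod_rewrite directives answering 403 to the listed referrers."""
    out = ["RewriteEngine On"]
    for i, d in enumerate(domains):
        flags = "[NC,OR]" if i < len(domains) - 1 else "[NC]"
        out.append(r"RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?"
                   + d.replace(".", r"\.") + "(/|:|$) " + flags)
    out.append("RewriteRule ^ - [F]")
    return "\n".join(out)

# Constructed sample lines (documentation IP range), not real traffic.
_P = '192.0.2.10 - - [15/Nov/2003:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 '
SAMPLE = [_P + '"http://www.jennifersblog.com/" "Mozilla/4.0"',
          _P + '"http://malixya.com/" "Mozilla/4.0"',
          _P + '"http://notmalixya.com/" "Mozilla/4.0"',   # lookalike, not listed
          _P + '"-" "Mozilla/4.0"']                        # no Referer sent
```

Matching on the parsed hostname rather than a substring keeps lookalike or unrelated hosts out of the count, and the generated `RewriteCond` lines apply the same exact-host-or-subdomain test on the server side.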
Guest schussat
What I don't understand is what they hope to gain by spamming our referer lists.  We (webmasters) are the only ones to see them so where's the benefit?

In lots of cases, that's true, but there are plenty of referer logs that seem to be public. Searching for kwlablog.com for instance, turns up lots of pages of either outright referer logs or weblogs, for instance, that display recent referers. I assume those are the hits that they're aiming for, because I had exactly the same thought that you did.


Interesting reading. I too am puzzled as to why someone would want to link to a cpanel. Bottom line...are there any security issues that users should be aware of? (Other than the common sense ones, of course!)

 

Thanks for the info!


They aren't actually linking to cpanel, what's happening is, person A sees a link to www.whatever.com in their referrer list while looking thru their awstats in cpanel, so person A naturally clicks on the link in cpanel to go see who is visiting their site. Now site B has a recent referrer script running that shows a link on the main page of the site, person A came from their cpanel so it shows as a link on site B's home page.

 

There isn't any real security risk since if a person follows that link to cpanel they will be asked for a name and password to log in.


Very interesting. And good work. At this moment my website cpanel link has been added to Jennifersblog, malixya, a-b-l-o-g, and some other suspicious appearing blogs.

 

Clicking on the links to my site from these false fronts I can enter directly into my cpanel. Whereas if I click on some other pirated sites I am asked for a name and password in order to enter. Can I go directly into my cpanel because I am using my own machine? Or does anyone who clicks on my url, with the added 8082, have direct entry?

 

Also, I see that you offer the email addresses to some of these blogs. Will emailing them and asking to be removed improve matters or simply offer them another opportunity to exploit my site and email address?

 

You have done very good work with this and I'm sure that anyone who has thus been exploited will be grateful.

 

Sincerely, Paul


Can I go directly into my cpanel because I am using my own machine?

 

That's correct, if anyone else clicked on the link to your cpanel they would be prompted for a password. E-mailing the sites would probably do ZERO good, I'm sure that the e-mail address and contact names are false.


Well, that's a relief. And once again thanks for sharing your knowledge. Those interested in this issue might also want to visit another forum site in which cpanel security is discussed. It advised changing passwords to foil the interlopers. It appears to have worked. (At least I hope so.)

 

http://www.totalchoicehosting.com/forums/i...?showtopic=5610

 

Thanks again for eliminating some anxiety regarding the soundness of my rather innocent web site, which, after all, is dedicated to art.

 

Paul


Thanks for the info!

 

I noticed these referrers in my awstats yesterday and was curious. I clicked on one and boy, was I surprised to see my cpanel link right there on their home page!

 

I basically freaked out for a minute, then clicked on the link and presto, I was back in my cpanel! Then I was really worried, but calmed myself by realizing that my browser had stored my username/password and that other visitors to this blog would not be able to get in. But it was pretty scary! :dance:

 

I didn't realize it was a I AM A SPAMMER gateway, but I was going to report them here anyway. You guys beat me to it!

 

As to these fake bloggers: :)

 

 

...dave
