Stunning Findings
Page 1 of 2 12 LastLast
Results 1 to 10 of 20

Thread: Stunning Findings

  1. #1
    Banned
    Join Date
    Feb 2004
    Posts
    53

    Stunning Findings

    ok heres the deal, i whent to get on the internet this morning and found that my home page had been set to somthing like http://%6F%64%7A%71%74%74%2E%74%2E%6...?%61%69%64=420
    this sparked my curiosity. so i transilated it.
    well the web address turned out to be odzqtt.t.muxa.cc with a little extetion that i believe made somthing download to my comupter....
    When i WHOIS it, it came up as Muxa.cc (dhu)
    i then pinged it and got the IP: 207.68.172.246
    when i resolved this address it came up as mail.msn.com (what the heck???)
    Furthermore i pinged odzqtt.t.muxa.cc and got the ip address
    81.211.105.37
    i did not get a responce from pinging so i traced it... My packets were lost at a server in Africa.(i think maybe a firewall)
    i scanned the address and found a web server. i went to it but nothis is there....

    Can someone Plz tell me what i am seeing????

  2. #2
    Banned
    Join Date
    Feb 2004
    Posts
    53
    escuss my spelling.....

    i did not scan the firewalled address i scanned 81.211.105.37

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Looks like you are seeing a spyware activity. I'd suggest going to look for HijackThis and CWShredder. Doing a quick google on muxa.cc got quite a few responses including this cached solution.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #4
    Banned
    Join Date
    Feb 2004
    Posts
    53
    i got both those and i removed whatever i had... i'm mainly just wondering why it came up as Mail.msn.com

  5. #5
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    A quick google search turned up quite a few hits of this (muxa.cc) showing up in "hijackthis" logs. It looks like you have been hijacked. You might want to check out:

    Hijackthis

    Adware 6

    Spybot-S&D

    Cheers:

    /EDIT
    Sorry, MsM beat me to it.........as usual
    DjM

  6. #6
    Banned
    Join Date
    Feb 2004
    Posts
    53
    i have highjack this and i already removed it, my question is why did it come up to Mail.msn.com

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Hrmm.. Let's see:

    odzqtt.t.muxa.cc


    Registrant:
    Muxa C.C. (muxaccc@yahoo.com)

    Mme Curie street, Verdun
    Beirut, NONE 766
    LB
    +961.01351400

    Domain Name: muxa.cc

    Administrative, Technical, Billing Contact:
    Muxa C.C. (muxaccc@yahoo.com)

    Mme Curie street, Verdun
    Beirut, NONE 766
    LB
    +961.01351400

    Record created on Nov 23 2003.
    Record expires on Nov 23 2006.
    Domain servers:
    cc.muxa.cc
    xx.muxa.cc
    http://muxa.cc has a MSN logo on it. Doing a traceroute does resolve it to a MSN address (see below). Off hand, I'd guess it's a business address perhaps?

    mittens@MsMittens:~$ traceroute muxa.cc
    traceroute to muxa.cc (207.68.172.246), 30 hops max, 38 byte packets
    1 192.168.0.1 (192.168.0.1) 1.069 ms 1.036 ms 1.109 ms
    2 xx.aa.yy.zz (xx.aa.yy.zz) 25.615 ms 25.808 ms 22.926 ms
    3 10.1.67.1 (10.1.67.1) 24.356 ms 51.682 ms 33.789 ms
    4 msmittens.com (aa.xx.yy.zz) 19.812 ms 22.391 ms 8.273 ms
    5 msmittens.com (aa.xx.yy.zz) 24.476 ms 21.083 ms 24.047 ms
    6 dcr1-so-4-3-0.Chicago.cw.net (208.175.10.109) 34.042 ms 33.949 ms 30.905 ms
    7 acr1-loopback.Seattle.cw.net (208.172.82.61) 70.136 ms 70.476 ms 72.288 ms
    8 microsoft-hotmail-exodus.Seattle.cw.net (208.172.83.222) 147.788 ms 81.40 0 ms 82.795 ms
    9 pos0-0.core2.sea2.us.msn.net (207.46.33.185) 84.180 ms 84.550 ms 83.938 ms
    10 207.46.36.142 (207.46.36.142) 84.219 ms 83.839 ms 84.123 ms
    11 vlan805.tuk2f-msfc-2b.us.msn.net (207.68.179.132) 84.864 ms 82.631 ms 83 .625 ms
    12 * * *
    OrgName: Microsoft Corp
    OrgID: MSFT
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US

    NetRange: 207.68.128.0 - 207.68.207.255
    CIDR: 207.68.128.0/18, 207.68.192.0/20
    NetName: MICROSOFT-CORP-MSN-BLK
    NetHandle: NET-207-68-128-0-1
    Parent: NET-207-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS1.CP.MSFT.NET
    NameServer: DNS2.CP.MSFT.NET
    NameServer: DNS1.TK.MSFT.NET
    NameServer: DNS1.DC.MSFT.NET
    NameServer: DNS1.SJ.MSFT.NET
    Comment:
    RegDate: 1996-03-26
    Updated: 2003-01-15

    TechHandle: ZM39-ARIN
    TechName: Microsoft
    TechPhone: +1-425-936-4200
    TechEmail: noc@microsoft.com

    OrgAbuseHandle: HOTMA-ARIN
    OrgAbuseName: Hotmail Abuse
    OrgAbusePhone: +1-425-882-8080
    OrgAbuseEmail: abuse@hotmail.com

    OrgAbuseHandle: MSNAB-ARIN
    OrgAbuseName: MSN ABUSE
    OrgAbusePhone: +1-425-882-8080
    OrgAbuseEmail: abuse@msn.com

    OrgAbuseHandle: ABUSE231-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-425-882-8080
    OrgAbuseEmail: abuse@microsoft.com

    OrgNOCHandle: ZM23-ARIN
    OrgNOCName: Microsoft Corporation
    OrgNOCPhone: +1-425-882-8080
    OrgNOCEmail: noc@microsoft.com

    OrgTechHandle: MSFTP-ARIN
    OrgTechName: MSFT-POC
    OrgTechPhone: +1-425-882-8080
    OrgTechEmail: iprrms@microsoft.com

    # ARIN WHOIS database, last updated 2004-03-28 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    Banned
    Join Date
    Feb 2004
    Posts
    53
    another great question would be if muxa.cc has a direct link to MSN.com would that mean that msn would be funding this highjacking tool??????

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Not necessarily. If the person who manages the website is paying for MSN to fund it, then MSN may not be aware of it. Perhaps you could forward this information to abuse@msn.com and see how they respond (believe it or not, Hotmail and MSN Security are actually pretty good about responding to security emails).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    Banned
    Join Date
    Feb 2004
    Posts
    53
    Dear Abuse,
    This morning I was accessing the Internet when I noticed my start page had been changed to a coded address
    http://%6F%64%7A%71%74%74%2E%74%2E%...0?%61%69%64=420
    to which I translated to "odzqtt.t.muxa.cc" with a directory that downloaded some spyware to my computer.
    Upon further investigation I found that the IP address of Muxa.cc resolves to mail.msn.com
    When I traced the address muxa.cc the last thing that came up was vlan805.tuk2f-msfc-2b.us.msn.net.

    My question is "is MSN.com sponsoring a website that downloads unauthorized programs to its users PC's?"

    I await your response,

    Randy L. Warren

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •