
Thread: Is this a fake CNN website?

  1. #21
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    You'd be surprised what's on Inktomi's servers (or anybody else's). They were hosting a child porn site I got involved in shutting down a year or two ago. I doubt they got the time or the personnel to check everything hosted there. I doubt they deliberately allow this kind of content.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  2. #22
    Senior Member
    Join Date
    Feb 2002
    Posts
    855
    Ok, I emailed this site too: ynoc-request@yahoo-inc.com

    I'm signing off for the night, so someone else will need to make notifications if necessary.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  3. #23
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Hi brokencrow

    You will probably see these


    ;; ADDITIONAL SECTION:
    premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.46
    premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.43
    premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.50
    premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.41
    premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.48
    premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.47
    premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.45
    premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.42
    Domain ID13440477-LRMS
    Domain Name:R-ACCOUNTSBMIKP.INFO
    Created On:17-May-2006 11:01:21 UTC
    Last Updated On:17-May-2006 11:01:25 UTC
    Expiration Date:17-May-2007 11:01:21 UTC
    Sponsoring Registrar:MIT (R141-LRMS)
    ;; QUESTION SECTION:
    ;r-accountsbmikp.info. IN ANY

    ;; ANSWER SECTION:
    r-accountsbmikp.info. 600 IN A 68.142.212.47
    r-accountsbmikp.info. 600 IN A 68.142.212.48
    r-accountsbmikp.info. 600 IN A 68.142.212.50
    r-accountsbmikp.info. 600 IN A 68.142.212.40
    r-accountsbmikp.info. 600 IN A 68.142.212.41
    r-accountsbmikp.info. 600 IN A 68.142.212.42
    r-accountsbmikp.info. 86400 IN NS ns9.san.yahoo.com.
    r-accountsbmikp.info. 86400 IN NS yns1.yahoo.com.
    r-accountsbmikp.info. 86400 IN NS yns2.yahoo.com.
    r-accountsbmikp.info. 86400 IN NS ns8.san.yahoo.com.
    r-accountsbmikp.info. 600 IN SOA hidden-master.yahoo.com. geo-support.yahoo-inc.com. 2006052101 10800 3600 7084000 28800
    r-accountsbmikp.info. 600 IN MX 20 mx1.biz.mail.yahoo.com.
    r-accountsbmikp.info. 600 IN MX 30 mx5.biz.mail.yahoo.com.
    r-accountsbmikp.info. 600 IN TXT "i=173&m=geo-g3-mx2-p8"
    Source
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  4. #24
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    I figured as much, dalek. Sounds like...organized crime.

    I did a whois on "r-accountsbmikp.info" and am unable to find anything on that name.

    Wow, these guys cover their tracks.

    Maybe this is a job for one of those eff-bee-eye men. Welcome to CSI-AntiOnline.

    “Everybody is ignorant, only on different subjects.” — Will Rogers

  5. #25
    Blast From the Past
    Join Date
    Jan 2003
    Posts
    729
    I tried the link, it seems offline as of current

    AVG is fantastic!

    I think it's better than Norton, Panda, and Trend Micro.... the only ones I think are as good are Kaspersky and BitDefender *personal fav*

    Install AVG free on EVERY COMPUTER you can... it's worth it, and it's free so you're not installing stolen software.
    work it harder, make it better, do it faster, makes us stronger

  6. #26
    Damn, the site has obviously been pulled offline.
    I was hoping to get a sample of the .exe and pull it apart to have a look. Ah well, there's always next time I guess.

    f2B

  7. #27
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    I submitted the two "mpg.exe's" from www.todaycnn.com site to VirusTotal (thanks for that link, nihil). They appear to be trojan downloaders.

    The result for both was:

    AntiVir 6.34.1.37 06.04.2006 no virus found
    Authentium 4.93.8 06.02.2006 no virus found
    Avast 4.7.844.0 06.02.2006 no virus found
    AVG 386 06.02.2006 no virus found
    BitDefender 7.2 06.04.2006 no virus found
    CAT-QuickHeal 8.00 06.03.2006 no virus found
    ClamAV devel-20060426 06.04.2006 no virus found
    DrWeb 4.33 06.04.2006 no virus found
    eTrust-InoculateIT 23.72.28 06.04.2006 no virus found
    eTrust-Vet 12.6.2240 06.02.2006 no virus found
    Ewido 3.5 06.04.2006 no virus found
    Fortinet 2.77.0.0 06.03.2006 suspicious
    F-Prot 3.16f 06.02.2006 no virus found
    Ikarus 0.2.65.0 06.02.2006 Trojan.DownLoader.8190
    Kaspersky 4.0.2.24 06.04.2006 no virus found
    McAfee 4776 06.02.2006 no virus found
    Microsoft 1.1441 06.04.2006 no virus found
    NOD32v2 1.1577 06.04.2006 no virus found
    Norman 5.90.17 06.02.2006 no virus found
    Panda 9.0.0.4 06.04.2006 Suspicious file
    Sophos 4.05.0 06.03.2006 no virus found
    Symantec 8.0 06.04.2006 no virus found
    TheHacker 5.9.8.154 06.01.2006 no virus found
    UNA 1.83 06.02.2006 no virus found
    VBA32 3.11.0 06.04.2006 no virus found

    The site originally had two supposed mpg's, the first named UFO_CRASHED_IN_NEW_JERSEY_1_.mpg.exe (1.3 mb) and the second named UFO_CRASHED_IN_NEW_JERSEY_2_.mpg.exe (2.5 mb). I've got copies of both if anybody's interested in dissecting them.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  8. #28
    Senior Member
    Join Date
    Feb 2002
    Posts
    855
    Re: Fake CNN web site (KMM32564316V8942L0KM)
    From:
    Yahoo! Domains <domains-abuse@cc.yahoo-inc.com>
    To:
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Date:
    Today 11:56:26 am


    Thank you for informing us of possible abuse on Yahoo! Domains. We have
    investigated the site and taken the necessary action. Please continue to
    notify us of any content you believe violates the Yahoo! Domains Terms
    of Service, located at:

    http://smallbusiness.yahoo.com/tos/tos.php

    This is an email I received a little earlier today. I'm not sure guys, but it looks like this might be the result of this thread. But then, again, maybe others reported it too.

    In any event, thanks to Broomiebar for saying something about this, and thanks to everyone else who provided information.

    Whether the removal of this site was the result of our efforts, or someone else's, it's good to see the hosting company respond, and people working together to make the Internet a little safer.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  9. #29
    Senior Member
    Join Date
    Feb 2002
    Posts
    855
    Well guys,
    It seems this site is back in action again. I sent another "abuse" email. Maybe they'll shut it down for good.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  10. #30
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    I'm wondering if they're just testing the waters. Getting only one ip address so far, versus the 10-11 we got last week. Right in the same range:

    68.142.212.41

    There we go, there's another ip address:

    68.142.212.50

    You been keeping an eye on this one all week, preacherman?

    edit -- yeah, they're back. Last ip address was 68.142.212.47, now back to .41. Running this scam off the same servers. How do they get away with it?
    “Everybody is ignorant, only on different subjects.” — Will Rogers
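
Added example, not part of any post in this thread: a short Python check of the observation in post #30 that the returning site's addresses sit "right in the same range", run against the A records from the dig output in post #23. The function names and the /24 grouping are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

# A records copied from the dig output in post #23 (one NS line kept to show filtering).
DIG_OUTPUT = """\
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.46
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.43
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.50
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.41
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.48
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.47
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.45
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.42
r-accountsbmikp.info. 600 IN A 68.142.212.47
r-accountsbmikp.info. 600 IN A 68.142.212.48
r-accountsbmikp.info. 600 IN A 68.142.212.50
r-accountsbmikp.info. 600 IN A 68.142.212.40
r-accountsbmikp.info. 600 IN A 68.142.212.41
r-accountsbmikp.info. 600 IN A 68.142.212.42
r-accountsbmikp.info. 86400 IN NS yns1.yahoo.com.
"""
# Addresses reported in post #30 after the site came back online.
LATER_SEEN = ["68.142.212.41", "68.142.212.50", "68.142.212.47"]

def parse_a_records(text):
    """Map each owner name to the set of IPv4 addresses in its 'IN A' lines."""
    records = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2] == "IN" and f[3] == "A":
            records[f[0].rstrip(".").lower()].add(ipaddress.ip_address(f[4]))
    return dict(records)

def classify(addresses, records, prefix=24):
    """Label each address: 'known' (exact earlier answer), 'same-range', or 'new'."""
    pool = set().union(*records.values())
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in pool}
    labels = {}
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip in pool:
            labels[text] = "known"
        elif any(ip in net for net in nets):
            labels[text] = "same-range"
        else:
            labels[text] = "new"
    return labels

print(classify(LATER_SEEN, parse_a_records(DIG_OUTPUT)))
```

All three addresses from post #30 come back as `known`: each was already among the answers recorded the week before, so the site returned on the same address pool rather than moving elsewhere.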
