Hello Everyone,
Has anyone heard of a UFO that's crashed in NEW JERSEY, it's been reported only on this website
www.todaycnn.com
but I can't find any news of it on CNN.com.
Thanks.
BB
Hmm, I don't know but try clicking on the video links. Since when is a video an .exe program?
Here is the video link info:
http://www.todaycnn.com/UFO_CRASHED_...SEY_1_.mpg.exe
Yeah, it's fake; when you click on "live" it's an .mpg.exe file. I scanned it and it's a virus all right....
Nicely done website though...
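The two tells the posters above describe (a filename that ends in .exe behind a media extension, and a "video" whose content is actually a Windows executable) can be checked mechanically before anything is run. The following triage script is an added example, not code from this thread or from any of the posters. It inspects a filename for a deceptive double extension, parses the DOS/PE header to confirm the content is an executable, checks for the MPEG pack-header magic a real .mpg would start with, and measures trailing zero padding. The sample bytes (a minimal fake PE image and a fake MPEG stream) are constructed for the example; the function names are the example's own.

```python
"""Triage a downloaded "video" that may really be an executable.

Added example. The fake PE blob and MPEG blob below are constructed here
and are not samples from the site discussed in the thread.
"""
import os
import struct

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions an attacker puts in front of the real one to make the file look harmless.
DECOY_EXTS = {".mpg", ".mpeg", ".avi", ".wmv", ".mov", ".mp4", ".pdf", ".doc", ".jpg"}

MPEG_PS_MAGIC = b"\x00\x00\x01\xba"   # MPEG program-stream pack header
PE_MAGIC = b"MZ"                      # DOS stub header that every PE file starts with


def split_extensions(name: str) -> list:
    """'UFO_1_.mpg.exe' -> ['.mpg', '.exe']; extensions are lower-cased."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]] if len(parts) > 1 else []


def has_deceptive_double_extension(name: str) -> bool:
    """True when the final extension is executable and an earlier one is a decoy."""
    exts = split_extensions(name)
    return (len(exts) >= 2
            and exts[-1] in EXECUTABLE_EXTS
            and any(e in DECOY_EXTS for e in exts[:-1]))


def is_pe_image(data: bytes) -> bool:
    """Check the MZ header and that e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != PE_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_mpeg(data: bytes) -> bool:
    """A real MPEG-1/2 program stream begins with the pack-header start code."""
    return data.startswith(MPEG_PS_MAGIC)


def trailing_padding_ratio(data: bytes) -> float:
    """Fraction of the file that is trailing NUL bytes (crude size-inflation check)."""
    if not data:
        return 0.0
    return (len(data) - len(data.rstrip(b"\x00"))) / len(data)


def triage(name: str, data: bytes) -> dict:
    """Combine the filename and content checks into one verdict."""
    exts = split_extensions(name)
    claims_media = bool(exts) and exts[-1] in DECOY_EXTS
    verdict = {
        "double_extension": has_deceptive_double_extension(name),
        "pe_image": is_pe_image(data),
        "mpeg_content": looks_like_mpeg(data),
        "padding_ratio": round(trailing_padding_ratio(data), 3),
    }
    # Suspicious if the name lies about the type, or the content is a PE
    # while the name claims a media/document format.
    verdict["suspicious"] = verdict["double_extension"] or (claims_media and verdict["pe_image"])
    return verdict


def build_fake_pe(total_size: int = 4096) -> bytes:
    """Constructed minimal PE-shaped blob: MZ header, e_lfanew -> 'PE\\0\\0', NUL padding."""
    header = bytearray(0x80)
    header[0:2] = PE_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x80)
    body = bytes(header) + b"PE\x00\x00"
    return body + b"\x00" * (total_size - len(body))


# Constructed inputs for the example (not real samples).
FAKE_VIDEO_NAME = "UFO_CRASHED_IN_NEW_JERSEY_1_.mpg.exe"
FAKE_VIDEO_DATA = build_fake_pe()
REAL_MPEG_DATA = MPEG_PS_MAGIC + bytes(range(1, 200)) * 4

if __name__ == "__main__":
    print(triage(FAKE_VIDEO_NAME, FAKE_VIDEO_DATA))
    print(triage("clip.mpg", REAL_MPEG_DATA))
```

The padding ratio is the check for the point raised later in the thread about a sample inflated to look like a 2.5 MB video: a "video" whose bulk is NUL bytes and whose first bytes are a PE header has nothing to do with MPEG.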
Broomiebar:
Why don't you try contacting the people at CNN and letting them know about it? They might want to try to warn people about this site.
Another one of those rogue Inktomi sites. ;)
Seriously, it's hosted by a Yahoo subsidiary, but privately registered to "visa card" out of Emeryville, CA.
Might contact Inktomi, too.
Yeah, I may just do that, Preacman, but they're CNN, the NEWS leader of the world. I'll just send them a quick email, since I enjoy watching the network.
brokencrow: if you can get me an "abuse" address, I'll send one to the web site hoster.
preacher: (from GeekTools Whois)
Checking server [whois.melbourneit.com]
Results:
Domain Name.......... todaycnn.com
Creation Date........ 2006-06-03
Registration Date.... 2006-06-03
Expiry Date.......... 2007-06-03
Organisation Name.... visa card
Organisation Address. P O Box 99800
Organisation Address.
Organisation Address. EmeryVille
Organisation Address. 94662
Organisation Address. CA
Organisation Address. US
Admin Name........... PrivateRegContact Admin
Admin Address........ P O Box 99800
Admin Address........
Admin Address........ EmeryVille
Admin Address........ 94662
Admin Address........ CA
Admin Address........ US
Admin Email.......... [email protected]
Admin Phone.......... +1.5105952002
Admin Fax............
Tech Name............ PrivateRegContact TECH
Tech Address......... P O Box 99800
Tech Address.........
Tech Address......... EmeryVille
Tech Address......... 94662
Tech Address......... CA
Tech Address......... US
Tech Email........... [email protected]
Tech Phone........... +1.5105952002
Tech Fax.............
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
Contact CNN at http://www.cnn.com/feedback/forms/form2a.html?1
Ok,
If I email [email protected] it'll go to the site owner, right (who is the person pulling this stuff??). So the Yahoo people are the ones to contact?
I want to make sure I'm not contacting the wrong people ;)
I was looking for a phone number through their site quickly but didn't see one earlier, so I sent them an email too with the URL and some info.... They should be pretty proud of their audience, since the fake site came out today and many people probably contacted them....
I pinged "www.todaycnn.com" and got 68.142.212.40 for an ip address. A whois on that ip address turned up Inktomi as the owner, so I figured the site's actually hosted with them. It appears though, from what msmittens and I both turned up, that melbourneit.com handles the private registration.
Seeing as how Inktomi does the actual hosting, it might be best to contact them at this email address I turned up (thank you, Sam Spade!):
[email protected]
Try that one. MelbourneIT may have one too but I haven't turned it up yet.
Hhhmm, interesting, my Trend Micro didn't pick anything up on the exe... it's a pop-up for this site: Totalregistryfixer
Looks new; nothing on Google for this yet as malware, or at least I couldn't find it. May want to break the links to the exe.
Had to do a restore to get rid of it... fun and games.... ;)
Edit:
©opy®ight
What did your AV pick up, and what AV are you using?
Quote:
Yeah, it's fake; when you click on "live" it's an .mpg.exe file. I scanned it and it's a virus all right....
Yeah, dalek, I rebooted into Ubuntu to download the .exe but couldn't do an online scan because I have Java disabled. Then I wondered, "Why bother?"
I hate taking any chances anymore...
edit -- That's interesting. I just pinged www.todaycnn.com again and got a slightly different ip address (still belongs to Inktomi though): 68.142.212.46
Then again, and this one (!): 68.142.212.50
dalek:
AVG just said virus found and gave me options to heal, delete, etc... I just deleted it....
Sh*t, I have a corporate version of Trend Micro Internet 2006 with all the bells and whistles, and it missed this and your AVG got it.... I'm uh... impressed.... :(
Quote:
Originally posted here by ©opy®ight
dalek:
AVG just said virus found and gave me options to heal, delete, etc... I just deleted it....
Ok, I emailed this address bc gave me: [email protected]
Interesting, I went ahead and downloaded the .exe to "My Documents" and Panda's online scan turned up nothing. I've encrypted it and will run an AV against it in the next week or two.
And now www.todaycnn.com's ip address is 68.142.212.44, then 68.142.212.43
These guys must have quite the operation (several servers?).
edit -- now it's 68.142.212.47
I googled the IP 68.142.212.43 and got http://castlecops.com/t157606-PIRT_2...42_212_43.html
Which referenced this:
Report for AS14780
Name
INKTOMI-LAWSON - Inktomi Corporation
Whois Entry
IANA has recorded AS14780 as originally allocated by ARIN
RIRs have AS14780 whois information provided by ARIN
-No Whois Entry Obtained-
AS Adjacency Report
In the context of this report "Upstream" indicates that there is an adjacent AS that lies between the BGP table collection point (in this case at AS4637) and the specified AS. Similarly, "Downstream" refers to an adjacent AS that lies beyond the specified AS. This upstream / downstream categorisation is strictly a description of relative topology, and should not be confused with provider / customer / peer inter-AS relationships.
14780 INKTOMI-LAWSON - Inktomi Corporation Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS10310 YAHOO-1 - Yahoo!
Announced Prefixes
Rank AS Type Originate Addr Space (pfx) Transit Addr space (pfx) Description
3689 AS14780 ORIGIN Originate: 28928 /17.18 Transit: 0 /0.00 INKTOMI-LAWSON - Inktomi Corporation
Aggregation Suggestions
This report does not take into account conditions local to each origin AS in terms of policy or traffic engineering requirements, so this is an approximate guideline as to aggregation possibilities.
Rank AS AS Name Current Wthdw Aggte Annce Redctn %
9491 AS14780 INKTOMI-LAWSON - Inktomi Corporation 5 0 0 5 0 0.00%
AS14780: INKTOMI-LAWSON - Inktomi Corporation
Prefix (AS Path) Aggregation Action
4.79.181.0/24 4637 10310 14780
66.163.176.0/21 4637 10310 14780
68.142.192.0/19 4637 10310 14780
209.191.64.0/18 4637 10310 14780
216.252.96.0/21 4637 10310 14780
Advertisements that are fragments of the original RIR allocation (more specifics) originated by this AS.
AS14780 4 More Specifics 5 Total Advertisements INKTOMI-LAWSON - Inktomi Corporation
4.79.181.0/24 (4.0.0.0/8)
66.163.176.0/21 (66.163.160.0/19)
68.142.192.0/19 (68.142.192.0/18)
http://www.cidr-report.org/cgi-bin/as-report?as=14780
Another email for reporting abuse [email protected]
Now it's 68.142.212.48
Inktomi is one of those mass server sites. They project sites out. The question is: why would they project this one out? I'd file the complaint with the following:
Inktomi
Yahoo
CNN
You'd be surprised what's on Inktomi's servers (or anybody else's). They were hosting a child porn site I got involved in shutting down a year or two ago. I doubt they got the time or the personnel to check everything hosted there. I doubt they deliberately allow this kind of content.
Ok, I emailed this site too: [email protected]
I'm signing off for the night, so someone else will need to make notifications if necessary.
Hi brokencrow
You will probably see these
: ADDITIONAL SECTION:
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.46
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.43
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.50
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.41
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.48
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.47
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.45
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.42
Domain ID:D13440477-LRMS
Domain Name:R-ACCOUNTSBMIKP.INFO
Created On:17-May-2006 11:01:21 UTC
Last Updated On:17-May-2006 11:01:25 UTC
Expiration Date:17-May-2007 11:01:21 UTC
Sponsoring Registrar:MIT (R141-LRMS)
;; QUESTION SECTION:
;r-accountsbmikp.info. IN ANY
;; ANSWER SECTION:
r-accountsbmikp.info. 600 IN A 68.142.212.47
r-accountsbmikp.info. 600 IN A 68.142.212.48
r-accountsbmikp.info. 600 IN A 68.142.212.50
r-accountsbmikp.info. 600 IN A 68.142.212.40
r-accountsbmikp.info. 600 IN A 68.142.212.41
r-accountsbmikp.info. 600 IN A 68.142.212.42
r-accountsbmikp.info. 86400 IN NS ns9.san.yahoo.com.
r-accountsbmikp.info. 86400 IN NS yns1.yahoo.com.
r-accountsbmikp.info. 86400 IN NS yns2.yahoo.com.
r-accountsbmikp.info. 86400 IN NS ns8.san.yahoo.com.
r-accountsbmikp.info. 600 IN SOA hidden-master.yahoo.com. geo-support.yahoo-inc.com. 2006052101 10800 3600 7084000 28800
r-accountsbmikp.info. 600 IN MX 20 mx1.biz.mail.yahoo.com.
r-accountsbmikp.info. 600 IN MX 30 mx5.biz.mail.yahoo.com.
r-accountsbmikp.info. 600 IN TXT "i=173&m=geo-g3-mx2-p8"
Source
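The rotating 68.142.212.x addresses reported across the thread, the cidr-report prefix table for AS14780 quoted earlier, and dalek's dig output above all fit together once the records are parsed and each address is matched against the announced prefixes. The script below is an added example, not code from the thread or from any tool the posters used. It parses dig-style resource-record lines, parses "prefix AS-path" lines in the cidr-report format, and attributes each A record to the longest announced prefix that contains it (taking the origin AS from the end of the path). The sample dig output and prefix table are constructed from the values quoted in this thread; the function names are the example's own.

```python
"""Tie DNS answers to the BGP prefixes an AS announces.

Added example. DIG_SAMPLE and PREFIX_SAMPLE are constructed from values
posted in the thread; nothing here queries the network.
"""
import ipaddress
import re
from collections import defaultdict

# Generic RR line as dig prints it:  name  TTL  IN  TYPE  rdata...
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_dig(text: str) -> dict:
    """Return {owner_name: {rrtype: [rdata, ...]}}; ';' comment lines are skipped."""
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            records[m["name"].rstrip(".")][m["type"]].append(m["rdata"].strip())
    return {name: dict(types) for name, types in records.items()}


def parse_prefix_table(text: str) -> list:
    """Parse lines like '68.142.192.0/19 4637 10310 14780' into (network, as_path)."""
    prefixes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and "/" in parts[0]:
            try:
                net = ipaddress.ip_network(parts[0], strict=False)
            except ValueError:
                continue
            prefixes.append((net, [int(p) for p in parts[1:] if p.isdigit()]))
    return prefixes


def attribute(records: dict, prefixes: list) -> dict:
    """Map each A record to (owner, longest matching prefix, origin AS) or (owner, None, None)."""
    result = {}
    for name, types in records.items():
        for addr in types.get("A", []):
            ip = ipaddress.ip_address(addr)
            best = None
            for net, path in prefixes:
                if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, path)
            result[addr] = (name, str(best[0]) if best else None, best[1][-1] if best and best[1] else None)
    return result


def shared_block(addrs, prefixlen: int = 24):
    """The single /prefixlen containing every address, or None if they do not share one."""
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs}
    return next(iter(nets)) if len(nets) == 1 else None


# Constructed from the thread's dig output (A records only need to be plausible).
DIG_SAMPLE = """
;; QUESTION SECTION:
;r-accountsbmikp.info. IN ANY
;; ANSWER SECTION:
r-accountsbmikp.info. 600 IN A 68.142.212.47
r-accountsbmikp.info. 600 IN A 68.142.212.48
r-accountsbmikp.info. 600 IN A 68.142.212.50
r-accountsbmikp.info. 600 IN A 68.142.212.40
r-accountsbmikp.info. 600 IN A 68.142.212.41
r-accountsbmikp.info. 600 IN A 68.142.212.42
r-accountsbmikp.info. 86400 IN NS yns1.yahoo.com.
r-accountsbmikp.info. 600 IN SOA hidden-master.yahoo.com. geo-support.yahoo-inc.com. 2006052101 10800 3600 7084000 28800
r-accountsbmikp.info. 600 IN TXT "i=173&m=geo-g3-mx2-p8"
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.46
premium8.geo.yahoo8.akadns.net. 171 IN A 68.142.212.43
"""

# Constructed from the cidr-report announcement table for AS14780.
PREFIX_SAMPLE = """
4.79.181.0/24 4637 10310 14780
66.163.176.0/21 4637 10310 14780
68.142.192.0/19 4637 10310 14780
209.191.64.0/18 4637 10310 14780
216.252.96.0/21 4637 10310 14780
"""


def summarize() -> dict:
    """Attribute every A record in DIG_SAMPLE and report the common /24."""
    records = parse_dig(DIG_SAMPLE)
    attributed = attribute(records, parse_prefix_table(PREFIX_SAMPLE))
    return {"attributed": attributed, "shared_24": shared_block(attributed)}


if __name__ == "__main__":
    for addr, (owner, prefix, origin) in summarize()["attributed"].items():
        print(f"{addr:16} {owner:35} {prefix or '-':18} AS{origin or '-'}")
```

Longest-prefix match matters here: the cidr-report marks 68.142.192.0/19 as a more-specific of 68.142.192.0/18, so if both were in the table the /19 is the one that should be credited with the address.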
I figured as much, dalek. Sounds like...organized crime.
I did a whois on "r-accountsbmikp.info" and am unable to find anything on that name.
Wow, these guys cover their tracks.
Maybe this is a job for one of those eff-bee-eye men. Welcome to CSI-AntiOnline.
:)
I tried the link; it seems offline as of now.
AVG is fantastic!
I think it's better than Norton, Panda, and Trend Micro.... the only ones I think are as good are Kaspersky and BitDefender *personal fav*
Install AVG Free on EVERY COMPUTER you can... it's worth it, and it's free, so you're not installing stolen software.
Damn the site has obviously been pulled off line.
I was hoping to get a sample of the .exe and pull it apart to have a look. Ah well, there's always next time, I guess..
f2B
I submitted the two "mpg.exe's" from www.todaycnn.com site to VirusTotal (thanks for that link, nihil). They appear to be trojan downloaders.
The result for both was:
AntiVir 6.34.1.37 06.04.2006 no virus found
Authentium 4.93.8 06.02.2006 no virus found
Avast 4.7.844.0 06.02.2006 no virus found
AVG 386 06.02.2006 no virus found
BitDefender 7.2 06.04.2006 no virus found
CAT-QuickHeal 8.00 06.03.2006 no virus found
ClamAV devel-20060426 06.04.2006 no virus found
DrWeb 4.33 06.04.2006 no virus found
eTrust-InoculateIT 23.72.28 06.04.2006 no virus found
eTrust-Vet 12.6.2240 06.02.2006 no virus found
Ewido 3.5 06.04.2006 no virus found
Fortinet 2.77.0.0 06.03.2006 suspicious
F-Prot 3.16f 06.02.2006 no virus found
Ikarus 0.2.65.0 06.02.2006 Trojan.DownLoader.8190
Kaspersky 4.0.2.24 06.04.2006 no virus found
McAfee 4776 06.02.2006 no virus found
Microsoft 1.1441 06.04.2006 no virus found
NOD32v2 1.1577 06.04.2006 no virus found
Norman 5.90.17 06.02.2006 no virus found
Panda 9.0.0.4 06.04.2006 Suspicious file
Sophos 4.05.0 06.03.2006 no virus found
Symantec 8.0 06.04.2006 no virus found
TheHacker 5.9.8.154 06.01.2006 no virus found
UNA 1.83 06.02.2006 no virus found
VBA32 3.11.0 06.04.2006 no virus found
The site originally had two supposed mpg's, the first named UFO_CRASHED_IN_NEW_JERSEY_1_.mpg.exe (1.3 mb) and the second named UFO_CRASHED_IN_NEW_JERSEY_2_.mpg.exe (2.5 mb). I've got copies of both if anybody's interested in dissecting them.
This is an email I received a little earlier today. I'm not sure, guys, but it looks like this might be the result of this thread. But then again, maybe others reported it too.
Quote:
Re: Fake CNN web site (KMM32564316V8942L0KM)
From:
Yahoo! Domains <[email protected]>
To:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Date:
Today 11:56:26 am
Thank you for informing us of possible abuse on Yahoo! Domains. We have
investigated the site and taken the necessary action. Please continue to
notify us of any content you believe violates the Yahoo! Domains Terms
of Service, located at:
http://smallbusiness.yahoo.com/tos/tos.php
In any event, thanks to Broomiebar for saying something about this, and thanks to everyone else who provided information.
Whether the removal of this site was the result of our efforts, or someone else's, it's good to see the hosting company respond, and people working together to make the Internet a little safer :)
Well guys,
It seems this site is back in action again. I sent another "abuse" email. Maybe they'll shut it down for good.
I'm wondering if they're just testing the waters. Getting only one ip address so far, versus the 10-11 we got last week. Right in the same range:
68.142.212.41
There we go, there's another ip address:
68.142.212.50
You been keeping an eye on this one all week, preacherman?
edit -- yeah, they're back. Last ip address was 68.142.212.47, now back to .41. Running this scam off the same servers. How do they get away with it?
Looks like something has happened now.
When attempting to connect by IP, page cannot be displayed. When attempting by FQDN, 403 forbidden.
The thing that surprises me most here is they actually added padding to make the fake mpeg look like a 2.5 meg file. Very creative.
--TH13
No, I was in this thread and I just clicked the links out of curiosity, and voila, it was there.
Quote:
You been keeping an eye on this one all week, preacherman?
Ok, just checked my email this morning.
Quote:
Dear XXXXX
Thank you for writing to Yahoo! Domains.
Thank you for informing us of possible abuse on Yahoo! Domains. We have
investigated the site and taken the necessary action. Please continue to
notify us of any content you believe violates the Yahoo! Domains Terms
of Service, located at:
http://smallbusiness.yahoo.com/tos/tos.php
Thank you again for contacting Yahoo! Customer Care.
Regards,
XXXXXXXXXXX
Yahoo! Customer Care
http://www.yahoo.com/