North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: FW: Need some help: IDEAS, Inc.
Just an FYI, FBI and Secret Service are actively working these as they are identified. We definitely don't need more victims. If you don't feel you're getting the response needed contact US CERT: https://forms.us-cert.gov/report/ or http://www.us-cert.gov/contact.html We'll make sure the information gets into the right hands. I will say that I know many others on the list have been doing a great job of identifying sites as well as reporting. SANS ISC keep up the good work! The information goes into Federal Law Enforcement who also works with Local LE. Jerry ---- Original message ---- >Date: Sat, 3 Sep 2005 11:00:03 -0400 >From: "Marcus H. Sachs" <[email protected]> >Subject: FW: Need some help: IDEAS, Inc. >To: <[email protected]> >Cc: <[email protected]> > > >One of our incident handlers at the SANS Internet Storm Center has been >trying to chase down the bogus Katrina assistance web sites. Below is a >note of frustration he sent internally to us this morning. I asked if I >could cross-post over to NANOG to see if any of you could assist. > >Thanks in advance! > >Marc > > >++++++++++++++++++++++++++++++++++++++++++++++++++++++ >Marcus H. Sachs, P.E. KJ4WA : [email protected] >Director, SANS Internet Storm Center : isc.sans.org >Washington D.C. USA (EDT, GMT-4) : +1 703 707 9293 >++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > >-----Original Message----- >Sent: Saturday, September 03, 2005 9:32 AM >Subject: Need some help: IDEAS, Inc. > > >Morning all: > >Last night, I pulled a new copy of the .com and .net zone files down and did >another grep for "katrina" domains. Obviously, there are now more... > >In the process of checking and cross-referencing, I found that our friends >"IDEAS, Inc" are a little more "involved" than we originally thought: > >http://www.hurricanekatrinarelief.com >http://www.hurricanekatrinapics.com >http://www.hurricanekatrinaneworleans.com >http://www.hurricanekatrinaflooding.com >http://www.hurricanekatrinainfo.com >http://www.hurricanekatrinamap.com >http://www.hurricanekatrinanews.com >http://www.hurricanekatrinapath.com >http://www.hurricanekatrinaphoto.com >http://www.hurricanekatrinaphotos.com >http://www.hurricanekatrinarelieffund.com >http://www.hurricanekatrinatracking.com >http://www.hurricanekatrinaupdate.com >http://www.hurricanekatrinavideos.com >http://www.katrinadamage.com >http://www.katrinapics.com >http://www.katrinavideos.com >http://www.neworleanshurricanekatrina.com > >...and those are just the 18 I was able to find. > >Right now, there are two weak points to this particular house of cards. > >1) The first site listed, "http://www.hurricanekatrinarelief.com" is what >drives all of the others. Each of the other sites, loads the first one in >an IFRAME. That makes it easy for the bastards to update them all. This >site is hosted by Interland. Their final word on shutting these scumballs >down until they could prove they were legitimate was: > >"We have been advised by our legal department that the local authorities >should be contacted. The local authorities can submit a subpoena to our >legal department. We will be glad to comply to such a request." > >ie. "We have no balls. Go away". > >2) All of the other sites are hosted at the IP address 206.251.184.10. >Immediate upstream is "datasync.net/.com" and they are located in (of >course...) Louisiana. I've emailed them numerous times, and tried to call >("all circuits are busy..."), but they're probably running in lights-out >mode right now. > >The IDEAS, Inc. scum MUST die, but I'm all out of ideas at this point... the >only other possibility that I can think of it to take them out at the DNS >level. All of the "slave" sites at 206.251.184.10 use DirectNIC for their >DNS... Anyone got sway with them? > >Frankly, gang, I'm at my wits end on this one... > >
|