SpamKill.org: intelligence that enables you to fight all types of spam. Content scraper crawlers, spam harvesting bots, IP tools, automated server/network software and ASP services are topics discussed.
#81
89.149.227.78 89-149-227-78.internetserviceteam.com
Mozilla/5.0 (X11; U; Linux sparc64; en-US; rv:1.7.12) Gecko/20051105 Firefox/1.0.7
#82
89.149.253.21 89-149-253-21.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
#83
89.149.253.21 89-149-253-21.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041002 Firefox/0.10.1
89-149-253-21.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT) ::ELNSB50::000061100320025802a00111000000000507000 900
#84
89.149.253.21 89-149-253-21.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) NS8/0.9.6
89-149-253-21.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Creative)
#85
89.149.253.21 89-149-253-21.internetserviceteam.com
Mozilla/4.61 [en] (X11; U; ) - BrowseX (2.0.0 Windows)
#86
89.149.227.78 89-149-227-78.internetserviceteam.com
Mozilla/0.6 Beta (Windows)
89.149.253.21 89-149-253-21.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC
#87
78.159.122.17 78-159-122-17.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20050519 Netscape/8.0.1
#88
Anyone have a complete list of these CIDRs? I've already spotted this bot trying to crawl a couple of my forums, and I'd like to nail the lot. We don't need hits from ANY server farm crawling our forum, whether there's a few legit businesses on it or not. Members don't access from a server farm.

BTW, Netdirekt.de is also hosting cross-site script attacks. I've complained about a couple of them that I saw in my logs (abuse report filed in both English and Deutsch with the full attack log) and after 2 weeks the XSS files were still on their servers. I banned the whole range without shedding a tear, then added more later:

89.149.241.0/24
89.149.242.0/23
89.149.244.0/24
89.149.192.0/18

That's what I have for Netdirekt.de so far, but I see there's a BUNCH of other ranges buried in this thread... I'd rather be proactive than have to deal with it after the fact. Luckily, we've only had ONE forum spammer successfully register in 2 years, so we're doing much better than some of you. He was one of the idiotic UserCash porn nitwits that was easy to spot and crucify. Whether it hurts our search rank or not, I'm on the verge of banning ALL of China and Turkey. That's where the majority of our script kiddie wannabes all hail from. We don't have any members in those countries, nor are we likely to ever have any of 'em. If Google.cn and Google.tk don't show us, tough. I've given up sending abuse reports to either country 'cos none were ever acted on.
#89
Thanks for the data. There is an IP string that shows everything in the Internetserviceteam.com IP range over at www.robtex.com that I have pulled in the past.
Robtex.com has changed their output due to interface changes made in their tools, for the worse it seems, so the data they are providing does not seem as good as it was in the past.
#90
Today it seems internetserviceteam.com is attempting to hide their host name.
89.149.253.100 lahex.bisselle.fi Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030504 Mozilla Firebird/0.5+
89.149.236.175 89-149-236-175.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
#91
89.149.208.209 89-149-208-209.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)
#92
12:50 PM Guest Registering 84.16.240.232 84-16-240-232.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Win64; x64; SV1; .NET CLR 2.0.50727)
89.149.253.96 89-149-253-96.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040614 Firefox/0.9
#93
89.149.253.92 89-149-253-92.internetserviceteam.com
Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko/20021016 K-Meleon 0.7
#94
This post may be in the wrong section/annoy the moderators since it's half-story, half-post... sorry if it does, but if you read it in full you can see where I find this related to this particular thread... [I also have an IP address to add to this thread that is related to mod requests to add new IP addrs/ranges used by these devious guys at IST.com, so please don't hate on me for posting a super-long reply/possible mod aggravation; in light that you didn't restrict message lengths yourself, please be gracious to a newcomer to your forum... I promise to ramble on less next time.]

===

I found this vbb through googling internetserviceteam.com.

After using a very old computer P2-400/128MB/XP Pro SP2 (not version 2002) without any anti-spyware or firewall stuff, just very restrictive IE settings on ALL zones (Internet/Trusted/Intranet-Local, etc.), simply as a testbed to see what would happen if I let it idle for ages and ages unprotected [the old thing couldn't be protected if it wanted to, with 95/128MB of RAM being used at boot]... I disabled all the craptastic services that are always exploited by hackers, as I have been doing since 2002 when Microsoft themselves hacked me through MSN Messenger [they did and I can prove it (or perhaps they just used the Indexing Service to get a list of files on my hard drive remotely and expediently (I was using W2K SP2 in 2002 and I didn't know about default C$ shares or a ton of other important info prior to that day), but that's another story].

Back to present day. Long story short, that unprotected system (the P2-400) (except for the disabling of NetBIOS, being behind a router, disabling a load of Windows services, losing 0 functionality) was never hacked, period, and I let it sit and idle for ages (over 2 1/2 years, fully unpatched, but Internet settings/Windows services heavily customized/disabled). Go me.

Based on this I gave a new HTPC I just purchased a chance to get screwed up, so it was unexploited with XP SP2 (ver 2002 Asus OEM) for several days... a few days later I gave SP3 a chance (after boycotting WinUpdate entirely since Win98), expecting the worst after the update... and the worst is what I got.

The internetserviceteam guys hacked me quite deeply within an hour of updating to SP3 (full audits of privileges used for the Event Log, the accessed timestamps of the exploited .dlls, etc., etc. allowed me to deduce this information, among other tricks). I did forget to turn off NetBIOS for the adapter though, knowing its horrible history.

So on to the point... a simple routine netstat -an led to the discovery of:

  Proto  Local Address  Foreign Address                               State
  TCP    yohoho:1067    localhost:8012                                CLOSE_WAIT
  TCP    yohoho:1078    localhost:8012                                ESTABLISHED
  TCP    yohoho:1086    localhost:8012                                ESTABLISHED
  TCP    yohoho:1110    localhost:8012                                ESTABLISHED
  TCP    yohoho:8012    localhost:1078                                ESTABLISHED
  TCP    yohoho:8012    localhost:1086                                ESTABLISHED
  TCP    yohoho:8012    localhost:1110                                ESTABLISHED
  [another]
  TCP    yohoho:1113    89-149-227-210.internetserviceteam.com:http   TIME_WAIT
  [times 25, identical IP, numerous local ports 1113-1153]

fport.exe identified the following:

  FPort v2.0 - TCP/IP Process to Port Mapper
  Copyright 2000 by Foundstone, Inc.
  http://www.[[[[removed]]].com

  Pid   Process   Port   Proto  Path
  1036            -> 135    TCP
  4     System    -> 445    TCP
  3332  explorer  -> 8012   TCP    C:\WINDOWS\explorer.exe
  1036            -> 445    UDP
  4     System    -> 500    UDP
  3332  explorer  -> 1026   UDP    C:\WINDOWS\explorer.exe
  0     System    -> 1037   UDP
  0     System    -> 1075   UDP
  0     System    -> 1164   UDP
  0     System    -> 1165   UDP
  0     System    -> 4500   UDP

So I installed all my favorite 3rd party software AFTER it had been hacked (SP3) to further figure out the full nastiness of what had transpired. Ad-Aware's nifty process watch allowed me to see the .dlls IST had installed and attached to various system processes including winlogon.exe, explorer.exe, ctfmon.exe and services.exe and Internet Explorer [not hidden by the hackers, visible in the IE add-on manager]. These .dlls were awtrOfCT.dll, ssqQkHBs.dll, vufunqcv.dll, blfkllkn.dll, fqikbccb.dll...

The latter two I found only by looking in the evil HKLM\...\CurrentVersion\Run registry entry [it's like the Startup folder on your start menu but hidden, for those who don't know... but this forum seems like it's modded by some smart guys], using RUNDLL (of course) to execute DLLs like child's play.

Pretty nasty... what's amusing to me though is that they were only able to get to me when I was using SP3... I searched for evidence of this rootkit on other old computers I had turned on to see if, while my new PC got exploited, the other XP SP2 machines on the LAN at that time would be infected... they weren't.

I successfully manually removed all but the awtrofct.dll, just to do it... couldn't get Ad-Aware to unload it from memory from winlogon.exe but I got it out of being attached to other processes... I guess the SAM somehow let the virus in but then protected it afterwards... lame eh? awtrofct.dll had apparently been last accessed TOMORROW [according to the Windows file timestamp from the standard Properties info].

ANYWAYS here are the IPs I caught having their way with my machine before I wdclear'd the bastard and used the OEM restore disc (ASUS Windows OEM installs/restores are surprisingly free of bloatware and all the other crap we've come to expect from branded PCs, I love you ASUS):

89-149-227-210.internetserviceteam.com

I saw this range has already been reported by many since 2005 on this thread, but still. Also this IP from Russia appeared. I'm not 100% sure it was IST using it but it's likely, since it was on the HTTP port like all the IST requests and I didn't visit any Russian websites [why would I do that] (which were TIME_WAIT after I pulled the ethernet cable, while the IP below was in CLOSE_WAIT post plug-pulling):

91.208.0.223

PS: they were also using KPOP (POP3 port) to send information... typical. [who the HELL ever used POP for mail services anyway, die Outlook Express, dieeeee!]

PPS: more power to you, AnthonyCEA! (and the ACLU and EFF)
#95
Welcome to the forum Psych0
Professional spammers are hackers by trade; they run bots and posting agent scripts 24/7/365, attacking any page or server they can with comment spam, referral log spam, exploit attacks, dumping links to spyware or virus loading pages so they can convert computers into part of their botnet (zombie computers), conducting PHP shell attacks to take over servers, and many other scams and cyber crimes. Where this is leading is to places like ProjectHoneyPot.org and web applications to block these malicious attacks from spambot network masters. You can't beat hackers and professional spambot networks without tools and automation; a lot of intelligence is needed also, and that is what we try to provide to a very dark world. Even some of the most sophisticated web developers do not understand the threats posed by these spam botnets.
#96
Major spambot network operation Internetserviceteam.com is using blacklisted open proxy IPs to ghost their dedicated web server IPs.
09:57 PM Guest Viewing Index 89.149.197.242 89-149-197-242.internetserviceteam.com Mozilla/4.61 [en] (X11; U; ) - BrowseX (2.0.0 Windows)
09:57 PM Guest Viewing Index 219.159.67.187 Mozilla/4.61 [en] (X11; U; ) - BrowseX (2.0.0 Windows)
#97
89-149-253-21.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20050207 Firefox/1.0.1
#98
Hi all,
I've started seeing IST in my logs the last few days. Same IPs as already listed, but also on these host names:
217.20.127.179 (irpstreaming.com)
84.16.233.242 (ajo.es)
I've started trapping these on host name in Apache like so:

  # various aliases of "internetserviceteam" bot
  # these will be sent to chase their own tails via a conditional rewrite rule later
  # (Remote_Host only carries a name when HostnameLookups is On; with it Off the
  #  variable holds the bare IP and none of these patterns will ever match)
  #
  SetEnvIfNoCase Remote_Host "internetserviceteam\.com" banned=trap
  SetEnvIfNoCase Remote_Host "ajo\.es" banned=trap
  SetEnvIfNoCase Remote_Host "irpstreaming\.com" banned=trap

  ### REWRITE RULES FOR BAD GUYS
  #-----------------------------
  #
  # These operate based on the env var "banned" set earlier.
  #
  RewriteEngine On

  # Do not redirect requests that are already in the trap.
  # (leading slash made optional so the rule also matches in .htaccess, where it is stripped)
  RewriteRule ^/?trap/ - [L]

  # 403 Forbidden to most baddies ("-" means no substitution; [F] answers 403, not 404)
  RewriteCond %{ENV:banned} "forbidden"
  RewriteRule .* - [F]

  # Redirect to trap for certain select baddies. They can chase their own tails in there
  # (so they don't know they are being noticed)
  RewriteCond %{ENV:banned} "trap"
  RewriteRule .* /trap/comment.html [NC,NS,L]

This way they can be sent into a black hole where they can post fake comments and follow fake links around in circles.
kram.
#99
Thanks Kram, that is creative, it is quite funny and a truly innovative concept, thanks for the coding lesson too!
PS: Keep up the good work on behalf of others who are not as sophisticated as you or the hackers.
#100
Sophisticated, moi? No, I put this together using the Apache guide and a lot of experimentation! I cannot even be sure that it will work, since IST have not visited since I set it up yesterday. That said, in as far as I could test it, it seems to do what I intended.
I'd like to do something more sophisticated and generalised using the HTTP_REFERER. A lot of requests to my site are unlikely (or never) going to be generated without my own site being the referrer (and in the case of POSTs definitely never), and it should be possible to trap those somehow...
Kram.
#101
Just keep working and post your new anti-spambot technology if you would, in the spirit of fighting back against these bastards, even if many of us can't figure it out on our own when you put it out on a silver platter.
More Internetserviceteam IP range data:
89.149.241.121 89-149-241-121.internetserviceteam.com
89.149.253.21 89-149-253-21.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
#102
Thanks for the kind words.
For what it's worth, the rewrite rules I posted above do work (IST fell into the trap on their last visit). I'm thinking now of something along the lines of

  # Refuse any POST whose Referer is not our own site ("my.com" stands for the site's own
  # name). Note that Referer is supplied by the client, so a bot can forge it, and some
  # privacy tools strip it, so a few legitimate POSTs will be refused as well.
  RewriteCond %{REQUEST_METHOD} ^POST$
  RewriteCond %{HTTP_REFERER} !^https?://(www\.)?my\.com/ [NC]
  RewriteRule .* - [F]

to trap all POST requests that don't have an appropriate referer (send them to /trap/comment.html instead of "- [F]" to use the tail-chasing trap). I'll let you know if it works.
kram.
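The checks this thread describes, run together over a handful of web-server hits. This is an added example and not code from the thread or from any poster: an offline Python script whose log layout, times, paths, referers, the example.org site name (standing in for Kram's "my.com") and the 203.0.113.5 / 198.51.100.7 visitors are all assumptions; the IPs, reverse names and User-Agent strings are taken from posts in this thread (the ajo.es and irpstreaming.com reverse names are written in the same hyphenated style as the others). It combines the four ranges from post #88 (with ipaddress.collapse_addresses showing that 89.149.192.0/18 already covers the other three), the Remote_Host domain traps from post #98, the POST-without-own-Referer rule sketched in post #102, and the User-Agent pivot implied by post #96, where the same rare "BrowseX" string showed up from an internetserviceteam.com host and an unlisted IP in the same minute.

```python
import ipaddress
import re
from collections import defaultdict

# Post #88: the four Netdirekt ranges. 89.149.192.0/18 already contains the other three.
BANNED_CIDRS = [ipaddress.ip_network(c) for c in (
    "89.149.241.0/24", "89.149.242.0/23", "89.149.244.0/24", "89.149.192.0/18")]

# Post #98: reverse-DNS suffixes Kram traps with SetEnvIfNoCase Remote_Host.
BANNED_DOMAINS = ("internetserviceteam.com", "ajo.es", "irpstreaming.com")

# Post #102: only a POST whose Referer is our own site is acceptable.
# example.org stands in for the poster's "my.com" (assumption).
OWN_SITE = re.compile(r"^https?://(www\.)?example\.org/", re.I)

# Post #96 pivot: a UA seen from more distinct IPs than this is too common to pivot on.
# The threshold is an assumption; the thread's example works because "BrowseX" is rare.
PIVOT_MAX_IPS = 3

# Constructed log layout (not Apache's): time method path referer ip rdns "user-agent".
# IPs, reverse names and UAs are from this thread; times, paths, referers and the
# 203.0.113.5 / 198.51.100.7 visitors are made up.
SAMPLE_LOG = """\
21:57 GET /index.php - 89.149.197.242 89-149-197-242.internetserviceteam.com "Mozilla/4.61 [en] (X11; U; ) - BrowseX (2.0.0 Windows)"
21:57 GET /index.php - 219.159.67.187 - "Mozilla/4.61 [en] (X11; U; ) - BrowseX (2.0.0 Windows)"
21:58 GET /showthread.php?t=1 - 84.16.233.242 84-16-233-242.ajo.es "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
21:58 GET /showthread.php?t=1 http://www.example.org/ 203.0.113.5 - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
21:59 POST /newreply.php http://www.example.org/showthread.php?t=1 203.0.113.5 - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
22:00 POST /register.php - 212.95.54.38 212-95-54-38.internetserviceteam.com "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95; BCD2000)"
22:00 POST /newreply.php http://spam.invalid/ 198.51.100.7 - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
22:01 GET /index.php - 217.20.127.179 217-20-127-179.irpstreaming.com "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$')


def collapsed_cidrs():
    """Effective ban list after dropping ranges already covered by a larger one."""
    return [str(n) for n in ipaddress.collapse_addresses(BANNED_CIDRS)]


def parse(line):
    m = LINE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    t, method, path, referer, ip, rdns, ua = m.groups()
    return {"time": t, "method": method, "path": path, "referer": referer,
            "ip": ipaddress.ip_address(ip), "rdns": rdns.lower(), "ua": ua}


def banned_cidr(ip):
    """First banned network containing ip, or None."""
    return next((str(n) for n in BANNED_CIDRS if ip in n), None)


def banned_domain(rdns):
    """Match on a label boundary so that e.g. 'notajo.es' is not caught by 'ajo.es'."""
    return next((d for d in BANNED_DOMAINS if rdns == d or rdns.endswith("." + d)), None)


def bad_post(method, referer):
    """Post #102: a POST whose Referer is missing ('-') or points somewhere other than us."""
    return method.upper() == "POST" and not OWN_SITE.match(referer)


def classify(lines):
    """Return {row_index: [reasons]} for every row that trips at least one check."""
    rows = [parse(l) for l in lines if l.strip()]
    hits = defaultdict(list)
    for i, r in enumerate(rows):
        net = banned_cidr(r["ip"])
        if net:
            hits[i].append("cidr:" + net)
        dom = banned_domain(r["rdns"])
        if dom:
            hits[i].append("host:" + dom)
        if bad_post(r["method"], r["referer"]):
            hits[i].append("post-referer")
    # Post #96: an unlisted IP using, in the same minute, a UA that a banned host also uses.
    by_ua = defaultdict(list)
    for i, r in enumerate(rows):
        by_ua[r["ua"]].append(i)
    for idxs in by_ua.values():
        if len({rows[i]["ip"] for i in idxs}) > PIVOT_MAX_IPS:
            continue  # too common a UA to say anything about its other users
        known_bad = [i for i in idxs
                     if any(h.startswith(("cidr:", "host:")) for h in hits.get(i, []))]
        for i in idxs:
            if i in known_bad:
                continue
            for b in known_bad:
                if rows[b]["time"][:5] == rows[i]["time"][:5]:
                    hits[i].append("ua-pivot:%s" % rows[b]["ip"])
                    break
    return dict(hits)


if __name__ == "__main__":
    print("effective ban list:", collapsed_cidrs())
    for i, reasons in sorted(classify(SAMPLE_LOG.splitlines()).items()):
        print(i, reasons)
```

Run it directly to print the collapsed ban list and the reasons per log row. The pivot is only meaningful for rare User-Agent strings, which is why it skips any UA seen from more than PIVOT_MAX_IPS addresses; a stock MSIE 6 string would otherwise drag legitimate visitors in alongside the bot. Blocking on the reverse-DNS name is the weakest of the three lists, since the PTR record is set by whoever runs the netblock (post #90 shows the same network answering as lahex.bisselle.fi), so the CIDR check is the one to rely on, and the Referer rule will refuse some real users whose browsers or proxies strip that header.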
#103
The worldwide community of webmasters is grateful to you or anyone who posts data enabling them to stop this epidemic of spam botnets. This is taking sites down due to DDoS attacks and is a major time-wasting problem for webmasters and server administrators.
#104
89.149.253.181 89-149-253-181.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
#105
05:00 PM Guest Viewing Index
89.149.236.175 89-149-236-175.internetserviceteam.com Mozilla/6.0 (compatible; MSIE 7.0a1; Windows NT 5.2; SV1)
#106
08:18 PM Guest Viewing Index
89.149.236.51 89-149-236-51.internetserviceteam.com Mozilla/6.0 (compatible; MSIE 7.0a1; Windows NT 5.2; SV1)
#107
89.149.236.51 89-149-236-51.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) NS8/0.9.6
#108
89.149.226.251 89-149-226-251.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows ME) Opera 7.11 [en]
#109
89.149.227.78 89-149-227-78.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
#110
89.149.227.78 89-149-227-78.internetserviceteam.com
Mozilla/3.0 (compatible; WebCapture 2.0; Auto; Windows)
#111
89.149.227.78 89-149-227-78.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
#112
Internetserviceteam.com automated comment spam bot registering under the forum user name EdimupiedammA.
02:16 PM EdimupiedammA Registering 212.95.54.38 212-95-54-38.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 5.5; Windows 95; BCD2000)
#113
89.149.195.26 89-149-195-26.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1; SV1; .NET CLR
#114
09:00 PM Guest Viewing Index
89.149.195.26 89-149-195-26.internetserviceteam.com Mozilla/0.91 Beta (Windows)
#115
05:39 AM Guest Viewing Index
89.149.227.65 89-149-227-65.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
#116
89.149.195.26 89-149-195-26.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 1.0.5)
#117
Hello all,
I found this post searching for 89-149-218-62.internetserviceteam.com on Google; that site is hosting a stolen domain/site. I am working with a guy who had two domains stolen and two servers hacked by these guys. They stole his sites and domain names and now they are DDoSing his new websites with robots making HTTP requests, non-spoofed UDP floods and some SYN floods; so far I have identified at least 3036 bots. Anyone interested in the list can post here. Any idea of how we can dismantle these hacking/DDoS/spam operations? I visited shadowserver.org, which tracks botnets, but for the moment I didn't find any way to report the botnet; they seem to require some special level of access to do that.
#118
All you can do today is watch the IPs hitting your server closely and ban blacklisted spam source IP addresses.
That, or install a firewall using data garnered from anti-spam portals like ProjectHoneyPot.org to stop them from hitting your websites in the first place.
#119
89.149.217.184 89-149-217-184.internetserviceteam.com
Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01
#120
89.149.236.50 89-149-236-50.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)