Vulnerability Development mailing list archives

Re: Update on grokster trojan domain name


From: Markus Kern <markus-kern () gmx net>
Date: Fri, 28 Dec 2001 13:24:41 +0100


 
I found a URL that will return some information:
http://www.2001-007.com/index.asp?UserURL=GET+/&User_IP=127.0.0.1&userid=127&User_Browser=IE

When I looked at www.2001-007.com yesterday it was running IIS 5.0 and
lots of other services (DNS, ftp, telnet, SMTP, echo, ...).
As of now (12/28/01 12:15 GMT) the host seems to be down.

Doing an AXFR for *.2001-007.com using one of the DNS servers (ns1.vrinter.net)
listed in the whois data for www.2001-007.com returns

Resource records for this zone:
    2001-007.com, SOA, ns1.vrinter.net
    2001-007.com, NS, ns1.vrinter.net
    2001-007.com, NS, ns2.vrinter.net
    www.2001-007.com, A, 66.36.0.30
    zappa.2001-007.com, A, 66.36.0.254
    2001-007.com, SOA, ns1.vrinter.net
Received a total of 6 records

ns1.vrinter.net and ns2.vrinter.net are 66.36.0.22 and 66.36.0.99
respectively.

zappa.2001-007.com is still up and runs IIS 5.0 and also lots of other
stuff. Using the above URL on zappa yields a 404.
http://zappa.2001-007.com/ returns an "Under Construction" page which
looks like a default install of IIS.

regards,
Markus <markus-kern () gmx net>

It returned "765354" and the number keeps increasing every time
I load the page - perhaps it's a running count of page
loads (or hosts infected) ??

