Vulnerability Development mailing list archives
Re: Update on grokster trojan domain name
From: Markus Kern <markus-kern () gmx net>
Date: Fri, 28 Dec 2001 13:24:41 +0100
I found a URL that will return some information: http://www.2001-007.com/index.asp?UserURL=GET+/&User_IP=127.0.0.1&user id=127&User_Browser=IE
When I looked at www.2001-007.com yesterday it was running IIS 5.0 and lots of other services (DNS, ftp, telnet, SMTP, echo, ...). As of now (12/28/01 12:15 GMT) the host seems to be down. Doing a AXFR for *.2001-007.com using one of the DNS servers (ns1.vrinter.net ) listen in the whois data for www.2001-007.com returns Resource records for this zone: 2001-007.com, SOA, ns1.vrinter.net 2001-007.com, NS, ns1.vrinter.net 2001-007.com, NS, ns2.vrinter.net www.2001-007.com, A, 66.36.0.30 zappa.2001-007.com, A, 66.36.0.254 2001-007.com, SOA, ns1.vrinter.net Received a total of 6 records ns1.vrinter.net and ns2.vrinter.net are 66.36.0.22 and 66.36.0.99 respectively. zappa.2001-007.com is still up and runs IIS 5.0 and also lots of other stuff. Using the above URL on zappa yields a 404. http://zappa.2001-007.com/ returns an "Under Construction" page which looks like a default install of IIS. regards, Markus <markus-kern () gmx net>
it returned "765354" and the number keeps increasing everytime i load the page - perhaps it's a running count of page loads (or hosts infected) ??
Current thread:
- Update on grokster trojan domain name scott (Dec 27)
- Re: Update on grokster trojan domain name Markus Kern (Dec 28)
- RE: Update on grokster trojan domain name Ken Pfeil (Dec 28)
- Re: Update on grokster trojan domain name Markus Kern (Dec 28)