Interesting hijack: windows-scanner.com
I came across these URLs while completing some research today ((***DO NOT VISIT THE SITE***))
Within seconds I ended up at this URL:
This is how the hijack took place. After hitting the lamauricie.qc.ca URL, we end up at this URL:
The cc.search.results.trust.view.html.in.intrust.cc URL leads us here:
From there we end up at:
The windows-scanner.com URL displays the following dialogue box:
Note the typographical error, "creahes". We have seen that exact typographical error before, back in March, via a malvertizement on lyricsmania.com:
Closing the dialogue box (using the red x, or cancel), leads us to another URL:
windows-scanner.com/2009/1/_freescan.php?aid=<<removed>> (note the slight difference between this URL and the previous URL)
Let's have a look at some of the URLs.
First, cc.search.results.trust.view.html.in.intrust.cc. I had to laugh to see this:
Do we believe that they were *really* hacked?? Heck no!! If we check out the domain "intrust.cc", this is what we discover:
Domain Name: INTRUST.CC
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: estdomains.com
Name Server: NS1.INTRUST.CC
Name Server: NS2.INTRUST.CC
Updated Date: 19-jun-2008
Creation Date: 05-sep-2007
Expiration Date: 05-sep-2009
We don't trust ANYTHING with an association with Estdomains. intrust.cc uses the name servers ns1.intrust.cc and ns2.intrust.cc. Its mail server is mail.intrust.cc. The reverse DNS for all three is sr.upperhigh.info.
sr.upperhigh.info leads us to upperhigh.info, which in turn leads us to n1.pornlonestar.info and ns2.pornlonestar.info.
pornlonestar.info's sponsoring registrar is Directi Internet Solutions Pvt. Ltd., a name that we treat with caution.
bestpictures2.com and windows-scanner.com share the IP address 126.96.36.199. That IP address is also shared by globala2.com, jupanu.ro and ns.zion.ro.
windows-scanner.com was registered via Directi Internet Solutions PVT. LTD., and bestpictures2.com was registered via bizcn.com in China.
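The pivoting done by hand above (name servers, reverse DNS and a shared IP tying one domain to the next) can be automated. The following is an added example, not code from the original post: it clusters domains that share infrastructure, using a constructed record set built from the hosts named in the post (the unrelated control domain and its 203.0.113.7 address are made up; `parent_domain` assumes two-label registrable domains).

```python
# Added example: group domains linked by shared infrastructure. Records are a
# constructed sample built from hosts named in the post; "example-unrelated.org"
# and 203.0.113.7 are made-up control values.
from collections import defaultdict

RECORDS = {
    "intrust.cc": {"ns": {"ns1.intrust.cc", "ns2.intrust.cc"},
                   "ptr": {"sr.upperhigh.info"}, "ip": set()},
    "upperhigh.info": {"ns": {"n1.pornlonestar.info", "ns2.pornlonestar.info"},
                       "ptr": set(), "ip": set()},
    "pornlonestar.info": {"ns": set(), "ptr": set(), "ip": set()},
    "windows-scanner.com": {"ns": set(), "ptr": set(), "ip": {"126.96.36.199"}},
    "bestpictures2.com": {"ns": set(), "ptr": set(), "ip": {"126.96.36.199"}},
    "globala2.com": {"ns": set(), "ptr": set(), "ip": {"126.96.36.199"}},
    "example-unrelated.org": {"ns": {"ns1.example-unrelated.org"},
                              "ptr": set(), "ip": {"203.0.113.7"}},
}

def parent_domain(host):
    """Registrable parent of a hostname (assumption: two-label TLD-less form)."""
    return ".".join(host.split(".")[-2:])

def cluster_by_infrastructure(records):
    """Union domains that share an IP, or whose NS / reverse-DNS hosts are
    hosted under another domain in the set. Returns sorted clusters."""
    parent = {d: d for d in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    def union(a, b):
        parent[find(a)] = find(b)
    # Pivot 1: domains resolving to the same IP address
    by_ip = defaultdict(list)
    for dom, attrs in records.items():
        for ip in attrs["ip"]:
            by_ip[ip].append(dom)
    for doms in by_ip.values():
        for other in doms[1:]:
            union(doms[0], other)
    # Pivot 2: NS or PTR hostname sits under a different domain in the set
    for dom, attrs in records.items():
        for host in attrs["ns"] | attrs["ptr"]:
            target = parent_domain(host)
            if target in records and target != dom:
                union(dom, target)
    groups = defaultdict(list)
    for dom in records:
        groups[find(dom)].append(dom)
    return sorted(sorted(g) for g in groups.values())
```

Against live data the same function would take whois, DNS and passive-DNS lookups as input; here it shows the hijack chain and the scanner domains falling into two separate clusters while the control domain stays alone.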