Full Version: Bad Websites
Samurai V
This is a little bizarre, so I'm not sure what to make of it.

When I was using the NASUM CGI-proxy server last night, it was running abnormally slowly, and I noticed repeated messages in the status bar that the browser was connecting with "www.boobs.com". I don't know if the latter site is malicious or not, or if it was just an attempt to serve ads. I was unable to find anything current about it on Google, and I don't want to visit to find out if it's a harmful site.
Kimberly
Hi Samurai V,

The site sounds bad indeed, I'll add it and see if someone complains about it.

From a Google search:
QUOTE
I just went to the browser and typed in http//www.boobs.com and hit enter. 
To my surprise, it was not blocked and I had hit a site that takes control of the browser. Every time I closed a window, another opened up.


Details:

www.boobs.com - 66.154.81.152
OrgName: CP Cyber Wurx
OrgID: CPCW
Address: 4334 Unit L Arrow Tree
City: St. Louis
StateProv: MO
PostalCode: 63128
Country: US

NetRange: 66.154.0.0 - 66.154.95.255
CIDR: 66.154.0.0/18, 66.154.64.0/19
NetName: CONEPUPPY-COM

Registrant:
PJ Investment Group
Suite 320 3rd Floor, Barkly Wharf
Le Caudan Waterfront
Port Louis, one
Mauritius

Registered through: GoDaddy.com
Domain Name: BOOBS.COM
Created on: 23-Jan-99
Expires on: 23-Jan-07
Last Updated on: 27-Mar-04

Administrative Contact:
Investment Group, PJ webmaster@cumshots.com
....

Domain servers in listed order:
NS1.CONEPUPPY.COM
NS2.CONEPUPPY.COM

Kim
Samurai V
Thanks for the info, Kimberly. I wondered if I was just being paranoid, but it does sound like a malicious site.

The proxy I was using at the time was www.nasum.celebrityblog.net/cache.cgi, but I don't know for certain if they were the culprit. I have used this proxy about 10 times previously with no problems, though it's possible that they tried sleazy tactics before but were thwarted by my use of a Hosts file.

Cheers,
Samurai V
Samurai V
Banner ads:

lfs-ads.lfshosting.co.uk
Kimberly
Thanks, added.

Kim
Samurai V
Porn banners:

serve.pussycash.com
Kimberly
Thanks Samurai V, added.

Kim
monk
embracer.com - I've noticed ads being loaded from them.
MaKaVeLi
Ads:

ads.crucialparadigm.com

Rogue spyware apps:

www.razespyware.net
razespyware.net
Kimberly
@monk

Ads seem to be served by serve.embracer.com, no need to block the whole domain embracer.com. An accurate sample / webpage where you were hit by those ads would be welcome.

@MaKaVeLi

Thanks, added.

Kim
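The host-level blocking discussed in the reply above relies on the fact that a hosts file matches exact names only: an entry for one host says nothing about its parent domain or sibling hosts. The following is an added example, not part of the original thread; the sample file is constructed from names quoted in the thread, and the function names are hypothetical.

```python
# Added illustration: hosts-file lookups are exact-name matches.
# SAMPLE_HOSTS is a constructed sample, not a real Bluetack hosts file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
127.0.0.1 serve.embracer.com
127.0.0.1 www.razespyware.net razespyware.net   # two names on one line
127.0.0.1 Ads.CrucialParadigm.com
"""

LOCAL_NAMES = {"localhost"}            # legitimate loopback name, not a block
SINKS = ("127.0.0.1", "0.0.0.0")       # addresses commonly used to null-route


def normalize(name):
    """DNS names are case-insensitive; a trailing dot is the root label."""
    return name.lower().rstrip(".")


def parse_hosts(text):
    """Return {hostname: address} for every name in hosts-format text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank line or address only
        address, names = fields[0], fields[1:]
        for name in names:
            if normalize(name) not in LOCAL_NAMES:
                # first entry for a name wins, as in resolver lookups
                table.setdefault(normalize(name), address)
    return table


def is_blocked(hostname, table):
    """True only if this exact name maps to a sink address."""
    return table.get(normalize(hostname)) in SINKS


def uncovered(hostnames, table):
    """Names seen in a log or page source that the hosts file does not block."""
    return [h for h in hostnames if not is_blocked(h, table)]
```

Running `uncovered()` over the host names seen in a firewall or proxy log shows which hosts still need their own entry.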
monk
I saw ads from them on torrentspy.com a few weeks ago and had added embracer.com to my list in Adblock with Firefox. I just checked around there, but I didn't see any current ads from them, sorry.
Kimberly
Thanks monk, I'll try to figure it out.

Kim
r00ted
no idea what this site is/does...www.nice-work.de.tc

But a guy said he was posting a picture, and he said to find it there. lol. I wasn't going to go clicking a blind link, that didn't end in an image format, so I think it might be okay to block. http://www.google.com/search?sourceid=navc...rk%2Ede%2Etc%22 only shows some guestbook site.

I'm guessing it's some sort of affiliate thing where he gets a referral or money per click... though that's just a blind guess.
Samurai V
Banner ads:

integration.mediaplazza.com
r00ted
www.tqlkg.com
www.dot.tk
kasar.tk
www.kurtlardiyari.com

all related to IRC spam (Free porn at this link, etc :<). bombarded with pop ups that lead to those domain names. the "free porn" is mpeg.exe (which is actually some Litmus detection by Norton).
alien51
This one is related to the recent 40 million accounts breach from Mastercard. It's a phishing scam.

See this post for reference.

hxxp://www.mastercard-new-register.com
Samurai V
Serves ad I-frames:

bdv.bidvertiser.com
Samurai V
Someone I know just reported that he got a trojan from this link:

www.rlyrics.com/S%5CSteveWinwood/Valerie.asp

rlyrics.com is not currently blocked in the Hosts file.

I had no problem when I visited this site earlier, but then again, I use Firefox with Java turned off rather than IE.
Kimberly
Samurai V,

No problem, I'll add it together with www.lyrics.com. I saw 2 Hijack Logs involving those sites myself.

Thanks r00ted and alien51, added.

Kim

Samurai V
Banner ads:

gfx.avn.com
Samurai V
More banner ads (too late to edit my previous post to add them):

engine.xbiz.com
www.sexy-search.com
Samurai V
Tracking cookie:

count.mystat.pl
MaKaVeLi
Rogue spyware apps:

www.scan-it-clean-it.com
scan-it-clean-it.com
www.deluxe.spy-kill.com
deluxe.spy-kill.com

I saw ads coming from them:

ad.admarketplace.net
www.surfinvest.org
surfinvest.org
www.decroix.net
decroix.net
ads.yonkis.com

Counter:

counter.relmaxtop.com
Kimberly
Thanks Samurai V & MaKaVeLi, added.

Kim
Samurai V
Banner ads:

akamai.bizrate.com

(Also, congrats to Kimberly on the promotion to admin!)
Kimberly
Thanks Samurai V.

akamai.bizrate.com added.

Kim
MaKaVeLi
According to this post http://spywarewarrior.com/viewtopic.php?p=85548#85548 this site infects you with a lot of spyware if you click on the SNES link.

www.freeroms.com
freeroms.com

On a side note about 2 days ago when I updated the HOSTS file I noticed it had gone down about 2000 entries. Why was that?
Kimberly
Hi MaKaVeLi,

I'll look that up in depth before adding them, since I didn't get anything when visiting that site.

Removal of dead servers.
http://www.bluetack.co.uk/forums/index.php?showtopic=8406
QUOTE
All entries have been verified on 30 June 2005, dead servers were removed, except for CWS domains.


Kim
Samurai V
Banner ads (advertising how to create pop-up ads, no less!):

www.robrose.biz
Kimberly
Thanks Samurai V, added.

Kim
r00ted
www.webforadult.com
www.ilivecam.tk
webcamfree.megaxxxhost.com
www.nostop.cn.ms
idealo.de
log3.stats24.net
images.de.vu
www.cydots.com (looks to be a hosting site? but i got it as a pop up/under when exiting 1 of the above pages)
www.adboost.de.vu
www.smartdots.com

All were related to exe links in webpages (possibly virus/trojans) and/or pop ups, etc.
Kimberly
Thanks r00ted, added.

Kim
Samurai V
Computer Associates reports that the following domains are used by the Win32.Alemod trojan:

ecjnoe3inwe.com
fjrewcer32.com
dkjfwekjnc4.com
alphaportal.com

Full report here http://www3.ca.com/securityadvisor/virusin...s.aspx?id=43297
Kimberly
Thanks Samurai V, added.

Kim
r00ted
Got a link on ICQ to mandy.ne1.net, and all the other domain names were harvested from the source/pop ups/etc


64.156.213.248 (external link on 1 of these sites points to this direct ip for dl, which is level 3 Communications)

In the source of the page, StreamRay seemed to be a company, and here are the other ranges:
StreamRay DSLNET-20001206-00086:64.205.42.32-64.205.42.63
StreamRay DSLNET-20010808-00661:65.85.194.0-65.85.194.31
Kimberly
I'll check that out r00ted, because I wonder how you were able to get the popups from a domain that has been closed.

QUOTE
mandy.ne1.net has been disbanded
The short URL account that you have tried to access has been closed/disbanded for good by the webmaster of NE1.net.


Kim
r00ted
Oh wow. I guess they got shut down then. It was definitely working at the time I posted.

Glad to see a bad site gone nonetheless.

EDIT:
Here's some more (totally unrelated to the above reply, and the submission before that) but:
127.0.0.1 adserver.adremedy.com
127.0.0.1 affiliates.modchipstore.com

could probably be added.
Samurai V
Banner ads:

www.cash4fetisch.de
MaKaVeLi
Rogue anti-spyware apps:


Clickbank sites:

Kimberly
Thanks r00ted, Samurai V & MaKaVeLi

Added.

Kim
Samurai V
I don't know if this can be blocked with the Hosts file, but script.weborama.fr serves an annoying pop-up-like advertisement on another site.
Kimberly
Hi Samurai V,

Sometimes things like that can be blocked, sometimes not. Do you have a link to a page where it happens?

Kim
MaKaVeLi
Clickbank sites:

r00ted
aliye.tk - has links to porn exe's
ikile.net - the actual "download" site hosting the EXE files
www.randevum.com - from the source, looks to be a pay-per-click/affiliate thing
Samurai V
QUOTE (Kimberly @ Jul 27 2005, 05:00 AM)
Hi Samurai V,

Sometimes things like that can be blocked, sometimes not. Do you have a link to a page where it happens?

Kim

This is where I saw it before using Adblock: http://www.egs-avatars.com/e_gs_images/div...emmes/index.php

When I turned off Adblock and tried to reload the page, the page wouldn't reload, which I found curious.
Samurai V
Banner ads:

media.washingtonpost.com
Kimberly
@MaKaVeLi, thanks, added.

@r00ted

www.randevum.com looks like a portal, dunno since I don't understand the language.
QUOTE
aliye.tk - has links to porn exe's
ikile.net - the actual "download" site hosting the EXE files

Will look up those sites, ikile.net has "normal downloads" too from what I did see in a Google search...

@Samurai V

Thanks for the link, the popup is annoying indeed.
Shows up as an empty border for me since the site that serves the ads (www.smartadserver.com) is blocked. Still, adding script.weborama.fr blocked the whole popup, so it works.

Looked up my firewall log and found 2 more to block while visiting that page:
static.weborama.fr
gold.weborama.fr

Kim
Samurai V
I'm glad the information proved to be of help. I was a little surprised that the Firefox popup blocker didn't stop the ad, but it's nice to know that the Hosts file can.
Kimberly
Same here, my popup blocker didn't stop it and my firewall that has ad-blocking features included didn't stop it either.

Kim