|A hijacked host works for somebody else, without the owner knowing it. The diagrams show examples of a hijacked machine being used as a proxy name server and proxy web server.
This occurs when a trojan has invaded the computer as a result of a security exposure. For example, the machine may have been connected to the Internet while it had a trivial password. A hijacker has broken into the system by applying the hundred most frequently used passwords to the "root" administrator ID, and one of them matched. He has installed the trojan, and it will abuse the host by using its computing resources and its bandwidth. Hijacking is an illegal, criminal act in any country.
Sample hijacked IPs
The IP addresses hosting more that 100 sites per day in August / September are
184.108.40.206 at SERVEBYTE.COM in Dublin, Ireland 220.127.116.11 & 18.104.22.168 at Moscow Local Telephone Network spd-mgts.ru
October 2020 - September 2021
EvaPharmacy NAME SERVER examples with abuse reporting address
22.214.171.124 firstname.lastname@example.org 126.96.36.199 email@example.com 188.8.131.52 firstname.lastname@example.org 184.108.40.206 email@example.com 220.127.116.11 firstname.lastname@example.org email@example.com 18.104.22.168 firstname.lastname@example.org 22.214.171.124 email@example.com 126.96.36.199 firstname.lastname@example.org email@example.com 188.8.131.52 firstname.lastname@example.org 184.108.40.206 email@example.com 220.127.116.11 firstname.lastname@example.org 18.104.22.168 email@example.com 22.214.171.124 firstname.lastname@example.org 126.96.36.199 email@example.com 188.8.131.52 firstname.lastname@example.org 184.108.40.206 email@example.com 220.127.116.11 firstname.lastname@example.org 18.104.22.168 email@example.com 22.214.171.124 firstname.lastname@example.org 126.96.36.199 email@example.com 188.8.131.52 firstname.lastname@example.org 184.108.40.206 email@example.com (REMOVED) 220.127.116.11 firstname.lastname@example.org (REMOVED) 18.104.22.168 email@example.com (REMOVED) 22.214.171.124 firstname.lastname@example.org 126.96.36.199 email@example.com (syt.com) 188.8.131.52 firstname.lastname@example.org 184.108.40.206 email@example.com (REMOVED) 220.127.116.11 firstname.lastname@example.org (REMOVED) 18.104.22.168 email@example.com firstname.lastname@example.org (REMOVED) 22.214.171.124 https://my.netcetera.co.uk (REMOVED) 126.96.36.199 email@example.com (REMOVED) 188.8.131.52 firstname.lastname@example.org (REMOVED) 184.108.40.206 email@example.com (REMOVED) 220.127.116.11 firstname.lastname@example.org (REMOVED) 18.104.22.168 email@example.com (REMOVED) 22.214.171.124 firstname.lastname@example.org (REMOVED) 126.96.36.199 email@example.com (REMOVED) 188.8.131.52 firstname.lastname@example.org (REMOVED) 184.108.40.206 email@example.com (REMOVED) 220.127.116.11 firstname.lastname@example.org email@example.com (REMOVED) 18.104.22.168 firstname.lastname@example.org REMOVED 22.214.171.124 email@example.com (REMOVED) 126.96.36.199- firstname.lastname@example.org (REMOVED) 188.8.131.52 email@example.com (REMOVED)
EvaPharmacy HOSTING sites with abuse address
184.108.40.206 firstname.lastname@example.org 220.127.116.11 email@example.com 18.104.22.168 firstname.lastname@example.org 22.214.171.124 email@example.com 126.96.36.199 firstname.lastname@example.org 188.8.131.52 email@example.com 184.108.40.206 firstname.lastname@example.org 220.127.116.11 email@example.com 18.104.22.168 firstname.lastname@example.org 22.214.171.124 email@example.com 126.96.36.199 firstname.lastname@example.org 188.8.131.52 email@example.com 184.108.40.206 firstname.lastname@example.org
220.127.116.11 18.104.22.168 22.214.171.124 email@example.com (REMOVED) 126.96.36.199 firstname.lastname@example.org (REMOVED) 188.8.131.52 artnet.pl/kontakt (REMOVED) 184.108.40.206 email@example.com (REMOVED) 220.127.116.11 18.104.22.168 22.214.171.124 firstname.lastname@example.org (REMOVED) 126.96.36.199 email@example.com (REMOVED) 188.8.131.52 firstname.lastname@example.org (REMOVED) 184.108.40.206 email@example.com (REMOVED) 220.127.116.11 firstname.lastname@example.org (REMOVED) 18.104.22.168 email@example.com (REMOVED) 22.214.171.124 firstname.lastname@example.org (REMOVED) 126.96.36.199 email@example.com (REMOVED) 188.8.131.52 firstname.lastname@example.org (REMOVED) 184.108.40.206 email@example.com (REMOVED) 220.127.116.11 firstname.lastname@example.org (REMOVED) 18.104.22.168 email@example.com (REMOVED) 22.214.171.124 firstname.lastname@example.org email@example.com (REMOVED) 126.96.36.199 firstname.lastname@example.org email@example.com (REMOVED) 188.8.131.52 firstname.lastname@example.org email@example.com (REMOVED) 184.108.40.206 firstname.lastname@example.org (REMOVED) 220.127.116.11 email@example.com (REMOVED) 18.104.22.168 https://my.netcetera.co.uk (REMOVED) 22.214.171.124 126.96.36.199 firstname.lastname@example.org email@example.com (REMOVED) 188.8.131.52 184.108.40.206 220.127.116.11 https://support.swisslayer.com (REMOVED) 18.104.22.168 firstname.lastname@example.org (REMOVED) 22.214.171.124 email@example.com (REMOVED) 126.96.36.199 firstname.lastname@example.org (REMOVED) 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 email@example.com (REMOVED) 22.214.171.124 firstname.lastname@example.org (REMOVED) 126.96.36.199 email@example.com (REMOVED) 188.8.131.52 firstname.lastname@example.org (REMOVED)
Where to contact the compromised hosting ISP:
Abuse contact for '184.108.40.206 - 220.127.116.11' is 'email@example.com' Abuse contact for '18.104.22.168 - 22.214.171.124' is 'firstname.lastname@example.org' Abuse contact for '126.96.36.199 - 188.8.131.52' is 'email@example.com' Abuse contact for '184.108.40.206 - 220.127.116.11' is 'firstname.lastname@example.org' Abuse contact for '18.104.22.168 - 22.214.171.124' is 'email@example.com' Abuse contact for '126.96.36.199 - 188.8.131.52' is 'firstname.lastname@example.org' Abuse contact for '184.108.40.206 - 220.127.116.11' is 'email@example.com' Abuse contact for '18.104.22.168 - 22.214.171.124' is 'firstname.lastname@example.org' Abuse contact for '126.96.36.199 - 188.8.131.52' is 'email@example.com' Abuse contact for '184.108.40.206 - 220.127.116.11' is 'firstname.lastname@example.org' Abuse contact for '18.104.22.168 - 22.214.171.124' is 'email@example.com' Abuse contact for '126.96.36.199 - 188.8.131.52' is 'firstname.lastname@example.org' Abuse contact for '184.108.40.206 - 220.127.116.11' is 'email@example.com' 'netorn.ru' Abuse contact for '18.104.22.168 - 22.214.171.124' is 'firstname.lastname@example.org' Abuse contact for '126.96.36.199 - 188.8.131.52' is 'email@example.com' Abuse contact for '184.108.40.206 - 220.127.116.11' is 'firstname.lastname@example.org' Abuse contact for '18.104.22.168 - 22.214.171.124' is 'email@example.com' Abuse contact for '126.96.36.199 - 188.8.131.52' is 'firstname.lastname@example.org' Abuse contact for '184.108.40.206 - 220.127.116.11' is 'email@example.com firstname.lastname@example.org' Abuse contact for '18.104.22.168 - 22.214.171.124' is 'email@example.com' Abuse contact for '126.96.36.199 - 188.8.131.52' is 'firstname.lastname@example.org' Abuse contact for '184.108.40.206 - 220.127.116.11' is 'email@example.com' Abuse contact for '18.104.22.168 - 22.214.171.124' is 'firstname.lastname@example.org' Abuse contact for '126.96.36.199 - 188.8.131.52' is 'email@example.com' Abuse contact for '184.108.40.206 - 220.127.116.11' is 'firstname.lastname@example.org' Abuse contact for '18.104.22.168 - 22.214.171.124' is 'email@example.com' Abuse contact for '126.96.36.199 - 188.8.131.52' is 'firstname.lastname@example.org' Abuse contact for '184.108.40.206 - 220.127.116.11' is 'email@example.com' Abuse contact for '18.104.22.168 - 22.214.171.124' is 'firstname.lastname@example.org' Abuse contact for '126.96.36.199 - 188.8.131.52' is 'email@example.com' Abuse contact for '184.108.40.206/26' is 'syt.com web site' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'firstname.lastname@example.org'
Example - ServeByte
ServeByte Dedicated Servers, Ireland
agatheprudi.ru has address 22.214.171.124 ailaandrei.ru has address 126.96.36.199 aileedredi.ru has address 188.8.131.52 ailsunyetta.ru has address 184.108.40.206 angelinesteffi.ru has address 220.127.116.11 antoninazarla.ru has address 18.104.22.168 ardisjadara.ru has address 22.214.171.124
Example - SPD-MGTS
Moscow Local Telephone Network (OAO MGTS), Russia
onlinepharmshop.ru has address 126.96.36.199 purefamilymall.su has address 188.8.131.52 purepharmbargain.ru has address 184.108.40.206 purepharmmart.su has address 220.127.116.11 purepharmreward.su has address 18.104.22.168
Example - Digi Turunc
Digi Turunc, Istanbul - digiturunc.com
goodcarequality.com has address 22.214.171.124 goodcarequality.su has address 126.96.36.199 goodrxstore.su has address 188.8.131.52 healthiestmens.com has address 184.108.40.206 hotnaturaleshop.ru has address 220.127.116.11 laurainebrenda.com has address 18.104.22.168
stormibeverie.com has address 22.214.171.124 theherbalwebmart.su has address 126.96.36.199 theprivateinc.su has address 188.8.131.52 yourherbalgroup.su has address 184.108.40.206 yourpillprogram.su has address 220.127.116.11
healingrxassist.ru has address 18.104.22.168 herbalrxmart.ru has address 22.214.171.124 homefastelement.su has address 126.96.36.199 homefastmall.su has address 188.8.131.52 homefastservices.su has address 184.108.40.206
Operating Systems - October 2010
In October 2010, the same hijacking process was still in use. Sample operating systems detected were
- Apache/2.2.4 (Unix) PHP/5.2.1
- thttpd/2.25b 29dec2003
- WebNet Modulex Web Server (c) 1998-2004 IO Technologies A/S
- Apache/2.2.3 (CentOS)
- Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
- Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.1 with Suhosin-Patch
Notifying somebody about the intrusion
A typical example: vegasinternationalcasino.com. This is a scam that is redirected from a disposable domain.
xasisar.com 220.127.116.11 name servers: NS1.NERIEMLARIS.COM 18.104.22.168 NS2.HARTONGSHE.COM 22.214.171.124
Do a whois look-up of the IP addresses
You can try with dnsstuff.com, but it might not give the addresses. In most cases it is useful: put the IP address in the "IPWHOIS Lookup" field, and when you get the results, click the link to show the email addresses.
The following example uses the Unix commands.
gives no email address but a code TW184JP for [Technical Contact] - so use command:
whois -h whois.nic.ad.jp TW184JP
Let's go to 126.96.36.199 - relevant details from the whois output:
% [whois.apnic.net node-2] tech-c: TA114-AP
There are also other tech-c lines later but we'll see this is enough. Use command:
whois -h whois.apnic.net TA114-AP
And you'll get
tech-c: NOC18-AP tech-c: JL1059-AP tech-c: DL430-AP (and their addresses)
Actually in this case the NOC address was already in the first reply, but that isn't always enough. Also, usually you don't have to use a specific WHOIS server - for example:
but I used it here as a "worst case" example. In the case of TW184JP the server was absolutely necessary.
Send these people friendly messages that their customers should clean up the computer at that IP address immediately and make it more secure in the future, by changing administrator passwords. Sample messages follow for each type of hijack operation.
If you like, you can give them extra info:
- In the case of WWW, give them the domain address, because most spamversites don't work with raw IP. In many cases the spammers cycle "their" servers so fast that this info will be obsolete by the time your message is read, but it gives credibility anyway. For example:
- dig +trace kidbopcd.com
kidbopcd.com. 600 IN A 188.8.131.52
- in the case of name servers, add the DNS lookup that lead you to the IP, for example:
- dig +trace kidbopcd.com
kidbopcd.com. 172800 IN NS ns1.obtundert.com. kidbopcd.com. 172800 IN NS ns1.suffoccateter.com. kidbopcd.com. 172800 IN NS ns2.excentriccod.com. kidbopcd.com. 172800 IN NS ns2.terkclass.com.
- dig ns1.obtundert.com
ns1.obtundert.com. 172422 IN A 184.108.40.206
- and so on...
- in the case of image servers, paste from the main page source a link to a picture, for example:
Example of hijacking
This section describes hijacking of Linux machines.
On February 28th, 2007, one of Alex Polyakov's My Canadian Pharmacy web sites was running using these hijacks
|Name Server||Hijacked IP||Crime Sponsoring Registrar|
|ns1.perceivablenut.com||[220.127.116.11]||Beijing Innovative Linkage Technology|
|ns2.grisaillesag.com||[18.104.22.168]||Beijing Innovative Linkage Technology|
|ns2.transitstars.com||[22.214.171.124]||DSTR Acquisition (blackhole address)|
|Web Site IP||Image Server IP|
Two compromised machines are used as proxy name servers at [126.96.36.199] and [188.8.131.52]
Two compromised machines are used as proxy web server [184.108.40.206] and proxy image server [220.127.116.11]
In October/November 2007, the image server strategy changed. Instead of being spread over up to 5 image server IPs at a time, rotating 3 or 4 times a day, there was just one fixed address for all image serving:
18.104.22.168 running Server: Apache/2.2.3 (Fedora)
This IP address is at the top end of a range administered in Turkey
inetnum: 22.214.171.124 - 126.96.36.199 netname: AbdAllah_Internet descr: AbdAllah Internet Hizmetleri descr: Etnografya Muze mevkii Kirazlik Mh. No:32 Rize
The person responsible for that IP range is given as
person: Mahmod AbdAllah el Gashmi address: AbdAllah Internet Hizmetleri e-mail: email@example.com phone: +90 543 3767728
The complaints department is listed as
Routing and peering issues: firstname.lastname@example.org SPAM and Network security issues: email@example.com Customer support: firstname.lastname@example.org General information: email@example.com
Attempts to contact this ISP and their upstream provider, Turk Telecom have so far been fruitless. The contact details for Turk Telecom are listed as
role: TT Administrative Contact Role address: Turk Telekom address: Bilisim Aglari Dairesi address: Aydinlikevler address: 06103 ANKARA phone: +90 312 313 1950 fax-no: +90 312 313 1949 e-mail: firstname.lastname@example.org
Sample Hijacked Web Server alert message
Please read this message carefully. You are receiving this email because you are responsible for IP address xxx.xxx.xxx.xxx Your contact email address is listed at > whois xxx.xxx.xxx.xxx where xxx.xxx.xxx.xxx is the IP address The machine at this address has been hijacked, and an extra process called "uirqd" has been installed. This process is running many web sites as shown by the command ping example.com > Pinging example.com [xxx.xxx.xxx.xxx] with 32 bytes of data or by visiting http://example.com Action required 1. locate the machine at this IP address 2. change the root and any administrator passwords to make them more secure 3. shutdown the machine, and restart Alternatively, you can issue the commands to display the process id and kill it: ps wax | grep "irqd" kill <pid> [where <pid> is the process-id displayed by the ps command] If you are not the administrator, please forward this information to the administrator.
Thank you from the Pharmacy Alert Security Team
Sample Hijacked Image server alert message (Obsolete)
Please read this message carefully. You are receiving this email because you are responsible for IP address xxx.xxx.xxx.xxx Your email address is listed at https://ipinfo.io/xxx.xxx.xxx.xxx#block-abuse The machine at this address has been hijacked, and an extra process has been installed. This process is running many web sites as shown by these URLs: http://xxx.xxx.xxx.xxx:8080/images/mcp/pp_general.jpg http://xxx.xxx.xxx.xxx:8080/images/mcp/logo.jpg Action required 1. locate the machine at this IP address 2. change the root and any administrator passwords to make them more secure 3. shutdown the machine, and restart Alternatively, you can issue the commands to display the process id and kill it: ps wax | grep "tirqd" kill <pid> [where <pid> is the process-id displayed by the ps command] If you are not the administrator, please forward this information to the administrator. Thank you from the Pharmacy Alert Security Team
Sample Hijacked Name Server alert message
Please read this information carefully. It concerns a security breach on your computer On your IP address at xxx.xxx.xxx.xxx there is a trojan proxy name server installed, that is being used by a pharmacy spamming gang to provide access to illegal web sites. You can prove it with this link https://dnsquery.org/dnstraversal/fraudsitename/A >> ns1.dnsserver1.com [xxx.xxx.xxx.xxx] << your address >> ns2.serverdsn2.com [xxx.xxx.xxx.xxx] << your address DISCOVERY AND REMOVAL To discover the name of the trojan, you need to find the user process attached on udp port 53 (DNS) fuser -n udp 53 The response will contain the pid of the process, for example 1234 Use that process ID to find the name, for example using the Linux command ps wax | grep 1234 You will find it there. You can issue the "kill" command to terminate it. One possible name that is use by the hackers for the trojan is uirqd but it may vary. For a trojan to be installed, there is usually a trivial password used on the root or administrator account. It should be changed to a non-trivial password to avoid further break-ins, before deleting the trojan process. If you are not the administrator for this machine, please forward on these instructions. Thank you from The Pharmacy Alert Security Team
You can even follow up later: if those people are alert, or if the spammers change the IP for another reason, you can repeat this with the new IP.
Known hijacking operations
Operations that are known for persistent hijacking of name servers, web site servers and image servers are