Dark Christianity
dark_christian

May 2008

"Warriors for Innocence": Hosting info, more research

As noted previously, most of the domains associated with Warriors For Innocence were registered through anonymising registration companies; however, we still have ways of finding where the domains "live", so to speak (namely, via traceroute and reverse DNS).

So, I break out my trusty little tool "Sam Spade" to do research on the potentially malware-infected site (yay raw HTML) and to do some testing on the hosts.

Warriorsforinnocence.com traceroutes to 68.178.232.100, which reverse-resolves to parkwebwin-v01.prod.mesa1.secureserver.net; secureserver.net's whois info is:

Administrative Contact:

Wild West Domains, Inc., Wild West Domains, Inc. dns@jomax.net
Wild West Domains, Inc.
14455 N Hayden Rd #219
Scottsdale, Arizona 85260
United States
4806242500 Fax -- 4805058844

Technical Contact:

Wild West Domains, Inc., Wild West Domains, Inc. dns@jomax.net
Wild West Domains, Inc.
14455 N Hayden Rd #219
Scottsdale, Arizona 85260
United States
4806242500 Fax -- 4805058844

Secureserver.net largely operates as an MLM-ish reseller for GoDaddy.com (which is a domain registry that also does domain hosting).

Texasfred.net resolves to 72.22.71.57, which reverse-resolves to st98.startlogic.com. Startlogic.com's whois info:

Administrative Contact:

Startlogic
Webmaster StartLogic
919 E. Jefferson St, Suite 100
phoenix, AZ 85034
US
Phone: 800-725-8064
Email: hostmaster@startlogic.com

Technical Contact:

Startlogic
Webmaster StartLogic
919 E. Jefferson St, Suite 100
phoenix, AZ 85034
US
Phone: 800-725-8064
Email: hostmaster@startlogic.com
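
The lookup chain used above (domain to IP, IP back to a PTR name, PTR name to the hosting provider's domain that gets whois'd), as an added example script that is not part of the original post; it uses a forward DNS lookup in place of the traceroute's final hop, and the sample tables are the two resolutions quoted in the post so that it also runs offline.

```python
import socket
from typing import Callable, Optional

# Sample tables copied from the post's own results (used for an offline run);
# the live_* functions below query real DNS instead.
SAMPLE_FORWARD = {
    "warriorsforinnocence.com": "68.178.232.100",
    "texasfred.net": "72.22.71.57",
}
SAMPLE_REVERSE = {
    "68.178.232.100": "parkwebwin-v01.prod.mesa1.secureserver.net",
    "72.22.71.57": "st98.startlogic.com",
}

Resolver = Callable[[str], Optional[str]]


def live_forward(name: str) -> Optional[str]:
    """Forward DNS: hostname -> IPv4 address (None if it does not resolve)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    """Reverse DNS: IPv4 address -> PTR name (None if no PTR record)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def hosting_domain(ptr: str) -> str:
    """Registrable domain of the hosting provider, taken as the PTR's last two
    labels. Adequate for .com/.net hosts like those in the post; hosts under
    country-code second-level domains (e.g. .co.uk) would need a suffix list."""
    return ".".join(ptr.rstrip(".").split(".")[-2:])


def locate_host(domain: str, forward: Resolver = live_forward,
                reverse: Resolver = live_reverse) -> dict:
    """Domain -> IP -> PTR -> hosting provider, with None where a step fails."""
    ip = forward(domain)
    ptr = reverse(ip) if ip else None
    provider = hosting_domain(ptr) if ptr else None
    return {"domain": domain, "ip": ip, "ptr": ptr, "host_provider": provider}
```

Note that the whois you run at the end is on the hosting provider's domain (secureserver.net, startlogic.com), so what it tells you is who hosts the site, not who operates it.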
In investigating the page itself (via Sam Spade's own raw text browser, so there is no possibility of picking up cookies or malware, or in fact of being tracked at all other than by dynamic IP address), we find that the first attempt always results in a redirect (presumably where it tries to make one eat a cookie); following the redirect, we're in.

It also appears that warriorsforinnocence.com *may* have gotten nuked by their hosting company (the redirect I am receiving at present is to the standard GoDaddy "this domain is parked here" message).
