Another (The Same) Hacker Attack

The hacker was the same as last week.

Whois reports the following:

Domain Name: CDPUVBHFZZ.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.CHBDVRNFAG.COM
Name Server: NS2.CHBDVRNFAG.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 31-mar-2008
Creation Date: 31-mar-2008
Expiration Date: 31-mar-2009

>>> Last update of whois database: Sat, 12 Apr 2008 22:34:49 UTC <<<

Domain name: cdpuvbhfzz.com

Registrant Contact:
0
Mark Arnold arnold@google.com
+13.193387549 fax: +13.193387549
201 East Benton Street
Iowa City KY 522401
us

Administrative Contact:
Mark Arnold arnold@google.com
+13.193387549 fax: +13.193387549
201 East Benton Street
Iowa City KY 522401
us

Technical Contact:
Mark Arnold arnold@google.com
+13.193387549 fax: +13.193387549
201 East Benton Street
Iowa City KY 522401
us

Billing Contact:
Mark Arnold arnold@google.com
+13.193387549 fax: +13.193387549
201 East Benton Street
Iowa City KY 522401
us

DNS:
ns1.chbdvrnfag.com
ns2.chbdvrnfag.com

Created: 2008-03-31
Expires: 2009-03-31

Henry (a CC reader) has also done some investigating of his own and found the following:

IP address:
PING cdpuvbhfzz.com (85.255.121.195)

And here is an nmap run:

Interesting ports on 85.255.121.195:
Not shown: 1679 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
53/tcp open domain
57/tcp filtered priv-term
80/tcp open http
111/tcp filtered rpcbind
113/tcp open auth
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
515/tcp filtered printer
1720/tcp filtered H.323/Q.931
3306/tcp open mysql
17300/tcp filtered kuang2
27374/tcp filtered subseven
Device type: general purpose|WAP|specialized
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (90%), Siemens linux (86%),
Atmel Linux 2.6.X (86%)
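Two things are worth pulling out of that listing before reading anything into it. A port reported "open" actually answered nmap's probe, so something is listening there; a port reported "filtered" got no answer at all, which means a firewall or filter dropped the probe and nmap has no idea what, if anything, sits behind it. The SERVICE column is only nmap's name for that port number from its services table, not a fingerprint of the listening program (that needs a version scan), so a "filtered" row with a trojan's name on it says nothing about the trojan being present. The Python below is an added example, not Henry's code or anything from the original post: it parses nmap's normal output (the listing above, embedded as a constructed sample so it runs offline), separates the two states, and flags the open listeners that deserve a second look on a public web host. The watchlist and its wording are my own assumptions.

```python
import re

# Nmap normal output as quoted in the post (constructed sample: copied from the
# page so the script runs offline; nothing here was re-scanned).
NMAP_OUTPUT = """\
Interesting ports on 85.255.121.195:
Not shown: 1679 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
53/tcp open domain
57/tcp filtered priv-term
80/tcp open http
111/tcp filtered rpcbind
113/tcp open auth
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
515/tcp filtered printer
1720/tcp filtered H.323/Q.931
3306/tcp open mysql
17300/tcp filtered kuang2
27374/tcp filtered subseven
"""

PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+(\S+)"
)
NOT_SHOWN = re.compile(r"^Not shown:\s+(\d+)\s+(\S+)\s+ports")

# Assumed watchlist (my heuristics, not the page's): listeners that deserve a
# second look when they answer from the public Internet on a web host.
WATCHLIST = {
    21: "FTP: credentials cross the wire in cleartext",
    113: "ident: rarely needed; answers anyone who asks about local accounts",
    3306: "MySQL: a database listener reachable from the Internet",
}


def parse_nmap(text):
    """Return (rows, not_shown): rows is a list of (port, proto, state, service)
    tuples, not_shown is the count nmap folded into its 'Not shown' summary."""
    rows, not_shown = [], 0
    for line in text.splitlines():
        line = line.strip()
        m = PORT_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = NOT_SHOWN.match(line)
        if m:
            not_shown = int(m.group(1))
    return rows, not_shown


def triage(rows):
    """Separate ports that answered (open) from ports the network silently
    dropped (filtered). The service name on a filtered row is nmap's table
    lookup for the port number, not evidence that the service exists."""
    open_ports = {p: svc for p, _, s, svc in rows if s == "open"}
    filtered = sorted(p for p, _, s, _ in rows if s == "filtered")
    flags = {p: WATCHLIST[p] for p in open_ports if p in WATCHLIST}
    return {"open": open_ports, "filtered": filtered, "flags": flags}


def ports_scanned(rows, not_shown):
    """Listed ports plus the ones nmap summarised as 'Not shown'."""
    return len(rows) + not_shown


if __name__ == "__main__":
    rows, hidden = parse_nmap(NMAP_OUTPUT)
    result = triage(rows)
    print("ports scanned:", ports_scanned(rows, hidden))
    print("answered (open):", result["open"])
    print("dropped (filtered, service unknown):", result["filtered"])
    for port, why in result["flags"].items():
        print(f"  {port}: {why}")
```

Run against the listing above, the script reports six listeners that answered (ftp, ssh, domain, http, auth, mysql) and twelve dropped ports; the database listener on 3306 and the cleartext FTP service are the ones a host owner would want to explain or firewall, and 27374 lands in the "dropped, unknown" bucket.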

I placed a call to the listed number in New York and got a real estate answering machine. I left a message telling the gent that his system was marauding around the Internet infecting web sites.

See this reply for more information.

17 thoughts on “Another (The Same) Hacker Attack”

  1. Hello Dan:

    I’ve been trying to get to your site all day and noticed something was wrong. Chiriqui Chatter had the same appearance as when it was hacked the last time. My browser was being directed to cdpuvbhfzz.com.

    My system got infected and I had to restore it to a previous date to crush the malware. At least on two occasions my computer was working as if directed from a Master Computer—Denial of Service or Zombie. To prevent this from happening, I had to turn the computer off for several hours.

    Downloaded and installed Avast anti virus software and scanned my system, but found nothing. Tried Spybot and Adware without joy to find the elusive virus. The only thing that worked was MS Windows System Restore.

    I’ve been using the computer since 4:00 p.m. until now and everything seems normal; however I can’t say that the problem has been totally solved. This is the first time my system has been infected with a virus.

    I’m glad your site is up and running. I found out about it just now. The sixty thousand dollar question is how can we stop this person from doing further harm in the future? Can his site be reported to the FBI or FCC for a more thorough investigation? I feel very disgusted and impotent at this time.

    Regards,

    Omar.-

  2. Hi Omar. The information that I posted about the offending site is not, in my estimation, the culprit. It may very well be an innocent person who himself has had his account hijacked and turned into a malware distributor.

    If the creation information of the account above is correct, this is a new account. It was only opened at the end of March.

    The registering entity for this new account looks strange. It takes you to an Asian site. Henry’s information on the open ports also is interesting.

    If the owner of the site, from the information above, is correct and if the contact phone number is correct, then I have left a message for him to check with his provider about his being hacked. If he hasn’t been hacked, but is the culprit, then Google will spread my post around so others will have the information.

    Omar, I am sorry your PC got hit. Mine might have been wiped out too, if I hadn’t been running Linux. As soon as I recognized the problem, I took CC off line. However, when I brought up XP the last time to gather more information (not really a smart thing to do), Avast caught the problem and prevented damage.

    I have altered my password to WordPress. I will be checking with my webhost to see what else can be done to protect CC in the future.

  3. Don,
    I noticed that one of the entries was “27374/tcp filtered subseven.”
    Subseven is similar to Netbus or Back Orifice, a nasty Trojan. It runs silent and deep. Good luck to those who get this nasty on their Windoze machine.
    Kevin

  4. Sorry to hear of your woes, Don.

    It can be very frustrating. I had my Joomla website’s front page defaced 3 or 4 years ago by some Turkish fundamentalist nutters who went around finding easy, vulnerable Joomla-based sites to deface.

    I started setting up my first serious WordPress-based site in the last couple of weeks. Thus I am keen to understand more fully how the buggers are getting into your site.

    I installed a WordPress security plugin last week called WP Security Scan. It will check all your key directories to ensure the CHMOD settings are set securely, and it also says that the tables in your MySQL database should be changed away from the default wp prefixes. You probably know all this stuff anyway; just sharing it in case you didn’t.
    http://wordpress.org/extend/plugins/wp-security-scan/#post-4986

  5. Hi Don Ray,

    Since your most recent post is closed for comments, I want to add something very important here. This is YOUR website. It is one of the most comprehensive, professional, and respectable sites available about life in Panama. You are the boss! I can tell that you are worn down by the increasing demands of pushy people and hackers, but please don’t let it stop you from doing what you enjoy. I’ll be waiting patiently for your site to resume. In the meantime, take a well deserved break. You can’t please everyone, although you have been determined to try. If this website is your passion, and a wonderful passion it is, let those who want to control the content of your site find another blog to attack. Maybe a hiatus will get rid of those who don’t appreciate your incredible blog. I’m going to miss my daily fix of Chiriqui Chatter. Rest well!

  6. Don Ray, smell those daisies long and hard, and thanks many millions for what you’ve provided. You’re a high quality individual in a world that occasionally forgets to appreciate quality. We don’t seem to have the answers yet to online criminality and immorality, but we hope that the great blessing that the internet has become will not be destroyed by the total losers and other childlike individuals who need to have their lives better structured. God Bless!

  7. Dear Don Ray,
    Debbie & Frank have said it all for me, except I will keep you & yours in my prayers, thoughts & meditations. Please relax & enjoy. Thanks, Ellen

  8. Makes me wonder if the hacking is linked to some recent plugin that you installed and activated, Don. Maybe a plugin is causing the vulnerability.

  9. Living in the Boca Chica area of Panama we find Chiriqui Chatter a delight and an informative Website. Don’t let them get you down, keep up the good work.

  10. Not right.....this is your hobby.....you need to tell, and take pictures, and explain to others all that is happening here. So now, where is Don?.....hummmmm..... I think it takes more than one hacker to make you surrender.
    But maybe you are right in one thing. I don’t like people abusing you. People must know this is an informative web site; you are not the Panama information and tourism office. You can’t help all the world all the time. Maybe it is our mistake. We must share more information online, in replies.....or send a coute to you.

    No preguntes qué puede hacer Chiriquí Chatter por ti, sino qué puedes hacer tú por Chiriquí Chatter. (Don’t ask what Chiriqui Chatter can do for you, but what you can do for Chiriqui Chatter.)

    I know gringos have the correct translation for this sentence.....
    Don, smile
    David

  11. Well, I am a Boquetenyan, but here is the translation, a very nice example of parallelism. The original is written in history (JFK’s inaugural address).

    … ask, not what Chiriqui Chatter can do for you;
    ask what you can do for Chiriquí Chatter.

  12. Please do not call 319-338-7549

    Regarding Mr. Arnold,

    Hi.

    This entire situation is a difficult one for all.
    I have heard people are being exposed to viruses from a malicious site. That burns me up. However, the number is listed to a legitimate business that has nothing to do with the situation.

    I know, because the phone number and address are for Dick Davin Real Estate (my parents are the brokers), and Mr. Mark Arnold is NOT even employed at the number listed above. He was at one time, but is not now. I am also sure Mr. Mark Arnold does not know anything about the site being used the way it is. He was probably just picked as a name to use to register the domain name, unfortunately.

    Thank you for adding this note to your blog, if you would be so kind.

    John Davin

  13. I got quite different results when checking out CDPUVBHFZZ.COM

    To me it looks like the website might be in the Ukraine.

    First I found out the ip address:

    $ host cdpuvbhfzz.com
    cdpuvbhfzz.com has address 85.255.121.195
    cdpuvbhfzz.com mail is handled by 10 cdpuvbhfzz.com.

    Then using the ip address 85.255.121.195 I did the whois:

    $ whois 85.255.121.195
    % This is the RIPE Whois query server #3.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    % Note: This output has been filtered.
    % To receive output for a database update, use the “-B” flag.

    % Information related to ‘85.255.112.0 – 85.255.127.255’

    inetnum: 85.255.112.0 – 85.255.127.255
    netname: UkrTeleGroup
    descr: UkrTeleGroup Ltd.
    admin-c: UA481-RIPE
    tech-c: UA481-RIPE
    country: UA
    org: ORG-UL25-RIPE
    status: ASSIGNED PI
    mnt-by: RIPE-NCC-HM-PI-MNT
    mnt-lower: RIPE-NCC-HM-PI-MNT
    mnt-by: UKRTELE-MNT
    mnt-routes: UKRTELE-MNT
    mnt-domains: UKRTELE-MNT
    source: RIPE # Filtered

    organisation: ORG-UL25-RIPE
    org-name: UkrTeleGroup Ltd.
    org-type: LIR
    address: UkrTeleGroup Ltd.
    Mechnikova 58/5
    65029 Odessa
    Ukraine
    phone: +380487311011
    fax-no: +380487502499
    mnt-ref: UKRTELE-MNT
    mnt-ref: RIPE-NCC-HM-MNT
    mnt-by: RIPE-NCC-HM-MNT
    source: RIPE # Filtered

    person: Andrew Sotov
    address: Mechnikova 58/5 65029 Odessa
    abuse-mailbox: abuse@ukrtelegroup.com.ua
    phone: +380631508855
    nic-hdl: UA481-RIPE
    source: RIPE # Filtered
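Richard’s two lookups above (host to get the address, then whois on the address rather than the name) are the pattern that matters when the domain record looks fabricated: the registrant fields hold whatever was typed at registration time, while the RIR record for the address block is maintained by the network that actually holds the allocation, and that record carries the abuse mailbox. The Python below is an added example, not Richard’s code or anything from the original post. It parses the RIPE output quoted above (embedded as a constructed sample copied from the comment), checks that the queried address falls inside the returned inetnum range, follows the admin-c/tech-c handle to the person object and returns the abuse mailbox. Treating bare lines as continuations of the previous attribute is an assumption about how the organisation address was flattened on this page; a live RIPE query prefixes every address line with its own key, which the same parser handles.

```python
import ipaddress
import re

# RIPE whois output as quoted in the comment above (constructed sample copied
# from the page so the script runs offline without querying whois.ripe.net).
RIPE_WHOIS = """\
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '85.255.112.0 - 85.255.127.255'

inetnum: 85.255.112.0 - 85.255.127.255
netname: UkrTeleGroup
descr: UkrTeleGroup Ltd.
admin-c: UA481-RIPE
tech-c: UA481-RIPE
country: UA
org: ORG-UL25-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: UKRTELE-MNT
mnt-routes: UKRTELE-MNT
mnt-domains: UKRTELE-MNT
source: RIPE # Filtered

organisation: ORG-UL25-RIPE
org-name: UkrTeleGroup Ltd.
org-type: LIR
address: UkrTeleGroup Ltd.
Mechnikova 58/5
65029 Odessa
Ukraine
phone: +380487311011
fax-no: +380487502499
mnt-ref: UKRTELE-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

person: Andrew Sotov
address: Mechnikova 58/5 65029 Odessa
abuse-mailbox: abuse@ukrtelegroup.com.ua
phone: +380631508855
nic-hdl: UA481-RIPE
source: RIPE # Filtered
"""

# RPSL attribute: lowercase key, colon, value. Server comments start with '%'.
ATTR = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")


def parse_rpsl(text):
    """Split whois output into objects, each a list of (key, value) pairs.
    Objects are separated by blank lines; '%' lines are server chatter.
    A line without a 'key:' prefix is assumed to continue the previous value
    (how the organisation address appears on this page)."""
    objects, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("%"):
            continue
        if not line:
            if current:
                objects.append(current)
                current = []
            continue
        m = ATTR.match(line)
        if m:
            current.append((m.group(1), m.group(2)))
        elif current:
            key, value = current[-1]
            current[-1] = (key, value + "\n" + line)
    if current:
        objects.append(current)
    return objects


def values(obj, key):
    """All values for a (possibly repeated) attribute, in order."""
    return [v for k, v in obj if k == key]


def find_object(objects, kind):
    """First object whose leading attribute is `kind` (inetnum, person, ...)."""
    for obj in objects:
        if obj and obj[0][0] == kind:
            return obj
    return None


def resolve_abuse(objects, ip):
    """Return (inetnum, country, abuse mailboxes) for the block covering `ip`,
    or None if the returned inetnum does not actually contain the address."""
    addr = ipaddress.ip_address(ip)
    inet = find_object(objects, "inetnum")
    if inet is None:
        return None
    rng = values(inet, "inetnum")[0]
    lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
    if not (lo <= addr <= hi):
        return None
    handles = set(values(inet, "admin-c") + values(inet, "tech-c"))
    mailboxes = set()
    for obj in objects:
        if obj[0][0] in ("person", "role") and set(values(obj, "nic-hdl")) & handles:
            mailboxes.update(values(obj, "abuse-mailbox"))
    return rng, values(inet, "country")[0], sorted(mailboxes)


if __name__ == "__main__":
    objs = parse_rpsl(RIPE_WHOIS)
    print(resolve_abuse(objs, "85.255.121.195"))
```

The range check is not decorative: whois servers answer with the most specific object they hold, and a sloppy report that names the wrong block goes to the wrong desk. A report to the mailbox this returns should carry the domain, the address, the UTC date and time of the observation (the page’s own whois timestamp is in UTC for the same reason) and what was seen, since the network operator cannot act on a bare domain name.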

  14. Hi Richard,

    You are correct. The key is to follow the IP address, and it indeed heads toward the Ukraine. All emails should go to the abuse email address. I doubt it will do any good, but I have sent off a couple.
