[84077] in North American Network Operators' Group


FW: Need some help: IDEAS, Inc.

daemon@ATHENA.MIT.EDU (Marcus H. Sachs)
Sat Sep 3 11:04:03 2005

From: "Marcus H. Sachs" <marc@sachsfamily.net>
To: <nanog@merit.edu>
Cc: <handlers@sans.org>
Date: Sat, 3 Sep 2005 11:00:03 -0400
Errors-To: owner-nanog@merit.edu


One of our incident handlers at the SANS Internet Storm Center has been
trying to chase down the bogus Katrina assistance web sites.  Below is a
note of frustration he sent internally to us this morning.  I asked if I
could cross-post over to NANOG to see if any of you could assist.

Thanks in advance!

Marc


++++++++++++++++++++++++++++++++++++++++++++++++++++++
Marcus H. Sachs, P.E.          KJ4WA :   marc@sans.org
Director, SANS Internet Storm Center :    isc.sans.org
Washington D.C.  USA    (EDT, GMT-4) : +1 703 707 9293
++++++++++++++++++++++++++++++++++++++++++++++++++++++


-----Original Message-----
Sent: Saturday, September 03, 2005 9:32 AM
Subject: Need some help: IDEAS, Inc.


Morning all:

Last night, I pulled a new copy of the .com and .net zone files down and did
another grep for "katrina" domains.  Obviously, there are now more...

In the process of checking and cross-referencing, I found that our friends
"IDEAS, Inc" are a little more "involved" than we originally thought:


...and those are just the 18 I was able to find.

Right now, there are two weak points to this particular house of cards.

1) The first site listed, "http://www.hurricanekatrinarelief.com", is what
drives all of the others.  Each of the other sites loads the first one in
an IFRAME.  That makes it easy for the bastards to update them all.  This
site is hosted by Interland.  Their final word on shutting these scumballs
down until they could prove they were legitimate was:

"We have been advised by our legal department that the local authorities
should be contacted. The local authorities can submit a subpoena to our
legal department.  We will be glad to comply to such a request."

i.e. "We have no balls.  Go away".

2) All of the other sites are hosted at the IP address 206.251.184.10.
Immediate upstream is "datasync.net/.com" and they are located in (of
course...) Louisiana.  I've emailed them numerous times, and tried to call
("all circuits are busy..."), but they're probably running in lights-out
mode right now.

The IDEAS, Inc. scum MUST die, but I'm all out of ideas at this point... the
only other possibility that I can think of is to take them out at the DNS
level.  All of the "slave" sites at 206.251.184.10 use DirectNIC for their
DNS...  Anyone got sway with them?

Frankly, gang, I'm at my wits' end on this one...
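
The zone-file search and cross-referencing described in the message above, as an added example that is not part of the original post: it reads NS delegations from a zone-file excerpt, keeps the domains whose names contain a keyword, and groups them by nameserver set so that domains sharing one DNS provider stand out as a single escalation point. The zone excerpt, domain names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed excerpt in TLD zone-file style (owner names relative to $ORIGIN).
SAMPLE_ZONE = """\
$ORIGIN TEST.
; constructed sample data, not real registrations
KATRINAFUND-A NS NS1.DNSHOST-ONE.TEST.
KATRINAFUND-A NS NS2.DNSHOST-ONE.TEST.
KATRINAPHOTOS-B NS NS2.DNSHOST-ONE.TEST.
KATRINAPHOTOS-B NS NS1.DNSHOST-ONE.TEST.
WEATHERBLOG NS NS1.DNSHOST-ONE.TEST.
HELPKATRINA-C 172800 IN NS NS1.OTHERHOST.TEST.
NS1.KATRINA-GLUE A 192.0.2.10
"""

def keyword_delegations(zone_text, keyword):
    """Map each delegated domain whose name contains keyword to its NS set."""
    origin = ""
    found = defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        # Only NS delegations count; a plain grep would also match glue
        # A records such as NS1.KATRINA-GLUE above. TTL/class are optional.
        if len(fields) < 3 or fields[-2].upper() != "NS":
            continue
        owner = fields[0].lower()
        if owner.endswith("."):
            fqdn = owner.rstrip(".")              # already fully qualified
        else:
            fqdn = f"{owner}.{origin}" if origin else owner
        if keyword.lower() in fqdn:
            found[fqdn].add(fields[-1].rstrip(".").lower())
    return dict(found)

def cluster_by_nameservers(delegations):
    """Group domains by their exact nameserver set."""
    clusters = defaultdict(list)
    for domain, ns_set in delegations.items():
        clusters[frozenset(ns_set)].append(domain)
    return {ns: sorted(doms) for ns, doms in clusters.items()}

if __name__ == "__main__":
    hits = keyword_delegations(SAMPLE_ZONE, "katrina")
    for ns, doms in cluster_by_nameservers(hits).items():
        print(sorted(ns), "->", doms)
```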


