Polyamory and crime on the Internet

Note: Followups to this entry at http://tacit.livejournal.com/238112.html (part 1) and http://tacit.livejournal.com/240750.html (part 2)

UPDATED 13-December-07 10:50 EST Updates indicated in text
UPDATED2 14-December-07 1:05 PM EST Updates indicated in text
UPDATED3 14-December-07 2:00 PM EST Updates indicated in text
UPDATED4 02-January-08 2:44 PM EST Updates indicated in text

So I recently decided, like many folks do, to Google my name. I do this periodically, because it’s always fun to see how many sites are linking to me (and I’m in the process of building a list of non-English mirrors of my polyamory site — it’s been translated into Polish, Hebrew, German, and a bunch of other languages, which is cool).

And in the process, I think I’ve discovered what might be one of the largest-scale cases of Web site hacking and virus distribution I’ve ever heard of.

A little background is in order. If you’ve used Google for any length of time, you probably know that when you Google popular keywords you’ll often run into “spam pages.” These are pages that are just stuffed full of keywords at random; in the Google search results, they will have titles like “tribadism fight scenes, free tribadism porn video Britney Spears, make money fast terrorism Iran big cock” and have excerpts that look like “she shoved it in and bridal hosiery wedding cake viagra fetish smurf Bible amateur transvestite video free vacation europe nymphomaniac ipod”. These are spam pages; they are filled with hundreds of keywords, and if you click on them, you will be redirected to the spammer’s site. They exist just to intercept popular Google searches and direct traffic wherever the spammers want it.

They are also popular with virus writers. Virus writers will create thousands of fake Web pages filled with popular keywords, then use those Web pages to redirect visitors to servers that will attempt to automatically download viruses onto the computer of anyone running Windows who’s unwary enough to click on them.

Okay, so.

Yesterday, I did a keyword search for my name. Normally, I get about nine pages of results; but yesterday, I got 56 pages of results, over 200 in all.

Most of these pages look like this:

The polyamory news franklin veaux mitt was rigid enough to prevent me from either closing them too hard or opening polyfamilies polyamory for the practical them too far. She raised my left hand and fastened it in a similar polyamory weekly podcast manner, into a similar latex mitten.society for human sexuality polyamory info “I just wondered. You were standing there with a dazed polyamory open wedding vows look on your face playing with that cucumber and I thought something might world polyamory association presentations and workshops franklin veaux. Once inside, he polyamory san diego quickly stripped off his apron and polyamory cape coral unfastened his belt and pants. It was nearly as big as Mark’s, and open relationships polyamory that pleased her. Quickly unbuttoning her blouse to reveal her tits. page personal poly polyamory web He gently squeezed them, making her moan deep in her throat.


UPDATED3: I’ve looked at some of the random text on these pages, and it’s not really random at all–it’s a short porn story with random keywords seeded throughout it. It contains a number of statistically improbable phrases. One of these is “Ashley had always wanted to go there”–doing a Google search for that exact phrase results in 13,800 hits–nearly every single one of which is a spam redirector.


You get the idea. “Oh, well, this is interesting,” thought I, “polyamory, and my name, have become popular enough Google web searches that the spammers are including them in spam pages now.”

I clicked on some of these result links, curious to see who the spammer was and what site he was trying to direct traffic to.

And that’s when things started to get weird. What I found was a very large, highly organized campaign to direct Web traffic to servers hosted in Eastern Europe that would infect visitors with a computer virus, all orchestrated by a single person or group of people and all being done by what appears to be a massive breach of hundreds and hundreds of hacked Web sites, all hosted by the same ISP–the largest single Web site security breach I’ve heard of.

If you want to keep going down the rabbit hole:

CAUTION * CAUTION * CAUTION The spam URLs given in this post redirect to virus droppers. If you are on a Windows machine using a normal Web browser, DO NOT click on these links. A text-based browser is safe to use, and the viruses affect only Windows machines and so will not hurt Mac or Linux systems.

The first Web site I found that contained one of these spam pages is on page 19 of the Google results for the search term “franklin veaux” (with quotes). It’s on a site called patkolstad.org; the URL of the spammer redirect page is

http://patkolstad.org/images/ipmtt/har/ad/5/polyamory.html

The Web site at patkolstad.org belongs to a man named Pat Kolstad, who is one of the city councilmen in Santa Clara, CA. Not, in other words, a likely spammer interested in directing people to virus droppers in Eastern Europe. Clearly, his Web server has been hacked, and the redirectors have been placed on his server without his knowledge. I did a whois lookup on his domain name to see who his Web host is. He is hosted by ipowerweb, a cut-rate Web hosting company that advertises “Hosting over 700,000 Web sites!”

The next Web site I found that contains one of these spam pages is a place called u4info.net. It’s a Chinese-language forum of some sort. The spam page is at

http://u4info.net/study/templates/subSilver/images/lang_english/nucrz/har/ad/5/polyamory.html

It looks like what happened here is pretty straightforward; the forum software has a security vulnerability, and the hackers used it to drop spam redirection pages into the forum template directory, right? Anyway, I did a whois on this site, and found that it is also hosted by ipowerweb. Interesting coincidence, I thought.

Next on the list is axlemike.com. It’s a Web site for a business in Mesa, Arizona that recycles and rebuilds axles for trucks. The hacker apparently penetrated this site’s security and placed a redirector at

http://axlemike.com/Catalog/image/Index2/wclyn/har/ad/1/polyamory.html

that goes to the same virus dropper. I looked up this site’s hosting information; it’s hosted at ipowerweb.com.

Okay, two is coincidence; three is starting to look like a trend.

I started skipping around, looking up the whois information for Web sites that contained obvious spam pages in the search.

indielegaldocs.com? Hosted by ipowerweb. theannuityvault.com? Hosted by ipowerweb. cntmicrosystems.com? Hosted by ipowerweb. sixgunband.com? Hosted by ipowerweb.

Every one of these Web sites, and hundreds and hundreds more, has been hacked. In every case, the hacker has placed pages filled with keywords related to polyamory, that redirect to virus droppers. And every one of them is hosted by the same Web hosting firm: ipowerweb.

I kept going. maggerific.com. footloosecanada.com. osynergyc.com. culpeperchristianschool.com. peoplethought.com. ansacnet.com. All hosted by ipowerweb. In fact, I kept this up for over an hour, checking hundreds of domains that had been hacked and had these redirector pages installed on them. ALL of them reside on servers owned by ipowerweb.com.

In other words, it appears that someone has figured out how to penetrate Web sites hosted by this hosting company at will, and has all at once placed Web pages on all of them which intercept popular Google keyword searches and redirect them to virus droppers.

ipowerweb boasts that it hosts over 700,000 Web sites. Think about that for a minute.

UPDATE: Apparently, this is nothing new. It seems ipowerweb.com is notorious across the Internet for their poor security, and sites hosted on ipowerweb.com can be hacked at will. This blog post claims that ipowerweb has known about their security issues for quite some time, and that the anti-malware organization Stop Badware reports that one out of every five compromised virus-dropping Web sites is hosted by ipowerweb.


I dropped an email to the abuse team at ipowerweb.com, letting them know that I had found a number of Web sites they were hosting had been compromised, and contained Web pages that redirected visitors to sites that tried to install viruses on their systems. I gave them a list of some of the URLs of the redirectors, and told them there were hundreds, if not thousands, more, and that they seemed to have a massive security breach on a huge scale.

Today, I got an email back that said “I have checked the web site (domain name) and noticed that there is no virus redirector files located at (redirector URL) . Please get back to us with link where exactly no virus redirector files are located so that we can take necessary action against this web site.”

Well, hmm, that’s odd, I thought, they were there yesterday.

I clicked on the links in the email that I’d sent, and sure enough, all of them showed 404: File Not Found errors. “Now that’s damn odd,” I thought.

I went back and repeated the Google search. The same compromised servers came up. I clicked on the links in Google and found myself redirected to the virus droppers.

I clicked on the links in the email and found myself staring at a 404 File Not Found error.

I clicked on the links in Google and found myself at a virus dropper.

A light bulb went on. “Aha!” I thought. “I bet these redirectors hide themselves! If you visit one of these pages from Google, it’ll redirect you; but if not, it won’t!”

A little background is necessary for anyone who does not understand how the Web works. If you are on a Web site, and you click on a link to another site, your browser will tell the site you clicked on where you came from. For example, if you are reading my LiveJournal, and you click on a link to my SymToys site, your browser will tell my Symtoys site “I came from tacit.livejournal.com”.

This is called a “referer.” Your browser will tell any link you clicked on who the referer was–that is, where you clicked on the link.

My theory was that if the referer to one of these spam pages was set to anything but “google.com” the page would redirect to a 404 error; otherwise, it would redirect to the virus dropper.

To test this, I used a program called wget. This is a nifty little program that’s sometimes used to troubleshoot malfunctioning Web servers. If you type “wget www.symtoys.com” on a command line, it will show you step by step every bit of communication between your computer and the symtoys.com server; that is, you’ll be able to see the exact commands that a Web browser would send to www.symtoys.com, and the exact responses the server would send back.

You can tell wget to pretend to be just about any browser, and you can tell wget to pretend to have any referer you want. I picked one of the URLs of one of these redirectors, namely:

http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html

Then I typed the command “wget http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html” This is what I saw:

wget http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
--16:21:32-- http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
=> `polyamory.html'
Resolving mdhardyinc.com... done.
Connecting to mdhardyinc.com[66.235.203.135]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /404 [following]
--16:21:34-- http://mdhardyinc.com/404
=> `404'
Connecting to mdhardyinc.com[66.235.203.135]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
16:21:35 ERROR 404: Not Found.

It got a “file not found” error. Then I used the same command, only this time I instructed wget to pretend that it had come from a link on Google:

wget --referer=http://www.google.com http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
--16:19:40-- http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
=> `polyamory.html'
Resolving mdhardyinc.com... done.
Connecting to mdhardyinc.com[66.235.203.135]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://traffloader.info/go.php?s=mdhardyinc.com&ver=6 [following]
--16:19:41-- http://traffloader.info/go.php?s=mdhardyinc.com&ver=6
=> `go.php?s=mdhardyinc.com&ver=6'
Resolving traffloader.info... done.
Connecting to traffloader.info[87.248.180.67]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.clipsfestival.com/movie1.php?id=4161&n=teen&bgcolor=000000 [following]
--16:19:43-- http://www.clipsfestival.com/movie1.php?id=4161&n=teen&bgcolor=000000
=> `movie1.php?id=4161&n=teen&bgcolor=000000'
Resolving www.clipsfestival.com... done.
Connecting to www.clipsfestival.com[82.208.18.109]:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://powerof3x.com/m2/movie1.php?id=4161&n=teen&bgcolor=000000 [following]
--16:19:45-- http://powerof3x.com/m2/movie1.php?id=4161&n=teen&bgcolor=000000
=> `movie1.php?id=4161&n=teen&bgcolor=000000'
Resolving powerof3x.com... done.
Connecting to powerof3x.com[85.255.118.156]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.3xpowered.com/m4/index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg [following]
--16:19:47-- http://www.3xpowered.com/m4/index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg
=> `index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg'
Resolving www.3xpowered.com... done.
Connecting to www.3xpowered.com[85.255.115.180]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 32,811 5.17K/s

16:20:03 (5.17 KB/s) - `index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg' saved [32811]

Look at that!

Here is what is happening:

You go to one of these spam pages. If you came from anywhere but Google, you see a 404 file not found error. However, if you came from Google:

It sends you off to a Web site called “traffloader.info”. Traffloader.info is a Web site hosted in the country of Moldova, a tiny Eastern European country that used to be part of the Soviet Union.

The traffloader.info Web site then picks one of three other Web sites at random, and redirects to that Web site. In this case, it randomly picked www.clipsfestival.com. Clipsfestival.com is a Web site in the Czech Republic, also in Eastern Europe.

Clipsfestival.com redirects to powerof3x.com. The server powerof3x.com is registered in the Ukraine, in Eastern Europe. It redirects to www.3xpowered.com, also registered in the Ukraine.

3xpowered.com is the virus dropper. When you go here, your computer will attempt to download an .exe file, which will, if downloaded and executed, infect your computer.
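
The comparison described above can be automated by parsing two saved wget transcripts of the same URL, one fetched directly and one fetched with a Google referer. This is an added example, not part of the original post; the hostnames under .example and both transcripts are constructed, and the function names are illustrative.

```python
import re
from urllib.parse import urljoin, urlsplit

# wget prints one "--<timestamp>--  <url>" line for every request it makes.
REQUEST = re.compile(r"^--.*?--\s+(\S+)\s*$")
STATUS = re.compile(r"awaiting response\.\.\. (\d{3})")
LOCATION = re.compile(r"^Location: (.+?)(?: \[following\])?\s*$")

# Constructed transcripts (not captured from a real server), in wget's format.
DIRECT = """\
--16:21:32--  http://hacked-site.example/img/abcde/polyamory.html
           => `polyamory.html'
Resolving hacked-site.example... done.
Connecting to hacked-site.example[192.0.2.10]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /404 [following]
--16:21:34--  http://hacked-site.example/404
           => `404'
Connecting to hacked-site.example[192.0.2.10]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
16:21:35 ERROR 404: Not Found.
"""

REFERRED = """\
--16:19:40--  http://hacked-site.example/img/abcde/polyamory.html
HTTP request sent, awaiting response... 302 Found
Location: http://traffic-broker.example/go.php?s=hacked-site.example [following]
--16:19:41--  http://traffic-broker.example/go.php?s=hacked-site.example
HTTP request sent, awaiting response... 302 Found
Location: http://landing.example/m/index.php?id=1 [following]
--16:19:43--  http://landing.example/m/index.php?id=1
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
"""


def parse_chain(transcript):
    """Turn a wget transcript into a list of hops: url, status, location."""
    hops = []
    for raw in transcript.splitlines():
        line = raw.strip()
        m = REQUEST.match(line)
        if m:
            hops.append({"url": m.group(1), "status": None, "location": None})
            continue
        if not hops:
            continue  # ignore anything before the first request line
        m = STATUS.search(line)
        if m:
            hops[-1]["status"] = int(m.group(1))
            continue
        m = LOCATION.match(line)
        if m:
            # Resolve relative targets such as "/404" against the requesting URL.
            hops[-1]["location"] = urljoin(hops[-1]["url"], m.group(1))
    return hops


def host(url):
    return (urlsplit(url).hostname or "").lower()


def compare(direct, referred):
    """Compare a direct fetch with a search-engine-referred fetch of one URL."""
    d, r = parse_chain(direct), parse_chain(referred)
    if not d or not r:
        raise ValueError("transcript contains no requests")
    if d[0]["url"] != r[0]["url"]:
        raise ValueError("transcripts are for different URLs")
    origin = host(d[0]["url"])
    offsite = []
    for hop in r:
        h = host(hop["url"])
        if h != origin and h not in offsite:
            offsite.append(h)
    d_final = (d[-1]["url"], d[-1]["status"])
    r_final = (r[-1]["url"], r[-1]["status"])
    # Cloaking signal: the origin server's own first answer depends on Referer.
    first_differs = (d[0]["status"], d[0]["location"]) != (
        r[0]["status"], r[0]["location"])
    return {
        "cloaked": first_differs,
        "hides_as_404": d_final[1] == 404 and r_final[1] != 404,
        "offsite_hosts": offsite,  # every other host the referred visit touched
        "direct_final": d_final,
        "referred_final": r_final,
    }


if __name__ == "__main__":
    for key, value in compare(DIRECT, REFERRED).items():
        print(f"{key}: {value}")
```

A positive result only shows that the server answers differently depending on the Referer header; as one of the comments below points out, a redirector can also key on user-agent or IP range, so identical answers do not prove a page is clean.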


UPDATED2: A representative from ipowerweb has posted a reply in the comments saying that ipowerweb is actively working to clean up the problem, and working with Google to flag the redirectors in Google search results. However, new entries are appearing in Google search results this afternoon, from additional compromised ipowerweb sites.

These new entries work the same way, but redirect through a different chain of servers to a different virus dropper. An example of one of the new redirectors is at

http://www.nundachamber.com/img/…/qq33/02/polyamory.html

It redirects through a different set of Eastern European servers to a different virus dropper as follows:

wget --referer=http://www.google.com http://www.nundachamber.com/img/…/qq33/02/polyamory.html
--12:54:09-- http://www.nundachamber.com/img/…/qq33/02/polyamory.html
=> `polyamory.html'
Resolving www.nundachamber.com... done.
Connecting to www.nundachamber.com[66.235.211.83]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://xerxer.net/go.php?s=nundachamber.com_qq33 [following]
--12:54:09-- http://xerxer.net/go.php?s=nundachamber.com_qq33
=> `go.php?s=nundachamber.com_qq33'
Resolving xerxer.net... done.
Connecting to xerxer.net[87.248.180.88]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://shockbabetv.com/l/coloraz/id/3912960/black/white/ / [following]
--12:54:09-- http://shockbabetv.com/l/coloraz/id/3912960/black/white/%20/
=> `index.html.1'
Resolving shockbabetv.com... done.
Connecting to shockbabetv.com[85.255.119.93]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 9,896 2.36M/s


So, to recap: A huge number of Web sites, all hosted by a company called ipowerweb, have recently been hacked all at once. The hacked Web sites have all had new files placed on them which contain thousands of common Google keywords, including my name. When someone visits one of these pages from Google, he gets passed from the hacked Web site through a chain of Web sites in Eastern Europe, and finally ends up on a server that attempts to install a virus.

But who is 3xpowered.com? Surely, there must be some information about the owner of this Web site, right?

Well, no.

UPDATE: I have received a reply from privacyprotect.org; they have stripped the private registration from the virus site. The old and new information is shown below.

OLD information:

whois 3xpowered.com

Domain Name: 3XPOWERED.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.3XPOWERED.COM
Name Server: NS2.3XPOWERED.COM
Status: clientTransferProhibited
Updated Date: 22-nov-2007
Creation Date: 22-nov-2007
Expiration Date: 22-nov-2008

>>> Last update of whois database: Wed, 12 Dec 2007 23:07:34 UTC <<<

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: 3XPOWERED.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 22-Nov-2007
Expiration Date: 22-Nov-2008

Domain servers in listed order:
ns2.3xpowered.com
ns1.3xpowered.com

Administrative Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Technical Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Billing Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Status:ACTIVE

CURRENT information:

whois 3xpowered.com

Domain Name: 3XPOWERED.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.3XPOWERED.COM
Name Server: NS2.3XPOWERED.COM
Status: clientTransferProhibited
Updated Date: 22-nov-2007
Creation Date: 22-nov-2007
Expiration Date: 22-nov-2008

>>> Last update of whois database: Thu, 13 Dec 2007 15:45:23 UTC <<<

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: 3XPOWERED.COM

Registrant:
n/a
Nikolay Fedorov (nik@getxxxphotos.com)
Chapligina ul 4
Novosibirsk
null,630099
RU
Tel. +7.3832235851

Creation Date: 22-Nov-2007
Expiration Date: 22-Nov-2008

Domain servers in listed order:
ns2.3xpowered.com
ns1.3xpowered.com

Administrative Contact:
n/a
Nikolay Fedorov (nik@getxxxphotos.com)
Chapligina ul 4
Novosibirsk
null,630099
RU
Tel. +7.3832235851

Technical Contact:
n/a
Nikolay Fedorov (nik@getxxxphotos.com)
Chapligina ul 4
Novosibirsk
null,630099
RU
Tel. +7.3832235851

Billing Contact:
n/a
Nikolay Fedorov (nik@getxxxphotos.com)
Chapligina ul 4
Novosibirsk
null,630099
RU
Tel. +7.3832235851

Status:ACTIVE

The information about the person who registered this domain is hidden by a privacy protection organization. These organizations–and there are many–register domains on behalf of others, and then place their own information in the whois. They exist because the owner of a domain is required to be listed in the whois database, but many people don’t like revealing that they own a particular Web site. There may be legitimate reasons for this, but it’s popular with spammers and criminals, too.


UPDATE2: The new virus dropper being used in the newest wave of attacks is shockbabetv.com. Unsurprisingly, its whois is also protected by privacyprotect.org:

whois shockbabetv.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: SHOCKBABETV.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.SHOCKBABETV.COM
Name Server: NS2.SHOCKBABETV.COM
Status: clientTransferProhibited
Updated Date: 12-dec-2007
Creation Date: 12-dec-2007
Expiration Date: 12-dec-2008

>>> Last update of whois database: Fri, 14 Dec 2007 18:10:05 UTC <<<

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: SHOCKBABETV.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676


The domain that drops viruses is very new–less than a month old. I’d be willing to bet that all the hacked Web sites have been hacked for less than a month, too. I did a simple search for “polyamory” confined to one of the hacked Web sites, mdhardyinc.com, and got 125 hits. So not only have the hackers penetrated hundreds or thousands of Web sites, but each hacked site has hundreds of redirector pages on it.

My conclusion: the Web hosting company ipowerweb.com has been victimized by a security breach on a scale that’s hard to imagine. Eastern European criminals have hacked a huge number of ipowerweb customers, and are using them to catch Google searches for popular search terms, including search terms about polyamory, and redirect them to virus droppers while simultaneously hiding them from anyone not coming in from Google.

The things you can learn by Googling your name.

Any sysadmins or abuse people out there know what I should do with this information? Who should I report it to?


UPDATED4 Incredibly, the attacks on iPowerWeb documented above are still ongoing, nearly three weeks after iPower was first notified of the problem! I have identified several hundred more compromised Web sites which are as of this writing still redirecting to the same virus droppers. Also incredibly, the same virus droppers are still active on the same servers. Some of the compromised iPower Web site URLs that are still active include:

and hundreds more. As before, going to any of these links directly produces a 404 error; going to these links with the browser referrer set to “google.com” causes redirection to the traffloader.info site, which then further redirects to a virus dropper hosted at 3xfestival.com or scanner.spyshredderscanner.com.

230 thoughts on “Polyamory and crime on the Internet”

  1. Wow. Crazy.

    My first guess is to go first back to the hosting company with the new info so that they can fix their systems and second to Google. The latter might want to see if their searchgoons can come up with a way to protect their database against this type of spam in the future.

    Beyond that, though, I’m not sure.

    • The hosting company doesn’t care. Unless it costs them hundreds of thousands of customers, they aren’t going to care. Security costs money; when you pay someone $2/month (for example), what do you expect to get?

      Google would be a good route except there’s almost nothing they can do about it. Do you expect them to virus scan the entire Internet?

      • Apparently ipowerweb do care. And while I certainly don’t expect Google to check for malware, they can and do update their algorithm to minimize the impact of spam and of software that targets their systems to unrealistically inflate search results.

        I know cynical apathy-projection is pretty popular these days, but as cool as it may look, it’s not always a safe bet.

        • There’s a difference between looking like you care and actually caring. If they really cared about the security of their systems and their customers, they wouldn’t be in messes like this every time they turn around. So, which is worse… they really don’t care — at least not enough to put resources on fixing the issues that lead to such problems in the first place — or they’re laughably incompetent? Their response sounds way too much like something from a marketing/PR person. I’ll believe it when they’ve actually cleaned up their act.

      • Google’s becoming a lot more proactive about flagging malware sites with search result notifications that say “This site may damage your computer,” but as near as I can tell they need user feedback in order to do so.

        • Unfortunately, these sorts of things can move faster than the mighty Google can follow. As you’ve seen, they’re already doing referer checks. It’s not much of a stretch to add user-agent and/or ip range checks as well. So, if you are Google (or a googlebot), you get something that’s not malware. That means Google’s automatic processing won’t be able to catch it. At best they could be suspicious of the page based on the number of redirects, url manipulation patterns, network neighborhoods it’s been redirected through and ultimately served by, etc. But it would only be “suspect”; those things don’t add up to a smoking gun. (It adds up to high legal liability actually. As an ISP, you wouldn’t be very happy knowing Google has you tagged as “trashy”.)

  3. digging a little

    The payload program that they try to get you to download is some sort of a trojan, with an installer made with the NullSoft windows installer kit.

    Running strings on the binary shows a lot of function calls to hook into various security related windows DLLs.

    The MD5 sum of the binary is 14c9e76c2df1fac2820f5d56f426d06b, which does not yield any hits on Google. So I guess you have found something new!

    It does seem like the binary has additional payload that is packed up (compressed) and obfuscated in some way. I was able to uncompress a piece of it, but it didn’t have much that was interesting.

    But it may be a lot like this Trojan:

    http://www.offensivecomputing.net/?q=node/370

    and may even be from the same Trojan generator kit. I don’t know, I am not really an expert in these things.

    here is a sample of the sort of system calls, etc:

    SHAutoComplete
    SHLWAPI
    GetUserDefaultUILanguage
    AdjustTokenPrivileges
    LookupPrivilegeValueA
    OpenProcessToken
    RegDeleteKeyExA
    ADVAPI32
    MoveFileExA
    GetDiskFreeSpaceExA
    KERNEL32

  5. Franklin…you have stumbled onto some things that we in the information security industry have been harping on for some time. I work for a company that does primary research in bot and computer security. You have done a pretty good job of summarizing just one of many techniques used by organized crime to take over computers. The best place to start is with the ISP upstream from the infected company and the sysadmins of the infected machines themselves. Quite frankly, many sysadmins ignore many of these requests due to the overwhelming time issues. There are several industry “ISACS” that will share this information across industry lines. You may also want to pursue one of those entities. Finally, there is the local FBI HTCIA and InfraGard chapters. I would be happy to share those if interested.

    Mark

  7. There are several techniques used to accomplish this through searches…one is through DNS harvesting…a recent white paper was published out of Ga Tech regarding some of these techniques. There are several other ways that searches and traffic are directed to illegitimate sites.

  8. Re: Apparently they do:

    If you track most of the malicious networks like I do…you will find that MOST use the anonymity of privacyprotect.org to hide behind. Look closer and you will find some suspicious owners…

  10. Re: Apparently they do:

    My opinion is that it would be thrown into /dev/null! However, they do have regulatory agencies knocking at the door. They may do something. Very hard to say.

  11. Wow, that’s quite a scheme! I am guessing that unless you personally know someone honest at ipowerweb, you’re not going to get good answers unless there’s a letter that comes from a lawyer. But that’s just a guess.

    The FBI might be a good one to call.

    I’m guessing Google is likely to be more productive. If I happen across someone who could help with this, mind if I reference this page?

  13. I skipped the highly technical stuff, mainly for lack of time, but it seems to me I’d be fine surfing on a Windows box with Firefox and NoScript… Why do people have to use insecure browsers?
    …and can we make a rug out of these people’s hides? (the spammers/virus-writers, not the IE users)

  15. I could be wrong, but as of 4 years ago Ipowerweb did not own its own data center. And if this is still true you can do a reverse DNS lookup on the server IPs and report it to the data center.

    My hosting company leases all of our servers from The Planet and the few abuse reports we have gotten have been treated very seriously by the data center.

    peace
    Wolf
    http://www.alphaone-tech.com

    • A reverse DNS of some of the compromised Web site IP addresses just leads back to ipowerweb, so I don’t know if they host their own data centers or not.

      Apparently, however, this is not a new problem, and ipowerweb appears to have such poor security that hackers can penetrate sites hosted with them easily. I’ve updated the main message above with links and references to this problem, which appears to be long-standing.

  17. Keep fighting the good fight.

    Forget the war on drugs or in Iraq, I’d like to see our next president declare war on spammers and trojans.

    I think a cruise missile or two might get the point across…

  20. Wow, impressive research job. I’m a bit surprised to realize I’m actually familiar with all of the tools and techniques you’ve used, from similar stuff I’ve done in the past (although I only deal with referrers because I’ve discovered a referrer-blocking proxy server makes the web work far smoother)

    Also, just a plain interesting event. You don’t seem to mind people linking this, so… *yoink* 🙂

    • That’d be awesome!

      I suspect it will do little good, however. I’ve updated the main post with additional information about ipowerweb.com; it appears they have persistent security problems that extend back a long time, possibly related to vulnerabilities in their Web control panel software. According to stopbadware.org, an astonishing 20% of all Web sites being used to host or download malware are hosted by ipowerweb.com. If this is correct, it appears their problems run deep indeed, and that to date they have not acknowledged or addressed these problems.

    • Ipower killed my dedicated server on 12/13

      Hi,

      Could you please ask your friends at ipower why my dedicated server was killed on or around 12/13? I can’t get a straight answer from anyone and no one is willing to talk. The server was paid for through March. I have been a customer for several years. I have a massive online database system with hundreds of users and they said it has all been erased. One of the tier one tech support guys said ‘sorry’ but he didn’t sound sincere.

      How is such a thing possible? Someone from ipower went into my dedicated server and without my permission erased everything.

      Can I sue them for nullifying 2+ years of my life?

      Please help!

  21. Faaaaassssscinating…not only as a real-life example of a “weaponized” virus (i.e., one “payloaded” in such a manner as to provide maximum infection vectors) but also as a great idea for fictional hackers to follow. 😀

  23. she shoved it in and bridal hosiery wedding cake viagra fetish smurf Bible amateur transvestite video free vacation europe nymphomaniac ipod

    I just wanted to note that this is wonderful Vogon poetry.

    Other than that – well, we have an ISP pretty badly hosed there. Challenge might be to actually get through the front desk and get hold of someone who understands that they have a problem. If they have actual tech people (and that’s a pretty big if these days), getting on a security forum or list these people use or where people who know them hang out might be a way to get hold of intelligent lifeforms there.

    One thing to notice here is the effect of the new world of hacking. This is a truly large-scale effort. This is not done by script kiddies, there’s no defacing here. These guys are professionals, and as a result take the threat to a whole new level.

    This is fascinating stuff. I will forward it around a bit. If you know how to reach knowledgeable people in law enforcement, that might be a good thing. For one thing, the FBI can probably get the attention of a US ISP. On a longer term, having the FBIs of the world knocking on the door of Ukraine etc. authorities is one way we might eventually convince them to wear white hats.

    Thanks for posting this.

  25. Re: Apparently they do:

    I have today received a reply from Privacy Protect; they have stripped the virus dropping site of its protected status. I’ve posted an update with the current whois information in the message above.

  28. Re: Apparently they do:

    Great job. Looks like they are finally responding to some of the pressure being put on them. Notice who actually owns the domains. You will find MANY domains owned by similar folks…there is true organization here.

  29. On Behalf of IPOWER

    We are aware of this malicious attack, a patch is currently being rolled out, and over the next few hours the redirects should get wiped out. We are also working with the search engines to clear out the indexed malicious pages. This attack was isolated to our legacy platform. As some of you are aware, we have been in the process for a couple months of moving our customers to our new platform, on which one of the many improvements is moving away from the legacy server by server architecture to a distributed platform which allows for greater security processes and controls. The changes we are making should protect our customers from these types of attacks in the future. And, we are also working with law enforcement with regards to this matter.

    • Re: On Behalf of IPOWER

      Excellent! That’s good news, and I’m happy to see that you’re taking efforts to stop the problem and to work with Google about cleaning up their listings. You may be interested to know that this afternoon there appear to be more compromised Web sites, and that they’re using a different payload server now.

    • Re: On Behalf of IPOWER

      Why did you delete my paid for dedicated server on 12/13 and provide me no warning???

      No one at tech support will give me an answer!!!

      You destroyed 3 years of my work and I have hundreds of users/clients to answer to who can’t even find me on internet because my site is gone and with it my email.

      What you have done is either malicious or criminally negligent. Sorry just won’t cut it.

      Please come clean and explain what you have done.

      • Re: On Behalf of IPOWER

        UPDATE: I got through to Ipower (Endurance) executive offices in Burlington, MA and finally found an internal advocate who made things happen.

        They went from ‘sorry everything is erased there is nothing we can do’ to my website is back up.

        Don’t ever take tech support’s word for anything. Keep pushing until you get someone high up to take ownership of the problem.

  31. Thanks for that note – I’m building a website for a Non-Profit and was looking at hosting options. At least now I know to keep our hosting company in the US.

  33. I saw this from a link on the polfamilies mailing list. The sheer scale of this beggars belief. Then again, virtually all of the insecurity and dangers of the Internet come from machines not fully up to date with their security patches… sad to say, but unfortunately true. The irresponsibility of ipower, given that it hosts such a huge number of websites, is what really makes me despair more than anything else.

  35. from StopBadware.org

    Hi,

    Thanks for helping call this to attention. I imagine iPower folks heard from many sources, but I know that both folks at Google’s anti-malware team and folks at StopBadware.org contacted iPower yesterday. We were assured that iPower was working hard to fix things – you can see the full blog post about our conversation here (http://blogs.stopbadware.org/articles/2007/12/13/ipower-responds-to-latest-threat)

    Also, to be fair to iPower, our report that highlighted them as a top host of malware-distributing sites is from early May. We also weren’t saying they had 1 in 5 bad sites, but rather that they were #1 out of the 5 top network service providers owning IP addresses with badware being distributed (we have no way to compare a subset of sites like iPower’s to the internet as a whole). When we made our announcement in May, iPower was one of several companies who contacted us immediately and worked with us to clean and secure their sites.

    Thanks again for your vigilance and for helping bring these issues to the attention of the folks who can help fix them fast. I’d like to invite you (and any of your readers who see this) to share information like this with us in the future, too – just write to contact @ stopbadware.org.

    Erica George
    StopBadware.org staff

  37. Re: Apparently they do:

    Perhaps not. I just updated the post again; the people responsible have switched payload servers, and the new payload server whois is also protected by privacyprotect.org.

  38. It seems there’s little that can be done directly against servers hosted in Eastern Europe, short of turning all of Eastern Europe into a “firewall and forget” black hole, but I wish that American ISPs would become more security-conscious and more proactive about not allowing the hackers to run rampant over their networks…

  41. Of course, our president is unclear on both global warming and on how humans evolved. If he’s that dense regarding science, I can’t imagine his ability to comprehend technical issues is any better, even if it’s explained to him in tiny words.

    • Yeah! I saw that last night shortly after it went up. I had no idea that one blog entry would become such a big deal, but apparently I was the first person to discover this particular attack on ipowerweb, so I’ve been getting a lot of attention. Spent all day yesterday on the phone with computer security folks, the reporter from The Register, and other people.

      It’s been a weird couple of days.

  43. Brilliant find, Franklin!

    I wonder if there are any good reliable tools one can install into a shared-hosted web account to detect this sort of hackery promptly when it happens.

    Thought: If you weren’t updating files constantly (i.e. if the site were largely static, or if the changing content were all in a DB), then creating and periodically checking an MD5 hash of the directory tree (including file dates and sizes) might be sufficient. If your webhost allows ssh (mine does), this could be done remotely.

    • I rsync my web tree whenever I do updates, so any unauthorised files would show up then. BUT, and this is the gotcha both still have, if the web server itself was backdoored and the main httpd.conf (or whatever) file modified to add a new directory alias then this would be insufficient. The rogue content would be outside of my tree totally.

      Essentially the whole server needs to be protected by something like tripwire.

      Fortunately most web servers drop privs early enough that they can’t be used to update their own server configs 🙂
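
The directory-tree hash suggested in comment 43, written out as an added example (not code from the original post or its commenters). It uses SHA-256 where the comment says MD5, the function names and the sample tree are constructed for illustration, and, as the reply notes, it cannot see content served from outside the tree.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file under root to its size, mtime and SHA-256 digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets, devices
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": digest.hexdigest(),
            }
    return manifest


def compare(baseline, current):
    """Report files added, removed, modified (content) or touched (mtime only)."""
    old, new = set(baseline), set(current)
    common = old & new
    modified = sorted(
        p for p in common if baseline[p]["sha256"] != current[p]["sha256"]
    )
    touched = sorted(
        p for p in common
        if baseline[p]["sha256"] == current[p]["sha256"]
        and baseline[p]["mtime"] != current[p]["mtime"]
    )
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": modified,
        "touched": touched,
    }


def _write(root, rel, text):
    """Create a file (and its parent directories) under root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return path


def demo():
    """Constructed sample tree: take a baseline, simulate tampering, diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", "<h1>home</h1>\n")
        _write(root, "about/index.html", "<h1>about</h1>\n")
        _write(root, "css/site.css", "body { margin: 0 }\n")
        _write(root, "old/notes.txt", "to be deleted\n")
        baseline = snapshot(root)

        # Simulated unauthorised changes (constructed for the example).
        _write(root, "about/extra/page1.html", "keyword keyword keyword\n")
        _write(root, "index.html", "<h1>home</h1><!-- altered -->\n")
        os.remove(os.path.join(root, "old/notes.txt"))
        os.utime(os.path.join(root, "css/site.css"),
                 (1_000_000_000, 1_000_000_000))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline manifest somewhere other than the web host, since anyone who can write to the tree can also rewrite a manifest stored beside it.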

  45. So my question is, what does the virus do, and how do the people behind it benefit?

    I’m gathering from this that if you google certain terms and then click a site, you can get infected.

    I would assume there are links through other search terms, too.

    But what do they gain from it?

    • I’d _guess_ they’re used to create botnets; they can remote-control your machine to send spam on their behalf. Russian controlled botnets are big business 🙁

    • The three most common ways that folks make money from viruses are by creating botnets (which then can be rented out to others or used to extort money from gambling sites by threatening to knock them offline during key sporting events), by installing SMTP servers on them and then selling lists of infected computers to spammers, who use the infected computers to relay spam; and by planting keyloggers which will look for certain kinds of URLs (such as any URL containing “bank” or “paypal”) and then sending a record of keystrokes back to the virus writer.

      More and more often, I’m also seeing spammer Web sites hosted on virus-infected computers. In a few cases, I’ve seen entire networks made up of virus-infected PCs that have both Web server and name server software installed; a spammer can host a spam Web page on a virus-infected PC, and even provide his own DNS services via other virus-infected PCs.

        • Maybe malware folks are morphing their scripts

          I came to this because of the mention in theregister. I clicked on a few links using Firefox and wget. I saw the results (download a virus disguised as a media player). The last time I clicked on the same exact link I saw a webpage claiming it was scanning my machine, found 6 virii, and wanted me to click a link to remove the virii. When I closed the window it warned me I shouldn’t do that because I WAS INFECTED.
          Maybe they’ve morphed their referer pages in response to your analysis and theregister’s article.

          • Re: Maybe malware folks are morphing their scripts

            That seems to be the purpose of the traffloader.info site. It loads one of three other sites at random and sends the visitor to one of those three payload sites. The three different payload sites try to download the virus in three different ways: one of them pretends to be a virus scanner site, one of them pretends to be a porn site (and tells visitors they need to download a special CODEC to view the movies), and one of them is just a black page with a broken picture link in the middle which tells visitors they need to download a plugin to view the pictures.

  51. The hosting company doesn’t care. Unless it costs them hundreds of thousands of customers, they aren’t going to care. Security costs money; when you pay someone $2/month (for example), what do you expect to get?

    Google would be a good route except there’s almost nothing they can do about it. Do you expect them to virus scan the entire Internet?

  52. a security breach on a scale that’s hard to imagine.

    Indeed. I have a shiny new $5 bill that says it’s an inside job. They just happened to change all the redirectors the day you sent an email to them. Right. It’s an inside job or every corner of their operation is compromised. (read: burn the house down and build a new one.)

    [edit: The level to which this is integrated means the server(s) are compromised, not just the individual sites. To do this on such a wide scale suggests it’s in the web server configuration and not each individual host.]

  54. Apparently ipowerweb do care. And while I certainly don’t expect Google to check for malware, they can and do update their algorithm to minimize the impact of spam and of software that targets their systems to unrealistically inflate search results.

    I know cynical apathy-projection is pretty popular these days, but as cool as it may look, it’s not always a safe bet.

  56. Google’s becoming a lot more proactive about flagging malware sites with search result notifications that say “This site may damage your computer,” but as near as I can tell they need user feedback in order to do so.

  57. There’s a difference between looking like you care and actually caring. If they really cared about the security of their systems and their customers, they wouldn’t be in messes like this every time they turn around. So, which is worse… they really don’t care — at least not enough to put resources on fixing the issues that lead to such problems in the first place — or they’re laughably incompetent? Their response sounds way too much like something from a marketing/PR person. I’ll believe it when they’ve actually cleaned up their act.

  58. Unfortunately, these sorts of things can move faster than the mighty Google can follow. As you’ve seen, they’re already doing referer checks. It’s not much of a stretch to add user-agent and/or ip range checks as well. So, if you are Google (or a googlebot), you get something that’s not malware. That means Google’s automatic processing won’t be able to catch it. At best they could be suspicious of the page based on the number of redirects, url manipulation patterns, network neighborhoods it’s been redirected through and ultimately served by, etc. But it would only be “suspect”; those things don’t add up to a smoking gun. (It adds up to high legal liability actually. As an ISP, you wouldn’t be very happy knowing Google has you tagged as “trashy”.)
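
The referer and user-agent checks described in comment 58 can be observed from the outside on a site you operate by requesting the same URL under different header profiles and comparing the answers. This is an added example, not code from the original post; the profile values, function names and the two stand-in fetchers are constructed, and an IP-range check on the server side would not be visible to it.

```python
import hashlib
import urllib.error
import urllib.request

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"  # constructed

# Header profiles to compare; all values are constructed for the example.
PROFILES = {
    "direct": {"User-Agent": BROWSER_UA},
    "from-search": {"User-Agent": BROWSER_UA,
                    "Referer": "https://www.google.com/search?q=example"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                              "+http://www.google.com/bot.html)"},
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers, timeout=10):
    """Return (status, Location or None, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:  # unfollowed 3xx, 4xx and 5xx
        return err.code, err.headers.get("Location"), err.read()


def probe(url, fetch=http_fetch):
    """Fetch url under each profile; list the profiles that differ from 'direct'."""
    seen = {}
    for name, headers in PROFILES.items():
        status, location, body = fetch(url, headers)
        seen[name] = (status, location, hashlib.sha256(body).hexdigest())
    baseline = seen["direct"]
    differs = sorted(n for n, fp in seen.items() if fp != baseline)
    return {"responses": seen, "differs": differs, "conditional": bool(differs)}


def fake_compromised(url, headers):
    """Constructed stand-in: redirects only visitors arriving from a search."""
    if "google." in headers.get("Referer", ""):
        return 302, "http://payload.example/", b""
    return 200, None, b"<h1>home</h1>"


def fake_clean(url, headers):
    """Constructed stand-in: same answer for every visitor."""
    return 200, None, b"<h1>home</h1>"


if __name__ == "__main__":
    for label, fetch in (("compromised", fake_compromised), ("clean", fake_clean)):
        report = probe("http://site.example/", fetch)
        print(label, report["conditional"], report["differs"])
```

Pages with per-request content (timestamps, tokens) will differ in body hash under every profile, so treat a changed status or `Location` as the stronger signal.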

  59. Franklin, can I call on your expertise in a very similar matter?
    The executive summary: Received email from a user at juno.com, looks like it was structured to bypass Gmail’s spam filtering. The payload appears to be a link to a very long, random-string URL hosted on thirdpartyoffers.juno.com, the root of the account being utterly empty. I went up the directory tree a bit, and the whole thing seems to be a redirect to tagline.bidsystem.com
    I’d dig more, but I don’t have a fully functional linux box at the moment, so I wanted to ask you to take a look. I can provide the full link, but didn’t want to post it uninvited.

  61. NNNgal

    It could be older.

    Perhaps two months ago (or more?), I googled my name and came up with websites I had nothing to do with that I can see now are malware sites of exactly this type. They do not appear on google today.

    Thanks for doing this research. But arrggh! How do I know if my system is compromised from clicking those links?

    www DOT latina-girl DOT ws
    www DOT purenudism DOT net
    www DOT treize DOT ws

    • Re: NNNgal

      Unfortunately, a lot of client-side antivirus scanners seem not to be terribly effective at spotting the viruses and malware transmitted by the Russian Business Network. Online scanners seem to fare somewhat better; the one I use is at

      http://housecall.trendmicro.com

      Though to be honest, the best way I’ve found to deal with viruses is to run a Mac or run Linux, and run Windows in virtualization. That way, if you suspect you’re infected, you just delete the virtual disk file and replace it from a known-clean backup.

  66. Re: On Behalf of IPOWER

    UPDATE: I got through to Ipower (Endurance) executive offices in Burlington, MA and finally found an internal advocate who made things happen.

    They went from ‘sorry everything is erased there is nothing we can do’ to my website is back up.

    Don’t ever take tech support’s word for anything. Keep pushing until you get someone high up to take ownership of the problem.

  67. Is this thread alive?

    The same person seems to have imgstorages.com

    I requested their contact info from PrivacyProtect (who appear to be out of the Netherlands?).

    I haven’t found out any other news through Google. Is there a further update?

    I can be reached at bodhisattvah on hotmail if there’s anything I can do to help. Or I can post the domain registrant info here when I receive it.

    • Re: Is this thread alive?

      Right you are; this does in fact seem to be part of the same group’s network of virus droppers.

      The URL you cited is a redirector to

      http://www.sysprocedure.com/download.php?id=4001

      which routes to a 404 if it doesn’t see a browser type and referrer that it likes.

      imgstorages.com is hosted in the Ukraine (surprise, surprise) on ukrtelegroup, the same host for the virus dropper pages I cited above. Ditto for the payload site, sysprocedure.com.

  70. A new wrinkle to all this

    Good day, my name is Timothy. I webmaster 7 sites on my server and I have been receiving referral spam, and in the process of tracking it down I found this blog entry. For those not in the know, referral spam is fake referrals to a website which leaves their web address in the weblogs. Seeing as many people have their weblogs available on-line (webalizer, awstats, etc.), they become forwarding links in the search engines. Here are some new addresses to add to the list:

    SVIOLETT.COM
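An added example, not part of the comment above or of the original post: one way to spot the referral spam it describes in an Apache "combined" access log, by flagging referrer hosts whose visitors request pages but never load any CSS or images. The log lines, host names and the `referrer_spam_candidates` helper are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in Apache "combined" format. www.example.org is the
# site being analysed; all hosts and addresses are reserved example values.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2008:09:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=widgets" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2008:09:15:02 +0000] "GET /style.css HTTP/1.1" 200 900 "http://www.example.org/index.html" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2008:09:20:10 +0000] "GET /article.html HTTP/1.1" 200 7000 "http://blog.example.net/links" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2008:09:20:11 +0000] "GET /logo.png HTTP/1.1" 200 3100 "http://www.example.org/article.html" "Mozilla/5.0"
192.0.2.11 - - [12/Jan/2008:09:31:40 +0000] "GET /article.html HTTP/1.1" 200 7000 "http://blog.example.net/links" "Mozilla/5.0"
192.0.2.11 - - [12/Jan/2008:09:31:41 +0000] "GET /style.css HTTP/1.1" 200 900 "http://www.example.org/article.html" "Mozilla/5.0"
192.0.2.12 - - [12/Jan/2008:09:44:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://blog.example.net/links" "Mozilla/5.0"
192.0.2.12 - - [12/Jan/2008:09:44:06 +0000] "GET /logo.png HTTP/1.1" 200 3100 "http://www.example.org/index.html" "Mozilla/5.0"
203.0.113.50 - - [12/Jan/2008:10:00:00 +0000] "GET / HTTP/1.0" 200 5120 "http://spam-referrer.example/" "Mozilla/4.0"
203.0.113.51 - - [12/Jan/2008:10:00:03 +0000] "GET / HTTP/1.0" 200 5120 "http://spam-referrer.example/pills" "Mozilla/4.0"
203.0.113.50 - - [12/Jan/2008:10:00:07 +0000] "GET /index.html HTTP/1.0" 200 5120 "http://spam-referrer.example/" "Mozilla/4.0"
203.0.113.52 - - [12/Jan/2008:10:02:00 +0000] "GET / HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Requests for static assets: a browser rendering a page makes these,
# a bot that only wants its Referer header logged usually does not.
ASSET_RE = re.compile(r'\.(css|js|png|jpe?g|gif|ico)(\?|$)', re.IGNORECASE)


def parse(log_text):
    """Yield one dict per well-formed combined-format line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def referrer_spam_candidates(log_text, own_hosts, min_hits=3):
    """Return external referrer hosts with at least min_hits page hits,
    none of which came from a client that ever fetched a static asset."""
    entries = list(parse(log_text))
    browser_ips = {e["ip"] for e in entries if ASSET_RE.search(e["path"])}

    hits = defaultdict(int)
    hits_from_browsers = defaultdict(int)
    for e in entries:
        host = (urlparse(e["referer"]).hostname or "").lower()
        if not host or host in own_hosts:
            continue  # no referrer ("-") or an internal link
        hits[host] += 1
        if e["ip"] in browser_ips:
            hits_from_browsers[host] += 1

    return sorted(
        host for host, n in hits.items()
        if n >= min_hits and hits_from_browsers[host] == 0
    )


if __name__ == "__main__":
    for host in referrer_spam_candidates(SAMPLE_LOG, {"www.example.org"}):
        print("possible referral spam:", host)
```

Flagged hosts are candidates for review rather than proof, and keeping Webalizer or AWStats reports behind authentication removes the payoff, because the fake referrers then never turn into public links.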

  72. HACK OF IPOWER SERVERS

    Our business site was hacked by xerxer.net late November 2007. I notified iPower and asked for help in doing a reconsideration request in Google. They closed my problem report without any correspondence, let alone help. I reopened the problem report. Guess what? You guessed it, iPower closed the report again with no correspondence. They really couldn’t give a stuff. In early January, as a matter of urgency, we moved our site to a new secure server. We lost a lot of sales, and are still losing sales as we have not recovered in the search engines. Lesson is: if you rely on your site, do leave it in the hands of incompetents.

    Mad as hell (former) iPower customer

  74. iPowerweb is terrible

    I used to host several sites with them and still have one that I’m just now finally getting around to transferring off. Their technical and billing support personnel seem equally incompetent. They actually shut down one of my sites because it was the target of some kind of spam attack, and blamed me for it! These guys are not just a joke. They’re a menace.

  76. Misdirection from search engines

    This is still going on (21 July 08) I have just got to this site because I have found exactly this problem on my web site at http://www.malagash.com – hosted by, yeh you guessed it… ipower.com.

  78. OMIGOD

    I am one of the hacked sites, and now don’t know what to do. I was about to redesign my site and register it until I discovered the bogus site by accident. For one day, I got “file not found” and today the bogus site popped right up. I really hate the tech support answer: we are working on it. I don’t even know how long ago this happened. Bless you for finding this…I am going to read everything you wrote on this subject.

  80. Manual labor

    > So I recently decided, like many folks do, to Google my name. I do this periodically, because it’s always fun to see how many sites are linking to me (and I’m in the process of building a list of non-English mirrors of my polyamory site — it’s been translated into Polish, Hebrew, German, and a bunch of other languages, which is cool).

    Dude, use Google Alerts (http://www.google.com/alerts) and save yourself some effort!

  82. Cool stuff on your site

    I’ve just discovered your post and I’m finding lots of informative stuff here. I will check back soon and recommend your blog 🙂

  84. Yes, yes, a thousand times yes!

    🙂

    No big surprise that I agree wholeheartedly. Our partner selection criteria and priorities are very similar.

  86. I KNEW you would be able to trace the leak better than I! I’ve had several other people “send” me similar e-mails, but since they knew nada about computers, there wasn’t much I could do.

  88. Fuck you.

    The part he was missing was the idea that she is a fucking prize to be “had”, and that winning her was worth bragging rights to his buddies.

    Frankly, there’s a lot of reasons why he and I are exes, but this is not one of them.

    I am not a fucking prize to be won. I am a goddamn human fucking being, and anyone who thinks the difficulty of the “chase” is indicative of my worth is a fucking asshat who deserves to be mocked for his lack of conquests.

  90. Judging by your arrogant reaction to the fact that you said something offensive and were called out for it, I wouldn’t be too inclined to put much weight into who you think is prize-worthy or not.

  92. It’s actually a fairly simple project. I connected the TIP120 to Arduino pin 9 and connected the Sexual Torment LED to Arduino pin 12. The sketch turns the LEDs on when the vibrator runs and off when it stops. Here’s the sketch with 9 patterns:

  94. Mystery Solved

    What you’re looking at is the former site of the Georgia International Convention Center. Per Wikipedia: “Prior to 2003, the Georgia International Convention Center was located behind and connected with the Sheraton Gateway Hotel Atlanta Airport (Riverdale Road). However, because of runway expansion at the airport, they acquired the land which forced the move.”

    If you look at it on Google Maps, satellite view, you see that it’s immediately adjacent to taxiway 10 of runway 28.

  96. WEIRD CHICK: How come you don’t like me?
    COWBOY #1: I’m a cowboy. This is a cowboy movie. You figure it out.
    WEIRD CHICK: …

    Awesome plot summary – and I was pleasantly surprised by the movie as well.

    There was a plot, Harrison Ford, Daniel Craig, some hot chick, Tonto and the dog. I mean, what more could one ask for? Although you’re right – until you pointed it out I couldn’t put my finger on what was missing. DIALOG. But you can always replace good DIALOG with a STEELY GAZE, right?

  98. There’s a study out somewhere that shows that our society actually uses rejections without the word “no” all the time, and everyone understands a rejection when they hear one, even if there is no “no” in it.

    Except when it comes to sex.

    Think “I’d love to have coffee with you but…” – we all know that’s a “no”. Yes, even the most socially awkward people understand that it’s a “no”. People might try to find a solution to the “but…” because of the first part “I’d love to”, but we still understand that these ambiguous phrases are, in fact, a rejection.

    But when it comes to sex, people weasel out of it with “I didn’t know she wasn’t into it – she didn’t SAY no!” That’s not good enough. We, as a society, know when someone is unconscious, or making excuses, or trying to be polite. “No means no” requires women to give a forcible rejection in situations that they have been socialized to fear giving explicit rejections.

    There is punishment for rejecting someone. Usually, it’s just that we feel bad for hurting someone else’s feelings. But sometimes, there’s real consequences. Like the time a guy refused to take my explicit, non-ambiguous rejection at a bar and I had to pull my knife on him to get him to back off. No one should ever have to fear a reprisal for policing their own boundaries.

    So we all phrase our rejections, when we’re even capable of it, in the softest manner possible, leaving the door open to abuse of the ambiguity.

    I think the “no means no”, while absolutely true, misses some fundamental beliefs in our society and “yes means yes” is an attempt to change those underlying beliefs.

    “Yes means yes” *does* require changing the social mindset against sluts and sexuality, which is why this will be a hard sell. But I think that is an important paradigm shift. I think we need to move away from women being shamed for enjoying or wanting sex.

    “Yes means yes” does not replace “no means no”, it is a step above “no means no”. It removes the burden of responsibility for a person currently in the potential-victim role to police her own boundaries, it puts the burden squarely on the potential-rapist for not getting a clear and unambiguous “yes”, and it *also* creates a society where sex, by necessity, has to be something that all partners enter into freely. Which means that, yes, women have to start owning up to wanting sex. Between the two – getting a woman to say no when she’s afraid is actually much harder than getting a woman to say “yes” when she isn’t, even if both go against social programming. So I vote for the latter.

    When it comes to social mindsets, society is a much healthier place when we teach people to own their own sexuality, than when we teach people that it’s your job to avoid getting raped and that rapists have no responsibility if they manage to put some woman into a position where she can’t say no.

  100. *sigh*

    I hate the assumption that because I’m female and not-white that I’m an object and a sub and that I’d love it if THEY did it.

    Yeah.

  102. i spent 3 hours trying to get AT&T to change my account from discounted for university of wisconsin to discounted for university of washington. i was only ultimately able to succeed by stalking them on twitter.

    so my new method of handling situations where i get bounced around on the phone / online chat and no one knows what i’m talking about is to find them on twitter and complain there… but it really irritates me. my mom isn’t gonna track people down on twitter. and it sucks that they don’t want to handle customer service / tech support well unless it’s a situation where it could result in bad publicity if they don’t.

  104. Nah, using a TRS-80 Model I doesn’t really date you. My first computer of my own was a Model III with 16K and a cassette deck.

    Using PC in a computer context to mean Program Counter and not Personal Computer, though..

  106. get viagra super active

    best buy bestbuy drugs dizzy or fainting spells Albenza Free Shipping ing – No rx fedex shipping previous heart attack cheap cheapest US C,o,d shipped on saturday.Buy order online BEST PRICE Saudi Arabia same day delivery brain damage Albenza Drug cheapestest male hormones (example: testosterone) cheap cheapest US C,o,d shipped on saturday.Buy online overseas cheap Myanmar free online doctor consultation changes in vision, hearing Seromycin UK online prescription
    without prescription http://home-drugstore.com/buy-generic-clozaril-without-prescription/ buy generic clozaril without prescription, side effects http://home-drugstore.com/buy-generic-colcrys-without-prescription/ buy generic colcrys without prescription, best price http://home-drugstore.com/buy-generic-colofac-without-prescription/ buy generic colofac without prescription, buying http://home-drugstore.com/buy-generic-combivir-without-prescription/ buy generic combivir without prescription,

  108. Sounds good. MOSFET output transistors are a good way to drive things (good old IRF510) as driven digitally they lose less power due to the lack of the 0.7V forward drop (and are more efficient and green too)

    Also i have tried running vibrators off the same supply as the control electronics and the voltage drop from the motor starting usually causes a brown out. you need one hell of a decoupling cap to stop this or you need to have a diode or DC/DC converter between the power to the motor and the tank cap on the electronics.

  110. backlinks backlinks service

    greetings tacit.livejournal.com blogger discovered your site via yahoo but it was hard to find and I see you could have more visitors because there are not so many comments yet. I have found website which offer to dramtically increase traffic to your blog http://xrumerservice.org they claim they managed to get close to 1000 visitors/day using their services you could also get lot more targeted traffic from search engines as you have now. I used their services and got significantly more visitors to my website. Hope this helps 🙂 They offer purchase backlinks seo copywriter backlink service backlink submitter Take care. Jay

  112. Channeling the old Conan routine… IN THE YEAR 2000:

    • …there is only ONE FONT.
    • …everything is thinner: displays, refrigerator doors, people.
    • …every surface is a display, just like in Spaceballs. (I told you to never call this wall! This is an unlisted wall!)
  114. Last post in this thread for me, I think:

    I still want tech improved ADULT entertainment! I grant you that an iPad and porn website (or Skype and a willing partner) are pretty awesome, but how will sex drive the technical innovation?

  116. There was something on that, not too long ago… lessee if I can remember the gist.

    Basically, the idea was that most people hold some viewpoints on the right and some viewpoints on the left, averaging us out to middle-ground or moderates.

    Apparently, adamantly asserting a view to one side activates that side of the listener’s brain (the conservative/liberal side, not the literal right or left side) and makes the opposing side of the brain shut up, so that the listener starts to lean towards the speaker’s viewpoint.

    In other words, when a fanatical conservative starts ranting and railing in absolutes, listeners who might hold some liberal but also some conservative values can’t, apparently, hold both at the same time. So the liberal parts of the brain shut down and the parts that hold the conservative values lights up & says “hmm, this guy knows his stuff! I agree with him!”, swaying the listener further to the right.

    So when the liberal politicians try to sound all reasonable by talking about “balance” and letting everyone be heard, and compromising their stances, they are at a disadvantage because their listeners are not being swayed and can be pulled over to the conservative side of the argument.

    So we get a Right that is getting more extremely Right and a Left that keeps leaning Right.

    Wish I could find that URL, it was a frighteningly fascinating read.
