Saturday, July 7, 2007

ED Pill Store.... the things we should not see

So in my last post I wrote about the spam from ED Pill Store and how my initial analysis only resulted in a complaint to the domain registrar and the hosting service used by the site.

Well, there is something far more interesting. During my analysis I of course tried to see whether anything "hidden" was present on the server, ended up at www.upergimtwo.com/admin and found this:



An administration page. It was not configured correctly, so it was not possible to edit the site - that would have been really fun - but what is interesting is what it calls the main server, located at the address 66.230.182.166.

The address 66.230.182.166 belongs to ISPrime Inc., www.isprime.com, a hosting provider based in New York, United States, which will hopefully make it easier to file a complaint AND get a response than it is with the Chinese providers. The server there runs MySQL, and my guess is that this is actually the backend server holding the product information etc., and where orders end up after being submitted at the different spamvertised sites such as www.upergimtwo.com.

So I will file a complaint with ISPrime!

But there is more. The address 66.230.182.166 also hosts a web server, and I found the following at 66.230.182.166/staff.



That really confirmed my theory about this being a backend server where orders are placed etc. It looks quite organized, which made me wonder whether it is actually a third-party product being used, but I have not been able to determine that yet.

The next interesting thing I noticed was that when I clicked one of the links, the address changed from 66.230.182.166/staff to www.everadmin.com/staff.

So once again I did a domain WHOIS lookup, this time on everadmin.com:



I did a little searching and found that the same registrant information had been used before to register domains for spamvertised sites selling replica watches. So it is probably forged information, but I will look into that later.
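Cross-referencing registrant details like this is easier to do systematically than by eye. The following is an added example, not code from the original post: it parses WHOIS output into fields, normalizes the registrant contact values (phone numbers stripped to digits, text lowercased) and groups domains that share any of them. The WHOIS records are constructed placeholders; only the domain name everadmin.com comes from the post, while the other domains and every registrant detail are invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample WHOIS output in the "Key: Value" layout most registrars
# print. Only everadmin.com is a domain from the post; the other domains and
# every registrant detail below are invented for this example.
SAMPLE_WHOIS = {
    "everadmin.com": """\
Domain Name: EVERADMIN.COM
Registrant Name: John Doe
Registrant Street: 1 Example Street
Registrant Phone: +86.1234567890
Registrant Email: jdoe@example.invalid
""",
    "replica-watch-example1.com": """\
Domain Name: REPLICA-WATCH-EXAMPLE1.COM
Registrant Name: John  Doe
Registrant Street: 1 Example Street
Registrant Phone: +86 123 456 7890
Registrant Email: JDoe@example.invalid
""",
    "replica-watch-example2.net": """\
Domain Name: REPLICA-WATCH-EXAMPLE2.NET
Registrant Name: J. Doe
Registrant Street: 22 Other Road
Registrant Phone: 86-1234567890
Registrant Email: watches@example.invalid
""",
    "unrelated-example.org": """\
Domain Name: UNRELATED-EXAMPLE.ORG
Registrant Name: Jane Roe
Registrant Street: 5 Different Avenue
Registrant Phone: +1.5551234567
Registrant Email: jroe@example.invalid
""",
}

# Registrant fields worth pivoting on. Email and phone are the strongest
# links; name and street are weaker because they are easy to share by chance.
FIELDS_OF_INTEREST = (
    "Registrant Email",
    "Registrant Phone",
    "Registrant Name",
    "Registrant Street",
)

# "Key: Value" line; the lazy key match stops at the first colon, so values
# containing colons (timestamps) are kept intact.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*?)\s*$")


def parse_whois(text):
    """Parse free-form WHOIS output into a {field: value} dict."""
    record = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            record[match.group(1).strip()] = match.group(2)
    return record


def normalize(field, value):
    """Canonical form of a registrant value so trivial variations still match."""
    value = value.strip().lower()
    if field == "Registrant Phone":
        # "+86.123", "+86 123" and "86-123" all become "86123"
        return re.sub(r"[^0-9]", "", value)
    return re.sub(r"\s+", " ", value)


def correlate(whois_by_domain):
    """Map (field, normalized value) -> sorted domains, keeping only values
    that appear in more than one domain's record."""
    index = defaultdict(set)
    for domain, text in whois_by_domain.items():
        record = parse_whois(text)
        for field in FIELDS_OF_INTEREST:
            if field in record:
                index[(field, normalize(field, record[field]))].add(domain)
    return {key: sorted(domains) for key, domains in index.items() if len(domains) > 1}


def related_domains(whois_by_domain, domain):
    """Domains sharing at least one registrant identifier with `domain`,
    mapped to the sorted list of fields they share. More shared fields, and
    email or phone in particular, make a common operator more likely."""
    shared = defaultdict(list)
    for (field, _value), domains in correlate(whois_by_domain).items():
        if domain in domains:
            for other in domains:
                if other != domain:
                    shared[other].append(field)
    return {d: sorted(fields) for d, fields in sorted(shared.items())}


if __name__ == "__main__":
    for other, fields in related_domains(SAMPLE_WHOIS, "everadmin.com").items():
        print(f"{other}: shares {', '.join(fields)}")
```

Real registrars label fields inconsistently ("Admin Email", "Registrant E-mail", and so on), so the field list needs adjusting per registrar, and a shared name or street alone is a weak signal compared with a shared email address or phone number.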

So there is a lot of new information to investigate, and most importantly a service provider located in the United States. I will try to convince them to contact the police and ask whether they are interested in being handed the files on that backend server. I believe there could be extremely interesting information on it, information the spammer does not want us to see...

2 comments:

Anonymous said...

This is fantastic research. You should consider joining us at thecarpcstore.com/phpbb2 :)

SiL

Anonymous said...

Seconded, great research!!

Ubedoobie