Dear members, clients and guests of our portal,
Over the last few years our portal has helped you to organize your business, find new partners and increase sales.However, all good things end. Many of you know that we have experienced legal problems over the last year. Our competitors from other social networks are trying to take over our client base.
Our website has been hacked and our database was stolen. After that we were taken to court because of identity theft.Unfortunately, legal expenses and unfavorable court verdict with following closure of our bank accounts will lead to closure of our website. All paying members will receive refund starting from March 14th.
Please check attached file for legal information in regards to your account.

Best regards,

The Ecademy TeamEcademy – The Social Network for Business People
Company Registration:3651083 VAT:718 0377 36 

h11p://www.facebook.com.profile.php.id.371233.cn

He also had the following from another user on his wall

“lol i cant believe these pics got posted….its going to be BADDDD when her boyfriend sees these- h11p://www.facebook.com.profile.php.id.371233.cn”

Of course, the guilty domain is 371233.cn… a whois doesn’t reveal much..

whois 371233.cn
Domain Name: 371233.cn
ROID: 20071101s10001s02380333-cn
Domain Status: ok
Registrant Organization: 小问
Registrant Name: 笑纹
Administrative Email: 24@244.com
Sponsoring Registrar: 北京新网互联科技有限公司
Name Server:ns1.4980603.com
Name Server:ns2.4980603.com
Name Server:ns3.4980603.com
Name Server:ns4.4980603.com
Registration Date: 2007-11-01 23:30
Expiration Date: 2008-11-01 23:30

Then the whois of the hosted server 4980603.com is

Domain Name………. 4980603.com
Creation Date…….. 2007-10-19 18:26:55
Registration Date…. 2007-10-19 18:26:55
Expiry Date………. 2008-10-19 18:26:55
Organisation Name…. xiaowen
Organisation Address. No.323 chang’an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN

Admin Name……….. top wen
Admin Address…….. No.323 chang’an road
Admin Address……..
Admin Address…….. Beijing
Admin Address…….. 100001
Admin Address…….. BJ
Admin Address…….. CN
Admin Email………. 24@244.com
Admin Phone………. +86.1034546677
Admin Fax………… +86.1067688466

Tech Name………… top wen
Tech Address……… No.323 chang’an road
Tech Address………
Tech Address……… Beijing
Tech Address……… 100001
Tech Address……… BJ
Tech Address……… CN
Tech Email……….. 24@244.com
Tech Phone……….. +86.1034546677
Tech Fax…………. +86.1067688466

Bill Name………… top wen
Bill Address……… No.323 chang’an road
Bill Address………
Bill Address……… Beijing
Bill Address……… 100001
Bill Address……… BJ
Bill Address……… CN
Bill Email……….. 24@244.com
Bill Phone……….. +86.1034546677
Bill Fax…………. +86.1067688466
Name Server………. ns4.4980603.com
Name Server………. ns3.4980603.com
Name Server………. ns2.4980603.com
Name Server………. ns1.4980603.com

The site looks quite convincing to the user, they haven’t updated the year to 2008 yet…

The source of the site is basically the following form…

<form method=”post” action=”login.php”><div id=”loginform”><div class=”form_row clearfix”><label for=”email” id=”label_email”>Email:</label><input type=”text” class=”inputtext” id=”email” name=”email” /></div><div class=”form_row clearfix”><label for=”pass” id=”label_pass”>Password:</label><input type=”password” class=”inputpassword” id=”pass” name=”pass” value=”" /></div><label class=”persistent”><input type=”checkbox” class=”inputcheckbox” onclick=”document.getElementById(“persistent_notification”).style.display=this.checked?”block”:”none”;” id=”persistent” name=”persistent” value=”1″ /><span>Remember me</span></label><div style=”display: none” id=”persistent_notification”><div class=”status”><h2><span id=status_title>By selecting “remember me” you will stay logged into this computer until you click logout. If this is a public computer please do not use this feature.</span></h2></div>
</div><div id=”buttons” class=”form_row clearfix”><label></label><input type=”submit” value=”Login” name=”login” id=”login” onclick=”this.disabled=true; this.form.submit();” class=”inputsubmit” /> or <strong><a id=reg_btn_link href=”https://www.facebook.com/r.php?” >Sign up for Facebook</a> </strong></div><p class=”reset_password form_row”><label></label><a href=”http://www.facebook.com/reset.php”>Forgot your password?</a></p></div></form>

There’s also a reference to an internal IP…

<span title=”10.1.227.120″>20</span><span title=”19192216″>07</span>

Anyone else seen this?

My security feeds today had numerous stories about the root dns servers being hacked. There have been a couple of cases going back to the 80′s written about in
Clifford Stoll’s book, the Cuckoo’s Egg where hackers targeted the root servers. These servers are seen as trophy win, you get into these, you get into the backbone of the
internet, hence its alluring appeal. Naturally these servers need to be as secure as possible. Recently, Sun were commissioned to install Solaris 10 for the ISC F-ROOT server
f.root-servers.net (192.5.5.241).

The attack against the servers was a DDoS (Distributed Denial of Service), this consists of using thousands of zombie machines sending hundred of thousands of requests to try to
overwhelm them and deny it from delivering the service it is designed to deliver. In this instance, the servers stood up against the attack.

Just another day in the internet.