[hosting] Please Help Us Find Sites Abusing Our Tos

[Liqfan]

Now that gives alot of replies, best thing to do is just look at that, take a few hours ,and ban everyone

[harbino]

here is a site:

ultrawarez.zzl.org

as you can see, the title says it all.

still up and running under UltraWarez.tk

[Trice]

http://freemovies.zzl.org don't know if porns allowed?
http://ourpcgame.zzl.org - Cracks

[HandNF]

peestyle.99k.org/forum/showthread.php?t=2503

[iheartakira]

this website promotes using limewire for piracy(in the flash animation),
and they use the index2.html for spamming forums and shoutbox's.

http://kirasarmy.zzl.org/index2.html

watch that little flash thing fully its maybe 20 seconds long but vary annoying,

and there using a pirated IPB,
well i think its pirated http://kirasarmy.zzl.org/forum/

[Quake]

Here we go: http://warezlinks.99k.org/

Has all sorts of pirated stuff.

[KMoore]

Norton found uuuq.com as unsafe based on the following:

Threat Report
Total threats found: 26

Viruses
Threats found: 23
Here is a sample:

Threat Name: Downloader
Location: http://traffbux.uuuq.com/viewp.php?ad=37

Threat Name: Downloader
Location: http://traffbux.uuuq.com/advertisewmr.php

Threat Name: Downloader
Location: http://traffbux.uuuq.com/advertisewmz.php

Threat Name: Downloader
Location: http://traffbux.uuuq.com/viewp.php?ad=36

Threat Name: Downloader
Location: http://traffbux.uuuq.com/upgrade.php

Threat Name: Downloader
Location: http://traffbux.uuuq.com/forum.php

Direct link to: http://traffbux.uuuq.com/advertisewme.php
Location: http://traffbux.uuuq.com/advertise.php

Threat Name: Direct link to Downloader
Location: http://traffbux.uuuq.com/work.php?r=

Threat Name: Direct link to Downloader
Location: http://traffbux.uuuq.com/viewp.php?ad=37

Threat Name: Direct link to Downloader
Location: http://traffbux.uuuq.com/viewp.php?ad=36

Drive-By Downloads (what's this?)
Threats found: 3
Here is a complete list:

Threat Name: MSIE DHTML CreateControlRange Code Exec
Location: http://traffbux.uuuq.com/

Threat Name: MSIE DHTML CreateControlRange Code Exec
Location: http://traffbux.uuuq.com/viewp.php?ad=37

Threat Name: Direct link to MSIE DHTML CreateControlRange Code Exec
Location: http://traffbux.uuuq.com/work.php?r=

[CSSTest]

Any website on this service with a script tag linking to http://*.bestgoin.com/images/header.php
should be candidate for deletion, for redirecting to scareware / rogueware antivirus product advertisements.
The asterisk is a wildcard random word subdomain.
There's quite a few on this service.

Here's a regex for you:
&lt;script language="JavaScript" src="http://.*\.bestgoin\.com/images/header\.php"></script>
as a string:
"&lt;script language=\"JavaScript\" src=\"http://.*\.bestgoin\.com/images/header\.php\"></script>"


Examples of a website with this script tag:
http://korefan.vndv.com/camcorde7b/box-keygen-live-x.html
The script uses a referrer and seems to break, however you get the redirect if you come from google.
Google site:vndv.com korefan

[hussam]

http://karri.vndv.com/fetal-ald6/index.html

http://gionz.vndv.com/clean-de4f/wayou.html

seem like the same person has those two accounts. they redirect to porn/warez

plus many others http://www.google.com/search?q=site:vndv.com+porn

http://yahoo.uuuq.com/ Impersonates yahoo.com

[CSSTest]

Variation of a Google search query posted above:

http://www.google.com/search?aq=f&hl=e...amp;btnG=Search

May I suggest that for blog and forum sites marked deactivated, with forum spam issues, that should they be reactivated, place a note somewhere visible stating to clean up their site?

Forum Spam issues:
http://rootvietgiaitri.99k.org (unreachable, lots of spam posts, vBulletin, Vietnamese)
http://2win.zzl.org/ (deactivated, bulgarian)
http://cristocentrico.99k.org/ (unreachable, lots of spam posts, spanish)
http://cro-downloads.99k.org (unreachable, lots of spam posts)
http://eightballers.clanteam.com/boards/vi...97ac08f63ddcc01 (deactivated, this page only, may be more.)
http://lafche.zzl.org/ (deactivated, some spam posts, bulgarian)
http://musicart.zxq.net/ (deactivated, some spam posts, romanian)
http://muzic.99k.org/ (unreachable, Indonesian, lots of posts, but unable to determine if they're spam)
http://nitrohost.clanteam.com/ (deactivated, lots of spam posts)
http://alsahil.zxq.net/vb/ (deactivated, some spam posts, vBulletin, Arabic)
http://meteora.clanteam.com/ (deactivated, vBulletin, Vietnamese)
http://tavoosi.zzl.org/ (deactivated, lots of spam posts, vBulletin, Arabic)


Comment spam in a blog or otherwise:
http://metoo.vndv.com/ (Massive comment spam, indonesian)
http://piske91blog.99k.org/?p=431 (unreachable, One hit, seems to be spammy in the comments, so other posts may be the same)
http://sritebraujb.zzl.org/ (deactivated, Shoutbox spam)
http://zetsumei-bara.zxq.net/ (deactivated, massive comment spam)

Hacking:
http://c1c4tr1z.99k.org/ (unreachable)

Spam:
http://1-2-3-4.vndv.com/about.html (Hidden in the source)
http://61039.vndv.com/page1-1.html (Hidden in the source)
http://alled.vndv.com/ (Obfuscated JS [script before doctype] sends user to ineoffice.com [ad domain]) example page: http://alled.vndv.com/blackberdf/tadem.html
http://bawi.vndv.com/ (JS [script before doctype] sends user to eveningty.com [ad domain]) example page: http://bawi.vndv.com/dd-monsta8/leromo.html
http://bibon.vndv.com/ (JS [script before doctype] sends user to ineoffice.com [ad domain]) example page: http://bibon.vndv.com/flower-gd9/disto.html
http://edu-4share.vndv.com/SO_web.html (Hidden in the source)
http://halloween2008.vndv.com/costumesforhalloween.html (Obfuscated JS that seems to set a cookie, and or send you to rdfq.com. "buy viagra" and "Costume sex")
http://kolo.vndv.com/t1.html (Hidden in the source)
http://korefan.vndv.com/exclusiv87/map.html (100% links, no content, all links lead to a page (JS [script before doctype] sends user to bestgoin.com [ad domain]) )
http://lepin.vndv.com/ (JS [script before doctype] sends user to ineoffice.com [ad domain]) example page: http://lepin.vndv.com/florida-c7/grete.html
http://mrop.vndv.com/ (JS [script before doctype] sends user to ineoffice.com [ad domain]) example page: http://mrop.vndv.com/auto-20047/diled.html
http://nieshamansour.zzl.org/ (disabled: Obfuscated JS sends user to leavet.info [Rogueware / Scareware ad domain]) example page: http://nieshamansour.zzl.org/kiddy-sex-cp.html
http://nort.vndv.com/ (Obfuscated JS [script before doctype] sends user to ineoffice.com [ad domain]) example page: http://nort.vndv.com/candy-ea23/cunst.html
http://patchara60808.vndv.com/page1.html (Hidden in the source)
http://phamphuoc2006.vndv.com/hoto.html (Hidden in the source)
http://sharlenesells.clanteam.com (disabled: Obfuscated JS sends user to leavet.info [Rogueware / Scareware ad domain]) example page: http://sharlenesells.clanteam.com/sitemap.htm
http://testingforcmm.vndv.com/ (Hidden in the source)
http://vereteno.vndv.com (JS [script before doctype] sends user to bestgoin.com [ad domain]) example site: http://vereteno.vndv.com/listen-tc6/male-f...ort-review.html
http://tovares.vndv.com/ (JS [script before doctype] sends user to bestgoin.com [ad domain]) example site: http://tovares.vndv.com/discounte4/pakista...llege-girl.html
http://opora.vndv.com/ (JS [script before doctype] sends user to anewsight.com [ad domain]) example site: http://opora.vndv.com/black-sp49/black-woman-in-porn.html
http://esaul.vndv.com/ (JS [script before doctype] sends user to bestgoin.com [ad domain]) example site: http://esaul.vndv.com/box-came41/bang-gang-shemale.html

Warez:
http://2tsoft.zzl.org/
http://evil.zzl.org/ (Deactivated, Forum about porn, passwords, warez)
http://quachbavuong.vndv.com/software/ (vietnamese, hits on "virus")

Porn:
http://trafic.zxq.net/ (deactivated, sex toplist)
http://yo7ffu.vndv.com/photo-fete5.php

Pharm:
http://zoki.zxq.net/hyzaar.html (unreachable)

Uncertains:
http://bantoi.99k.org/lyquocviet1989.htm (unreachable. Porn?)

Odd behavior:
http://script00.vndv.com Google Search Results
I leave it to the admins to make the final decisions.

[CSSTest]

SEO Doorways:
zml.com:
http://pcdvdipod.vndv.com/ http://pcdvdipod.vndv.com/acne/
http://divxvsipod.vndv.com/ http://divxvsipod.vndv.com/dog-day-afternoon/
http://todsplayer.vndv.com/ http://todsplayer.vndv.com/howls-moving-castle/
http://dvdreleases.vndv.com/ http://dvdreleases.vndv.com/The-Soloist/

choosecars.com:
http://carauction344.vndv.com/ http://carauction344.vndv.com/?page=913

Hidden Pharm spam in the source code:
Identifiable by the first div tag immediately after body tag, has styles: position:absolute; top:0px; width: #0px; text-indent: #5px; overflow: hidden; white-space: nowrap;"
In english, this means you've got an element at the top of the screen, with a view of 10-90 pixels wide, with the text starting 5 pixels off the right side of the element. The overflow is "clipped", and the rest of the content will be invisible to the viewer, a scroll-bar is NOT added to the element for the user to see the rest of the content, and white space is nowrap to ensure it stays on the same line.
The text indent is always 5 more than the width to push the spam out of the element's viewport, The width varies but is never less than 10 or more than 90, and always a factor of 10.

http://edu-4share.vndv.com/SO_web.html
http://1-2-3-4.vndv.com/about.html
http://phamphuoc2006.vndv.com/hoto.html
http://testingforcmm.vndv.com/
http://hakim.vndv.com/
http://samstalentmanagement.vndv.com/
http://patchara60808.vndv.com/page1.html
http://61039.vndv.com/
http://trial11helloworld.vndv.com/framed_main.php
http://bootfete.vndv.com/papyrus.html
http://pornjutha60823.vndv.com/
http://aminmaroofi.vndv.com/8.html
http://kolo.vndv.com/t4.html
http://pitchanan61035.vndv.com/page2.html
http://marwoto.vndv.com/
http://asaya61046.vndv.com/2.html
http://frebib.vndv.com/

obvious pharm spam:
http://weightlossp.vndv.com/index.html
http://on-line-met.vndv.com/top/index.html
http://flores.vndv.com/078-meridia.html
http://der-phen.vndv.com/top2/hoodia-np-lipothin-w.html

MFA (a glimpse of the page, or not, then redirected to another page of advert links)
http://education.vndv.com/lawrence-county-...-education.html
http://slumber.vndv.com/baby-basket-gift/b...eluxe-gift.html
http://ecrany.vndv.com/billiard-hall/freedom-hall-pool.html
http://luxurystyle.vndv.com/brown-canvas-fendi-bags/
http://opora.vndv.com/black-sp49/black-designer-shoes.html
http://kohler.vndv.com/coumadin/colchicine-pharbitis.html
http://ecrany.vndv.com/blender-bullet-magi...seen-on-tv.html
http://dimondz.vndv.com/fossil-handbags/
http://jewestore.vndv.com/exotic-body-jewelry/
http://rationedu.vndv.com/advertising-education/

This page seems to be an advertisement landing page for sonico.com?, there is no content except advertising.
http://sonico.vndv.com/

Hidden spam:
http://love-lyrics.vndv.com/index.html (hidden element (display none) after last line of poems, loads of links)

Keyword spamming, found a pattern with "map.html"
http://aharbin.vndv.com/most-inde0/map.html
http://bolok.vndv.com/soccer1753.html
http://chdytdfgh.vndv.com/map.html
http://dalmas.vndv.com/soccer3718.html
http://esaul.vndv.com/box-came41/map.html
http://fifasa.vndv.com/blue-diae3/map.html
http://hichkok.vndv.com/black-br6a/map.html
http://huoprewst.vndv.com/map.html
http://ibonama.vndv.com/birthday17/map.html
http://korefan.vndv.com/exclusiv87/map.html
http://mgss.vndv.com/clothe3/map.html
http://olovz.vndv.com/commerced2/map.html
http://serena.vndv.com/soccer2099.html
http://srez.vndv.com/mens-jac24/map.html
http://steps.vndv.com/infection/04/map.html
http://tilikon.vndv.com/big-blac16/map.html
http://tovares.vndv.com/cleaner-22/map.html
http://vereteno.vndv.com/fat-peopa5/map.html
http://vgsom.vndv.com/map.html
http://volan.vndv.com/soccer8985.html
http://wildgirls.vndv.com/map.html
http://zabava.vndv.com/better-i28/map.html

Due to the activation / server move, I didn't work on other sites in the zymic realm.
Too many results to exclude now, will wait for them to disappear from google.

[Banjo]

Thankyou I shall go through this list now.

[CSSTest]

Today's magic word is "Pill"

Obvious Pharm
http://herbs.vndv.com/
http://line-metabo.vndv.com/top3/release-diet-pill.html
http://clonazepam.vndv.com/lanoxin/lanoxin-manufacturer.html

Hidden Pharm

I'm starting to have suspicions about this, due to the widespread nature, and very creative pages that this material is lurking behind. Most spamming practice is to clone a template to unoriginality.
The thing that casts some doubt on me as to whether this is intentional or not is that this stuff is sometimes appearing on the Zymic "Account Created" page.
Has anyone argued about their site being closed down for the hidden pharm?
Is there a vulnerability being exploited here?
Could it be a compromised template or account, or a drive-by infection?

My moderator sense is tingling and telling me if I had the ability to inspect the accounts, records, and files I could find a trend behind all this.

Here's a google search:
http://www.google.com/search?rlz=1R2GGLL_e...mp;oq=&aqi=

http://informatika.vndv.com/list.html
http://progik.vndv.com/
http://kennedy.vndv.com/
http://project2.vndv.com/disclaimer.html
http://patriotjaya1.vndv.com/count.php
http://sanguinetower.vndv.com/photo.htm
http://philestate.vndv.com/index.html
http://schoenstatt.vndv.com/schoenstattenelmundo.html
http://mag-gospel.vndv.com/8107.html
http://unrivaled.vndv.com/
http://lokcomputer.vndv.com/
http://thuthua-edu.vndv.com/
http://ashkanm.vndv.com/Orders.html
http://dstudio.vndv.com/top.htm
http://marvinantalan.vndv.com/browse.php
http://dstudio.vndv.com/contacts.htm
http://universo-hacking.vndv.com/
http://valen006.vndv.com/
http://projectskiez.vndv.com/
http://dalianchemicals.vndv.com/products.html
http://komseko-modified.vndv.com/
http://101acres.vndv.com/
http://schoenstatt.vndv.com/index.html
http://maryam201.vndv.com/p1.php
http://asdasd.vndv.com/
http://tillonation.vndv.com/music.htm
http://project4.vndv.com/bigwhite.html
http://7ryia.vndv.com/
http://guyabr.vndv.com/about_us.html
http://free-sms.vndv.com/
http://romica.vndv.com/

WTF spam? It doesn't appear to be pushing anything of logical sense, but there's no real content and google seems to think it's english. If you google the domain name, you'll find plain text link anchor text on other websites surrounded by the same rubbish.
http://hahninaccessibl.vndv.com/map.html
http://ikarchitectalle.vndv.com/a.n.-trott...l-preacher.html

redirectors
http://joflis.vndv.com/105megan-hurckes.html
http://halloween2008.vndv.com/bunnycostume.html
http://bagstore.vndv.com/fendi-spy-bag-wit...-written-on-it/
http://whydo.vndv.com/blade-cutter/rotary-...blade-bolt.html

[soulguard]

My site http://startearnnow.99k.org with google PR1 has been announced as "suspended for abuse". I can't find a reason. I am running it from zymic servers for the last 1.5 yrs. I am intended to protect people loosing to online money making scams and to drive them towards SEO.(Re: http://startearnnow.99k.org/data_entry.html) Kindly review and help.

[Joe Corner Reeve]

Hello @CSSTest
Good works, are you police man?

I want to make sure for security. Why do crazy pirates want to upload with warez, cracks....?
It is not allowed. I know about rules by zymic. - I am not pirate - i am nice reseller.

Best regards, Joe

[Ikke Nom]

Phishing web-site: http://maintainance.clanteam.com/
Phishing web-site: http://maintainance.clanteam.com/www.upade2009.co.uk/

Please investigate.

[IamShipon1988]

Thank you for your report. Seems like that site has also been blocked by Mozilla corp and McAfee SiteAdvisor.

[Basil]

Seems like that site has also been blocked by Mozilla corp and McAfee SiteAdvisor.

So why you still host it ?

[John Paul Faroq]

found this site...

http://netviets.99k.org