FW: Need some help: IDEAS, Inc.

Just an FYI, FBI and Secret Service are actively working these
as they are identified.

We definitely don't need more victims. If you don't feel
you're getting the response needed contact US CERT:
https://forms.us-cert.gov/report/ or
http://www.us-cert.gov/contact.html

We'll make sure the information gets into the right hands. I
will say that I know many others on the list have been doing
a great job of identifying sites as well as reporting. SANS
ISC keep up the good work!

The information goes into Federal Law Enforcement who also
works with Local LE.

Jerry

Date: Sat, 3 Sep 2005 11:00:03 -0400
From: "Marcus H. Sachs" <marc@sachsfamily.net>
Subject: FW: Need some help: IDEAS, Inc.
To: <nanog@merit.edu>
Cc: <handlers@sans.org>

One of our incident handlers at the SANS Internet Storm Center
has been trying to chase down the bogus Katrina assistance web
sites. Below is a note of frustration he sent internally to us
this morning. I asked if I could cross-post over to NANOG to see
if any of you could assist.

Thanks in advance!

Marc

++++++++++++++++++++++++++++++++++++++++++++++++++++++
Marcus H. Sachs, P.E. KJ4WA : marc@sans.org
Director, SANS Internet Storm Center : isc.sans.org
Washington D.C. USA (EDT, GMT-4) : +1 703 707 9293
++++++++++++++++++++++++++++++++++++++++++++++++++++++

Sent: Saturday, September 03, 2005 9:32 AM
Subject: Need some help: IDEAS, Inc.

Morning all:

Last night, I pulled a new copy of the .com and .net zone files
down and did another grep for "katrina" domains. Obviously, there
are now more...

In the process of checking and cross-referencing, I found that our
friends "IDEAS, Inc" are a little more "involved" than we
originally thought:

...and those are just the 18 I was able to find.

Right now, there are two weak points to this particular house of
cards.

1) The first site listed, "http://www.hurricanekatrinarelief.com"
is what drives all of the others. Each of the other sites loads
the first one in an IFRAME. That makes it easy for the bastards to
update them all. This site is hosted by Interland. Their final
word on shutting these scumballs down until they could prove they
were legitimate was:

"We have been advised by our legal department that the local
authorities should be contacted. The local authorities can submit
a subpoena to our legal department. We will be glad to comply to
such a request."

ie. "We have no balls. Go away".

2) All of the other sites are hosted at the IP address
206.251.184.10. Immediate upstream is "datasync.net/.com" and they
are located in (of course...) Louisiana. I've emailed them
numerous times, and tried to call ("all circuits are busy..."),
but they're probably running in lights-out mode right now.

The IDEAS, Inc. scum MUST die, but I'm all out of ideas at this
point... the only other possibility that I can think of is to take
them out at the DNS level. All of the "slave" sites at
206.251.184.10 use DirectNIC for their