nxplorer

[admin]

Hi, I'm still here but fully involved in making the new website.

By coincidence found something VERY strange today. Somebody has copied my complete website and uploaded it to another domain:

www.nxplorer.us (DO NOT DOWNLOAD ANYTHING FROM THERE -- IT'S MALWARE!!!)

What's that?

[Exolon]

Hi Don,

did you talked to paypal to stop billing in the name of nxplorer?

Maybe he is simply trying to make some money based on xyplorers success.

Regards

Mike

[Filehero]

http://network-tools.com/default.asp?pr ... xplorer.us

Code: Select all

119.81.19.207 is from Singapore (SG) in region Southern and Eastern Asia
Input: nxplorer.us
canonical name: nxplorer.us
Registered Domain: nxplorer.us

Whois query for nxplorer.us...
Results returned from whois.nic.us:

Domain Name:                                 NXPLORER.US
Domain ID:                                   D49653768-US
Sponsoring Registrar:                        ENOM, INC.
Sponsoring Registrar IANA ID:                48
Registrar URL (registration services):       whois.enom.com
Domain Status:                               clientTransferProhibited
Variant:                                     NXPLORER.US
Registrant ID:                               7D0C6D20D3D99F73
Registrant Name:                             Dimitri Gorolev
Registrant Address1:                         17 Furshtatskaya St.
Registrant City:                             St. Petersburg
Registrant State/Province:                   NA
Registrant Postal Code:                      191028
Registrant Country:                          Russian Federation
Registrant Country Code:                     RU
Registrant Phone Number:                     +7.8123312649
Registrant Email:                            dimitri.gorolev@safe-mail.net
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11
Administrative Contact ID:                   7D0C6D20D3D99F73
Administrative Contact Name:                 Dimitri Gorolev
Administrative Contact Address1:             17 Furshtatskaya St.
Administrative Contact City:                 St. Petersburg
Administrative Contact State/Province:       NA
Administrative Contact Postal Code:          191028
Administrative Contact Country:              Russian Federation
Administrative Contact Country Code:         RU
Administrative Contact Phone Number:         +7.8123312649
Administrative Contact Email:                dimitri.gorolev@safe-mail.net
Administrative Application Purpose:          P1
Administrative Nexus Category:               C11
Billing Contact ID:                          7D0C6D20D3D99F73
Billing Contact Name:                        Dimitri Gorolev
Billing Contact Address1:                    17 Furshtatskaya St.
Billing Contact City:                        St. Petersburg
Billing Contact State/Province:              NA
Billing Contact Postal Code:                 191028
Billing Contact Country:                     Russian Federation
Billing Contact Country Code:                RU
Billing Contact Phone Number:                +7.8123312649
Billing Contact Email:                       dimitri.gorolev@safe-mail.net
Billing Application Purpose:                 P1
Billing Nexus Category:                      C11
Technical Contact ID:                        7D0C6D20D3D99F73
Technical Contact Name:                      Dimitri Gorolev
Technical Contact Address1:                  17 Furshtatskaya St.
Technical Contact City:                      St. Petersburg
Technical Contact State/Province:            NA
Technical Contact Postal Code:               191028
Technical Contact Country:                   Russian Federation
Technical Contact Country Code:              RU
Technical Contact Phone Number:              +7.8123312649
Technical Contact Email:                     dimitri.gorolev@safe-mail.net
Technical Application Purpose:               P1
Technical Nexus Category:                    C11
Name Server:                                 NS9.HAWKHOST.COM
Name Server:                                 NS10.HAWKHOST.COM
Created by Registrar:                        ENOM, INC.
Last Updated by Registrar:                   ENOM, INC.
Domain Registration Date:                    Mon May 11 04:55:20 GMT 2015
Domain Expiration Date:                      Tue May 10 23:59:59 GMT 2016
Domain Last Updated Date:                    Mon May 11 04:57:51 GMT 2015
DNSSEC:                                      false

Weird and strange.

[admin]

All buy links point to me. Even if someone would (so stupid to) buy from this site the money would go to me. Weird.

Maybe it's evil work in progress... I'll watch it...

[bdeshi]

The installer that site supplies behaves exactly like a virus. [ed. VirusTotal analysis] Notably, one of the processes it starts also spoofs QDir's icon!

Somebody's trying to capitalize on XYplorer's popularity to spread malware.

You should definitely go stop that before people think these two sites are the same, based on the visual similarity alone. In any case, it's not good at all for XY.

[admin]

Wow. Thanks for guinea-pigging!

But stop that? How?

[bdeshi]

Why, report to the webhost! According to Filehero's report, the site appears to be hosted by a hawkhost.com

Code: Select all

Name Server:                                 NS9.HAWKHOST.COM
Name Server:                                 NS10.HAWKHOST.COM

ref

meanwhile, I submitted some scam reports, like google safebrowsing.

[ed.]

[admin]

OK, done. I'll keep you posted...

[TheQwerty]

Admittedly I'm not too knowledgeable about this stuff but...

The domain appears to be registered through Enom ( http://www.enom.com/help/abusepolicy.aspx ).
Hawkhost appears to be used only as a name server resolving the domain to an IP of 119.81.19.207.

http://network-tools.com/default.asp?pr ... .81.19.207
Shows that IP as registered to softlayer.com, which is a more likely host.

So I would suggest e-mailing abuse@softlayer.com as well. (Maybe abuse@sip2callxpert.com too? )
http://www.softlayer.com/legal lists some other address if it's truly hosted by SoftLayer.

119.81.19.207 is from Singapore (SG) in region Southern and Eastern Asia
Input: 119.81.19.207
canonical name: 119.81.19.207-static.reverse.softlayer.com
Registered Domain: softlayer.com

119.81.19.207 is from Singapore (SG) in region Southern and Eastern Asia
Whois query for 119.81.19.207...

Results returned from whois.arin.net:
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=119.8 ... xt=netref2
#

NetRange: 119.0.0.0 - 119.255.255.255
CIDR: 119.0.0.0/8
NetName: APNIC-119
NetHandle: NET-119-0-0-0-1
Parent: ()
NetType: Allocated to APNIC
OriginAS:
Organization: Asia Pacific Network Information Centre (APNIC)
RegDate: 2007-01-17
Updated: 2010-07-30
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/apnic-info/whois_s ... d-spamming
Ref: http://whois.arin.net/rest/net/NET-119-0-0-0-1

ResourceLink: http://wq.apnic.net/whois-search/static/search.html
ResourceLink: whois.apnic.net

OrgName: Asia Pacific Network Information Centre
OrgId: APNIC
Address: PO Box 3646
City: South Brisbane
StateProv: QLD
PostalCode: 4101
Country: AU
RegDate:
Updated: 2012-01-24
Ref: http://whois.arin.net/rest/org/APNIC

ReferralServer: whois://whois.apnic.net
ResourceLink: http://wq.apnic.net/whois-search/static/search.html

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: search-apnic-not-arin@apnic.net
OrgTechRef: http://whois.arin.net/rest/poc/AWC12-ARIN

OrgAbuseHandle: AWC12-ARIN
OrgAbuseName: APNIC Whois Contact
OrgAbusePhone: +61 7 3858 3188
OrgAbuseEmail: search-apnic-not-arin@apnic.net
OrgAbuseRef: http://whois.arin.net/rest/poc/AWC12-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# ttp://www.arin.net/public/whoisinaccuracy/index.xhtml
#

Results returned from whois.apnic.net:
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '119.81.19.192 - 119.81.19.207'

inetnum: 119.81.19.192 - 119.81.19.207
descr: Kamran International Trade Limited
netname: NETBLK-SOFTLAYER-APNIC-CUST-KITL1-AP
country: HK
admin-c: KITL1-AP
tech-c: KITL1-AP
changed: ipadmin@softlayer.com 20120326
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-SOFTLAYER-AP
mnt-irt: IRT-SOFTLAYER-AP
source: APNIC

irt: IRT-SOFTLAYER-AP
address: Keplerstaat 34, 1171CD Badhoevedorp
e-mail: abuse@softlayer.com
abuse-mailbox: abuse@softlayer.com
admin-c: SDHB1-AP
tech-c: SDHB1-AP
auth: # Filtered
mnt-by: MAINT-SOFTLAYER-AP
changed: hm-changed@apnic.net 20110823
source: APNIC

person: Kamran International Trade Limited
address: Unit G, 7/F Far East Mansion 5-6 Middle Road Tsim Sha Tsui
Kowloon non
country: HK
e-mail: abuse@sip2callxpert.com
abuse-mailbox: abuse@sip2callxpert.com
phone: +1.866.403.7638
nic-hdl: KITL1-AP
mnt-by: MAINT-SOFTLAYER-AP
source: APNIC
changed: ipadmin@softlayer.com 20140129

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)

[admin]

Thanks, done!

[bdeshi]

I'd noticed that softlayer "connection" too, but looking at their site made me think they only provide the bare servers--the hardware, and no website hosting. Hawkhost probably leased some servers from them on a reseller contract, and it not illogical to assume that a httracked-website will not go all the way to Softlayer and buy a private server for hosting!

[aurumdigitus]

This is a profoundly unfortunate situation to have arisen.

Cannot help but think of Shakespeare's Henry IV. Part II:

Deny it to a king? Then happy low, lie down!
Uneasy lies the head that wears a crown.

[Exolon]

NOD32 is now blocking the site.

[admin]

[Regmos]

Now Bitdefender also got it.