On Thu, 9 Oct 2003, John Neiberger wrote: Doing some Googling on tubul I found: WAP S.A. Katarzyna Piatek (tubul at wp.pl) +48.327811019 FAX- +48.327811025 Opolska 22 Katowice, 40-084 PL -Hank
Actually, in the case of the wired article (removeform.com), it seems to be connected to a site in Florida.I asked my programmer (gabor@sentex.net) to decode the obfuscated java script/page that is served up by one of the zombies (On FreeBSD fetch -B 18192 -o danger.html http://www.removeform.com/d - I got it from 207.5.215.72at the time).I have attached it as a zip file with its contents. You will note that the form post goes back to
form action="http://207.36.47.68/cgi-bin/addinfo.cgi"
OrgName: CyberGate, Inc. OrgID: CYBG Address: 3250 W. Commercial Blvd. Suite 200 City: Ft. Lauderdale StateProv:FL PostalCode: 33309 Country: US
This appears to be a rather prolific spammer. At first I thought they were affiliated with www.skynetweb.com because they have the same address, including suite number, but it now appears that they are really affiliated with these guys:
http://www.affinity.com/about/our_team/our_team.htm
John --
Hank Nussbacher