Area 51.la & the Curse of Fu Manchu

Post by siblingshot » Sat Mar 26, 2011 9:30 am

No. Not a remote detachment of Edwards Air Force Base in the Mojave Desert of southern Nevada. But equally mysterious; shrouded in off the scale whispers of collusion.

A hotbed of suspicious activity.

It was Shazza who pointed to a potentially malicious JavaScript (in a PM to me) in relation to a counterfeit jeans scam:

http://www.mywot.com/en/forum/10588-chinese-jeans-counterfeit-seller-spotted-your-help-needed-thx

The Whois for 51.la discloses that it is registered to one Yang Fucheng, Street1:5-32, 55 Jingsan Road, Zhengzhou, China.

The Reverse Whois indicates "Yang Fucheng" owns something in the region of 36 other domains.

http://whois.domaintools.com/51.la

51.la itself is rated into the red - albeit 'nudged', merely - here on WOT:

http://www.mywot.com/en/scorecard/51.la

51.la is, however, apparently nothing more than a legitimate web counter site, similar to a host of benign analytics tools commonly used across the web. Operating out of Lao People's Democratic Republic - Laos - bordered by Burma and People's Republic of China to the northwest; Vietnam to the east; Cambodia to the south; and Thailand to the west.

Or. Los Angeles by inscrutable inference:

http://www.la/

Conrad Longmore alleged in Dynamoo's Blog in 2008 that "there are possibly two gangs carrying out the current round of SQL Injection attacks, one possibly based in China and one based in Russia."

"js.users.51.la appears in many of the "Chinese" exploits... Presumably part of the bad guys' statistical tracking system the js.users.51.la domain is combined with what appears to be a randomly named .js file."

"This [51.la] doesn't appear to be a malware site in itself, but it could be a useful thing to look for in your proxy logs as it may well help track down machines that have visited infected sites. Either search for js.users.51.la or perhaps just 51.la as part of your normal audit process."

The curse of 51.la is seemingly an ongoing rash.

Dr. Leopold recently opened a thread which again exposed it as incipient in one more plague of spamming; phishing; and bogus seals:

http://www.mywot.com/en/forum/10616-blog-spammer-needs-to-get-rated-accordingly

Be aware.

Browser addons such as NoScript were developed to cope with, and protect from, this very insanitary peril. Or exploit. Grow a moustache.
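
The proxy-log search suggested in the quoted Dynamoo passage, as an added example that is not part of the original post or of Dynamoo's Blog. It assumes Squid's native access.log layout; the log lines, client addresses and the `1234567.js` file name are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit

WATCHED = ("51.la",)  # matches 51.la itself and any subdomain (js.users.51.la)

# Constructed sample lines, assumed Squid native format:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1301131800.101 120 10.0.0.15 TCP_MISS/200 912 GET http://js.users.51.la/1234567.js - DIRECT/192.0.2.10 application/x-javascript
1301131801.202 88 10.0.0.22 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.20 text/html
1301131802.303 95 10.0.0.15 TCP_MISS/200 430 GET http://www.51.la/ - DIRECT/192.0.2.11 text/html
1301131803.404 70 10.0.0.31 TCP_MISS/200 300 GET http://a51.la.example.net/x.js - DIRECT/192.0.2.30 application/x-javascript
1301131804.505 15 10.0.0.40 TCP_MISS/200 0 CONNECT js.users.51.la:443 - DIRECT/192.0.2.10 -
1301131805.606 60 10.0.0.22 TCP_MISS/200 700 GET http://www.example.com/?ref=51.la - DIRECT/192.0.2.20 text/html
"""

def host_of(method, target):
    """Return the lower-cased hostname from a proxy request target."""
    if method == "CONNECT":  # CONNECT carries host:port, not a full URL
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def is_watched(host):
    """True only for the watched domain or its subdomains, not look-alikes."""
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED)

def find_clients(log_text):
    """Map client IP -> sorted list of watched hosts it requested."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines
        client, method, target = fields[2], fields[5], fields[6]
        host = host_of(method, target)
        if is_watched(host):
            hits[client].add(host)
    return {client: sorted(hosts) for client, hosts in hits.items()}

if __name__ == "__main__":
    for client, hosts in sorted(find_clients(SAMPLE_LOG).items()):
        print(client, ", ".join(hosts))
```

Matching on the parsed hostname rather than a plain substring search keeps look-alike hosts and URLs that merely mention 51.la in a query string out of the results.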
