Follow the bouncing WHOIS - Part I
Jul 13th, 2008 by Micheal
This is an ode to Tom Liston. A while ago, I did some research into Bluehost and uncovered some questionable relationships and assets they hold, or held at the time.
I wanted to hold off on posting this until I got my other site up and running which is going to be strictly security-related matters, but that won’t be happening for a little while longer. Because of this, this information may be out of date, but the techniques used to uncover this are just as valid. Even so, I think you’ll be surprised at what I uncovered.
Warning: Follow these links at your own risk.
Now that that is settled, let’s get started.
I decided to check up on BlueHost, Fastdomain, and Host Monster, because I was considering hosting with them.
They’ve created quite the business for themselves. All 3 are actually the same company, owned by the same guy. So, let’s look at that.
Bluehost.com:
http://www.who.is/whois-com/ip-address/bluehost.com/
http://www.who.is/domain_archive-com/bluehost.com/
http://www.who.is/domain_information-com/bluehost.com/
Fastdomain:
http://www.who.is/whois-com/ip-address/fastdomain.com/
http://www.who.is/domain_archive-com/fastdomain.com/
http://www.who.is/domain_information-com/fastdomain.com/
Hostmonster:
http://www.who.is/whois-com/ip-address/hostmonster.com/
http://www.who.is/domain_archive-com/hostmonster.com/
http://www.who.is/domain_information-com/hostmonster.com/
If you look at those, you can see that they are indeed the same company. But it gets better.
Look at Hostmonster’s information page. admin [at] webmersion.com
Hmm. I wonder who webmersion is. Let’s take a look.
http://www.who.is/whois-com/ip-address/webmersion.com/
Russia? Why are we in Russia now? madmardy? Let’s see … http://www.who.is/whois-com/ip-address/madmardy.com/
Oooooh, back in the US now. But wait, the DNS is set to 0catch.com. Didn’t we see that already? Yes, we did! http://www.who.is/domain_information-com/hostmonster.com/
So, who is 0catch? Let’s find out. http://www.who.is/domain_information-com/0catch.com/ Wait, eli [at] bluehost.com? Hmmmm. If I recall, there were quite a few domains listed at Hostmonster’s information page. Let’s check another. http://www.who.is/whois-com/ip-address/webmastersforum.com/ Hmm. Okay, nameservers are set to Bluehost. We know that Hostmonster is part of Bluehost and vice versa. But … Let’s check something. http://www.who.is/domain_archive-com/webmastersforum.com/ 0catch.com was their old DNS? Interesting.
What of that eli [at] bluehost.com? Let’s revisit that.
http://www.who.is/whois-com/ip-address/0catch.com/ Check the IP address. http://www.who.is/whois-ip/209.63.57.4/ Electric Lightwave? eli.net? Is eli [at] bluehost.com the same? Interesting. Ah, but the fun is just beginning.
Let’s go back to our friend, Hostmonster.com. http://www.who.is/domain_information-com/hostmonster.com/
Hmmm, 1accesshost looks interesting. http://www.who.is/whois-com/ip-address/1accesshost.com/
Fastdomain? Hmmm. Let’s, just for fun, visit the website, with JavaScript disabled.
Wow! Look at all of those links! Let’s click one. http://1accesshost.com/internet_hosting.html. Remember, we have JavaScript disabled.
Wow! Look at what we have here:
cannot maybe formerly mostly daily unless, besides hence. new at they’ll. we’ll yet internet hosting meanwhile must around thereby many have. their why she’ll buy, sometime become ours nobody they’re only hereafter daily, knew formerly not otherwise however welcome always didn’t internet hosting namely against more from sometimes mrs being against. we’re. thirty become toward else. make internet hosting three sometime both. she’d help three once. nothing quick but. using which ourselves own, her here’s indeed million. didn’t not becoming time, became her forty others ending internet hosting fast they’ve wouldn’t, be five whereafter yours, let’s near, those myself already wherever once make ms whence internet hosting big former you thousand two, nonetheless within big that’s, behind five should. indeed she’ll and fix one’s he, does internet hosting although wouldn’t whereas nevertheless seven four he’ll hence she’s.
Remind you of a spam email? This kind of text is typically called Bayes-busters, because it is meant to fool Bayesian spam filters into letting the email through.
Ah, but remember I said with JavaScript disabled? Let’s look at the source.
function decode(original){
  var result="";
  // Comma-separated list of numbers; each one is a character code shifted up by 9
  var arrayofstring=original.split(',');
  for (var i=0; i <arrayofstring.length; i++) {
    result=result+String.fromCharCode(arrayofstring[i]-9);
  }
  return result;
}
// Broken onto many lines for scrolling
// Micheal
var display="69,111,123,106,118,110,124,110,125,41,123,120,128,124,70,43,51,53,57,43,41,111,"+
"123,106,118,110,107,120,123,109,110,123,70,43,87,88,43,41,107,120,123,109,110,123,70,43,"+
"57,43,41,111,123,106,118,110,124,121,106,108,114,119,112,70,43,57,43,41,120,119,85,120,"+
"106,109,70,43,43,41,120,119,94,119,117,120,106,109,70,43,43,71,19,69,111,123,106,118,110,"+
"41,119,106,118,110,70,43,125,120,121,79,123,106,118,110,43,41,124,108,123,120,117,117,114,"+
"119,112,70,43,106,126,125,120,43,41,124,123,108,70,43,128,128,128,55,58,106,108,108,110,124,"+
"124,113,120,124,125,55,108,120,118,43,71,19,69,56,111,123,106,118,110,124,110,125,71,19";
// Writes the decoded markup straight into the page
document.write(decode(display));
Oooooh. That’s not something you do on a normal site. Let’s find out what it becomes.
<frameset rows="*,0" frameborder="NO" border="0" framespacing="0" onLoad="" onUnload="">
<frame name="topFrame" scrolling="auto" src="www.1accesshost.com">
</frameset>
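Added example (not the post’s own code): an offline decoder for this fromCharCode(n - offset) trick that also flags the zero-height frameset it produces, so a page can be inspected without running its script. The sample source is constructed from the routine and array quoted above; function names are my own.

```javascript
// Statically decode the String.fromCharCode(n - OFFSET) obfuscation and
// flag the cloaking frameset it hides. No page script is executed.

// Pull the numeric offset out of the decode routine, e.g. "...[i]-9)".
function findOffset(source) {
  var m = /fromCharCode\([^)]*-\s*(\d+)\s*\)/.exec(source);
  return m ? parseInt(m[1], 10) : 0;
}

// Pull the comma-separated code list out of the `display` literal;
// whitespace inside the literal is tolerated.
function findCodes(source) {
  var m = /var\s+display\s*=\s*"([\d,\s]+)"/.exec(source);
  if (!m) return [];
  return m[1].split(',').map(function (s) { return parseInt(s.trim(), 10); });
}

// Same arithmetic as the page's decode(), minus document.write.
function decodeCodes(codes, offset) {
  return codes.map(function (n) { return String.fromCharCode(n - offset); }).join('');
}

// Cloaking heuristic: frameset whose second row is 0 px (rows="*,0")
// plus the host the visible frame actually loads.
function analyse(source) {
  var html = decodeCodes(findCodes(source), findOffset(source));
  var frameSrc = /<frame[^>]*src="([^"]+)"/i.exec(html);
  return {
    decoded: html,
    hiddenFrameset: /<frameset[^>]*rows="\*,0"/i.test(html),
    frameTarget: frameSrc ? frameSrc[1] : null
  };
}

// Constructed sample: the decode routine and display array from the post,
// as they would appear in the page source.
var SAMPLE_SOURCE =
  'function decode(original){ var r=""; var a=original.split(","); ' +
  'for (var i=0;i<a.length;i++){ r=r+String.fromCharCode(a[i]-9); } return r; }\n' +
  'var display="69,111,123,106,118,110,124,110,125,41,123,120,128,124,70,43,51,53,57,43,41,111,' +
  '123,106,118,110,107,120,123,109,110,123,70,43,87,88,43,41,107,120,123,109,110,123,70,43,' +
  '57,43,41,111,123,106,118,110,124,121,106,108,114,119,112,70,43,57,43,41,120,119,85,120,' +
  '106,109,70,43,43,41,120,119,94,119,117,120,106,109,70,43,43,71,19,69,111,123,106,118,110,' +
  '41,119,106,118,110,70,43,125,120,121,79,123,106,118,110,43,41,124,108,123,120,117,117,114,' +
  '119,112,70,43,106,126,125,120,43,41,124,123,108,70,43,128,128,128,55,58,106,108,108,110,124,' +
  '124,113,120,124,125,55,108,120,118,43,71,19,69,56,111,123,106,118,110,124,110,125,71,19";\n' +
  'document.write(decode(display));';
```

Calling analyse(SAMPLE_SOURCE) returns the three-line frameset shown above with hiddenFrameset set to true and frameTarget equal to www.1accesshost.com.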
Hrm. For fun, let’s go back to the front page of the site.
Now, let’s go to the contact link at the bottom. Toll-free number in the support section, see that? And oh, see 0catch too? Let’s google the number. Wow again! http://www.google.com/search?q=888-805-4495&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&aclient=firefox-a
But let’s not end the fun yet.
Back to the front page of 1accesshost.com. For fun, let’s click on the link that says Dedicated Servers. Wait, before we click, we see in the status bar that it says fishing-trip. Fishing trip? Phishing trip? Hmmmm. We click anyway, keeping JavaScript disabled. More spam text? And what’s this 100freemb.com? Let’s use our new tool, who.is. http://www.who.is/whois-com/ip-address/100freemb.com/
Hmmm. Godaddy. Okay. But wait, doesn’t the screenshot look familiar? And that IP address. Something about it … Oh yes! http://www.who.is/whois-ip/209.63.57.10/ eli.net again. Hmmm.
So back to the (ph)fishing trip. Remember, JavaScript disabled. Source code check time! Hmm, Google ads and counter. Let’s click one of those links. Hmm, that odd JavaScript code is back. Let’s decode it again.
<frameset rows="*,0" frameborder="NO" border="0" framespacing="0" onLoad="" onUnload="">
<frame name="topFrame" scrolling="auto" src="http://fishing-trip.100freemb.com">
</frameset>
So it obviously changed a bit.
But let’s go ahead and go to 100freemb.com, still no JavaScript in our browser. Wow! Source code check again. Oooooh, some of those links look familiar … Oh, hostmonster.com info page at who.is! 0catch, 012webtools, and others. But let’s check on one. http://viagra.741.com/ With JS disabled still, we see more spammy text. Hmmm. Let’s go back to 100freemb.com.
http://hostcritique.com/ is another site I found linked to Bluehost during my journey through WHOIS and source code surfing.
Hmmm. The favicon looks familiar … who.is will tell us! Fastdomain?!?! http://www.who.is/whois-com/ip-address/hostcritique.com/
Yup. Now, the IP address. Let’s see. http://www.who.is/whois-ip/69.89.20.128/ Bluehost it is indeed!
Let’s review.
Bluehost.com, Hostmonster.com, and Fastdomain.com are all related. There also appears to be relationships with eli.net (eli [at] bluehost.com) and less than savory hosts, such as 1accesshost.com, 0catch.com (which remember, eli.net/eli [at] bluehost.com own …), 741.com, 100freemb.com, and many, many, many others.
But wait, there’s more. Stay tuned for the next post continuing this saga.