The given shortened URL redirects the user to the following URL:
http://yhoo-it.com/?id=4ccda25f27843014&s=1&user=matkamil2000
The URL seems to have already expired, but it will soon reappear. The actual website presents some kind of money offer that requires the user to enter their user name and email.
Registration Service Provided By: Bizcn.com
Website: http://www.bizcn.com
Whois Server: whois.bizcn.com
Domain name: yhoo-it.com
Registrant Contact:
zhang yu
yu zhang [email protected]
0463965823 fax: 0463965823
changhailu12hao
nanning guangxi 230254
cn
Administrative Contact:
yu zhang [email protected]
0463965823 fax: 0463965823
changhailu12hao
nanning guangxi 230254
cn
Technical Contact:
yu zhang [email protected]
0463965823 fax: 0463965823
changhailu12hao
nanning guangxi 230254
cn
Billing Contact:
yu zhang [email protected]
0463965823 fax: 0463965823
changhailu12hao
nanning guangxi 230254
cn
DNS:
ns7.cnmsn.net
ns8.cnmsn.net
Created: 2011-12-04
Expires: 2012-12-04
The domain name seems to be newly registered, at exactly the time I started monitoring it. The domain is pointed to two DNS servers, ns7.cnmsn.net and ns8.cnmsn.net. The DNS servers were also registered from China.
Registration Service Provided By: Bizcn.com
Website: http://www.bizcn.com
Whois Server: whois.bizcn.com
Domain name: cnmsn.net
Registrant Contact:
XiaMen Longtop Online Technology Co.,Ltd
huiping yi [email protected]
+865922577888 fax: +865922577111
61, WangHai Road, Longtop Group Building, Xiamen Software Park
xiamen fujian 361008
cn
Administrative Contact:
huiping yi [email protected]
+865922577888 fax: +865922577111
61, WangHai Road, Longtop Group Building, Xiamen Software Park
xiamen fujian 361008
cn
Technical Contact:
huiping yi [email protected]
+865922577888 fax: +865922577111
61, WangHai Road, Longtop Group Building, Xiamen Software Park
xiamen fujian 361008
cn
Billing Contact:
huiping yi [email protected]
+865922577888 fax: +865922577111
61, WangHai Road, Longtop Group Building, Xiamen Software Park
xiamen fujian 361008
cn
DNS:
dns.bizcn.com
dns.cnmsn.net
ns5.cnmsn.net
ns6.cnmsn.net
ns1.4everdns.com
ns2.4everdns.com
Created: 2003-08-08
Expires: 2015-02-27
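As an added illustration (not part of the original post), here is a small Python triage script that parses a Bizcn-style WHOIS dump like the ones above, flags the domain as newly registered relative to a reference date, and pulls out the nameservers' parent domain for the next WHOIS pivot. The trimmed sample record, the reference date and the 30-day threshold are assumptions chosen for the example.

```python
import re
from datetime import date

# Constructed sample: a trimmed copy of the yhoo-it.com WHOIS record shown above
SAMPLE_WHOIS = """\
Registration Service Provided By: Bizcn.com
Website: http://www.bizcn.com
Whois Server: whois.bizcn.com
Domain name: yhoo-it.com
DNS:
ns7.cnmsn.net
ns8.cnmsn.net
Created: 2011-12-04
Expires: 2012-12-04
"""

def parse_whois(text):
    """Extract domain, creation/expiry dates and nameservers from the dump."""
    rec = {"nameservers": []}
    in_dns = False  # True while reading the host list under "DNS:"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("DNS:"):
            in_dns = True
            continue
        m = re.match(r"^(Domain name|Created|Expires):\s*(.+)$", line)
        if m:
            in_dns = False  # any key: value line ends the DNS list
            rec[m.group(1).lower().replace(" ", "_")] = m.group(2).strip()
            continue
        if in_dns and re.match(r"^[a-z0-9.-]+\.[a-z]{2,}$", line, re.I):
            rec["nameservers"].append(line.lower())
    for k in ("created", "expires"):
        rec[k] = date.fromisoformat(rec[k])
    return rec

def registrable_domain(host):
    """Crude last-two-labels parent; enough to pivot to the NS operator's WHOIS."""
    return ".".join(host.split(".")[-2:])

def triage(text, today, max_age_days=30):
    """Flag a freshly created, minimum-term registration (a common scam-site pattern)."""
    rec = parse_whois(text)
    rec["age_days"] = (today - rec["created"]).days
    rec["newly_registered"] = rec["age_days"] <= max_age_days
    rec["one_year_registration"] = (rec["expires"] - rec["created"]).days <= 366
    rec["ns_parents"] = sorted({registrable_domain(ns) for ns in rec["nameservers"]})
    return rec
```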
Well, let's dig some more.
Nmap scan report for yhoo-it.com (109.230.222.53)
Host is up (0.29s latency).
rDNS record for 109.230.222.53: hosted.by.xsserver.eu
Not shown: 986 closed ports
PORT STATE SERVICE VERSION
25/tcp filtered smtp
80/tcp open http nginx 1.0.4
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
111/tcp open rpcbind 2 (rpc #100000)
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open ssh OpenSSH 5.5p1 Debian 6 (protocol 2.0)
| ssh-hostkey: 1024 6e:96:96:b1:aa:4b:e2:1a:e5:9f:35:9c:6a:79:af:df (DSA)
|_2048 48:bb:c1:d4:bf:08:4d:c6:41:30:ea:57:3e:eb:fe:19 (RSA)
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1026/tcp filtered LSA-or-nterm
1027/tcp filtered IIS
4444/tcp filtered krb524
5432/tcp open postgresql PostgreSQL DB 8.4.1 - 8.4.4
6129/tcp filtered unknown
6580/tcp open parsec-master?
Device type: general purpose|WAP|router
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Linksys Linux 2.4.X (92%), Netgear embedded (92%), D-Link embedded (92%), Linksys embedded (92%), Peplink embedded (92%), Asus Linux 2.6.X (91%)
Aggressive OS guesses: Linux 2.6.23 - 2.6.33 (95%), Linux 2.6.35 (94%), Linux 2.6.31 (94%), Linux 2.6.32 (94%), Linux 2.6.22 (94%), OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.18 - 2.6.27 (92%), Linux 2.6.31 - 2.6.34 (92%), Linux 2.6.34 (92%), Netgear DG834G WAP (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 9 hops
Service Info: OS: Linux
TRACEROUTE (using port 23/tcp)
HOP RTT ADDRESS
1 12.00 ms 60.53.173.202
2 16.00 ms 60.53.173.213
3 16.00 ms 60.53.173.213
4 228.00 ms 10.55.192.38
5 229.00 ms 10gigabitethernet1-3.core1.lax1.he.net (206.223.123.37)
6 290.00 ms 10gigabitethernet4-3.core1.nyc4.he.net (72.52.92.225)
7 333.00 ms 10gigabitethernet1-2.core1.lon1.he.net (72.52.92.242)
8 399.00 ms 10gigabitethernet4-2.core1.fra1.he.net (184.105.213.146)
9 290.00 ms hosted.by.xsserver.eu (109.230.222.53)
Since I don't trust any source from China, not even their web hosting provider, I did some Nmap scanning to see what it has. The web server seems to be running on a Unix machine with several web service ports open.
The Yahoo Messenger online status is coming from an expired phone number which has probably been taken over by a Chinese scammer living in Malaysia. Malaysia is a multicultural country, and it's not impossible for a Chinese person from China to pass as a Malaysian Chinese. Another possibility is that the YM account was stolen from his machine via a malware infection.
More updates coming up soon.