Web Hosting Talk

Fraud: securedform.com stealing CC - please help quick !!


thomas.smith
09-30-2004, 11:56 AM
Hi,

some idiot just stole my CC info. The link is:

http://billing.updates.2checkout.com.securedform.com/~desimant/IOUYNCO8C7698B6798B79386V936 8N758976 9857689576984 76856757698 576985 895758 7B58 95 67985795 859 7958 78 679848UT 05549 9/

Can someone find out which datacenter this site is hosted on because I want that to be shut down before that idiot finds my CC info on his server !! Please help !!

His IP is 66.90.79.140. Which datacenter does this IP belong to? The traceroute goes to cogentco.com. Which datacenter could this be??

DONT HOST THIS PERSON !!!

Thanks,
Tom

UVBC
09-30-2004, 12:09 PM
66.90.79.140

SSL Cert: No valid SSL on this Host, Get Secure
Record Type: IP Address
IP Location: United States - Illinois - Schaumburg - Egrowth
Reverse IP: Web server hosts 11 websites (reverse ip tool requires free login)


--------------------------------------------------------------------------------
FDCservers.net LLC FDCSERVERS (NET-66-90-64-0-1)
66.90.64.0 - 66.90.127.255
Egrowth EGROWTH (NET-66-90-79-128-1)
66.90.79.128 - 66.90.79.143

# ARIN WHOIS database, last updated 2004-09-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
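The ARIN lookup above lists a parent allocation (FDCservers.net) and a reassignment inside it (Egrowth); the narrowest range containing the address is the customer using it, while the parent is the upstream that can also act on an abuse report. The following is an added example, not code from the thread or from ARIN, that parses that excerpt (embedded below as a constructed sample) and returns every allocation containing a given IP, broadest first:

```python
import ipaddress
import re

# Constructed sample: the ARIN WHOIS excerpt quoted in the thread for 66.90.79.140.
ARIN_OUTPUT = """\
FDCservers.net LLC FDCSERVERS (NET-66-90-64-0-1)
66.90.64.0 - 66.90.127.255
Egrowth EGROWTH (NET-66-90-79-128-1)
66.90.79.128 - 66.90.79.143

# ARIN WHOIS database, last updated 2004-09-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
"""

# "<org name> <ORG HANDLE> (NET-x-x-x-x-n)" followed on the next line by "first - last"
NAME_RE = re.compile(r"^(?P<org>.+?)\s+(?P<handle>[A-Z0-9-]+)\s+\((?P<net>NET-[0-9-]+)\)$")
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_arin_blocks(text):
    """Parse ARIN-style output into (org, net_handle, first_ip, last_ip) tuples."""
    blocks, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = NAME_RE.match(line)
        if m:
            pending = (m.group("org"), m.group("net"))
            continue
        m = RANGE_RE.match(line)
        if m and pending is not None:
            org, net = pending
            blocks.append((org, net,
                           ipaddress.ip_address(m.group(1)),
                           ipaddress.ip_address(m.group(2))))
            pending = None
    return blocks


def containing_blocks(text, ip):
    """All allocations that contain `ip`, broadest first.
    ARIN prints the parent allocation and then the reassignments inside it, so
    the last entry is the customer actually using the address and the earlier
    ones are the upstream provider(s) who can also act on an abuse report."""
    addr = ipaddress.ip_address(ip)
    hits = [b for b in parse_arin_blocks(text) if b[2] <= addr <= b[3]]
    hits.sort(key=lambda b: int(b[3]) - int(b[2]), reverse=True)
    result = []
    for org, net, first, last in hits:
        # CIDR form of the range, handy for firewall rules or a block list
        cidrs = [str(c) for c in ipaddress.summarize_address_range(first, last)]
        result.append({"org": org, "net": net, "cidr": cidrs})
    return result


def most_specific_block(text, ip):
    """The narrowest allocation containing `ip`, or None if no block matches."""
    hits = containing_blocks(text, ip)
    return hits[-1] if hits else None


if __name__ == "__main__":
    for entry in containing_blocks(ARIN_OUTPUT, "66.90.79.140"):
        print(f"{entry['org']:<22} {entry['net']:<22} {', '.join(entry['cidr'])}")
```

Running it prints the /18 held by FDCservers.net followed by the /28 reassigned to Egrowth, which is the order in which abuse contacts are normally tried: the reassignment customer first, the parent allocation holder if that does not get a response.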

UVBC
09-30-2004, 12:12 PM
Have you pinged the IP and checked the last IPs in the string?

UVBC
09-30-2004, 12:14 PM
DNS Report for cogentco.com

Generated by www.DNSreport.com at 16:12:39 GMT on 30 Sep 2004.
Category Status Test Name Information
Parent PASS Missing Direct Parent check OK. Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.
INFO NS records at parent servers Your NS records at the parent servers are:

auth1.dns.cogentco.com. [66.28.0.14] [TTL=172800] [US]
auth2.dns.cogentco.com. [66.28.0.30] [TTL=172800] [US]
auth4.dns.cogentco.com. [80.245.32.74] [TTL=172800] [FR]
auth5.dns.cogentco.com. [80.91.64.50] [TTL=172800] [ES]

[These were obtained from d.gtld-servers.net]
PASS Parent nameservers have your nameservers listed OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there, with 4 entries.
PASS Glue at parent nameservers OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.
NS INFO NS records at your nameservers Your NS records at your nameservers are:

auth2.dns.cogentco.com. [TTL=10800]
auth4.dns.cogentco.com. [TTL=10800]
auth5.dns.cogentco.com. [TTL=10800]
auth1.dns.cogentco.com. [TTL=10800]


PASS All nameservers report identical NS records OK. The NS records at all your nameservers are identical.
PASS All nameservers respond OK. All of your nameservers listed at the parent nameservers responded.
PASS Nameserver name validity OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).
PASS Number of nameservers OK. You have 4 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.
PASS Lame nameservers OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
PASS Missing (stealth) nameservers OK. All 4 of your nameservers (as reported by your nameservers) are also listed at the parent servers.
PASS Missing nameservers 2 OK. All of the nameservers listed at the parent nameservers are also listed as NS records at your nameservers.
PASS No CNAMEs for domain OK. There are no CNAMEs for cogentco.com. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present. Note that I only checked cogentco.com, I did not check the NS records, which should not have CNAMEs either.
PASS No NSs with CNAMEs OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS Nameservers on separate class C's OK. You have nameservers on different Class C (technically, /24) IP ranges. You must have nameservers at geographically and topologically dispersed locations. RFC2182 3.1 goes into more detail about secondary nameserver location.
PASS All NS IPs public OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.
INFO Nameservers versions Your nameservers have the following versions:

66.28.0.14: "purple"
66.28.0.30: "purple"
80.245.32.74: "purple"
80.91.64.50: "purple"

PASS Stealth NS record leakage Your DNS servers do not leak any stealth NS records (if any) in non-NS requests.
SOA INFO SOA record Your SOA record [TTL=10800] is:
Primary nameserver: auth1.dns.cogentco.com.
Hostmaster E-mail address: dns.cogentco.com.
Serial #: 2004092801
Refresh: 3600
Retry: 1800
Expire: 1209600
Default TTL: 10800

PASS NS agreement on SOA serial # OK. All your nameservers agree that your SOA serial number is 2004092801. That means that all your nameservers are using the same data (unless you have different sets of data with the same serial number, which would be very bad)! Note that the DNS Report only checks the NS records listed at the parent servers (not any stealth servers).

PASS SOA MNAME Check OK. Your SOA (Start of Authority) record states that your master (primary) name server is: auth1.dns.cogentco.com.. That server is listed at the parent servers, which is correct.

PASS SOA RNAME Check OK. Your SOA (Start of Authority) record states that your DNS contact E-mail address is: dns@cogentco.com. (techie note: we have changed the initial '.' to an '@' for display purposes).
PASS SOA Serial Number OK. Your SOA serial number is: 2004092801. This appears to be in the recommended format of YYYYMMDDnn, where 'nn' is the revision. For example, if you are making the 3rd change on 02 May 2000, you would use 2000050203. This number must be incremented every time you make a DNS change.
PASS SOA REFRESH value OK. Your SOA REFRESH interval is : 3600 seconds. This seems normal (about 3600-7200 seconds is good; RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours). This value determines how often secondary/slave nameservers check with the master for updates.
PASS SOA RETRY value OK. Your SOA RETRY interval is : 1800 seconds. This seems normal (about 120-7200 seconds is good). The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed.
PASS SOA EXPIRE value OK. Your SOA EXPIRE time: 1209600 seconds. This seems normal (about 1209600 to 2419200 seconds (2-4 weeks) is good). RFC1912 recommends 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.
PASS SOA MINIMUM TTL value OK. Your SOA MINIMUM TTL is: 10800 seconds. This seems normal (about 3,600 to 86400 seconds or 1-24 hours is good). RFC2308 suggests a value of 1-3 hours. This value used to determine the default (technically, minimum) TTL (time-to-live) for DNS entries, but now is used for negative caching.
MX INFO MX Record Your 2 MX records are:
10 server2.mail.cogentco.com. [TTL=10800] IP=66.28.3.23 [TTL=10800] [US]
10 server1.mail.cogentco.com. [TTL=10800] IP=66.28.3.28 [TTL=10800] [US]

PASS Invalid characters OK. All of your MX records appear to use valid hostnames, without any invalid characters.
PASS All MX IPs public OK. All of your MX records appear to use public IPs. If there were any private IPs, they would not be reachable, causing slight mail delays, extra resource usage, and possibly bounced mail.
PASS MX records are not CNAMEs OK. Looking up your MX record did not just return a CNAME. If an MX record query returns a CNAME, extra processing is required, and some mail servers may not be able to handle it.
PASS MX A lookups have no CNAMEs OK. There appear to be no CNAMEs returned for A records lookups from your MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3).
PASS MX is host name, not IP OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records).
PASS Multiple MX records OK. You have multiple MX records. This means that if one is down or unreachable, the other(s) will be able to accept mail for you.
PASS Duplicate MX records OK. You do not have any duplicate MX records (pointing to the same IP). Although technically valid, duplicate MX records can cause a lot of confusion, and waste resources.
PASS Reverse DNS entries for MX records OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. Note that this information is cached, so if you changed it recently, it will not be reflected here (see the www.DNSstuff.com Reverse DNS Tool for the current data). The reverse DNS entries are:

23.3.28.66.in-addr.arpa server2.mail.cogentco.com. [TTL=10795]
28.3.28.66.in-addr.arpa server1.mail.cogentco.com. [TTL=10795]

thomas.smith
09-30-2004, 12:25 PM
As I realize, there is a different IP address for:
billing.updates.2checkout.com.securedform.com
than for securedform.com itself:
205.234.132.15

mattwade
09-30-2004, 01:06 PM
Call your credit card company immediately and tell them what happened. You can't trust that the provider will shut it down in time. If I were scamming people like this, I would have my site immediately email me the credit card information that it scammed. That way I can have all the info in case I get shut down.

thomas.smith
09-30-2004, 01:11 PM
I really wonder how I could be that stupid... Especially since I have dealt with such sites often enough so I should have known it :(

Now how do I get along for 6 weeks without a credit card ?

inteltechs
09-30-2004, 01:19 PM
i got an email from them last night, too.

UVBC
09-30-2004, 01:19 PM
thomas.smith . . . many credit card companies can work with you on getting a new number over the phone (you may not get a card quickly, but if you have online renewal payments set up using a card, they can give you a new number) . . you'll just have to work with the providers you use and change that information (i.e. GoDaddy, Interland, etc.).

UVBC
09-30-2004, 01:21 PM
thomas.smith. . when you get past this. . give your web hosting forum community a heads up so we can avoid this ourselves. . would ya?

thomas.smith
09-30-2004, 02:16 PM
I have three other credit cards with the same CC company but they are all using that same account. Is it possible to just kill that card ? At present I can't call the CC company because they aren't working anymore... I am still looking for an emergency number.

I'm just working too much and I'm tired. I never thought it would be possible to trick me into that... Especially since they even asked me for my CC PIN number and I thought: Hey, that's suspicious... why does 2CO want my PIN number? Fortunately I didn't enter the PIN at least.

The best advice I can give you is to always watch the URL when you enter your CC info, and if it asks you for your PIN it's always a scam.

haxtheplanet
09-30-2004, 05:05 PM
tell us how you got scammed? you signed up for hosting and they didn't give it to you? you clicked on a link you got in an email?

thomas.smith
09-30-2004, 05:15 PM
I got this email:

Dear 2CheckOut customer,,

During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information. This might be due to either of the following reasons:
A recent change in your personal information ( i.e.change of address).
2. Submiting invalid information during the initial sign up process.
3. An inability to accurately verify your selected option of payment due to an internal error within our processors.
Please update and verify your information by clicking the link below:
https://updates.2CheckOut.com/saw-cgi/2CheckOutISAPI.dll?VerifyInformation
If your account information is not updated within 48 hours then your ability to sell or bid on 2CheckOut will become restricted.

Thank you
The 2CheckOut Billing Deptartment

Ok, that is really stupid and I should have seen it but I'm working too much and I'm tired all the time because of the work.

They were using a dynamic DNS service. I contacted that service and they took the site down.
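The advice earlier in the thread (always watch the URL) and the e-mail above come down to one check: the host name shown in the message is updates.2CheckOut.com, but the link actually led to billing.updates.2checkout.com.securedform.com, whose registrable domain is securedform.com. The following is an added example, not code from the thread, from 2CO or from any library, that makes that comparison explicit. It embeds the two addresses as constructed samples (the long random path is replaced with a placeholder) and uses a naive "last two labels" rule for the registrable domain, which is an assumption that holds for .com hosts; a real implementation should use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed samples taken from the thread: the address shown in the e-mail and the
# address the link really led to. The long random path is replaced by a placeholder.
DISPLAYED_LINK = "https://updates.2CheckOut.com/saw-cgi/2CheckOutISAPI.dll?VerifyInformation"
ACTUAL_LINK = "http://billing.updates.2checkout.com.securedform.com/~desimant/PATH-PLACEHOLDER/"
BRAND_DOMAIN = "2checkout.com"   # the domain the e-mail claims to come from


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the host name.
    Assumption: this is enough for plain '.com' hosts as in the thread; a
    production check should use the Public Suffix List so that hosts under
    multi-label suffixes such as 'example.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def analyse_link(displayed, actual, brand_domain):
    """Compare the link a user sees with the link a user is sent to and return
    the warning signs found. An empty 'findings' list means nothing suspicious."""
    disp, act = urlsplit(displayed), urlsplit(actual)
    disp_host = (disp.hostname or "").lower()
    act_host = (act.hostname or "").lower()
    brand_label = brand_domain.split(".")[0]
    target_domain = registrable_domain(act_host)
    findings = []
    if target_domain != brand_domain:
        findings.append(f"target is owned by {target_domain}, not {brand_domain}")
        # the real brand appearing only in the left-hand labels is the classic decoy
        if brand_label in act_host.split(".")[:-2]:
            findings.append("brand name appears only as a subdomain decoy")
    if disp_host and disp_host != act_host:
        findings.append("displayed host differs from actual host")
    if disp.scheme == "https" and act.scheme != "https":
        findings.append("link text shows https but target uses plain http")
    return {"displayed_host": disp_host, "actual_host": act_host,
            "target_domain": target_domain, "findings": findings}


if __name__ == "__main__":
    report = analyse_link(DISPLAYED_LINK, ACTUAL_LINK, BRAND_DOMAIN)
    print("shown:  ", report["displayed_host"])
    print("actual: ", report["actual_host"], "->", report["target_domain"])
    for f in report["findings"]:
        print(" -", f)
```

The `~desimant` element of the real path is also worth noting for a report: it is the user-directory convention of shared web hosting, which is why contacting the hosting company and the DNS provider, as happened here, took the page down.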

demomen
09-30-2004, 05:48 PM
What's a CC.....

bgaNET
09-30-2004, 06:23 PM
Originally posted by demomen
What's a CC.....

Credit Card.

haxtheplanet
09-30-2004, 07:37 PM
did you alert 2CO?

GideonX
10-01-2004, 12:01 AM
2CO already knows about it, they have a warning on their client login page.

thomas.smith
10-01-2004, 08:13 AM
Yes, I did inform 2CO. They already knew it. They told me they did inform the hosting company of that site etc. but it was actually my email to a dynamic DNS provider that shut down the site. I did also contact all other companies that host that site or are affiliated with them and they all took steps against them.

The credit card company has blocked my credit card but my other three credit cards are still working.

The evil site is down, my card is blocked, my passwords are changed so everything is back to normal :)