ROKSO
The Register of Known Spam Operations
Konstantin Oftin a/k/a Igori Saharov



Country: Russian Federation
State:
Botnet spammer & Festi botnet herder.


Konstantin Oftin a/k/a Igori Saharov SBL Listings History

Domains [2014]


SBL229468 :

LISTED (SBL226094) 16 JULY FOR THE SAME CAUSE
=============================================
Pharmacy Express SITE: http://doctordqfsh.com
Pharmacy Express SITE: http://doctorbvyv.ru
Pharmacy Express SITE: http://m.doctordqfsh.com
Pharmacy Express SITE: http://m.doctorbvyv.ru
Pharmacy Express SITE: http://[varies]
: IP address 85.25.156.216: on intergenia.de,plusserver.de
: IP address 50.30.34.33: on hostingsolutionsinternational.com
: IP address 209.239.121.30: on hostingsolutionsinternational.com

Resolved by the:

Pharmacy Express NAMESERVERS (dnskreel.com,serverolew.su,kkgjwdns.com,dedicopqe.su)
: IP address 46.22.166.246: on e-ring.pl
: IP address 46.22.166.157: on e-ring.pl
: IP address 61.191.190.8: on anhuitelecom.com,ahhfptt.net.cn,Chinanet Anhui Province, chinanet-ah
: IP address 61.191.190.175: on anhuitelecom.com,ahhfptt.net.cn,Chinanet Anhui Province, chinanet-ah

Pharmacy Express utilizes a profiler and heartbeat tracker.

As usual, Pharmacy Express makes use of a flash file, pons4.swf, which
provides a rather comprehensive profile of the visitor's system and
which was provided by google! Googlesydnication.com! Wait ... that is
"dn" not "nd". Well that is what it was until they lost that domain and
then it was google! Ooops ... no ... googl. Googlsyndications.com.

Perhaps Google finally acted. The flash file then used the domain,
choosebestkeyword.com but they have now changed it to fastclickstatus.com.

Besides providing a function which is used by Pharmacy Express for a
thorough profile of the victim's system (so extensive one doesn't
need cookies) via Javascript (the profile is part of the data submitted
to the pharmacy site) the flash file also continually connects back to
fastclickstatus.com on ports 80, 843 (the usual flash policy port)
and 10843 (coded in the flash file itself).
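The heartbeat behaviour described above (repeated connections from the visitor's browser to the tracker host on the Flash policy port 843 and on 10843, which the listing later puts at roughly every twenty seconds) is something a network defender can look for in egress logs. The following Python script is an added example and not part of the ROKSO listing: it reads connection-log lines in a constructed `timestamp src dst:port hostname` format, keeps only connections to the tracker ports, and flags source/destination pairs whose inter-connection intervals are regular. The log lines are constructed for the example; the tracker hostname and IP address are the ones the listing gives, 192.0.2.10 and example.com are placeholders, and the port set and jitter threshold are assumptions.

```python
"""Flag periodic outbound connections to the tracker ports (added example).

Log format (constructed for this example):
    "<ISO timestamp> <src ip> <dst ip>:<port> <hostname>"
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Ports the listing names for the tracker: 80, 843 (Flash socket-policy port), 10843.
# Port 80 is too noisy to key on, so only the two odd ports are used here (assumption).
TRACKER_PORTS = {843, 10843}

# Constructed sample log: host 10.0.0.5 beacons every 20 s; 10.0.0.7 is ordinary traffic.
# 107.181.174.54 / fastclickstatus.com are the tracker values given in the listing;
# 192.0.2.10 / example.com are placeholders.
SAMPLE_LOG = """\
2014-07-24T10:00:00 10.0.0.5 107.181.174.54:843 fastclickstatus.com
2014-07-24T10:00:20 10.0.0.5 107.181.174.54:10843 fastclickstatus.com
2014-07-24T10:00:40 10.0.0.5 107.181.174.54:10843 fastclickstatus.com
2014-07-24T10:00:41 10.0.0.7 192.0.2.10:80 example.com
2014-07-24T10:01:00 10.0.0.5 107.181.174.54:10843 fastclickstatus.com
2014-07-24T10:01:20 10.0.0.5 107.181.174.54:10843 fastclickstatus.com
2014-07-24T10:02:05 10.0.0.7 192.0.2.10:443 example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst_ip, port, host = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "dst_ip": dst_ip, "port": int(port), "host": host}


def find_beacons(log_text, ports=TRACKER_PORTS, min_hits=3, max_jitter=2.0):
    """Group tracker-port connections by (src, hostname) and keep the regular ones.

    A flow is reported when it has at least `min_hits` connections and the
    population standard deviation of the gaps between them is <= `max_jitter`
    seconds. Returns {(src, host): {"count", "mean_interval", "jitter"}}.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] not in ports:
            continue
        flows[(rec["src"], rec["host"])].append(rec["ts"])

    findings = {}
    for key, stamps in flows.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        jitter = pstdev(gaps)
        if jitter <= max_jitter:
            findings[key] = {"count": len(stamps),
                             "mean_interval": mean(gaps), "jitter": jitter}
    return findings


if __name__ == "__main__":
    for (src, host), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {info['count']} hits, "
              f"every {info['mean_interval']:.0f}s (jitter {info['jitter']:.1f}s)")
```

On the sample data the script reports 10.0.0.5 talking to fastclickstatus.com five times at a steady 20-second interval and ignores the two ordinary connections from 10.0.0.7. In real logs the interval and jitter thresholds need tuning, and keying on the hostname (or the tracker IP) rather than on the port alone keeps ordinary Flash policy-file requests out of the results.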

Pharmacy Express PROFILER/TRACKER: fastclickstatus.com
: IP address 107.181.174.54: SBL229099 [*]

*: This was previously at 107.181.174.45
SBL227999 (LISTING REMOVED)

Resolved by its nameserver at 107.181.174.54: SBL229099

The order form has changed and now returns a contact even
for rejected orders:

SUPPORT SITE: http://yourliveservice.com
: IP address 209.239.121.30: on hostingsolutionsinternational.com

This host is also a pharmacy host/proxy.

Resolved by its:

Pharmacy Express (and support site) NAMESERVERS (serverienw.com,hostgallop.com):
: IP address: 50.30.34.33: on hostingsolutionsinternational.com
: IP address: 95.191.130.248: on rt.ru,sibdc.ru

Pharmacy Express SUPPORT CONTACT [email]: support@yourliveservice.com
Pharmacy Express SUPPORT CONTACT [phone]: +1-212-389-6349


HERE ARE A FEW OTHER HOSTNAMES
FOR THE PHARMACY SITE.
-----------------------------------
doctordqfsh.com A 85.25.156.216
doctoreqla.com A 85.25.156.216
doctortuve.com A 85.25.156.216
medicdebjp.com A 85.25.156.216
medicdeor.com A 85.25.156.216
medicswqo.com A 85.25.156.216
sqjhdoctors.com A 85.25.156.216
xfxomedics.com A 85.25.156.216
urlsbn.ru A 85.25.156.216
doctornnek.cn.com A 50.30.34.33
doctorjus.com A 50.30.34.33
doctormull.com A 50.30.34.33
albzdoctors.ru A 50.30.34.33
azfgmedic.ru A 50.30.34.33
azgvmedic.ru A 50.30.34.33
cgngmedics.ru A 50.30.34.33
cgpbmedics.ru A 50.30.34.33
cgqgmedics.ru A 50.30.34.33
cgrxmedics.ru A 50.30.34.33
doctorbvyv.ru A 50.30.34.33
doctorbzui.ru A 50.30.34.33
doctorgfuf.ru A 50.30.34.33
doctorjyyp.ru A 50.30.34.33
doctorltonsrom.ru A 50.30.34.33
doctorluldhi.ru A 50.30.34.33
doctorlzew.ru A 50.30.34.33
doctormdgd.ru A 50.30.34.33
doctormvoh.ru A 50.30.34.33
doctorncte.ru A 50.30.34.33
doctornzjk.ru A 50.30.34.33
doctorpezhs.ru A 50.30.34.33
doctorthyjo.ru A 50.30.34.33
doctortrtyh.ru A 50.30.34.33
doctoruxvq.ru A 50.30.34.33
doctorvctcd.ru A 50.30.34.33
doctorxonft.ru A 50.30.34.33
doctorythb.ru A 50.30.34.33
dsdlmedics.ru A 50.30.34.33
egjxmedics.ru A 50.30.34.33
eqhsdoctor.ru A 50.30.34.33
gdzcmedic.ru A 50.30.34.33
gegbmedic.ru A 50.30.34.33
hfncmedics.ru A 50.30.34.33
hpfwmedic.ru A 50.30.34.33
medicaabf.ru A 50.30.34.33
medicaacg.ru A 50.30.34.33
medicacrja.ru A 50.30.34.33
medicafbi.ru A 50.30.34.33
medicajffu.ru A 50.30.34.33
medicalkk.ru A 50.30.34.33
medicaoci.ru A 50.30.34.33
medicaytcf.ru A 50.30.34.33
medicbfgb.ru A 50.30.34.33
medicbgtc.ru A 50.30.34.33
mediccpnof.ru A 50.30.34.33
mediccvmqh.ru A 50.30.34.33
medicdafr.ru A 50.30.34.33
medicdcomq.ru A 50.30.34.33
medicddpb.ru A 50.30.34.33
medicdgxyd.ru A 50.30.34.33
medicdrwl.ru A 50.30.34.33
medicegblm.ru A 50.30.34.33
mediceywh.ru A 50.30.34.33
medicfdaf.ru A 50.30.34.33
medicflmr.ru A 50.30.34.33
medicgchtt.ru A 50.30.34.33
medicgkvd.ru A 50.30.34.33
medicgsfw.ru A 50.30.34.33
medicgyxm.ru A 50.30.34.33
medichhcgk.ru A 50.30.34.33
medichxqbd.ru A 50.30.34.33
medichykry.ru A 50.30.34.33
medicidse.ru A 50.30.34.33
medicijjqv.ru A 50.30.34.33
medicixdvk.ru A 50.30.34.33
medicjaftu.ru A 50.30.34.33
medicjiirt.ru A 50.30.34.33
medicjtpd.ru A 50.30.34.33
medickcra.ru A 50.30.34.33
medickecv.ru A 50.30.34.33
medickfhq.ru A 50.30.34.33
mediclakxh.ru A 50.30.34.33
mediclhechim.ru A 50.30.34.33
mediclhowthe.ru A 50.30.34.33
medicllgdj.ru A 50.30.34.33
medicllorol.ru A 50.30.34.33
mediclwoa.ru A 50.30.34.33
medicmbfyi.ru A 50.30.34.33
medicmjuve.ru A 50.30.34.33
medicmqwp.ru A 50.30.34.33
medicnnqti.ru A 50.30.34.33
medicnrwye.ru A 50.30.34.33
medicnsxgs.ru A 50.30.34.33
medicnuqk.ru A 50.30.34.33
medicnywvu.ru A 50.30.34.33
medicoingw.ru A 50.30.34.33
medicownm.ru A 50.30.34.33
medicoyhsx.ru A 50.30.34.33
medicpnbcd.ru A 50.30.34.33
medicpwqe.ru A 50.30.34.33
medicpyqz.ru A 50.30.34.33
medicrjnc.ru A 50.30.34.33
medicrmxh.ru A 50.30.34.33
medicsemi.ru A 50.30.34.33
medicsgtu.ru A 50.30.34.33
medicslas.ru A 50.30.34.33
medicsuhgg.ru A 50.30.34.33
medicsxulj.ru A 50.30.34.33
medictdel.ru A 50.30.34.33
medictejf.ru A 50.30.34.33
medictmbv.ru A 50.30.34.33
medictqzr.ru A 50.30.34.33
medicuhefj.ru A 50.30.34.33
medicukker.ru A 50.30.34.33
medicvcnfw.ru A 50.30.34.33
medicvuuwf.ru A 50.30.34.33
medicwytsj.ru A 50.30.34.33
medicxktef.ru A 50.30.34.33
medicxqise.ru A 50.30.34.33
medicyjwaf.ru A 50.30.34.33
medicymzyo.ru A 50.30.34.33
medicynvb.ru A 50.30.34.33
medicyqha.ru A 50.30.34.33
mediczqt.ru A 50.30.34.33
mediczrb.ru A 50.30.34.33
mediczxnuq.ru A 50.30.34.33
rhxumedics.ru A 50.30.34.33
vjnqmedics.ru A 50.30.34.33
xcdmmedics.ru A 50.30.34.33
xcfwmedics.ru A 50.30.34.33
yqfimedics.ru A 50.30.34.33
mediciwqrl.su A 50.30.34.33
medicpatzm.su A 50.30.34.33
-----------------------------------

DETAILS:
--------

PHARMACY EXPRESS SITE: http://doctordqfsh.com
PHARMACY EXPRESS SITE: http://doctorbvyv.ru
PHARMACY EXPRESS SITE: http://m.doctordqfsh.com [*]
PHARMACY EXPRESS SITE: http://m.doctorbvyv.ru
PHARMACY EXPRESS SITE: http://[varies]

*: Now they use a script. The full page (for non-mobile users)
is at m.[domain_name] and the shorter page for mobile
connections is at [domain_name]. This is new.
They may be working on it.

NOTE ABOVE THAT SOME OF THE DOMAIN NAMES RESOLVE
DIFFERENTLY. LET ME CHECK THE RESOLUTIONS FOR TWO
HOSTS doctordqfsh.com AND doctorbvyv.ru.

NAMESERVERS FOR doctordqfsh.com AND doctorbvyv.ru
FROM THE .com AND .ru SERVERS.
RESOLUTIONS FROM THE .com AND .su SERVERS.
=================================================
doctordqfsh.com NS ns1.dnskreel.com
doctordqfsh.com NS ns2.serverolew.su
doctorbvyv.ru NS ns1.kkgjwdns.com
doctorbvyv.ru NS ns2.dedicopqe.su
ns1.dnskreel.com A 46.22.166.246
ns2.dnskreel.com A 61.191.190.8
ns1.serverolew.su A 46.22.166.246
ns2.serverolew.su A 61.191.190.8
ns1.kkgjwdns.com A 111.73.46.178
ns2.kkgjwdns.com A 46.22.166.16
ns1.dedicopqe.su A 61.191.190.175
ns2.dedicopqe.su A 46.22.166.157

dig @46.22.166.246 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 85.25.156.216
dig @61.191.190.8 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 85.25.156.216

dig @111.73.46.178 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @46.22.166.16 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; connection timed out

dig @61.191.190.175 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 50.30.34.33
dig @46.22.166.157 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 50.30.34.33

dig @46.22.166.246 m.doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: m.doctordqfsh.com A 85.25.156.216
dig @61.191.190.8 m.doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: m.doctordqfsh.com A 85.25.156.216

dig @111.73.46.178 m.doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @46.22.166.16 m.doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; connection timed out

dig @61.191.190.175 m.doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: m.doctordqfsh.com A 50.30.34.33
dig @46.22.166.157 m.doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: m.doctordqfsh.com A 50.30.34.33

dig @46.22.166.246 doctorbvyv.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorbvyv.ru A 85.25.156.216
dig @61.191.190.8 doctorbvyv.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorbvyv.ru A 85.25.156.216

dig @111.73.46.178 doctorbvyv.ru A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @46.22.166.16 doctorbvyv.ru A +norec +noauth +noqu +noadd
: ;; connection timed out

dig @61.191.190.175 doctorbvyv.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorbvyv.ru A 50.30.34.33
dig @46.22.166.157 doctorbvyv.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorbvyv.ru A 50.30.34.33

dig @46.22.166.246 m.doctorbvyv.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: m.doctorbvyv.ru A 85.25.156.216
dig @61.191.190.8 m.doctorbvyv.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: m.doctorbvyv.ru A 85.25.156.216

dig @111.73.46.178 m.doctorbvyv.ru A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @46.22.166.16 m.doctorbvyv.ru A +norec +noauth +noqu +noadd
: ;; connection timed out

dig @61.191.190.175 m.doctorbvyv.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: m.doctorbvyv.ru A 50.30.34.33
dig @46.22.166.157 m.doctorbvyv.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: m.doctorbvyv.ru A 50.30.34.33
=================================================

The ns{1,2}.kkgjwdns.com nameservers are now down (not updated).
The associated pair, ns{1,2}.dedicopqe.su, has been updated.

We have two pairs of nameservers.
One pair, 46.22.166.246 and 61.191.190.8 resolves
Pharmacy Express hosts to 85.25.156.216.
The other, 61.191.190.175 and 46.22.166.157 resolves
them to 50.30.34.33.
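A quick way to turn dig results like the ones above into a consistency check is to parse them and group each authoritative server by the answer it returns, keeping timeouts and non-authoritative replies in their own buckets. The following Python script is an added example, not part of the listing; it parses the listing's own `dig @server name A` / `: ;; flags:` / `: name A ip` transcript format (the embedded sample is the doctordqfsh.com block from above) and reports any name whose authoritative servers disagree.

```python
"""Group authoritative nameservers by the answer they give (added example)."""
import re
from collections import defaultdict

# Sample input: the doctordqfsh.com block of dig output copied from the listing above.
SAMPLE_DIG = """\
dig @46.22.166.246 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 85.25.156.216
dig @61.191.190.8 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 85.25.156.216
dig @111.73.46.178 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @46.22.166.16 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @61.191.190.175 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 50.30.34.33
dig @46.22.166.157 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 50.30.34.33
"""

DIG_RE = re.compile(r"^dig @(\S+) (\S+) A\b")
ANSWER_RE = re.compile(r"^: (\S+) A (\d+\.\d+\.\d+\.\d+)$")
STATUS_KEYS = ("TIMEOUT", "NON-AUTHORITATIVE", "NOANSWER")


def parse_dig_log(text):
    """Turn the listing's dig transcript into one record per query."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIG_RE.match(line)
        if m:
            current = {"server": m.group(1), "qname": m.group(2),
                       "authoritative": False, "timeout": False, "answer": None}
            records.append(current)
            continue
        if current is None:
            continue
        if line.startswith(": ;; flags:"):
            # Only the part before the annotation arrow carries dig's flags.
            flags = line.split("<--")[0].split("flags:")[1].split()
            current["authoritative"] = "aa" in flags
        elif "connection timed out" in line:
            current["timeout"] = True
        else:
            m = ANSWER_RE.match(line)
            if m and m.group(1) == current["qname"]:
                current["answer"] = m.group(2)
    return records


def split_resolution(records):
    """Map qname -> {answer or status: servers (sorted as strings)}."""
    report = defaultdict(lambda: defaultdict(list))
    for r in records:
        if r["timeout"]:
            key = "TIMEOUT"
        elif not r["authoritative"]:
            key = "NON-AUTHORITATIVE"
        else:
            key = r["answer"] or "NOANSWER"
        report[r["qname"]][key].append(r["server"])
    return {q: {k: sorted(v) for k, v in buckets.items()}
            for q, buckets in report.items()}


def inconsistent_names(report):
    """Names for which authoritative servers returned more than one distinct A record."""
    return sorted(q for q, buckets in report.items()
                  if len([k for k in buckets if k not in STATUS_KEYS]) > 1)


if __name__ == "__main__":
    report = split_resolution(parse_dig_log(SAMPLE_DIG))
    for qname, buckets in report.items():
        for key, servers in buckets.items():
            print(f"{qname}: {key} from {', '.join(servers)}")
    print("inconsistent:", inconsistent_names(report))
```

Run against the sample, the report shows the two 85.25.156.216 servers, the two 50.30.34.33 servers and the two that timed out in separate buckets, and names doctordqfsh.com as inconsistent. The same grouping applied to a fresh transcript makes it easy to see when one pair of nameservers has been updated and the other left stale, as the listing notes for the kkgjwdns.com pair.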

One would expect that these are used as load balancers and
that one can find the same sites up at both IP addresses.

Let me check for doctordqfsh.com at both.

* Connected to 85.25.156.216:80
: GET / HTTP/1.1
: Host: doctordqfsh.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: [script type="text/javascript"]
: var nomobredirect='0';var is_mobile='1';var redirect='m.doctordqfsh.com';
: var width=(screen.width>screen.height)?screen.width:screen.height;
: if(width<1024&&is_mobile=='0'&&nomobredirect=='0'&&redirect.length>3){window.location=location.protocol+'//'+redirect;}
: ...
: [/script]
: ...
: [a href="http://m.doctordqfsh.com/?nomob=1"]Go to full version[/a]


* Connected to 85.25.156.216:80
: GET / HTTP/1.1
: Host: m.doctordqfsh.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.


* Connected to 50.30.34.33:80
: GET / HTTP/1.1
: Host: doctordqfsh.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: [script type="text/javascript"]
: var nomobredirect='0';var is_mobile='1';var redirect='m.doctordqfsh.com';
: var width=(screen.width>screen.height)?screen.width:screen.height;
: if(width<1024&&is_mobile=='0'&&nomobredirect=='0'&&redirect.length>3){window.location=location.protocol+'//'+redirect;}
: ...
: [/script]
: ...
: [a href="http://m.doctordqfsh.com/?nomob=1"]Go to full version[/a]


* Connected to 50.30.34.33:80
: GET / HTTP/1.1
: Host: m.doctordqfsh.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.


SEE THE SUPPORT SITE, BELOW. IT IS AT IP ADDRESS 209.239.121.30
THIS IS ALSO A PHARMACY HOST/PROXY:

* Connected to 209.239.121.30:80
: GET / HTTP/1.1
: Host: doctordqfsh.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: [script type="text/javascript"]
: var nomobredirect='0';var is_mobile='1';var redirect='m.doctordqfsh.com';
: var width=(screen.width>screen.height)?screen.width:screen.height;
: if(width<1024&&is_mobile=='0'&&nomobredirect=='0'&&redirect.length>3){window.location=location.protocol+'//'+redirect;}
: ...
: [/script]
: ...
: [a href="http://m.doctordqfsh.com/?nomob=1"]Go to full version[/a]


* Connected to 209.239.121.30:80
: GET / HTTP/1.1
: Host: m.doctordqfsh.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.


The "full" pages obtained from the three sites were byte-for-byte identical
except for two lines (different items were highlighted), for example:
: onmouseover="highlightItem('idm456174816', true)"
vs.
: onmouseover="highlightItem('idm652153504', true)"

N.B.
-----------------------------------------------------------
This is a change. Previously the URL, http://[domain_name]/
would provide the main (full) page. In this case, not following
the redirection to m.[domain_name] produces a very short page
with almost no graphics which contains the link to the full page
at m.[domain_name]. Yesterday there was an extra line of Javascript
which did redirect my desktop system to m.[domain_name] for the
full version of the page.

The use of the word "mobile" (var is_mobile) suggests that they
are trying to set up a short, mobile version of the page and
redirect mobile users to it but ... the full page, rather than
the mobile version, is at m.[domain_name] and my desktop system
was not redirected to the full version this time.

This appears to be a work in progress.
-----------------------------------------------------------

IP ADDRESS: 85.25.156.216
-------------------------
PHARMACY EXPRESS SITE
% Abuse contact for '85.25.156.216 - 85.25.156.216' is 'abuse@plusserver.de'
inetnum: 85.25.156.216 - 85.25.156.216 (85.25.156.216/32!)
country: SC
person: [omitted]
route: 85.25.0.0/16
descr: PlusServer AG
changed: [omitted]@intergenia.de 20070125
Address 85.25.156.216 maps to static-ip-85-25-156-216.inaddr.ip-pool.com
216.156.25.85.in-addr.arpa has SOA [omitted]@ptr1.intergenia.de
-------------------------

IP ADDRESS: 50.30.34.33
-----------------------
PHARMACY EXPRESS SITE
CIDR: 50.30.32.0/20
OrgName: Hosting Solutions International, Inc.
StateProv: MO
Country: US
OrgAbuseEmail: abuse@hostingsolutionsinternational.com
Address 50.30.34.33 maps to hawk080.startdedicated.com
33.34.30.50.in-addr.arpa has SOA [omitted]@ns1.nameserverservice.com
-----------------------

IP ADDRESS: 209.239.121.30
--------------------------
PHARMACY EXPRESS SUPPORT SITE
PHARMACY EXPRESS SITE
CIDR: 209.239.112.0/20
OrgName: Hosting Solutions International, Inc.
StateProv: MO
Country: US
OrgAbuseEmail: abuse@hostingsolutionsinternational.com
Address 209.239.121.30 maps to static-ip-209-239-121-30.inaddr.ip-pool.com
30.121.239.209.in-addr.arpa has SOA [omitted]@ns1.nameserverservice.com
--------------------------

IP ADDRESS: 46.22.166.246
IP ADDRESS: 46.22.166.157
-------------------------
PHARMACY EXPRESS NAMESERVER
% Abuse contact for '46.22.166.0 - 46.22.166.255' is 'artur@e-ring.pl'
inetnum: 46.22.166.0 - 46.22.166.255
netname: E-RING-NETWORK
country: PL
e-mail: [omitted]@e-ring.pl
Address 46.22.166.246 maps to 46.22.166.246.host.v-net.pro
Address 46.22.166.157 maps to 46.22.166.157.host.v-net.pro
166.22.46.in-addr.arpa has SOA [omitted]@ionic.pl
-------------------------

IP ADDRESS: 61.191.190.8
IP ADDRESS: 61.191.190.175
------------------------
PHARMACY EXPRESS NAMESERVER
inetnum: 61.191.0.0 - 61.191.255.255
descr: CHINANET Anhui province network
descr: China Telecom
abuse-mailbox: abuse@anhuitelecom.com
191.61.in-addr.arpa has SOA [omitted]@ns.ahhfptt.net.cn
------------------------

I will check doctordqfsh.com at 85.25.156.216.

Let's see ... These sites can have different brandings.
Some are branded as Canadian Pharmacy in the title (an old
spamvertized pharmacy site) with a copyright claiming to be
Canadian Health&Care Mall (a current Yambo spam operation
brand) though it is neither - it is Pharmacy Express.

This is one of their sites branded as ... Pharmacy Express.

This uses the /201/ directory (other themes/brandings are in
different directories, such as /204/ for Canadian Health&Care Mall).

An encoded phone number appears on all their sites, decoded
to a Javascript variable which is unused on, for example,
Canadian Health&Care Mall sites. The Javascript used to put
the phone number on the page at Pharmacy Express branded sites,
but no longer.

ENCODED JAVASCRIPT: SHORTER SCRIPTS, NOW ENCODED
------------------------------------------------
They used to use a lot of their own code. Now they use jquery.
Their code used to be plain Javascript source text.
Then their (large) script was doubly encoded (base64 and XOR
with an array of values). This time four sections of code
at the end of the script (including the QuickSearch library)
are encrypted.

The encoded phone number which appears in the home page's HTML code
-------------------------------------------------------------------------------
var msgs = {
: removeProduct: "You are removing %PRODUCT_TITLE% from your cart. Continue?",
: notFound: "Not found",
: emptySearchQuery: "Empty search query",
: search: "Search...",
: minLengthIs: "minimum allowed length is",
: maxLengthIs: "maximum allowed length is",
: characters: "characters",
: emptyCart: "Do you really want to empty cart ?",
: phone: "+k-aee vgb-kevk",
: siteTitle: "Pharmacy Express"
};
-------------------------------------------------------------------------------
is decoded by their translate function in the script file,
http://[hostname]/201/js/_set_main.js?v=50cbe09ef02bf940e4b14b2badb24e0d

function translate(string,search,replace), which just implements
a simple substitution, transliteration, "tr", function,
: $('.phn').html(translate(msgs.phone, 'kagzrvbehn', '1845962037'));

[The code was originally
: var phone=translate(msgs.phone,'kagzrvbehn','1845962037');
using a separate variable for the decoded phone number
which was then used on the page. Now the 'phone' variable is gone.]
(The substitution had been different in the dim past.)

and, of course:
: echo "+k-aee vgb-kevk" | tr 'kagzrvbehn' '1845962037'

gives the usual phone number: +1-800 642-1061
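The site's `translate` function is a per-character substitution, so the same operation can be reproduced in Python with `str.maketrans`. The script below is an added example rather than code from the site or from the listing; it decodes the `msgs.phone` value, pulls the phone string out of the `var msgs = {...}` block shown above, and also runs the mapping in reverse so that a known plaintext number can be searched for in captured HTML in its encoded form (useful precisely because the encoding defeats a plain text search for the number). The listing does not show the body of the site's `translate` function, so the implementation here is assumed from its described behaviour.

```python
"""Decode the site's substitution-obfuscated phone number (added example)."""
import re

# Alphabets copied from the listing's translate() call; the function body itself
# is not shown in the listing, so the per-character substitution below is assumed.
SEARCH = "kagzrvbehn"
REPLACE = "1845962037"

# The msgs block quoted above, copied from the listing (page-prefix colons removed).
SAMPLE_MSGS = """\
var msgs = {
removeProduct: "You are removing %PRODUCT_TITLE% from your cart. Continue?",
notFound: "Not found",
emptySearchQuery: "Empty search query",
search: "Search...",
minLengthIs: "minimum allowed length is",
maxLengthIs: "maximum allowed length is",
characters: "characters",
emptyCart: "Do you really want to empty cart ?",
phone: "+k-aee vgb-kevk",
siteTitle: "Pharmacy Express"
};
"""

PHONE_RE = re.compile(r'phone:\s*"([^"]*)"')


def translate(string, search, replace):
    """Character-for-character substitution, the same operation as tr(1)."""
    if len(search) != len(replace):
        raise ValueError("search and replace alphabets must be the same length")
    return string.translate(str.maketrans(search, replace))


def decode_phone(encoded, search=SEARCH, replace=REPLACE):
    """Apply the site's mapping: letters in `search` become the digits in `replace`."""
    return translate(encoded, search, replace)


def encode_phone(plain, search=SEARCH, replace=REPLACE):
    """Reverse mapping: what a known number looks like inside the page source."""
    return translate(plain, replace, search)


def extract_phone(html):
    """Find the msgs.phone literal in captured HTML and return it decoded, or None."""
    m = PHONE_RE.search(html)
    return decode_phone(m.group(1)) if m else None


if __name__ == "__main__":
    print(decode_phone("+k-aee vgb-kevk"))    # +1-800 642-1061
    print(encode_phone("+1-800 642-1061"))    # +k-aee vgb-kevk
    print(extract_phone(SAMPLE_MSGS))         # +1-800 642-1061
```

When the substitution alphabets change (the listing notes they have been different in the past), only `SEARCH` and `REPLACE` need updating; a captured copy of `_set_main.js` is where the current pair is found.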

NOTE: If your browser does NOT indicate that it supports compression (gzip)
the pages come back uncompressed BUT THE JAVASCRIPT AND/OR STYLE SHEET
FILE MAY COME BACK COMPRESSED ANYWAY. I often configure Firefox not to
accept compressed pages so I can do a packet capture and 'grep' through
it for relevant items. Material will be invisible even with Javascript
enabled if the browser is set not to request (or decompress) compressed
content and the Javascript is compressed. At times only the Javascript
file was compressed. At other times only the style sheet was compressed.
Sometimes both come back compressed. Only the style sheet was compressed
this time.

The page style changed some time ago. Besides using Javascript to place messages
(and encoding the phone number - one can no longer 'google' for that number to find
other hosts/pages) there were lines over 50K in size on the starting page.
Those were long style sheet codes. Now separate style sheet files are used
and the longest line I now see on the page is about 17K in size.

Surprisingly the copyright notice at the bottom of the page,
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.
was not encoded as the phone number is though you won't find
"Pharmacy Express" when grep'ing through the page's HTML code
as it appears as "Pha[span]rmacy Express.[/span]".

STYLE SHEET TO POSITION BOOKMARK (facebook, etc.) LINKS OVER IMAGE
---------------------------------------------------------------------------
WHILE I HAVE NOT RECENTLY SEEN THE Facebook AND OTHER SOCIAL NETWORK LINKS
ON THE PAGES USING DIFFERENT BRANDINGS (e.g. "Canadian Pharmacy",
"Canadian Health&Care Mall") THEY DO APPEAR ON THIS PHARMACY EXPRESS SITE.
---------------------------------------------------------------------------
The page has links to various social networking sites such as
[a href="http://www.facebook.com/share.php?u=%site_url%" class="c" title="Save to Facebook"][/a]
in a "div" element, [div class="bookmarks"].

The Javascript contains the code to update the data:
------------------------------------------------
var reSiteURL = new RegExp('\%site_url\%', "g");
var reSiteTitle = new RegExp('\%site_title\%', "g");
$(".bookmarks a").each(function() {
var url = $(this).attr('href');
url = url.replace(reSiteURL, location.protocol + '//' + location.host);
url = url.replace(reSiteTitle, msgs.siteTitle); $(this).attr('href', url);});
------------------------------------------------
When Javascript was first used to update the social site links
there was only a regular expression to change the site_url,
not the site_title, but when they started using multiple brandings
such as 'ED Express' or 'Canadian Pharmacy' the code to set the
title was added.

The bookmark links, such as the above facebook link, have length zero!
How to click on them? The style sheet repositions them over the header image,
: .header .bookmarks{position:absolute;top:177px;left:35px}
: .header .bookmarks a{width:16px;height:16px;display:block;position:relative;
: float:left;margin-right:2px;margin-top:3px}
giving each a width of 16 pixels. They are positioned so that the
clickable region for each social network's link is placed over
that network's icon embedded in the header image,
http://[hostname]/201/img/header/header-bg-usps.jpg
which is often modified to suit the current holiday or celebration
such as header-bg-canada.jpg for Canada Day.

When these sites were hosted on bots (at other times the
spammer gets his own hosting) or for other reasons had
problems with bandwidth the images had often been hosted
elsewhere but I have not seen images loaded from elsewhere
for quite some time.

This time very few real images are loaded, but from the spamvertized
site itself with URLs such as:
: http://[hostname]/201/img/sprite/most_popular_1.jpg?v=1406198662

NOTE: Few images are used. For example two images are used for all
the pill images, "sprite" panels (tableaux of pill subimages)
: http://[hostname]/201/img/sprite/most_popular_1.jpg?v=1406198662
: http://[hostname]/201/img/sprite/most_popular_2.jpg?v=1406198662
STYLE SHEET:
: .spr_products_75x75_viagra,.spr_products_75x75_viagra_brand,.spr_products_75x75_cialis,...
: {background-image:url(../img/sprite/most_popular_1.jpg?v=1406198662) !important}
and various selections from the image are carefully placed
: .spr_products_75x75_propecia
: {background-position:-75px 0 !important;width:75px !important;height:75px !important}
so the portion which appears as the background for each
anchor tag/link is just the proper pill image.
(A TINY CHANGE. The version I have most often seen has
"background-position:-75px 0px" but sometimes a site uses
"-75px 0"; after all "0px" or "0anything_else" is still the
same size, zero.)

One used to find separate images such as
: http://[hostname]/101/img/products/75x75/levitra_brand.jpg
Now the images appear to have a time stamp, net-time, the number
of seconds since 1 January 1970.

Sometimes these sites have a secure order form and sometimes not.
Usually the order site is not secure.

This time upon reaching the CHECKOUT page I found the form:
: [form id="form_checkout" action="/checkout/" method="post"][/form]

Most often, recently, the action has simply been action="/checkout/"
with payment being submitted to the pharmacy site itself.
Sometimes the "action" points to another, order, site such as
the following (lexicographically sorted by domain name).
Note that sometimes (but infrequently) they are secure:
: http://e-billprovider.com
: http://e-billresponse.com
: http://e-billsupport.com
: http://e-buyassist.com
: http://e-buybox.com
: http://e-buyprocess.com
: http://e-cartprocess.com
: http://e-fastestpay.com
: http://e-paymentassist.com
: http://e-paymentservice.com
: http://ebillwebform.com
: http://eclientplace.com
: https://eclientplace.com <== SECURE
: http://ecustomerbill.com
: http://ecustomercheckout.com
: http://ecustomerpay.com
: http://egoodbill.com
: http://epayonlineservice.com
: http://epayviaweb.com
: http://eworldwidepay.com
: http://onlinepaymentsite.com
: http://onlinetransservice.com
: https://paycartservice.com <== SECURE
: http://payquickonline.com
: http://securecartservice.com
: https://securecartservice.com <== SECURE
: http://a5.yourprofileheres.com

PHARMACY EXPRESS ORDER SITE: http://m.doctordqfsh.com/checkout/

* Connected to 85.25.156.216:80
: POST /checkout/ HTTP/1.1
: Host: m.doctordqfsh.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]

In the past the title had been
: [title]Welcome to http://[hostname] Checkout page[/title]

In spite of their assurance that:
"we provide 256bit SSL secure pay page to process your order"
your financial data is submitted unencrypted and insecurely.

Verisign's assurance of security is given in their seal at
: http://[hostname]/201/img/sprite/cart.png?v=1406198662
(part of another sprite tableau) but while in the past the
Verisign seal had been displayed, it is not this time.

THERE HAVE BEEN RECENT CHANGES TO THE ORDER FORM PAGE.
------------------------------------------------------
They used to use very obnoxious Javascript on this page.
It checked and validated each keystroke. On a slightly aged
system, such as mine it was actually quite painful to use
their order form.

Now they use *extremely* obnoxious Javascript on this page.
It spends much more time and is much more CPU expensive while
checking everything every moment and, combined with the flash
tracker which continually runs in the background, connecting
over and over to their tracking site (every twenty seconds
- see below) it is now *very* painful to use their order form
on a slightly aged system such as mine.

If you like the tab key and to tab from form entry to form
entry expecting some sort of sensible arrangement - well,
you will be disappointed here.

There used to be two input boxes for one's email address,
a first and a second, "confirmation" input box to catch
typos. That second box still has the field name "confirm_email"
but is now labeled as 'Alternative e-mail'. They have also
added an input box for a second phone number ("Mobile phone").
The other day "Alternative e-mail" and "Mobile phone" inputs
were required for a successful form submission (though one
could simply enter the same address or phone number in both
input boxes). Today they are optional.

While they seem to have some respect for Verisign and I
did not see the Verisign seal, they seem to have lost all
respect for McAfee as the McAfee SECURE seal at ma.png
: http://[hostname]/checkout/img/ma.png
is back on the page (this seal used to be in a sprite tableau,
transparent_gif_[TIME_STAMP].gif which I no longer see and
had not been on the pages for quite some time) "guaranteeing"
the security of the transaction.
------------------------------------------------------

One connects to the order site, submitting the data:
: i=XXxWQU... This is base 64 encoded data with embedded
: Win/Dos EndsOfLines (%0D%0A). The unescaped
: string had a length of 5428 characters including
: Win/DOS EOLs and 5288 without the EOL characters.

*: The use of "="'s to pad the string's length to a multiple
of four bytes when necessary suggests some sort of
base 64 encoding but it is not simply encoded plain text
using the standard encoding. The data varies and the
string has had different lengths in the past.

NOTE: There are two forms appearing on the page at
the pharmacy site (whose data is submitted
to the order site).
The one with the data does not have an action
submitting it to the order URL.
Javascript simply empties the form going to the
order URL, copies the "i" value from the dummy
form with data to the form going to the order URL
and submits that.

and one gets the order-form page:

: Pharmacy Express Checkout page
: The information you provided will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express

: For quite some time the page had started with:
: ----------------------------------------------
: Pharmacy online-store
: The information you provide will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express

: In the past it had read:
: ------------------------
: Welcome to http://[hostname] Checkout page
: The information you provide will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express
: ------------------------

and before that it had read:
----------------------------
: (c) 2003-2012 Pharmacy Express
: Have a question? Call us back +1-888-738-9650
----------------------------
but now the phone contact is missing.

In the past, when the order site was secure, the text read:
: Welcome to http://[hostname] Secure checkout page
: You have just been redirected to this 256bit SSL secure pay page to process
: your order.
but at the last secure order site, the page omitted the claim of security
as well as the contact phone number.

to which one submits

* Connected to 85.25.156.216:80
: POST /checkout/ HTTP/1.1
: Host: m.doctordqfsh.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]

the data:

: new_customer=1
: &email=[victim's address: email]
: &first_name=[victim's name: first]
: &confirm_email=[victim's address: email] [+]
: &last_name=[victim's name: last]
: &billing_country_id=US
: &billing_city=[victim's address: city]
: &billing_state_id=[victim's address: state]
: &billing_address=[victim's address: street]
: &billing_zip=[victim's address: zip code]
: &phone=[victim's phone number]
: &mobile_phone=[victim's phone number - mobile] [*]
: &shipping_form=on [&]
: &payment_method=visa
: &issuing_bank=[credit card: issuing bank]
: &card_number=[victim's credit card number]
: &cvv=[credit card: private security number]
: &comment=[comment section] [*]
: &birth_year=[victim's birthdate: year]
: &birth_month=[victim's birthdate: month]
: &birth_day=[victim's birthdate: day]
: &expiration_month=[credit card: expiration date: month]
: &expiration_year=[credit card: expiration date: year]
: &utime=[Javascript: Date().toLocaleString()]
: &screen=[Javascript: screen.width+'x'+screen.height+'x'+screen.colorDepth]
: &platform=[Javascript: navigator.platform]
: &srv=[FLASH: fingerprinting system info] [#]
: &fid=[FLASH: flash/session random iD] [#]
: &fnt=[FONTS: fingerprinting font info] [#]
: &uid=[FLASH: SESSION ID] [#]
: &pasted=
: &submit_order=1 [-]

+: This now appears on the form as "Alternative e-mail"
Originally it was a required field.
Now it is optional.

*: New
Originally this was a required field.
Now it is optional.

&: Previously was "as_billing"

-: Previously was "submit_order"

There have been a few changes.
------------------------------
1: Specifying that the shipping address was the
same as the billing address resulted in the
removal/suppression of the shipping_country_id
and shipping_state_id values which had previously
been present.

2: submit_order most recently had the string value, "submit_order",
and now has the value, 1.

3: Two elements (the shipping country and state)
have disappeared while two new ones,
mobile_phone and comment have appeared so the
number of name/value pairs submitted is the same.
------------------------------

One thing interested me. The submit button on this
form says "Confirm data" but the first letter is not a capital
Latin "C". It is a Cyrillic capital "ES" (С, U+0421), which is
visually indistinguishable from the Latin letter in most fonts.
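The Cyrillic "С" in the button label above is a homoglyph. The following is an added example (not code from the page or from Pharmacy Express) showing how to detect such mixed-script letters in a label and how to compare strings by appearance; the sample strings are constructed to match the label described above, and the Cyrillic-to-Latin table is a small hand-built subset rather than the full Unicode confusables data.

```python
import unicodedata

# Constructed samples: the button label described above, first with a Cyrillic
# capital ES (U+0421) in place of the Latin "C", then the all-Latin version.
SAMPLES = {
    "cyrillic_c": "\u0421onfirm data",
    "latin": "Confirm data",
}

# Hand-built subset of visually confusable Cyrillic -> Latin letters.
# Illustrative only; this is not the full Unicode UTS #39 confusables table.
CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def script_of(ch):
    """Coarse script of a letter, taken from the first word of its Unicode name
    (e.g. 'CYRILLIC CAPITAL LETTER ES' -> 'CYRILLIC')."""
    if not ch.isalpha():
        return "NONE"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def find_homoglyphs(text, expected="LATIN"):
    """Return every letter in text whose script differs from the expected one."""
    hits = []
    for i, ch in enumerate(text):
        if not ch.isalpha():
            continue
        script = script_of(ch)
        if script != expected:
            hits.append({
                "index": i,
                "char": ch,
                "codepoint": "U+%04X" % ord(ch),
                "name": unicodedata.name(ch, "?"),
                "script": script,
            })
    return hits


def is_mixed_script(text):
    """True when the letters of text come from more than one script."""
    return len({script_of(c) for c in text if c.isalpha()}) > 1


def skeleton(text):
    """Fold known Cyrillic look-alikes to their Latin twins so two strings can be
    compared by appearance. NFKC normalization alone does not do this."""
    folded = "".join(CONFUSABLES.get(c, c) for c in text)
    return unicodedata.normalize("NFKC", folded)


def looks_like(text, target):
    """True when text is visually the same as target after confusable folding."""
    return skeleton(text) == skeleton(target)
```

Run find_homoglyphs() over the visible strings of a suspect page (button labels, links, the From: header of a mail); a single CYRILLIC hit inside an otherwise LATIN string is the pattern seen here, and looks_like() tells you which legitimate label it was made to imitate.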

Previously the data was submitted in one step but
now one goes through an intermediate "confirmation
page". That page does not repost the data but allows
one to return to the order form page to edit it or to
continue, in which case it simply posts the
confirmation data,
: confirm_order=confirm_order
to

* Connected to 85.25.156.216:80
: POST /checkout/ HTTP/1.1
: Host: m.doctordqfsh.com

which sends one on to a status page:

: HTTP/1.1 302 OK
: Server: nginx/1.2.1
: Location: http://m.doctordqfsh.com/checkout/status/

The order of the entries has changed somewhat.
Here is the prior version:

: OLD DATA AND ORDER:
: -------------------
: new_customer=1
: &email=[victim's address: email]
: &confirm_email=[victim's address: email]
: &phone=[victim's phone number]
: &first_name=[victim's name: first]
: &last_name=[victim's name: last]
: &billing_address=[victim's address: street]
: &billing_city=[victim's address: city]
: &billing_country_id=US
: &billing_state_id=[victim's address: state]
: &billing_zip=[victim's address: zip code]
: &birth_year=[victim's birthdate: year]
: &birth_month=[victim's birthdate: month]
: &birth_day=[victim's birthdate: day]
: &payment_method=visa
: &issuing_bank=[credit card: issuing bank]
: &card_number=[victim's credit card number]
: &expiration_month=[credit card: expiration date: month]
: &expiration_year=[credit card: expiration date: year]
: &cvv=[credit card: private security number]
: &shipping_form=as_billing
: &shipping_country_id=US
: &shipping_state_id=[APPARENTLY THE UNUSED DEFAULT]
: &submit_order=submit_order
: &utime=[Javascript: Date().toLocaleString()]
: &screen=[Javascript: screen.width+'x'+screen.height+'x'+screen.colorDepth]
: &platform=[Javascript: navigator.platform]
: &srv=[FLASH: fingerprinting system info] [#]
: &fid=[FLASH: flash/session random iD] [#]
: &fnt=[FONTS: fingerprinting font info] [#]
: &uid=[FLASH: SESSION ID] [#]
: &pasted=

UPDATED CREDIT CARD PAYMENT OPTIONS:
------------------------------------
It seems that they have lost payment options. Originally
: Visa (payment_method=visa)
: MasterCard (payment_method=mastercard)
: American Express (payment_method=amex)
: JCB (payment_method=jcb) [Japan Credit Bureau]
: Diners Club (payment_method=dinersclub)
: ACH (payment_method=ach) [Automated Clearing House]
were available; then only
: Visa (payment_method=visa)
was available.
American Express reappeared, was gone for some time,
and is now back ("amex").


Isn't Adobe's Shockwave Flash wonderful?
----------------------------------------
A perfect little tool to fingerprint visitors quite
accurately. The order site loads a little flash file,
pons4.swf. It used to be named bridge.swf (the page
element, a DIV with id="swfContent", contains pons4.swf
as an object with that id, "bridge"), then it was named
pons.swf, and now it is pons4.swf (though the pons.swf file,
which uses the tracker host getclickanalysis.com, is still
available). The file is rather heavily obfuscated so it
took some time to handle.

* Connected to 85.25.156.216:80
: GET /checkout/pons4.swf HTTP/1.1
: Host: m.doctordqfsh.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: Content-Type: application/x-shockwave-flash
: Content-Length: 3038

You don't see this hidden item (width="1" height="1").
This file creates a callback function:
: flash.external.ExternalInterface.addCallback(...);
which provides an interface for Javascript. This
provides the Javascript at the order site with a
profile of the visitor's system as determined by the
flash file. Two ID variables (fid and uid) are set.
Along with those the flash file is used to get your system
capabilities and store them in a variable, srv, and finally
it gets a full list of all your fonts ("getFontList") and
sets the variable, fnt, to that list (I have over 400 fonts
installed). I wonder if anyone has the same list of fonts
that I have. The system variable, srv, lists your OS
and kernel (e.g. Linux 2.4.32 for kernel 2.4.32 on
Linux) among many other items. Well, who needs cookies
with so precise a fingerprint?

And this pons4.swf file? It is Google's!!! Sorry Googl's.
WAIT. It isn't google's or googl's any more.

The new domain name is fastclickstatus.com.

Recently it was googlsyndications.com's tracker (before that it
was googlesydnication.com's, "dn", not "nd"). Besides the interface
that lets Javascript access the profile Flash can extract from your
system, this flash file "calls home" every twenty seconds: a heartbeat
tracker. When they apparently lost the "Google" domain names they
used the domain name choosebestkeyword.com and have now switched
to fastclickstatus.com.

Since Pharmacy Express continued to use this tracker as it
moved from googlesydnication to googlsyndications even when the
backend for the heartbeat tracker was down for awhile, I would
hazard a guess that googlesydnication.com, googlsyndications.com,
choosebestkeyword.com and now fastclickstatus.com are part of
Pharmacy Express.


PHARMACY EXPRESS TRACKER: http://[varies].fastclickstatus.com

This was originally googlesydnication.com ("dn", not "nd")
until they lost that domain. It then changed to googlsyndications.com.
It then changed to choosebestkeyword.com and is now
fastclickstatus.com.

Where is it now?

NAMESERVERS FOR fastclickstatus.com FROM THE .com SERVERS.
==========================================================
fastclickstatus.com NS ns1.fastclickstatus.com
fastclickstatus.com NS ns2.fastclickstatus.com
ns1.fastclickstatus.com A 107.181.174.54
ns2.fastclickstatus.com A 107.181.174.54

dig @107.181.174.54 fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: fastclickstatus.com A 107.181.174.54

dig @107.181.174.54 8rvvv2weqt0tlofmuekhlb8k9mfiadp6.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 8rvvv2weqt0tlofmuekhlb8k9mfiadp6.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 iqe4rp02ntlfon5jbzb4in5cdh1433dj.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: iqe4rp02ntlfon5jbzb4in5cdh1433dj.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 ufhyl3n0esyzd2ivey7tz52f3o6v5f6m.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: ufhyl3n0esyzd2ivey7tz52f3o6v5f6m.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 yv0cat4jipkgz7vqxnzva5tvg91cfpll.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yv0cat4jipkgz7vqxnzva5tvg91cfpll.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 jwej8feb8ew7glckzsvnpef7xtov1r8r.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: jwej8feb8ew7glckzsvnpef7xtov1r8r.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 sr4ph67ej8mw4mf2afcv3nty7qgn4li0.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: sr4ph67ej8mw4mf2afcv3nty7qgn4li0.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 mlh3l0y16n7aviautqhfhgag37u8s2zh.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: mlh3l0y16n7aviautqhfhgag37u8s2zh.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 8tfe6gtt6fr1cvt7l2j4pmpvg9f4g0l9.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 8tfe6gtt6fr1cvt7l2j4pmpvg9f4g0l9.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 x6trjwmqzj944m1r7yqkj7aa150vk3k3.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: x6trjwmqzj944m1r7yqkj7aa150vk3k3.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 b4xc98tfxwxf1euuz6q2nxjwjk6wiyr3.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: b4xc98tfxwxf1euuz6q2nxjwjk6wiyr3.fastclickstatus.com A 107.181.174.54

dig @107.181.174.54 8rvvv2weqt0tlofmuekhlb8k9mfiadp6-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 8rvvv2weqt0tlofmuekhlb8k9mfiadp6-sk.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 iqe4rp02ntlfon5jbzb4in5cdh1433dj-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: iqe4rp02ntlfon5jbzb4in5cdh1433dj-sk.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 ufhyl3n0esyzd2ivey7tz52f3o6v5f6m-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: ufhyl3n0esyzd2ivey7tz52f3o6v5f6m-sk.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 yv0cat4jipkgz7vqxnzva5tvg91cfpll-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yv0cat4jipkgz7vqxnzva5tvg91cfpll-sk.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 jwej8feb8ew7glckzsvnpef7xtov1r8r-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: jwej8feb8ew7glckzsvnpef7xtov1r8r-sk.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 sr4ph67ej8mw4mf2afcv3nty7qgn4li0-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: sr4ph67ej8mw4mf2afcv3nty7qgn4li0-sk.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 mlh3l0y16n7aviautqhfhgag37u8s2zh-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: mlh3l0y16n7aviautqhfhgag37u8s2zh-sk.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 8tfe6gtt6fr1cvt7l2j4pmpvg9f4g0l9-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 8tfe6gtt6fr1cvt7l2j4pmpvg9f4g0l9-sk.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 x6trjwmqzj944m1r7yqkj7aa150vk3k3-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: x6trjwmqzj944m1r7yqkj7aa150vk3k3-sk.fastclickstatus.com A 107.181.174.54
dig @107.181.174.54 b4xc98tfxwxf1euuz6q2nxjwjk6wiyr3-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: b4xc98tfxwxf1euuz6q2nxjwjk6wiyr3-sk.fastclickstatus.com A 107.181.174.54
==========================================================
This is a much shortened version. As this heartbeat tracker connects every
twenty seconds, and I forgot about the site and left the order page open,
I have hundreds of random keys in my logs. It seems they have modified the
Flash file, for this time it only saved one entry in Flash's #SharedObjects
directory (not the hundreds I have previously seen; one time, leaving the
order site open in the browser, I had 3592 additions to my #SharedObjects
directory). Is this due to using a constant local object "cust" instead of
decoding an encoded version of the string "cust" (a change that I did notice)?

* Connected to 107.181.174.54:80
: GET /images/tick.gif HTTP/1.1
: Host: 8rvvv2weqt0tlofmuekhlb8k9mfiadp6.fastclickstatus.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.7
: Content-Type: application/x-shockwave-flash
: Content-Length: 274


* Connected to 107.181.174.54:80
: GET /images/sprite.gif HTTP/1.1
: Host: fastclickstatus.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.7
: Content-Type: application/x-shockwave-flash
: Content-Length: 0


* Connected to 107.181.174.54:843
: <policy-file-request/>[NULL_BYTE]

: <?xml version="1.0"?>
: <cross-domain-policy>
: <allow-access-from domain="*" to-ports="*" />
: </cross-domain-policy>


* Connected to 107.181.174.54:10843
: 8rvvv2weqt0tlofmuekhlb8k9mfiadp6
: [NULL_BYTE]

: <?xml version="1.0"?>
: <cross-domain-policy>
: <allow-access-from domain="*" to-ports="*" />
: </cross-domain-policy>

The flash file calls back to fastclickstatus.com every twenty seconds
(for http://[random].fastclickstatus.com/images/tick.gif[*])

*: tick.gif is not an image but a small Flash file (a compressed SWF,
"CWS" signature), though in the past it had come back as
"Content-Type: image/gif".

: ...
: 14:54:09 tkz5o0g6gc59xjveqc99fn93k2m0stco.fastclickstatus.com/images/tick.gif
: 14:54:29 gu1bkgv69fz0xj1winy3bjhxdbc8w4jl.fastclickstatus.com/images/tick.gif
: 14:54:49 tml5hfktcssg0ike1keb719y2ym4cilr.fastclickstatus.com/images/tick.gif
: 14:55:09 nq71htuaiigl20tai1dcanvz9vpj882k.fastclickstatus.com/images/tick.gif
: 14:55:29 2ibcf0xudqu1dowhvqy4a3ykqasiax4x.fastclickstatus.com/images/tick.gif
: 14:55:49 fgajs2rjoahiml5oj5se8lwih20ix4ex.fastclickstatus.com/images/tick.gif
: 14:56:09 9l8pn7zyijb7lbkvro3xxyppwebjedyn.fastclickstatus.com/images/tick.gif
: 14:56:29 meuixr79beddqa2n36jb17042rn1mqp9.fastclickstatus.com/images/tick.gif
: 14:56:49 fom3r4j23w97oprnp1i2gps0bbuzfw2a.fastclickstatus.com/images/tick.gif
: 14:57:09 017k0txzzvjuxps40ffxg6k3nvq1e1cz.fastclickstatus.com/images/tick.gif
: ...
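The log excerpt above is the signature of a heartbeat beacon: a fixed twenty-second period, a fresh random 32-character label in front of the same parent domain on every hit, and the same path each time. The following is an added example (not part of the page) of detection logic that finds that pattern in an access log: the sample log is constructed from the ten lines quoted above plus five unrelated requests to www.example.com as control traffic, and the registrable-domain split is simplified to "last two labels" (a real deployment would use the public suffix list).

```python
import math
import re
from collections import Counter, defaultdict

# Constructed log: the ten tick.gif lines quoted above plus five irregularly
# spaced requests to www.example.com as control traffic.
SAMPLE_LOG = """\
14:54:09 tkz5o0g6gc59xjveqc99fn93k2m0stco.fastclickstatus.com/images/tick.gif
14:54:12 www.example.com/index.html
14:54:29 gu1bkgv69fz0xj1winy3bjhxdbc8w4jl.fastclickstatus.com/images/tick.gif
14:54:49 tml5hfktcssg0ike1keb719y2ym4cilr.fastclickstatus.com/images/tick.gif
14:54:51 www.example.com/style.css
14:55:09 nq71htuaiigl20tai1dcanvz9vpj882k.fastclickstatus.com/images/tick.gif
14:55:29 2ibcf0xudqu1dowhvqy4a3ykqasiax4x.fastclickstatus.com/images/tick.gif
14:55:30 www.example.com/index.html
14:55:49 fgajs2rjoahiml5oj5se8lwih20ix4ex.fastclickstatus.com/images/tick.gif
14:56:09 9l8pn7zyijb7lbkvro3xxyppwebjedyn.fastclickstatus.com/images/tick.gif
14:56:29 meuixr79beddqa2n36jb17042rn1mqp9.fastclickstatus.com/images/tick.gif
14:56:40 www.example.com/about.html
14:56:49 fom3r4j23w97oprnp1i2gps0bbuzfw2a.fastclickstatus.com/images/tick.gif
14:57:09 017k0txzzvjuxps40ffxg6k3nvq1e1cz.fastclickstatus.com/images/tick.gif
14:57:15 www.example.com/index.html
"""

LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\s+([^/\s]+)(/\S*)?$")


def parse_line(line):
    """'HH:MM:SS host/path' -> (seconds since midnight, host, path), else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, host, path = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), host.lower(), path or "/"


def parent_domain(host):
    """Assumption: the registrable domain is the last two labels.
    A real deployment would consult the public suffix list instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def shannon_entropy(s):
    """Bits per character; random base-36 labels score well above 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def find_beacons(log_text, min_hits=5, jitter=0.15, min_entropy=3.5):
    """Flag parent domains that are hit at a steady period through a fresh,
    high-entropy hostname label almost every time."""
    by_domain = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_domain[parent_domain(rec[1])].append(rec)

    findings = {}
    for domain, recs in by_domain.items():
        if len(recs) < min_hits:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        period = sorted(gaps)[len(gaps) // 2]  # median inter-arrival gap
        if period <= 0:
            continue
        regular = sum(abs(g - period) <= jitter * period for g in gaps) / len(gaps)
        suffix = "." + domain
        labels = {r[1][: -len(suffix)] for r in recs if r[1].endswith(suffix)}
        churn = len(labels) / len(recs)  # fraction of hits using a new label
        entropy = sum(shannon_entropy(l) for l in labels) / len(labels) if labels else 0.0
        if regular >= 0.8 and churn >= 0.8 and entropy >= min_entropy:
            findings[domain] = {
                "hits": len(recs),
                "period_s": period,
                "unique_labels": len(labels),
                "label_entropy": round(entropy, 2),
                "paths": sorted({r[2] for r in recs}),
            }
    return findings
```

The three signals are deliberately combined: a steady period alone also matches legitimate polling, and random labels alone also match CDN hostnames; it is the fixed period plus a never-repeating high-entropy label plus an unchanging path that marks this tracker.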

The resolutions, above, for the hostnames containing "-sk"
are used to resolve a different hostname each time for
connections to port 10843 which, like those to port 843,
are raw connections by the Flash player for policy data.
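The exchanges on ports 843 and 10843 above are the Flash socket-policy protocol: the player sends the literal "<policy-file-request/>" followed by a NUL byte and expects an XML policy back, and the grant domain="*" to-ports="*" means a SWF served from any site at all may open raw TCP connections to every port on that host. The following is an added example (not code from the page) that speaks that protocol and grades the answer; the two policy documents are constructed, the first reproducing the grant shown above and the second a tight policy for contrast, and example.com is a placeholder.

```python
import socket
import xml.etree.ElementTree as ET

# The request the Flash player sends on port 843: the literal tag and a NUL.
POLICY_REQUEST = b"<policy-file-request/>\x00"

# Constructed policy documents. The first reproduces the grant seen on ports
# 843 and 10843 above; the second is a tight policy for contrast.
WILDCARD_POLICY = (
    b'<?xml version="1.0"?>\n'
    b"<cross-domain-policy>\n"
    b'<allow-access-from domain="*" to-ports="*" />\n'
    b"</cross-domain-policy>\x00"
)
STRICT_POLICY = (
    b'<?xml version="1.0"?>\n'
    b"<cross-domain-policy>\n"
    b'<allow-access-from domain="example.com" to-ports="10843" />\n'
    b"</cross-domain-policy>\x00"
)


def fetch_socket_policy(host, port=843, request=POLICY_REQUEST, timeout=5.0):
    """Speak the raw socket-policy protocol: send the request, read until the
    NUL terminator (or EOF) and return the bytes. Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        while b"\x00" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        return buf


def parse_policy(raw):
    """Return the (domain, to-ports) pairs granted by a socket policy file."""
    text = raw.split(b"\x00", 1)[0].decode("utf-8", "replace")
    root = ET.fromstring(text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: <%s>" % root.tag)
    return [(e.get("domain", ""), e.get("to-ports", ""))
            for e in root.iter("allow-access-from")]


def assess_policy(grants):
    """Describe over-broad grants. A wildcard domain lets a SWF served from any
    site open raw TCP connections to this host; wildcard ports extend that to
    every service on it."""
    findings = []
    for domain, ports in grants:
        if domain == "*" and ports == "*":
            findings.append("any origin may open raw sockets to any port")
        elif domain == "*":
            findings.append("any origin may open raw sockets to ports %s" % ports)
        elif ports == "*":
            findings.append("%s may open raw sockets to any port" % domain)
    return findings
```

Against a live host, fetch_socket_policy(host, 843) probes the master policy port; the exchange above shows the 10843 listener answered a random key plus a NUL with the same document, which fetch_socket_policy(host, 10843, request=b"anything\n\x00") reproduces.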

SUPPORT SITE: http://yourliveservice.com
SUPPORT SITE: http://liveserviceonline.com [NO LONGER RESOLVABLE]
SUPPORT CONTACT [email]: support@yourliveservice.com
SUPPORT CONTACT [email]: support@liveserviceonline.com [NO LONGER ACCESSIBLE]
SUPPORT CONTACT [phone]: +1-212-389-6349

In the past, if a payment was rejected (the site verified
the credit card for the payment before returning the status
page) the status page returned simply indicated a failure.

SOMETIMES, in verifying a Visa card, it seemed that the backend
did not obtain a result quickly enough, in which case the site
provided a default status page indicating that the card was
accepted and providing a further contact (web site or email
and a phone number).

Submitting a fake order using a Visa card sometimes, but very
seldom, would provide the further contact.

They have updated the order form and its activity and now,
even a rejected order submission elicits:

* Connected to 85.25.156.216:80
: GET /checkout/status/ HTTP/1.1
: Host: m.doctordqfsh.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Checkout status[/title]
: ...
: We are sorry but the transaction was declined by the bank. ...
: If you have any questions about your order, please, contact us:
: phone: +1-212-389-6349
: e-mail: [a href="mailto:support@yourliveservice.com"]support@yourliveservice.com[/a]
: ...
: (c) 2003-2014 Pharmacy Express

So, what is at http://yourliveservice.com?

NAMESERVERS FOR yourliveservice.com FROM THE .com SERVERS.
RESOLUTIONS FROM THE .com SERVERS.
==========================================================
yourliveservice.com NS ns2.hostgallop.com
yourliveservice.com NS ns1.serverienw.com
ns1.hostgallop.com A 117.41.185.240
ns2.hostgallop.com A 109.68.190.176
ns1.serverienw.com A 50.30.34.33
ns2.serverienw.com A 95.191.130.248

dig @117.41.185.240 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @109.68.190.176 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @50.30.34.33 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 209.239.121.30
dig @95.191.130.248 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 209.239.121.30
==========================================================

* Connected to 209.239.121.30:80
: GET / HTTP/1.1
: Host: yourliveservice.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]LiveHelp Support[/title]
: ...
: Our Support Center helps you to:
: 1. View order status
: 2. Cancel order
: 3. View orders' history
: ...
: If you need additional information, please, contact us anytime
: e-mail: [a href="mailto:support@liveserviceonline.com"]support@liveserviceonline.com[/a]
: phone: +1-212-389-6349
: (c) 2003-2014 LiveHelp Support Center.

We have the same phone contact and the new:

SUPPORT CONTACT [email]: support@liveserviceonline.com

But ... there are no NS records in the .com servers
for liveserviceonline.com.

The registration lists
: Name Server: ns1.hostersc.su
: Name Server: ns2.hostzb.com

NAMESERVERS FOR liveserviceonline.com FROM THE REGISTRATION.
RESOLUTIONS FROM THE .com SERVERS.
============================================================
liveserviceonline.com NS ns1.hostersc.su [from the registration]
liveserviceonline.com NS ns2.hostzb.com [from the registration]
ns1.hostzb.com A 117.41.185.247
ns2.hostzb.com A 109.68.190.176
I COULD NOT LOCATE DATA FOR hostersc.su.

dig @117.41.185.247 liveserviceonline.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @109.68.190.176 liveserviceonline.com A +norec +noauth +noqu +noadd
: ;; connection timed out
============================================================

and just in case you think that this is an innocent third-party
support service:

* Connected to 209.239.121.30:80
: GET / HTTP/1.1
: Host: doctordqfsh.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: [script type="text/javascript"]
: var nomobredirect='0';var is_mobile='1';var redirect='m.doctordqfsh.com';
: var width=(screen.width>screen.height)?screen.width:screen.height;
: if(width<1024&&is_mobile=='0'&&nomobredirect=='0'&&redirect.length>3){window.location=location.protocol+'//'+redirect;}
: ...
: [/script]
: ...
: [a href="http://m.doctordqfsh.com/?nomob=1"]Go to full version[/a]


* Connected to 209.239.121.30:80
: GET / HTTP/1.1
: Host: m.doctordqfsh.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.

It is also a host/proxy for the pharmacy pages themselves.

IP ADDRESS: 209.239.121.30
--------------------------
PHARMACY EXPRESS SUPPORT SITE
PHARMACY EXPRESS SITE (see above)
% Abuse contact for '91.227.152.0 - 91.227.155.255' is 'noc@AS39182.net'
inetnum: 91.227.152.0 - 91.227.155.255
netname: GATE-AS
descr: Locals Ltd.
country: RU
abuse-mailbox: noc@AS39182.net
route: 91.227.154.0/23
remarks: Abuse notifications to: abuse@worldstream.nl
155.227.91.in-addr.arpa has SOA [omitted]@netbreeze.net
--------------------------

IP ADDRESS: 50.30.34.33
-----------------------
PHARMACY EXPRESS SUPPORT SITE NAMESERVER
CIDR: 50.30.32.0/20
OrgName: Hosting Solutions International, Inc.
StateProv: MO
Country: US
OrgAbuseEmail: abuse@hostingsolutionsinternational.com
Address 50.30.34.33 maps to hawk080.startdedicated.com
33.34.30.50.in-addr.arpa has SOA [omitted]@ns1.nameserverservice.com
-----------------------

IP ADDRESS: 95.191.130.248
--------------------------
PHARMACY EXPRESS SUPPORT SITE NAMESERVER
% Abuse contact for '95.191.130.0 - 95.191.130.255' is 'ripe@rt.ru'
inetnum: 95.191.130.0 - 95.191.130.255
descr: OJSC "Rostelecom" NSK
remarks: for information service of OJSC "Rostelecom"
country: RU
remarks: abusing & hacking complaints email abuse@sibdc.ru
route: 95.191.128.0/17
descr: OJSC "Sibirtelecom"
notify: [omitted]@ncc.sibirtelecom.ru
--------------------------

ADDITIONAL INFO: TRACKER SITE?: http://getclickanalysis.com

As mentioned above, pons.swf (along with pons4.swf which
is actually used) is available at the spamvertized
pharmacy sites:

* Connected to 85.25.156.216:80
: GET /checkout/pons.swf HTTP/1.1
: Host: m.doctordqfsh.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: Content-Type: application/x-shockwave-flash
: Content-Length: 2982

One does not find the tracker host in the strings in
this file or in a decompilation. However, there are
heavily encoded strings in the decompilation.
Decoding them shows the hostname getclickanalysis.com.

NAMESERVERS FOR getclickanalysis.com FROM THE .com SERVERS.
===========================================================
getclickanalysis.com NS dns2.registrar-servers.com
getclickanalysis.com NS dns1.registrar-servers.com
getclickanalysis.com NS dns3.registrar-servers.com
getclickanalysis.com NS dns4.registrar-servers.com
getclickanalysis.com NS dns5.registrar-servers.com
dns2.registrar-servers.com A 208.64.122.242
dns2.registrar-servers.com A 208.64.122.244
dns1.registrar-servers.com A 173.245.58.17
dns1.registrar-servers.com A 173.245.58.45
dns1.registrar-servers.com A 173.245.59.16
dns1.registrar-servers.com A 173.245.59.40
dns3.registrar-servers.com A 69.197.21.28
dns3.registrar-servers.com A 69.197.21.29
dns4.registrar-servers.com A 173.245.58.17
dns4.registrar-servers.com A 173.245.58.45
dns4.registrar-servers.com A 173.245.59.16
dns4.registrar-servers.com A 173.245.59.40
dns5.registrar-servers.com A 208.64.122.242
dns5.registrar-servers.com A 208.64.122.244

dig @208.64.122.242 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
dig @208.64.122.244 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
dig @173.245.58.17 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
dig @173.245.58.45 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
dig @173.245.59.16 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
dig @173.245.59.40 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
dig @69.197.21.28 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
dig @69.197.21.29 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
dig @173.245.58.17 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
dig @173.245.58.45 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
dig @173.245.59.16 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
dig @173.245.59.40 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
dig @208.64.122.242 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
dig @208.64.122.244 getclickanalysis.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: getclickanalysis.com A 192.31.186.42
===========================================================

http://getclickanalysis.com gets me a page offering
"Products and Services from Namecheap"

so it appears that this domain is now parked.

PRODUCT INFORMATION:

Besides the change in the order form, a substantial
change in the list of available drugs was made recently.
About one hundred new items were added.

There has been no change in that expanded listing since
the last time I checked.


_______________________________________________________

SBL226094 :

Pharmacy Express SITE: http://medicnhjet.ru
: IP address 148.251.72.67: on hetzner.de/primahost.info
: IP address 217.23.4.213: on worldstream.nl

Resolved by the:

Pharmacy Express NAMESERVERS (dnsfeyr.su,cloudghnr.com,dnskreel.com,serverolew.su)
: IP address 61.191.190.8: on Chinanet-AH
: IP address 61.191.190.175: on Chinanet-AH
: IP address 178.124.141.227: SBL225879
: IP address 189.197.62.147: SBL225880 (SBL223535 for 189.197.62.128/27)

Pharmacy Express utilizes a profiler and heartbeat tracker.

As usual, Pharmacy Express makes use of a flash file, pons4.swf, which
provides a rather comprehensive profile of the visitor's system and
which was provided by google! Googlesydnication.com! Wait ... that is
"dn" not "nd". Well that is what it was until they lost that domain and
then it was google! Ooops ... no ... googl. Googlsyndications.com.

Perhaps Google finally acted. The flash file then used the domain,
choosebestkeyword.com but they have now changed it to fastclickstatus.com.

Besides providing a function which is used by Pharmacy Express for a
thorough profile of the victim's system (so extensive one doesn't
need cookies) via Javascript (the profile is part of the data submitted
to the pharmacy site) the flash file also continually connects back to
fastclickstatus.com on ports 80, 843 (the usual flash policy port)
and 10843 (coded in the flash file itself).

Pharmacy Express PROFILER/TRACKER: fastclickstatus.com
: IP address 107.181.161.193: SBL225881

Resolved by its nameserver at 107.181.161.193.

HERE ARE A FEW OTHER HOSTNAMES
FOR THE PHARMACY SITE.
----------------------------------
doctordqfsh.com A 217.23.4.213
doctoreqla.com A 217.23.4.213
doctorzukms.com A 217.23.4.213
medicdebjp.com A 217.23.4.213
medicdeor.com A 217.23.4.213
medicswqo.com A 217.23.4.213
doctordhqz.cn.com A 148.251.72.67
doctordhqzl.cn.com A 148.251.72.67
doctormull.com A 148.251.72.67
doctorran.com A 148.251.72.67
medicswap.com A 148.251.72.67
medicxchy.com A 148.251.72.67
cffpmedic.ru A 148.251.72.67
cfjlmedic.ru A 148.251.72.67
doctorbjdf.ru A 148.251.72.67
doctorbvyv.ru A 148.251.72.67
doctorbwyf.ru A 148.251.72.67
doctorcsrb.ru A 148.251.72.67
doctorefae.ru A 148.251.72.67
doctorfksr.ru A 148.251.72.67
doctorfwye.ru A 148.251.72.67
doctorgfuf.ru A 148.251.72.67
doctorgohv.ru A 148.251.72.67
doctorijgi.ru A 148.251.72.67
doctorjgxk.ru A 148.251.72.67
doctorjyyp.ru A 148.251.72.67
doctorkifu.ru A 148.251.72.67
doctorktvm.ru A 148.251.72.67
doctorkvck.ru A 148.251.72.67
doctorlbll.ru A 148.251.72.67
doctorlnho.ru A 148.251.72.67
doctorltonsrom.ru A 148.251.72.67
doctorluldhi.ru A 148.251.72.67
doctorlyzi.ru A 148.251.72.67
doctorlzew.ru A 148.251.72.67
doctormdgd.ru A 148.251.72.67
doctormqie.ru A 148.251.72.67
doctorncte.ru A 148.251.72.67
doctorngxm.ru A 148.251.72.67
doctornifg.ru A 148.251.72.67
doctorpezhs.ru A 148.251.72.67
doctorqpod.ru A 148.251.72.67
doctorraur.ru A 148.251.72.67
doctorrkss.ru A 148.251.72.67
doctorsrmh.ru A 148.251.72.67
doctorsxwa.ru A 148.251.72.67
doctorthyjo.ru A 148.251.72.67
doctorumdj.ru A 148.251.72.67
doctoruxvq.ru A 148.251.72.67
doctorvctcd.ru A 148.251.72.67
doctorwlpc.ru A 148.251.72.67
doctorwrmd.ru A 148.251.72.67
doctoryifq.ru A 148.251.72.67
doctoryjsy.ru A 148.251.72.67
doctorythb.ru A 148.251.72.67
doctorywrj.ru A 148.251.72.67
doctorzxwt.ru A 148.251.72.67
doctorzztr.ru A 148.251.72.67
dsdlmedics.ru A 148.251.72.67
dthcmedic.ru A 148.251.72.67
dvupmedic.ru A 148.251.72.67
erfxmedic.ru A 148.251.72.67
fzjkmedic.ru A 148.251.72.67
hfncmedics.ru A 148.251.72.67
hzxhmedic.ru A 148.251.72.67
jpqgmedic.ru A 148.251.72.67
kkwfmedic.ru A 148.251.72.67
krmfmedic.ru A 148.251.72.67
lgcnmedic.ru A 148.251.72.67
lmecmedic.ru A 148.251.72.67
lrdgmedic.ru A 148.251.72.67
medicaabf.ru A 148.251.72.67
medicaacg.ru A 148.251.72.67
medicacrja.ru A 148.251.72.67
medicajffu.ru A 148.251.72.67
medicalfo.ru A 148.251.72.67
medicalkk.ru A 148.251.72.67
medicaoci.ru A 148.251.72.67
medicaorl.ru A 148.251.72.67
medicaytcf.ru A 148.251.72.67
medicbfgb.ru A 148.251.72.67
medicbgtc.ru A 148.251.72.67
medicbzbs.ru A 148.251.72.67
mediccdfg.ru A 148.251.72.67
mediccpnof.ru A 148.251.72.67
mediccvmqh.ru A 148.251.72.67
medicdafr.ru A 148.251.72.67
medicdcomq.ru A 148.251.72.67
medicddpb.ru A 148.251.72.67
medicdgxyd.ru A 148.251.72.67
medicdjtu.ru A 148.251.72.67
medicdpana.ru A 148.251.72.67
medicdquu.ru A 148.251.72.67
medicdupy.ru A 148.251.72.67
medicefgb.ru A 148.251.72.67
medicegblm.ru A 148.251.72.67
medicejny.ru A 148.251.72.67
medicelqmz.ru A 148.251.72.67
mediceywh.ru A 148.251.72.67
medicfgdt.ru A 148.251.72.67
medicflmr.ru A 148.251.72.67
medicgchtt.ru A 148.251.72.67
medicgljf.ru A 148.251.72.67
medichhcgk.ru A 148.251.72.67
medichqkr.ru A 148.251.72.67
medichxqbd.ru A 148.251.72.67
medichykry.ru A 148.251.72.67
medicidse.ru A 148.251.72.67
medicijjqv.ru A 148.251.72.67
medicisbw.ru A 148.251.72.67
medicixdvk.ru A 148.251.72.67
medicjaftu.ru A 148.251.72.67
medicjaxc.ru A 148.251.72.67
medicjecw.ru A 148.251.72.67
medicjiirt.ru A 148.251.72.67
medicjtpd.ru A 148.251.72.67
medickecv.ru A 148.251.72.67
medickfhq.ru A 148.251.72.67
medickxkfj.ru A 148.251.72.67
mediclakxh.ru A 148.251.72.67
mediclhechim.ru A 148.251.72.67
mediclhowthe.ru A 148.251.72.67
medicllgdj.ru A 148.251.72.67
medicllorol.ru A 148.251.72.67
mediclwma.ru A 148.251.72.67
medicmbfyi.ru A 148.251.72.67
medicmjuve.ru A 148.251.72.67
medicmqwp.ru A 148.251.72.67
medicnhjet.ru A 148.251.72.67
medicnnqti.ru A 148.251.72.67
medicnrwye.ru A 148.251.72.67
medicnsxgs.ru A 148.251.72.67
medicnuqk.ru A 148.251.72.67
medicnxbg.ru A 148.251.72.67
medicnywvu.ru A 148.251.72.67
medicoingw.ru A 148.251.72.67
medicownm.ru A 148.251.72.67
medicoyhsx.ru A 148.251.72.67
medicozma.ru A 148.251.72.67
medicpnbcd.ru A 148.251.72.67
medicqgqn.ru A 148.251.72.67
medicqlti.ru A 148.251.72.67
medicrfus.ru A 148.251.72.67
medicrmxh.ru A 148.251.72.67
medicsemi.ru A 148.251.72.67
medicsgtu.ru A 148.251.72.67
medicsuhgg.ru A 148.251.72.67
medicsxulj.ru A 148.251.72.67
medictejf.ru A 148.251.72.67
medictqzr.ru A 148.251.72.67
medicuhefj.ru A 148.251.72.67
medicukker.ru A 148.251.72.67
medicvcnfw.ru A 148.251.72.67
medicvuuwf.ru A 148.251.72.67
medicwytsj.ru A 148.251.72.67
medicxdrl.ru A 148.251.72.67
medicxdxc.ru A 148.251.72.67
medicxktef.ru A 148.251.72.67
medicxmyk.ru A 148.251.72.67
medicxqise.ru A 148.251.72.67
medicyjwaf.ru A 148.251.72.67
medicykxbx.ru A 148.251.72.67
medicykxvs.ru A 148.251.72.67
medicymzyo.ru A 148.251.72.67
mediczqt.ru A 148.251.72.67
mediczrb.ru A 148.251.72.67
mediczvjp.ru A 148.251.72.67
mediczxnuq.ru A 148.251.72.67
mlqtmedic.ru A 148.251.72.67
naaymedic.ru A 148.251.72.67
oiermedic.ru A 148.251.72.67
qibemedic.ru A 148.251.72.67
qnzdmedic.ru A 148.251.72.67
rruomedic.ru A 148.251.72.67
uelbmedic.ru A 148.251.72.67
uqzbmedic.ru A 148.251.72.67
xgyamedic.ru A 148.251.72.67
ywsnmedic.ru A 148.251.72.67
zhtsmedic.ru A 148.251.72.67
mediciwqrl.su A 148.251.72.67
medicpatzm.su A 148.251.72.67
----------------------------------

DETAILS:
--------

PHARMACY EXPRESS SITE: http://medicnhjet.ru

NOTE ABOVE THAT SOME OF THE DOMAIN NAMES RESOLVE
DIFFERENTLY. LET ME CHECK THE RESOLUTIONS FOR ONE
OF THEM, doctordqfsh.com, AND medicnhjet.ru.

NAMESERVERS FOR doctordqfsh.com AND medicnhjet.ru
FROM THE .com AND .ru SERVERS.
RESOLUTIONS FROM THE .com AND .su SERVERS.
=================================================
doctordqfsh.com NS ns1.dnskreel.com
doctordqfsh.com NS ns2.serverolew.su
medicnhjet.ru NS ns1.cloudghnr.com
medicnhjet.ru NS ns2.dnsfeyr.su
ns1.serverolew.su A 61.191.190.8
ns2.serverolew.su A 178.124.141.227
ns1.dnskreel.com A 61.191.190.8
ns2.dnskreel.com A 178.124.141.227
ns1.cloudghnr.com A 61.191.190.175
ns2.cloudghnr.com A 189.197.62.147
ns1.dnsfeyr.su A 61.191.190.175
ns2.dnsfeyr.su A 189.197.62.147

dig @61.191.190.8 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 217.23.4.213
dig @178.124.141.227 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 217.23.4.213

dig @61.191.190.175 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 148.251.72.67
dig @189.197.62.147 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 148.251.72.67

dig @61.191.190.8 medicnhjet.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: medicnhjet.ru A 217.23.4.213
dig @178.124.141.227 medicnhjet.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: medicnhjet.ru A 217.23.4.213

dig @61.191.190.175 medicnhjet.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: medicnhjet.ru A 148.251.72.67
dig @189.197.62.147 medicnhjet.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: medicnhjet.ru A 148.251.72.67
=================================================

We have two pairs of nameservers.
One pair, 61.191.190.8 and 178.124.141.227, resolves
Pharmacy Express hosts to 217.23.4.213.
The other, 61.191.190.175 and 189.197.62.147, resolves
them to 148.251.72.67.

One would expect, then, that these are used as load
balancers and that one can find the same sites up at
both IP addresses.

Let me check for medicnhjet.ru at both.

* Connected to 148.251.72.67:80
: GET / HTTP/1.1
: Host: medicnhjet.ru

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.


* Connected to 217.23.4.213:80
: GET / HTTP/1.1
: Host: medicnhjet.ru

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.

The pages obtained from the two sites were byte-for-byte identical.
(Sometimes there are some minor differences in what appear to be
session or host values.)
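A small checker for this kind of split authoritative resolution, added here as an example and not part of the ROKSO record: it parses dig transcripts in the format above, keeps only answers carrying the aa flag, and reports names whose authoritative servers disagree. The DIG_LOG sample is constructed from the transcript above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the dig transcript above.
DIG_LOG = """\
dig @61.191.190.8 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 217.23.4.213
dig @178.124.141.227 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 217.23.4.213
dig @61.191.190.175 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 148.251.72.67
dig @189.197.62.147 doctordqfsh.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctordqfsh.com A 148.251.72.67
"""

DIG_RE = re.compile(r"^dig @(\S+) (\S+) A\b")
FLAGS_RE = re.compile(r"^: ;; flags: ([a-z ]+?)\s*(?:<--|$)")
ANSWER_RE = re.compile(r"^: (\S+) A (\d+\.\d+\.\d+\.\d+)$")


def parse_dig_log(text):
    """Return a list of (nameserver, qname, flags, answer_ip) tuples.

    Each 'dig @server name A' line opens a query; the following ': ;; flags:'
    line gives the header flags and the ': name A ip' line the answer."""
    results = []
    server = qname = None
    flags = set()
    for line in text.splitlines():
        m = DIG_RE.match(line)
        if m:
            server, qname = m.groups()
            flags = set()
            continue
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = ANSWER_RE.match(line)
        if m and server and m.group(1) == qname:
            results.append((server, qname, frozenset(flags), m.group(2)))
    return results


def split_resolutions(records):
    """Group authoritative answers per name: {qname: {ip: sorted nameservers}}.

    Answers without the 'aa' flag are ignored: a cached answer from a
    recursive server says nothing about what the zone's own servers serve."""
    table = defaultdict(lambda: defaultdict(list))
    for server, qname, flags, ip in records:
        if "aa" not in flags:
            continue
        table[qname][ip].append(server)
    return {q: {ip: sorted(s) for ip, s in by_ip.items()}
            for q, by_ip in table.items()}


def names_with_split_answers(records):
    """Names for which the authoritative servers return different A records."""
    return sorted(q for q, by_ip in split_resolutions(records).items()
                  if len(by_ip) > 1)


if __name__ == "__main__":
    recs = parse_dig_log(DIG_LOG)
    for name in names_with_split_answers(recs):
        print(name, split_resolutions(recs)[name])
```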

IP ADDRESS: 148.251.72.67
-------------------------
PHARMACY EXPRESS SITE
inetnum: 148.251.72.64 - 148.251.72.95 (148.251.72.64/27)
descr: PrimaHost
country: DE
remarks: abuse@primahost.info
remarks: The contents of your abuse email
remarks: will be forwarded directly on to
remarks: our client for handling.
route: 148.251.0.0/16
org-name: Hetzner Online AG
e-mail: [omitted]@hetzner.de
Address 148.251.72.67 maps to static.67.72.251.148.clients.your-server.de
72.251.148.in-addr.arpa has SOA [omitted]@your-server.de
-------------------------

IP ADDRESS: 217.23.4.213
------------------------
PHARMACY EXPRESS SITE
inetnum: 217.23.4.197 - 217.23.4.255
descr: WorldStream IPv4.11
country: NL
abuse-mailbox: abuse@worldstream.nl
Address 217.23.4.213 maps to customer.worldstream.nl
4.23.217.in-addr.arpa has SOA [omitted]@worldstream.nl
------------------------

IP ADDRESS: 61.191.190.8
IP ADDRESS: 61.191.190.175
--------------------------
PHARMACY EXPRESS NAMESERVER
inetnum: 61.191.0.0 - 61.191.255.255
netname: CHINANET-AH
descr: CHINANET Anhui province network
remarks: send spam reports to abuse@anhuitelecom.com
remarks: and abuse reports to abuse@anhuitelecom.com
e-mail: anti-spam@ns.chinanet.cn.net
191.61.in-addr.arpa has SOA [omitted]@ns.ahhfptt.net.cn
------------------------

IP ADDRESS: 178.124.141.227
---------------------------
PHARMACY EXPRESS NAMESERVER
178.124.141.227/32 is on the SBL as SBL225879.
Pharmacy Express nameserver
---------------------------

IP ADDRESS: 189.197.62.147
--------------------------
PHARMACY EXPRESS NAMESERVER
189.197.62.147/32 is on the SBL as SBL225880.
Pharmacy Express nameserver
--------------------------
189.197.62.128/27 is on the SBL as SBL223535.
Russian botnet drug spammer server


I will check medicnhjet.ru at 148.251.72.67.

Let's see ... These sites can have different brandings.
Some are branded as Canadian Pharmacy in the title (an old
spamvertized pharmacy site) with a copyright claiming to be
Canadian Health&Care Mall (a current Yambo spam operation
brand) though it is neither - it is Pharmacy Express.

This is one of their sites branded as ... Pharmacy Express.

This uses the /201/ directory (other themes/brandings are in
different directories, such as /204/ for Canadian Health&Care Mall).

An encoded phone number appears on all their sites, decoded
to a Javascript variable which is unused on, for example,
Canadian Health&Care Mall sites. The Javascript used to put
the phone number on the page at Pharmacy Express branded sites,
but no longer.

ENCODED JAVASCRIPT: SHORTER SCRIPTS, NOW ENCODED
------------------------------------------------
They used to use a lot of their own code. Now they use jquery.
Their code used to be plain Javascript source text.
Then their (large) script was doubly encoded (base64 and XOR
with an array of values). This time four sections of code
at the end of the script (including the QuickSearch library)
are encrypted.

The encoded phone number which appears in the home page's HTML code
-------------------------------------------------------------------------------
var msgs = {
: removeProduct: "You are removing %PRODUCT_TITLE% from your cart. Continue?",
: notFound: "Not found",
: emptySearchQuery: "Empty search query",
: search: "Search...",
: minLengthIs: "minimum allowed length is",
: maxLengthIs: "maximum allowed length is",
: characters: "characters",
: emptyCart: "Do you really want to empty cart ?",
: phone: "+k-aee vgb-kevk",
: siteTitle: "Pharmacy Express"
};
-------------------------------------------------------------------------------
is decoded by their translate function in the script file,
http://[hostname]/201/js/_set_main.js?v=ef59575534ec57a5a6ea05695f7b26c8

function translate(string,search,replace), which just implements
a simple substitution (transliteration, "tr") function:
: $('.phn').html(translate(msgs.phone, 'kagzrvbehn', '1845962037'));

[The code was originally
: var phone=translate(msgs.phone,'kagzrvbehn','1845962037');
using a separate variable for the decoded phone number
which was then used on the page. Now the 'phone' variable is gone.]
(The substitution had been different in the dim past.)

and, of course:
: echo "+k-aee vgb-kevk" | tr 'kagzrvbehn' '1845962037'

gives the usual phone number: +1-800 642-1061
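The same decoding as a reusable routine, added here as an example (not the spammer's script and not part of the ROKSO record): it reimplements the translate()/tr substitution and pulls both the encoded phone string and the two alphabets out of page text, since the note above records that the substitution has changed over time. SAMPLE_HTML and SAMPLE_JS are constructed fragments in the shape of the msgs block and the translate() call shown above.

```python
import re
from typing import Optional

# Constructed fragments mirroring the msgs block and the translate() call.
SAMPLE_HTML = '''
var msgs = {
  phone: "+k-aee vgb-kevk",
  siteTitle: "Pharmacy Express"
};
'''
SAMPLE_JS = '''
$('.phn').html(translate(msgs.phone, 'kagzrvbehn', '1845962037'));
'''


def translate(string: str, search: str, replace: str) -> str:
    """Character-for-character substitution, the same thing tr(1) does:
    each character of `search` maps to the character at the same index in
    `replace`; characters not in `search` pass through unchanged."""
    if len(search) != len(replace):
        raise ValueError("search and replace alphabets must have equal length")
    return string.translate(str.maketrans(search, replace))


MSGS_PHONE_RE = re.compile(r'phone\s*:\s*"([^"]*)"')
TRANSLATE_CALL_RE = re.compile(
    r"translate\(\s*msgs\.phone\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*\)")


def extract_phone(html: str, script: str) -> Optional[str]:
    """Recover the plaintext phone number from a page and its script.

    The alphabets are read from the translate() call rather than hard-coded
    so the decoder keeps working when the substitution is changed."""
    m_phone = MSGS_PHONE_RE.search(html)
    m_call = TRANSLATE_CALL_RE.search(script)
    if not (m_phone and m_call):
        return None
    search, replace = m_call.groups()
    return translate(m_phone.group(1), search, replace)


if __name__ == "__main__":
    print(extract_phone(SAMPLE_HTML, SAMPLE_JS))
```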

NOTE: If your browser does NOT indicate that it supports compression (gzip)
the pages come back uncompressed BUT THE JAVASCRIPT AND/OR STYLE SHEET
FILE MAY COME BACK COMPRESSED ANYWAY. I often configure firefox not to
accept compressed pages so I can do a packet capture and 'grep' through
it for relevant items. Material will be invisible even with Javascript
enabled if the browser is set not to request (or decompress) compressed
content and the Javascript is compressed. At times only the Javascript
file was compressed. At other times only the style sheet was compressed.
Sometimes both come back compressed. Both were compressed this time.

The page style changed some time ago. Besides using Javascript to place messages
(and encoding the phone number - one can no longer 'google' for that number to find
other hosts/pages) there were lines over 50K in size on the starting page.
Those were long style sheet codes. Now separate style sheet files are used
and the longest line I now see on the page is about 17K in size.

Surprisingly the copyright notice at the bottom of the page,
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.
was not encoded as the phone number is, though you won't find
"Pharmacy Express" when grep'ing through the page's HTML code
as it appears as "Pha[span]rmacy Express.[/span]".

STYLE SHEET TO POSITION BOOKMARK (facebook, etc.) LINKS OVER IMAGE
---------------------------------------------------------------------------
WHILE I HAVE NOT RECENTLY SEEN THE Facebook AND OTHER SOCIAL NETWORK LINKS
ON THE PAGES USING DIFFERENT BRANDINGS (e.g. "Canadian Pharmacy",
"Canadian Health&Care Mall") THEY DO APPEAR ON THIS PHARMACY EXPRESS SITE.
---------------------------------------------------------------------------
The page has links to various social networking sites such as
[a href="http://www.facebook.com/share.php?u=%site_url%" class="c" title="Save to Facebook"][/a]
in a "div" element, [div class="bookmarks"].

The Javascript contains the code to update the data:
------------------------------------------------
var reSiteURL = new RegExp('\%site_url\%', "g");
var reSiteTitle = new RegExp('\%site_title\%', "g");
$(".bookmarks a").each(function() {
var url = $(this).attr('href');
url = url.replace(reSiteURL, location.protocol + '//' + location.host);
url = url.replace(reSiteTitle, msgs.siteTitle); $(this).attr('href', url);});
------------------------------------------------
When Javascript was first used to update the social site links
there was only a regular expression to change the site_url,
not the site_title, but when they started using multiple brandings
such as 'ED Express' or 'Canadian Pharmacy' the code to set the
title was added.

The bookmark links, such as the above facebook link, have length zero!
How to click on them? The style sheet repositions them over the header image,
: .header .bookmarks{position:absolute;top:177px;left:35px}
: .header .bookmarks a{width:16px;height:16px;display:block;position:relative;
: float:left;margin-right:2px;margin-top:3px}
giving each a width of 16 pixels. They are positioned so that
the clickable region for each social network's link is placed over
that network's icon embedded in the header image,
http://[hostname]/201/img/header/header-bg-usps.jpg
which is often modified to suit the current holiday or celebration
such as header-bg-flagday.jpg for Flag Day (US: 14 June).

When these sites were hosted on bots (at other times the
spammer gets his own hosting) or for other reasons had
problems with bandwidth the images had often been hosted
elsewhere but I have not seen images loaded from elsewhere
for quite some time.

This time very few real images are loaded, but from the spamvertized
site itself with URLs such as:
: http://[hostname]/201/img/sprite/most_popular_1.jpg?v=1401366118

NOTE: Few images are used. For example two images are used for all
the pill images, "sprite" panels (tableaux of pill subimages)
: http://[hostname]/201/img/sprite/most_popular_1.jpg?v=1401366118
: http://[hostname]/201/img/sprite/most_popular_2.jpg?v=1401366118
STYLE SHEET:
: .spr_products_75x75_viagra,.spr_products_75x75_viagra_brand,.spr_products_75x75_cialis,...
: {background-image:url(../img/sprite/most_popular_1.jpg?v=1401366118) !important}
(the css page is in http://[hostname]/201/css/)
and various selections from the image are carefully placed
: .spr_products_75x75_propecia
: {background-position:-75px 0 !important;width:75px !important;height:75px !important}
so the portion which appears as the background for each
anchor tag/link is just the proper pill image.
(A TINY CHANGE. The version I have most often seen has
"background-position:-75px 0px" but sometimes a site uses
"-75px 0"; after all "0px" or "0anything_else" is still the
same size, zero.)

One used to find separate images such as
: http://[hostname]/101/img/products/75x75/levitra_brand.jpg
Now the images appear to have a time stamp, net-time, the number
of seconds since 1 January 1970.

Sometimes these sites have a secure order form and sometimes not.
Usually the order site is not secure.

This time upon reaching the CHECKOUT page I found the form:
: [form id="form_checkout" action="/checkout/" method="post"][/form]

Most often, recently, the action has simply been action="/checkout/"
with payment being submitted to the pharmacy site itself.
Sometimes the "action" points to another, order, site such as
the following (lexicographically sorted by domain name).
Note that sometimes (but infrequently) they are secure:
: http://e-billprovider.com
: http://e-billresponse.com
: http://e-billsupport.com
: http://e-buyassist.com
: http://e-buybox.com
: http://e-buyprocess.com
: http://e-cartprocess.com
: http://e-fastestpay.com
: http://e-paymentassist.com
: http://e-paymentservice.com
: http://ebillwebform.com
: http://eclientplace.com
: https://eclientplace.com <== SECURE
: http://ecustomerbill.com
: http://ecustomercheckout.com
: http://ecustomerpay.com
: http://egoodbill.com
: http://epayonlineservice.com
: http://epayviaweb.com
: http://eworldwidepay.com
: http://onlinepaymentsite.com
: http://onlinetransservice.com
: https://paycartservice.com <== SECURE
: http://payquickonline.com
: http://securecartservice.com
: https://securecartservice.com <== SECURE
: http://a5.yourprofileheres.com

PHARMACY EXPRESS ORDER SITE: http://medicnhjet.ru/checkout/

* Connected to 148.251.72.67:80
: POST /checkout/ HTTP/1.1
: Host: medicnhjet.ru

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]

In the past the title had been
: [title]Welcome to http://[hostname] Checkout page[/title]

In spite of their assurance that:
"we provide 256bit SSL secure pay page to process your order"
your financial data is submitted unencrypted and insecurely.

Verisign's assurance of security is given in their seal at
: http://[hostname]/201/img/sprite/cart.png?v=1401366118
(part of another sprite tableau) but while in the past the
Verisign seal had been displayed, it is not this time.

NOTE: The order form has the image:
: http://[hostname]/checkout/201/images/sprite/transparent_gif_1400750440.gif
which contains McAfee's "McAfee SECURE" attestation of security.
It is not displayed. It is a sprite image and also contains a
sprite with an image of a dollar sign ($) which is apparently
all that is used:
: .spr_currency_usd{background-image:url(../images/sprite/transparent_gif_1400750440.gif) !important}

One connects to the order site, submitting the data:
: i=XXxWQU... This is base 64 encoded data with embedded
: Win/Dos EndsOfLines (%0D%0A). The unescaped
: string had a length of 5370 characters including
: Win/DOS EOLs and 5232 without the EOL characters.

*: The use of "="'s to pad the string's length to a multiple
: of four bytes when necessary suggests some sort of
: base 64 encoding but it is not simply encoded plain text
: using the standard encoding. The data varies and the
: string has had different lengths in the past.

NOTE: There are two forms appearing on the page at
: the pharmacy site (whose data is submitted
: to the order site).
: The one with the data does not have an action
: submitting it to the order URL.
: Javascript simply empties the form going to the
: order URL, copies the "i" value from the dummy
: form with data to the form going to the order URL
: and submits that.

and one gets the order-form page:

: Pharmacy online-store
: The information you provide will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express

: In the past it had read:
: ------------------------
: Welcome to http://[hostname] Checkout page
: The information you provide will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express
: ------------------------

and before that it had read:
----------------------------
: (c) 2003-2012 Pharmacy Express
: Have a question? Call us back +1-888-738-9650
----------------------------
but now the phone contact is missing.

In the past, when the order site was secure, the text read:
: Welcome to http://[hostname] Secure checkout page
: You have just been redirected to this 256bit SSL secure pay page to process
: your order.
but at the last secure order site, the page omitted the claim of security
as well as the contact phone number.

to which one submits

* Connected to 148.251.72.67:80
: POST /checkout/ HTTP/1.1
: Host: medicnhjet.ru
:
: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]

the data:

: new_customer=1
: &email=[victim's address: email]
: &confirm_email=[victim's address: email]
: &phone=[victim's phone number]
: &first_name=[victim's name: first]
: &last_name=[victim's name: last]
: &billing_address=[victim's address: street]
: &billing_city=[victim's address: city]
: &billing_country_id=US
: &billing_state_id=[victim's address: state]
: &billing_zip=[victim's address: zip code]
: &birth_year=[victim's birthdate: year]
: &birth_month=[victim's birthdate: month]
: &birth_day=[victim's birthdate: day]
: &payment_method=visa [-]
: &issuing_bank=[credit card: issuing bank]
: &card_number=[victim's credit card number] [-]
: &expiration_month=[credit card: expiration date: month]
: &expiration_year=[credit card: expiration date: year]
: &cvv=[credit card: private security number]
: &shipping_form=as_billing
: &shipping_country_id=US [*]
: &shipping_state_id=[APPARENTLY THE UNUSED DEFAULT] [*]
: &submit_order=submit_order [+]
: &utime=[Javascript: Date().toLocaleString()]
: &screen=[Javascript: screen.width+'x'+screen.height+'x'+screen.colorDepth]
: &platform=[Javascript: navigator.platform]
: &srv=[FLASH: fingerprinting system info] [#]
: &fid=[FLASH: flash/session random iD] [#]
: &fnt=[FONTS: fingerprinting font info] [#]
: &uid=[FLASH: SESSION ID] [#]
: &pasted=

*: AT THIS SITE THE DATA:
: &extra_conversation_time_from=[start_time]
: &extra_conversation_time_to=[end_time]
which immediately followed the zip code and preceded the birth_year
and the other "extra" values
: &extra_remind_by_phone=never
: &extra_remind_by_phone_days=30
: &extra_remind_by_phone_from=9
: &extra_remind_by_phone_to=20
: &extra_remind_by_email=never
: &extra_remind_by_email_days=30
as well as the flag showing whether the medical questionnaire
data should be submitted or not
: &medical_questionnaire_show=0
are missing. IT SEEMS THAT THEY HAVE REMOVED THESE FROM THEIR PAGES.
The two items, shipping_country_id and shipping_state_id, are rather new.
As I set the shipping data equal to the billing data, shipping_form=as_billing,
these may be unused. They had better be! They got the STATE I submitted
right for the billing_state_id but the shipping_state was apparently
left set equal to the default (top of the list, AL, Alabama).

+: THIS USED TO SAY submit_order=submit_order, then it said
submit_order=1, (at least on sites with other brandings)
and now it says submit_order=submit_order again.

-: UPDATED CREDIT CARD PAYMENT OPTIONS:
It seems that they have lost payment options,
for originally
: Visa (payment_method=visa)
: MasterCard (payment_method=mastercard)
: American Express (payment_method=amex)
: JCB (payment_method=jcb) [Japan Credit Bureau]
: Diners Club (payment_method=dinersclub)
: ACH (payment_method=ach) [Automated Clearing House]
were available and then only
: Visa (payment_method=visa)
was available.
American Express had reappeared, was gone for some time
and now is back ("amex").


#: Isn't Adobe's Shockwave Flash wonderful?
-------------------------------------------
A perfect little tool to fingerprint visitors quite
accurately. The order site loads a little flash file,
pons4.swf. It used to be named bridge.swf (and the page
element, a DIV with id="swfContent", contains pons4.swf,
an object with that id, "bridge") then it was named pons.swf
but they have changed it. The file is rather heavily
obfuscated, so it took some time to handle.

* Connected to 148.251.72.67:80
: GET /checkout/pons4.swf HTTP/1.1
: Host: medicnhjet.ru

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: Content-Type: application/x-shockwave-flash
: Content-Length: 3038

You don't see this hidden item (width="1" height="1").
This file creates a callback function:
: flash.external.ExternalInterface.addCallback(...);
which provides an interface for Javascript. This
provides the Javascript at the order site with a
profile of the visitor's system as determined by the
flash file. Two ID variables (fid and uid) are set.
Along with those the flash file is used to get your system
capabilities and store them in a variable, srv, and finally
it gets a full list of all your fonts ("getFontList") and
sets the variable, fnt, to that list (I have over 400 fonts
installed). I wonder if anyone has the same list of fonts
that I have. The system variable, srv, lists your OS
and kernel (e.g. Linux 2.4.32 for kernel 2.4.32 on
Linux) among many other items. Well, who needs cookies
with so precise a fingerprint?

And this pons4.swf file? It is Google's!!! Sorry Googl's.
WAIT. It isn't google's or googl's any more.

The new domain name is fastclickstatus.com.

Recently it was googlsyndications.com's (before that it
was googlesydnication.com's ("dn", not "nd")) tracker
(besides the interface to enable Javascript to access the
profile that flash can extract from your system, this flash
file "calls home" every twenty seconds, a heartbeat tracker).
When they seem to have lost the "Google" domain names
they used the domain name choosebestkeyword.com and have
now switched to fastclickstatus.com.

Since Pharmacy Express continued to use this tracker as it
moved from googlesydnication to googlsyndications even when the
backend for the heartbeat tracker was down for awhile, I would
hazard a guess that googlesydnication.com, googlsyndications.com,
choosebestkeyword.com and now fastclickstatus.com are part of
Pharmacy Express.


PHARMACY EXPRESS TRACKER: http://[varies].fastclickstatus.com

This was originally googlesydnication.com ("dn", not "nd")
until they lost that domain. It then changed to googlsyndications.com.
It then changed to choosebestkeyword.com and is now
fastclickstatus.com.

Where is it now?

NAMESERVERS FOR fastclickstatus.com FROM THE .com SERVERS.
==========================================================
fastclickstatus.com NS ns1.fastclickstatus.com
fastclickstatus.com NS ns2.fastclickstatus.com
ns1.fastclickstatus.com A 107.181.161.193
ns2.fastclickstatus.com A 107.181.161.193

dig @107.181.161.193 fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: fastclickstatus.com A 107.181.161.193

dig @107.181.161.193 u1oysoveuajhae5604spa6slurw4npy2.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: u1oysoveuajhae5604spa6slurw4npy2.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 lpuujcg13c50vbi3yiyr7fgk680652jd.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: lpuujcg13c50vbi3yiyr7fgk680652jd.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 hypxbbwk1gyjjjz4mzurz45hqoh1k2u6.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: hypxbbwk1gyjjjz4mzurz45hqoh1k2u6.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 21auopy4w5z6nj1jfc9xd84sechxfpbt.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 21auopy4w5z6nj1jfc9xd84sechxfpbt.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 8qcqjequenyqxygjs40hez3jf4zcohcm.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 8qcqjequenyqxygjs40hez3jf4zcohcm.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 ydykt8iwdyfvnyg245thqlu45l5e59po.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: ydykt8iwdyfvnyg245thqlu45l5e59po.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 vzfyp07f34v04z1wjlmpjqx817jrf46w.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: vzfyp07f34v04z1wjlmpjqx817jrf46w.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 xbiqdmepsuemigfwsggkghli59q2x81a.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: xbiqdmepsuemigfwsggkghli59q2x81a.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 ijlfvtemp319c9o1dkbi076ebah584je.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: ijlfvtemp319c9o1dkbi076ebah584je.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 1zejmbv3f3bygmvq7gcelov4hlhyktp1.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 1zejmbv3f3bygmvq7gcelov4hlhyktp1.fastclickstatus.com A 107.181.161.193

dig @107.181.161.193 u1oysoveuajhae5604spa6slurw4npy2-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: u1oysoveuajhae5604spa6slurw4npy2-sk.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 lpuujcg13c50vbi3yiyr7fgk680652jd-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: lpuujcg13c50vbi3yiyr7fgk680652jd-sk.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 hypxbbwk1gyjjjz4mzurz45hqoh1k2u6-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: hypxbbwk1gyjjjz4mzurz45hqoh1k2u6-sk.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 21auopy4w5z6nj1jfc9xd84sechxfpbt-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 21auopy4w5z6nj1jfc9xd84sechxfpbt-sk.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 8qcqjequenyqxygjs40hez3jf4zcohcm-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 8qcqjequenyqxygjs40hez3jf4zcohcm-sk.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 ydykt8iwdyfvnyg245thqlu45l5e59po-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: ydykt8iwdyfvnyg245thqlu45l5e59po-sk.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 vzfyp07f34v04z1wjlmpjqx817jrf46w-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: vzfyp07f34v04z1wjlmpjqx817jrf46w-sk.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 xbiqdmepsuemigfwsggkghli59q2x81a-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: xbiqdmepsuemigfwsggkghli59q2x81a-sk.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 ijlfvtemp319c9o1dkbi076ebah584je-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: ijlfvtemp319c9o1dkbi076ebah584je-sk.fastclickstatus.com A 107.181.161.193
dig @107.181.161.193 1zejmbv3f3bygmvq7gcelov4hlhyktp1-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 1zejmbv3f3bygmvq7gcelov4hlhyktp1-sk.fastclickstatus.com A 107.181.161.193
==========================================================
This is a much shortened version. As this heartbeat tracker connects every
twenty seconds and I forgot about the site and left the order page open
I have hundreds of random keys in my logs. It seems they have modified the
Flash file for this time it only saved one entry in Flash's #SharedObjects
directory (not the hundreds I have previously seen - one time, leaving the
order site open in the browser I had 3592 additions to my #SharedObjects
directory). Is this due to using a constant local object "cust" instead of
decoding an encoded version of the string, "cust" (a change that I did notice)?

* Connected to 107.181.161.193:80
: GET /images/tick.gif HTTP/1.1
: Host: u1oysoveuajhae5604spa6slurw4npy2.fastclickstatus.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.7
: Content-Type: application/x-shockwave-flash
: Content-Length: 274


* Connected to 107.181.161.193:80
: GET /images/sprite.gif HTTP/1.1
: Host: fastclickstatus.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.7
: Content-Type: application/x-shockwave-flash
: Content-Length: 0


* Connected to 107.181.161.193:843
: <policy-file-request/>[NULL_BYTE]

: <?xml version="1.0"?>
: <cross-domain-policy>
: <allow-access-from domain="*" to-ports="*" />
: </cross-domain-policy>


* Connected to 107.181.161.193:10843
: u1oysoveuajhae5604spa6slurw4npy2
: [NULL_BYTE]

: <?xml version="1.0"?>
: <cross-domain-policy>
: <allow-access-from domain="*" to-ports="*" />
: </cross-domain-policy>

IP ADDRESS: 107.181.161.193
---------------------------
PHARMACY EXPRESS PROFILER/TRACKER
PHARMACY EXPRESS PROFILER/TRACKER NAMESERVER
107.181.161.193/32 is on the SBL as SBL225881.
Pharmacy Express tracker (fastclickstatus.com)
---------------------------

The flash file calls back to fastclickstatus.com every twenty seconds
(for http://[random].fastclickstatus.com/images/tick.gif[*])

*: tick.gif is a small flash, CWS, file, though
in the past it had come back as "Content-Type: image/gif".

: ...
: 15:43:10 sdgwa72xb8mc2fx0op36n58qznnjj8xn.fastclickstatus.com/images/tick.gif
: 15:43:30 y4f9rwd9zmptdskmnq2e3lhmp7emxa07.fastclickstatus.com/images/tick.gif
: 15:43:50 vlkdxkoi2xzojz9gzuy3i9j1ggyj5l9a.fastclickstatus.com/images/tick.gif
: 15:44:10 xq3joz3kczb6jj7b1b2bef5ayz9ufntr.fastclickstatus.com/images/tick.gif
: 15:44:30 dbfnyueobqsicsmb1229dcd9i15s04ac.fastclickstatus.com/images/tick.gif
: 15:44:50 43hok1vr9rj25jbcr38rbwau9y2qzdac.fastclickstatus.com/images/tick.gif
: 15:45:10 xn7fcf91r08mi02cdnlc4odeeajt82wt.fastclickstatus.com/images/tick.gif
: 15:45:30 8s1ysh4k6nou8oixtwweii2d8ffj70ll.fastclickstatus.com/images/tick.gif
: ...

The resolutions, above, for the hostnames containing "-sk"
are used to resolve a different hostname each time for
connections to port 10843 which, like those to port 843, are
raw connections by the Flash player for policy data.
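Detection logic for this heartbeat pattern, added here as an example and not part of the ROKSO record: it reads request logs in the "HH:MM:SS host/path" form excerpted above, groups requests by parent domain and path, and flags groups whose requests arrive at a fixed interval from a never-repeated, machine-looking leftmost label. TRACKER_LOG is built from the eight tick.gif lines above; the 20-character minimum label length and 2-second jitter tolerance are assumptions, not values from the page.

```python
import re
from statistics import pstdev

# The tick.gif requests excerpted above, in the same "HH:MM:SS host/path" form.
TRACKER_LOG = """\
15:43:10 sdgwa72xb8mc2fx0op36n58qznnjj8xn.fastclickstatus.com/images/tick.gif
15:43:30 y4f9rwd9zmptdskmnq2e3lhmp7emxa07.fastclickstatus.com/images/tick.gif
15:43:50 vlkdxkoi2xzojz9gzuy3i9j1ggyj5l9a.fastclickstatus.com/images/tick.gif
15:44:10 xq3joz3kczb6jj7b1b2bef5ayz9ufntr.fastclickstatus.com/images/tick.gif
15:44:30 dbfnyueobqsicsmb1229dcd9i15s04ac.fastclickstatus.com/images/tick.gif
15:44:50 43hok1vr9rj25jbcr38rbwau9y2qzdac.fastclickstatus.com/images/tick.gif
15:45:10 xn7fcf91r08mi02cdnlc4odeeajt82wt.fastclickstatus.com/images/tick.gif
15:45:30 8s1ysh4k6nou8oixtwweii2d8ffj70ll.fastclickstatus.com/images/tick.gif
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) ([^/\s]+)(/\S*)?$")
# The labels seen above are 32 lowercase alphanumerics; 20+ is an assumed
# threshold so a slightly different generator is still caught.
RANDOM_LABEL_RE = re.compile(r"^[a-z0-9]{20,}$")


def parse_log(text):
    """Return (seconds_since_midnight, host, path) for each well-formed line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s = (int(x) for x in m.group(1).split(":"))
        out.append((h * 3600 + mi * 60 + s, m.group(2), m.group(3) or "/"))
    return out


def parent_domain(host):
    """Parent of the random label: the last two labels. Enough for .com;
    a public suffix list would be needed for names such as example.co.uk."""
    return ".".join(host.split(".")[-2:])


def find_heartbeats(events, min_hits=4, max_jitter=2.0):
    """Group requests by (parent domain, path) and report groups that look
    like a beacon: enough hits, a machine-looking leftmost label that is
    never reused, and inter-arrival times with little spread.
    Returns {(parent, path): {"period": seconds, "hits": count}}."""
    groups = {}
    for t, host, path in events:
        groups.setdefault((parent_domain(host), path), []).append((t, host))
    hits = {}
    for key, items in groups.items():
        if len(items) < min_hits:
            continue
        items.sort()
        labels = [host.split(".")[0] for _, host in items]
        if not all(RANDOM_LABEL_RE.match(lbl) for lbl in labels):
            continue
        if len(set(labels)) != len(labels):   # a reused label is not this pattern
            continue
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        if pstdev(gaps) > max_jitter:
            continue
        hits[key] = {"period": round(sum(gaps) / len(gaps)), "hits": len(items)}
    return hits


if __name__ == "__main__":
    for key, info in find_heartbeats(parse_log(TRACKER_LOG)).items():
        print(key, info)
```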


PRODUCT INFORMATION:

There has been no change in the product listing since
the last time I checked.


____________________________________


Pharmacy EXPRESS SITE: http://doctorolwk.com
Pharmacy Express SITE: http://doctorfisw.com
Pharmacy Express SITE: http://[varies]
: IP address 5.196.57.226: SBL SBL235161
: IP address 85.10.235.142: SBL234648
: IP address 151.236.18.134: on edis.at
: IP address 178.124.140.143: on beltelecom.by,belpak.by

Resolved by the:

Pharmacy Express NAMESERVERS (dedicghqet.com,cloudjfnwe.su,serverdjwnr.com,cloudfheqo.su)
: IP address 37.228.88.169: on mtw.ru
: IP address 61.191.190.8: SBL229468
: IP address 61.191.190.175: SBL229469
: IP address 88.198.219.68: on your-server.de,hetzner.de
: IP address 119.110.107.13: SBL234532
: IP address 178.124.140.143: on beltelecom.by,belpak.by

Pharmacy Express utilizes a profiler and heartbeat tracker.

SEE THE NOTE BELOW:
-------------------
As usual, Pharmacy Express makes use of a flash file, pons4.swf, which
provides a rather comprehensive profile of the visitor's system and
which was provided by google! Googlesydnication.com! Wait ... that is
"dn" not "nd". Well that is what it was until they lost that domain and
then it was google! Ooops ... no ... googl. Googlsyndications.com.

Perhaps Google finally acted. The flash file then used the domain,
choosebestkeyword.com but they have now changed it to fastclickstatus.com.

Besides providing a function which is used by Pharmacy Express for a
thorough profile of the victim's system (so extensive one doesn't
need cookies) via Javascript (the profile is part of the data submitted
to the pharmacy site) the flash file also continually connects back to
fastclickstatus.com on ports 80, 843 (the usual flash policy port)
and 10843 (coded in the flash file itself).

Pharmacy Express PROFILER/TRACKER: fastclickstatus.com
: IP address 62.113.214.122: SBL232525

Resolved by its nameserver at the same IP address.


The order form has changed and now returns a contact even
for rejected orders:

SUPPORT SITE: http://yourliveservice.com
: IP address 85.10.235.142: SBL234648
: IP address 178.124.140.143: on beltelecom.by,belpak.by

This host is also a pharmacy host/proxy.

Resolved by its:

Pharmacy Express (and support site) NAMESERVER (serverienw.com,dfgshost.com):
: IP address 119.110.107.13: SBL234532
Pharmacy Express (and support site) NAMESERVER (serverienw.com,dfgshost.com):
: IP address 178.124.140.143: on beltelecom.by,belpak.by

NOTE:
-----
Today the site I got used an old item. While the pons4.swf file for the
tracker was available and fastclickstatus.com is up, for some reason the
site used pons.swf, an older version whose tracker site, back end, is now
down (the profiler still works) so this time fastclickstatus.com was not
actively involved (though the flash file used is theirs as a decompilation
and comparison to pons.swf shows, it references an older domain name).

Recently I have seen this older flash file, pons.swf, appear a few times.


HERE ARE A FEW OTHER HOSTNAMES
FOR THE PHARMACY SITE.
------------------------------------

DETAILS:
--------

PHARMACY EXPRESS SITE: http://doctorolwk.com
PHARMACY EXPRESS SITE: http://doctorfisw.com
PHARMACY EXPRESS SITE: http://[varies]

Now they use Javascript and have sites formatted
for mobile users but ... apparently some of the
sites (slightly older ones) are a bit messed up.
While m.[domain_name] should be the mobile site
and [domain_name] should give the full (desktop)
version and mobile users should be redirected to
m.[domain_name], for a few of the sites the
mobile site is at [domain_name] and the full
site is at m.[domain_name] and desktop users may
or may not be redirected to the full site.

The mobile site with Pharmacy Express branding
uses the /205/ directory.

NOTE ABOVE THAT SOME OF THE DOMAIN NAMES RESOLVE
DIFFERENTLY. LET ME CHECK THE RESOLUTIONS FOR
THE HOSTS doctorolwk.com, doctorfisw.com AND THE
SUPPORT SITE, yourliveservice.com (see below),
AND ITS NAMESERVERS.

NAMESERVERS FOR doctorolwk.com, doctorfisw.com AND yourliveservice.com
FROM THE .com SERVERS. RESOLUTIONS FROM THE .com AND .su SERVERS.
======================================================================
doctorolwk.com NS ns1.serverdjwnr.com
doctorolwk.com NS ns2.cloudfheqo.su
doctorfisw.com NS ns1.dedicghqet.com
doctorfisw.com NS ns2.cloudjfnwe.su
yourliveservice.com NS ns1.serverienw.com
yourliveservice.com NS ns2.dfgshost.com
ns1.serverdjwnr.com A 88.198.219.68
ns2.serverdjwnr.com A 61.191.190.175
ns1.cloudfheqo.su A 88.198.219.68
ns2.cloudfheqo.su A 61.191.190.175
ns1.dedicghqet.com A 37.228.88.169
ns2.dedicghqet.com A 61.191.190.8
ns1.cloudjfnwe.su A 37.228.88.169
ns2.cloudjfnwe.su A 61.191.190.8
ns1.serverienw.com A 178.124.140.143
ns2.serverienw.com A 119.110.107.13
ns1.dfgshost.com A 178.124.140.143
ns2.dfgshost.com A 119.110.107.13

dig @88.198.219.68 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorolwk.com A 5.196.57.226
dig @61.191.190.175 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorolwk.com A 5.196.57.226
dig @37.228.88.169 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorolwk.com A 151.236.18.134
dig @61.191.190.8 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorolwk.com A 151.236.18.134
dig @178.124.140.143 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorolwk.com A 85.10.235.142
dig @119.110.107.13 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorolwk.com A 85.10.235.142

dig @88.198.219.68 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 5.196.57.226
dig @61.191.190.175 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 5.196.57.226
dig @37.228.88.169 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 151.236.18.134
dig @61.191.190.8 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 151.236.18.134
dig @178.124.140.143 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 85.10.235.142
dig @119.110.107.13 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 85.10.235.142

dig @88.198.219.68 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 5.196.57.226
dig @61.191.190.175 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 5.196.57.226
dig @37.228.88.169 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 151.236.18.134
dig @61.191.190.8 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 151.236.18.134
dig @178.124.140.143 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 178.124.140.143
dig @119.110.107.13 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 85.10.235.142
======================================================================

The nameservers for doctorolwk.com (61.191.190.175 and 88.198.219.68)
resolve everything to 5.196.57.226.

The nameservers for doctorfisw.com (37.228.88.169 and 61.191.190.8)
resolve everything to 151.236.18.134.

The nameservers for yourliveservice.com (119.110.107.13 and 178.124.140.143)
resolve the pharmacy hostnames to 85.10.235.142.
119.110.107.13 resolves the support hostname to 85.10.235.142
while 178.124.140.143 resolves the support hostname to 178.124.140.143.
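An added example (not Spamhaus's or the investigator's own tooling) that parses a transcript in the format of the dig output above and reports which authoritative nameservers hand out which A record for each host, so the split shown in the summary can be produced mechanically. The log embedded below is a constructed excerpt using only values from this listing.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the dig transcript above
# (nameserver and answer addresses taken from this listing).
DIG_LOG = """\
dig @88.198.219.68 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorolwk.com A 5.196.57.226
dig @37.228.88.169 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorolwk.com A 151.236.18.134
dig @178.124.140.143 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 178.124.140.143
dig @119.110.107.13 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 85.10.235.142
"""

DIG_RE = re.compile(r"^dig @(\S+) A (\S+)")
FLAGS_RE = re.compile(r"^: ;; flags: (.*?)(?:\s*<--|$)")
ANSWER_RE = re.compile(r"^: (\S+) A (\d+\.\d+\.\d+\.\d+)$")


def parse_dig_log(text):
    """Return {hostname: {ns_ip: (answer_ip, authoritative)}}.

    A query line starts a new record; the flags line tells us whether the
    server answered authoritatively ("aa"); the answer line gives the A record.
    """
    results = defaultdict(dict)
    ns = host = None
    aa = False
    for line in text.splitlines():
        m = DIG_RE.match(line)
        if m:
            ns, host = m.groups()
            aa = False
            continue
        m = FLAGS_RE.match(line)
        if m:
            aa = "aa" in m.group(1).split()
            continue
        m = ANSWER_RE.match(line)
        if m and m.group(1) == host:
            results[host][ns] = (m.group(2), aa)
    return dict(results)


def answer_groups(results, host):
    """Group the nameservers of one host by the A record each hands out."""
    groups = defaultdict(list)
    for ns, (ip, _aa) in results[host].items():
        groups[ip].append(ns)
    return {ip: sorted(nss) for ip, nss in groups.items()}


def inconsistent_hosts(results):
    """Hosts whose authoritative servers do not agree on the answer."""
    return sorted(h for h in results if len(answer_groups(results, h)) > 1)


if __name__ == "__main__":
    parsed = parse_dig_log(DIG_LOG)
    for h in inconsistent_hosts(parsed):
        print(h)
        for ip, nss in answer_groups(parsed, h).items():
            print("  %s <- %s" % (ip, ", ".join(nss)))
```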

If these hosts are used for load balancing one might expect the
site to be up at each IP address so let me check for doctorolwk.com
at the four IP addresses, 5.196.57.226, 85.10.235.142, 151.236.18.134,
and 178.124.140.143.

* Connected to 5.196.57.226:80
: GET / HTTP/1.1
: Host: doctorolwk.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.


* Connected to 85.10.235.142:80
: GET / HTTP/1.1
: Host: doctorolwk.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.


* Connected to 151.236.18.134:80
: GET / HTTP/1.1
: Host: doctorolwk.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.


* Connected to 178.124.140.143:80
: GET / HTTP/1.1
: Host: doctorolwk.com

: HTTP/1.1 200 OK
: Server: nginx/0.7.67
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.

Often there are minor differences among the pages such
as different values for some tags. Not this time.
These pages were byte for byte identical.


IP ADDRESS: 5.196.57.226
------------------------
PHARMACY EXPRESS HOST
5.196.57.226/32 is on the SBL as SBL235161.
Russian botnet drug spammer server
------------------------

IP ADDRESS: 85.10.235.142
-------------------------
PHARMACY EXPRESS HOST
PHARMACY EXPRESS SUPPORT HOST
85.10.235.142/32 is on the SBL as SBL234648.
Pharmacy Express site (and support site) (doctorolwk.com et al.)
-------------------------

IP ADDRESS: 151.236.18.134
--------------------------
PHARMACY EXPRESS HOST
inetnum: 151.236.18.0 - 151.236.18.255
% Abuse contact for '151.236.18.0 - 151.236.18.255' is 'abuse@edis.at'
descr: EDIS Infrastructure in Italy
country: IT
abuse-mailbox: abuse@edis.at
Address 151.236.18.134 maps to srv.uniqgrandspace.com
18.236.151.in-addr.arpa has SOA [omitted]@edis.at
--------------------------

IP ADDRESS: 178.124.140.143
---------------------------
PHARMACY EXPRESS HOST
PHARMACY EXPRESS NAMESERVER
PHARMACY EXPRESS SUPPORT HOST
PHARMACY EXPRESS SUPPORT NAMESERVER
inetnum: 178.124.136.0 - 178.124.143.255
% Abuse contact for '178.124.136.0 - 178.124.143.255' is 'lir@belpak.by'
descr: RUE BELTELECOM
descr: Minsk, Belarus
country: BY
e-mail: [omitted]@mck.beltelecom.by
140.124.178.in-addr.arpa has SOA [omitted]@dc.beltelecom.by
---------------------------

IP ADDRESS: 37.228.88.169
-------------------------
PHARMACY EXPRESS NAMESERVER
inetnum: 37.228.88.0 - 37.228.93.255
% Abuse contact for '37.228.88.0 - 37.228.93.255' is 'abuse@mtw.ru'
netname: MTW-HOSTING-NET
descr: MTW.RU dedicated/hosting servers
country: RU
abuse-mailbox: abuse@mtw.ru
Address 37.228.88.169 maps to unspecified.mtw.ru
88.228.37.in-addr.arpa has SOA [omitted]@mtw.ru
-------------------------

IP ADDRESS: 61.191.190.8
------------------------
PHARMACY EXPRESS NAMESERVER
61.191.190.8/32 is on the SBL as SBL229468.
Pharmacy Express nameserver
------------------------

IP ADDRESS: 61.191.190.175
--------------------------
PHARMACY EXPRESS NAMESERVER
61.191.190.175/32 is on the SBL as SBL229469.
Pharmacy Express nameserver
--------------------------

IP ADDRESS: 88.198.219.68
-------------------------
PHARMACY EXPRESS NAMESERVER
inetnum: 88.198.219.64 - 88.198.219.95
% Abuse contact for '88.198.219.64 - 88.198.219.95' is 'abuse@hetzner.de'
descr: Internet Technologies
country: DE
abuse-mailbox: [omitted]@hosthost.biz
route: 88.198.0.0/16
descr: HETZNER-RZ-NBG-BLK4
219.198.88.in-addr.arpa has SOA [omitted]@your-server.de
-------------------------

IP ADDRESS: 119.110.107.13
--------------------------
PHARMACY EXPRESS NAMESERVER
PHARMACY EXPRESS SUPPORT NAMESERVER
119.110.107.13/32 is on the SBL as SBL234532.
Pharmacy Express nameserver
--------------------------

I will check http://doctorolwk.com at 5.196.57.226.

Let's see ... These sites can have different brandings.
Some are branded as Canadian Pharmacy in the title (an old
spamvertized pharmacy site) with a copyright claiming to be
Canadian Health&Care Mall (a current Yambo spam operation
brand) though it is neither - it is Pharmacy Express.

This is one of their sites branded as ... Pharmacy Express.

This uses the /201/ directory (other themes/brandings are in
different directories, such as /204/ for Canadian Health&Care Mall
and /205/ for the mobile version of the Pharmacy Express
branded site).

An encoded phone number appears on all their sites, decoded
to a Javascript variable which is unused on, for example,
Canadian Health&Care Mall sites. The Javascript used to put
the phone number on the page at Pharmacy Express branded sites,
but no longer does.

ENCODED JAVASCRIPT: SHORTER SCRIPTS, NOW ENCODED
------------------------------------------------
They used to use a lot of their own code. Now they use jquery.
Their code used to be plain Javascript source text.
Then their (large) script was doubly encoded (base64 and XOR
with an array of values). This time four sections of code
at the end of the script (including the QuickSearch library)
are encrypted.

The encoded phone number which appears in the home page's HTML code
-------------------------------------------------------------------------------
var msgs = {
: removeProduct: "You are removing %PRODUCT_TITLE% from your cart. Continue?",
: notFound: "Not found",
: emptySearchQuery: "Empty search query",
: search: "Search...",
: minLengthIs: "minimum allowed length is",
: maxLengthIs: "maximum allowed length is",
: characters: "characters",
: emptyCart: "Do you really want to empty cart ?",
: phone: "+k-aee vgb-kevk",
: siteTitle: "Pharmacy Express"
};
-------------------------------------------------------------------------------
is decoded by their translate function in the script file,
http://[hostname]/201/js/_set_main.js?v=e221041eeed140ccd475cf5d07079138

function translate(string,search,replace), which just implements
a simple substitution, transliteration, "tr", function,
: $('.phn').html(translate(msgs.phone, 'kagzrvbehn', '1845962037'));

[The code was originally
: var phone=translate(msgs.phone,'kagzrvbehn','1845962037');
using a separate variable for the decoded phone number
which was then used on the page. Now the 'phone' variable is gone.]
(The substitution had been different in the dim past.)

and, of course:
: echo "+k-aee vgb-kevk" | tr 'kagzrvbehn' '1845962037'

gives the usual phone number: +1-800 642-1061
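As an added example, not the site's own script, here is the same substitution in Python (str.maketrans does what tr(1) and their translate() do) plus a helper that pulls the encoded value and both alphabets out of captured page or script text, so an analyst can still recover the contact number and pivot on it even though it no longer appears in plain text. The source fragment below is constructed from the values quoted above.

```python
import re

# Constructed fragment in the shape of the msgs object and the translate()
# call quoted above; the string values are the ones from this listing.
PAGE_SOURCE = """\
var msgs = {
    phone: "+k-aee vgb-kevk",
    siteTitle: "Pharmacy Express"
};
$('.phn').html(translate(msgs.phone, 'kagzrvbehn', '1845962037'));
"""

# The encoded value sits in the msgs object ...
PHONE_RE = re.compile(r"""phone\s*:\s*["']([^"']*)["']""")
# ... and the two alphabets sit in the translate() call in the script file.
CALL_RE = re.compile(
    r"""translate\(\s*msgs\.phone\s*,\s*['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def translate(string, search, replace):
    """Character-for-character substitution: each char of `search` becomes the
    char at the same position in `replace`; everything else is left alone."""
    if len(search) != len(replace):
        raise ValueError("search and replace alphabets differ in length")
    return string.translate(str.maketrans(search, replace))


def extract_phone(source):
    """Find the encoded phone and the substitution alphabets in captured page
    text and return the decoded number, or None if either piece is missing."""
    enc = PHONE_RE.search(source)
    call = CALL_RE.search(source)
    if not enc or not call:
        return None
    return translate(enc.group(1), call.group(1), call.group(2))


if __name__ == "__main__":
    print(extract_phone(PAGE_SOURCE))
```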

NOTE:
-----
If your browser does NOT indicate that it supports compression (gzip)
the pages come back uncompressed BUT THE JAVASCRIPT AND/OR STYLE SHEET
FILE MAY COME BACK COMPRESSED ANYWAY. I often configure firefox not to
accept compressed pages so I can do a packet capture and 'grep' through
it for relevant items. Material will be invisible even with Javascript
enabled if the browser is set not to request (or decompress) compressed
content and the Javascript is compressed. At times only the Javascript
file was compressed. At other times only the style sheet was compressed.
Sometimes both come back compressed. Both were compressed this time.

The page style changed some time ago. Besides using Javascript to place messages
(and encoding the phone number - one can no longer 'google' for that number to find
other hosts/pages) there were lines over 50K in size on the starting page.
Those were long style sheet codes. Now separate style sheet files are used
and the longest line I now see on the page is about 17K in size.

Surprisingly the copyright notice at the bottom of the page,
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.
was not encoded as the phone number is, though you won't find
"Pharmacy Express" when grep'ing through the page's HTML code
as it appears as "Pha[span]rmacy Express.[/span]".

STYLE SHEET TO POSITION BOOKMARK (facebook, etc.) LINKS OVER IMAGE
---------------------------------------------------------------------------
WHILE I HAVE NOT RECENTLY SEEN THE Facebook AND OTHER SOCIAL NETWORK LINKS
ON THE PAGES USING DIFFERENT BRANDINGS (e.g. "Canadian Pharmacy",
"Canadian Health&Care Mall") THEY DO APPEAR ON THIS PHARMACY EXPRESS SITE.
---------------------------------------------------------------------------
The page has links to various social networking sites such as
[a href="http://www.facebook.com/share.php?u=%site_url%" class="c" title="Save to Facebook"][/a]
in a "div" element, [div class="bookmarks"].

The Javascript contains the code to update the data:
------------------------------------------------
var reSiteURL = new RegExp('\%site_url\%', "g");
var reSiteTitle = new RegExp('\%site_title\%', "g");
$(".bookmarks a").each(function() {
var url = $(this).attr('href');
url = url.replace(reSiteURL, location.protocol + '//' + location.host);
url = url.replace(reSiteTitle, msgs.siteTitle); $(this).attr('href', url);});
------------------------------------------------
When Javascript was first used to update the social site links
there was only a regular expression to change the site_url,
not the site_title, but when they started using multiple brandings
such as 'ED Express' or 'Canadian Pharmacy' the code to set the
title was added.

The bookmark links, such as the above facebook link, have length zero!
How to click on them? The style sheet repositions them over the header image,
: .header .bookmarks{position:absolute;top:177px;left:35px}
: .header .bookmarks a{width:16px;height:16px;display:block;position:relative;
: float:left;margin-right:2px;margin-top:3px}
giving each a width of 16 pixels. They are positioned so that the
clickable region for each social network's link is placed over
that network's icon embedded in the header image,
http://[hostname]/201/img/header/header-bg-usps.jpg
which is often modified to suit the current holiday or celebration
such as header-bg-labor.jpg for Labor Day.

When these sites were hosted on bots (at other times the
spammer gets his own hosting) or for other reasons had
problems with bandwidth the images had often been hosted
elsewhere but I have not seen images loaded from elsewhere
for quite some time.

This time very few real images are loaded, but from the spamvertized
site itself with URLs such as:
: http://[hostname]/201/img/sprite/most_popular_1.jpg?v=1408401447

NOTE:
-----
Few images are used. For example two images are used for all
the pill images, "sprite" panels (tableaux of pill subimages)
: http://[hostname]/201/img/sprite/most_popular_1.jpg?v=1408401447
: http://[hostname]/201/img/sprite/most_popular_2.jpg?v=1408401447
STYLE SHEET:
: .spr_products_75x75_viagra,.spr_products_75x75_viagra_brand,.spr_products_75x75_cialis,...
: {background-image:url(../img/sprite/most_popular_1.jpg?v=1408401447) !important}
and various selections from the image are carefully placed
: .spr_products_75x75_propecia
: {background-position:-75px 0px !important;width:75px !important;height:75px !important}
so the portion which appears as the background for each
anchor tag/link is just the proper pill image.

A TINY CHANGE. The version I have most often seen has
"background-position:-75px 0px" but sometimes a site uses
"-75px 0"; after all "0px" or "0anything_else" is still the
same size, zero.

One used to find separate images such as
: http://[hostname]/101/img/products/75x75/levitra_brand.jpg
Now the images appear to have a time stamp, net-time, the number
of seconds since 1 January 1970.

Sometimes these sites have a secure order form and sometimes not.
Usually the order site is not secure.

This time upon reaching the CHECKOUT page I found the form:
: [form id="form_checkout" action="/checkout/" method="post"][/form]

Most often, recently, the action has simply been action="/checkout/"
with payment being submitted to the pharmacy site itself.
Sometimes the "action" points to another, order, site (a number of
such order domains have been seen over time); only infrequently
is that order site secure (https).

PHARMACY EXPRESS ORDER SITE: http://doctorolwk.com/checkout/

* Connected to 5.196.57.226:80
: POST /checkout/ HTTP/1.1
: Host: doctorolwk.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]

In the past the title had been
: [title]Welcome to http://[hostname] Checkout page[/title]

In spite of their assurance that:
"we provide 256bit SSL secure pay page to process your order"
your financial data is submitted unencrypted and insecurely.

Verisign's assurance of security is given in their seal at
: http://[hostname]/201/img/sprite/cart.png?v=1408401447

(part of another sprite tableau) but while in the past the
Verisign seal had been displayed, it is not this time.

THERE HAVE BEEN RECENT CHANGES TO THE ORDER FORM PAGE.
------------------------------------------------------
They used to use very obnoxious Javascript on this page.
It checked and validated each keystroke. On a slightly aged
system, such as mine, it was actually quite painful to use
their order form.

Now they use *extremely* obnoxious Javascript on this page.
It spends much more time and is much more CPU expensive while
checking everything every moment and, combined with the flash
tracker which continually runs in the background, connecting
over and over to their tracking site (every twenty seconds
- see below) it is now *very* painful to use their order form
on a slightly aged system such as mine.

If you like the tab key and to tab from form entry to form
entry expecting some sort of sensible arrangement - well,
you will be disappointed here.

There used to be two input boxes for one's email address,
a first and a second, "confirmation" input box to catch
typos. That second box still has the field name "confirm_email"
but is now labeled as 'Alternative e-mail'. They have also
added an input box for a second phone number ("Mobile phone").
Originally "Alternative e-mail" and "Mobile phone" inputs
were required for a successful form submission (though one
could simply enter the same address or phone number in both
input boxes). Now they are optional.

While they seem to have some respect for Verisign and I
did not see the Verisign seal, they seem to have lost all
respect for McAfee as the McAfee SECURE seal at ma.png
: http://[hostname]/checkout/img/ma.png
is back on the page (this seal used to be in a sprite tableau,
transparent_gif_[TIME_STAMP].gif which I no longer see and
had not been on the pages for quite some time) "guaranteeing"
the security of the transaction.
------------------------------------------------------

One connects to the order site, submitting the data:

: i=XXxWQU... This is base 64 encoded data with embedded
: Win/Dos EndsOfLines (%0D%0A). The unescaped
: string had a length of 5416 characters including
: Win/DOS EOLs and 5276 without the EOL characters.

*: The use of "="'s to pad the string's length to a multiple
of four bytes when necessary suggests some sort of
base 64 encoding but it is not simply encoded plain text
using the standard encoding. The data varies and the
string has had different lengths in the past.

NOTE:
-----
There are two forms appearing on the page at
the pharmacy site (whose data is submitted
to the order site to get the actual order page).
The one with the data does not have an action
submitting it to the order URL.
Javascript simply empties the form going to the
order URL, copies the "i" value from the dummy
form with data to the form going to the order URL
and submits that.

and one gets the order-form page:

: Pharmacy Express Checkout page
: The information you provided will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express

: For quite some time the page had started with:
: ----------------------------------------------
: Pharmacy online-store
: The information you provide will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express

: In the past it had read:
: ------------------------
: Welcome to http://[hostname] Checkout page
: The information you provide will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express
: ------------------------

and before that it had read:
----------------------------
: (c) 2003-2012 Pharmacy Express
: Have a question? Call us back +1-888-738-9650
----------------------------
but now the phone contact is missing.

In the past, when the order site was secure, the text read:
: Welcome to http://[hostname] Secure checkout page
: You have just been redirected to this 256bit SSL secure pay page to process
: your order.
but at the last secure order site, the page omitted the claim of security
as well as the contact phone number.

to which one submits

* Connected to 5.196.57.226:80
: POST /checkout/ HTTP/1.1
: Host: doctorolwk.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]

the data:

: new_customer=1
: &email=[victim's address: email]
: &first_name=[victim's name: first]
: &confirm_email=[victim's address: email] [+]
: &last_name=[victim's name: last]
: &billing_country_id=US
: &billing_city=[victim's address: city]
: &billing_state_id=[victim's address: state]
: &billing_address=[victim's address: street]
: &billing_zip=[victim's address: zip code]
: &phone=[victim's phone number]
: &mobile_phone=[victim's phone number - mobile] [*]
: &shipping_form=on [&]
: &payment_method=visa
: &issuing_bank=[credit card: issuing bank]
: &card_number=[victim's credit card number]
: &cvv=[credit card: private security number]
: &comment=[comment section] [*]
: &birth_year=[victim's birthdate: year]
: &birth_month=[victim's birthdate: month]
: &birth_day=[victim's birthdate: day]
: &expiration_month=[credit card: expiration date: month]
: &expiration_year=[credit card: expiration date: year]
: &utime=[Javascript: Date().toLocaleString()]
: &screen=[Javascript: screen.width+'x'+screen.height+'x'+screen.colorDepth]
: &platform=[Javascript: navigator.platform]
: &srv=[FLASH: fingerprinting system info] [#]
: &fid=[FLASH: flash/session random iD] [#]
: &fnt=[FONTS: fingerprinting font info] [#]
: &uid=[FLASH: SESSION ID] [#]
: &pasted=
: &submit_order=1 [-]

---
+: This now appears on the form as "Alternative e-mail"
Originally it was a required field.
Now it is optional.
---
*: New
Originally this was a required field.
Now it is optional.
---
&: Previously was "as_billing"
---
-: Previously was "submit_order"
---

There have been a few changes.

1: Specifying that the shipping address was the
: same as the billing address resulted in the
: removal/suppression of the shipping_country_id
: and shipping_state_id values which had previously
: been present.

2: submit_order had the string value, "submit_order",
: most recently and now has the value, 1.

3: Two elements (the shipping country and state)
: have disappeared while two new ones,
: mobile_phone and comment have appeared so the
: number of name/value pairs submitted is the same.

and the order of the data submitted has changed a bit.

One thing interested me. The submit button on the
order form is labeled "Confirm data" but that is not a
capital English "C". It is a cyrillic capital "ES" (C).
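The Cyrillic capital ES standing in for a Latin "C" is a mixed-script homoglyph. As an added example (not part of this listing), the Python below names the script of each letter from its Unicode name and reports labels that mix scripts, the kind of check a form-review tool could run; the label value is constructed to reproduce the button text described above.

```python
"""Flag mixed-script labels such as a Cyrillic ES in "Confirm data".

Added example, not from the ROKSO listing. The listing notes that the
order form's submit button reads "Confirm data" but starts with a
Cyrillic capital ES (U+0421), visually identical to the Latin "C".
"""
import unicodedata


def script_of(ch):
    """Return the script prefix of a letter's Unicode name ('LATIN',
    'CYRILLIC', ...), or None for digits, punctuation and whitespace."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else None


def mixed_scripts(label):
    """Return (sorted list of scripts used by letters in `label`,
    list of (index, char, codepoint) for letters outside the dominant
    script). An all-Latin label yields (['LATIN'], [])."""
    scripts = {}
    for i, ch in enumerate(label):
        s = script_of(ch)
        if s:
            scripts.setdefault(s, []).append((i, ch, f"U+{ord(ch):04X}"))
    if not scripts:
        return [], []
    # The script with the most letters is taken as the intended one;
    # anything else is reported as a possible homoglyph substitution.
    dominant = max(scripts, key=lambda s: len(scripts[s]))
    outliers = [t for s, ts in scripts.items() if s != dominant for t in ts]
    return sorted(scripts), outliers


# Constructed: Cyrillic capital ES (U+0421) followed by Latin letters,
# which renders exactly like the English "Confirm data".
SUSPECT_LABEL = "\u0421onfirm data"

if __name__ == "__main__":
    print(mixed_scripts(SUSPECT_LABEL))   # flags index 0, U+0421
    print(mixed_scripts("Confirm data"))  # all Latin, nothing flagged
```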

Previously the data was submitted in one step but
now one goes through an intermediate "confirmation
page". That page does not repost the data but allows
one to return to the order form page to edit it or
continue, in which case it simply posts the
confirmation data,
: confirm_order=confirm_order
to

* Connected to 5.196.57.226:80
: POST /checkout/ HTTP/1.1
: Host: doctorolwk.com

which sends one on to a status page:

: HTTP/1.1 302 OK
: Server: nginx/1.2.1
: Location: http://doctorolwk.com/checkout/status/


UPDATED CREDIT CARD PAYMENT OPTIONS:
------------------------------------
It seems that they have lost payment options,
for originally
: Visa (payment_method=visa)
: MasterCard (payment_method=mastercard)
: American Express (payment_method=amex)
: JCB (payment_method=jcb) [Japan Credit Bureau]
: Diners Club (payment_method=dinersclub)
: ACH (payment_method=ach) [Automated Clearing House]
were available and then only
: Visa (payment_method=visa)
was available.
American Express had reappeared, was gone for some time
and now is back ("amex").


Isn't Adobe's Shockwave Flash wonderful?
----------------------------------------
A perfect little tool to fingerprint visitors quite
accurately. The order site loads a little flash file,
pons4.swf. It used to be named bridge.swf (and the page
element, a DIV with id="swfContent", contains pons4.swf,
an object with that id, "bridge"), then it was named pons.swf,
but they have changed it. The file is rather heavily
obfuscated so it took some time to handle.

* Connected to 5.196.57.226:80
: GET /checkout/pons.swf HTTP/1.1
: Host: doctorolwk.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: Content-Type: application/x-shockwave-flash
: Content-Length: 2982

OUCH! The old pons.swf file still exists. It does not
use fastclickstatus.com (which is still up) but
getclickanalysis.com for the tracking back end.

While the flash file tries to get content from
getclickanalysis.com it fails miserably.
-----------------------------------------------------------
www.getclickanalysis.com CNAME free.park-your-domain.com.
-----------------------------------------------------------
THIS IS NOT GOING TO WORK!

The pons4.swf file exists, too, but somehow they managed
to set the site to load the old, pons.swf file, for which
the tracker backend is not up. However, the old file is
still loaded and performs its function as a profiler.

This same thing, using pons.swf instead of pons4.swf,
also occurred at a Pharmacy Express site I checked
about a week and a half ago and again a few days ago.

You don't see this hidden item (width="1" height="1").
This file creates a callback function:
: flash.external.ExternalInterface.addCallback(...);
which provides an interface for Javascript. This
provides the Javascript at the order site with a
profile of the visitor's system as determined by the
flash file. Two ID variables (fid and uid) are set.
Along with those the flash file is used to get your system
capabilities and store them in a variable, srv, and finally
it gets a full list of all your fonts ("getFontList") and
sets the variable, fnt, to that list (I have over 400 fonts
installed). I wonder if anyone has the same list of fonts
that I have. The system variable, srv, lists your OS
and kernel (e.g. Linux 2.4.32 for kernel 2.4.32 on
Linux) among many other items. Well, who needs cookies
with so precise a fingerprint?

And this pons.swf file? It is Google's!!! Sorry Googl's.
WAIT. It isn't google's or googl's any more.

The new domain name is fastclickstatus.com NOW (pons4.swf)
but pons.swf uses the domain getclickanalysis.com (the same
operation but an old domain name) for its backend.

Recently it was googlsyndications.com's (before that it
was googlesydnication.com's ("dn", not "nd")) tracker
(besides the interface to enable Javascript to access the
profile that flash can extract from your system, this flash
file "calls home" every twenty seconds, a heartbeat tracker).
When they seem to have lost the "Google" domain names
they used the domain name choosebestkeyword.com and have
now switched to fastclickstatus.com.

Since Pharmacy Express continued to use this tracker as it
moved from googlesydnication to googlsyndications even when the
backend for the heartbeat tracker was down for awhile, I would
hazard a guess that googlesydnication.com, googlsyndications.com,
choosebestkeyword.com and now fastclickstatus.com are part of
Pharmacy Express.
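A tracker that calls home every twenty seconds leaves a regular rhythm in proxy logs. As an added example of defender-side detection (not part of this listing), the Python below groups requests by client and destination host and flags destinations whose inter-request gaps sit tightly around one period; the log lines and hostnames are constructed.

```python
"""Detect fixed-interval "heartbeat" beacons in web proxy logs.

Added example, not from the ROKSO listing. The listing describes a
Flash tracker that connects to its backend every twenty seconds; a
client doing that shows up as a destination whose request gaps are
almost constant, unlike ordinary browsing.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: "<timestamp> <client> <dest host> <method> <path>".
# tracker.example is hit every 20 s; the other hosts are normal browsing.
SAMPLE_LOG = """\
2014-07-20T10:00:00 10.0.0.5 tracker.example GET /hb
2014-07-20T10:00:03 10.0.0.5 cdn.example GET /lib.js
2014-07-20T10:00:20 10.0.0.5 tracker.example GET /hb
2014-07-20T10:00:40 10.0.0.5 tracker.example GET /hb
2014-07-20T10:00:41 10.0.0.5 news.example GET /
2014-07-20T10:01:00 10.0.0.5 tracker.example GET /hb
2014-07-20T10:01:20 10.0.0.5 tracker.example GET /hb
2014-07-20T10:01:40 10.0.0.5 tracker.example GET /hb
2014-07-20T10:02:00 10.0.0.5 tracker.example GET /hb
2014-07-20T10:02:05 10.0.0.5 news.example GET /a
2014-07-20T10:03:10 10.0.0.5 news.example GET /b
2014-07-20T10:03:11 10.0.0.5 news.example GET /c
"""


def parse_log(text):
    """Return {(client, host): [datetime, ...]} with times sorted."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _method, _path = line.split()
        seen[(client, host)].append(datetime.fromisoformat(ts))
    for times in seen.values():
        times.sort()
    return seen


def find_beacons(text, min_hits=5, max_jitter=0.2):
    """Return {(client, host): period_seconds} for periodic destinations.

    A destination is flagged when it has at least `min_hits` requests and
    every gap between consecutive requests lies within `max_jitter`
    (as a fraction) of the median gap, i.e. the client calls home on a
    clock rather than when a person clicks.
    """
    beacons = {}
    for key, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        if all(abs(g - period) <= max_jitter * period for g in gaps):
            beacons[key] = period
    return beacons


if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {period:.0f}s")
```

Lowering `min_hits` does not flag news.example, because its gaps (84 s, 65 s, 1 s) are far from any single period.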


PHARMACY EXPRESS TRACKER: http://[varies].fastclickstatus.com

This was originally google.sydnication.com ("dn", not "nd")
until they lost that domain. It then changed to googlsyndications.com.
It then changed to choosebestkeyword.com and is now
fastclickstatus.com.

Where is it now?

NAMESERVERS FOR fastclickstatus.com FROM THE .com SERVERS.
==========================================================
fastclickstatus.com NS ns1.fastclickstatus.com
fastclickstatus.com NS ns2.fastclickstatus.com
ns1.fastclickstatus.com A 62.113.214.122
ns2.fastclickstatus.com A 62.113.214.122

dig @62.113.214.122 fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: fastclickstatus.com A 62.113.214.122
==========================================================

HOWEVER ... this is the newer domain name used by the tracker
(pons4.swf) while, for some reason (perhaps they decided that
it wasn't necessary to use the backend and connect to it every
twenty seconds) this time the web site loaded an older version,
of the flash based profiler/tracker, pons.swf, which performs
its function as a profiler but has no working tracker site
(the domain name it uses is getclickanalysis.com) to which to
connect every twenty seconds (though it does try to!).

SUPPORT SITE: http://yourliveservice.com
SUPPORT CONTACT [email]: support@yourliveservice.com
SUPPORT CONTACT [phone]: +1-212-389-6349

In the past, if a payment was rejected (the site verified
the credit card for the payment before returning the status
page) the status page returned simply indicated a failure.

SOMETIMES in verifying a Visa card it seemed that the backend
did not quickly enough obtain a result in which case the site
provided a default status page indicating that the card was
accepted and providing a further contact (web site or email
and a phone number).

Submitting a fake order using a Visa card sometimes, but very
seldom, would provide the further contact.

They have updated the order form and its activity and now,
even a rejected order submission elicits:

* Connected to 5.196.57.226:80
: GET /checkout/status/ HTTP/1.1
: Host: doctorolwk.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Checkout status[/title]
: Pharmacy Express Checkout page
: We are sorry but the transaction was declined by the bank.
: ...
: If you have any questions about your order, please, contact us:
: phone: +1-212-389-6349
: e-mail: [a href="mailto:support@yourliveservice.com"]support@yourliveservice.com[/a]
: (c) 2003-2014 Pharmacy Express

So, what is at http://yourliveservice.com?

ABOVE WE SAW THE DATA:

NAMESERVERS FOR yourliveservice.com FROM THE .com SERVERS.
RESOLUTIONS FROM THE .com SERVERS.
==========================================================
yourliveservice.com NS ns1.serverienw.com
yourliveservice.com NS ns2.dfgshost.com
ns1.serverienw.com A 178.124.140.143
ns2.serverienw.com A 119.110.107.13
ns1.dfgshost.com A 178.124.140.143
ns2.dfgshost.com A 119.110.107.13

dig @178.124.140.143 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 178.124.140.143
dig @119.110.107.13 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 85.10.235.142
==========================================================

* Connected to 85.10.235.142:80
: GET / HTTP/1.1
: Host: yourliveservice.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]LiveHelp Support[/title]
: Our Support Center helps you to:
: 1. View order status
: 2. Cancel order
: 3. View orders' history
: ...
: (c) 2003-2014 LiveHelp Support Center.


* Connected to 178.124.140.143:80
: GET / HTTP/1.1
: Host: yourliveservice.com

: HTTP/1.1 200 OK
: Server: nginx/0.7.67
: [title]LiveHelp Support[/title]
: Our Support Center helps you to:
: 1. View order status
: 2. Cancel order
: 3. View orders' history
: ...
: (c) 2003-2014 LiveHelp Support Center.

These pages were identical except for some tags such as
: <label for="idm341008">Order ID:</label>
vs.
: <label for="idp253888">Order ID:</label>
and, of course, the "captcha" image:
: /images/captcha/7cf17c2918a1b54f9d99d3e21d3a84f8.png
vs.
: /images/captcha/11898fa746e399f12495faaa8936ceb0.png


In the past the page was a bit longer, including:

: --------------------------------------------------------------
: If you need additional information, please, contact us anytime
: e-mail: [a href="mailto:support@liveserviceonline.com"]support@liveserviceonline.com[/a]
: phone: +1-212-389-6349
: (c) 2003-2014 LiveHelp Support Center.
: --------------------------------------------------------------

and just in case you think that this is an innocent third party
support service:

* Connected to 85.10.235.142:80
: GET / HTTP/1.1
: Host: doctorolwk.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.


* Connected to 178.124.140.143:80
: GET / HTTP/1.1
: Host: doctorolwk.com

: HTTP/1.1 200 OK
: Server: nginx/0.7.67
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.

both hosts also provide the spamvertized pharmacy pages
themselves.

IP ADDRESS: 85.10.235.142
-------------------------
PHARMACY EXPRESS HOST
PHARMACY EXPRESS SUPPORT HOST
85.10.235.142/32 is on the SBL as SBL234648.
Pharmacy Express site (and support site) (doctorolwk.com et al.)
-------------------------


IP ADDRESS: 119.110.107.13
--------------------------
PHARMACY EXPRESS NAMESERVER
PHARMACY EXPRESS SUPPORT NAMESERVER
119.110.107.13/32 is on the SBL as SBL234532.
Pharmacy Express nameserver
--------------------------

IP ADDRESS: 178.124.140.143
---------------------------
PHARMACY EXPRESS HOST
PHARMACY EXPRESS NAMESERVER
PHARMACY EXPRESS SUPPORT HOST
PHARMACY EXPRESS SUPPORT NAMESERVER
inetnum: 178.124.136.0 - 178.124.143.255
% Abuse contact for '178.124.136.0 - 178.124.143.255' is 'lir@belpak.by'
descr: RUE BELTELECOM
descr: Minsk, Belarus
country: BY
e-mail: [omitted]@mck.beltelecom.by
140.124.178.in-addr.arpa has SOA [omitted]@dc.beltelecom.by
---------------------------

PRODUCT INFORMATION:

There has been no change in the product listing since
the last time I checked.

_______________________________________________________

SBL234532 :

Pharmacy Express SITE: http://doctorfisw.com
Pharmacy EXPRESS SITE: http://doctorolwk.com
Pharmacy Express SITE: http://[varies]
: IP address 62.75.202.135: on intergenia.de,plusserver.de [*]
: IP address 78.138.98.176: on dediserv.eu,mesh.eu
: IP address 93.190.142.179: on worldstream.nl

*: Last time this was at 62.75.235.115.

--- DNS lookup for "ns1.dnsthen.com", please wait...
--- contacting nameserver: 119.110.107.13 [119.110.107.13]

ns1.dnsthen.com A 94.242.222.8
dnsthen.com NS ns2.dnsthen.com
dnsthen.com NS ns1.dnsthen.com
ns2.dnsthen.com A 119.110.107.13

--- DNS Lookup completed


Resolved by the:

Pharmacy Express NAMESERVERS (dedicghqet.com,cloudjfnwe.su,serverdjwnr.com,cloudfheqo.su)
: IP address 61.191.190.8: SBL229468
: IP address 61.191.190.175: SBL229469
: IP address 95.130.11.95: SBL231691
: IP address 119.110.107.13: on vads.com,netmyne.com
: IP address 194.58.59.91: SBL232957

Pharmacy Express utilizes a profiler and heartbeat tracker.

SEE THE NOTE BELOW:
-------------------
As usual, Pharmacy Express makes use of a flash file, pons4.swf, which
provides a rather comprehensive profile of the visitor's system and
which was provided by google! Googlesydnication.com! Wait ... that is
"dn" not "nd". Well that is what it was until they lost that domain and
then it was google! Ooops ... no ... googl. Googlsyndications.com.

Perhaps Google finally acted. The flash file then used the domain,
choosebestkeyword.com but they have now changed it to fastclickstatus.com.

Besides providing a function which is used by Pharmacy Express for a
thorough profile of the victim's system (so extensive one doesn't
need cookies) via Javascript (the profile is part of the data submitted
to the pharmacy site) the flash file also continually connects back to
fastclickstatus.com on ports 80, 843 (the usual flash policy port)
and 10843 (coded in the flash file itself).

Pharmacy Express PROFILER/TRACKER: fastclickstatus.com
: IP address 62.113.214.122: SBL232525

Resolved by its nameserver at the same IP address.


The order form has changed and now returns a contact even
for rejected orders:

SUPPORT SITE: http://yourliveservice.com
: IP address 93.190.142.179: on worldstream.nl

This host is also a pharmacy host/proxy.

Resolved by its:

Pharmacy Express (and support site) NAMESERVER (serverienw.com,dfgshost.com):
: IP address 119.110.107.13: on vads.com,netmyne.com

NOTE:
-----
Today the site I got used an old item. While the pons4.swf file for the
tracker was available and fastclickstatus.com is up, for some reason the
site used pons.swf, an older version whose tracker site (back end) is now
down (the profiler still works), so this time fastclickstatus.com was not
actively involved (though the flash file used is theirs, as a decompilation
and comparison to pons.swf shows; it references an older domain name).

Recently I have seen this older flash file, pons.swf, appear a few times.


HERE ARE A FEW OTHER HOSTNAMES
FOR THE PHARMACY SITE.
-----------------------------------

DETAILS:
--------

PHARMACY EXPRESS SITE: http://doctorfisw.com
PHARMACY EXPRESS SITE: http://doctorolwk.com
PHARMACY EXPRESS SITE: http://[varies]

Now they use Javascript and have sites formatted
for mobile users but ... apparently some of the
sites (slightly older ones) are a bit messed up.
While m.[domain_name] should be the mobile site
and [domain_name] should give the full (desktop)
version and mobile users should be redirected to
m.[domain_name], for a few of the sites the
mobile site is at [domain_name] and the full
site is at m.[domain_name] and desktop users may
or may not be redirected to the full site.

The mobile site with Pharmacy Express branding
uses the /205/ directory.

NOTE ABOVE THAT SOME OF THE DOMAIN NAMES RESOLVE
DIFFERENTLY. LET ME CHECK THE RESOLUTIONS FOR
THE HOSTS doctorfisw.com, doctorolwk.com AND THE
SUPPORT SITE, yourliveservice.com (see below),
AND ITS NAMESERVERS.

NAMESERVERS FOR doctorfisw.com, doctorolwk.com AND yourliveservice.com
FROM THE .com SERVERS. RESOLUTIONS FROM THE .com AND .su SERVERS.
=====================================================================
doctorfisw.com NS ns1.dedicghqet.com
doctorfisw.com NS ns2.cloudjfnwe.su
doctorolwk.com NS ns1.serverdjwnr.com
doctorolwk.com NS ns2.cloudfheqo.su
yourliveservice.com NS ns1.serverienw.com
yourliveservice.com NS ns2.dfgshost.com
ns1.dedicghqet.com A 194.58.59.91
ns2.dedicghqet.com A 61.191.190.8
ns2.cloudjfnwe.su A 61.191.190.8
ns1.cloudjfnwe.su A 194.58.59.91
ns1.serverdjwnr.com A 95.130.11.95
ns2.serverdjwnr.com A 61.191.190.175
ns1.cloudfheqo.su A 95.130.11.95
ns2.cloudfheqo.su A 61.191.190.175
ns1.serverienw.com A 85.25.139.28
ns2.serverienw.com A 119.110.107.13
ns1.dfgshost.com A 85.25.139.28
ns2.dfgshost.com A 119.110.107.13

dig @194.58.59.91 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 78.138.98.176
dig @61.191.190.8 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 78.138.98.176
dig @95.130.11.95 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 62.75.202.135
dig @61.191.190.175 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 62.75.202.135
dig @85.25.139.28 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; connection timed out
dig @119.110.107.13 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 93.190.142.179

dig @194.58.59.91 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorolwk.com A 78.138.98.176
dig @61.191.190.8 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorolwk.com A 78.138.98.176
dig @95.130.11.95 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorolwk.com A 62.75.202.135
dig @61.191.190.175 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorolwk.com A 62.75.202.135
dig @85.25.139.28 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; connection timed out
dig @119.110.107.13 A doctorolwk.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorolwk.com A 93.190.142.179

dig @194.58.59.91 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 78.138.98.176
dig @61.191.190.8 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 78.138.98.176
dig @95.130.11.95 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 62.75.202.135
dig @61.191.190.175 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 62.75.202.135
dig @85.25.139.28 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; connection timed out
dig @119.110.107.13 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 93.190.142.179
=====================================================================

The nameservers for doctorfisw.com (61.191.190.8 and 194.58.59.91)
resolve everything to 78.138.98.176.

The nameservers for doctorolwk.com (61.191.190.175 and 95.130.11.95)
resolve everything to 62.75.202.135.

The nameservers for yourliveservice.com (85.25.139.28 and 119.110.107.13)
resolve everything to 93.190.142.179.
Only 119.110.107.13 was responding.
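
To compare what each authoritative nameserver returns, as the dig runs above do by hand, here is an added Python example (not part of the original record) that parses a transcript in the page's ": "-prefixed format and groups the servers by the A record they gave, listing timeouts and non-authoritative answers separately; the sample transcript is reconstructed from the doctorfisw.com queries above, and the record keys are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the page's own transcript format: each "dig @<server>"
# line is followed by one or more ": "-prefixed result lines (values copied
# from the doctorfisw.com queries shown above).
SAMPLE_TRANSCRIPT = """\
dig @194.58.59.91 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 78.138.98.176
dig @61.191.190.8 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 78.138.98.176
dig @95.130.11.95 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 62.75.202.135
dig @85.25.139.28 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; connection timed out
dig @119.110.107.13 A doctorfisw.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorfisw.com A 93.190.142.179
"""

# "dig @server A name ..." or "dig @server name A ..." (both forms appear on the page)
DIG_RE = re.compile(r"^dig\s+@(\S+)\s+(?:A\s+(\S+)|(\S+)\s+A)\b")
ANSWER_RE = re.compile(r"^:\s*(\S+)\s+A\s+(\d+\.\d+\.\d+\.\d+)$")
FLAGS_RE = re.compile(r"^:\s*;;\s*flags:\s*([a-z ]+?)\s*(?:<--|$)")


def parse_dig_transcript(text):
    """Return {(server, qname): record}; each record notes whether the answer
    carried the 'aa' (authoritative) flag, the A records returned, and
    whether the query timed out."""
    results = {}
    current = None
    for line in text.splitlines():
        m = DIG_RE.match(line)
        if m:
            server = m.group(1)
            qname = m.group(2) or m.group(3)
            current = {"server": server, "qname": qname, "aa": False,
                       "answers": [], "timeout": False}
            results[(server, qname)] = current
            continue
        if current is None:
            continue
        if "connection timed out" in line:
            current["timeout"] = True
            continue
        m = FLAGS_RE.match(line)
        if m:
            current["aa"] = "aa" in m.group(1).split()
            continue
        m = ANSWER_RE.match(line)
        if m and m.group(1) == current["qname"]:
            current["answers"].append(m.group(2))
    return results


def summarize(results, qname):
    """Group the nameservers queried for qname by the A record they returned,
    and list those that timed out or answered without the 'aa' flag.
    'inconsistent' is True when the authoritative servers disagree, which is
    what the transcript above shows for all three domains."""
    by_answer = defaultdict(list)
    timeouts, non_auth = [], []
    for (server, q), rec in results.items():
        if q != qname:
            continue
        if rec["timeout"]:
            timeouts.append(server)
            continue
        if not rec["aa"]:
            non_auth.append(server)
        for ip in rec["answers"]:
            by_answer[ip].append(server)
    return {"by_answer": dict(by_answer), "timeouts": timeouts,
            "non_authoritative": non_auth, "inconsistent": len(by_answer) > 1}
```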

If these hosts are used for load balancing one might expect the
site to be up at each IP address so let me check for doctorfisw.com
at the three IP addresses, 62.75.202.135, 78.138.98.176 and 93.190.142.179.

* Connected to 62.75.202.135:80
: GET / HTTP/1.1
: Host: doctorfisw.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.


* Connected to 78.138.98.176:80
: GET / HTTP/1.1
: Host: doctorfisw.com

: HTTP/1.1 200 OK
: Server: nginx/0.7.67
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.


* Connected to 93.190.142.179:80
: GET / HTTP/1.1
: Host: doctorfisw.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.

Often there are minor differences among the pages such
as different values for some tags. Not this time.
These pages were byte for byte identical.

IP ADDRESS: 62.75.202.135
-------------------------
PHARMACY EXPRESS HOST
inetnum: 62.75.202.0 - 62.75.202.255
% Abuse contact for '62.75.202.0 - 62.75.202.255' is 'abuse@plusserver.de'
descr: BSB-SERVICE Dedicated Server Hosting
country: DE
remarks: Abuse-Contact: abuse@ip-pool.com
descr: Internet-Hoster
e-mail: [omitted]@intergenia.de
abuse-mailbox: abuse@plusserver.de
mnt-by: INTERGENIA-MNT
Address 62.75.202.135 maps to ulm182.startdedicated.de
135.202.75.62.in-addr.arpa has SOA [omitted]@ptr1.intergenia.de
-------------------------
LAST TIME THIS WAS AT 62.75.235.115.

IP ADDRESS: 78.138.98.176
-------------------------
PHARMACY EXPRESS HOST
inetnum: 78.138.96.0 - 78.138.99.255
% Abuse contact for '78.138.96.0 - 78.138.99.255' is 'abuse@mesh.eu'
netname: DEDISERV
country: DE
notify: [omitted]@mesh.eu
e-mail: [omitted]@dediserv.eu
abuse-mailbox: abuse@dediserv.eu
98.138.78.in-addr.arpa has SOA [omitted]@dediserv.eu
-------------------------

IP ADDRESS: 93.190.142.179
--------------------------
PHARMACY EXPRESS HOST
PHARMACY EXPRESS SUPPORT HOST
inetnum: 93.190.142.0 - 93.190.142.255
% Abuse contact for '93.190.142.0 - 93.190.142.255' is 'abuse@worldstream.nl'
netname: WORLDSTREAM
country: NL
abuse-mailbox: abuse@worldstream.nl
Address 93.190.142.179 maps to customer.worldstream.nl
142.190.93.in-addr.arpa has SOA [omitted]@worldstream.nl
--------------------------

IP ADDRESS: 61.191.190.8
------------------------
PHARMACY EXPRESS NAMESERVER
61.191.190.8/32 is on the SBL as SBL229468.
Pharmacy Express nameserver
------------------------

IP ADDRESS: 61.191.190.175
--------------------------
PHARMACY EXPRESS NAMESERVER
61.191.190.175/32 is on the SBL as SBL229469.
Pharmacy Express nameserver
--------------------------

IP ADDRESS: 95.130.11.95
------------------------
PHARMACY EXPRESS NAMESERVER
95.130.11.95/32 is on the SBL as SBL231691.
Pharmacy Express nameserver
------------------------

IP ADDRESS: 119.110.107.13
--------------------------
PHARMACY EXPRESS NAMESERVER
PHARMACY EXPRESS SUPPORT NAMESERVER
inetnum: 119.110.96.0 - 119.110.111.254
descr: TM VADS DC Hosting
country: MY
e-mail: [omitted]@vads.com
abuse-mailbox: abuse@netmyne.com
mnt-by: MAINT-MY-EASTGATE
Address 119.110.107.13 maps to mail.freedom-09.net
107.110.119.in-addr.arpa has SOA [omitted]@ns01.myloca.com
--------------------------

IP ADDRESS: 194.58.59.91
------------------------
PHARMACY EXPRESS NAMESERVER
194.58.59.91/32 is on the SBL as SBL232957.
Pharmacy Express nameserver
------------------------

I will check http://doctorfisw.com at 78.138.98.176.

Let's see ... These sites can have different brandings.
Some are branded as Canadian Pharmacy in the title (an old
spamvertized pharmacy site) with a copyright claiming to be
Canadian Health&Care Mall (a current Yambo spam operation
brand) though it is neither - it is Pharmacy Express.

This is one of their sites branded as ... Pharmacy Express.

This uses the /201/ directory (other themes/brandings are in
different directories, such as /204/ for Canadian Health&Care Mall
and /205/ for the mobile version of the Pharmacy Express
branded site).

An encoded phone number appears on all their sites, decoded
to a Javascript variable which is unused on, for example,
Canadian Health&Care Mall sites. The Javascript used to put
the phone number on the page at Pharmacy Express branded sites,
but no longer.

ENCODED JAVASCRIPT: SHORTER SCRIPTS, NOW ENCODED
------------------------------------------------
They used to use a lot of their own code. Now they use jquery.
Their code used to be plain Javascript source text.
Then their (large) script was doubly encoded (base64 and XOR
with an array of values). This time four sections of code
at the end of the script (including the QuickSearch library)
are encrypted.

The encoded phone number which appears in the home page's HTML code
-------------------------------------------------------------------------------
var msgs = {
: removeProduct: "You are removing %PRODUCT_TITLE% from your cart. Continue?",
: notFound: "Not found",
: emptySearchQuery: "Empty search query",
: search: "Search...",
: minLengthIs: "minimum allowed length is",
: maxLengthIs: "maximum allowed length is",
: characters: "characters",
: emptyCart: "Do you really want to empty cart ?",
: phone: "+k-aee vgb-kevk",
: siteTitle: "Pharmacy Express"
};
-------------------------------------------------------------------------------
is decoded by their translate function in the script file,
http://[hostname]/201/js/_set_main.js?v=e221041eeed140ccd475cf5d07079138

function translate(string,search,replace), which just implements
a simple character substitution (a transliteration, like the Unix "tr"
command: each character of the string found in search is replaced by
the character at the same position in replace), called as
: $('.phn').html(translate(msgs.phone, 'kagzrvbehn', '1845962037'));

[The code was originally
: var phone=translate(msgs.phone,'kagzrvbehn','1845962037');
using a separate variable for the decoded phone number
which was then used on the page. Now the 'phone' variable is gone.]
(The substitution had been different in the dim past.)

and, of course:
: echo "+k-aee vgb-kevk" | tr 'kagzrvbehn' '1845962037'

gives the usual phone number: +1-800 642-1061
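
As an added Python example (not the site's code and not from the original record), the same recovery done programmatically: the encoded value is pulled from the msgs object and the two alphabets from the translate() call, then the substitution is applied; it also provides the inverse mapping to confirm a suspected alphabet. The two fragments are constructed from the snippets quoted above.

```python
import re

# Constructed fragments modelled on the page: the msgs object from the home
# page HTML and the translate() call from _set_main.js. Only these two pieces
# are reproduced; the rest of the site's code is not.
PAGE_HTML = '''
<script>
var msgs = {
  search: "Search...",
  phone: "+k-aee vgb-kevk",
  siteTitle: "Pharmacy Express"
};
</script>
'''

SCRIPT_JS = '''
function translate(string,search,replace){ /* body elided */ }
$('.phn').html(translate(msgs.phone, 'kagzrvbehn', '1845962037'));
'''

PHONE_RE = re.compile(r'phone\s*:\s*"([^"]*)"')
TRANSLATE_CALL_RE = re.compile(
    r"translate\(\s*msgs\.phone\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*\)")


def tr(text, search, replace):
    """Character-for-character substitution, what the site's translate() and
    the Unix tr command do: characters of text found in `search` map to the
    character at the same index in `replace`; anything else ('+', '-', the
    space) passes through unchanged."""
    if len(search) != len(replace):
        raise ValueError("search and replace alphabets must have equal length")
    return text.translate(str.maketrans(search, replace))


def extract_mapping(script_js):
    """Pull the search/replace alphabets out of the translate() call."""
    m = TRANSLATE_CALL_RE.search(script_js)
    if not m:
        raise ValueError("no translate(msgs.phone, ...) call found")
    return m.group(1), m.group(2)


def extract_encoded_phone(page_html):
    m = PHONE_RE.search(page_html)
    if not m:
        raise ValueError("no msgs.phone value found")
    return m.group(1)


def decode_site_phone(page_html, script_js):
    """Recover the plain phone number (the searchable indicator) from the
    page and its script."""
    search, replace = extract_mapping(script_js)
    return tr(extract_encoded_phone(page_html), search, replace)


def encode_site_phone(plain, search, replace):
    """Inverse mapping: encoding the decoded number with the same alphabets
    must reproduce the msgs.phone value, which confirms the alphabet."""
    return tr(plain, replace, search)
```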

NOTE:
-----
If your browser does NOT indicate that it supports compression (gzip)
the pages come back uncompressed BUT THE JAVASCRIPT AND/OR STYLE SHEET
FILE MAY COME BACK COMPRESSED ANYWAY. I often configure firefox not to
accept compressed pages so I can do a packet capture and 'grep' through
it for relevant items. Material will be invisible even with Javascript
enabled if the browser is set not to request (or decompress) compressed
content and the Javascript is compressed. At times only the Javascript
file was compressed. At other times only the style sheet was compressed.
Sometimes both come back compressed. Both were compressed this time.

The page style changed some time ago. Besides using Javascript to place messages
(and encoding the phone number - one can no longer 'google' for that number to find
other hosts/pages) there were lines over 50K in size on the starting page.
Those were long style sheet codes. Now separate style sheet files are used
and the longest line I now see on the page is about 17K in size.

Surprisingly the copyright notice at the bottom of the page,
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.
was not encoded as the phone number is though you won't find
"Pharmacy Express" when grep'ing through the page's HTML code
as it appears as "Pha[span]rmacy Express.[/span]".

STYLE SHEET TO POSITION BOOKMARK (facebook, etc.) LINKS OVER IMAGE
---------------------------------------------------------------------------
WHILE I HAVE NOT RECENTLY SEEN THE Facebook AND OTHER SOCIAL NETWORK LINKS
ON THE PAGES USING DIFFERENT BRANDINGS (e.g. "Canadian Pharmacy",
"Canadian Health&Care Mall") THEY DO APPEAR ON THIS PHARMACY EXPRESS SITE.
---------------------------------------------------------------------------
The page has links to various social networking sites such as
[a href="http://www.facebook.com/share.php?u=%site_url%" class="c" title="Save to Facebook"][/a]
in a "div" element, [div class="bookmarks"].

The Javascript contains the code to update the data:
------------------------------------------------
var reSiteURL = new RegExp('\%site_url\%', "g");
var reSiteTitle = new RegExp('\%site_title\%', "g");
$(".bookmarks a").each(function() {
var url = $(this).attr('href');
url = url.replace(reSiteURL, location.protocol + '//' + location.host);
url = url.replace(reSiteTitle, msgs.siteTitle);
$(this).attr('href', url);
});
------------------------------------------------
When Javascript was first used to update the social site links
there was only a regular expression to change the site_url,
not the site_title, but when they started using multiple brandings
such as 'ED Express' or 'Canadian Pharmacy' the code to set the
title was added.

The bookmark links, such as the above facebook link, have length zero!
How to click on them? The style sheet repositions them over the header image,
: .header .bookmarks{position:absolute;top:177px;left:35px}
: .header .bookmarks a{width:16px;height:16px;display:block;position:relative;
: float:left;margin-right:2px;margin-top:3px}
giving each a width of 16 pixels. They are positioned so that the
clickable region for each social network's link is placed over
that network's icon embedded in the header image,
http://[hostname]/201/img/header/header-bg-usps.jpg
which is often modified to suit the current holiday or celebration
such as header-bg-labor.jpg for Labor Day.

When these sites were hosted on bots (at other times the
spammer gets his own hosting) or for other reasons had
problems with bandwidth the images had often been hosted
elsewhere but I have not seen images loaded from elsewhere
for quite some time.

This time very few real images are loaded, but from the spamvertized
site itself with URLs such as:
: http://[hostname]/201/img/sprite/most_popular_1.jpg?v=1408401447

NOTE:
-----
Few images are used. For example two images are used for all
the pill images, "sprite" panels (tableaux of pill subimages)
: http://[hostname]/201/img/sprite/most_popular_1.jpg?v=1408401447
: http://[hostname]/201/img/sprite/most_popular_2.jpg?v=1408401447
STYLE SHEET:
: .spr_products_75x75_viagra,.spr_products_75x75_viagra_brand,.spr_products_75x75_cialis,...
: {background-image:url(../img/sprite/most_popular_1.jpg?v=1408401447) !important}
and various selections from the image are carefully placed
: .spr_products_75x75_propecia
: {background-position:-75px 0px !important;width:75px !important;height:75px !important}
so the portion which appears as the background for each
anchor tag/link is just the proper pill image.
(A TINY CHANGE. The version I have most often seen has
"background-position:-75px 0px" but sometimes a site uses
"-75px 0"; after all "0px" or "0anything_else" is still the
same size, zero.)

One used to find separate images such as
: http://[hostname]/101/img/products/75x75/levitra_brand.jpg
Now the images appear to have a time stamp, net-time, the number
of seconds since 1 January 1970.

Sometimes these sites have a secure order form and sometimes not.
Usually the order site is not secure.

This time upon reaching the CHECKOUT page I found the form:
: [form id="form_checkout" action="/checkout/" method="post"][/form]

Most often, recently, the action has simply been action="/checkout/"
with payment being submitted to the pharmacy site itself.
Sometimes the "action" points to another, order, site.
Note that sometimes (but infrequently) those order sites are secure (https).

PHARMACY EXPRESS ORDER SITE: http://doctorfisw.com/checkout/

* Connected to 78.138.98.176:80
: POST /checkout/ HTTP/1.1
: Host: doctorfisw.com

: HTTP/1.1 200 OK
: Server: nginx/0.7.67
: [title]Pharmacy online-store[/title]

In the past the title had been
: [title]Welcome to http://[hostname] Checkout page[/title]

In spite of their assurance that:
"we provide 256bit SSL secure pay page to process your order"
your financial data is submitted unencrypted and insecurely.

Verisign's assurance of security is given in their seal at
: http://[hostname]/201/img/sprite/cart.png?v=1408401447

(part of another sprite tableau) but while in the past the
Verisign seal had been displayed, it is not this time.

THERE HAVE BEEN RECENT CHANGES TO THE ORDER FORM PAGE.
------------------------------------------------------
They used to use very obnoxious Javascript on this page.
It checked and validated each keystroke. On a slightly aged
system, such as mine it was actually quite painful to use
their order form.

Now they use *extremely* obnoxious Javascript on this page.
It spends much more time and is much more CPU expensive while
checking everything every moment and, combined with the flash
tracker which continually runs in the background, connecting
over and over to their tracking site (every twenty seconds
- see below) it is now *very* painful to use their order form
on a slightly aged system such as mine.

If you like the tab key and to tab from form entry to form
entry expecting some sort of sensible arrangement - well,
you will be disappointed here.

There used to be two input boxes for one's email address,
a first and a second, "confirmation" input box to catch
typos. That second box still has the field name "confirm_email"
but is now labeled as 'Alternative e-mail'. They have also
added an input box for a second phone number ("Mobile phone").
Originally "Alternative e-mail" and "Mobile phone" inputs
were required for a successful form submission (though one
could simply enter the same address or phone number in both
input boxes). Now they are optional.

While they seem to have some respect for Verisign and I
did not see the Verisign seal, they seem to have lost all
respect for McAfee as the McAfee SECURE seal at ma.png
: http://[hostname]/checkout/img/ma.png
is back on the page (this seal used to be in a sprite tableau,
transparent_gif_[TIME_STAMP].gif which I no longer see and
had not been on the pages for quite some time) "guaranteeing"
the security of the transaction.
------------------------------------------------------

One connects to the order site, submitting the data:

: i=XXxWQU... This is base 64 encoded data with embedded
: Win/DOS ends-of-line (%0D%0A). The unescaped
: string had a length of 5412 characters including
: Win/DOS EOLs and 5272 without the EOL characters.

*: The use of "="'s to pad the string's length to a multiple
of four bytes when necessary suggests some sort of
base 64 encoding but it is not simply encoded plain text
using the standard encoding. The data varies and the
string has had different lengths in the past.
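
The check described above, as an added Python example that is not from the original record: unescape the value, drop the CR/LF characters, confirm it is structurally valid base64, decode it, and judge from the printable fraction and byte entropy whether the bytes are plain text. The two sample values are constructed (the page's real "i" value is not reproduced), and the 0.95 / 6.0-bit thresholds are my own working assumptions.

```python
import base64
import binascii
import math
from urllib.parse import unquote


def _wrap_crlf(b64, width=76):
    # Reproduce the %0D%0A-separated lines seen in the captured "i=" value.
    return "%0D%0A".join(b64[i:i + width] for i in range(0, len(b64), width))


# Constructed stand-ins: base64 of readable form text, and base64 of opaque
# bytes (as XOR-ed or encrypted data would look). Neither is the site's data.
TEXT_SAMPLE = _wrap_crlf(base64.b64encode(
    b"email=victim@example.invalid&first_name=Jane&last_name=Doe" * 4).decode())
OPAQUE_SAMPLE = _wrap_crlf(base64.b64encode(
    bytes((i * 197 + 31) % 256 for i in range(240))).decode())


def analyse_i_field(value):
    """Return a report on a captured i=... value: lengths with and without
    EOLs, whether it is valid base64 ('=' padding to a multiple of four,
    standard alphabet), and whether the decoded bytes look like plain text."""
    raw = unquote(value)
    stripped = raw.replace("\r", "").replace("\n", "")
    report = {"len_with_eol": len(raw), "len_without_eol": len(stripped),
              "valid_base64": False, "decoded_len": 0,
              "printable_ratio": 0.0, "entropy_bits": 0.0, "plain_text": False}
    if len(stripped) % 4 != 0:
        return report
    try:
        data = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return report
    report["valid_base64"] = True
    report["decoded_len"] = len(data)
    if not data:
        return report
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    report["printable_ratio"] = printable / len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    report["entropy_bits"] = -sum((c / len(data)) * math.log2(c / len(data))
                                  for c in counts if c)
    # Plain text is almost entirely printable with low byte entropy (roughly
    # 4-5 bits); XOR-ed or encrypted data is neither (assumed thresholds).
    report["plain_text"] = (report["printable_ratio"] > 0.95
                            and report["entropy_bits"] < 6.0)
    return report
```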

NOTE:
-----
There are two forms appearing on the page at
the pharmacy site (whose data is submitted
to the order site to get the actual order page).
The one with the data does not have an action
submitting it to the order URL.
Javascript simply empties the form going to the
order URL, copies the "i" value from the dummy
form with data to the form going to the order URL
and submits that.

and one gets the order-form page:

: Pharmacy Express Checkout page
: The information you provided will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express

: For quite some time the page had started with:
: ----------------------------------------------
: Pharmacy online-store
: The information you provide will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express

: In the past it had read:
: ------------------------
: Welcome to http://[hostname] Checkout page
: The information you provide will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express
: ------------------------

and before that it had read:
----------------------------
: (c) 2003-2012 Pharmacy Express
: Have a question? Call us back +1-888-738-9650
----------------------------
but now the phone contact is missing.

In the past, when the order site was secure, the text read:
: Welcome to http://[hostname] Secure checkout page
: You have just been redirected to this 256bit SSL secure pay page to process
: your order.
but at the last secure order site, the page omitted the claim of security
as well as the contact phone number.

to which one submits

* Connected to 78.138.98.176:80
: POST /checkout/ HTTP/1.1
: Host: doctorfisw.com

: HTTP/1.1 200 OK
: Server: nginx/0.7.67
: [title]Pharmacy online-store[/title]

the data:

: new_customer=1
: &email=[victim's address: email]
: &first_name=[victim's name: first]
: &confirm_email=[victim's address: email] [+]
: &last_name=[victim's name: last]
: &billing_country_id=US
: &billing_city=[victim's address: city]
: &billing_state_id=[victim's address: state]
: &billing_address=[victim's address: street]
: &billing_zip=[victim's address: zip code]
: &phone=[victim's phone number]
: &mobile_phone=[victim's phone number - mobile] [*]
: &shipping_form=on [&]
: &payment_method=visa
: &issuing_bank=[credit card: issuing bank]
: &card_number=[victim's credit card number]
: &cvv=[credit card: private security number]
: &comment=[comment section] [*]
: &birth_year=[victim's birthdate: year]
: &birth_month=[victim's birthdate: month]
: &birth_day=[victim's birthdate: day]
: &expiration_month=[credit card: expiration date: month]
: &expiration_year=[credit card: expiration date: year]
: &utime=[Javascript: Date().toLocaleString()]
: &screen=[Javascript: screen.width+'x'+screen.height+'x'+screen.colorDepth]
: &platform=[Javascript: navigator.platform]
: &srv=[FLASH: fingerprinting system info] [#]
: &fid=[FLASH: flash/session random iD] [#]
: &fnt=[FONTS: fingerprinting font info] [#]
: &uid=[FLASH: SESSION ID] [#]
: &pasted=
: &submit_order=1 [-]

---
+: This now appears on the form as "Alternative e-mail"
Originally it was a required field.
Now it is optional.
---
*: New
Originally this was a required field.
Now it is optional.
&: Previously was "as_billing"
---
-: Previously was "submit_order"
---

There have been a few changes.

1: Specifying that the shipping address was the
: same as the billing address resulted in the
: removal/suppression of the shipping_country_id
: and shipping_state_id values which had previously
: been present.

2: submit_order had the string value, "submit_order",
: most recently and now has the value, 1.

3: Two elements (the shipping country and state)
: have disappeared while two new ones,
: mobile_phone and comment have appeared so the
: number of name/value pairs submitted is the same.

and the order of the data submitted has changed a bit.

One thing interested me. The submit button on the
order form is labeled "Confirm data" but that is not a
capital English "C". It is a Cyrillic capital "ES" (С, U+0421).

(Previously the data was submitted in one step but
now one goes through an intermediate "confirmation
page". That page does not repost the data but allows
one to return to the order form page to edit it or
continue - in which case it simply posts the
confirmation data,
: confirm_order=confirm_order
to

* Connected to 78.138.98.176:80
: POST /checkout/ HTTP/1.1
: Host: doctorfisw.com

which sends one on to a status page:

: HTTP/1.1 302 OK
: Server: nginx/0.7.67
: Location: http://doctorfisw.com/checkout/status/


UPDATED CREDIT CARD PAYMENT OPTIONS:
------------------------------------
It seems that they have lost payment options,
for originally
: Visa (payment_method=visa)
: MasterCard (payment_method=mastercard)
: American Express (payment_method=amex)
: JCB (payment_method=jcb) [Japan Credit Bureau]
: Diners Club (payment_method=dinersclub)
: ACH (payment_method=ach) [Automated Clearing House]
were available and then only
: Visa (payment_method=visa)
was available.
American Express had reappeared, was gone for some time
and now is back ("amex").


Isn't Adobe's Shockwave Flash wonderful?
----------------------------------------
A perfect little tool to fingerprint visitors quite
accurately. The order site loads a little flash file,
pons4.swf. It used to be named bridge.swf (and the page
element, a DIV with id="swfContent", contains pons4.swf,
an object with that id, "bridge") then it was named pons.swf
but they have changed it. The file is rather heavily
obfuscated so it took some time to handle.

* Connected to 78.138.98.176:80
: GET /checkout/pons.swf HTTP/1.1
: Host: doctorfisw.com

: HTTP/1.1 200 OK
: Server: nginx/0.7.67
: Content-Type: application/x-shockwave-flash
: Content-Length: 2982

OUCH! The old pons.swf file still exists. It does not
use fastclickstatus.com (which is still up) but
getclickanalysis.com for the tracking back end.

While the flash file tries to get content from
getclickanalysis.com it fails miserably.
-----------------------------------------------------------
www.getclickanalysis.com CNAME free.park-your-domain.com.
-----------------------------------------------------------
THIS IS NOT GOING TO WORK!

The pons4.swf file exists, too, but somehow they managed
to set the site to load the old, pons.swf file, for which
the tracker backend is not up. However, the old file is
still loaded and performs its function as a profiler.

This same thing, using pons.swf instead of pons4.swf,
also occurred at a Pharmacy Express site I checked
about a week and a half ago and again a few days ago.

You don't see this hidden item (width="1" height="1").
This file creates a callback function:
: flash.external.ExternalInterface.addCallback(...);
which provides an interface for Javascript. This
provides the Javascript at the order site with a
profile of the visitor's system as determined by the
flash file. Two ID variables (fid and uid) are set.
Along with those the flash file is used to get your system
capabilities and store them in a variable, srv, and finally
it gets a full list of all your fonts ("getFontList") and
sets the variable, fnt, to that list (I have over 400 fonts
installed). I wonder if anyone has the same list of fonts
that I have. The system variable, srv, lists your OS
and kernel (e.g. Linux 2.4.32 for kernel 2.4.32 on
Linux) among many other items. Well, who needs cookies
with so precise a fingerprint?

And this pons.swf file? It is Google's!!! Sorry Googl's.
WAIT. It isn't google's or googl's any more.

The new domain name is fastclickstatus.com NOW (pons4.swf)
but pons.swf uses the domain getclickanalysis.com (the same
operation but an old domain name) for its backend.

Recently it was googlsyndications.com's (before that it
was googlesydnication.com's ("dn", not "nd")) tracker
(besides the interface to enable Javascript to access the
profile that flash can extract from your system, this flash
file "calls home" every twenty seconds, a heartbeat tracker).
When they seem to have lost the "Google" domain names
they used the domain name choosebestkeyword.com and have
now switched to fastclickstatus.com.

Since Pharmacy Express continued to use this tracker as it
moved from googlesydnication to googlsyndications even when the
backend for the heartbeat tracker was down for awhile, I would
hazard a guess that googlesydnication.com, googlsyndications.com,
choosebestkeyword.com and now fastclickstatus.com are part of
Pharmacy Express.


PHARMACY EXPRESS TRACKER: http://[varies].fastclickstatus.com

This was originally google.sydnication.com ("dn", not "nd")
until they lost that domain. It then changed to googlsyndications.com.
It then changed to choosebestkeyword.com and is now
fastclickstatus.com.

Where is it now?

NAMESERVERS FOR fastclickstatus.com FROM THE .com SERVERS.
==========================================================
fastclickstatus.com NS ns1.fastclickstatus.com
fastclickstatus.com NS ns2.fastclickstatus.com
ns1.fastclickstatus.com A 62.113.214.122
ns2.fastclickstatus.com A 62.113.214.122

dig @62.113.214.122 fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: fastclickstatus.com A 62.113.214.122
==========================================================

HOWEVER ... this is the newer domain name used by the tracker
(pons4.swf) while, for some reason (perhaps they decided that
it wasn't necessary to use the backend and connect to it every
twenty seconds) this time the web site loaded an older version
of the flash based profiler/tracker, pons.swf, which performs
its function as a profiler but has no working tracker site
(the domain name it uses is getclickanalysis.com) to which to
connect every twenty seconds (though it does try to!).

SUPPORT SITE: http://yourliveservice.com
SUPPORT CONTACT [email]: support@yourliveservice.com
SUPPORT CONTACT [phone]: +1-212-389-6349

In the past, if a payment was rejected (the site verified
the credit card for the payment before returning the status
page) the status page returned simply indicated a failure.

SOMETIMES in verifying a Visa card it seemed that the backend
did not quickly enough obtain a result in which case the site
provided a default status page indicating that the card was
accepted and providing a further contact (web site or email
and a phone number).

Submitting a fake order using a Visa card sometimes, but very
seldom, would provide the further contact.

They have updated the order form and its activity and now,
even a rejected order submission elicits:

* Connected to 78.138.98.176:80
: GET /checkout/status/ HTTP/1.1
: Host: doctorfisw.com

: HTTP/1.1 200 OK
: Server: nginx/0.7.67
: <title>Checkout status</title>
: Pharmacy Express Checkout page
: We are sorry but the transaction was declined by the bank.
: ...
: If you have any questions about your order, please, contact us:
: phone: +1-212-389-6349
: e-mail: [a href="mailto:support@yourliveservice.com"]support@yourliveservice.com[/a]
: (c) 2003-2014 Pharmacy Express

So, what is at http://yourliveservice.com?

ABOVE WE SAW THE DATA:

NAMESERVERS FOR yourliveservice.com FROM THE .com SERVERS.
RESOLUTIONS FROM THE .com SERVERS.
==========================================================
yourliveservice.com NS ns1.serverienw.com
yourliveservice.com NS ns2.dfgshost.com
ns1.serverienw.com A 85.25.139.28
ns2.serverienw.com A 119.110.107.13
ns1.dfgshost.com A 85.25.139.28
ns2.dfgshost.com A 119.110.107.13

dig @85.25.139.28 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; connection timed out
dig @119.110.107.13 A yourliveservice.com +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 93.190.142.179
==========================================================

* Connected to 93.190.142.179:80
: GET / HTTP/1.1
: Host: yourliveservice.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]LiveHelp Support[/title]
: ...
: Our Support Center helps you to:
: 1. View order status
: 2. Cancel order
: 3. View orders' history
: ...
: (c) 2003-2014 LiveHelp Support Center.

In the past the page was a bit longer, including:

: --------------------------------------------------------------
: If you need additional information, please, contact us anytime
: e-mail: [a href="mailto:support@liveserviceonline.com"]support@liveserviceonline.com[/a]
: phone: +1-212-389-6349
: (c) 2003-2014 LiveHelp Support Center.
: --------------------------------------------------------------

and just in case you think that this is an innocent third party
support service:

* Connected to 93.190.142.179:80
: GET / HTTP/1.1
: Host: doctorfisw.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.

It also hosts/proxies the pharmacy site, itself.

PRODUCT INFORMATION:

There has been no change in the product listing since
the last time I checked.

_________________________________________________________________



SBL231917 :

Pharmacy Express SITE: http://doctorjyyp.ru
Pharmacy Express SITE: http://doctoreqla.com
Pharmacy Express SITE: http://[varies]
: IP address 176.31.180.172: on ovh.net
: IP address 212.83.147.244: on proxad.net,tiscali.fr,poneytelecom.eu,iliad-entreprises.fr (iliad.fr)
: IP address 144.76.133.115: on your-server.de,hetzner.de
: IP address 5.104.111.99: on fastit.net,myLoc.de

Resolved by the:

Pharmacy Express NAMESERVERS (dnsgeimt.su,hostqpls.com,hosttbap.com,cloudclwq.su)
: IP address 95.130.11.95: SBL231691
: IP address 61.191.190.175: SBL229469
: IP address 91.213.233.71: SBL231197
: IP address 193.124.91.59: on reg.ru,relcom.net

Pharmacy Express utilizes a profiler and heartbeat tracker.

As usual, Pharmacy Express makes use of a flash file, pons4.swf, which
provides a rather comprehensive profile of the visitor's system.

Besides providing a function which is used by Pharmacy Express for a
thorough profile of the victim's system (so extensive one doesn't
need cookies) via Javascript (the profile is part of the data submitted
to the pharmacy site) the flash file also continually connects back to
fastclickstatus.com on ports 80, 843 (the usual flash policy port)
and 10843 (coded in the flash file itself).

Pharmacy Express PROFILER/TRACKER: fastclickstatus.com
: IP address 37.59.109.225: on ovh.net

Resolved by its nameserver at 37.59.109.225.

The order form has changed and now returns a contact even
for rejected orders:

SUPPORT SITE: http://yourliveservice.com
: IP address 5.104.111.99: on fastit.net,myLoc.de

This host is also a pharmacy host/proxy.

Resolved by its:

Pharmacy Express (and support site) NAMESERVER (serverienw.com,hostgallop.com):
: IP address 193.124.91.59: on reg.ru,relcom.net


HERE ARE A FEW OTHER HOSTNAMES
FOR THE PHARMACY SITE.
----------------------------------
doctordqfsh.com A 212.83.147.244
doctoreqla.com A 212.83.147.244
doctorrlbqk.com A 212.83.147.244
doctortuve.com A 212.83.147.244
medicdebjp.com A 212.83.147.244
medicswqo.com A 212.83.147.244
sqjhdoctors.com A 212.83.147.244
xfxomedics.com A 212.83.147.244
urlsbn.ru A 212.83.147.244
doctornnek.cn.com A 176.31.180.172
doctorswmb.cn.com A 176.31.180.172
doctorciao.com A 176.31.180.172
doctorlest.com A 176.31.180.172
doctormull.com A 176.31.180.172
doctorpull.com A 176.31.180.172
sqdoctors.com A 176.31.180.172
zidoctor.com A 176.31.180.172
aabwmedic.ru A 176.31.180.172
bfzomedics.ru A 176.31.180.172
bifortmedic.ru A 176.31.180.172
bwfnmedics.ru A 176.31.180.172
cfwzmedics.ru A 176.31.180.172
cfxymedics.ru A 176.31.180.172
cgahmedics.ru A 176.31.180.172
cgngmedics.ru A 176.31.180.172
cgpbmedics.ru A 176.31.180.172
cgqgmedics.ru A 176.31.180.172
cgrxmedics.ru A 176.31.180.172
dnnomedic.ru A 176.31.180.172
doctorbvwa.ru A 176.31.180.172
doctorbvyv.ru A 176.31.180.172
doctorbzui.ru A 176.31.180.172
doctorefprx.ru A 176.31.180.172
doctorgfuf.ru A 176.31.180.172
doctorjyyp.ru A 176.31.180.172
doctorltonsrom.ru A 176.31.180.172
doctorluldhi.ru A 176.31.180.172
doctorlzew.ru A 176.31.180.172
doctormahv.ru A 176.31.180.172
doctormdgd.ru A 176.31.180.172
doctormown.ru A 176.31.180.172
doctormvoh.ru A 176.31.180.172
doctorncte.ru A 176.31.180.172
doctornzjk.ru A 176.31.180.172
doctorpefby.ru A 176.31.180.172
doctorpezhs.ru A 176.31.180.172
doctorqcxqa.ru A 176.31.180.172
doctorrolrow.ru A 176.31.180.172
doctorrrnye.ru A 176.31.180.172
doctorthyjo.ru A 176.31.180.172
doctoruxvq.ru A 176.31.180.172
doctorvctcd.ru A 176.31.180.172
doctorvrdpz.ru A 176.31.180.172
doctorxonft.ru A 176.31.180.172
doctorythb.ru A 176.31.180.172
doctorzmv.ru A 176.31.180.172
dsdlmedic.ru A 176.31.180.172
efqrmedics.ru A 176.31.180.172
efrnmedics.ru A 176.31.180.172
eftzmedics.ru A 176.31.180.172
efvdmedics.ru A 176.31.180.172
egjxmedics.ru A 176.31.180.172
ehmpmedic.ru A 176.31.180.172
felighmedic.ru A 176.31.180.172
gacumedics.ru A 176.31.180.172
gcdumedic.ru A 176.31.180.172
gdnrmedic.ru A 176.31.180.172
gdzxmedics.ru A 176.31.180.172
gebxmedics.ru A 176.31.180.172
gehpmedics.ru A 176.31.180.172
gejhmedics.ru A 176.31.180.172
genhmedics.ru A 176.31.180.172
gqdgmedics.ru A 176.31.180.172
hclhmedic.ru A 176.31.180.172
hfncmedics.ru A 176.31.180.172
hxpymedics.ru A 176.31.180.172
iemrmedic.ru A 176.31.180.172
jsztmedics.ru A 176.31.180.172
jtcsmedics.ru A 176.31.180.172
jtermedics.ru A 176.31.180.172
lqewmedic.ru A 176.31.180.172
lxnsmedic.ru A 176.31.180.172
lyncmedic.ru A 176.31.180.172
medicaacg.ru A 176.31.180.172
medicaadl.ru A 176.31.180.172
medicaceo.ru A 176.31.180.172
medicacrja.ru A 176.31.180.172
medicafbi.ru A 176.31.180.172
medicagad.ru A 176.31.180.172
medicajffu.ru A 176.31.180.172
medicaytcf.ru A 176.31.180.172
medicbfgb.ru A 176.31.180.172
medicbgmdu.ru A 176.31.180.172
medicbigu.ru A 176.31.180.172
mediccpnof.ru A 176.31.180.172
mediccvmqh.ru A 176.31.180.172
medicdcomq.ru A 176.31.180.172
medicdgxyd.ru A 176.31.180.172
medicegblm.ru A 176.31.180.172
medicesoh.ru A 176.31.180.172
mediceywh.ru A 176.31.180.172
medicfdaf.ru A 176.31.180.172
medicflmr.ru A 176.31.180.172
medicgchtt.ru A 176.31.180.172
medichekm.ru A 176.31.180.172
medichhcgk.ru A 176.31.180.172
medichrvn.ru A 176.31.180.172
medichxqbd.ru A 176.31.180.172
medichykry.ru A 176.31.180.172
mediciidc.ru A 176.31.180.172
medicijjqv.ru A 176.31.180.172
mediciuaof.ru A 176.31.180.172
medicixdvk.ru A 176.31.180.172
medicjaftu.ru A 176.31.180.172
medicjiirt.ru A 176.31.180.172
medicjshu.ru A 176.31.180.172
medicjtpd.ru A 176.31.180.172
medickfhq.ru A 176.31.180.172
mediclakxh.ru A 176.31.180.172
mediclhechim.ru A 176.31.180.172
mediclhowthe.ru A 176.31.180.172
medicllgdj.ru A 176.31.180.172
medicllorol.ru A 176.31.180.172
mediclvzg.ru A 176.31.180.172
medicmbfyi.ru A 176.31.180.172
medicmjuve.ru A 176.31.180.172
medicmqwp.ru A 176.31.180.172
medicnckv.ru A 176.31.180.172
medicnnqti.ru A 176.31.180.172
medicnrwye.ru A 176.31.180.172
medicnsxgs.ru A 176.31.180.172
medicntdu.ru A 176.31.180.172
medicnywvu.ru A 176.31.180.172
medicocat.ru A 176.31.180.172
medicoingw.ru A 176.31.180.172
medicolcd.ru A 176.31.180.172
medicownm.ru A 176.31.180.172
medicoyhsx.ru A 176.31.180.172
medicpnbcd.ru A 176.31.180.172
medicpyqz.ru A 176.31.180.172
medicrmxh.ru A 176.31.180.172
medicrtci.ru A 176.31.180.172
medicsemi.ru A 176.31.180.172
medicsgtu.ru A 176.31.180.172
medicsltc.ru A 176.31.180.172
medicsuhgg.ru A 176.31.180.172
medicsxulj.ru A 176.31.180.172
medictejf.ru A 176.31.180.172
medicuhefj.ru A 176.31.180.172
medicukker.ru A 176.31.180.172
medicvcnfw.ru A 176.31.180.172
medicvuuwf.ru A 176.31.180.172
medicwomp.ru A 176.31.180.172
medicwytsj.ru A 176.31.180.172
medicxktef.ru A 176.31.180.172
medicxqise.ru A 176.31.180.172
medicyfzd.ru A 176.31.180.172
medicyjwaf.ru A 176.31.180.172
medicymzyo.ru A 176.31.180.172
medicyqha.ru A 176.31.180.172
medicytjf.ru A 176.31.180.172
mediczgex.ru A 176.31.180.172
mediczqt.ru A 176.31.180.172
mediczrb.ru A 176.31.180.172
mediczxnuq.ru A 176.31.180.172
mwptmedic.ru A 176.31.180.172
nqummedic.ru A 176.31.180.172
oksmmedic.ru A 176.31.180.172
pqhvmedic.ru A 176.31.180.172
pqkydoctors.ru A 176.31.180.172
pqvgmedic.ru A 176.31.180.172
pubdmedic.ru A 176.31.180.172
pvwjmedic.ru A 176.31.180.172
retnemedic.ru A 176.31.180.172
rhxumedics.ru A 176.31.180.172
vjnqmedics.ru A 176.31.180.172
wwcumedic.ru A 176.31.180.172
xcdmmedics.ru A 176.31.180.172
xcfwmedics.ru A 176.31.180.172
xcgvmedics.ru A 176.31.180.172
yqfimedics.ru A 176.31.180.172
mediciwqrl.su A 176.31.180.172
medicpatzm.su A 176.31.180.172
----------------------------------

DETAILS:
--------

PHARMACY EXPRESS SITE: http://doctorjyyp.ru
PHARMACY EXPRESS SITE: http://doctoreqla.com
PHARMACY EXPRESS SITE: http://[varies]

Now they use Javascript and have sites formatted
for mobile users but ... apparently some of the
sites (slightly older ones) are a bit messed up.
While m.[domain_name] should be the mobile site
and [domain_name] should give the full (desktop)
version and mobile users should be redirected to
m.[domain_name], for a few of the sites the
mobile site is at [domain_name] and the full
site is at m.[domain_name] and desktop users may
or may not be redirected to the full site.

The mobile site with Pharmacy Express branding
uses the /205/ directory.

NOTE ABOVE THAT SOME OF THE DOMAIN NAMES RESOLVE
DIFFERENTLY. LET ME CHECK THE RESOLUTIONS FOR TWO
HOSTS doctorjyyp.ru AND doctoreqla.com AND CHECK
THE SUPPORT SITE, yourliveservice.com (see below),
AND ITS NAMESERVERS.

NAMESERVERS FOR doctorjyyp.ru, doctoreqla.com AND yourliveservice.com
FROM THE .ru AND .com SERVERS. RESOLUTIONS FROM THE .su AND .com SERVERS.
=====================================================================
doctorjyyp.ru NS ns1.hostqpls.com
doctorjyyp.ru NS ns2.dnsgeimt.su
doctoreqla.com NS ns1.hosttbap.com
doctoreqla.com NS ns2.cloudclwq.su
yourliveservice.com NS ns2.hostgallop.com
yourliveservice.com NS ns1.serverienw.com
ns1.hostqpls.com A 95.130.11.95
ns2.hostqpls.com A 61.191.190.175
ns1.dnsgeimt.su A 95.130.11.95
ns2.dnsgeimt.su A 61.191.190.175
ns1.hosttbap.com A 91.213.233.71
ns2.hosttbap.com A 210.209.77.43
ns1.cloudclwq.su A 46.22.166.246
ns2.cloudclwq.su A 210.209.77.43
ns1.hostgallop.com A 117.41.185.240
ns2.hostgallop.com A 109.68.190.176
ns1.serverienw.com A 193.124.91.59
ns2.serverienw.com A 46.17.63.223

dig @95.130.11.95 doctorjyyp.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorjyyp.ru A 176.31.180.172
dig @61.191.190.175 doctorjyyp.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorjyyp.ru A 176.31.180.172
dig @91.213.233.71 doctorjyyp.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorjyyp.ru A 212.83.147.244
dig @210.209.77.43 doctorjyyp.ru A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @46.22.166.246 doctorjyyp.ru A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @117.41.185.240 doctorjyyp.ru A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @109.68.190.176 doctorjyyp.ru A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @193.124.91.59 doctorjyyp.ru A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctorjyyp.ru A 144.76.133.115
dig @46.17.63.223 doctorjyyp.ru A +norec +noauth +noqu +noadd
: ;; connection timed out

dig @95.130.11.95 doctoreqla.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctoreqla.com A 176.31.180.172
dig @61.191.190.175 doctoreqla.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctoreqla.com A 176.31.180.172
dig @91.213.233.71 doctoreqla.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: doctoreqla.com A 212.83.147.244
dig @210.209.77.43 doctoreqla.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @46.22.166.246 doctoreqla.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @117.41.185.240 doctoreqla.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @109.68.190.176 doctoreqla.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @193.124.91.59 doctoreqla.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: doctoreqla.com A 144.76.133.115
dig @46.17.63.223 doctoreqla.com A +norec +noauth +noqu +noadd
: ;; connection timed out

dig @95.130.11.95 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 176.31.180.172
dig @61.191.190.175 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 176.31.180.172
dig @91.213.233.71 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa ra <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 212.83.147.244
dig @210.209.77.43 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @46.22.166.246 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @117.41.185.240 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @109.68.190.176 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @193.124.91.59 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 5.104.111.99
dig @46.17.63.223 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; connection timed out
=====================================================================

The nameservers for doctorjyyp.ru (95.130.11.95 and 61.191.190.175)
are both up and resolve everything to 176.31.180.172.

Of the nameservers for doctoreqla.com, one is up (91.213.233.71)
which resolves everything to 212.83.147.244.

Of the nameservers for yourliveservice.com, one is up
(193.124.91.59) resolving the pharmacy hostnames
to 144.76.133.115 and the support site's hostname
to 5.104.111.99.
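The cross-check above (query each nameserver directly with recursion disabled and trust only answers carrying the "aa" flag) can be automated. The following is an added example, not part of the ROKSO listing: it parses dig output of the kind quoted above and reports, per server, whether the answer was authoritative, whether the server also advertises recursion ("ra" in the flags), and which A records came back, then flags disagreement between authoritative servers. The three dig outputs are constructed here to match the answers quoted on the page (the dig version string and TTLs are made up); dig's exact text differs slightly between versions, so the parser keys only on the flags line and the answer-section records.

```javascript
// Constructed dig outputs standing in for the captures on the page.
const DIG_SAMPLES = {
  "95.130.11.95": `; <<>> DiG 9.8.4 <<>> @95.130.11.95 doctorjyyp.ru A +norec +noauth +noqu +noadd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
doctorjyyp.ru.\t\t300\tIN\tA\t176.31.180.172
`,
  "91.213.233.71": `;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
doctorjyyp.ru.\t\t300\tIN\tA\t212.83.147.244
`,
  "210.209.77.43": `;; connection timed out; no servers could be reached
`,
};

// Parse one dig run: status, header flags and any A records in the answer.
function parseDig(text) {
  if (/connection timed out/.test(text)) {
    return { status: "timeout", flags: [], answers: [], recursionOffered: false };
  }
  const flagLine = text.match(/^;; flags:\s*([^;]*);/m);
  const flags = flagLine ? flagLine[1].trim().split(/\s+/).filter(Boolean) : [];
  const answers = [];
  for (const line of text.split("\n")) {
    // Comment lines start with ";"; with +noqu/+noauth/+noadd only answers remain.
    if (line.startsWith(";") || !line.trim()) continue;
    const cols = line.trim().split(/\s+/);   // name ttl class type rdata
    if (cols.length >= 5 && cols[2] === "IN" && cols[3] === "A") {
      answers.push({ name: cols[0].replace(/\.$/, ""), ip: cols[4] });
    }
  }
  return {
    // "aa" set means the server claims authority for the zone; without it the
    // answer may be a cached or forwarded one and proves nothing about the zone.
    status: flags.includes("aa") ? "authoritative" : "non-authoritative",
    flags,
    answers,
    // "ra" means the server offers recursion to the querier, i.e. it is also
    // acting as an open resolver.
    recursionOffered: flags.includes("ra"),
  };
}

// Collate results across all nameservers and report whether the authoritative
// servers disagree about the A record, as they do on this page.
function summarise(samples) {
  const perServer = {};
  const ips = new Set();
  for (const [server, text] of Object.entries(samples)) {
    const r = parseDig(text);
    perServer[server] = r;
    if (r.status === "authoritative") r.answers.forEach(a => ips.add(a.ip));
  }
  return { perServer, authoritativeIps: [...ips].sort(), disagreement: ips.size > 1 };
}
```

To use it on live data, capture each `dig @<ns> <name> A +norec +noauth +noqu +noadd` run into a string and pass the map of server to output to `summarise`; a `disagreement` of `true` with every answer authoritative is the pattern seen above, where different nameservers for the same operation steer the same hostname to different hosting.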

Let me check for the pharmacy site, doctorjyyp.ru, at the four
IP addresses, 176.31.180.172, 212.83.147.244, 144.76.133.115
and 5.104.111.99.

* Connected to 176.31.180.172:80
: GET / HTTP/1.1
: Host: doctorjyyp.ru

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.


* Connected to 212.83.147.244:80
: GET / HTTP/1.1
: Host: doctorjyyp.ru

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.


* Connected to 144.76.133.115:80
: GET / HTTP/1.1
: Host: doctorjyyp.ru

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.


* Connected to 5.104.111.99:80
: GET / HTTP/1.1
: Host: doctorjyyp.ru

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.

The pages obtained were byte-for-byte identical.
Sometimes there are slight differences such as tags
but not this time.

IP ADDRESS: 176.31.180.172
--------------------------
PHARMACY EXPRESS SITE
inetnum: 176.31.0.0 - 176.31.255.255
% Abuse contact for '176.31.0.0 - 176.31.255.255' is 'abuse@ovh.net'
netname: FR-OVH-20110520
descr: OVH SAS
country: FR
abuse-mailbox: abuse@ovh.net
Address 176.31.180.172 maps to ns3323851.ip-176-31-180.eu
180.31.176.in-addr.arpa has SOA [omitted]@ovh.net
--------------------------

IP ADDRESS: 212.83.147.244
--------------------------
PHARMACY EXPRESS SITE
inetnum: 212.83.128.0 - 212.83.153.255
% Abuse contact for '212.83.128.0 - 212.83.153.255' is 'abuse@proxad.net'
descr: Tiscali France
country: FR
remarks: All abuse requests MUST be sent to 'abuse@tiscali.fr'
e-mail: abuse@iliad-entreprises.fr
abuse-mailbox: abuse@iliad-entreprises.fr
Address 212.83.147.244 maps to 212-83-147-244.rev.poneytelecom.eu
--------------------------

IP ADDRESS: 144.76.133.115
--------------------------
PHARMACY EXPRESS SITE
inetnum: 144.76.133.96 - 144.76.133.127
descr: myidealhost.com
country: DE
notify: [omitted]@hetzner.de
e-mail: [omitted]@yahoo.com
route: 144.76.0.0/16
descr: HETZNER-RZ-BLK-ERX1
org-name: Hetzner Online AG
e-mail: [omitted]@hetzner.de
Address 144.76.133.115 maps to static.115.133.76.144.clients.your-server.de
133.76.144.in-addr.arpa has SOA [omitted]@your-server.de
--------------------------

IP ADDRESS: 5.104.111.99
------------------------
PHARMACY EXPRESS SITE
PHARMACY EXPRESS SUPPORT SITE
inetnum: 5.104.111.0 - 5.104.111.255
% Abuse contact for '5.104.111.0 - 5.104.111.255' is 'abuse@myLoc.de'
netname: MYLOC-SERGEYKARPENKO
country: DE
role: myLoc NOC
abuse-mailbox: abuse@myLoc.de
111.104.5.in-addr.arpa has SOA [omitted]@fastit.net
------------------------

IP ADDRESS: 95.130.11.95
------------------------
PHARMACY EXPRESS NAMESERVER
95.130.11.95/32 is on the SBL as SBL231691.
Pharmacy Express nameserver
------------------------

IP ADDRESS: 61.191.190.175
--------------------------
PHARMACY EXPRESS NAMESERVER
61.191.190.175/32 is on the SBL as SBL229469.
Pharmacy Express nameserver
--------------------------

IP ADDRESS: 91.213.233.71
-------------------------
PHARMACY EXPRESS NAMESERVER
91.213.233.71/32 is on the SBL as SBL231197.
Pharmacy Express nameserver
-------------------------

IP ADDRESS: 193.124.91.59
-------------------------
PHARMACY EXPRESS NAMESERVER
PHARMACY EXPRESS SUPPORT SITE NAMESERVER
inetnum: 193.124.90.0 - 193.124.91.255
% Abuse contact for '193.124.90.0 - 193.124.91.255' is 'abuse@relcom.net'
netname: REG-RU
descr: Reg.Ru Hosting
remarks: SPAM reports: abuse@reg.ru
country: RU
notify: [omitted]@relcom.net
e-mail: [omitted]@relcom.net
91.124.193.in-addr.arpa has SOA [omitted]@ns1.reg.ru
-------------------------

I will check doctorjyyp.ru at 176.31.180.172.

Let's see ... These sites can have different brandings.
Some are branded as Canadian Pharmacy in the title (an old
spamvertized pharmacy site) with a copyright claiming to be
Canadian Health&Care Mall (a current Yambo spam operation
brand) though it is neither - it is Pharmacy Express.

This is one of their sites branded as ... Pharmacy Express.

This uses the /201/ directory (other themes/brandings are in
different directories, such as /204/ for Canadian Health&Care Mall
and /205/ for the mobile version of the Pharmacy Express
branded site).

An encoded phone number appears on all their sites, decoded
to a Javascript variable which is unused on, for example,
Canadian Health&Care Mall sites. The Javascript used to put
the phone number on the page at Pharmacy Express branded sites,
but no longer.

ENCODED JAVASCRIPT: SHORTER SCRIPTS, NOW ENCODED
------------------------------------------------
They used to use a lot of their own code. Now they use jquery.
Their code used to be plain Javascript source text.
Then their (large) script was doubly encoded (base64 and XOR
with an array of values). This time four sections of code
at the end of the script (including the QuickSearch library)
are encrypted.

The encoded phone number which appears in the home page's HTML code
-------------------------------------------------------------------------------
var msgs = {
: removeProduct: "You are removing %PRODUCT_TITLE% from your cart. Continue?",
: notFound: "Not found",
: emptySearchQuery: "Empty search query",
: search: "Search...",
: minLengthIs: "minimum allowed length is",
: maxLengthIs: "maximum allowed length is",
: characters: "characters",
: emptyCart: "Do you really want to empty cart ?",
: phone: "+k-aee vgb-kevk",
: siteTitle: "Pharmacy Express"
};
-------------------------------------------------------------------------------
is decoded by their translate function in the script file,
http://[hostname]/201/js/_set_main.js?v=e221041eeed140ccd475cf5d07079138

function translate(string,search,replace), which just implements
a simple substitution, transliteration, "tr", function,
: $('.phn').html(translate(msgs.phone, 'kagzrvbehn', '1845962037'));

[The code was originally
: var phone=translate(msgs.phone,'kagzrvbehn','1845962037');
using a separate variable for the decoded phone number
which was then used on the page. Now the 'phone' variable is gone.]
(The substitution had been different in the dim past.)

and, of course:
: echo "+k-aee vgb-kevk" | tr 'kagzrvbehn' '1845962037'

gives the usual phone number: +1-800 642-1061
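For anyone who wants the same decoding in a form that runs outside a browser or a shell, here is an added example (not code from the listing and not the site's own script): a stand-alone re-implementation of the substitution the page describes, equivalent to the `tr 'kagzrvbehn' '1845962037'` invocation above, plus the inverse mapping so a known phone number can be turned back into the obfuscated form for grepping captured pages.

```javascript
// Build a character-to-character lookup table from two equal-length alphabets.
function buildTable(search, replace) {
  if (search.length !== replace.length) {
    throw new Error("search and replace alphabets must be the same length");
  }
  const table = new Map();
  for (let i = 0; i < search.length; i++) {
    // A repeated key would silently override an earlier mapping; reject it.
    if (table.has(search[i])) throw new Error(`duplicate key '${search[i]}'`);
    table.set(search[i], replace[i]);
  }
  return table;
}

// Equivalent of the site's translate(string, search, replace): characters in
// `search` map to the corresponding character in `replace`; everything else
// ("+", "-", space) passes through unchanged, exactly as tr(1) does.
function translate(string, search, replace) {
  const table = buildTable(search, replace);
  let out = "";
  for (const ch of string) out += table.has(ch) ? table.get(ch) : ch;
  return out;
}

// The two alphabets quoted on the page.
const SEARCH = "kagzrvbehn";
const REPLACE = "1845962037";

// Decode the value found in msgs.phone.
function decodePhone(encoded) {
  return translate(encoded, SEARCH, REPLACE);
}

// Inverse direction: given a plain number, produce the obfuscated string the
// page would embed. Handy for searching captures for a number that no longer
// appears in clear text.
function encodePhone(plain) {
  return translate(plain, REPLACE, SEARCH);
}

// decodePhone("+k-aee vgb-kevk") -> "+1-800 642-1061"
// encodePhone("+1-800 642-1061") -> "+k-aee vgb-kevk"
```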

NOTE: If your browser does NOT indicate that it supports compression (gzip)
: the pages come back uncompressed BUT THE JAVASCRIPT AND/OR STYLE SHEET
: FILE MAY COME BACK COMPRESSED ANYWAY. I often configure firefox not to
: accept compressed pages so I can do a packet capture and 'grep' through
: it for relevant items. Material will be invisible even with Javascript
: enabled if the browser is set not to request (or decompress) compressed
: content and the Javascript is compressed. At times only the Javascript
: file was compressed. At other times only the style sheet was compressed.
: Sometimes both come back compressed. Both were compressed this time.

The page style changed some time ago. Besides using Javascript to place messages
(and encoding the phone number - one can no longer 'google' for that number to find
other hosts/pages) there were lines over 50K in size on the starting page.
Those were long style sheet codes. Now separate style sheet files are used
and the longest line I now see on the page is about 17K in size.

Surprisingly the copyright notice at the bottom of the page,
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.
was not encoded as the phone number is though you won't find
"Pharmacy Express" when grep'ing through the page's HTML code
as it appears as "Pha[span]rmacy Express.[/span]".

STYLE SHEET TO POSITION BOOKMARK (facebook, etc.) LINKS OVER IMAGE
---------------------------------------------------------------------------
WHILE I HAVE NOT RECENTLY SEEN THE Facebook AND OTHER SOCIAL NETWORK LINKS
ON THE PAGES USING DIFFERENT BRANDINGS (e.g. "Canadian Pharmacy",
"Canadian Health&Care Mall") THEY DO APPEAR ON THIS PHARMACY EXPRESS SITE.
---------------------------------------------------------------------------
The page has links to various social networking sites such as
[a href="http://www.facebook.com/share.php?u=%site_url%" class="c" title="Save to Facebook"][/a]
in a "div" element, [div class="bookmarks"].

The Javascript contains the code to update the data:
------------------------------------------------
var reSiteURL = new RegExp('\%site_url\%', "g");
var reSiteTitle = new RegExp('\%site_title\%', "g");
$(".bookmarks a").each(function() {
var url = $(this).attr('href');
url = url.replace(reSiteURL, location.protocol + '//' + location.host);
url = url.replace(reSiteTitle, msgs.siteTitle); $(this).attr('href', url);});
------------------------------------------------
When Javascript was first used to update the social site links
there was only a regular expression to change the site_url,
not the site_title, but when they started using multiple brandings
such as 'ED Express' or 'Canadian Pharmacy' the code to set the
title was added.

The bookmark links, such as the above facebook link, have length zero!
How to click on them? The style sheet repositions them over the header image,
: .header .bookmarks{position:absolute;top:177px;left:35px}
: .header .bookmarks a{width:16px;height:16px;display:block;position:relative;
: float:left;margin-right:2px;margin-top:3px}
giving each a width of 16 pixels. They are positioned so that the
clickable region for each social network's link is placed over
that network's icon embedded in the header image,
http://[hostname]/201/img/header/header-bg-usps.jpg
which is often modified to suit the current holiday or celebration
such as header-bg-canada.jpg for Canada Day.

When these sites were hosted on bots (at other times the
spammer gets his own hosting) or for other reasons had
problems with bandwidth the images had often been hosted
elsewhere but I have not seen images loaded from elsewhere
for quite some time.

This time very few real images are loaded, but from the spamvertized
site itself with URLs such as:
: http://[hostname]/201/img/sprite/most_popular_1.jpg?v=1407162132

NOTE: Few images are used. For example two images are used for all
the pill images, "sprite" panels (tableaux of pill subimages)
: http://[hostname]/201/img/sprite/most_popular_1.jpg?v=1407162132
: http://[hostname]/201/img/sprite/most_popular_2.jpg?v=1407162132
STYLE SHEET:
: .spr_products_75x75_viagra,.spr_products_75x75_viagra_brand,.spr_products_75x75_cialis,...
: {background-image:url(../img/sprite/most_popular_1.jpg?v=1407162132) !important}
and various selections from the image are carefully placed
: .spr_products_75x75_propecia
: {background-position:-75px 0 !important;width:75px !important;height:75px !important}
so the portion which appears as the background for each
anchor tag/link is just the proper pill image.
(A TINY CHANGE. The version I have most often seen has
"background-position:-75px 0px" but sometimes a site uses
"-75px 0"; after all "0px" or "0anything_else" is still the
same size, zero.)

One used to find separate images such as
: http://[hostname]/101/img/products/75x75/levitra_brand.jpg
Now the images appear to have a time stamp, net-time, the number
of seconds since 1 January 1970.

Sometimes these sites have a secure order form and sometimes not.
Usually the order site is not secure.

This time upon reaching the CHECKOUT page I found the form:
: [form id="form_checkout" action="/checkout/" method="post"][/form]

Most often, recently, the action has simply been action="/checkout/"
with payment being submitted to the pharmacy site itself.
Sometimes the "action" points to another, order, site such as
the following (lexicographically sorted by domain name).
Note that sometimes (but infrequently) they are secure:
: http://e-billprovider.com
: http://e-billresponse.com
: http://e-billsupport.com
: http://e-buyassist.com
: http://e-buybox.com
: http://e-buyprocess.com
: http://e-cartprocess.com
: http://e-fastestpay.com
: http://e-paymentassist.com
: http://e-paymentservice.com
: http://ebillwebform.com
: http://eclientplace.com
: https://eclientplace.com <== SECURE
: http://ecustomerbill.com
: http://ecustomercheckout.com
: http://ecustomerpay.com
: http://egoodbill.com
: http://epayonlineservice.com
: http://epayviaweb.com
: http://eworldwidepay.com
: http://onlinepaymentsite.com
: http://onlinetransservice.com
: https://paycartservice.com <== SECURE
: http://payquickonline.com
: http://securecartservice.com
: https://securecartservice.com <== SECURE
: http://a5.yourprofileheres.com

PHARMACY EXPRESS ORDER SITE: http://doctorjyyp.ru/checkout/

* Connected to 176.31.180.172:80
: POST /checkout/ HTTP/1.1
: Host: doctorjyyp.ru

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]

In the past the title had been
: [title]Welcome to http://[hostname] Checkout page[/title]

In spite of their assurance that:
"we provide 256bit SSL secure pay page to process your order"
your financial data is submitted unencrypted and insecurely.

Verisign's assurance of security is given in their seal at
: http://[hostname]/201/img/sprite/cart.png?v=1407162132

(part of another sprite tableau) but while in the past the
Verisign seal had been displayed, it is not this time.

THERE HAVE BEEN RECENT CHANGES TO THE ORDER FORM PAGE.
------------------------------------------------------
They used to use very obnoxious Javascript on this page.
It checked and validated each keystroke. On a slightly aged
system, such as mine it was actually quite painful to use
their order form.

Now they use *extremely* obnoxious Javascript on this page.
It spends much more time and is much more CPU expensive while
checking everything every moment and, combined with the flash
tracker which continually runs in the background, connecting
over and over to their tracking site (every twenty seconds
- see below) it is now *very* painful to use their order form
on a slightly aged system such as mine.

If you like the tab key and to tab from form entry to form
entry expecting some sort of sensible arrangement - well,
you will be disappointed here.

There used to be two input boxes for one's email address,
a first and a second, "confirmation" input box to catch
typos. That second box still has the field name "confirm_email"
but is now labeled as 'Alternative e-mail'. They have also
added an input box for a second phone number ("Mobile phone").
Originally "Alternative e-mail" and "Mobile phone" inputs
were required for a successful form submission (though one
could simply enter the same address or phone number in both
input boxes). Now they are optional.

While they seem to have some respect for Verisign and I
did not see the Verisign seal, they seem to have lost all
respect for McAfee as the McAfee SECURE seal at ma.png
: http://[hostname]/checkout/img/ma.png
is back on the page (this seal used to be in a sprite tableau,
transparent_gif_[TIME_STAMP].gif which I no longer see and
had not been on the pages for quite some time) "guaranteeing"
the security of the transaction.
------------------------------------------------------

One connects to the order site, submitting the data:

: i=XXxWQU... This is base 64 encoded data with embedded
: Win/Dos EndsOfLines (%0D%0A). The unescaped
: string had a length of 5408 characters including
: Win/DOS EOLs and 5268 without the EOL characters.

*: The use of "="'s to pad the string's length to a multiple
: of four bytes when necessary suggests some sort of
: base 64 encoding but it is not simply encoded plain text
: using the standard encoding. The data varies and the
: string has had different lengths in the past.

NOTE: There are two forms appearing on the page at
: the pharmacy site (whose data is submitted
: to the order site).
: The one with the data does not have an action
: submitting it to the order URL.
: Javascript simply empties the form going to the
: order URL, copies the "i" value from the dummy
: form with data to the form going to the order URL
: and submits that.
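A quick triage of an "i=" style blob of the kind described above, as an added example that is not part of the listing: it checks the shape the page reports (base64 alphabet, "=" padding to a multiple of four, embedded CRLF line breaks) and then tests whether a standard base64 decode yields readable text. Both sample blobs are constructed here. The 76-column CRLF wrapping used to build them is an assumption: it is consistent with the 5408 and 5268 lengths quoted above (69 full lines of 76 plus a 24-character tail, each line CRLF-terminated), but the page does not state the line length.

```javascript
const B64_RE = /^[A-Za-z0-9+/]*={0,2}$/;

// Fraction of decoded bytes that are printable ASCII or common whitespace.
function printableRatio(bytes) {
  if (bytes.length === 0) return 0;
  let printable = 0;
  for (const b of bytes) {
    if ((b >= 0x20 && b <= 0x7e) || b === 0x09 || b === 0x0a || b === 0x0d) printable++;
  }
  return printable / bytes.length;
}

// Shape check plus decode attempt; returns the measurements rather than printing.
function triageBlob(raw) {
  const lines = raw.split("\r\n");            // count CRLFs before stripping them
  const stripped = lines.join("");
  const lineLengths = lines.filter(l => l.length > 0).map(l => l.length);
  const result = {
    rawLength: raw.length,
    strippedLength: stripped.length,
    crlfCount: lines.length - 1,
    lineLength: lineLengths.length ? Math.max(...lineLengths) : 0,
    validBase64: B64_RE.test(stripped) && stripped.length % 4 === 0,
    printableRatio: 0,
    looksLikePlainText: false,
  };
  if (result.validBase64) {
    const bytes = Buffer.from(stripped, "base64");
    result.printableRatio = printableRatio(bytes);
    // Plain text encoded with the standard alphabet decodes to almost all
    // printable bytes; XOR'd or binary payloads do not.
    result.looksLikePlainText = result.printableRatio > 0.95;
  }
  return result;
}

// Wrap base64 at 76 columns with a CRLF after every line (MIME style; assumed).
function wrapMime(b64, width = 76) {
  let out = "";
  for (let i = 0; i < b64.length; i += width) out += b64.slice(i, i + width) + "\r\n";
  return out;
}

// Constructed sample 1: ordinary form text, base64 encoded and wrapped.
const SAMPLE_TEXT = wrapMime(
  Buffer.from("email=victim@example.invalid&card_number=4111111111111111".repeat(4)).toString("base64")
);

// Constructed sample 2: 3951 pseudo-random bytes from a small LCG, standing in
// for data that is base64 but not plain text. 3951 bytes encode to exactly
// 5268 characters, which wrap to 70 CRLF-terminated lines, 5408 characters raw.
function lcgBytes(n, seed = 12345) {
  const out = Buffer.alloc(n);
  let x = seed >>> 0;
  for (let i = 0; i < n; i++) {
    x = (Math.imul(x, 1103515245) + 12345) >>> 0;
    out[i] = (x >>> 16) & 0xff;
  }
  return out;
}
const SAMPLE_OPAQUE = wrapMime(lcgBytes(3951).toString("base64"));
```

Run `triageBlob` on the unescaped value of the `i` parameter from a capture; `validBase64` true with a low `printableRatio` is the state the page describes, base64 in form but not simply encoded plain text.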

and one gets the order-form page:

: Pharmacy Express Checkout page
: The information you provided will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express

: For quite some time the page had started with:
: ----------------------------------------------
: Pharmacy online-store
: The information you provide will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express

: In the past it had read:
: ------------------------
: Welcome to http://[hostname] Checkout page
: The information you provide will be submitted to the protected payment
: processing system.
: ...
: (c) 2003-2014 Pharmacy Express
: ------------------------

and before that it had read:
----------------------------
: (c) 2003-2012 Pharmacy Express
: Have a question? Call us back +1-888-738-9650
----------------------------
but now the phone contact is missing.

In the past, when the order site was secure, the text read:
: Welcome to http://[hostname] Secure checkout page
: You have just been redirected to this 256bit SSL secure pay page to process
: your order.
but at the last secure order site, the page omitted the claim of security
as well as the contact phone number.

to which one submits

* Connected to 176.31.180.172:80
: POST /checkout/ HTTP/1.1
: Host: doctorjyyp.ru

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]

the data:

: new_customer=1
: &email=[victim's address: email]
: &first_name=[victim's name: first]
: &confirm_email=[victim's address: email] [+]
: &last_name=[victim's name: last]
: &billing_country_id=US
: &billing_city=[victim's address: city]
: &billing_state_id=[victim's address: state]
: &billing_address=[victim's address: street]
: &billing_zip=[victim's address: zip code]
: &phone=[victim's phone number]
: &mobile_phone=[victim's phone number - mobile] [*]
: &shipping_form=on [&]
: &payment_method=visa
: &issuing_bank=[credit card: issuing bank]
: &card_number=[victim's credit card number]
: &cvv=[credit card: private security number]
: &comment=[comment section] [*]
: &birth_year=[victim's birthdate: year]
: &birth_month=[victim's birthdate: month]
: &birth_day=[victim's birthdate: day]
: &expiration_month=[credit card: expiration date: month]
: &expiration_year=[credit card: expiration date: year]
: &utime=[Javascript: Date().toLocaleString()]
: &screen=[Javascript: screen.width+'x'+screen.height+'x'+screen.colorDepth]
: &platform=[Javascript: navigator.platform]
: &srv=[FLASH: fingerprinting system info] [#]
: &fid=[FLASH: flash/session random iD] [#]
: &fnt=[FONTS: fingerprinting font info] [#]
: &uid=[FLASH: SESSION ID] [#]
: &pasted=
: &submit_order=1 [-]

----
+: This now appears on the form as "Alternative e-mail"
Originally it was a required field.
Now it is optional.
----
*: New
Originally this was a required field.
Now it is optional.
----
&: Previously was "as_billing"
----
-: Previously was "submit_order"
----

There have been a few changes.

----
1: Specifying that the shipping address was the
: same as the billing address resulted in the
: removal/suppression of the shipping_country_id
: and shipping_state_id values which had previously
: been present.
----
2: submit_order had the string value, "submit_order",
: most recently and now has the value, 1.
----
3: Two elements (the shipping country and state)
: have disappeared while two new ones,
: mobile_phone and comment have appeared so the
: number of name/value pairs submitted is the same.
----

One thing interested me. The submit button on this
form is labeled "Confirm data" but that is not a
capital English "C". It is a Cyrillic capital "Es" (С).

Previously the data was submitted in one step, but
now one goes through an intermediate "confirmation
page". That page does not repost the data; it allows
one to return to the order form page to edit it, or to
continue, in which case it simply posts the
confirmation data,
: confirm_order=confirm_order
to

* Connected to 176.31.180.172:80
: POST /checkout/ HTTP/1.1
: Host: doctorjyyp.ru

which sends one on to a status page:

: HTTP/1.1 302 OK
: Server: nginx/1.2.1
: Location: http://doctorjyyp.ru/checkout/status/

The order of the entries in the submitted data has
changed somewhat.

Here is the prior version:

: OLD DATA AND ORDER:
: -------------------
: new_customer=1
: &email=[victim's address: email]
: &confirm_email=[victim's address: email]
: &phone=[victim's phone number]
: &first_name=[victim's name: first]
: &last_name=[victim's name: last]
: &billing_address=[victim's address: street]
: &billing_city=[victim's address: city]
: &billing_country_id=US
: &billing_state_id=[victim's address: state]
: &billing_zip=[victim's address: zip code]
: &birth_year=[victim's birthdate: year]
: &birth_month=[victim's birthdate: month]
: &birth_day=[victim's birthdate: day]
: &payment_method=visa
: &issuing_bank=[credit card: issuing bank]
: &card_number=[victim's credit card number]
: &expiration_month=[credit card: expiration date: month]
: &expiration_year=[credit card: expiration date: year]
: &cvv=[credit card: private security number]
: &shipping_form=as_billing
: &shipping_country_id=US
: &shipping_state_id=[APPARENTLY THE UNUSED DEFAULT]
: &submit_order=submit_order
: &utime=[Javascript: Date().toLocaleString()]
: &screen=[Javascript: screen.width+'x'+screen.height+'x'+screen.colorDepth]
: &platform=[Javascript: navigator.platform]
: &srv=[FLASH: fingerprinting system info] [#]
: &fid=[FLASH: flash/session random iD] [#]
: &fnt=[FONTS: fingerprinting font info] [#]
: &uid=[FLASH: SESSION ID] [#]
: &pasted=
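
As an added worked example (not part of the ROKSO record), the following Python diffs two such captured bodies the way the changes above were worked out by hand: added and removed fields, changed values, a changed field order, and the equal pair count. The two bodies are reconstructed from the field lists on this page with fake placeholder values; the leading fields of the new body, which this section does not show, are assumed to be unchanged. Card data is masked before anything is printed.

```python
"""Diff two captured order-form POST bodies.  Added example; not from the
ROKSO record.  OLD_BODY and NEW_BODY are reconstructed from the field lists
on this page with obviously fake placeholder values (the leading fields of
the new body are assumed unchanged); they are not captured victim data."""
from urllib.parse import parse_qsl

COMMON = (
    "new_customer=1&email=jdoe%40example.invalid"
    "&confirm_email=jdoe%40example.invalid&phone=5551234567"
    "&first_name=John&last_name=Doe&billing_address=1+Main+St"
    "&billing_city=Springfield&billing_country_id=US&billing_state_id=IL"
    "&billing_zip=62701"
)
PROFILE = ("&utime=1%2F1%2F2014+1%3A00%3A00+PM&screen=1024x768x24"
           "&platform=Linux+i686&srv=SRV&fid=FID&fnt=FNT&uid=UID&pasted=")

OLD_BODY = (COMMON
            + "&birth_year=1970&birth_month=1&birth_day=1"
            + "&payment_method=visa&issuing_bank=Example+Bank"
            + "&card_number=4111111111111111&expiration_month=12"
            + "&expiration_year=2019&cvv=123"
            + "&shipping_form=as_billing&shipping_country_id=US&shipping_state_id=AL"
            + "&submit_order=submit_order" + PROFILE)

NEW_BODY = (COMMON
            + "&mobile_phone=5559876543&shipping_form=on"
            + "&payment_method=visa&issuing_bank=Example+Bank"
            + "&card_number=4111111111111111&cvv=123&comment="
            + "&birth_year=1970&birth_month=1&birth_day=1"
            + "&expiration_month=12&expiration_year=2019"
            + PROFILE + "&submit_order=1")


def parse_body(body):
    """Ordered (name, value) pairs; blank values are kept ('pasted=' is always empty)."""
    return parse_qsl(body, keep_blank_values=True)


def diff_bodies(old_body, new_body):
    """Added/removed names, changed values, order change and pair counts."""
    old, new = parse_body(old_body), parse_body(new_body)
    old_map, new_map = dict(old), dict(new)
    old_common = [k for k, _ in old if k in new_map]
    new_common = [k for k, _ in new if k in old_map]
    return {
        "added": set(new_map) - set(old_map),
        "removed": set(old_map) - set(new_map),
        "changed": {k: (old_map[k], new_map[k]) for k in old_common
                    if old_map[k] != new_map[k]},
        "reordered": old_common != new_common,
        "count": (len(old), len(new)),
    }


def redact(fields):
    """Mask payment data before it is stored or shared: keep the BIN (first
    six digits) and last four of the PAN, blank the CVV entirely."""
    out = dict(fields)
    pan = out.get("card_number", "")
    if len(pan) >= 10:
        out["card_number"] = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    if "cvv" in out:
        out["cvv"] = "***"
    return out


if __name__ == "__main__":
    d = diff_bodies(OLD_BODY, NEW_BODY)
    print("added:   ", sorted(d["added"]))
    print("removed: ", sorted(d["removed"]))
    print("changed: ", d["changed"])
    print("reordered:", d["reordered"], " pairs:", d["count"])
    print("redacted:", redact(dict(parse_body(NEW_BODY))))
```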

UPDATED CREDIT CARD PAYMENT OPTIONS:
------------------------------------
It seems that they have lost payment options. Originally
: Visa (payment_method=visa)
: MasterCard (payment_method=mastercard)
: American Express (payment_method=amex)
: JCB (payment_method=jcb) [Japan Credit Bureau]
: Diners Club (payment_method=dinersclub)
: ACH (payment_method=ach) [Automated Clearing House]
were available; later only
: Visa (payment_method=visa)
was available. American Express then reappeared, was gone
again for some time, and is now back ("amex").


Isn't Adobe's Shockwave Flash wonderful?
----------------------------------------
A perfect little tool to fingerprint visitors quite
accurately. The order site loads a little flash file,
pons4.swf. It used to be named bridge.swf (the page
element, a DIV with id="swfContent", still embeds the
file as an object with the id "bridge"), then it was
named pons.swf, and now it is pons4.swf. The file is
rather heavily obfuscated, so it took some time to
handle.

* Connected to 176.31.180.172:80
: GET /checkout/pons4.swf HTTP/1.1
: Host: doctorjyyp.ru

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: Content-Type: application/x-shockwave-flash
: Content-Length: 3038

You don't see this hidden item (width="1" height="1").
This file creates a callback function:
: flash.external.ExternalInterface.addCallback(...);
which provides an interface for Javascript. This
provides the Javascript at the order site with a
profile of the visitor's system as determined by the
flash file. Two ID variables (fid and uid) are set.
Along with those the flash file is used to get your system
capabilities and store them in a variable, srv, and finally
it gets a full list of all your fonts ("getFontList") and
sets the variable, fnt, to that list (I have over 400 fonts
installed). I wonder if anyone has the same list of fonts
that I have. The system variable, srv, lists your OS
and kernel (e.g. Linux 2.4.32 for kernel 2.4.32 on
Linux) among many other items. Well, who needs cookies
with so precise a fingerprint?

And this pons4.swf file? It is Google's!!! Sorry Googl's.
WAIT. It isn't google's or googl's any more.

The new domain name is fastclickstatus.com.

Recently it was googlsyndications.com's (before that it
was googlesydnication.com's ("dn", not "nd")) tracker
(besides the interface to enable Javascript to access the
profile that flash can extract from your system, this flash
file "calls home" every twenty seconds, a heartbeat tracker).
When they seem to have lost the "Google" domain names
they used the domain name choosebestkeyword.com and have
now switched to fastclickstatus.com.

Since Pharmacy Express continued to use this tracker as it
moved from googlesydnication to googlsyndications even when the
backend for the heartbeat tracker was down for awhile, I would
hazard a guess that googlesydnication.com, googlsyndications.com,
choosebestkeyword.com and now fastclickstatus.com are part of
Pharmacy Express.


PHARMACY EXPRESS TRACKER: http://[varies].fastclickstatus.com

This was originally googlesydnication.com ("dn", not "nd")
until they lost that domain. It then changed to googlsyndications.com.
It then changed to choosebestkeyword.com and is now
fastclickstatus.com.

Where is it now?

NAMESERVERS FOR fastclickstatus.com FROM THE .com SERVERS.
==========================================================
fastclickstatus.com NS ns1.fastclickstatus.com
fastclickstatus.com NS ns2.fastclickstatus.com
ns1.fastclickstatus.com A 37.59.109.225
ns2.fastclickstatus.com A 37.59.109.225

dig @37.59.109.225 fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: fastclickstatus.com A 37.59.109.225

dig @37.59.109.225 248rzxp0k12alzaicof9ucudx6lfcoix.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 248rzxp0k12alzaicof9ucudx6lfcoix.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 j1nvyky9cx2cxesab9n9h9whnftp5zxt.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: j1nvyky9cx2cxesab9n9h9whnftp5zxt.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 sdyphy6chdh0labu5e8cyntmlkitey3v.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: sdyphy6chdh0labu5e8cyntmlkitey3v.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 8jqazloaov0ss3bhd10qc29y81fcqqde.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 8jqazloaov0ss3bhd10qc29y81fcqqde.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 3tm0jh1ogcb2bywovm59a40aaarnbdzi.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 3tm0jh1ogcb2bywovm59a40aaarnbdzi.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 dmq0i0zanfol4mv3eaq8tz8md9htzrgg.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: dmq0i0zanfol4mv3eaq8tz8md9htzrgg.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 s8u951fgp0xjonm57sep85f2y4547ict.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: s8u951fgp0xjonm57sep85f2y4547ict.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 ys4yank0b7podcdktovh77ajjepg8z7t.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: ys4yank0b7podcdktovh77ajjepg8z7t.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 dn3i43o0ftndsvrjphh679qrgulp561t.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: dn3i43o0ftndsvrjphh679qrgulp561t.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 d7hefop2ry177122aqc49f8bjztdpdlr.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: d7hefop2ry177122aqc49f8bjztdpdlr.fastclickstatus.com A 37.59.109.225

dig @37.59.109.225 248rzxp0k12alzaicof9ucudx6lfcoix-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 248rzxp0k12alzaicof9ucudx6lfcoix-sk.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 j1nvyky9cx2cxesab9n9h9whnftp5zxt-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: j1nvyky9cx2cxesab9n9h9whnftp5zxt-sk.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 sdyphy6chdh0labu5e8cyntmlkitey3v-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: sdyphy6chdh0labu5e8cyntmlkitey3v-sk.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 8jqazloaov0ss3bhd10qc29y81fcqqde-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 8jqazloaov0ss3bhd10qc29y81fcqqde-sk.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 3tm0jh1ogcb2bywovm59a40aaarnbdzi-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: 3tm0jh1ogcb2bywovm59a40aaarnbdzi-sk.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 dmq0i0zanfol4mv3eaq8tz8md9htzrgg-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: dmq0i0zanfol4mv3eaq8tz8md9htzrgg-sk.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 s8u951fgp0xjonm57sep85f2y4547ict-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: s8u951fgp0xjonm57sep85f2y4547ict-sk.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 ys4yank0b7podcdktovh77ajjepg8z7t-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: ys4yank0b7podcdktovh77ajjepg8z7t-sk.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 dn3i43o0ftndsvrjphh679qrgulp561t-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: dn3i43o0ftndsvrjphh679qrgulp561t-sk.fastclickstatus.com A 37.59.109.225
dig @37.59.109.225 d7hefop2ry177122aqc49f8bjztdpdlr-sk.fastclickstatus.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: d7hefop2ry177122aqc49f8bjztdpdlr-sk.fastclickstatus.com A 37.59.109.225
==========================================================
This is a much shortened version. As this heartbeat tracker connects every
twenty seconds, and I forgot about the site and left the order page open,
I have hundreds of random keys in my logs. It seems they have modified the
Flash file, for this time it saved only one entry in Flash's #SharedObjects
directory (not the hundreds I have previously seen; once, leaving the
order site open in the browser, I had 3592 additions to my #SharedObjects
directory). Is this due to using a constant local object name, "cust", instead of
decoding an encoded version of the string "cust" (a change that I did notice)?

* Connected to 37.59.109.225:80
: GET /images/tick.gif HTTP/1.1
: Host: 248rzxp0k12alzaicof9ucudx6lfcoix.fastclickstatus.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.7
: Content-Type: application/x-shockwave-flash
: Content-Length: 274


* Connected to 37.59.109.225:80
: GET /images/sprite.gif HTTP/1.1
: Host: fastclickstatus.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.7
: Content-Type: application/x-shockwave-flash
: Content-Length: 0


* Connected to 37.59.109.225:843
: <policy-file-request/>[NULL_BYTE]

: <?xml version="1.0"?>
: <cross-domain-policy>
: <allow-access-from domain="*" to-ports="*" />
: </cross-domain-policy>


* Connected to 37.59.109.225:10843
: 248rzxp0k12alzaicof9ucudx6lfcoix
: [NULL_BYTE]

: <?xml version="1.0"?>
: <cross-domain-policy>
: <allow-access-from domain="*" to-ports="*" />
: </cross-domain-policy>

tick.gif is not an image but a small Flash (SWF) file: its
first three bytes are "CWS", the signature of a zlib-compressed
SWF. In the past it had come back with "Content-Type: image/gif".
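
Because the server labels a SWF as tick.gif (and once served it with an image/gif Content-Type), the only reliable way to know what came back is to look at the bytes. The following added example (not from the ROKSO record) sniffs the magic bytes, reads the 8-byte SWF header, and reports a mismatch between the declared Content-Type and the actual content. The SWF sample is a constructed stub with a zlib-compressed dummy body, not the real tick.gif.

```python
"""Identify a response body by its magic bytes, not by extension or
Content-Type, and read the SWF header.  Added example, not from the ROKSO
record; SAMPLE_SWF is a constructed stub (zlib-compressed dummy body), not
the real tick.gif."""
import struct
import zlib

SWF_SIGS = (b"FWS", b"CWS", b"ZWS")       # uncompressed, zlib, LZMA
EXPECTED_TYPE = {"gif": "image/gif", "swf": "application/x-shockwave-flash"}


def sniff(data):
    """'gif', 'swf' or 'unknown' from the first bytes."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:3] in SWF_SIGS:
        return "swf"
    return "unknown"


def swf_header(data):
    """Parse the 8-byte SWF header: signature, version, uncompressed length
    (little-endian, counts the header too).  CWS bodies are inflated to check
    the length claim; ZWS (LZMA) is reported but not inflated here."""
    if data[:3] not in SWF_SIGS or len(data) < 8:
        raise ValueError("not a SWF file")
    sig = data[:3].decode("ascii")
    version = data[3]
    length = struct.unpack("<I", data[4:8])[0]
    if sig == "FWS":
        body = data[8:]
    elif sig == "CWS":
        body = zlib.decompress(data[8:])
    else:
        body = None
    return {"signature": sig, "version": version, "length": length,
            "compressed": sig != "FWS",
            "length_ok": body is not None and len(body) + 8 == length}


def mime_mismatch(content_type, data):
    """True when the declared Content-Type disagrees with the sniffed type."""
    kind = sniff(data)
    declared = content_type.split(";")[0].strip().lower()
    return kind != "unknown" and EXPECTED_TYPE[kind] != declared


def make_cws(body, version=10):
    """Wrap an arbitrary body in a CWS container (used for the constructed sample)."""
    return (b"CWS" + bytes([version]) + struct.pack("<I", len(body) + 8)
            + zlib.compress(body))


# Constructed samples: a minimal GIF89a stub and a CWS wrapper around 256 zero bytes.
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff;"
SAMPLE_SWF = make_cws(b"\x00" * 256)

if __name__ == "__main__":
    for name, ctype, data in (("tick.gif", "application/x-shockwave-flash", SAMPLE_SWF),
                              ("tick.gif", "image/gif", SAMPLE_SWF)):
        state = "MISMATCH" if mime_mismatch(ctype, data) else "consistent"
        print(f"{name} declared {ctype}, sniffed {sniff(data)}: {state}")
    print(swf_header(SAMPLE_SWF))
```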

The flash file calls back to fastclickstatus.com every twenty seconds
(for http://[random].fastclickstatus.com/images/tick.gif)

: ...
: 13:31:02 gtxm2l0w4i8ulko6jx61szwxxbilillz.fastclickstatus.com/images/tick.gif
: 13:31:22 1ucfnyn7necaodwnn9734ilupkiv8ewd.fastclickstatus.com/images/tick.gif
: 13:31:42 mf9vkyd6poy8xvv2h67go2qg8qtnm3iz.fastclickstatus.com/images/tick.gif
: 13:32:02 kgc8a2n0zsgbom5sdzp51461p4wvzy40.fastclickstatus.com/images/tick.gif
: 13:32:22 1b4d2l8k0pls3wymeoel7p598z0rzx4h.fastclickstatus.com/images/tick.gif
: 13:32:42 9uh5b7jzj0hpfh5colptgf05f9ewpotq.fastclickstatus.com/images/tick.gif
: 13:33:02 1odr8emkisco7a2qqhadfb31mkpbcclo.fastclickstatus.com/images/tick.gif
: 13:33:22 g911cog5jjt8dcz2h7bpi6gg6w4pgjdf.fastclickstatus.com/images/tick.gif
: 13:33:42 nuafvn6ind19hovawyduqp1gitcat3rb.fastclickstatus.com/images/tick.gif
: 13:34:02 f8329mw8sd42agszytplzuqccuirbcbj.fastclickstatus.com/images/tick.gif
: ...
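
The pattern above (a fresh random label on every request, a constant twenty-second gap, everything under one wildcard domain) is easy to pick out of proxy or DNS logs. The following is an added detection example, not part of the ROKSO record: it runs over the tick.gif lines quoted above plus a few constructed www.example.org lines standing in for ordinary traffic. The registered-domain split on the last two labels is a simplification; a real tool would use the Public Suffix List.

```python
"""Pick fixed-interval "heartbeat" requests to random wildcard subdomains
out of a proxy/DNS log.  Added example, not from the ROKSO record.  The
tick.gif lines are the ones quoted on this page; the www.example.org lines
are constructed as ordinary, non-beacon traffic."""
import math
import re
from collections import Counter, defaultdict
from statistics import pstdev

LOG = """\
13:31:02 gtxm2l0w4i8ulko6jx61szwxxbilillz.fastclickstatus.com/images/tick.gif
13:31:09 www.example.org/index.html
13:31:22 1ucfnyn7necaodwnn9734ilupkiv8ewd.fastclickstatus.com/images/tick.gif
13:31:42 mf9vkyd6poy8xvv2h67go2qg8qtnm3iz.fastclickstatus.com/images/tick.gif
13:31:55 www.example.org/style.css
13:32:02 kgc8a2n0zsgbom5sdzp51461p4wvzy40.fastclickstatus.com/images/tick.gif
13:32:22 1b4d2l8k0pls3wymeoel7p598z0rzx4h.fastclickstatus.com/images/tick.gif
13:32:42 9uh5b7jzj0hpfh5colptgf05f9ewpotq.fastclickstatus.com/images/tick.gif
13:33:02 1odr8emkisco7a2qqhadfb31mkpbcclo.fastclickstatus.com/images/tick.gif
13:33:40 www.example.org/index.html
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\s+([^/\s]+)(/\S*)")


def parse_log(text):
    """Yield (seconds since midnight, host, path); non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            h, mi, s = (int(x) for x in m.group(1, 2, 3))
            yield h * 3600 + mi * 60 + s, m.group(4).lower(), m.group(5)


def shannon_entropy(s):
    """Bits per character: ~4 for a 32-char base36 label, 0 for "www"."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(host):
    """Assumption: last two labels.  A real tool would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def find_beacons(text, min_hits=5, max_jitter_s=2.0, min_entropy=3.0):
    """Group requests by (registered domain, path) and score each group."""
    groups = defaultdict(list)
    for ts, host, path in parse_log(text):
        groups[(registered_domain(host), path)].append((ts, host))
    report = {}
    for key, hits in groups.items():
        hits.sort()
        times = [ts for ts, _ in hits]
        labels = [host.split(".")[0] for _, host in hits]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
        jitter = pstdev(gaps) if len(gaps) > 1 else 0.0
        ent = sum(map(shannon_entropy, labels)) / len(labels)
        distinct = len(set(labels))
        report[key] = {
            "hits": len(hits), "distinct_labels": distinct,
            "mean_gap_s": mean_gap, "jitter_s": jitter,
            "mean_label_entropy": ent,
            # beacon: enough hits, a near-constant gap, and a fresh high-entropy
            # label on every request (the wildcard-DNS signature seen above)
            "beacon": (len(hits) >= min_hits and jitter <= max_jitter_s
                       and distinct == len(hits) and ent >= min_entropy),
        }
    return report


if __name__ == "__main__":
    for (dom, path), st in find_beacons(LOG).items():
        flag = "BEACON" if st["beacon"] else "ok"
        print(f"{flag:6} {dom}{path} hits={st['hits']} gap={st['mean_gap_s']:.0f}s "
              f"jitter={st['jitter_s']:.1f} entropy={st['mean_label_entropy']:.2f}")
```

The three signals are deliberately independent: a CDN also uses many hostnames under one domain, but its labels are low-entropy and its requests are not metronomic; a legitimate poller has a steady interval but reuses one hostname.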

The resolutions, above, for the hostnames containing "-sk"
are used to resolve a different hostname each time for
connections to port 10843 which, like those to port 843,
are raw connections by the Flash player for policy data.
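
Those two exchanges are the Flash Player's socket policy protocol: the client sends <policy-file-request/> followed by a NUL byte and the server answers with a cross-domain-policy XML. The policy served here, domain="*" to-ports="*", lets Flash content from any origin open raw TCP sockets to every port on the host, which is the most permissive setting possible. The following added example (not from the ROKSO record) runs that exchange against a throwaway local server that replays the captured policy, then flags the over-broad entries; fetch_policy() can be pointed at a real host on port 843 in the same way.

```python
"""Flash socket policy exchange and permissiveness check.  Added example,
not from the ROKSO record.  A throwaway local server answers the
<policy-file-request/> with the policy captured on this page, so the whole
exchange runs offline; point fetch_policy() at a real host:843 for a live
server."""
import socket
import threading
import xml.etree.ElementTree as ET

POLICY_REQUEST = b"<policy-file-request/>\x00"

# The policy returned by the tracker on ports 843 and 10843 (as captured above).
CAPTURED_POLICY = (
    b'<?xml version="1.0"?>\n'
    b'<cross-domain-policy>\n'
    b'<allow-access-from domain="*" to-ports="*" />\n'
    b'</cross-domain-policy>\n'
)


def fetch_policy(host, port, timeout=5.0):
    """Send the NUL-terminated request; read until the server's NUL or close."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(POLICY_REQUEST)
        buf = b""
        while b"\x00" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.split(b"\x00", 1)[0].decode("utf-8", "replace")


def policy_findings(xml_text):
    """Findings for over-broad <allow-access-from> entries."""
    findings = []
    for el in ET.fromstring(xml_text).iter("allow-access-from"):
        if el.get("domain") == "*":
            findings.append('any origin may open sockets (domain="*")')
        if el.get("to-ports") == "*":
            findings.append('every TCP port is reachable from Flash (to-ports="*")')
    return findings


def serve_policy_once(policy=CAPTURED_POLICY):
    """One-shot local policy server on 127.0.0.1; returns (port, thread)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(64).startswith(b"<policy-file-request/>"):
                conn.sendall(policy + b"\x00")
        srv.close()

    t = threading.Thread(target=handler, daemon=True)
    t.start()
    return port, t


def check_local():
    """Run the full exchange against the local replay server."""
    port, t = serve_policy_once()
    text = fetch_policy("127.0.0.1", port)
    t.join(5)
    return text, policy_findings(text)


if __name__ == "__main__":
    text, findings = check_local()
    print(text)
    for f in findings:
        print("FINDING:", f)
```

A policy restricted to the tracker's own hostnames and to the one port it actually uses would read, for comparison, <allow-access-from domain="fastclickstatus.com" to-ports="10843"/>; the example reports nothing for such an entry.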

IP ADDRESS: 37.59.109.225
-------------------------
PHARMACY EXPRESS FLASH PROFILER AND TRACKER
inetnum: 37.59.109.128 - 37.59.109.255
netname: IE-OVH
descr: OVH Hosting Limited
country: IE
address: Ireland
abuse-mailbox: abuse@ovh.net
Address 37.59.109.225 maps to 225.ip-37-59-109.eu
109.59.37.in-addr.arpa has SOA [omitted]@ovh.net
------------------------

SUPPORT SITE: http://yourliveservice.com
SUPPORT SITE: http://liveserviceonline.com [NO LONGER RESOLVABLE]
SUPPORT CONTACT [email]: support@yourliveservice.com
SUPPORT CONTACT [email]: support@liveserviceonline.com [NO LONGER ACCESSIBLE]
SUPPORT CONTACT [phone]: +1-212-389-6349

In the past, if a payment was rejected (the site verified
the credit card for the payment before returning the status
page) the status page returned simply indicated a failure.

SOMETIMES in verifying a Visa card it seemed that the backend
did not quickly enough obtain a result in which case the site
provided a default status page indicating that the card was
accepted and providing a further contact (web site or email
and a phone number).

Submitting a fake order using a Visa card sometimes, but very
seldom, would provide the further contact.

They have updated the order form and its activity and now,
even a rejected order submission elicits:

* Connected to 176.31.180.172:80
: GET /checkout/status/ HTTP/1.1
: Host: doctorjyyp.ru

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Checkout status[/title]
: Pharmacy Express Checkout page
: ...
: We are sorry but the transaction was declined by the bank.
: ...
: If you have any questions about your order, please, contact us:
: phone: +1-212-389-6349
: e-mail: [a href="mailto:support@yourliveservice.com"]support@yourliveservice.com[/a]
: (c) 2003-2014 Pharmacy Express

So, what is at http://yourliveservice.com?

ABOVE WE SAW THE DATA:

NAMESERVERS FOR yourliveservice.com FROM THE .com SERVERS.
RESOLUTIONS FROM THE .com SERVERS.
==========================================================
yourliveservice.com NS ns2.hostgallop.com
yourliveservice.com NS ns1.serverienw.com
ns1.hostgallop.com A 117.41.185.240
ns2.hostgallop.com A 109.68.190.176
ns1.serverienw.com A 193.124.91.59
ns2.serverienw.com A 46.17.63.223

dig @117.41.185.240 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @109.68.190.176 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; connection timed out
dig @193.124.91.59 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
: yourliveservice.com A 5.104.111.99
dig @46.17.63.223 yourliveservice.com A +norec +noauth +noqu +noadd
: ;; connection timed out

* Connected to 5.104.111.99:80
: GET / HTTP/1.1
: Host: yourliveservice.com

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]LiveHelp Support[/title]
: ...
: Our Support Center helps you to:
: 1. View order status
: 2. Cancel order
: 3. View orders' history
: ...
: (c) 2003-2014 LiveHelp Support Center.

In the past the page was a bit longer, including:

: --------------------------------------------------------------
: If you need additional information, please, contact us anytime
: e-mail: [a href="mailto:support@liveserviceonline.com"]support@liveserviceonline.com[/a]
: phone: +1-212-389-6349
: (c) 2003-2014 LiveHelp Support Center.
: --------------------------------------------------------------

and just in case you think that this is an innocent third party
support service:

* Connected to 5.104.111.99:80
: GET / HTTP/1.1
: Host: doctorjyyp.ru

: HTTP/1.1 200 OK
: Server: nginx/1.2.1
: [title]Pharmacy online-store[/title]
: ...
: (c) 2003-2014 Pharmacy Express.
: All rights reserved.

The same IP address also hosts/proxies the pharmacy site itself.

IP ADDRESS: 5.104.111.99
------------------------
PHARMACY EXPRESS SITE
PHARMACY EXPRESS SUPPORT SITE
inetnum: 5.104.111.0 - 5.104.111.255
% Abuse contact for '5.104.111.0 - 5.104.111.255' is 'abuse@myLoc.de'
netname: MYLOC-SERGEYKARPENKO
country: DE
role: myLoc NOC
abuse-mailbox: abuse@myLoc.de
111.104.5.in-addr.arpa has SOA [omitted]@fastit.net
------------------------

IP ADDRESS: 193.124.91.59
-------------------------
PHARMACY EXPRESS NAMESERVER
PHARMACY EXPRESS SUPPORT SITE NAMESERVER
inetnum: 193.124.90.0 - 193.124.91.255
% Abuse contact for '193.124.90.0 - 193.124.91.255' is 'abuse@relcom.net'
netname: REG-RU
descr: Reg.Ru Hosting
remarks: SPAM reports: abuse@reg.ru
country: RU
notify: [omitted]@relcom.net
e-mail: [omitted]@relcom.net
91.124.193.in-addr.arpa has SOA [omitted]@ns1.reg.ru
-------------------------

PRODUCT INFORMATION:

Besides the change in the order form, a substantial
change in the list of available drugs was made recently.
About one hundred new items were added.

There has been no change in that expanded listing since
the last time I checked.

________

http://ecomagsrl.it/rlknk.html
>>> http://doctorfcle.com/

--- Found authoritative nameserver: ns1.vdsgmznre.com
--- contacting nameserver: ns1.vdsgmznre.com [193.124.91.59]

doctorfcle.com A 85.25.15.26
com NS ns2.hostsink.su
com NS ns1.dnsthen.com
ns1.dnsthen.com A 193.124.91.59
ns2.hostsink.su A 117.41.185.88

--- DNS Lookup completed

[85.25.15.26]
avidoctors.com
canadian-pharmacyrebills.com
canadianspharmacyrebill.com
dnsoelrjd.com
doctorahewh.com
doctorcyas.com
doctorduqa.com
doctorfcle.com
doctorgeyp.com
doctornrxi.com
doctorsguw.ru
doctorsnets.com
doctorsque.com
doctorwqif.com
e-canadian-pharmacy-rebills.com
e-canadian-pharmacyrebills.com
e-canadianpharmacyrebill.com
e-canadianpharmacyrebills.com
e-pharmacy-express-rebill.com
e-pharmacy-express-rebills.com
e-pharmacyexpress-rebill.com
e-pharmacyexpress-rebills.com
e-rectiledysfunction-rebill.com
ecanadianpharmacyrebill.com
epharmacy-express-rebill.com
erectile-dysfunction-rebills.com
erectiledysfunction-rebills.com
erectiledysfunctionrebills.com
hedttontdoctor.com
pharmacy-mobile-rebills.com
pharmacy-mobiles-rebill.com
serverksjq.com
thatmadoctor.com
uniqrdoctor.com
wehostzb.com
worldsherbal.com


The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is: https://www.spamhaus.org/rokso/evidence/ROK10849/

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2016 The Spamhaus Project Ltd. All rights reserved.