MyCanadianPharmacy – My Canadian Pharmacy ~ medsdirectrx.com

Scam Alert 1: Buying Prescription Drugs Online May Be Dangerous, Says Drug Enforcement Administration



See also: National Association of Boards of Pharmacy (NABP)

Warning

“The Canadian Pharmacy”, “Canadian/European Pharmacy”, “Canadian Healthcare” and “US Drugstore” are brands of one of the most disgusting illegal online pharmacy groups of all time, a well-organized CRIMINAL OPERATION. “GREED” is the driving force behind this operation. Don’t let them fool you. They will never send you any genuine drugs. If they send anything at all, it may consist of literally anything from sugar to wall plaster, and they certainly don’t care that you endanger your health by taking those dangerous counterfeit drugs.

Behind The Online Pharmacy

Today a shadowy, transnational network of illicit drug manufacturers, traders, doctors, Web site operators, spammers and criminals makes up the online pharmacy world.

Buying Medication Online Can Be Safe

There are many options out there when it comes to buying medication online. We have looked at website after website. Some sites feature offshore pharmacies that do not require a prior prescription. Others feature licensed pharmacies that do require a prescription from your doctor.
Before making a purchase that can affect your health, we strongly recommend that you consult your physician and DO NOT self-medicate. Ordering medication online can be a safe, money-saving experience. When done through licensed online pharmacies that require a prescription, you can be assured that the medication you get is exactly what you need to treat your ailments.

See also: Department of Justice – Ryan Haight Act; Health Canada



Address lookup
canonical name: www.medsdirectrx.com.
aliases:
addresses: 86.55.211.122
           86.55.211.123
           201.7.103.58
           213.55.114.132
           86.55.211.121
Domain Whois record

Queried whois.internic.net with “dom medsdirectrx.com”…

Domain Name: MEDSDIRECTRX.COM
Registrar: KEY-SYSTEMS GMBH
Whois Server: whois.rrpproxy.net
Referral URL: http://www.key-systems.net
Name Server: NS1.MEDSDIRECTRX.COM
Name Server: NS2.MEDSDIRECTRX.COM
Status: ok
Updated Date: 24-sep-2010
Creation Date: 20-sep-2010
Expiration Date: 20-sep-2011

Last update of whois database: Sat, 23 Oct 2010 09:20:26 UTC
Queried whois.rrpproxy.net with “medsdirectrx.com”…

DOMAIN: WWW.MEDSDIRECTRX.COM

RSP: DNReg Limited

owner-nom.contact: P-AOT714
owner-fname: Aleksandr
owner-lname: Tumanov
owner-street: Oktyabrskij pr-kt d.91-97 kv.49
owner-city: Lyubertsy
owner-state: Moskovskaya obl
owner-zip: 140002
owner-country: RU
owner-phone: 7.4959950129
owner-fax: 7.4959950129
owner-email: siesta@fastermail.ru

admin-nom.contact: P-AOT714
admin-fname: Aleksandr
admin-lname: Tumanov
admin-street: Oktyabrskij pr-kt d.91-97 kv.49
admin-city: Lyubertsy
admin-state: Moskovskaya obl
admin-zip: 140002
admin-country: RU
admin-phone: 7.4959950129
admin-fax: 7.4959950129
admin-email: siesta@fastermail.ru

tech-nom.contact: P-AOT714
tech-fname: Aleksandr
tech-lname: Tumanov
tech-street: Oktyabrskij pr-kt d.91-97 kv.49
tech-city: Lyubertsy
tech-state: Moskovskaya obl
tech-zip: 140002
tech-country: RU
tech-phone: 7.4959950129
tech-fax: 7.4959950129
tech-email: siesta@fastermail.ru

billing-nom.contact: P-AOT714
billing-fname: Aleksandr
billing-lname: Tumanov
billing-street: Oktyabrskij pr-kt d.91-97 kv.49
billing-city: Lyubertsy
billing-state: Moskovskaya obl
billing-zip: 140002
billing-country: RU
billing-phone: 7.4959950129
billing-fax: 7.4959950129
billing-email: siesta@fastermail.ru

nameserver: ns1.medsdirectrx.com 201.147.145.254
nameserver: ns2.medsdirectrx.com 218.67.78.181

Network Whois record

Queried whois.ripe.net with “-B 86.55.211.122”…

% Information related to ‘86.55.210.0 – 86.55.211.255’

inetnum: 86.55.210.0 – 86.55.211.255
netname: KLM-INVEST-COM
descr: SC KLM INVEST COM SRL
descr: Str. Elena Doamna Nr. 4
descr: Com. Afumati, Jud. Ilfov
country: RO
admin-c: PM11990-RIPE
tech-c: PM11990-RIPE
status: ASSIGNED PA
mnt-by: EVOLVA-MNT
mnt-lower: EVOLVA-MNT
mnt-routes: ENTER-NET-MNT
notify: ripe@evolva.ro
changed: razvan.toma@evolva.ro 20100323
source: RIPE

person: Paunescu Mihai
address: SC KLM INVEST COM SRL
address: Str. Elena Doamna Nr. 4
address: Com. Afumati, Jud. Ilfov
phone: +40-724-317441
nic-hdl: PM11990-RIPE
mnt-by: EVOLVA-MNT
source: RIPE
changed: razvan.toma@ilink.ro 20100323

% Information related to ‘86.55.210.0/23AS38913’

route: 86.55.210.0/23
descr: ENTER-NET-TEAM
origin: AS38913
mnt-by: ENTER-NET-MNT
changed: noc@romnet.org 20081120
source: RIPE

DNS records

name                         class  type  data                                 time to live
medsdirectrx.com             IN     SOA   server: ns1.medsdirectrx.com         600s (00:10:00)
                                          email: admin.medsdirectrx.com
                                          serial: 2009000000
                                          refresh: 600
                                          retry: 900
                                          expire: 1209600
                                          minimum ttl: 43200
medsdirectrx.com             IN     NS    ns2.medsdirectrx.com                 600s (00:10:00)
medsdirectrx.com             IN     NS    ns1.medsdirectrx.com                 600s (00:10:00)
medsdirectrx.com             IN     MX    preference: 10                       600s (00:10:00)
                                          exchange: mail.medsdirectrx.com
medsdirectrx.com             IN     A     86.55.211.122                        600s (00:10:00)
medsdirectrx.com             IN     A     86.55.211.123                        600s (00:10:00)
medsdirectrx.com             IN     A     201.7.103.58                         600s (00:10:00)
medsdirectrx.com             IN     A     213.55.114.132                       600s (00:10:00)
medsdirectrx.com             IN     A     86.55.211.121                        600s (00:10:00)
122.211.55.86.in-addr.arpa   IN     PTR   s13.eu                               7200s (02:00:00)


IP address: 86.55.211.121
Host name: medsdirectrx.com
Alias: medsdirectrx.com
86.55.211.121 is from Romania (RO), in the Eastern Europe region

TraceRoute to 86.55.211.121 [medsdirectrx.com]
Hop (ms) (ms) (ms) IP Address Host name
1 8 7 16 72.249.128.109 –
2 77 235 219 206.123.64.82 –
3 13 16 6 64.129.174.181 64-129-174-181.static.twtelecom.net
4 24 15 19 66.192.240.94 dal2-pr1-ge-5-0-0-0.us.twtelecom.net
5 60 52 63 72.52.92.62 10gigabitethernet5-2.core1.ash1.he.net
6 127 135 118 72.52.92.138 10gigabitethernet3-1.core1.lon1.he.net
7 156 132 127 72.52.92.34 10gigabitethernet1-1.core1.par1.he.net
8 138 143 139 72.52.92.90 10gigabitethernet1-2.core1.fra1.he.net
9 144 138 137 80.81.192.107 wfrnk-ten82-decix.de.ipv4ilink.net
10 170 176 191 193.19.195.29 wnx-ten81-v9-wfrnk.b.ipv4ilink.net
11 173 175 185 86.55.5.34 stanici-wnx.b.ipv4ilink.net
12 172 170 171 86.55.211.121 s12.eu
Trace complete

Retrieving DNS records for medsdirectrx.com…
DNS servers
ns1.medsdirectrx.com [201.147.145.254]
ns2.medsdirectrx.com [218.67.78.181]

Answer records
medsdirectrx.com SOA
server: ns1.medsdirectrx.com
email: admin@medsdirectrx.com
serial: 2009000000
refresh: 600
retry: 900
expire: 1209600
minimum ttl: 43200
600s
medsdirectrx.com NS ns2.medsdirectrx.com 600s
medsdirectrx.com NS ns1.medsdirectrx.com 600s
medsdirectrx.com MX
preference: 10
exchange: mail.medsdirectrx.com
600s
medsdirectrx.com A 201.7.103.58 600s
medsdirectrx.com A 213.55.114.132 600s
medsdirectrx.com A 86.55.211.121 600s
medsdirectrx.com A 86.55.211.122 600s
medsdirectrx.com A 86.55.211.123 600s

Authority records

Additional records
ns1.medsdirectrx.com A 201.147.145.254 600s
ns2.medsdirectrx.com A 218.67.78.181 600s
mail.medsdirectrx.com A 86.55.211.121 600s
mail.medsdirectrx.com A 86.55.211.122 600s
mail.medsdirectrx.com A 86.55.211.123 600s
mail.medsdirectrx.com A 201.7.103.58 600s
mail.medsdirectrx.com A 213.55.114.132 600s

Whois query for medsdirectrx.com…
Results returned from whois.internic.net (Whois Server Version 2.0, database last updated Sat, 23 Oct 2010 15:29:57 UTC) and whois.rrpproxy.net: the same registrar, name server, status, date and contact records as shown under Domain Whois record above.

Network IP address lookup:
Whois query for 86.55.211.121

Results returned from whois.arin.net:
The following results may also be obtained via:
http://whois.arin.net/rest/nets;q=86.55.211.121?showDetails=true&showARIN=false

NetRange: 86.0.0.0 – 86.255.255.255
CIDR: 86.0.0.0/8
OriginAS:
NetName: 86-RIPE
NetHandle: NET-86-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: TINNIE.ARIN.NET
NameServer: NS-PRI.RIPE.NET
NameServer: SUNIC.SUNET.SE
NameServer: SEC3.APNIC.NET
NameServer: NS2.LACNIC.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2004-04-01
Updated: 2009-05-18
Ref: http://whois.arin.net/rest/net/NET-86-0-0-0-1

OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2004-12-13
Ref: http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

ARIN WHOIS data and services are subject to the Terms of Use
available at: https://www.arin.net/whois_tou.html

Results returned from whois.ripe.net (RIPE Database query service, objects in RPSL format, subject to the Terms and Conditions at http://www.ripe.net/db/support/db-terms-conditions.pdf): the same inetnum, person and route objects as shown under Network Whois record above.

One thought on “MyCanadianPharmacy – My Canadian Pharmacy ~ medsdirectrx.com”

  1. Scrub says:

    Here’s an example of the pattern one of these takes:

    URL from the text file:

    hxxp://www.jordancolecciones.com/images/guest.html

    That file contains very simply obfuscated JavaScript which redirects the user to:

    hxxp://www.rxsleepmeds.net

    Watch your browser’s status bar while that site loads. You’ll notice that all of the images, css files and other assets live on a variety of individual IP addresses:

    hxxp://163.22.64.9:8080/images/mcp/logo.jpg
    hxxp://163.22.64.9:8080/images/mcp/pp_valentine.jpg

    Here’s the complete list of IPs serving out images for this particular site:

    123.100.251.62
    163.22.64.9
    188.132.221.245
    188.132.221.246
    95.154.241.38

    Here’s where, respectively, each of these is hosted:

    Webvisions.net, Singapore
    Asia Pacific Network Centre (APNIC) in (I think) China
    marsglobaldatacenter.com in Prague, Czech Republic (same for the next one)
    Ideal Hosting in Turkey

    Each of those IP addresses has also been hacked by someone supporting the EvaPharmacy group. They’ve been doing this since at least 2006. Each of them is a Unix, Linux or FreeBSD server running one or two exploits which were custom written for this group.

    It doesn’t stop there. The IP address for the target URL is 219.143.16.157.

    That’s hosted by Beijing Telecom Corporation. That one may be the only IP actually operated by the EvaPharmacy spammer.

    DNS is provided by ns1.rxsleepmeds.net and ns2.rxsleepmeds.net, hosted on the following server IPs:

    60.190.201.133 [Shengzhou Teacher Learning School]
    202.100.91.132 [Feitian Internet Company, also in China.]

    Any attempt to visit these raw IP addresses shows that none of these was set up to host this particular website, or its images. Seriously: would a Teacher Learning School be hosting a rogue pharmacy site to pay the bills? I guess it’s possible but come on. Here’s one example:

    hxxp://163.22.64.9/

    Many of them show no website at all, indicating that they weren’t even intended to host a website at all. This explains why these hackers use port 8080. Whatever the server was originally intended to do, it now also hosts images for these websites in a distributed fashion.

    Each of these websites has a very poor, very easy to guess root password. This hacking has been extremely widespread and nobody has done anything about it. Reporting these IP addresses results in absolutely zero action from anyone. The criminals behind EvaPharmacy and their infrastructure know this, and they’ve been provided what is essentially “free” (aka: stolen) web hosting, DNS and asset distribution for many years now. Everything from the server that sends the spam to the server that places the redirections to each of the servers that support the output of the target website has been hacked by this group. For this one site alone I showed eight distinct servers, only one of which may not have been hacked by this group, and that’s on top of Bennet’s server which was also hacked by this group.

    ISP’s are completely ineffective at stopping this or preventing it. As long as that’s still the case, these widespread hacks are going to continue unabated.
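One way a defender can fingerprint the distributed-hosting pattern the comment above describes (storefront assets pulled from a spread of bare IP hosts, often on port 8080) is to parse a saved copy of the page and group its asset URLs by literal-IP host. This is an added example, not code from the post or its commenter; the sample HTML and the storefront.invalid base URL are constructed, reusing two of the IP addresses listed in the comment.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample storefront page (not captured from any real site);
# it reuses two of the bare-IP image hosts listed in the comment above.
SAMPLE_HTML = """<html><body>
<link rel="stylesheet" href="http://188.132.221.245:8080/css/mcp.css">
<img src="http://163.22.64.9:8080/images/mcp/logo.jpg">
<img src="http://163.22.64.9:8080/images/mcp/pp_valentine.jpg">
<img src="/images/local.png">
<script src="https://cdn.example.org/app.js"></script>
</body></html>"""

# Tag -> attribute that carries the asset URL.
ASSET_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}

class AssetCollector(HTMLParser):
    """Collect the absolute URL of every img/script/link/iframe asset."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.assets = []

    def handle_starttag(self, tag, attrs):
        attr = ASSET_ATTRS.get(tag)
        for name, value in attrs:
            if attr and name == attr and value:
                self.assets.append(urljoin(self.base_url, value))

def is_literal_ip(host):
    """True when the host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_bare_ip_assets(html, base_url):
    """Map 'ip:port' -> asset paths for assets served from literal-IP hosts."""
    parser = AssetCollector(base_url)
    parser.feed(html)
    findings = {}
    for url in parser.assets:
        parts = urlsplit(url)
        if parts.hostname and is_literal_ip(parts.hostname):
            port = parts.port or (443 if parts.scheme == "https" else 80)
            findings.setdefault(f"{parts.hostname}:{port}", []).append(parts.path)
    return findings
```

Several distinct literal-IP hosts in the result, especially on a non-standard port, is the fingerprint the comment describes; an empty dict means every asset came from a named host.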
