You are not logged in.

#1 2017-05-22 1:47 am

shadowmaster
Member
From: Midwest, USA
Registered: 2014-12-20
Posts: 31
Website

Anyone know what xpymep.exe is?

While checking in on a board I monitor, I seen this in the who is online now area.

Guest IP: 178.210.xxx.xx »
xpymep.exe

I ran the ip but it came up clean, though the arin's who is came up with this:

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:     
PostalCode:     1001EB
Country:        NL
RegDate:       
Updated:        2013-07-29

Amsterdam, spammers haven.

I'm guessing the xpymep is supposed to be the user agent? Also guessing this is some sort of xrunner crap. Not real familiar with all that stuff.

Any insight?

Offline

#2 2017-05-22 2:12 am

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Anyone know what xpymep.exe is?

It is a "user agent", and yes it is part of xrunner, the administrator of the forum you "monitor" could easily block it.
What is xpymep.exe ?
------------------

http://www.spambotsecurity.com/forum/vi … ?f=7&t=728

-------------------
https://github.com/pH7Software/pH7-Soci … e.htaccess

 SetEnvIfNoCase User-Agent "^xpymep.exe" bad_bot

Offline

#3 2017-05-22 2:26 am

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 2,420
Website

Re: Anyone know what xpymep.exe is?

You are quoting the organisation that allocated the original netblock. You need to examine IPs at the AS level:

Some examples until I got bored. I used the following commands to obtain the following info:–

$ whois 178.210.0.0
$ whois 178.210.8.0
$ whois 178.210.12.0
$ whois 178.210.16.0
$ whois 178.210.24.0
$ whois 178.210.32.0
$ whois 178.210.33.0

178.210.0.0/19  (178.210.0.0 - 178.210.7.255)   AS31214 (TIS-DIALOG-ISP, dynamic PPP, RU)
178.210.0.0/19  (178.210.8.0 - 178.210.11.255)  AS31214 (TIS-DIALOG-ISP, dynamic PPP, RU)
178.210.0.0/19  (178.210.12.0 - 178.210.15.255) AS31214 (TIS-DIALOG-ISP, dynamic PPP, RU)
178.210.0.0/19  (178.210.16.0 - 178.210.23.255) AS31214 (TIS-DIALOG-ISP, dynamic PPP, RU)
178.210.0.0/19  (178.210.24.0 - 178.210.31.255) AS31214 (TIS-DIALOG-ISP, dynamic PPP, RU)
178.210.32.0/24 (178.210.32.0 - 178.210.32.255) AS43727 (KVANT-TELECOM-MOSCOW, RU)
178.210.33.0/24 (178.210.33.0 - 178.210.33.255) AS43727 (KVANT-TELECOM-SERPUHOV, RU)

...and so on. And remember, the largest spammers in the world are all based in the USA.

spywarelib.com said that 'xpymep.exe' had been fingered as a “Trojan-Downloader”. But of course, that is all academic as this is a site for fighting spammers, not abuse.

Offline

#4 2017-06-04 1:30 am

shadowmaster
Member
From: Midwest, USA
Registered: 2014-12-20
Posts: 31
Website

Re: Anyone know what xpymep.exe is?

Fast answer by you guys, thanks much, and a slow follow up by me, sorry. I'm not really to worried about this, it was just something new I seen.

Thanks for links Garry, I will definitely check them out.


GarryRicketson wrote:

the administrator of the forum you "monitor"

Thats funny, monitor in quotes. While I don't technically own the website I do host it on my account and do what little maintenance there is to do on it, so for all intensive purposes I guess I am the admin on it.

Alex Kemp wrote:

Some examples until I got bored. I used the following commands to obtain the following info:–

$ whois 178.210.0.0
$ whois 178.210.8.0
$ whois 178.210.12.0
$ whois 178.210.16.0
$ whois 178.210.24.0

I guess I'm not much of an administrator, cause I'm not sure where you ran the commands.

Thanks again.

Offline

#5 2017-06-04 3:45 am

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Anyone know what xpymep.exe is?

Thats funny, monitor in quotes

Ok, well  your welcome, and I am not sure on the "monitor" , maybe I am mis using the quotes,... it was because I was not sure if you meant monitor,  or administer , to me
they are 2 different things,... for example a forum, I monitor it for spam, and am authorized
to remove the spam,... but I am not authorized to do any other administrative tasks, so
I do not administer the forum. 
  Any way, if you do have administrative privileges, you can block the sources of this mal-ware bot.

Offline

#6 2017-06-04 9:16 am

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 2,420
Website

Re: Anyone know what xpymep.exe is?

shadowmaster wrote:
Alex Kemp wrote:

I used the following commands to obtain the following info:–

$ whois 178.210.0.0

I guess I'm not much of an administrator, cause I'm not sure where you ran the commands.

The dollar ('$') at the beginning indicates that the environment is the Debian (or any other Linux) terminal, issued in this case as a non-admin user.

Once you ID the ASN (Autonomous-System Number) you have identified the network operator of that collection of IPs (it is often best to think of an ASN as the ISP; more info at Wikipedia + CIDR Report). Although we often use the term “Toxic IP” in SFS, it is more accurate to say “Toxic ASN”, since numbers are rarely vicious, whilst humans often are. In addition, there can be some churn in IPs (transfer between operators) which CIDR Report continuously monitors, plus the NoC can be anywhere in the world and may well be separate to the Operator location.

Offline

#7 2017-06-06 12:25 am

shadowmaster
Member
From: Midwest, USA
Registered: 2014-12-20
Posts: 31
Website

Re: Anyone know what xpymep.exe is?

Ok thanks guys. Good info there.

Offline

#8 2017-07-14 10:27 am

TETYYS
Member
Registered: 2012-12-27
Posts: 200

Re: Anyone know what xpymep.exe is?

xpymep = хрумер = xrumer

https://en.wikipedia.org/wiki/XRumer


i love reporting spam

Offline

#9 2017-07-15 9:57 pm

shadowmaster
Member
From: Midwest, USA
Registered: 2014-12-20
Posts: 31
Website

Re: Anyone know what xpymep.exe is?

TETYYS wrote:

xpymep = хрумер = xrumer

That's what I assumed from the get go, although I see I did type " xrunner ".

Last edited by shadowmaster (2017-07-15 9:57 pm)

Offline

Board footer

Powered by FluxBB

Close
Close