What is Swedish ISP Phonera serving on its IPs?

I stumbled upon a suspicious looking site today whilst googling for my sister.

http:// 93.158.88.233/  It serves pages with peoples names + nonsensical information. The pages seem to link to other IPs too, most of them hosted on a Swedish ISP called  Phonera (used to be called Port80).

I tried a handful of their IP's to see that they all serve this same kind of content.

93.158.88.210
93.158.88.235
93.158.88.236
93.158.88.237
93.158.88.238

(etc! try the whole ranges)

whois 93.158.88.233

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:
PostalCode: 1001EB
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   93.0.0.0 - 93.255.255.255
CIDR:       93.0.0.0/8
NetName:    93-RIPE
NetHandle:  NET-93-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: SUNIC.SUNET.SE
NameServer: NS3.NIC.FR
NameServer: NS-EXT.ISC.ORG
NameServer: NS.LACNIC.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2007-03-27
Updated:    2007-04-03

# ARIN WHOIS database, last updated 2008-08-12 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '93.158.64.0 - 93.158.127.255'

inetnum:        93.158.64.0 - 93.158.127.255
org:            ORG-PA24-RIPE
netname:        SE-PORT80-20080529
descr:          Port80 AB
country:        SE
admin-c:        PORT80-RIPE
tech-c:         PORT80-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      PORT80-MNT
mnt-routes:     PORT80-MNT
source:         RIPE # Filtered

organisation:   ORG-PA24-RIPE
org-name:       Port80 AB
org-type:       LIR
address:        Port80 AB
                Box 92059
                120 06 Stockholm
                Sweden
phone:          +46 8 6510380
fax-no:         +46 8 6511680
admin-c:        RC765-RIPE
admin-c:        ROOL1-RIPE
mnt-ref:        PORT80-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

role:           Port80 Staff
address:        Port80 AB
address:        Box 92059
address:        SE 120 06  STOCKHOLM
address:        Sweden
phone:          +46 8 651 03 80
fax-no:         +46 8 651 16 80
abuse-mailbox:  [email protected]
remarks:        ********************************
remarks:        Abuse related issues is reported
remarks:        to [email protected]
remarks:        ********************************
admin-c:        RC765-RIPE
tech-c:         RC765-RIPE
tech-c:         ROOL1-RIPE
nic-hdl:        PORT80-RIPE
mnt-by:         PORT80-MNT
source:         RIPE # Filtered


Found a romanian comment spammer IP 193.200.51.235 in the sourcecode too...

<a href="http://193.200.51.235http://193.200.51.235/abc.php?auth=45V456b09m&strPassword=XQMWS%5E_N%40ZFU&nLoginId=43">

(Looks like a mistake in the sourcecode...)


My theory is that it's a network running on zombified computers serving nonsense pages and waiting to be crawled by google. After that maybe they will start serving ads from  193.200.51.235 ? But why do I find the same sites on every IP of Phonera that I try?

Fake biographies

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.