http://scammer.info/d/19582-18555706851
http://scammer.info/d/19580-18555603754
and almost definitely soon to be more…
playing around with urls, I noticed that /callnow2/index.html is also valid, and while p_num is supplied with $_GET["p_num"](meaning I can't get any numbers this way) this still could be useful. This version attempts to download itself onto the machine.
They seem to be running on a large network of domains, all hooked up to (probably) the same server which is cycling numbers per some length of time.
post more relevant info here.
downloaded file from callnow2 is named auth1.php, and contains this juicy login code for their sql server. get a load of this:
https://docs.google.com/document/d/1CWUrUCFDz3YM6vXxT5GSaoAF_zm05qvnXkNM3yMAOZY/edit?usp=sharing
basically, we got the login info to their sql server. See, php is supposed to be run on the server, with the result sent to the client. We're the client and we have their php. Now what we can do, and what I intend to attempt, is to log into their sql server and find where they store their numbers
cross y'all's fingers for a large and bountiful number harvest :)
What I don't fully understand, and what may very well be terrible coding by idiot scammers, is the login checking later down the page. For muggles, it goes something like:
check if the username and password we just set match up with what the server thinks they should be;
if that doesn't check out, and this hasn't happen before, say that it has happened eleven times. if it has, add one;
if this has happened eighty times, set the location on the header to the document we're already in;
now clearly, there's more going on here, but I need to do more research. If anyone wants to take a stab at getting into the sql server, reply with results.
On another look over, it occurs to me they might not be using sql.