Ebay – a bit altered

This message arrived today – from an Ebay – I mean, Eday member:

eday

With Outlook, Eday is easily read as Ebay…

Fake of course, sent to obtain credentials.
The header shows its origin: Australia – given the names, I’d say Melbourne:

Return-Path: member@eday.com
Received: from mail.southern-ro.com.au (203.46.24.242)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Thu, 30 Aug 2007 13:40:27 +0100 (CET)
Received: from User ([195.84.14.70]) by melbserver.southern-ro.com.au with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 30 Aug 2007 21:40:16 +1000
Reply-To: <member@eday.com>
From: "member"<member@eday.com>
Subject: message from member
Date: Thu, 30 Aug 2007 13:40:15 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: member@eday.com
Message-ID: <MELBSERVERAtC33BcZY00000e29@melbserver.southern-ro.com.au>
X-OriginalArrivalTime: 30 Aug 2007 11:40:16.0643 (UTC) FILETIME=[891CAD30:01C7EAFA]

That is: from address 195.84.14.70, and this is NOT an Ebay address, nor is the mailserver that connected (203.46.24.242). Nor would Ebay use Outlook Express. In other words: it is a basic PC. No To: line either; I wonder how the message got here in the first place.
No name in the message – which is not how Ebay would do it.
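As an added example (my code, not part of the original post), here is a small Python script that does the header walk described above mechanically: it reads the Received lines from the quoted header (embedded below as constructed sample input, with the folded lines indented as a mail server writes them), lists the hops oldest first, and reports the things that gave this message away: the originating address handed to a relay outside the sender's domain, a bare client name in the HELO, a personal mail client in X-Mailer, and a sender domain one character away from the brand it imitates. The brand list and the two-label domain rule are assumptions made for the example.

```python
import re
from email import message_from_string

# Constructed sample input: the header block quoted above, with the folded
# Received lines indented as an MTA writes them. Body left empty.
SAMPLE_HEADERS = """\
Return-Path: member@eday.com
Received: from mail.southern-ro.com.au (203.46.24.242)
 by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
 Thu, 30 Aug 2007 13:40:27 +0100 (CET)
Received: from User ([195.84.14.70]) by melbserver.southern-ro.com.au with Microsoft SMTPSVC(6.0.3790.3959);
 Thu, 30 Aug 2007 21:40:16 +1000
Reply-To: <member@eday.com>
From: "member"<member@eday.com>
Subject: message from member
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Message-ID: <MELBSERVERAtC33BcZY00000e29@melbserver.southern-ro.com.au>

"""

# "from <helo> (<ip>) by <server>" as written by both relays in the sample.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Brands whose lookalike domains we want to catch (assumption for the example).
BRANDS = ("ebay.com",)


def received_chain(raw):
    """Received hops oldest-first: the top header is the last relay, so reverse them."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value)          # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append(m.groupdict())
    return hops


def domain_of(addr):
    """Domain part of a From/Reply-To value such as '"member"<member@eday.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def registrable(host):
    # Assumption: crude last-two-labels rule; a real tool uses the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to spot one-character brand lookalikes (eday vs ebay)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw):
    """Return the origin IP, the sender domain and a list of things that look wrong."""
    msg = message_from_string(raw)
    hops = received_chain(raw)
    sender = domain_of(msg.get("From", ""))
    findings = []
    if hops:
        origin = hops[0]
        findings.append(f"originating address {origin['ip']} handed the mail to {origin['by']}")
        if registrable(origin["by"]) != registrable(sender):
            findings.append(f"first relay {origin['by']} is not in the sender domain {sender}")
        if "." not in origin["helo"]:
            findings.append(f"origin announced itself as '{origin['helo']}': a client PC, not a mail server")
    mailer = msg.get("X-Mailer", "")
    if "Outlook Express" in mailer:
        findings.append(f"X-Mailer '{mailer}' is a personal mail client, not a bulk mailer")
    for brand in BRANDS:
        if 0 < levenshtein(sender, brand) <= 1:
            findings.append(f"sender domain {sender} is one character away from {brand}")
    return {"origin_ip": hops[0]["ip"] if hops else None,
            "sender_domain": sender, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_HEADERS)["findings"]:
        print("-", finding)
```

Run as is and it prints the five findings for the sample; feed it the raw source of any other message to get the same summary.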

Almost all links that could require a login refer to a site at oberleitner.biz. Even the ones where you could report or learn about abuse:

Always remember to complete your transactions on eBay - it's the safer way to trade.</B><BR><BR>Is
this message an offer to buy your item directly through email without
winning the item on eBay? If so, please help make the eBay marketplace
safer by reporting it to us. These external transactions may be unsafe
and are against eBay policy. <A href="
http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT color=#003399>Learn more about trading safely</FONT></A>

A bit more down:

<B>Always remember to complete your transactions on eBay - it's the safer way to trade.</B><BR><BR>Is this message an offer to buy your item directly through email without winning the item on eBay? If so, please help make the eBay marketplace
safer by reporting it to us. These external transactions may be unsafe and are against eBay policy. <A href="
http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/"
target=_blank><FONT color=#003399>Learn more about trading safely</FONT></A>

and

Learn how you can protect yourself from spoof (fake) emails at:<BR><A href="http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT
color=#003399>https://pages.ebay.com/education/spooftutorial</FONT></A>

It looks like Oberleitner.biz’s business is getting user credentials. Or its domain is abused.
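The link mismatch is easy to check mechanically. This added example (again mine, not from the post) parses the quoted HTML fragments with Python's html.parser, collects every anchor together with its visible text, and reports links whose target is outside ebay.com or whose displayed URL names a different host than the href does. The fragments are embedded as constructed sample input; the two-label domain rule is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input: the two anchors quoted above from the phishing mail.
SAMPLE_HTML = """\
<B>Always remember to complete your transactions on eBay - it's the safer way to trade.</B><BR><BR>
If so, please help make the eBay marketplace safer by reporting it to us.
<A href="http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT color=#003399>Learn more about trading safely</FONT></A>
Learn how you can protect yourself from spoof (fake) emails at:<BR><A href="http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT color=#003399>https://pages.ebay.com/education/spooftutorial</FONT></A>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element, nested tags included."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):          # html.parser lowercases tag names
        if tag == "a":
            self._href = (dict(attrs).get("href") or "").strip()
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    # Assumption: crude last-two-labels rule; real tooling uses the public suffix list.
    return ".".join(host.rstrip(".").split(".")[-2:])


def audit_links(html, brand_domain="ebay.com"):
    """Return the anchors that leave the brand's domain or show one host but link to another."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        if registrable(href_host) != brand_domain:
            reasons.append(f"target {href_host} is outside {brand_domain}")
        # Visible text that looks like a URL must agree with the real target.
        if re.match(r"(?i)^(https?://|www\.)", text) and registrable(host_of(text)) != registrable(href_host):
            reasons.append(f"shown as {host_of(text)} but links to {href_host}")
        if reasons:
            suspicious.append({"href": href, "text": text, "reasons": reasons})
    return suspicious


if __name__ == "__main__":
    for item in audit_links(SAMPLE_HTML):
        print(item["text"], "->", item["href"])
        for reason in item["reasons"]:
            print("   ", reason)
```

The second anchor is the interesting one: the text reads https://pages.ebay.com/education/spooftutorial while the href goes to www.oberleitner.biz, which is exactly the case a mail client renders as a genuine-looking link.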

FTP and web abuse attempts.

FTP attempts
I walked the FTP logs for a change – it’s very quiet and I don’t bother too much about script kiddies – the vast majority of the attempts are from scripts, and most of them rely on either badly configured Windows systems running the low-end version of IIS (or using Frontpage), or Linux boxes. Like this one a week ago:

In operator.log the attempt to create a directory showed up:

%%%%%%%%%%% OPCOM 20-AUG-2007 21:58:11.02 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: M2147P027.adsl.highway.telekom.at
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.070820225850p]

Anonymous_ftp.log shows his login and just a few lines – not all:

20-AUG-2007 21:58:09.46 User:anonymous logged in ident:Jgpuser@home.com from Host:M2147P027.adsl.highway.telekom.at
20-AUG-2007 21:58:10.91 User:anonymous ident:Jgpuser@home.com status:00010001 CWD dir:WEB_DISK2:[public.anonymous]
20-AUG-2007 21:58:12.30 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]tagged
20-AUG-2007 21:58:12.38 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Tagged
20-AUG-2007 21:58:12.45 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]TaGGeD
20-AUG-2007 21:58:12.52 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]data
20-AUG-2007 21:58:12.58 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Data
20-AUG-2007 21:58:12.66 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]^%
20-AUG-2007 21:58:12.72 User:anonymous ident:Jgpuser@home.com logged out

3 seconds – according to this log, and one that is seen more often. The full FTP_run.log shows the script tried Windows and Linux default locations – and the failed attempt to create a directory, before the above were tried:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from M2147P027.adsl.highway.telekom.at at 20-AUG-2007 21:58:09.08
%TCPIP-I-FTP_NODE, client host name: M2147P027.adsl.highway.telekom.at
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/

next, the attempt to create the directory:
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070820225850p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000EE: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: M2147P027.adsl.highway.telekom.at
%TCPIP-I-FTP_USER, user name: anonymous

which is signalled in OPERATOR.LOG. It goes on: accessing non-existing directories (either Windows or Linux based):
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/

and finally the ones signalled in anonymous_ftp.log:
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]TaGGeD
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]^%
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from M2147P027.adsl.highway.telekom.at at 20-AUG-2007 21:58:12.75
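The session above has a recognisable shape: an anonymous login, a run of well-known upload and FrontPage paths walked in under four seconds, a directory creation attempt, and case variants of the same name. Added example, not from the post: a Python parser for the FTP_run.log format shown above that groups lines into sessions between the SESCON and SESDCN records and scores each session on those traits. The log is embedded as constructed sample input (the session from the page, abridged, plus an invented benign session from 192.0.2.10); the list of scanner paths and the thresholds are assumptions seeded from the objects in the log.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the page's session, abridged, plus one invented
# benign session (192.0.2.10 is a documentation address).
SAMPLE_FTP_LOG = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from M2147P027.adsl.highway.telekom.at at 20-AUG-2007 21:58:09.08
%TCPIP-I-FTP_NODE, client host name: M2147P027.adsl.highway.telekom.at
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070820225850p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000EE: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]TaGGeD
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from M2147P027.adsl.highway.telekom.at at 20-AUG-2007 21:58:12.75
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 192.0.2.10 at 21-AUG-2007 09:00:00.00
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /pub/readme.txt
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 192.0.2.10 at 21-AUG-2007 09:02:30.00
"""

SESSION_RE = re.compile(
    r"FTP_(SESCON|SESDCN), FTP SERVER: session (?:connection|disconnection) from (\S+) at (\S+ \S+)$"
)
OBJ_RE = re.compile(r"FTP_OBJ, object: (.+)$")
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

# Upload and FrontPage locations that upload scanners walk (assumption: a starter
# list taken from the objects in the log above).
SCANNER_PATHS = {
    "/incoming/", "/pub/incoming/", "/public/incoming/", "/upload/",
    "/_vti_pvt/", "/_vti_txt/", "/_vti_log/", "/_vti_cnf/",
    "/wwwroot/", "/mailroot/", "/ftproot/",
}


def parse_sessions(text):
    """Group log lines into sessions delimited by SESCON / SESDCN records."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            kind, host, ts = m.groups()
            when = datetime.strptime(ts, TS_FMT)
            if kind == "SESCON":
                cur = {"host": host, "start": when, "end": None,
                       "objects": [], "mkdir_failed": False}
                sessions.append(cur)
            elif cur is not None:
                cur["end"] = when
                cur = None
            continue
        if cur is None:
            continue
        m = OBJ_RE.search(line)
        if m:
            cur["objects"].append(m.group(1).strip())
        elif "Failed to create directory" in line:
            cur["mkdir_failed"] = True
    return sessions


def score_session(s):
    """Flag a session when at least two scanner traits are present (assumed threshold)."""
    duration = (s["end"] - s["start"]).total_seconds() if s["end"] else None
    objs = s["objects"]
    probes = [o for o in objs if o in SCANNER_PATHS]
    repeated_case = [k for k, n in Counter(o.lower() for o in objs).items() if n > 1]
    reasons = []
    if len(probes) >= 3:
        reasons.append(f"{len(probes)} known upload/FrontPage paths probed")
    if duration is not None and len(objs) >= 5 and duration < 10:
        reasons.append(f"{len(objs)} objects in {duration:.1f}s")
    if repeated_case:
        reasons.append("case variants of the same name: " + ", ".join(repeated_case))
    if s["mkdir_failed"]:
        reasons.append("directory creation attempted by anonymous")
    return {"host": s["host"], "duration": duration, "objects": len(objs),
            "reasons": reasons, "suspicious": len(reasons) >= 2}


if __name__ == "__main__":
    for sess in parse_sessions(SAMPLE_FTP_LOG):
        print(score_session(sess))
```

The telekom.at session trips all four traits in 3.7 seconds; the invented session from 192.0.2.10 fetches two objects over two and a half minutes and trips none.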

There have been more accesses but these seemed to cut the connection:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 57.c-servers.com at 21-AUG-2007 16:29:30.44
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from unknown76.120.65.69.defenderhosting.com at 21-AUG-2007 19:55:13.88
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 202.62.224.90 at 23-AUG-2007 12:06:20.27
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from us1.dnsbu.com at 23-AUG-2007 16:12:06.56
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 69.1.239.133 at 23-AUG-2007 17:40:18.96
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from us1.dnsbu.com at 24-AUG-2007 00:03:16.19
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 78.129.138.101 at 25-AUG-2007 15:08:13.28

The weblog shows it’s finally realised that overrun attempts will surely fail. That FORUM has been disabled shows up in the log: last week gave just one attempt to push a fake registration directly, and one address tried twice – 3 times in a row – to do so by querying the site, and gave up:

219.207.8.140 - - [21/Aug/2007:01:10:03 +0100] "GET http://www.grootersnet.nl/forums/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 403 864
...
66.232.125.138 - - [21/Aug/2007:01:10:29 +0100] "GET http://www.grootersnet.nl/ HTTP/1.0" 403 864
66.232.125.138 - - [21/Aug/2007:01:10:30 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [21/Aug/2007:01:10:31 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [21/Aug/2007:01:10:31 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
...
66.232.125.138 - - [22/Aug/2007:02:10:56 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [22/Aug/2007:02:10:57 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [22/Aug/2007:02:10:58 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748

There have also been some other attempts I’ve seen before:

193.195.42.197 - - [25/Aug/2007:00:40:33 +0100] "GET /%20+%20/ HTTP/1.0" 404 868
85.17.181.227 - - [25/Aug/2007:06:45:35 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
85.17.181.227 - - [25/Aug/2007:06:46:43 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
62.193.242.99 - - [25/Aug/2007:15:55:18 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893

The errors (4xx) show these all failed. Of course.
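Added example, not part of the post: a Python pass over access-log lines in the format shown above (the page's lines embedded as constructed input, plus an invented normal request from 192.0.2.55) that summarises, per client address, the 4xx count, known probe signatures (the w00tw00t banner, the /%20+%20/ path and the forum register URL, all taken from the log above) and bursts of the same request repeated three times within a minute, which is the pattern of the 66.232.125.138 retries. The window and repeat threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the log lines quoted above plus one invented
# ordinary request from 192.0.2.55 (a documentation address).
SAMPLE_ACCESS_LOG = """\
219.207.8.140 - - [21/Aug/2007:01:10:03 +0100] "GET http://www.grootersnet.nl/forums/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 403 864
66.232.125.138 - - [21/Aug/2007:01:10:29 +0100] "GET http://www.grootersnet.nl/ HTTP/1.0" 403 864
66.232.125.138 - - [21/Aug/2007:01:10:30 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [21/Aug/2007:01:10:31 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [21/Aug/2007:01:10:31 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
193.195.42.197 - - [25/Aug/2007:00:40:33 +0100] "GET /%20+%20/ HTTP/1.0" 404 868
85.17.181.227 - - [25/Aug/2007:06:45:35 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
85.17.181.227 - - [25/Aug/2007:06:46:43 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
192.0.2.55 - - [25/Aug/2007:10:00:00 +0100] "GET /index.html HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Request substrings seen in the log above and what they mean (assumed labels).
SIGNATURES = {
    "w00tw00t": "DFind scanner banner",
    "/%20+%20/": "malformed-path probe",
    "profile.php?mode=register": "forum auto-registration attempt",
}


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def analyse(text, window_s=60, repeat_threshold=3):
    """Per-IP summary: request and 4xx counts, matched signatures, repeated-request bursts."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "signatures": set(), "bursts": []})
    recent = defaultdict(list)          # (ip, path) -> timestamps inside the window
    for raw in text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        if rec["status"] >= 400:
            entry["errors"] += 1
        for needle, label in SIGNATURES.items():
            if needle in rec["path"]:
                entry["signatures"].add(label)
        key = (rec["ip"], rec["path"])
        recent[key] = [t for t in recent[key] + [rec["ts"]]
                       if (rec["ts"] - t).total_seconds() <= window_s]
        if len(recent[key]) == repeat_threshold:      # record the burst once
            entry["bursts"].append(rec["path"])
    return {ip: {**v, "flag": bool(v["signatures"] or v["bursts"])} for ip, v in per_ip.items()}


if __name__ == "__main__":
    for ip, summary in analyse(SAMPLE_ACCESS_LOG).items():
        print(ip, summary["errors"], "errors;", sorted(summary["signatures"]), summary["bursts"])
```

Every flagged address in the sample also has a 4xx for each request, which is the point of the paragraph above: the probes are noise, but a burst of identical retries or a known banner is worth a firewall entry even when the server already says no.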

I want to have some fun: I’m thinking of creating a file Docroot:[w00tw00t.at.ISC.SANS.DFind]index.html, or redirecting that location to “Noservice”.
See what happens…