29-Oct-2007

Updates postponed
Due to other priorities, no updates could be installed last weekend. None of them is really critical, so they can be postponed without problems. It will have to be done some weeks later; there is little time in the coming weeks.
MySQL crash
When accessing the blog this afternoon, the MySQL server crashed – again. Why does the server crash if one thread fails?
Perhaps the value of some variables should be lowered, but why did it work rather well in the past? The server has crashed before, but stability has decreased without obvious reason: just one system parameter changed? It doesn't make sense...
Upload of the logfile fails:
%HTTPD-W-NOTICED, 29-OCT-2007 18:33:41, CGI:1969, not a strict CGI response
-NOTICED-I-SERVICE, http://www.grootersnet.nl:80
-NOTICED-I-CLIENT, 192.168.0.33
-NOTICED-I-URI, POST (72 bytes) /sysblog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1193677653
-NOTICED-I-SCRIPT, /sysblog/wp-admin/upload.php sysblog:[wp-admin]upload.php (cgi_exe:phpwasd.exe) SYSBLOG:[wp-admin]upload.php
-NOTICED-I-CGI, 2553595354454D2D462D485041524954482C206869676820 (129 bytes) %SYSTEM-F-HPARITH, high performance arithmetic trap, Imask=00000000, Fmask=00000002, summary=02, PC=00000000001E9C94, PS=0000001B
-NOTICED-I-RXTX, err:0/0 raw:7643/0 net:1182/0

whereas it did work uploading a .JPG file this afternoon (before the server crashed). Well, see if I get the data uploaded some other time.

Phishing using Paypal

Sometimes you see interesting attempts.

(image: paypal phishing attempt)

The header looks like this:

Return-Path: service@paypal.com
Received: from XXXXXXXXXX.GROOTERSNET.NL (192.168.0.2)
by xxxxxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Mon, 29 Oct 2007 10:14:17 +0100 (CET)
Received: from www.outsidepride.com ([69.20.59.177] EXTERNAL) (EHLO
www.outsidepride.com) by xxxxxxxxxx.GROOTERSNET.NL ([192.168.0.200])
(PreciseMail V3.0); Sun, 28 Oct 2007 21:34:22 +0100
Received: from User ([89.137.232.120]) (authenticated bits=0) by
www.outsidepride.com (8.12.11.20060308/8.12.11) with ESMTP id l9SKWQo4011442;
Sun, 28 Oct 2007 16:32:27 -0400
Message-Id: <200710282032.l9SKWQo4011442@www.outsidepride.com>
From: "PayPal"<service@paypal.com>
Subject: You have 1 new Security Message Alert !
Date: Sun, 28 Oct 2007 22:32:56 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by www.outsidepride.com id
l9SKWQo4011442

Blocked by the anti-spam frontend, for the following reasons:

X-PMAS-External: www.outsidepride.com [69.20.59.177] (EHLO
www.outsidepride.com)
X-PMAS-Software: PreciseMail V3.0 [071027] (diana.GROOTERSNET.NL)
X-PMAS-DYN_URI-OK_URL: Dynamic URI check: OK URL (0.000)
X-PMAS-REPUTATION_URI_NONSPAM: URI reputation check (0.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-MISSING_HEADERS: Missing To: header (1.035)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-NO_SPACE_FROM: From: header is poorly formatted (no space) (5.000)
X-PMAS-URI-NORMAL_FTP_TO_IP: Uses a dotted-decimal IP address in URL (1.000)
X-PMAS-BDY-IMAGE_LINK: Image that links to web site (3.000)
X-PMAS-BDY-INCREASE_YOUR_SOMETHING: Message has phrase "Increase your..." (3.000)
X-PMAS-BDY-FOR_MORE_INFO2: Includes "for more information" (1.500)
X-PMAS-META-FORGED_OUTLOOK_HTML: Outlook can't send HTML message only (1.101)
X-PMAS-META-FORGED_OUTLOOK_TAGS: Outlook can't send HTML in this format (5.000)
X-PMAS-META-1PIXEL_IMG: Message includes 1x1 img link (20.000)
X-PMAS-META-PHISHING_02: Message appears to be a phishing scam (10.000)
X-PMAS-META-PHISHING_03: Message appears to be a PayPal phishing scam (20.000)
X-PMAS-META-DEAR_SOMETHING: Contains generic 'Dear (something)' (1.596)
X-PMAS-META-STOP_RECEIVING: Specific spam text "to stop receiving" (5.000)
X-PMAS-Final-Score: 78.732
X-PMAS-Spam-Level: ********************+
X-PMAS-Spam: Yes
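
The per-rule weights in these headers add up exactly to the declared final score, which is a handy sanity check when reading a verdict like this. The following is an added example (my own code, not part of the original post and not PreciseMail's code): it unfolds the X-PMAS headers, pulls the weight each rule contributed, sums them and compares the sum with X-PMAS-Final-Score. The header text is embedded as constructed sample input copied from the verdict above, including the two lines that were wrapped on display; the unfolding rule (any line that does not start a new header is a continuation) is my assumption, as PreciseMail's own folding is not shown here.

```python
from __future__ import annotations

import re
from decimal import Decimal

# Constructed sample input: the X-PMAS verdict headers quoted in the post,
# including the two lines that arrived wrapped onto a second line.
PMAS_HEADERS = """\
X-PMAS-External: www.outsidepride.com [69.20.59.177] (EHLO
www.outsidepride.com)
X-PMAS-Software: PreciseMail V3.0 [071027] (diana.GROOTERSNET.NL)
X-PMAS-DYN_URI-OK_URL: Dynamic URI check: OK URL (0.000)
X-PMAS-REPUTATION_URI_NONSPAM: URI reputation check (0.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-MISSING_HEADERS: Missing To: header (1.035)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-NO_SPACE_FROM: From: header is poorly formatted (no space) (5.000)
X-PMAS-URI-NORMAL_FTP_TO_IP: Uses a dotted-decimal IP address in URL (1.000)
X-PMAS-BDY-IMAGE_LINK: Image that links to web site (3.000)
X-PMAS-BDY-INCREASE_YOUR_SOMETHING: Message has phrase "Increase your..."
(3.000)
X-PMAS-BDY-FOR_MORE_INFO2: Includes "for more information" (1.500)
X-PMAS-META-FORGED_OUTLOOK_HTML: Outlook can't send HTML message only (1.101)
X-PMAS-META-FORGED_OUTLOOK_TAGS: Outlook can't send HTML in this format
(5.000)
X-PMAS-META-1PIXEL_IMG: Message includes 1x1 img link (20.000)
X-PMAS-META-PHISHING_02: Message appears to be a phishing scam (10.000)
X-PMAS-META-PHISHING_03: Message appears to be a PayPal phishing scam (20.000)
X-PMAS-META-DEAR_SOMETHING: Contains generic 'Dear (something)' (1.596)
X-PMAS-META-STOP_RECEIVING: Specific spam text "to stop receiving" (5.000)
X-PMAS-Final-Score: 78.732
X-PMAS-Spam-Level: ********************+
X-PMAS-Spam: Yes
"""

# A line that starts a new header: "Name:" (underscores occur in rule names).
HEADER_START = re.compile(r"^[A-Za-z0-9_-]+:")
# A scoring rule carries its weight in parentheses at the end, e.g. "(1.035)".
SCORED_RULE = re.compile(r"^(X-PMAS-[A-Za-z0-9_-]+):\s*(.*?)\s*\((-?\d+\.\d+)\)$")


def unfold(headers: str) -> list[str]:
    """Join continuation lines onto the header they belong to.

    RFC 5322 marks continuations with leading whitespace; a mail client or
    blog may strip that, so (assumption) any line that does not look like
    the start of a header is glued onto the previous one.
    """
    logical: list[str] = []
    for raw in headers.splitlines():
        if not raw.strip():
            continue
        if logical and (raw[0].isspace() or not HEADER_START.match(raw)):
            logical[-1] = logical[-1] + " " + raw.strip()
        else:
            logical.append(raw.rstrip())
    return logical


def parse_rules(headers: str) -> dict[str, tuple[str, Decimal]]:
    """Map each scoring rule to (description, weight).

    Informational headers (External, Software, Final-Score, Spam-Level, Spam)
    have no "(weight)" suffix and are skipped.
    """
    rules: dict[str, tuple[str, Decimal]] = {}
    for line in unfold(headers):
        m = SCORED_RULE.match(line)
        if m:
            name, desc, weight = m.groups()
            rules[name] = (desc, Decimal(weight))
    return rules


def declared_final_score(headers: str) -> Decimal:
    """The score PreciseMail itself wrote into X-PMAS-Final-Score."""
    for line in unfold(headers):
        if line.startswith("X-PMAS-Final-Score:"):
            return Decimal(line.split(":", 1)[1].strip())
    raise ValueError("no X-PMAS-Final-Score header")


def computed_final_score(headers: str) -> Decimal:
    """Sum of the individual rule weights (Decimal keeps the 3 places exact)."""
    return sum((w for _, w in parse_rules(headers).values()), Decimal(0))


def score_matches(headers: str) -> bool:
    """True when the rule weights account for the whole declared score."""
    return computed_final_score(headers) == declared_final_score(headers)


def top_rules(headers: str, n: int = 3) -> list[tuple[str, Decimal]]:
    """The n heaviest rules, i.e. what actually decided the verdict."""
    ranked = sorted(((name, w) for name, (_, w) in parse_rules(headers).items()),
                    key=lambda item: item[1], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    print("rules:", len(parse_rules(PMAS_HEADERS)))
    print("computed:", computed_final_score(PMAS_HEADERS),
          "declared:", declared_final_score(PMAS_HEADERS),
          "match:", score_matches(PMAS_HEADERS))
    for name, weight in top_rules(PMAS_HEADERS):
        print(f"  {weight:>7}  {name}")
```

Run as-is it reports 17 scored rules summing to 78.732, matching the declared score, with the two 20-point rules (the 1x1 image link and the PayPal phishing pattern) plus the generic phishing rule accounting for 50 of the 78.7 points; the three "(0.000)" checks that passed contribute nothing, which is why a clean sender reputation alone does not rescue a message like this.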

Apart from the fact that the sender server is not within the Paypal domain 🙂

The interesting part is on the inside.
Most often, links refer to some site using the http protocol (never https, of course), but this one is different – twice using FTP to get your data:

<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Travelling
confirmation Here</a></td>

<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Re-activate your account Here</a></td>
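
Everything that makes this link stand out can be checked mechanically: the scheme is not https, a username and password are embedded in the URL, and the host is a bare IP address rather than a hostname (which is also what PreciseMail's NORMAL_FTP_TO_IP rule above fired on). As an added example (my own code, not from the original post), the snippet below extracts the href targets from an HTML body and reports those indicators per unique link; the two anchors from the message are embedded as constructed sample input, with one ordinary https link added by me for contrast.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the two anchors quoted in the post, plus one ordinary
# link added here for contrast (it is not part of the phishing mail).
SAMPLE_HTML = """\
<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Travelling
confirmation Here</a></td>
<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Re-activate your account Here</a></td>
<a href="https://www.paypal.com/">PayPal</a>
"""

# href="..." or href='...'; the attribute may sit on a later line than <a.
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def extract_hrefs(html: str) -> list[str]:
    """Every href target in the markup, in document order (duplicates kept)."""
    return HREF.findall(html)


def assess_url(url: str) -> list[str]:
    """Risk indicators found in one link target (empty list = nothing odd).

    The three checks mirror what the post points out: a scheme other than
    https, login credentials carried in the URL, and a raw IP address
    instead of a hostname.
    """
    parts = urlsplit(url)
    reasons: list[str] = []
    if parts.scheme.lower() != "https":
        reasons.append(f"scheme {parts.scheme or '(none)'} rather than https")
    if parts.username is not None or parts.password is not None:
        reasons.append("credentials embedded in URL")
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)   # raises ValueError for a real hostname
        reasons.append("host is an IP literal, not a hostname")
    except ValueError:
        pass
    return reasons


def suspicious_links(html: str) -> dict[str, list[str]]:
    """Unique link targets that raised at least one indicator, with reasons."""
    findings: dict[str, list[str]] = {}
    for url in extract_hrefs(html):
        if url in findings:
            continue
        reasons = assess_url(url)
        if reasons:
            findings[url] = reasons
    return findings


if __name__ == "__main__":
    for url, reasons in suspicious_links(SAMPLE_HTML).items():
        print(url)
        for r in reasons:
            print("  -", r)
```

On the sample above only the FTP link is reported, with all three indicators; the contrast link passes cleanly. The same function is useful on its own for the common http-only case the post mentions, where it reports just the scheme.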

The addresses mentioned are Romanian, at least two of them.

  • 192.102.104.2 is indeed owned by onix.ro – it is possible that it's a source of abuse: an internet cafe, probably
  • 217.156.19.129 is owned by vl.ro – named Analog Digital Systems Inc. RDS – Radio Data Systems? That makes sense. But abuse like this, I doubt it!
  • 62.177.188.59 is owned by bbeyond – a Dutch network operator without a Romanian domain: bbeyond.ro does not exist.
  • The address mentioned in the links refers to a network operator in Canada, and there is an abuse address in their Whois data. So I'll forward the message to them.