The price of being famous?

Once again, someone tries to get credentials using EBay-style messages.
ebay number 3

As usual, you should be alarmed by the full header:

Return-Path: member@ebay.com
Received: from mail.neel.net (71.165.245.13)
by xxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Sat, 18 Aug 2007 20:18:13 +0100 (CET)
Received: from User ([202.28.4.25])
by mail.neel.net (Merak 7.6.2) with ASMTP id EAA74438;
Thu, 16 Aug 2007 13:13:34 -0700
From: "ebay"<member@ebay.com>
Subject: confirm your email address on file at eBay
Date: Thu, 16 Aug 2007 11:15:32 +0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Outlook Express – so BASIC Internet Explorer – I’m not fooled by such stupidity.
No TO line, and the message actually states:
For security reasons your registered name and email is not included.
Makes sense – since they don’t know it. They want you to supply it to them – and your password….

The mailserver has little or nothing to do with EBay: it’s a Verizon address:

$ dig -x 71.165.245.13

; <<>> DiG 9.3.1 <<>> -x 71.165.245.13
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17107
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;13.245.165.71.in-addr.arpa. IN PTR

;; ANSWER SECTION:
13.245.165.71.in-addr.arpa. 69628 IN PTR mail.neel.net.

;; AUTHORITY SECTION:
245.165.71.in-addr.arpa. 69628 IN NS ns2.verizon.net.
245.165.71.in-addr.arpa. 69628 IN NS ns2.bellatlantic.net.
245.165.71.in-addr.arpa. 69628 IN NS ns4.verizon.net.
245.165.71.in-addr.arpa. 69628 IN NS ns1.bellatlantic.net.

EBay may relay over Verizon or Bell Atlantic, but given the sender is from Thailand:

$ dig -x 202.28.4.25

; <<>> DiG 9.3.1 <<>> -x 202.28.4.25
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15689
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;25.4.28.202.in-addr.arpa. IN PTR

;; ANSWER SECTION:
25.4.28.202.in-addr.arpa. 86400 IN PTR libmod25.lib.kmutt.ac.th.

;; AUTHORITY SECTION:
4.28.202.in-addr.arpa. 86400 IN NS libmod.lib.kmutt.ac.th.

I have my doubts.
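The header reading done by hand above (walk the Received: lines from the bottom up, pull out each hop's IP, and compare with what the From: line claims) as an added example that is not part of the original post. It parses the eBay header quoted above, re-folded so a standard parser accepts it; the reverse lookups are still left to dig.

```python
import re
from email import message_from_string

# The eBay header quoted above, re-folded with continuation indentation so
# a standard parser reads it (the recipient host is obscured as in the post).
RAW_HEADER = """\
Return-Path: member@ebay.com
Received: from mail.neel.net (71.165.245.13)
  by xxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
  Sat, 18 Aug 2007 20:18:13 +0100 (CET)
Received: from User ([202.28.4.25])
  by mail.neel.net (Merak 7.6.2) with ASMTP id EAA74438;
  Thu, 16 Aug 2007 13:13:34 -0700
From: "ebay"<member@ebay.com>
Subject: confirm your email address on file at eBay
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

"""

IPV4 = r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])"

def received_hops(raw: str):
    """Walk the Received: chain and return (helo_name, ip) per hop, ordered
    from the originating client to final delivery. Only the top line, stamped
    by your own server, is trustworthy; anything below it can be forged."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)          # unfold the header
        m = re.search(r"from\s+(\S+)\s*\(([^)]*)\)", flat)
        if not m:
            continue
        ip = re.search(IPV4, m.group(2))
        hops.append((m.group(1), ip.group(1) if ip else None))
    hops.reverse()          # the newest Received: sits on top of the header
    return hops

def claimed_sender_domain(raw: str):
    """Domain in the From: header, i.e. what the mail pretends to be."""
    m = re.search(r"@([\w.-]+)", message_from_string(raw).get("From", ""))
    return m.group(1).lower() if m else None

def touches_domain(raw: str, domain: str) -> bool:
    """True when any hop's host name lies in `domain`; a mail claiming
    ebay.com that never passes an ebay.com host is the red flag above."""
    domain = domain.lower()
    return any(h.lower() == domain or h.lower().endswith("." + domain)
               for h, _ in received_hops(raw))
```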

More important: the links in the message lead to an address that is NOT Ebay at all:
<div><FONT face="Arial, Verdana" size=2>To confirm your email address on file at eBay, just click the button to the right: </FONT></div> <div><FONT face="Arial, Verdana" size=2>You can also copy and paste the following link into your web browser: <BR><A onclick="return top.js.OpenExtLink(window,event,this)" href="http://0xcfead15b/signin.ebay.com/ws/index.htm"
target=_blank>http://cgi4.ebay.com/ws<WBR>/eBayISAPI.dll?ChangeEmailConfi<WBR>rm</A>

The address is coded in HEX: 0xcfead15b, and this translates to 207.234.209.91. This is the owner of the address:
Affinity Internet, Inc AFFINITY-207-234-128-0 (NET-207-234-128-0-1)
207.234.128.0 - 207.234.255.255
Affinity Internet, Inc AFFINITY-DEDIATED-207-234-209-0 (NET-207-234-209-0-1)
207.234.209.0 - 207.234.209.255
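The hex-to-dotted-quad translation above, as an added example (not code from the original post): it decodes a numeric host in whatever base the mail used (the 0xcfead15b form, the plain decimal form, or four mixed-base octets) and flags an anchor whose visible text names a different host than its href. The function names are my own.

```python
import re
import ipaddress
from urllib.parse import urlsplit

def _octet_value(part: str):
    """Parse one numeric token as hex (0x..), octal (leading 0) or decimal."""
    if re.fullmatch(r"0x[0-9a-f]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    return None

def decode_numeric_host(host: str):
    """Return the dotted-quad IPv4 address hidden in a numeric host (one
    32-bit number such as 0xcfead15b, or four mixed-base octets), or None
    when the host is an ordinary name."""
    parts = [_octet_value(p) for p in host.lower().split(".")]
    if any(p is None for p in parts):
        return None
    if len(parts) == 1 and parts[0] <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(parts[0]))
    if len(parts) == 4 and all(p <= 255 for p in parts):
        return ".".join(str(p) for p in parts)
    return None

def link_report(href: str, shown_text: str) -> dict:
    """Compare where an <a href> really points with what its anchor text
    claims: the mail above shows a cgi4.ebay.com URL as text but sends the
    click to a numeric host whose path merely contains 'signin.ebay.com'."""
    real_host = urlsplit(href).hostname or ""
    shown_host = urlsplit(shown_text.strip()).hostname or ""
    return {
        "real_host": real_host,
        "decoded_ip": decode_numeric_host(real_host),
        "shown_host": shown_host,
        "mismatch": shown_host != "" and shown_host != real_host,
    }
```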

14-Aug-2007

New web layout
gets a boost!
For the albums on Travels, Tracks, and other sub-webs, a lot of pictures will be published, and to create these albums I use JAlbum – Java based freeware that suits my needs nicely.
Now there is a JAlbum plugin for WordPress – I’ll have to investigate first but that might just be what I need for image-groups that are too fragmented to put into an album.
But it could be just what I need.

I get on – slowly but steadily. As stated earlier, Travels is complete – though I had to redo Scotland since I missed one day that was still on the camera only. Getting on with Tracks now – including a directory from where tracks can be downloaded. The start has been made, our Limburg trips of 2004 and last winter have both been added, and I’m working on other short trips we made.

For the rest, Suse has stopped for a moment: I need to rebuild a number of packages, which takes a LOT of time, and I simply cannot motivate myself enough to work on it.
For the rest – apart from the usual rubbish on my mail, all is perfectly well. After I closed the forums (and removed the logical) that route is closed: the last log showed a number of attempts failing with status 404 – page not found. Good.
The old numbered domain has been marked for deletion; it’s only spam on that mailbox, so everything is simply redirected to the trashbin. I expect it to be closed by the end of the month. It will be deleted with all of this type by the end of the year anyway.

Kevin tries to be smart…

A message received today, said to be from account@paypal.com, with subject “Cancel Your Payment”, just states the reference – exactly as shown:

<A HREF="http://qcp.rice.edu/ganglia/addons/.cgi-bin/cmd=_login-run.html">
<IMG SRC="http://www.myspacks.de/uploads/.x/scirosare2.jpg" border="0">
</A>

The raw message reads:

Return-Path: kevin@simon-tech.homelinux.com
Received: from 61-219-84-147.HINET-IP.hinet.net (61.219.84.147)
by XXXXXXXXXX.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Tue, 14 Aug 2007 12:36:11 +0100 (CET)
Received: (from kevin@localhost)
by simon-tech.homelinux.com (8.11.6/8.11.6) id l7EAPOh14797;
Tue, 14 Aug 2007 18:25:25 +0800
Date: Tue, 14 Aug 2007 18:25:25 +0800
Message-Id: <200708141025.l7EAPOh14797@simon-tech.homelinux.com>
To: XXXXXXXXXX@grootersnet.nl
Subject: Cancel Your Payment
From: "PayPal Inc." <account@paypal.com>
Content-Type: text/html

<A HREF="http://qcp.rice.edu/ganglia/addons/.cgi-bin/cmd=_login-run.html">
<IMG SRC="http://www.myspacks.de/uploads/.x/scirosare2.jpg" border="0">
</A>

NO hiding of links – just this.

You won’t get very far with this…

(Will be continued. I’ll check the image links tonight – from Diana, of course)

One day earlier, a similar message was received. The header:

Return-Path: account@paypal.com
Received: from 80.114.97.2.ip.onderwijs.casematelecom.nl (80.114.97.2)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Mon, 13 Aug 2007 04:14:06 +0100 (CET)
Received: from 116.0.68.84 by ; Mon, 13 Aug 2007 04:13:15 +0100
Message-ID: <SOXRQQULKMMBFKVTWBHAOR@msn.com>
From: "PayPal Inc." <account@paypal.com>
Reply-To: "PayPal Inc." <account@paypal.com>
To: xxxxxxxxxx@grootersnet.nl
Subject: Cancel The Payment
Date: Mon, 13 Aug 2007 06:11:15 +0300
X-Mailer: AOL 7.0 for Windows US sub 118
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--716555016311414036"
X-Priority: 1
X-MSMail-Priority: High

and the content again is just a URL, exactly as shown here:

<http://qcp.rice.edu/ganglia/addons/.cgi-bin/cmd=_login-run.html>

This Dutch educational server has been abused – as well as MSN. It’s to be seen if something can be arranged…

UPDATE
It seems rice.edu has taken action. qcp.rice.edu is valid:
$ dig qcp.rice.edu

; <<>> DiG 9.3.1 <<>> qcp.rice.edu
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17552
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;qcp.rice.edu. IN A

;; ANSWER SECTION:
qcp.rice.edu. 3266 IN A 128.42.130.5

but there is no answer when accessing it with a browser.

Etrade Financial

Received today:
Etrade financial
I’m not a customer, so this is most definitely a phishing attempt, doomed to fail.

The header shows it didn’t come from the bank at all:
Return-Path: service@etrade.us.com
Received: from yyy.yyy.net (203.1.13.7)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Tue, 7 Aug 2007 18:24:37 +0100 (CET)
Received: from zzz.yyy.net (localhost [127.0.0.1])
by yyy.yyy.net (Postfix) with ESMTP id 442F19BBF5;
Wed, 8 Aug 2007 02:24:31 +1000 (EST)
Received: from zzz.yyy.net (unknown [192.168.0.1])
by ryyy.yyy.net (Postfix) with ESMTP id 267869BBF2;
Wed, 8 Aug 2007 02:24:31 +1000 (EST)
Received: from User ([86.107.232.208] unverified) by yyy.yyy.net with Microsoft SMTPSVC(5.0.2195.6713);
Wed, 8 Aug 2007 02:24:30 +1000
Reply-To:
From: "service@etrade.us.com"

Subject: Account Locked !
Date: Tue, 7 Aug 2007 19:24:26 +0300
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <ROJANglUQgbKhR43Cdz00000e75@rojan.rojan.net>
X-OriginalArrivalTime: 07 Aug 2007 16:24:30.0690 (UTC) FILETIME=[6E9D7C20:01C7D90F]
To: undisclosed-recipients:;
X-Virus-Scanned: ClamAV using ClamSMTP

and the single link in it shows a bogus address as well:
<a href="http://paperart.ro/new/etrade.us.com.php" class="style2">Click Here to Unlock your account </a>
Either a bad domain, or a hacked server? The relay is an Australian IT company – and they have been informed (their server names and domain have been obscured).

Ebay again…

Ebay 06-aug-2007

Again: this is fake since my name is not shown at the top. The message header shows the mail never had its origin at Ebay:

Return-Path: member@eday.com
Received: from datumarchitects.us (69.36.176.162)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Mon, 6 Aug 2007 19:29:02 +0100 (CET)
Received: from User ([195.84.14.70])
(authenticated bits=0)
by yyyyyyyyyy.us (8.12.11.20060308/8.12.11) with ESMTP id l76HIw5B001374;
Mon, 6 Aug 2007 11:19:00 -0600
Message-Id: <200708061719.l76HIw5B001374@yyyyyyyyyy.us>
Reply-To:
From: "member"

Subject: message from en eBay memeber
Date: Mon, 6 Aug 2007 19:19:13 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by yyyyyyyyyy.us id l76HIw5B001374

(I have removed the references to innocent addresses – my guess is that the mailserver of the company mentioned as “yyyyyyyyyy.us” has been hacked and abused as a relay, or that one or more machines have been infected. They have been informed.)
Besides sloppy typing (member@eDay) I don’t think Ebay will use Outlook Express.
All links in this message lead to
<A href="http://yhandros.com/convoca/test/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT color=#003399>https://pages.ebay.com/education/spooftutorial</FONT></A>
http://yhandros.com leads to a Spanish blog – in bad need of an update:
<meta name="generator" content="WordPress 2.0.1" />
Getting on with the URL: “…/convoca” leads to a form for updating files. “…/convoca/test” and, below that, “…/ws” are not accessible (Forbidden), and “…eBay_com_Verify_your_eBay_account_files/” shows an “Ebay” page to login – sending username and password to — well, I couldn’t find out. Assuming the owner of the site has the right attitude: either the site is hacked – or someone has uploaded the bad page up there. I did some examination of that page but couldn’t find out exactly where the submit button leads to – it gets a cookie but I couldn’t locate it.
But when this is done deliberately – you’re warned.
UPDATE
The message to the company whose mailserver was abused bounced back from RoadRunner.com – stating a very different address that seems to be blocked completely. That system may be abused as well, and there is no way to contact them that way.