Thursday, March 30, 2006

Emergency Boot CD to fix Spyware & Viruses

The Emergency Boot CD

Is your computer getting slow, unable to connect to the Internet, or suffering from lots of pop-ups? Has your home page been changed without your knowledge?

Do you suspect that your computer may be infected with spyware, viruses and worms? If so, you may need professional tools like the experts use.

I developed the Emergency Boot CD to repair most problems caused by malware from the Internet. The Emergency Boot CD comes with all of the utilities you need to clean and repair your PC. If you are a computer user you will find it invaluable.

This CD contains powerful utilities for backup, restore, repair and administration of your Windows PC. It is useful for both casual home users and experienced administrators.
No other boot CD comes close.


Here is a screenshot of the Emergency Boot CD I am working on. It allows one to boot to a known clean OS and perform tasks like backing up files, scanning for and cleaning virus and spyware infections, resetting passwords, surfing the Internet, reading Adobe Acrobat PDF files, reading Windows product keys, and much more.

Another Phisherman from China


Earlier tonight I got the third "phishing" attempt in a week, this time spoofed as an e-mail from PayPal. The subject was obviously b.s., because PayPal would not email me to "Restore Your Account Access - mrlinuxhead@yahoo.com (Routing Code: XXXXXXXXXXX)".

It was just yesterday I got a second spoofed email from the same clown posing as an eBay buyer. Even after I told eBay, the web server is still up, putting out web pages to unsuspecting customers. This is getting to be too much.

Here follows the text of the spoof email:


Date: Fri, 31 Mar 2006 09:04:34 +0530
To: mrlinuxhead@yahoo.com
Subject: Restore Your Account Access - mrlinuxhead@yahoo.com (Routing Code: XXXXXXXXXXXXXXX)
From: "PayPal Security Service"

Web Bug from http://mail.yahoo.com/config/login?/pp.files/pixel.gif

Dear mrlinuxhead@yahoo.com,

It has come to our attention that your PayPal® account information needs to be
updated as part of our continuing commitment to protect your account and to
reduce the instance of fraud on our website. If you could please take 5-10 minutes
out of your online experience and update your personal records you will not run into
any future problems with the online service.


However, failure to update your records will result in account suspension.
Please update your records on or before April 02, 2006.

Once you have updated your account records, your PayPal® session will not be
interrupted and will continue as normal.

To update your PayPal® records click on the following link:
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/restrictedaccounts.asp



Thank You.
PayPal® UPDATE TEAM

Accounts Management As outlined in our User Agreement, PayPal® will
periodically send you information about site changes and enhancements.

Visit our Privacy Policy and User Agreement if you have any questions.
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside


I snarfed the URL the link actually points to. About 40 characters in, the REAL URL appears.

It looks like this:

http://rds.yahoo.com/_ylt%C2%A0LaSV66XXXXXXXXXXXXXXXXXXXXXXX/**http%3a//ns2.bsasiagroup.com/.run/index.php?http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside

With XXXXXXXXXXXXXXXXXX to keep the curious out of trouble. You get the idea.

The URLs point to a server in Hong Kong. I found this with DNSStuff.

bsasiagroup.com

bsasiagroup.com. NS IN 86400 ns2.bsasiagroup.com.
bsasiagroup.com. NS IN 86400 ns3.bsasiagroup.com.
bsasiagroup.com. MX IN 86400 mail.bsasiagroup.com. [Preference = 10]
ns2.bsasiagroup.com. A IN 86400 210.17.251.157
ns3.bsasiagroup.com. A IN 86400 210.17.251.158
mail.bsasiagroup.com. A IN 86400 210.17.251.159

IP address: 210.17.251.157
Reverse DNS: [No reverse DNS entry per ns1.pacific.net.hk.]
Reverse DNS authenticity: [Unknown]
ASN: 2706
ASN Name: HKSUPER-HK-AP (Pacific Supernet Limited)
IP range connectivity: 5
Registrar (per ASN): APNIC
Country (per IP registrar): HK [Hong Kong]
Country IP Range: 210.17.128.0 to 210.17.255.255

Website Status: Active
Reverse IP: Web server hosts 18 websites
Server Type: Apache/1.3.28 (Unix) PHP/4.3.3 mod_ssl/2.8.15 OpenSSL/0.9.7b
IP Address: 210.17.251.158
IP Location: - Pacific Internet (Hong Kong) Ltd
Blacklist Status: Clear
Cached Whois: 2006-03-30
Record Type: Domain Name
Name Server: NS1.BSASIAGROUP.COM
ICANN Registrar: NETWORK SOLUTIONS, LLC.
Created: 2002-04-29
Expires: 2007-04-29
Status: REGISTRAR-LOCK
Registrant:
LAM, GARY
BananaShake Design
RM 903, Westlands Centre,
20 Westlands Road, Quarry Bay hk
HK

Domain Name: BSASIAGROUP.COM

Administrative Contact:
LAM, GARY garygallery@yahoo.com
BananaShake Design
RM 903, Westlands Centre,
20 Westlands Road, Quarry Bay hk
HK
852 2516 9139 fax: 852 2510 9364

Technical Contact:
Network Solutions, LLC.
13200 Woodland Park Drive
Herndon, VA 20171-3025
US
1-888-642-9675 fax: 571-434-4620

Record expires on 29-Apr-2007.
Record created on 29-Apr-2002.

Domain servers in listed order:

NS1.BSASIAGROUP.COM 210.17.251.156
NS2.BSASIAGROUP.COM 210.17.251.157
NS3.BSASIAGROUP.COM 210.17.251.158

Someone should call or email Mr. Lam for me and tell him to shut his server off??

Gary Lam (garygallery@yahoo.com) owns the domain.

His mail server (210.17.251.159) is infected by the W32.MyDoom virus.

The French Phisherman's web site is at ..

This is what I found so far. The scam eBay web site is on the web server's intranet page under the account "wsbleh". I see a link to the "intranet" page and it prompts for a username and password.

Looking up information on this site I can see they have been "blacklisted" in SORBS, an on-line database for blocking spam and open-relay servers that can be used by scam artists, like our wannabe eBay buyer "precisionlaptops4u". Here is more info on the host web server:

MFRCHAMPAGNE-LORRAINE.NET

mfrchampagne-lorraine.net
Image updated 2005-10-01
Website Title: Les Maisons Familiales Rurales de Champagne-Lorraine
Meta Description: Les MFR vous proposent des formations par alternance et en apprentissage en Champagne et Lorraine, de la 4eme au BTS.
Meta Keywords: formation, formations, alternance, formation continue, apprentissage, MFR, M F R, Maisons Familiales Rurales, Maison Familiale Rurale, 4eme, 3eme, 4ème, quatrième, 3ème, troisième, 4ème-3ème, quatrième-troisième, cap, capa, bep, bepa, bac, bac
Response Code: 200
SSL Cert: No valid SSL on this host
Alexa Trend/Rank: Not Ranked
Server Type: Apache/1.3.27 (Unix) (Red-Hat/Linux) PHP/4.3.1
IP Address: 80.11.57.27
IP Location: - Ile-de-france - Paris - Ip2000-adsl-bas
Blacklist Status: Listed
Record Type: Domain Name
Name Server: NS1.LERELAISINTERNET.COM NS2.LERELAISINTERNET.COM
ICANN Registrar: NORDNET
Created: 22-nov-2002
Expires: 22-nov-2006

Wednesday, March 29, 2006

A quick look at the target . .

It looks like our web server is infected with W32.MyDoom. It's running Apache with PHP, MSSQL, MySQL, OpenSSH, and eDonkey P2P file sharing.

This is one busy little box! And it looks like it's on a cable or DSL line. Wonder who is on it?

Our French Phisherman is infected with w32.MyDoom

The first mail was from mail-cosymed.cosymed.de

The first IP address I was sent this scam from was 62.157.142.135. That resolves to: mail-cosymed.cosymed.de
Asking i.root-servers.net for 135.142.157.62.in-addr.arpa PTR record:
i.root-servers.net says to go to tinnie.arin.net. (zone: 62.in-addr.arpa.)
Asking tinnie.arin.net. for 135.142.157.62.in-addr.arpa PTR record:
tinnie.arin.net [69.25.34.195] says to go to secondary007.dtag.net. (zone: 157.62.in-addr.arpa.)
Asking secondary007.dtag.net. for 135.142.157.62.in-addr.arpa PTR record: Reports mail-cosymed.cosymed.de. [from 195.244.245.24]

Answer:
62.157.142.135 PTR record: mail-cosymed.cosymed.de. [TTL 172800s] [A=62.157.142.135]
So this is a German server, probably an open relay SMTP mail server.

Whois comes back with:

 This is the RIPE Whois query server #2.

% Information related to '62.157.142.128 - 62.157.142.191'

inetnum: 62.157.142.128 - 62.157.142.191
netname: COSYMED-AG
descr: cosymed AG
country: DE
admin-c: AH4498-RIPE
tech-c: AH4498-RIPE
status: ASSIGNED PA
mnt-by: DTAG-NIC
notify: *******@nic.telekom.de
changed: *******@nic.telekom.de 20021008
source: RIPE

person: Anton Hoffmann
address: Cosymed GmbH
address: Hopfenstr. 10
address: 85098 Grossmehring
address: Germany
phone: +49 8407 8041
e-mail: **********@cosymed.via.t-online.de
nic-hdl: AH4498-RIPE
notify: ***********@t-domain.de
notify: ***@nic.dtag.de
mnt-by: DTAG-NIC
changed: ************@telekom.de 19990719
source: RIPE

% Information related to '62.156.0.0/15AS3320'

route: 62.156.0.0/15
descr: Deutsche Telekom AG, Internet service provider
origin: AS3320
mnt-by: DTAG-RR
changed: **@NIC.DTAG.DE 19980825

Deutsche Telekom
Resource: RIPE

Return of the Phisherman. He's French.

I got another email from the Phisher today posing as an eBay buyer. The text of the message goes like this:

To:mrlinuxhead@yahoo.com
Subject: Message from eBay Member regarding Item #4624463216
From:"eBay Member precisionlaptops4u"
Date: Wed, 29 Mar 2006 23:36:45 +0200 (CEST)




eBay sent this message to you.
Your registered name is included to show this message originated from eBay. Learn more.
Question about Item -- Respond Now eBay
eBay sent this message on behalf of an eBay member via My Messages. Responses sent using email will go to the eBay member directly and will include your email address. Click the Respond Now button below to send your response via My Messages (your email address will not be included).
 Question from capitalmal
Item: (4624463216)
This message was sent while the listing was active.
precisionlaptops4u is a potential buyer.
how can i pay for this item? im interested in this item. thanks.
Respond to this question in My Messages.
Respond Now

Item Details

Item number: 4624463216
End date: Mar-28-06 03:24:04 PST
View item description:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=4624463216&sspagename=ADME:B:AAQ:US:1
Thank you for using eBay!
http://www.ebay.com/




The link for eBay.com points to a bogus URL. The link is:

http://1342912795/intranet/forum/templates/subSilver/images/wsbleh/ebay/index.html

Who the hell is this and what is the IP address?

1342912795 sounds like a phone number, not an IP address!

C:\WINDOWS\system32\drivers\etc>ping 1342912795

Pinging 80.11.57.27 with 32 bytes of data:

Reply from 80.11.57.27: bytes=32 time=250ms TTL=239
Reply from 80.11.57.27: bytes=32 time=222ms TTL=239
Reply from 80.11.57.27: bytes=32 time=245ms TTL=239
Reply from 80.11.57.27: bytes=32 time=228ms TTL=239

Gotcha sucker. 80.11.57.27 resolves to a French netblock:
LAubervilliers-151-13-20-27.w80-11.abo.wanadoo.fr

Hello, Paris. Or really, outside Paris about 45 miles.

IP address:                     80.11.57.27
Reverse DNS: laubervilliers-151-13-20-27.w80-11.abo.wanadoo.fr.
Reverse DNS authenticity: [Verified]
ASN: 3215
ASN Name: AS3215 (France Telecom Transpac)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): FR [France]
Country Currency: EUR [euros]
Country IP Range: 80.8.0.0 to 80.15.255.255
Country fraud profile: Normal
City (per outside source): Paris, Ile-De-France
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No


Pinging 80.11.57.27 [80.11.57.27]:

Ping #1: Got reply from 80.11.57.27 in 133ms [TTL=246]
Ping #2: Got reply from 80.11.57.27 in 132ms [TTL=246]
Ping #3: Got reply from 80.11.57.27 in 134ms [TTL=246]
Ping #4: Got reply from 80.11.57.27 in 132ms [TTL=246]
Looks like our target, I mean host, is up. Let's see what he is running....



I did a Google for subSilver and found out a few things there.

subSilver is a language add-on for the phpBBS system that is known to have a big security problem, and it's probably hacked.

I Googled for wsbleh and found THIS: wsbleh@hanmail.net at this URL:

Address Book Gray Version: Woo Sang-beom wsbleh@hanmail.net, 27 May 1977 (-), (H) 364 Bugok-dong, Gimcheon-si, Gyeongbuk, (H) 054-435-7613, (PCS) 010-6477-2131 ...
urban.hannam.ac.kr/family_ez/family.cgi?page=6


and

quchrfdqovld@generic4less.biz => links to another list, uok8otr4mcr@263.net => links to another list, dkvemcjfu0uqa7wi@thatwillchangelife.biz ...
izforge.yellis.net/www/spam_trap.php?id=1232



both got hits.




Sunday, March 26, 2006

I got "Pished" and took the hook.

I got "Pished" and took the hook. Boy do I feel dumb.

I work as a computer consultant. I should know better.

Something happened to me here yesterday that reminded me that even computer gurus make mistakes.

Someone posing as an eBay customer sent me an email asking about something for sale.

It was 8 am and as I was rolling out of bed, I clicked on reply.

An eBay username and password page came up and I typed in my username and password.

As soon as I hit enter, I realized I had just done what I tell everyone not to do.

I looked at the URL in the toolbar. http://1050513031/styles/ws/ebay/index.html

That's not even an IP address. Where the hell was this?

A sinking feeling came over me. I had just given someone my eBay username and password.

Dumb as a rock I am. DOH! Homer Simpson reference intended for dramatic effect.

It's not like I have a big eBay business. I have sold 1 item and bought 1 item.



Original Message Follows:
------------------------
To: mrlinuxhead@yahoo.com
Subject: Message from eBay Member regarding Item #5876677535
From: "eBay Member precisionlaptops4u" aw-confirm@ebay.com
Date: Sat, 25 Mar 2006 07:10:40 -0800 (PST)
Email Body:

Question from capitalmal

Item: (5876677535) (I checked this one out. This is a Dell Plasma TV W4200 Speakers & Floor Stands H7218. NOT MINE!)


This message was sent while the listing was active.
precisionlaptops4u is a potential buyer.
What would the shipping cost be to West Virginia zip code 25511?

Respond to this question in My Messages.
Respond Now

Item Details
Item number: 5876677535
End date: Mar-09-06 12:50:17 PST
View item description:


Another URL they pulled out of their ass:

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=7387869660&sspagename=ADME:B:AAQ:US:1
(And on checking, this is NOT one of my items. It's a Home Interiors Print!)

Thank you for using eBay!

http://www.ebay.com/

(This was the URL that I clicked on that said "Click here to reply")
Message: http://1050513031/styles/ws/ebay/index.html
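Both eBay mails hid the real host behind a bare number (1342912795 in the March 29 post, 1050513031 here), and the PayPal mail hid it behind Yahoo's rds.yahoo.com redirector with a genuine-looking paypal.com URL tacked on as a parameter. A browser accepts a bare 32-bit number as an IPv4 address, which is why the ping trick above works; the same arithmetic turns 1050513031 into 62.157.142.135. The script below is an added example, not the blog's own code: it decodes numeric hosts (the decimal case from these posts, plus the hex and octal forms browsers also accept), peels redirector chains one embedded URL at a time, and flags links whose visible text names a different host than the one the click lands on. The REDIRECTORS set and the SAMPLE_LINKS list are assumptions, constructed from the links quoted in the posts with the author's X placeholders kept.

```python
"""Phishing-link triage for the two tricks quoted in these posts: a URL whose
host is a single 32-bit number (http://1342912795/...) and a redirector URL
that buries the real destination behind a legitimate-looking one.  Added
example, not the blog author's code; REDIRECTORS and SAMPLE_LINKS are
assumptions constructed for the demo."""

import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumption: hosts treated as pass-through redirectors when peeling a chain.
# rds.yahoo.com is the one the PayPal mail abuses.
REDIRECTORS = frozenset({"rds.yahoo.com"})

_SCHEME_RE = re.compile(r"https?://", re.IGNORECASE)


def decode_numeric_host(host):
    """Browsers accept one 32-bit number as an IPv4 host (decimal, and also
    0x hex or leading-0 octal); return it as a dotted quad, else None."""
    h = host.lower()
    if re.fullmatch(r"0x[0-9a-f]+", h):
        n = int(h[2:], 16)
    elif re.fullmatch(r"0[0-7]+", h):
        n = int(h, 8)
    elif re.fullmatch(r"[0-9]+", h):
        n = int(h, 10)
    else:
        return None
    if n > 0xFFFFFFFF:          # does not fit in four octets
        return None
    return str(ipaddress.IPv4Address(n))


def host_of(url):
    """Hostname of a URL, with a numeric host normalised to dotted quad."""
    host = urlsplit(url).hostname or ""
    return decode_numeric_host(host) or host


def url_chain(url):
    """Percent-decode and cut at every embedded http(s):// so a redirector
    URL becomes a list of nested URLs, outermost first."""
    decoded = unquote(url)
    starts = [m.start() for m in _SCHEME_RE.finditer(decoded)]
    ends = starts[1:] + [len(decoded)]
    return [decoded[s:e] for s, e in zip(starts, ends)]


def landing_host(href):
    """Peel known redirectors and report the host the click really lands on.
    The first non-redirector layer wins: anything nested deeper (the paypal.com
    URL in the Yahoo link) is just a parameter handed to the phishing page."""
    for layer in url_chain(href):
        host = host_of(layer)
        if host not in REDIRECTORS:
            return host
    return host_of(href)


def triage(link_text, href):
    """Compare what the mail shows with where the link goes.
    Returns (landing host, list of findings)."""
    findings = []
    raw = urlsplit(href).hostname or ""
    actual = landing_host(href)
    if decode_numeric_host(raw):
        findings.append(f"numeric host {raw} is really {actual}")
    chain = [host_of(u) for u in url_chain(href)]
    if len(chain) > 1:
        findings.append("redirect chain: " + " -> ".join(chain))
    shown = host_of(link_text) if _SCHEME_RE.match(link_text) else None
    if shown and shown != actual:
        findings.append(f"link text shows {shown} but lands on {actual}")
    return actual, findings


# Constructed from the links quoted in the posts (placeholder X's kept).
SAMPLE_LINKS = [
    ("http://www.ebay.com/",
     "http://1342912795/intranet/forum/templates/subSilver/images/wsbleh/ebay/index.html"),
    ("Respond Now", "http://1050513031/styles/ws/ebay/index.html"),
    ("http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside",
     "http://rds.yahoo.com/_ylt%C2%A0LaSV66XXXXXXXXXXXXXXXXXX/**http%3a//"
     "ns2.bsasiagroup.com/.run/index.php?"
     "http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        actual, findings = triage(text, href)
        print(f"{text[:45]!r} -> {actual}")
        for finding in findings:
            print("   ", finding)
```

Run it and the first link decodes to 80.11.57.27 with a text/host mismatch against www.ebay.com, the second to 62.157.142.135, and the PayPal link reports the chain rds.yahoo.com -> ns2.bsasiagroup.com -> www.paypal.com with ns2.bsasiagroup.com as the real landing host.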


So I spent the next few hours changing ALL of my passwords on every Web site I maintain.

I just thought everyone out there would get a good laugh out of it and maybe Learn From My Mistakes.

So I shot eBay an email (not using my Yahoo account).


Account Security: Fake or suspicious eBay email. Report an email from eBay that may be fake. Email Header:


I won't put in here what I sent to eBay but here is the reply I got shortly thereafter:



Hello,

Thank you for writing to eBay regarding the email you received.

Emails such as this, commonly referred to as "spoof" or "phished"
messages, are sent in an attempt to collect sensitive personal or
financial information from the recipients.

The email you reported was not sent by eBay. We have reported this email
to the appropriate authorities.

Yada Yada Yada . . . .

Once again, thank you for alerting us to the spoof email you received.
Your efforts help keep eBay a safe and fair place to trade.

Regards,

eBay SafeHarbor
Investigations Team


I do network security and web servers, email server and stuff, so I thought I would do a little snooping around.

With a few Google queries and a few WHOIS lookups, I had some information I thought I would share with eBay.
And now I think I will share it with you as well.
Here is my email to eBay last night. Enjoy!


Hi eBay,

I did a Google search on the eBay member that sent me the phishing email today.
I thought you may be interested in what came back.

It looks like his store account on eBay is closed but I get a hit on the eBay
member "precisionlaptops4u" in Google:

precisionlaptops4u
Ships to: United States
Item location: Saint Paul, Minnesota United States

Also is the same as:

precisionpcgeeks (338, feedback score 100 to 499)
Ships to: United States
Item location: Saint Paul, Minnesota United States

This is the same eBay seller, I assume.
I do not know if he is the one that sent me the phishing email but
I also got the following hits from Google:

http://rss.groups.yahoo.com/group/luckywang168/rss
This is a RSS feed and is full of abuse comments.

One that caught my eye was:
eBay Safeharbor Department Notice Fraud Alert ID :
00626654 Dear eBay member,

A Google for "luckywang168" got me a few hits. One led to a Chinese company called
"Thai-Oh (Tangshan) Trading Co., Ltd" run by a man called
"Mr. Lucky Wang Manager, Export Dept."

His contact info is:
# Tel : 86-315-2106-244 / 86-315-2552-848
# Fax : 86-315-3287-669

at the URL

http://luckywang168.en.ecplaza.net/

and also

http://www.thai-oh.net/


WHOIS contact info is:

Registrant:
tangshan unicom fanhua network CO.,LTD
18 beixinxidao lubeiqu tangshan
qinhuangdao city
tangshan, Hebei 063000
CN

Domain Name: THAI-OH.NET

Administrative Contact, Technical Contact:
Lucky, Wang
RM420.Zhongmei,No.132,Xinhua West Road,Tangshan, Hebei, China
tangshan, Hebei 063000
CN
0315-2106244 fax: 0315-3287669

Record expires on 01-Mar-2007.
Record created on 01-Mar-2004.

Domain servers in listed order:

NS1.CNOLNIC.COM 211.99.204.77
NS2.CNOLNIC.COM 211.152.51.15


P.S.
Also shows up on http://finechina.blog.163.com.

163.com is a known open relay for spammers.


Check this guy out for me, ok?


I hope this helps with your investigation.

Mr. LinuxHead




P.S. Here is a little known fact.
The government in China is a BIG ISP! And they run Windows.

BRUUHAA! Game On, Boys.

You're messing with the wrong people over here.

http://www.thai-oh.net/

Netcraft resolves that to:

OS Windows Server 2003
Server Microsoft-IIS/6.0
Last changed 26-Mar-2006
IP address 220.194.211.38
Netblock Owner China United Telecommunications Corporation


Thursday, March 16, 2006

Bush policy to pre-emptively attack US enemies?

I am deeply troubled by the Bush administration's policy to attack anyone or anywhere they decide are "enemies". They continue to express a willingness to shoot first and ask questions later.

Who decides that a country is a threat to the US? The same administration that invaded Iraq? The one that first tried to change the rationale from ending "weapons of mass destruction" to a mission to spread "freedom" and "democracy" throughout the Middle East.

Gee, I am not so sure I want this same gang that got us into the biggest blunder in the history of the United States to decide who to shoot at next.

I am as pro democracy as the next American, just not spreading it at the point of a gun.

Change happens from within.

Tuesday, March 14, 2006

Still yet more good quotes


You cannot see farther than others by standing on the feet of giants.

What is worth doing is worth the trouble of asking somebody to do it.

If you fool around with something long enough, it will eventually break.

According to the latest official figures, 43% of all statistics are totally worthless.

Experience is what causes a person to make new mistakes instead of old ones.

New Quotes for the week


I don't want to be a millionaire. I just want to live like one.
- Joe E. Lewis

If you can't say something nice, say something surrealistic.
- Zippy the Pinhead

It is impossible to get anywhere without sinning against reason.
- Einstein

If one does not fail at times, then one has not challenged himself.
- Dr. Porsche

Keep your mouth shut and people will think you stupid;
Open it and you remove all doubt.
- Abe Lincoln

The shepherd always tries to persuade the sheep that their interest and his own are the same.
- Stendhal (1783-1842)

Mr. Linux Head's Quotes of the Week

Bimbos should be obscene and not heard.
How many weeks are there in a light year?
No man is rich enough to buy back his past.
Music in the soul can be heard by the universe.
Keep America beautiful. Swallow your beer cans.
Never argue with anyone who buys ink by the gallon.
A project not worth doing at all is not worth doing well.
It is better to die on your feet than to live on your knees.
One picture is worth a thousand words. See diagram below.
If life is a bed of roses, then you must be one of the pricks.
A clean, neat, and orderly work place is a sure sign of a sick mind.
Would the last person to leave Michigan please turn out the lights?

New toy of the week : Kororaa Xgl Demo CD

My New toy of the week: Kororaa Xgl "Live" Demo CD.

Kororaa Xgl, showcasing Novell's Xgl + Compiz technology, is a "live" Linux CD.

Super pimpin' looks: This is soooo cool. Loads nVidia drivers up and rocks right out of the box!


Just bagged this from the torrent sites and lit it up.

Ooooh this is nice. Accelerated OpenGL with squiggly windows and lots o' eye candy. I like!

One thing to try on this is : Rotate desktop cube = Ctrl + Alt + Left-click on wallpaper and drag

This is the work of two Aussie gentlemen, Chris Smart and Matthew Oliver.

Kudos for a fine bit of work, lads. You get 5 out of 5 penguins!