Wednesday, March 29, 2006

Return of the Phisherman. He's French.

I got another email from the Phisher today posing as an eBay buyer. The text of the message goes like this:

To:mrlinuxhead@yahoo.com
Subject: Message from eBay Member regarding Item #4624463216
From:"eBay Member precisionlaptops4u"
Date: Wed, 29 Mar 2006 23:36:45 +0200 (CEST)

eBay sent this message to you.
Your registered name is included to show this message originated from eBay. Learn more.
Question about Item -- Respond Now eBay
eBay sent this message on behalf of an eBay member via My Messages. Responses sent using email will go to the eBay member directly and will include your email address. Click the Respond Now button below to send your response via My Messages (your email address will not be included).
 Question from capitalmal
Item: (4624463216)
This message was sent while the listing was active.
precisionlaptops4u is a potential buyer.
how can i pay for this item? im interested in this item. thanks.
Respond to this question in My Messages.
Respond Now

Item Details

Item number: 4624463216
End date: Mar-28-06 03:24:04 PST
View item description:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=4624463216&sspagename=ADME:B:AAQ:US:1
Thank you for using eBay!
http://www.ebay.com/

The link for eBay.com points to a bogus URL. The link is:

http://1342912795/intranet/forum/templates/subSilver/images/wsbleh/ebay/index.html

Who the hell is this and what is the IP address?

1342912795 sounds like a phone number not an IP address!

C:\WINDOWS\system32\drivers\etc>ping 1342912795

Pinging 80.11.57.27 with 32 bytes of data:

Reply from 80.11.57.27: bytes=32 time=250ms TTL=239
Reply from 80.11.57.27: bytes=32 time=222ms TTL=239
Reply from 80.11.57.27: bytes=32 time=245ms TTL=239
Reply from 80.11.57.27: bytes=32 time=228ms TTL=239

Gotcha sucker. 80.11.57.27 resolves to a French netblock:
LAubervilliers-151-13-20-27.w80-11.abo.wanadoo.fr
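Worked example added here, not from the original post: decode the dotless decimal host in the phishing link back to the dotted quad the ping revealed, and flag the mismatch against the displayed eBay link. It also handles the hex, octal and mixed integer spellings browsers accept for an IPv4 address; the function names are mine.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Phishing link and displayed link from the post.
PHISH_URL = "http://1342912795/intranet/forum/templates/subSilver/images/wsbleh/ebay/index.html"
DISPLAYED_LINK = "http://www.ebay.com/"


def decode_ipv4_host(host):
    """Normalize the IPv4 host spellings browsers accept to a dotted quad.

    Accepts a plain dotted quad, one 32-bit integer in decimal, hex (0x..)
    or octal (leading 0), and mixed forms such as 80.0xb.14619.
    Returns None when the host is a DNS name rather than a number.
    """
    parts = host.split(".")
    if not parts or len(parts) > 4:
        return None
    values = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            values.append(int(p, 16))
        elif re.fullmatch(r"0[0-7]+", p):
            values.append(int(p, 8))
        elif re.fullmatch(r"[0-9]+", p):
            values.append(int(p, 10))
        else:
            return None  # non-numeric label: this is a hostname
    # inet_aton semantics: the last component fills all remaining bytes.
    n = 0
    for v in values[:-1]:
        if v > 255:
            return None
        n = (n << 8) | v
    remaining = 4 - (len(values) - 1)
    if values[-1] >= 1 << (8 * remaining):
        return None
    n = (n << (8 * remaining)) | values[-1]
    return str(ipaddress.IPv4Address(n))


def link_mismatch(displayed_url, actual_url):
    """True when the visible link text and the real href go to different hosts."""
    shown = urlsplit(displayed_url).hostname
    real = urlsplit(actual_url).hostname
    real_ip = decode_ipv4_host(real)
    return (real_ip or real) != shown
```

Run against the post's link, `decode_ipv4_host("1342912795")` gives `80.11.57.27` and `link_mismatch` reports the href does not match the www.ebay.com text it was dressed up as.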

Hello, Paris. Or really, outside Paris about 45 miles.

IP address:                     80.11.57.27
Reverse DNS: laubervilliers-151-13-20-27.w80-11.abo.wanadoo.fr.
Reverse DNS authenticity: [Verified]
ASN: 3215
ASN Name: AS3215 (France Telecom Transpac)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): FR [France]
Country Currency: EUR [euros]
Country IP Range: 80.8.0.0 to 80.15.255.255
Country fraud profile: Normal
City (per outside source): Paris, Ile-De-France
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No


Pinging 80.11.57.27 [80.11.57.27]:

Ping #1: Got reply from 80.11.57.27 in 133ms [TTL=246]
Ping #2: Got reply from 80.11.57.27 in 132ms [TTL=246]
Ping #3: Got reply from 80.11.57.27 in 134ms [TTL=246]
Ping #4: Got reply from 80.11.57.27 in 132ms [TTL=246]
Looks like our target, I mean host, is up. Let's see what he is running....

I did a Google for subSilver and found out a few things there.

subSilver is a language add-on for the phpBBS system that is known to have a big security problem, and it's probably hacked.

I Googled for wsbleh and found THIS: wsbleh@hanmail.net, at this URL:

Address Book Gray Version: 우상범 wsbleh@hanmail.net ...
urban.hannam.ac.kr/family_ez/family.cgi?page=6

and

quchrfdqovld@generic4less.biz => links to another list ... quchrfdqovld@generic4less.biz => links to another list, uok8otr4mcr@263.net => links to another list, dkvemcjfu0uqa7wi@thatwillchangelife.biz ...
izforge.yellis.net/www/spam_trap.php?id=1232

Both got hits.