Monday, April 24, 2006

Another eBay scam artist emailed me tonight.

Another eBay scam artist emailed me tonight. This one was just a little different.

I guess now I have an "Unpaid Item Dispute". The headers point to 209.216.209.10 as the mail server.

Here are the full email headers and all..

X-Apparently-To: mrlinuxhead@yahoo.com via 68.142.207.116; Mon, 24 Apr 2006 15:56:29 -0700
X-Originating-IP: [209.216.209.10]
Return-Path:
Authentication-Results: mta244.mail.re2.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 209.216.209.10 (EHLO admin.blackstump.com.au) (209.216.209.10) by mta244.mail.re2.yahoo.com with SMTP; Mon, 24 Apr 2006 15:56:29 -0700
Received: (qmail 15991 invoked by uid 10018); 24 Apr 2006 15:35:41 -0700
Date: 24 Apr 2006 15:35:41 -0700
Message-ID: <20060424223541.15990.qmail@admin.blackstump.com.au>
To: mrlinuxhead@yahoo.com
Subject: eBay Unpaid Item Dispute #4858411651 -- response required
From: aw-confirm@ebay.com

eBay Unpaid Item Dispute #4858411651 -- response required

Dear member,
eBay member moviemars-uk has indicated that they already paid for item #4858411651
Review the submitted details regarding the payment.

Regards,
eBay International AG


Bogus eBay link points to:
http://ns1.zerotrance.net/.sign/eBayISAPI.dllSignInco_partnerIdpUserIdsiteidpageTypepa1i1bshowgifUsingSSL862984con462msgMNSIEhufem37ajhd84Sllencrypt378/signin.ebay.com/

Of course I emailed spoof@ebay.com and pasted the bogus link into phishfighting.com.

Using DNSStuff let's see who we are dealing with....

The IP address of the email relay is: 209.216.209.10

And they are .... in San Diego, California. Busted.
This is just the email server that delivered the scam email.
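The header reading above can be automated. The following is an added example, not code from the original post: it parses the headers quoted in this post (embedded below, with the empty Return-Path line dropped), walks the topmost Received line to find the relay that handed the mail to Yahoo's MTA, and flags the mismatches between the claimed From: domain, the relay name and the Message-ID domain.

```python
import re
from email import message_from_string

# Headers copied from the phishing message quoted in this post. The empty
# Return-Path line is dropped because it carried no value in the original.
RAW_MESSAGE = """\
X-Apparently-To: mrlinuxhead@yahoo.com via 68.142.207.116; Mon, 24 Apr 2006 15:56:29 -0700
X-Originating-IP: [209.216.209.10]
Authentication-Results: mta244.mail.re2.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 209.216.209.10 (EHLO admin.blackstump.com.au) (209.216.209.10) by mta244.mail.re2.yahoo.com with SMTP; Mon, 24 Apr 2006 15:56:29 -0700
Received: (qmail 15991 invoked by uid 10018); 24 Apr 2006 15:35:41 -0700
Date: 24 Apr 2006 15:35:41 -0700
Message-ID: <20060424223541.15990.qmail@admin.blackstump.com.au>
To: mrlinuxhead@yahoo.com
Subject: eBay Unpaid Item Dispute #4858411651 -- response required
From: aw-confirm@ebay.com

Dear member,
eBay member moviemars-uk has indicated that they already paid for item #4858411651
"""

# Matches the hop line Yahoo's MTA wrote: "from <claimed> (EHLO <name>) (<ip>) by <mta>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\(EHLO\s+(?P<ehlo>[^)]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def handoff_relay(msg):
    """Return (ip, ehlo_name, receiving_mta) for the hop at which our own mail
    server accepted the message. Received headers are prepended as the mail
    travels, so the topmost one was written by a server we trust; everything
    below it (here the qmail line) was written by whoever ran the sender."""
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            return m.group("ip"), m.group("ehlo").strip(), m.group("by")
    return None


def domain_of(address):
    """Domain part of an address such as 'aw-confirm@ebay.com' or '<id@host>'."""
    address = address.strip().strip("<>")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)


def analyze(raw):
    """Pull out the facts the post reads off the headers and flag the mismatches."""
    msg = message_from_string(raw)
    relay = handoff_relay(msg)
    from_dom = domain_of(msg.get("From", ""))
    msgid_dom = domain_of(msg.get("Message-ID", ""))
    dk = re.search(r"domainkeys=(\w+)", msg.get("Authentication-Results", ""))
    result = {
        "relay_ip": relay[0] if relay else None,
        "relay_name": relay[1] if relay else None,
        "from_domain": from_dom,
        "msgid_domain": msgid_dom,
        "domainkeys": dk.group(1).lower() if dk else None,
        "flags": [],
    }
    # A genuine eBay notice would be handed off by an eBay relay and carry an
    # eBay Message-ID; a DomainKeys "neutral (no sig)" means nothing vouched for it.
    if relay and from_dom and not in_domain(relay[1].lower(), from_dom):
        result["flags"].append("relay_outside_from_domain")
    if msgid_dom and from_dom and not in_domain(msgid_dom, from_dom):
        result["flags"].append("message_id_outside_from_domain")
    if result["domainkeys"] != "pass":
        result["flags"].append("no_domainkeys_pass")
    return result


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```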

IP address: 209.216.209.10
Reverse DNS: admin.blackstump.com.au.
Reverse DNS authenticity: [Verified]
ASN: 6130
ASN Name: ADN-WEST
IP range connectivity: 0
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 209.216.192.0 to 209.216.255.255
Country fraud profile: Normal
City (per outside source): San Diego, California
Private (internal) IP? No

Sneaky little bastards blocked the WHOIS lookup, but I got the DNS servers..

blackstump.com.au. A IN 3600 209.216.209.10
blackstump.com.au. NS IN 3600 ns2.webintellects.com.
blackstump.com.au. NS IN 3600 ns1.webintellects.com.
ns2.webintellects.com. A IN 3600 209.126.236.3
ns1.webintellects.com. A IN 3600 209.216.201.3

Now let's see who is hosting the bogus web site. . .

ns1.zerotrance.net. A IN 172800 85.234.144.88
zerotrance.net. NS IN 172800 ns1.zerotrance.net.
zerotrance.net. NS IN 172800 ns2.zerotrance.net.
ns1.zerotrance.net. A IN 172800 85.234.144.88
ns2.zerotrance.net. A IN 172800 85.234.144.89

Catchy name, eh? 85.234.144.88 is the IP of ns1.zerotrance.net

That is located in... the U.K.

IP address: 85.234.144.88
Reverse DNS: ns1.zerotrance.net.
Reverse DNS authenticity: [Verified]
ASN: 29550
ASN Name: EUROCONNEX-AS (Euroconnex Networks LLP)
IP range connectivity: 5
Registrar (per ASN): RIPE
Country (per IP registrar): GB [United Kingdom]
Country Currency: GBP [United Kingdom Pounds]
Country IP Range: 85.234.128.0 to 85.234.159.255
Country fraud profile: Normal
City (per outside source): Unknown
Private (internal) IP? No

The ISP phone numbers are here:

inetnum: 85.234.128.0 - 85.234.159.255
org: ORG-PIS3-RIPE
netname: UK-POUNDHOST-20050429
descr: PoundHost Internet Services
country: GB
admin-c: MM5420-RIPE
admin-c: KW725-RIPE
tech-c: MM5420-RIPE
status: ALLOCATED PA
remarks: PH-Network (Europe)
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: POUNDHOST
mnt-routes: POUNDHOST
mnt-routes: AS5413-MNT
notify: Matthew@Poundhost.com
changed: hostmaster@ripe.net 20050429
source: RIPE

organisation: ORG-PIS3-RIPE
org-name: PoundHost Internet Services
org-type: LIR
address: PoundHost Internet Services,
Ginchy House,
Marsh Lane,
Taplow,
Maidenhead,
Berkshire.
SL6 0DE
ENGLAND
phone: +44 (0) 870 744 1700
fax-no: +44 1628 639977
e-mail: Info@poundhost.com
admin-c: MM5420-RIPE
admin-c: LP1106-RIPE
mnt-ref: POUNDHOST
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE

person: Matthew Munson
address: Euroconnex Networks LLP,
Marsh Lane,
Taplow,
Maidenhead, UK
phone: +44 870 744 1700
e-mail: matthew@euroconnex.net
nic-hdl: MM5420-RIPE
remarks: ******************************************************
remarks: Please contact abuse@euroconnex.net for any abuse issues
remarks: E-mail sent to other addresses may not be acted upon.
remarks: ******************************************************
mnt-by: EUROCONNEX
changed: matthew@poundhost.com 20050721
source: RIPE

person: Katalin Weigand
address: PoundHost Internet Services,
Marsh Lane,
Taplow,
Maidenhead, UK
phone: +44 870 744 1700
e-mail: Katalin@poundhost.com
nic-hdl: KW725-RIPE
remarks: ******************************************************
remarks: Please contact abuse@PoundHost.com for all abuse issues
remarks: ******************************************************
mnt-by: POUNDHOST
changed: matthew@poundhost.com 20030827
changed: matthew@poundhost.com 20031009
changed: Katalin@poundhost.com 20031010
source: RIPE

% Information related to '85.234.128.0/19AS29550'

route: 85.234.128.0/19
descr: PH-Network Europe, operated by Euroconnex Networks LLP
origin: AS29550
remarks: *********************************************
remarks: For Peering and more info: www.euroconnex.net
remarks: *********************************************
mnt-by: POUNDHOST
changed: Matthew@PoundHost.com 20050601
source: RIPE

The email addresses are:
abuse@PoundHost.com
matthew@euroconnex.net
Katalin@poundhost.com


Now, let's see who owns the domain zerotrance.net, shall we..

WHOIS info is blocked by these clowns:
Whois Privacy Protection Service, Inc.

Domain name: zerotrance.net

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (sxdysbyxvq@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O zerotrance.net
Bellevue, WA 98007
US

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (sxdysbyxvq@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O zerotrance.net
Bellevue, WA 98007
US

Technical Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (sxdysbyxvq@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O zerotrance.net
Bellevue, WA 98007
US

Status: Locked

Name Servers:
ns1.zerotrance.net
ns2.zerotrance.net

Creation date: 10 Nov 2005 05:18:38
Expiration date: 10 Nov 2007 05:18:38

I emailed the admin at the UK ISP to shut down these clowns.

Later...

Sunday, April 23, 2006

Another ebay scammer

Another ebay scammer at this address:

http://1044980011/%20/signin.ebay.com/ws/eBayISAPI/index.html

Pasted it into Phishfighting.com and emailed eBay and the ISP in Finland.

http://1044980011/%20/signin.ebay.com/ws/eBayISAPI/index.html

resolves to 62.73.33.43

WHOIS info on 62.73.33.43

IP address: 62.73.33.43
Reverse DNS: [No reverse DNS entry per ns1.auria.fi.]
Reverse DNS authenticity: [Unknown]
ASN: 16044
ASN Name: AURIA (Auria Oy)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): FI [Finland]
Country Currency: EUR [euros]
Country IP Range: 62.73.32.0 to 62.73.63.255
Country fraud profile: Normal
City (per outside source): Unknown
Private (internal) IP? No

inetnum: 62.73.33.0 - 62.73.33.127
netname: AURIA-NET
descr: AURIA Turun Puhelin Oy
descr: Game server pool
descr: DATA-4
descr: 20810, Turku
country: FI
admin-c: KPM-RIPE
tech-c: HOST7-RIPE
status: ASSIGNED PA
remarks: ---------------------------------------------------------
remarks: Please send abuse and spam notifications to abuse@auria.fi
remarks: ---------------------------------------------------------
remarks: INFRA-AW
notify: hostmaster@auria.fi
mnt-by: AURIATP-MNT
changed: kari.solja@auria.fi 20040802
source: RIPE

role: Auria Hostmaster
address: Auria Oy
address: RIPE management
address: PL 231
address: 20101 Turku
phone: +358 2 262121
fax-no: +358 2 261975
e-mail: hostmaster@auria.fi
remarks: trouble: Please send abuse and spam notifications to abuse@auria.fi
remarks: trouble: General information: http://www.auria.fi/
admin-c: KS1112-RIPE
tech-c: MH14627-RIPE
tech-c: RM7972-RIPE
tech-c: KK2824-RIPE
tech-c: JO2466-RIPE
tech-c: KS1112-RIPE
nic-hdl: HOST7-RIPE
notify: hostmaster@auria.fi
mnt-by: AURIATP-MNT
changed: rolf.moller@auria.fi 20041123
source: RIPE
abuse-mailbox: abuse@auria.fi

person: Kimmo Murto
address: Turku Telephone Company
address: Linnankatu 4, FIN-20100 Turku
address: Finland
phone: +358 2 262 1584
fax-no: +358 2 250 0417
e-mail: Kimmo.Murto@turunpuhelin.fi
nic-hdl: KPM-RIPE
changed: hostmaster@kolumbus.fi 19981221
source: RIPE

% Information related to '62.73.32.0/19AS16044'

route: 62.73.32.0/19
descr: Turun Puhelin Oy
origin: AS16044
notify: hostmaster@auria.fi
mnt-by: AURIATP-MNT
changed: marko.hakkarainen@auria.fi 20021014
source: RIPE

Wednesday, April 19, 2006

Caught a new Polish "Phisherman" tonight

Another email from another eBay customer.
Sure. I trust you. Let's fry this clown..

Here is the text of the scam email :

 Question from mmjd1996
Item: (4629414062)
This message was sent while the listing was active.
mmjd1996 is a potential buyer.
Hi, how much would be shipping to Germany? Thanks

Using DNSStuff.com I find out our scammer's IP address.

eBay.com URL points to:
http://1393442438/img/...bleh/signin.ebay.com/ws/eBayISAPI.dll/SignIn.htm

1393442438 is decimal for 83.14.62.134

Seems to be a box on some DSL line in Poland..

IP address: 83.14.62.134
Reverse DNS: dyk134.internetdsl.tpnet.pl.
Reverse DNS authenticity: [Verified]
ASN: 5617
ASN Name: TPNET (Polish Telecom's commercial IP network)
IP range connectivity: 2
Registrar (per ASN): RIPE
Country (per IP registrar): PL [Poland]
Country Currency: PLN [Poland Zlotych]
Country IP Range: 83.0.0.0 to 83.31.255.255

The ISP is Poland Telecom. Here are the ISP contact numbers and email addresses.

role: TP S.A. Hostmaster
address: TP S.A. "POLPAK"
address: ul. Nowogrodzka 47A
address: 00-695 Warszawa
address: Poland
phone: +48 22 6252383
fax-no: +48 22 6225182
remarks: trouble: Network problems: hostmaster@tpnet.pl
remarks: trouble: Abuse and spam notification: abuse@tpnet.pl
remarks: trouble: DNS problems: dns@tpnet.pl
remarks: trouble: Routing problems: registry@tpnet.pl
admin-c: TK569-RIPE
tech-c: TK569-RIPE
tech-c: JS1838-RIPE
nic-hdl: TPHT
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
remarks: Please send spam and abuse notification only to abuse@tpnet.pl
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
mnt-by: TPNET
e-mail: hostmaster@tpnet.pl
abuse-mailbox: abuse@tpnet.pl
changed: hostmaster@tpnet.pl 20030122
changed: hostmaster@tpnet.pl 20030904
changed: hostmaster@tpnet.pl 20060306
source: RIPE

Port scan shows nothing but FTP and SSH. No UDP ports open.

So I shoot a quick email to the boys at Polish Telecom (abuse@tpnet.pl).

I also paste the bogus URL into PhishFighting.com.
(That feeds our "Phisherman" with hundreds of bogus usernames and passwords.)

That should keep him busy for a few days.

Just another day ho hum.

The NSA domestic spying program is wrong!

The Bush administration seems to be shredding the fourth amendment as fast as they can, with little or no regard for the Bill of Rights, the Constitution, or any checks and balances imposed by laws or Congress.

Looking at the news lately, I have been outraged, but not shocked at what we have discovered in the last few weeks from the papers the EFF has filed in court to block AT&T from wholesale eavesdropping on ALL internet and phone traffic across the country and around the world.

The thing that got my attention was the equipment being used. It is a pretty high-end gizmo called the Narus STA 6400, which is a semantic traffic analyzer. The Narus STA technology is used by intelligence agencies because it is able to analyze large amounts of data. Like 10 Gigabytes of data per second, tapping into the OC-192 fiber that makes up the backbone of all IP communications worldwide! Here is a little bit about this wonderful device from Narus...

NarusInsight Intercept Suite - Packet-level, flow-level, and application-level usage information is captured and analyzed as well as raw user session packets for forensic analysis, surveillance or in satisfying regulatory compliance for lawful intercept. The capabilities include playback of streaming media (i.e. VoIP), rendering of Web pages, examination of e-mail and the ability to analyze the payload/attachments of e-mail or file transfer protocols. (source: Narus.com)

The NarusInsight Discover Suite (NDS) captures and classifies traffic and data on monitored links in real time at true carrier speeds (up to 10G/OC-192). Detailed layer 3 to layer 7 data are collected and correlated across every link and element on the network.
NDS empowers users to manage IP traffic and applications including VoIP, Skype, P2P (e.g., BitTorrent, e-Donkey/e-Mule, FastTrack/Kazaa, Gnutella, etc.), messaging (AOL IM/ICQ, Yahoo IM, MSN Messenger, Jabber, IRC, MMS), streaming media (RTP, RTCP, RTSP), e-mail (SMTP,POP3,IMAP), Web browsing and push to talk (PTT). (source: Narus)

If it was only being used to spy on "terrorists", and if proper procedures were followed, nobody would bat an eye. Support would be universal, as long as the laws were followed and a court warrant was obtained in the 72 hour timeframe. FISA was put in place to limit the power the federal government had on wire-tapping private citizens after the Nixon administration took massive amounts of wire-tapped phone calls and used it for political purposes.

Knowing a little about the program, it seems my darkest fears are true. I suspected that they were doing exactly what they claim to not be doing, wholesale interception of ALL Internet traffic and phone calls, using packet analyzers to sift through an ocean of data, looking for a few key words or any suspicious activity.

This means any phone call, any email, any Instant Messaging, any P2P programs, and all of your web surfing has been intercepted and analyzed by the NSA and the Bush administration.

If that makes you feel all warm and fuzzy, like he is just trying to "protect" us from the evil-doers, think about this.

This is the guy who exposed a CIA undercover agent for political purposes, to refute the claims her husband was making regarding the facts leading us into war in Iraq. If you think he would do an end-run around Congress and the FISA courts to "protect" us, and not use anything he learns for political purposes, you are badly mistaken. They would use anything they learn to the fullest advantage, to expose some political enemy's dirty secrets, or to extort favors from a business, and Congress is just now finding out about it.

We will see in the next election how much outrage is in the country over this.

WHAT FOLLOWS IS THE ACTUAL LETTER FROM MARK KLEIN.


Statement
--Mark Klein, April 6, 2006


My Background:

For 22 and 1/2 years I worked as an AT&T technician, first in New York and then in California.

What I Observed First-Hand:

In 2002, when I was working in an AT&T office in San Francisco, the site manager told me to expect a visit from a National Security Agency agent, who was to interview a management-level technician for a special job. The agent came, and by chance I met him and directed him to the appropriate people.

In January 2003, I, along with others, toured the AT&T central office on Folsom Street in San Francisco -- actually three floors of an SBC building. There I saw a new room being built adjacent to the 4ESS switch room where the public's phone calls are routed. I learned that the person whom the NSA interviewed for the secret job was the person working to install equipment in this room. The regular technician work force was not allowed in the room.

In October 2003, the company transferred me to the San Francisco building to oversee the Worldnet Internet room, which included large routers, racks of modems for customers' dial-in services, and other equipment. I was responsible for troubleshooting problems on the fiber optic circuits and installing new circuits.

While doing my job, I learned that fiber optic cables from the secret room were tapping into the Worldnet circuits by splitting off a portion of the light signal. I saw this in a design document available to me, entitled "Study Group 3, LGX/Splitter Wiring, San Francisco" dated Dec. 10, 2002. I also saw design documents dated Jan. 13, 2004 and Jan. 24, 2003, which instructed technicians on connecting some of the already in-service circuits to the "splitter" cabinet, which diverts some of the light signal to the secret room. The circuits listed were the Peering Links, which connect Worldnet with other networks and hence the whole country, as well as the rest of the world.

One of the documents listed the equipment installed in the secret room, and this list included a Narus STA 6400, which is a "Semantic Traffic Analyzer". The Narus STA technology is known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets. The company's advertising boasts that its technology "captures comprehensive customer usage data ... and transforms it into actionable information.... (It) provides complete visibility for all internet applications."

My job required me to connect new circuits to the "splitter" cabinet and get them up and running. While working on a particularly difficult one with a technician back East, I learned that other such "splitter" cabinets were being installed in other cities, including Seattle, San Jose, Los Angeles and San Diego.

What is the Significance and Why Is It Important to Bring These Facts to Light?

Based on my understanding of the connections and equipment at issue, it appears the NSA is capable of conducting what amounts to vacuum-cleaner surveillance of all the data crossing the Internet -- whether that be peoples' e-mail, Web surfing or any other data.

Given the public debate about the constitutionality of the Bush administration's spying on U.S. citizens without obtaining a FISA warrant, I think it is critical that this information be brought out into the open, and that the American people be told the truth about the extent of the administration's warrantless surveillance practices, particularly as it relates to the Internet.

Despite what we are hearing, and considering the public track record of this administration, I simply do not believe their claims that the NSA's spying program is really limited to foreign communications or is otherwise consistent with the NSA's charter or with FISA. And unlike the controversy over targeted wiretaps of individuals' phone calls, this potential spying appears to be applied wholesale to all sorts of Internet communications of countless citizens.

Attorney contact information:

Miles Ehrlich
Ramsey & Ehrlich LLP

Source: Legal Pad

Link to the full story is here.



God help us.

Can you call or write your Senator and Congressmen for me? Not that it will do us any good but it's a start..

Thanks..

Webcam feeds from around our fair planet

I added some webcam feeds from around our fair planet.

So far we have:

La Tonnarella, Sorrento Italy

Saint-Gilles-les-Bains, France

Royal Citadel, Plymouth UK

Boston, Massachusetts

Pensacola Beach, FLA

Houston, TX

Vallejo, California

Kamaole Beach, Maui, Hawaii

Sapporo, Japan

Hong Kong, China

And the list may change at any time. The full size views are at My Back Pages.

They don't display correctly in Internet Explorer. Oh well, I don't use Internet Explorer.

Do yourselves a favor.

Get Firefox.

Tuesday, April 18, 2006

Pensacola Beach Blog

A progressive blog from someplace I used to live.

Enjoy!

Pensacola Beach Blog

Bitch | Lab

Quite a good blog for a little edgy, witty sort of humor.

Check it out.

Bitch | Lab

http://blog.pulpculture.org/

random_speak

Absolutely must read for a taste of Southern Culture gone terribly wrong!


random_speak

Sunday, April 16, 2006

» Why Windows is less secure than Linux | Threat Chaos | ZDNet.com

Excellent Security Blog by Richard Stiennon at ZDnet.


The basic argument goes like this. In its long evolution, Windows has grown so complicated that it is harder to secure. Well these images make the point very well. Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture. The same page and picture. A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.

A picture is worth a thousand words. See diagram below.

The first picture is of the system calls that occur on a Linux server running Apache.

This second image is of a Windows Server running IIS.


Read the rest of it for an eye opener on Windoze vs. Linux security.

» Why Windows is less secure than Linux | Threat Chaos | ZDNet.com

Saturday, April 15, 2006

CNN.com - Beware of tax refund 'phishing' scams - Apr 14, 2006

CNN.com - Beware of tax refund 'phishing' scams - Apr 14, 2006: "Phishing is an e-mail trick that 'lures' users with a promise of money or an urgent security warning that asks users to update their information. But instead of going to a financial institution or the government, the precious personal data goes to identity thieves.
IRS doesn't e-mail taxpayers

At least during this tax season, Internet users don't even have to try and distinguish real from fake information from the IRS. Anything you get in your inbox with an IRS address is a fraud."

Friday, April 14, 2006

Great story about botnets in the New Yorker

Great article about botnets in the New Yorker. Makes an excellent read if you want to learn about DDOS counter-measures.

Name of article is: "THE ZOMBIE HUNTERS On the trail of cyberextortionists."
by EVAN RATLIFF

Recommended reading.

The 100 top things I want my girlfriend to say!

This came from craigslist best of. Enjoy!

I didn't vote for either George Bush
I don't tear the tags off my mattresses til I get home
I always stop to pet dogs outside of grocery stores
I'm likely to have a different hair color every time you see me
I'm slippery when wet
I only use the rail when I walk down the stairs 30% of the time ( I love to walk the line ya know)
I've never read Playboy for the articles
I'll make you laugh
I've never been in one of Tommy Lee's movies
I'll never under cook the eggs
I'll never drink your last beer
I can make a mean pot of chili
I'll pretend I didn't see you look at that chick with the big boobs
I'll always be impressed with how strong you are
I know that handcuffs aren't just for the cops
I've never kicked a boy in the balls
I recycle
I do know how many licks it takes to get to the center of a tootsie roll tootsie pop
I won't steal the vicoden out of your medicine cabinet
I'll take care of you when you're sick and sometimes just because I think you're the shit
I'll make fun of you
I come with my own set of ear plugs in case of snoring
I can give a kick ass back rub
I haven't been a house guest of O.J. Simpson
I like porn
I can't stand soaps
I've got a sweet 420 hook up
I don't care if you leave the seat up
I give road head
I think chicks are hot
I have my nipples pierced
I pump my own gas
I don't give a shit if I break a nail
I've got cookies
I don't chew tobacco
I take a shower every day, twice even sometimes
I like it when you pull my hair
I'll let you beat me at pool
I'll keep working until I chip away at your walls
I don't care that you go out with the boys
I don't eat crackers in bed too often
I think it's hot when you come home all dirty from playing hard
I like it when dogs sleep in the bed
I can't stand the mall
My tongue is pierced twice
I don't care what music we listen to in the car
I've never eaten a bon-bon in my life
My closet comes equipped with a shit load of hoodies
I'd never ask you to go to lunch with my mother
When you wash the dishes it turns me on
My heart will jump every time you walk through the door
I don't care if you cut your toe nails in the living room
I'll save everything you ever give me
I won't ever forget your birthday, and remind you when mine is coming
I can pee standing up (it's totally gross though)
I think Project Runway is fucking gay
You just can't stop reading this!
I've never even seen one episode of Dawson's Creek or Gilmore Girls
I always use my nails to scratch a lottery ticket
I know where to put in the oil, and have even done it it
I'll think you're just about the coolest person I know
My friends are hot
I don't have hardly any guy friends
I've never owned one pink thing
I think pizza and a game at the sports bar down the street is the ideal date
I won't fuck your friends
I won't fuck your brother
The kinkier the better
What the hell is "in the box"?
I always open a window when I paint
I've never been on Americas Most Wanted
The only drama I have any part of is on t.v.
I don't care if you watch my girly movies with me
I know how to make a fire
I can tie a cherry stem with my tongue
I've got secret tattoos
My kisses will take your breath away
I dig public sex
I didn't vote for the 25 ft smoking law
I don't care if you leave your socks on
You'll never have to do your laundry again
My best friend isn't a guy
I can't stand John Mayer
My burritos are the bomb
I never drive faster than 30 mph in a school zone
My weird habits you'll find adorable
You'll sleep better when I'm next to you
I have a membership at 3 video stores
I'd fuck Angelina Jolie too
I'll thank you every time you open the door
I'll never waste your love
I'll laugh at every joke even when it's not funny
I'd never give you shit in front of your friends
It gets better every time
Use as much salt as you want I don't care
I won't ever let you leave for work in the morning without your lunch
I'll help you find your keys
I don't stop and ask for directions either
I don't have a big brother, so you don't have to worry about getting your ass kicked ever
I've always got stoner food
I try not to pick my nose, or butt in public
We can watch your movie first
I've never owned anything Hello Kitty
I don't need batteries
I once ate a cricket
I eat red meat
I can kill my own spiders
I'll clean the house perfect every time your mom comes
I'll always have smooth legs
I like it when my hair gets messed up
I used to be able to put my feet behind my neck
I met Tom Green once
I got suspended in high school 3 times
My family is just as fucked up as yours
I don't want to get married
My kid already has a dad
I'll always want more
I like horror movies
I smell pretty good most of the time
I don't litter
When I can I give to charity
I can be ready in 30 minutes or less
I lose at arm wrestling every time
I've got dirty pictures of me on my computer
I look both ways before I cross the street
I have cable and HBO
I never look directly into the sun
I'll look cute in your shirt
I'm not a virgin
You're hotter and more hilarious than anyone I know
I'll show you my boobs at the store when nobody's looking
I probably have more porn on my computer than you
I old enough to remember when the space shuttle crashed
I still get carded almost every time I get booze
I won't ever leave makeup on your shoulder
I've never hung a pair of panty hose on the shower rack in my life
I like it when you call me a whore in bed
I can balance a check book
I'll help you not to forget your moms birthday
I would never yell "fire" in a crowded theatre
I"m really good at sneaking food into the movies
I was Branciforte Jr. Highs spelling bee champion 2 years back to back
I'll never say 'nothings wrong' when there really is
I know how to hold my own hair back when I puke
My fingers can spill out Mary Had A Little Dream on the piano better than Ray Charles
I've never cried over spilt milk
I have never stabbed anyone in the eye
I can count to 100 by 5's
I've never smuggled drugs out of the country
I don't care if you eat dinner without a shirt
I think it's hot when you masturbate
I never overload the washer
What else have you got to do?
I know that whipped cream goes on more than sundaes
I've never auditioned for American Idol
I don't eat yellow snow
I like it when you talk to your friends about me in bed
My sunday morning breakfasts will change your life
My chin fits 'just right' in your shoulder when you hold me close
I'll understand if you get jealous
I'm just that good
I never had sexual relations with Bill Clinton or anyone named Bill ever
I'm a pepper
You're getting very sleepy...
I've never been on Jerry Springer
I may have already won $10,000,000.
I have a subscription to the Herald
You won't be able to get me out of your head
I know that sticks are better than automatics
I'll let you drive every time if you want
I buy a new toothbrush every time the blue wears down
I know that objects in the mirror are bigger than they appear
I would never smoke the last bowl
I would never send you to the store for tampons
Flowers will get you laid every time
I've never gotten caught lip syncing on SNL
I have a $3.24 credit at PayLess Shoes
I have clean socks that you can borrow if you run out
I never leave the engine running while I'm pumping gas
I never run with scissors
I've taken the Coke/Pepsi challenge and won
Almost every time I have a winning bottle top
I know how to keep a secret
If you spell something wrong I just think it's cute
I've never failed a survey
I can almost every time find Waldo
I never put my fingers in the light socket
I'm a gemini
I have all my shots
It's okay I don't really expect you to last longer than 10 minutes anyways
I'm pretty damn funny
I'm not a doctor and I've never played one on t.v. either
I don't care if you eat off my plate
None of my friends are guys I used to have sex with
When you're sleeping I'll always try to be quiet
I have never run out of gas (well I just fucked myself there now, didn't I?)
I know the difference between they're, their, and there
You really kinda would dig having someone to cuddle with on the couch
I know how to get stains out of tshirts
I've seen every episode of "The Shield"
I've got rad hair
I know how to leave you satisfied and hungry for more every time
I'm really good at making lists
After reading this far you've already got too much invested anyways

ebay scam scum again. . .

I got a question from an eBay buyer tonight. How sweet. I don't have anything for sale on eBay.

Game on. Your ass is mine soon. . .

Here is your real URL: http://3717423647/~silverfoil/index.html/.ws/www.ebay.com/index.html

Here is the message (for what it matters):

 Question from cdesteve
Item: (8403494162)
This message was sent while the listing was active.
cdesteve is a potential buyer.
Still no answer from you!Will this deal go through?At least send me a message please!

Respond to this question in My Messages.
Respond Now

Item Details
Item number: 8403494162
End date: Apr-13-06 01:39:15 PDT
View item description:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=8403494162&sspagename=ADME:B:AAQ:US:1
Thank you for using eBay!
http://www.ebay.com/

URL is really pointing to : http://3717423647/~silverfoil/index.html/.ws/www.ebay.com/index.html

Do you really think I won't track you down?!

221.147.98.31 - Your IP put you in South Korea.
IP address: 221.147.98.31
Reverse DNS: [No reverse DNS entry per rev1.kornet.net.]
Reverse DNS authenticity: [Unknown]
ASN: 4766
ASN Name: KIXS-AS-KR (Korea Telecom)
IP range connectivity: 5
Registrar (per ASN): APNIC
Country (per IP registrar): KR [Korea-KR]
Country Currency: KRW [Korea (South) Won]
Country IP Range: 221.144.0.0 to 221.159.255.255

IP address is down. Must have got shut down. Good. One less thing I have to deal with.

Thursday, April 13, 2006

Euronext.liffe Shifts Exchange to Linux-Intel Platform

Euronext.liffe is switching its technology to the Linux operating system and the Intel-based processor citing the need to keep up with the growth of algorithmic trading.

The move signals "a fairly substantial shift in the electronic exchange's IT strategy," says Jim Johanek, SVP U.S. Technology Strategy for Euronext.liffe. The futures exchange—which is the derivatives arm of Euronext Group—initiated the process in 2004 right around the time when algorithmic trading in the futures industry began to take off, says Johanek.



"While people would have laughed at you eight years ago if an exchange said it was moving to Linux and Intel," Johanek says, "the calculus has changed." He cites the huge amount of R&D that has gone into the Intel platform, the sheer growth in the number of systems using it, and the rise of algorithmic trading as the reasons for the IT change.

"Before we counted heads of traders, now we're dealing with traders who operate multiple models at one time," he says. Euronext.liffe's customers were on the Intel architecture. "Our customers were growing in number but the technology they were using was advancing faster than our own," says Johanek.

In addition, the exchange realized it was going to run out of headroom, he says. "Our ability to innovate faster than the demand from our customers" was questionable, he suggests.

"In a nutshell, performance, cost and scalability were the three most important factors," says Johanek. "The technology is 30 times less expensive for the same amount of performance," he says. "We're getting 30 times more bang for our buck in moving over to Linux," adds Johanek.

Johanek says migrating to Linux on Intel-based processors will improve throughput, resulting in a nine-fold increase in the number of contracts it can list on the host, and a seven-fold increase in the number of orders it can process.


Read the full article at: Wall Street & Technology : Euronext.liffe Shifts Exchange to Linux-Intel Platform

Another good quote for today.

This one seems relevant in light of recent disclosures by the Bush administration relating to the Iraq pre-war intelligence.


My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant

Tuesday, April 11, 2006

BackTrack - A "live" Linux CD could be trouble in the wrong hands

I sat down last night with a REALLY good toolkit for security professionals called BackTrack - A "live" Linux CD could be real trouble in the wrong hands. It is a bootable CD-ROM that runs Linux. Well, you say, what's so new about that? What is new is this has been designed with the computer security professional in mind, and is truly a "Swiss army knife" full of very sharp tools.

It is the product of two different distros merged together for a common purpose. That purpose is to be the main rifle in the white hat's gun belt. I have used both before. Slax Linux was modified with several security scanners, password checkers, and a darn good set of manuals. It was then called WHAX, a name I still like a lot (you got WHAX'ed baby!).

The other distro was Whoppix, a Knoppix spinoff, later known as Auditor. They have now joined forces and come out with a truly amazing product called BackTrack.

Someone could do some real damage with this if they go running this new toy. And earn some real "l33t" bragging rights. After a judge sentences you to, say, 10 to 15 years, you may not feel so much like bragging. Don't get me wrong, programs for the network admins and "white hats" have been around for years. I ran Bastille on almost all of my Linux boxes, installed tripwire and kept a copy of the CRC checksums in a safe, and tried to exploit them locally and remotely with tools like VeteScan and John the Ripper.


Simple truth is, if you want to make a good safe OS, you have to use the same tools that the bad guys would use, and try to make it as difficult as you can for them to break in.

This is a very good Linux OS build. It features some nice graphics, and a good set of the standard tools like Mozilla Firefox, Evolution for email, GAIM, and the standard OSS applications. When you get to the BackTrack menus, you notice something VERY different. I include screen shots for your enjoyment here. Notice the cool see-through terminal windows. Did I mention that you can install this to your hard disk? Hmmm. Where did I put that laptop. . . .?


This is the popular port scanner "NMAP" running. Knock Knock, anybody home?


Here is one of the coolest tools I have ever seen for network analysis, "EtherApe". Real-time network sniffing to track down those bums downloading MP3's at work.


This is the screenshot from the web site. The menu shows some of the tools included on this CD.

I frankly am a little worried that after all of the phishing and jacking and hacking I have been seeing happen lately, that we would dial up the arms race another notch. I guess a good toolkit is a good thing. In the hands of the good guys, of course.

In the wrong hands however, it could be extremely dangerous! Do not try this at work! Don't even try this at home, in the dark, with your own computer!

(Unless you first sign a release form and a non-disclosure agreement with your self.)

Here is the blurb from the main website:

"BackTrack is the result of the merging of two Innovative Penetration Testing live Linux distributions, Whax and Auditor.

Combining the best features from both distributions, and paying special attention to small details, this is probably the best version of either distribution to ever come out.

Based on SLAX (Slackware), BackTrack provides user modularity. This means the distribution can be easily customized by the user to include personal scripts, additional tools, customized kernels, etc.

Backtrack security collection is a Live-System based on Slax. With no installation whatsoever, the analysis platform is started directly from the CD-Rom or RAM and is fully accessible within minutes. Independent of the hardware in use, the Backtrack security collection offers a standardized working environment, so that the build-up of know-how and remote support is made easier. Even during the planning and development stages, our target was to achieve an excellent user-friendliness combined with an optimal toolkit. Professional open-source programs offer you a complete toolkit to analyze your safety, byte for byte. In order to become quickly proficient within the Backtrack security collection, the menu structure is supported by recognized phases of a security check. (Foot-printing, analysis, scanning, wireless, brute-forcing, cracking).

By this means, you intuitively find the right tool for the appropriate task. In addition to the approx. 300 tools, the Backtrack security collection contains further background information regarding the standard configuration and passwords, as well as word lists from many different areas and languages with approx. 64 million entries. Current productivity tools such as web browser, editors and graphic tools allow you to create or edit texts and pictures for reports, directly within the Backtrack security platform."

This is from the Auditor web page (now merged with BackTrack).

Monday, April 10, 2006

The future of computing

"The future, according to some scientists, will be exactly like the past, only more expensive."
- John Sladek

"I predict the Internet... will go spectacularly supernova and in 1996 catastrophically collapse,"
Bob Metcalfe, inventor and 3Com founder, 1995

"640K ought to be enough for anybody,"
Bill Gates, chairman of Microsoft, 1981

"There is no reason anyone would want a computer in their home,"
Ken Olson, president, chairman and founder of Digital Equipment, 1977

"Where... the ENIAC is equipped with 18,000 vacuum tubes and weighs 30 tons, computers in the future may have only 1,000 vacuum tubes and weigh only 1.5 tons,"
Popular Mechanics 1949

"I think there is a world market for maybe five computers,"
Thomas Watson, chairman of IBM, 1943.

Yet Another Phishing scam today!

Got another question today from a scammer posing as an eBay buyer!

 Question from snoboy2k
Item: (6863632227)
This message was sent while the listing was active.
snoboy2k is a potential buyer.
What would the shipping cost be to West Virginia zip code 25511?

Respond to this question in My Messages.
Respond Now

Item Details
Item number: 6863632227
End date: Mar-27-06 01:43:11 PST
View item description:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=6863632227&sspagename=ADME:B:AAQ:US:1
Thank you for using eBay!
http://www.ebay.com/

Real URL points to: http://1121800143/test/.index/index.htm

IP resolves to: 66.221.79.207

DNS Stuff reports on that IP:

IP address: 66.221.79.207
Reverse DNS: ez4.propagation.net.
Reverse DNS authenticity: [Verified]
ASN: 14501
ASN Name: CIHOST
IP range connectivity: 2
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 66.221.0.0 to 66.221.255.255
Country fraud profile: Normal
City (per outside source): Ft. Worth, Texas
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No

OrgName: C I Host
OrgID: CIHS
Address: 1851 Central Drive
Address: #110
City: Bedford
StateProv: TX
PostalCode: 76112
Country: US

NetRange: 66.221.0.0 - 66.221.255.255
CIDR: 66.221.0.0/16
NetName: CIHOST7
NetHandle: NET-66-221-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS.CIHOST.COM
NameServer: NS2.CIHOST.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-17
Updated: 2002-06-17

RTechHandle: NC61-ARIN
RTechName: Network Operations Center
RTechPhone: +1-888-868-9931
RTechEmail: noc@cihost.com

OrgAbuseHandle: ABUSE821-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-888-868-9931
OrgAbuseEmail: abuse@cihost.com


Administrative Contact :
Propagation Networks
admin@PROPAGATION.NET
1851 CENTRAL DR STE 110
BEDFORD, TX 76021-5865
US
Phone: 800-607-0123

Technical Contact :
Propagation Networks,
noc@PROPAGATION.NET
1851 Central Drive Suite 110
Bedford, TX 76021
US
Phone: 800-605-5438
Fax: 888-242-7554

Record expires on 31-May-2006
Record created on 01-Jun-1998
Database last updated on 08-Jul-2004

Domain servers in listed order: Manage DNS

NS.PROPAGATION.NET 216.221.160.10
NS2.PROPAGATION.NET 216.221.162.106
NS3.PROPAGATION.NET 63.249.128.204

By the time I got to this one, he was already off-line. So I guess I am done for today.

Sunday, April 09, 2006

Why phishing works. Even IT Pros get fooled.

I got "phished" a few weeks ago and bit the hook. Too early on a Saturday, I woke up, checked my email, and clicked on a link. Happened to me and I can vouch for the feeling. I am an IT guy and I should know better. But bottom line is, it happens, just like automobile accidents, when you least expect it and aren't paying attention.

Now some researchers, Rachna Dhamija at Harvard and J.D. Tygar and Marti Hearst at UC Berkeley, have published a document explaining why phishing works. Duuh!

The ten-page document (PDF) details a study that looks at today's standard security used with ecommerce websites. The authors conclude that existing browser measures are ineffective and suggest the need for alternative approaches.

The report also offers some alarming statistics about phishing. Phishing sites were able to fool 90% of participants, and the test group made mistakes an average of 40% of the time.

The paper should be taken as a wake-up call for browser makers and financial institutions. Two of the document's authors are the same ones who proposed the security skins Firefox extension in a previous paper (PDF).

This paper discusses security plug-ins for browsers that would make it more difficult for users to be fooled by phony web sites. One good tool is the eBay toolbar, regrettably only available for Internet Explorer, which I never use. Firefox is the only browser I will use.

One of the browser plugins for Firefox is SpoofStick. It allows users to instantly spot a bogus URL, and works with any web site, not just eBay and PayPal like the eBay toolbar. Another is the TrustWatch Search Extension for Firefox.

More Firefox security extensions can be found at the Mozilla web site.

Stay safe out there.

Another "phisherman" emailed me today.

Another "phisherman" emailed me today. I can't count how many but I think they must be about one a week on average. I opened what looked like a regular ebay email. Here is the text.

 Question from bigmoney
Item: (6852613597)
This message was sent while the listing was active.
bigmoney is a potential buyer.
What is the last price for this Item?

Respond to this question in My Messages.
Respond Now

Item Details
Item number: 6852613597
End date: Mar-01-06 18:33:23 PST
View item description:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=7387869660&sspagename=ADME:B:AAQ:US:1
Thank you for using eBay!
http://www.ebay.com/

The ebay URL points to the scam web server: Here is the REAL URL:
http://1088880691/%20/signin.ebay.com/ws/eBayISAPI/index.html

That is a decimal 1088880691 and resolves to IP 64.231.0.51.
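As an added example (not code from the original post), here is a small Python decoder for the "bare decimal" hosts used in the three phishing links quoted in these posts; it also handles the hex form of the same trick, which the posts do not show, and the expected addresses are the ones DNS Stuff reported for each link.

```python
"""Decode the numeric-host trick used in the phishing links quoted above.

Added example, not from the original post. A link such as
http://1088880691/... has a host that is a single 32-bit number rather
than a dotted quad or a name; browsers accept it, and it hides where the
link really goes. The three hrefs below are the ones quoted in the posts,
paired with the IP the post reports for each.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# What the mail displayed to the reader (a genuine-looking eBay listing URL).
EBAY_LISTING = "http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=6852613597"

# Constructed test data: (href the mail really pointed to, IP reported in the post)
PHISH_LINKS = [
    ("http://3717423647/~silverfoil/index.html/.ws/www.ebay.com/index.html", "221.147.98.31"),
    ("http://1121800143/test/.index/index.htm", "66.221.79.207"),
    ("http://1088880691/%20/signin.ebay.com/ws/eBayISAPI/index.html", "64.231.0.51"),
]


def decode_numeric_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of a host written as one 32-bit number
    (decimal like 1088880691, or hex like 0x40e70033). Return None when the
    host is an ordinary name or is already a dotted quad."""
    if re.fullmatch(r"\d+", host):
        value = int(host, 10)
    elif re.fullmatch(r"0[xX][0-9a-fA-F]+", host):
        value = int(host, 16)
    else:
        return None
    if value > 0xFFFFFFFF:
        return None  # too large to be an IPv4 address
    return str(ipaddress.IPv4Address(value))


def real_destination(href: str) -> str:
    """Host the browser will actually connect to, shown as a dotted quad
    when the href hides it behind a decimal or hex number."""
    host = urlsplit(href).hostname or ""
    return decode_numeric_host(host) or host


def looks_spoofed(displayed: str, href: str) -> bool:
    """True when the visible URL and the real href lead to different hosts,
    or when the real host is written numerically. A brand name buried in
    the path (e.g. '/signin.ebay.com/') is not the host and does not count."""
    shown_host = (urlsplit(displayed).hostname or "").lower()
    raw_host = urlsplit(href).hostname or ""
    numeric = decode_numeric_host(raw_host) is not None
    return numeric or shown_host != real_destination(href).lower()


if __name__ == "__main__":
    for href, expected in PHISH_LINKS:
        dest = real_destination(href)
        print(f"{href}\n  -> {dest}  spoofed={looks_spoofed(EBAY_LISTING, href)}")
        assert dest == expected
```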

IP address: 64.231.0.51
Reverse DNS: [No reverse DNS entry per ns3.bellglobal.com.]
Reverse DNS authenticity: [Unknown]
ASN: 577
ASN Name: BACOM
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): CA [Canada]
Country Currency: CAD [Canada Dollars]
Country IP Range: 64.228.0.0 to 64.231.255.255
Country fraud profile: Normal
City (per outside source): Toronto, Ontario

That's a Bell Canada IP block:
Bell Canada BELLCANADA-5 (NET-64-228-0-0-1) 64.228.0.0 - 64.231.255.255
Bell Nexxia (HSE) NEXXIAJ10-CA (NET-64-231-0-0-1) 64.231.0.0 - 64.231.95.255

No WHOIS records exist for this IP, and there was no reverse DNS information I could glean.
It is probably a personal computer that has been hacked, and is under someone else's control.

Time for us to take a collection and buy this poor sucker a firewall. Any donations?

Here is a port scan. Our scammer box is infected with the W32.MyDoom virus, like many other hosts.

This is probably the vector for the exploit. I see this on lots of other targets.
I suspect that may be the port that receives control messages.
Also it's running the Half-Life engine (port 27015)! Lots of other exploited servers are as well.
The HTTP daemon is Apache and returns the ID Celestix celnx.

Hmmm, who could that be, I wonder? I Google for "Celestix celnx".
I find a company that makes firewall and VPN products called Celestix.
Here is the web site if anybody cares: http://www.celestix.com/
Here is the blurb from the web site.

"Celestix Networks is the premier developer of Microsoft Windows-based managed security appliances, offering a broad range of ready-to-deploy security appliances and turnkey security solutions. Our appliances are designed to reduce product complexity and provide customers with less expensive, easy to use delivery platforms. Working closely with strategic partners, Celestix ensures that its appliances have the breadth and depth of functions, features and performance to provide the best appliances to meet today's demanding security needs."

Sure that's why your web server is hosting a hacked eBay login page. Yeah right buddy!

Whatever. I say let's take them down. I called up phishfighting.com and pasted the URL in. Nothing happened! Whatever this one is doing, nothing shows up in the username/password box. He may be actively blocking phishfighting.com because that will poison their list of victims.

Let's see if I can email the ISP and have this box shut down. eBay is a limp noodle with these.

Now how the hell do I find out the email for the ISP? Go call 411? Later.

INSIDE THE HONEYPOTS

Simply connecting to the Internet — and doing nothing else — exposes your PC to non-stop, automated break-in attempts by intruders looking to take control of your machine surreptitiously.

If an online intruder has infiltrated your Windows PC, you may notice recurring slowdowns of e-mail and Web browsing, or you may notice nothing at all. PC users must shore up defenses on three fronts:

As of early November, all new Windows XP PCs come with Service Pack 2, which includes a firewall and automatic patching.

Owners of Windows XP PCs purchased earlier than that should download Service Pack 2 from www.microsoft.com/athome/security/protect/default.aspx. Users of older versions of Windows can get security tips at that same Web site.

Distrust all attachments. If you doubt it, delete it. Subscribe to anti-virus software, such as Norton AntiVirus, McAfee VirusScan or ZoneAlarm Security Suite. Keep the subscription current and set it to automatically check for updates.

Consider switching from Internet Explorer, a sieve for spyware, to the Mozilla Firefox browser or the Opera browser. Both are free and can be downloaded, respectively, from mozilla.org or opera.com.

If you continue using Explorer, set security settings to high and use anti-spyware software.

While most break-in tries fail, an unprotected PC can get hijacked within minutes of accessing the Internet. Once hijacked, it is likely to get grouped with other compromised PCs to dispense spam, conduct denial-of-service attacks or carry out identity-theft scams.

Those are key findings of a test conducted by USA TODAY and Avantgarde, a San Francisco tech marketing and design firm. The experiment involved monitoring six "honeypot" computers for two weeks — set up to see what kind of malicious traffic they would attract. Once breached, the test computers were shut down before they could be used to attack other PCs.

The test did not measure Web attacks that require user participation, namely spyware, which gets spread by visiting contagious Web sites, or e-mail viruses, which proliferate via e-mail attachments.

However, the results vividly illustrate how automated cyberattacks have come to saturate the Internet with malicious programs designed to take the quickest route to break into your PC: through security weaknesses in the PC operating system.

"It's a hostile environment out there," says tech security consultant Kevin Mitnick, who served five years in prison for breaking into corporate computer systems in the mid-1990s. "Attackers have become extremely indiscriminate."

Mitnick and Ryan Russell, an independent security researcher and author of Hack Proofing Your Network, were contracted by Avantgarde to set up and carry out the experiment.

Test results underscored the value of keeping up to date with security patches and using a firewall. Computer security experts say firewalls, which restrict online access to the guts of the PC operating system, represent a crucial first line of defense against cyberintruders. Yet, an estimated 67% of consumers do not use a firewall, according to the National Cyber Security Alliance.

The machines tested were types popular with home users and small businesses. They included: four Dell desktop PCs running different configurations of the Windows XP operating system, an Apple Macintosh and a Microtel Linspire, which uses the Linux operating system.

Each PC was connected to the Internet via a broadband DSL connection and monitored for two weeks in September. Break-in attempts began immediately and continued at a constant and high level: an average of 341 per hour against the Windows XP machine with no firewall or recent security patches, 339 per hour against the Apple Macintosh and 61 per hour against the Windows Small Business Server. Each was sold without an activated firewall.

By contrast, there were fewer than four attacks per hour against the Windows XP updated with a basic firewall and recent patches (Service Pack 2), the Linspire with basic firewall and the Windows XP with ZoneAlarm firewall.

"The firewalls did their job," says Russell. "If you can't get to them, you can't attack them."


Analysis of a break-in

While attempted break-ins never ceased, successful compromises were limited to nine instances on the minimally protected Windows XP computer and a single break-in of the Windows Small Business Server. There were no successful compromises of the Macintosh, the Linspire or the two Windows XPs using firewalls. That pattern was not surprising, as Windows PCs make up 90% of the computers connected to the Internet, and the vast majority of automated attacks are designed to locate and exploit widely known Windows security weaknesses.

Intruders repeatedly compromised the Windows XP computer through the same two security holes used by the authors of the July 2003 MS Blaster worm and May's headline-grabbing Sasser worm, which overloaded computers in banks, hospitals and transportation systems worldwide.

To hijack the Windows Small Business Server, the attacker finagled his way into a function of the Windows operating system that allows file sharing between computers. He then uploaded a program that gave him full control.

On three occasions, intruders got as far as logging on to an Internet Relay Chat channel, signaling an intent to herd the compromised PC with other hijacked PCs to pursue illicit activities.

IRC channels work like a private instant-messaging service. An intruder in control of such a channel can send instructions to some PCs to spread spam, to others to serve up scamming Web sites, and to others to hijack more PCs.

"Downloading and using other exploits, performing denial-of-service attacks, running spam-relay tools, running identity-theft tools are all very common activities of compromised machines," says Martin Roesch, chief technology officer at tech security firm Sourcefire.

The intruder who cracked the Windows Small Business Server even uploaded a tool to prevent rival attackers from following behind him and gaining access to the system, says researcher Jon Orbeton, of anti-virus and firewall supplier ZoneLabs.

That level of sophistication shows how cyberintrusions are fast becoming an ingrained part of the Internet. Compromised PCs fueled a 150% surge in suspicious security activity per machine per day in the third quarter of this year, compared with a year ago, security vendor VeriSign said in a report in November.

The end game: illicit profits. Compromised PCs supply the computing power for cybercrooks to run increasingly diverse scams, including phishing schemes that lure victims into typing account information at counterfeit Web sites.

In the past month, the first phishing scam to plant a bogus Web link on a legitimate banking Web site surfaced. The scam was probably carried out with hijacked PCs to protect the perpetrator from detection. "It's the most sophisticated, and frightening, phishing scam we've seen," says Susan Larson, vice president of global content at SurfControl, an e-mail security firm.

INSIDE THE HONEYPOTS
From Sept. 10 to Sept. 25, online intruders made 305,922 attempts to break into six computers connected to the Internet via broadband DSL. Attackers successfully compromised the Dell Windows XP computer using Service Pack 1 nine times, and the Dell Windows 2003 Small Business server once. No other machines were breached.
Platform         Total attacks   Attacks / day   Attacks / hour
XP SP1           139,024         8,177           341
OS X             138,647         8,155           339
Win SBS          25,222          1,400           61
XP SP2           1,386           82              3.4
XP w/ZoneAlarm   848             50              2.1
Linspire         795             46              1.9


Monitoring software reveals intruders incessantly probing the Internet for vulnerable PCs on Sept. 10.

10:52:08
Less than four minutes from start of the test, an intruder breaks into Windows XP SP1 through the vulnerability most famously exploited by last May's Sasser worm. Ensuing instructions get garbled.

11:03:30
Eleven minutes later another intruder breaks into XP SP1 through the security hole exploited by the July 2003 MS Blaster worm. Ensuing instructions get garbled.

11:04:04
While the previous break-in is still unfolding, another intruder, using a different attacking computer, breaks into XP SP1 through the Sasser hole. Ensuing instructions get garbled.

20:21:44
An intruder breaks into XP SP1 for the fourth time using the MS Blaster hole. Things go smoothly. He begins uploading commands. He confirms XP SP1 is connected to the Internet, then begins making repeated attempts to connect XP SP1 to a server running an Internet Relay Chat channel, the equivalent of a private Instant Messaging line.

20:22:49
The intruder successfully connects XP SP1 to the IRC channel, which is probably also running on a hijacked PC.

20:23:05
The intruder instructs XP SP1 to navigate to a designated Web site, likely running on yet another hijacked PC. XP SP1 downloads a program, called ie.exe, from the Web site.

20:23:11
XP SP1 begins scanning the Internet, poised to similarly hijack other PCs exhibiting the same unpatched security hole.

Friday, April 07, 2006

Another "Phisherman" today - Matt Ashby

Another email showed up today from an eBay member "prescreened". The text of the message follows:
Question from prescreened
About This Member
prescreened( 5792)
Positive Feedback: 100%
Member Since: Apr-14-99
Location: OH, United States
Registered On: www.ebay.com

Hey ,
I'll send you the money today.When will you send the package ?

Thanks !

Respond to this question in My Messages.
Respond Now

prescreened
Thank you for using eBay!
http://www.ebay.com/

Real url of the ebay.com link is: http://www.steveariss.com/%20/Index.html

Let's see who this poor sucker is. He may be hacked...
Interesting this box has no HTTP server running, just port 8080, SSH, and FTP. Hmm.

WHOIS information reports that domain belongs to:
Registrant:
Steve Ariss
42 Lakefield Road
Brampton, ON L7A 1W5
CA

Domain name: STEVEARISS.COM

Administrative Contact:
Ariss, Steve steveariss@rogers.com
42 Lakefield Road
Brampton, ON L7A 1W5
CA
416 508-8245
Technical Contact:
Ariss, Steve steveariss@rogers.com
42 Lakefield Road
Brampton, ON L7A 1W5
CA
416 508-8245


Registrar of Record: easyDNS Technologies, Inc.

Resolves to 69.194.147.254

Reverse DNS: cpe000393086bfa-cm000f9f7f15b6.cpe.net.cable.rogers.com.
Reverse DNS authenticity: [Verified]
ASN: 812
ASN Name: ROGERS-CABLE
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): CA [Canada]
Country Currency: CAD [Canada Dollars]
Country IP Range: 69.192.0.0 to 69.199.255.255
Country fraud profile: Normal
City (per outside source): Mississauga, Ontario
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No

OK so far got the entry point.
But the scam just starts here. Phishermen are getting sneaky nowadays.
That web site redirects the victim to a server in the UK:

Redirects to: http://www.domainsnipe.co.uk/.ebay/aw-cgi/index.html



This is the REAL web site the phisherman is running the scam on:

Domain name: domainsnipe.co.uk

Registrant:
Matt Ashby

Registrant type:
UK Individual

Registrant's address:
Smallands Hall Farm
Spring Lane
Hatfield Peverel
CM3 2JW
GB

Registrant's agent:
Internet Assist Ltd [Tag = INTERNET-ASSIST]
URL: http://www.i-a.co.uk

Relevant dates:
Registered on: 08-Dec-2005
Renewal date: 08-Dec-2007

Registration status:
Registered until renewal date.

Name servers:
ns1.i-a.co.uk
ns2.i-a.co.uk

IP address: 217.151.101.69
Reverse DNS: rack5.i-a.co.uk.
Reverse DNS authenticity: [Verified]
ASN: 21055
ASN Name: WEBTAPESTRY-AS (Axamba Limited T/As Web Tapestry)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): GB [United Kingdom]
Country Currency: GBP [United Kingdom Pounds]
Country IP Range: 217.151.96.0 to 217.151.111.255
Country fraud profile: Normal
City (per outside source): Unknown
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No

Looks like the server is in Manchester, England. I will email the ISP to take this down.

So I report it to eBay and pop the REAL URL in Phishfighting.com

Just another takedown of a bad guy. Fight the good fight.

Thursday, April 06, 2006

New RSS Feed

Hi All,
I got a new RSS feed going today.
This will change in the next day or so.
I hope to focus on Linux stuff but for now, I will just be experimenting.

As far as you scumbags out there, be afraid. I will come and hunt you down!
Don't think I won't expose you for the scum you are!

Hope you all enjoy the ride.

Tuesday, April 04, 2006

Another new "Phisherman" Meet Christian Dvorak



I received ANOTHER "Phishing" attempt tonight. This one was a good laugh for me.
It was to welcome me to join something called the "PowerSeller Silver Membership"
What is so funny is I have sold exactly ONE item on eBay.
I really don't think I qualify to be a "Power Seller", silver or any color!

Of course I reported this to eBay, but they seem to be about as good at stopping these clowns as Bush seems to be at catching Osama bin Laden. I thought I would do some snooping on my own.


Here is the subject line. How thoughtful, they want ME to join their little club.

Subject:Your PowerSeller Silver Membership
From: "eBay PowerSellers"
Date: Tue, 04 Apr 2006 22:10:35 +0000


Original email link embedded in HTML of spoof email is:
http://www.elitemarine.net/blog/archives/www.anaconda.com

Reverse DNS points us to the evildoers:
elitemarine.net. A IN 14400 66.228.123.163

They are pretty sneaky about their information. They do however leave an email address: (spyhunter2000@bellsouth.net).

Registration Service Provided By: Surpass Hosting
Contact: enom@surpasshosting.com
Visit: http://www.surpasshosting.com

Domain name: elitemarine.net
Registrant Contact:
other
somename somename (spyhunter2000@bellsouth.net)
Fax: somephone
someaddress
somecity, SC somezip

US

A google search for (spyhunter2000@bellsouth.net) led to a page on www.teamxodus.com. Hmmm.
He is infected with the W32.MyDoom virus as well.


This is only a jumping off point that points to the REAL spoof eBay site, as you will see here...

That URL (www.elitemarine.net/blog/archives/www.anaconda.com) redirects to another site in Austria or Germany:

http://projekt-pd.power-wlan.at/images/.PowerSellerpages.eBay.com/ws/eBayISAPII.dll/SignIn.html

DNS reverse lookup using DNS Stuff

projekt-pd.power-wlan.at. A IN 86400 62.141.48.148

IP address: 62.141.48.148
Reverse DNS: ns.power-web34.net.
Reverse DNS authenticity: [Verified]
ASN: 31103
ASN Name: KEYWEB-AS (Keyweb AG)
IP range connectivity: 0
Registrar (per ASN): RIPE
Country (per IP registrar): DE [Germany]


WHOIS report on projekt-pd.power-wlan.at

domain: power-wlan.at
registrant: CD820810-NICAT
admin-c: CD820810-NICAT
tech-c: CD820810-NICAT
zone-c: CD820810-NICAT
nserver: ns.power-web34.net
remarks: 62.141.48.148
nserver: ns2.power-web34.net
remarks: 62.141.49.148
changed: 20040503 16:31:12
source: AT-DOM

personname: Christian Dvorak
organization: power-web.at
street address: Soedingberg 129
postal code: A-8152
city: Stallhofen
country: Austria
phone: +433142805280
fax-no: +433142805230
e-mail: domreg@power-web.at
nic-hdl: CD820810-NICAT
changed: 20050409 10:35:11
source: AT-DOM

inetnum: 62.141.48.0 - 62.141.55.255
netname: DE-KEYWEB-I
descr: Keyweb AG IP Network
country: DE
admin-c: MERO-RIPE
tech-c: MERO-RIPE
status: ASSIGNED PA
mnt-by: KEYWEB-MNT
changed: hostmaster@keyweb.de 20060217
source: RIPE

WHOIS report on netblock:
Information related to '62.141.48.0 - 62.141.55.255'

person: Holger Amberg
address: Keyweb AG
address: Neuwerkstrasse 45/46
address: 99084 Erfurt
address: Germany
e-mail: ha@keyweb.de
abuse-mailbox: abuse@keyweb.de
phone: +49 361 658530
fax-no: +49 361 6585366
nic-hdl: MERO-RIPE
mnt-by: KEYWEB-MNT
changed: ha@keyweb.de 20050419
source: RIPE


A google for Mr. Christian Dvorak leads to this web page and this contact info:

POWER-WEB.AT, ING. CHRISTIAN DVORAK
Street / No.: SÖDINGBERG 6
Postcode / Town: 8152 STALLHOFEN
Country: ÖSTERREICH
E-Mail: office@power-web.at
Telephone: 03142 80 52 80
Fax: 03142 80 52 30
URL: http://www.power-web.at


It is a web hosting company in Södingberg, Austria.

Someone should let Mr. Dvorak know his server is being bad!



What follows is the text of the email.

To: mrlinuxhead@yahoo.com
Subject:Your PowerSeller Silver Membership
From: "eBay PowerSellers"
Date: Tue, 04 Apr 2006 22:10:35 +0000

Dear eBay Member,

You've been on a super sales streak and since you've done so well, it's time to recognize you for your efforts. You are PowerSeller Silver!

Congratulations! joining the eBay Silver PowerSeller Program. Come and join us. When you join the PowerSeller program, you'll be able to receive more of the support you'll need for continued success. So, why wait? Join now!

PowerSeller icon next to your User ID in recognition of your hard work.
PowerSeller Priority Support via email webform and phone support at Silver level and above.
Exclusive offerings on the PowerSeller portal--check in frequently to see updated program benefits and special offers!
Discussion Board for you to network with other PowerSellers.
Free PowerSeller Business Templates for business cards and letterhead.

Membership to the PowerSeller program is FREE.

Again, congratulations and best wishes for your continued success!

Regards,
eBay PowerSeller Team
If you agree with this rank please Become an eBay Power Seller within 24 hours
You are receiving this communication because you are part of the PowerSeller program. This is a one time communication. There is no need to unsubscribe. eBay will not request personal data (password, credit card/bank numbers) in an email.

Copyright © 2003 eBay Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are trademarks of eBay Inc.

I sent a follow up email to the following addresses:

enom@surpasshosting.com
domreg@power-web.at
projekt-pd.power-wlan.at
ha@keyweb.de
abuse@keyweb.de
hostmaster@keyweb.de

And of course, I feed the URL into Phishfighting.com. Great work guys!

BBC NEWS | Americas | 'Miserable failure' links to Bush

Monday, April 03, 2006

WHOIS info on the "French Phisherman"

Domain is listed in WHOIS, using DNS Stuff: mfrchampagne-lorraine.net

mfrchampagne-lorraine.net. MX IN 172800 smtp2.lerelaisinternet.com. [Preference = 20]
mfrchampagne-lorraine.net. MX IN 172800 smtp1.lerelaisinternet.com. [Preference = 10]
mfrchampagne-lorraine.net. NS IN 172800 ns1.lerelaisinternet.com.
mfrchampagne-lorraine.net. NS IN 172800 ns2.lerelaisinternet.com.
ns1.lerelaisinternet.com. A IN 3359 194.206.126.200

Registrant:
ASS FED REG MFR CHAMP ARDENNE (assfed0-org)
ASS FED REG MFR CHAMP ARDENNE
13 RUE Victor Fourcault
52000 CHAUMONT
FRANCE
Registrar....: Nordnet
Web..........: http://www.nordnet.net
Whois........: whois.nordnet.net

Domain Name: mfrchampagne-lorraine.net

Administrative Contact:
. (abcdef120) frmfr.champlor@wanadoo.fr
ASS FED REG MFR CHAMP ARDENNE
13 RUE Victor Fourcault
52000 CHAUMONT
FRANCE
Phone: 330325311764 Fax: 330325311764

Technical Contact:
Contact Technique (tecreg0) technical@lerelaisinternet.com
Le Relais Internet
111, Rue de Croix
59510 Hem
FR
Phone: +33.892702099 Fax: +33.320665669

Billing Contact:
Contact Facturation (bilreg0) billing-reg@lerelaisinternet.com
Le Relais Internet
111, Rue de Croix
59510 Hem
FR
Phone: +33.892702099 Fax: +33.320665669

Record last updated on 2005-Nov-22
Record expires on 2006-Nov-22
Record created on 2002-Nov-22

Domain servers in listed order:

ns1.lerelaisinternet.com
ns2.lerelaisinternet.com
Deposez votre domaine sur le site http://www.nordnet.net

The French Phisherman returns!

Some people just won't quit.
I just received another spoof email from the "French Phisherman"
This clown won't go away quietly. Time to make it hurt.
First thing I did was enter his URL into PhishFighting.com
The URL for this clown is the same as last week:
http://1342912795/intranet/forum/templates/subSilver/images/wsbleh/ebay/index.html
This resolves to 80.11.57.27
Same server in France. Will someone email them in French and shut this scammer down?
Here is the info from DNS Stuff: (http://www.dnsstuff.com/tools/ipall.ch?domain=80.11.57.27)
IP address: 80.11.57.27
Reverse DNS: laubervilliers-151-13-20-27.w80-11.abo.wanadoo.fr.
Reverse DNS authenticity: [Verified]
ASN: 3215
ASN Name: AS3215 (France Telecom Transpac)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): FR [France]
Country Currency: EUR [euros]
Country IP Range: 80.8.0.0 to 80.15.255.255
Country fraud profile: Normal

MFRCHAMPAGNE-LORRAINE.NET is the server hosting this scammer. Somebody shut him down, now!

City (per outside source): Paris, Ile-De-France

Help Us Impeach George Bush Now! | ImpeachPAC

Port scan of the Canadian "Phisherman"


Sunday, April 02, 2006

Got a new "Phisherman" today heehee

Here is the URL:
http://1088880691/%20/signin.ebay.com/ws/eBayISAPI/index.html

Let's see who this poor sucker is....
C:\>ping 1088880691

Pinging 64.231.0.51 with 32 bytes of data:

Reply from 64.231.0.51: bytes=32 time=100ms TTL=238

Gotcha sucker. .. Game on

Here is the text of the email:
Question from napolitana1
Item: (6852595473)
This message was sent while the listing was active.
napolitana1 is a potential buyer.
What is the last price for this Item?
Respond to this question in My Messages.
Respond Now

Item Details

Item number: 6852595473
End date: Mar-01-06 18:33:23 PST
View item description:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=7387869660&sspagename=ADME:B:AAQ:US:1
Thank you for using eBay!
http://www.ebay.com/


The DNS resolves to
IP address: 64.231.0.51
Reverse DNS: [No reverse DNS entry per ns3.bellglobal.com.]
Reverse DNS authenticity: [Unknown]
ASN: 577
ASN Name: BACOM
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): CA [Canada]
Country Currency: CAD [Canada Dollars]
Country IP Range: 64.228.0.0 to 64.231.255.255
Country fraud profile: Normal
City (per outside source): Toronto, Ontario

Saturday, April 01, 2006

PhishFighting.com - Fight back and take down the Phishers.

This site will take the URL and send bogus usernames and passwords to it about once a second. Try it with your next "phisherman".

Help Stop Phishing!

Here is a site you can use to report Phishing scams!