Sunday, April 09, 2006

Another "phisherman" emailed me today.

Another "phisherman" emailed me today. I can't count how many but I think they must be about one a week on average. I opened what looked like a regular ebay email. Here is the text.

 Question from bigmoney
Item: (6852613597)
This message was sent while the listing was active.
bigmoney is a potential buyer.
What is the last price for this Item?

Respond to this question in My Messages.
Respond Now

Item Details
Item number: 6852613597
End date: Mar-01-06 18:33:23 PST
View item description:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=7387869660&sspagename=ADME:B:AAQ:US:1
Thank you for using eBay!
http://www.ebay.com/

The eBay link actually points to the scam web server. Here is the REAL URL:
http://1088880691/%20/signin.ebay.com/ws/eBayISAPI/index.html

That host is the decimal integer 1088880691, which resolves to IP 64.231.0.51.
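To show how that trick works from the defender's side, here is an added example (my own code, not from the post) that decodes a bare-integer host, decimal or 0x-hex, to the dotted quad the browser will actually connect to, and flags a URL when a brand name such as "ebay" appears only in the path. The brand list is constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Brand names we expect to see only in a legitimate hostname, never buried in
# the path of a raw-IP URL (list is constructed for this example).
BRANDS = ("ebay", "paypal")

def decode_host(url):
    """Return (raw_host, dotted_ip).

    dotted_ip is the address a browser would connect to when the host is an
    integer (decimal or 0x-hex) or an ordinary dotted quad; it is None when
    the host is a DNS name.
    """
    host = urlsplit(url).hostname or ""
    if re.fullmatch(r"[0-9]+", host):                 # e.g. 1088880691
        value = int(host, 10)
    elif re.fullmatch(r"0x[0-9a-f]+", host, re.I):    # e.g. 0x40e70033
        value = int(host, 16)
    else:
        try:
            return host, str(ipaddress.IPv4Address(host))
        except ValueError:
            return host, None                        # a DNS name
    if value > 0xFFFFFFFF:
        return host, None                            # not a valid 32-bit address
    return host, str(ipaddress.IPv4Address(value))

def analyse(url):
    """Flag a URL whose host is a bare address while a brand name sits in the path."""
    host, ip = decode_host(url)
    path = unquote(urlsplit(url).path).lower()
    brands = [b for b in BRANDS if b in path]
    return {
        "host": host,
        "ip": ip,
        "brand_in_path": brands,
        "suspicious": ip is not None and bool(brands),
    }

if __name__ == "__main__":
    # The scam URL quoted in the post and the legitimate eBay link beside it.
    for u in ("http://1088880691/%20/signin.ebay.com/ws/eBayISAPI/index.html",
              "http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=7387869660"):
        print(analyse(u))
```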

IP address: 64.231.0.51
Reverse DNS: [No reverse DNS entry per ns3.bellglobal.com.]
Reverse DNS authenticity: [Unknown]
ASN: 577
ASN Name: BACOM
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): CA [Canada]
Country Currency: CAD [Canada Dollars]
Country IP Range: 64.228.0.0 to 64.231.255.255
Country fraud profile: Normal
City (per outside source): Toronto, Ontario

That's a Bell Canada IP block:
Bell Canada BELLCANADA-5 (NET-64-228-0-0-1) 64.228.0.0 - 64.231.255.255
Bell Nexxia (HSE) NEXXIAJ10-CA (NET-64-231-0-0-1) 64.231.0.0 - 64.231.95.255

No WHOIS records exist for this IP, and there was no reverse DNS information I could glean.
It is probably a personal computer that has been hacked, and is under someone else's control.

Time for us to take a collection and buy this poor sucker a firewall. Any donations?

Here is a port scan. Our scammer box is infected with the W32.MyDoom virus, like many other hosts.

This is probably the vector for the exploit. I see this on lots of other targets.
I suspect that may be the port that receives control messages.
Also it's running the Half-Life engine (port 27015)! Lots of other exploited servers are as well.
The HTTP daemon is Apache and returns the ID Celestix celnx.

Hmmm who could that be I wonder? I Google for "Celestix celnx".
I find a company that makes firewall and VPN products called Celestix.
Here is the web site if anybody cares: http://www.celestix.com/
Here is the blurb from the web site.

"Celestix Networks is the premier developer of Microsoft Windows-based managed security appliances, offering a broad range of ready-to-deploy security appliances and turnkey security solutions. Our appliances are designed to reduce product complexity and provide customers with less expensive, easy to use delivery platforms. Working closely with strategic partners, Celestix ensures that its appliances have the breadth and depth of functions, features and performance to provide the best appliances to meet today's demanding security needs."

Sure that's why your web server is hosting a hacked eBay login page. Yeah right buddy!

Whatever. I say let's take them down. I called up phishfighing.com and pasted the URL in. Nothing happened! Whatever this one is doing, nothing shows up in the username/password box. He may be actively blocking phishfighing.com because that will poison their list of victims.

Let's see if I can email the ISP and have this box shut down. eBay is a limp noodle with these.

Now how the hell do I find out the email for the ISP? Go call 411? Later.
