It really doesn't usually snow this much around here...
Thursday, 5 February 2009
Monday, 2 February 2009
Snow bear
The heaviest snowfall for a zillion years or something in the UK.. it appears to have brought out this snow bear which is lurking in the garden.
I think he's probably harmless enough.
I think he's probably harmless enough.
Labels:
snow
Drive-by cloning of RFID passports
Here's a different type of drive-by attack than the usual one.. security researcher Chris Paget shows that it is possible to read RFID tages from a passing moving vehicle and clone all the information they contain.. for the price of $250 worth of kit off eBay.
Labels:
Privacy
UkrTeleGroup vanishes, morphs.
First some good news (via the WaPo Security Fix blog): well known black hat web host UkrTeleGroup appears to have vanished from the internet. The bad news is that seems to have morphed into a company called Internet Path which is masquerading as a US company.
Unfortunately, it does not appear that this is an Atrivo / McColo / Estdomains style situation where the bad guys are permanently shut down.. yet. But perhaps continued pressure on upstream providers might have some effect.. who knows?
Unfortunately, it does not appear that this is an Atrivo / McColo / Estdomains style situation where the bad guys are permanently shut down.. yet. But perhaps continued pressure on upstream providers might have some effect.. who knows?
Sunday, 1 February 2009
Uh-oh
No doubt the whole of the south of England will grind to a halt under this stuff, to the amusement of people who get REAL snow.. but a rear wheel drive sports car with no snow tyres is not exactly ideal for these conditions.
Labels:
Smart Roadster,
snow
"Zhudian Machinery" / zhudian-m.com scam
A strange, tersely worded email from some scammer or other:
Oddly, the domain is registered with a set of fake details pointing at the UK:
Domain name: ZHUDIAN-M.COM
Created on: 2008-11-05
Updated on: 2008-11-05
Expires on: 2009-11-05
Registrant Name: PETER LLEWELLYN-JONES
Contact: Peter Llewellyn-Jones
Registrant Address: no 43567 broad street
Registrant City: england
Registrant Postal Code: ch1 1lt
Registrant Country: GB
Administrative Contact Organization: Peter Llewellyn-Jones
Administrative Contact Name: Peter Llewellyn-Jones
Administrative Contact Address: no 43567 broad street
Administrative Contact City: england
Administrative Contact Postal Code: ch1 1lt
Administrative Contact Country: GB
Administrative Contact Email: kedenor@gmail.com
Administrative Contact Tel: +44 701 1130444
Administrative Contact Fax: +44 701 1130444
Technical Contact Organization: Technical Support
Technical Contact Name:
Technical Contact Address: Via A Ponti, 6
Technical Contact City: Bergamo
Technical Contact Postal Code: 24126
Technical Contact Country: IT
Technical Contact Email: support@register.it
Technical Contact Phone: +39 035 3230400
Technical Contact Fax: +39 035 3230312
Primary Name Server Hostname: NS1.REGISTER.IT
Secondary Name Server Hostname: NS2.REGISTER.IT
The "CH1 1LT" postcode given is the Chester Grosvenor Hotel but the rest of the address doesn't match and is clearly nonsense. The +44 701 1130444 number given looks like a UK number, but in fact it's a "follow me anywhere" number that is probably just forwarding to another number outside the UK.
Originating IP address is 206.47.199.87 which is well known for spam. Email address was harvested from a "free webspace provider".
Subject: Representative NeededHow would I feel? Well, alarmed and upset probably when the police kick down my door with a warrant because of the money laundering I've been doing for this so called "Zhudian Machinery".
From: "ZHUDIAN MACHINERY"
How would you feel to work for the Zhudian Machinery and earn good money? Contact Qi
Par via email: employment@zhudian-m.com
Oddly, the domain is registered with a set of fake details pointing at the UK:
Domain name: ZHUDIAN-M.COM
Created on: 2008-11-05
Updated on: 2008-11-05
Expires on: 2009-11-05
Registrant Name: PETER LLEWELLYN-JONES
Contact: Peter Llewellyn-Jones
Registrant Address: no 43567 broad street
Registrant City: england
Registrant Postal Code: ch1 1lt
Registrant Country: GB
Administrative Contact Organization: Peter Llewellyn-Jones
Administrative Contact Name: Peter Llewellyn-Jones
Administrative Contact Address: no 43567 broad street
Administrative Contact City: england
Administrative Contact Postal Code: ch1 1lt
Administrative Contact Country: GB
Administrative Contact Email: kedenor@gmail.com
Administrative Contact Tel: +44 701 1130444
Administrative Contact Fax: +44 701 1130444
Technical Contact Organization: Technical Support
Technical Contact Name:
Technical Contact Address: Via A Ponti, 6
Technical Contact City: Bergamo
Technical Contact Postal Code: 24126
Technical Contact Country: IT
Technical Contact Email: support@register.it
Technical Contact Phone: +39 035 3230400
Technical Contact Fax: +39 035 3230312
Primary Name Server Hostname: NS1.REGISTER.IT
Secondary Name Server Hostname: NS2.REGISTER.IT
The "CH1 1LT" postcode given is the Chester Grosvenor Hotel but the rest of the address doesn't match and is clearly nonsense. The +44 701 1130444 number given looks like a UK number, but in fact it's a "follow me anywhere" number that is probably just forwarding to another number outside the UK.
Originating IP address is 206.47.199.87 which is well known for spam. Email address was harvested from a "free webspace provider".
Labels:
Money Mule,
Scams,
Spam
Friday, 23 January 2009
Asprox: dbrgf.ru
Another domain to look for in SQL injection attacks is dbrgf.ru, still calling script.js. Checking your proxy logs for ".ru/script.js" is a good idea at the moment.
It might also be worth checking for the string "google-analitycs" as the attacks redirect through a subdomain containing that mis-spelled phrase.
It might also be worth checking for the string "google-analitycs" as the attacks redirect through a subdomain containing that mis-spelled phrase.
Labels:
Asprox,
SQL Injection,
Trojans,
Viruses
Wednesday, 21 January 2009
Asprox: lijg.ru and dbrgf.ru
A fresh round of SQL injections seem to be on the march, with (at least) two new domains being injected into vulnerable sites: www.lijg.ru and www.dbrgf.ru, calling a script named script.js.
This script redirects through an IFRAME pointing to google-analitycs.lijg.ru, although the payload is unclear.
Including some older domains, the following list seem to be active, either calling script.js or style.js.
domain: LIJG.RU
type: CORPORATE
nserver: ns2.lijg.ru. 68.4.124.142
nserver: ns5.lijg.ru. 74.129.255.164
nserver: ns1.lijg.ru. 68.6.180.109
nserver: ns3.lijg.ru. 67.38.2.113
nserver: ns4.lijg.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN
domain: DBRGF.RU
type: CORPORATE
nserver: ns5.dbrgf.ru. 74.196.121.117
nserver: ns4.dbrgf.ru. 68.105.25.64
nserver: ns1.dbrgf.ru. 75.156.152.67
nserver: ns2.dbrgf.ru. 68.197.137.239
nserver: ns3.dbrgf.ru. 146.57.249.100
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN
This script redirects through an IFRAME pointing to google-analitycs.lijg.ru, although the payload is unclear.
Including some older domains, the following list seem to be active, either calling script.js or style.js.
- www.lijg.ru
- www.dbrgf.ru
- www.bnmd.kz
- www.nvepe.ru
- www.mtno.ru
- www.wmpd.ru
- www.msngk6.ru
- www.dft6s.kz
domain: LIJG.RU
type: CORPORATE
nserver: ns2.lijg.ru. 68.4.124.142
nserver: ns5.lijg.ru. 74.129.255.164
nserver: ns1.lijg.ru. 68.6.180.109
nserver: ns3.lijg.ru. 67.38.2.113
nserver: ns4.lijg.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN
domain: DBRGF.RU
type: CORPORATE
nserver: ns5.dbrgf.ru. 74.196.121.117
nserver: ns4.dbrgf.ru. 68.105.25.64
nserver: ns1.dbrgf.ru. 75.156.152.67
nserver: ns2.dbrgf.ru. 68.197.137.239
nserver: ns3.dbrgf.ru. 146.57.249.100
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN
Labels:
Asprox,
SQL Injection,
Trojans,
Viruses
Tuesday, 20 January 2009
"Soft Fund Ltd" scam
Soft Fund Ltd is a wholly legitimate Ukrainian company. This email claims to be from Soft Fund Ltd, but isn't.
The originating IP is 209.239.38.111. Two sample subject lines are "Not give a convenient time for you extra income" and "We work closely together! Additional income for you!". Avoid.
From: support.softfund@gmail.comAlexander Feigin is a director of the REAL Soft Fund Ltd, but this email is completely fake. It is a standard money mule scam, one of many pretending to be from legitimate IT firms in the Ukraine. Soft Fund Ltd have nothing to do with the email, and you should not respond to it.
Hello Sir/Madam.
I Alex Feigin,
Director of Soft Fund Ltd specializes in innovative IT solutions and complex software projects development.
My company based in Ukraine. We've earned ourselves a reputation of a reliable and trustworthy partner working successfully with a number of West European companies and providing them with reliable software development services in financial and media sectors. Unfortunately we are currently facing some difficulties with receiving payments for our services. It usually takes us 10-30 days to receive a payment and clearing from your country and such delays are harmful to our business. We do not have so much time to accept every wire transfer.
That's why we are currently looking for partners in your country to help us accept and process these payments faster. If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and forwarding them to us. It is not a full-time job, but rather a very convenient and fast way to receive additional income. We also consider opening an office in your country in the nearest future and you will then have certain privileges should you decide to apply for a full-time job. Please if you are interested in transacting business with us we will be very glad.
Please contact me for more information via email: SoftFundjob@gmail.com
and send us the following information about yourself:
1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age
Please respond and we will provide you with additional details on how you can become our representative. Joining us and starting business today will cost you nothing and you will be able to earn a bit of extra money fast and easy. Should you have any questions, please feel free to contact us with all your questions.
Thank you,
Director
Alex Feigin ,
Soft Fund Ltd
The originating IP is 209.239.38.111. Two sample subject lines are "Not give a convenient time for you extra income" and "We work closely together! Additional income for you!". Avoid.
Labels:
Money Mule,
Scams,
Spam,
Ukraine
"Polish fine art studio" scam
Is this a money mule scam? A package reshipping scam? Something else? It's certainly a scam.. perhaps an art scam designed to process fraudulently obtained artwork. Jennifer's "from" address says "Max" and the email originates from 189.68.40.112 in Brazil.
Subject: I'm looking for somebody to replace me, A
Hello. I am really sorry to bothering you. I am going to get married and leaving to my husband to Cyprus. I have been working with a reliable partner from Poland for 2 years. I had an additional income of 2.000$-4.000$ per month. Because I am not going to live in the USA I offer my friends to cover this position. I have sent emails to all contacts in my address-book. In the USA I was a representative of a Polish fine art studio. I'm not an artist and don't know a lot about it. I controlled pictures acceptance and customers' payments. I got rejected pictures and then I was sending them to other customers with discounts. Sometimes I had to do little things. 2% turnover award fee is usually was paid in addition to $2000.00 month earning , to keep the team spirit. Before Christmas I earned over $5.000,00. If you are interested, please send your CV and Cover Letter directly to the manager at e-mail vitoldklepatski73@gmail.com . I'll be very pleased if you or somebody of your relatives or friends get this position, but not a strange person from an employment agency. When I first walked in it seemed to me that this work is very difficult, but it is not like that, this is very easy job and they showed and taught me everything about my job, and it took me 2 days to learn. People are very nice there and helpful. I think you don't have to miss an opportunity like this. My Best Regards to you my friends and I hope your had a great holidays.
Good luck! Jennifer
Amusing 419 from "EFCC Investigation Office Nigeria"
A novel take on the 419 scam:
Subject: DID YOU AUTHORIZE MR. JOHN WHEELER FOR YOUR FUND CLAIMS
From: Mooreh Rose {mrsrosemooreh44@yahoo.com.hk}
Date: Tue, January 20, 2009 10:51 am
- Attention; Beneficiary, I am Mrs. Rose Moore (Assistance) Chairman from Efcc Investigation Office Nigeria, there is presently a counter claims on your funds by one MR.JOHN WHEELER, who is presently trying to make us believe that you are dead and even explained that you entered into an agreement with him, to help you in receiving your fund, So here comes the big question. Did you sign any Deed of Assignment in favor of (JOHN WHEELER). thereby making him the current beneficiary
with his following account details: MR JOHN WHEELER, AC/NUMBER: 6503809428. ROUTING/122006743, B/NAME:CITI BANK, ADDRESS:NEW YORK,USA, we shall proceed to issue all payments details to the said Mr. John Wheeler, if we do not hear from you within
the next two working days from today Thanks Mrs. Rose Moore (Assistance) Chairman Efcc Investigation Office Nigeria
Clearly if I was dead then I wouldn't be reading the email. Just to wind this particular scammer up, I replied with the one word "yes". That should confuse them.
Originating IP is 83.138.172.72 which seems to be a favourite with 419ers.
Friday, 16 January 2009
Spamcop.net phish
Here's a phish being sent to Spamcop webmail users - the approach has also been used for other webmail systems, so it isn't just Spamcop being targeted:
Replying to the email gives a reply-to address of account_up_grade@hotmail.com and the originating IP is 216.241.36.13.
Subject: UPDATE YOUR SPAMCOP.NET ACCOUNT NOW
From: "spamcop.net webmail update" {info@yahoo.com}
Dear spamcop.net E-mail owners,
This message is from spamcop.net messaging center to all our email account
owners.
We are currently upgrading our data base and e-mail center due to an unusual
activities identified in our email system. We are de-activating all unused
spamcop.net accounts to create space for new accounts. To prevent your account
from being de-activated, you will have to verify your webmail account by
confirming your Webmail identity So that we will know that it's presently a
used account. We have been sending this notice to all our email account owners
and this is the last notice/verification exercise.
CONFIRM YOUR EMAIL IDENTITY BELOW
Last Name: ...........
Username: .......... .
Password : ...........
YOU ARE REQUIRED TO SEND THESE DETAILS TO THE UPDATE TEAM BY SIMPLY
REPLYING TO THIS EMAIL WITH THE REQUESTED DETAILS.
Warning!!! Account owners who fails to update his or her account on receiving
this notice might loose his or her account.
Warning Code:VX2G99AAJ.spamcop.net
Thank you.
"SPAMCOP.NET IT TEAM"
Replying to the email gives a reply-to address of account_up_grade@hotmail.com and the originating IP is 216.241.36.13.
Wednesday, 14 January 2009
MS09-001 prognosis. Install it now? Leave it for later?
It's patch Tuesday again, with just a single update from Microsoft: MS09-001.
If you are administering a corporate network, then the question that you probably ask yourself each week is "do I need to patch my servers"?
The prognosis for this one seems to be.. "maybe". Microsoft's own bulletin summary gives MS09-001 an exploitability index of "3 - Functioning exploit code unlikely". But the flaw itself is rated "Critical" and could lead to remote code execution.. so there is a low probability of a very serious exploit.
It turns out that it is much more likely that an attempted attack using MS09-001 would blue screen the target system - and that is more likely to be a worry, especially on delicate servers. The Microsoft Security blog has a good writeup and recommends the following priorities:
Some further reading gives mixed signals: Sophos labels this as a medium threat, SC Magazine reports differing opinions, ZDnet also mentions the denial of service risk, ISC rates it as "Critical" but not "Patch now".
Given that it doesn't take long for the bad guys to implement an exploit for these flaws, and the recent well-publicised spread of the Downadup / Conficker worm then perhaps Microsoft's advice is very pertinent - start by protecting those systems that would suffer the most if they crashed, but there is perhaps not the urgency of the MS08-067 patch that came late last year.
If you are administering a corporate network, then the question that you probably ask yourself each week is "do I need to patch my servers"?
The prognosis for this one seems to be.. "maybe". Microsoft's own bulletin summary gives MS09-001 an exploitability index of "3 - Functioning exploit code unlikely". But the flaw itself is rated "Critical" and could lead to remote code execution.. so there is a low probability of a very serious exploit.
It turns out that it is much more likely that an attempted attack using MS09-001 would blue screen the target system - and that is more likely to be a worry, especially on delicate servers. The Microsoft Security blog has a good writeup and recommends the following priorities:
In terms of prioritizing the deployment of this update, we recommend updating SMB servers and Domain Controllers immediately since a system DoS would have a high impact. Other configurations should be assessed based on the role of the machine. For example, non-critical workstations could be considered lower priority assuming a system DoS is an acceptable risk. Systems with SMB blocked at the host firewall could also be updated more slowly.
Some further reading gives mixed signals: Sophos labels this as a medium threat, SC Magazine reports differing opinions, ZDnet also mentions the denial of service risk, ISC rates it as "Critical" but not "Patch now".
Given that it doesn't take long for the bad guys to implement an exploit for these flaws, and the recent well-publicised spread of the Downadup / Conficker worm then perhaps Microsoft's advice is very pertinent - start by protecting those systems that would suffer the most if they crashed, but there is perhaps not the urgency of the MS08-067 patch that came late last year.
Tuesday, 13 January 2009
"SLG-Logistics Company" scam
Not to be confused with the legitimate S L G Logistics Ltd based in the UK, "SLG-Logistics Company" is a wholly bogus outfit, probably offering a job in money laundering, parcel reshipping or another criminal enterprise.
Originating IP is 87.205.253.77 in Poland, "from" address is Singapore and doesn't match the name or address in the email. A pretty poor attempt overall.
Originating IP is 87.205.253.77 in Poland, "from" address is Singapore and doesn't match the name or address in the email. A pretty poor attempt overall.
Subject: Job opportunity
From: "Elma Ford" ncbk@pacific.net.sg
Hi, if you are interested in a well-paid part-time(2-3 hours a day) job in a large transportation & logistics company please contact me at e-mail:
pammorrison366@hotmail.com
With best regards,
Pamela Morrison,
Project manager,
SLG-Logistics Company.
Labels:
Job Offer Scams,
Money Mule,
Scams,
Spam
Tuesday, 6 January 2009
Ongoing injection attacks against Chinese domains
This looks like a case of the Chinese hacking the Chinese again, with a very large number of domains being injected into legitimate sites. Two IPs to block are 121.14.152.154 and 59.34.197.15. For most companies outside of AsiaPac it may well be feasible to block or monitor all traffic to .cn domains.
The following domains are being used in the injection attacks (there are probably many others in a similar format):
The following domains are being used in the injection attacks (there are probably many others in a similar format):
- Aznylsf.cn
- Bznylsf.cn
- Ccswzx3.cn
- Ccswzx9.cn
- Cznylsf.cn
- Eqw002.cn
- Eqw003.cn
- Eqw004.cn
- Eqw006.cn
- Eqw008.cn
- Eqw009.cn
- Eznylsf.cn
- Falaliee.cn
- Falaliii.cn
- Falalioo.cn
- Falaliqq.cn
- Falalitt.cn
- Fznylsf.cn
- Gznylsf.cn
- Hhj2.cn
- Hhj3.cn
- Hryspac.cn
- Hryspah.cn
- Hryspan.cn
- Hryspao.cn
- Hryspap.cn
- Hryspaq.cn
- Hryspav.cn
- Hznylsf.cn
- Iznylsf.cn
- Jym562.cn
- Jzll-1.cn
- Jzll-2.cn
- Jzll-4.cn
- Jzll-9.cn
- Jznylsf.cn
- Kznylsf.cn
- Rxgsslla.cn
- Rxgsslld.cn
- Rxgsslll.cn
- Rxgssllt.cn
- Sllanmb.cn
- Sllbnmb.cn
- Slldnmb.cn
- Sllinmb.cn
- Sznylsf.cn
- Tznylsf.cn
- Vvk2.cn
- Wrmfwa.cn
- Wrmfwb.cn
- Wrmfwc.cn
- Wrmfwd.cn
- Wrmfwe.cn
- Wrmfwf.cn
- Wrmfwg.cn
- Wrmfwi.cn
- Wrmfwj.cn
- Wrmfwl.cn
- Wrmfwn.cn
- Wrmfwo.cn
- Wrmfwp.cn
- Wrmfwq.cn
- Wrmfwt.cn
- Wrmfwu.cn
- Wrmfwz.cn
- Wxjyb.cn
- Wznylsf.cn
- Xznylsf.cn
- Yznylsf.cn
- Zdq004.cn
- Zdq005.cn
- Zdq009.cn
- Zdq010.cn
- Zgcgsslle.cn
- Zgcgssllf.cn
- Zghncsa.cn
- Zghncsi.cn
- Zghncsj.cn
- Zghncsl.cn
- Zghncsm.cn
- Zghncsp.cn
- Zghncsr.cn
- Zghncst.cn
- Zgynkmb.cn
- Zgynkmd.cn
- Zgynkmf.cn
- Zgynkmg.cn
- Zgynkmk.cn
- Zgynkms.cn
- Zznylsf.cn
Labels:
SQL Injection,
Viruses
Monday, 5 January 2009
"Dating Service" bogus job offer
This is most likely a money mule operation, or perhaps one of those sophisticated scams where the bad guys recruit a whole virtual office staff to run the scam for them. Either way, avoid at all costs.
Subject: Available positions for new year. Reg.ID: SGF-SF7S8
To Your Attention,
Dating Service announces new job openings in 2009:
Part time employment is now available in our company for USA people.
Feel free to request an application by e-mailing us only at: Dating.Srvc@gmail.com
Best Regards,
Dating Service
Labels:
Dating Scams,
Job Offer Scams,
Scams,
Spam
Sunday, 4 January 2009
"Your new e-mail has been successfuly added" PayPal phish
A slightly different approach from the usual PayPal phish rubbish:
Subject: Your new e-mail has been successfuly addedQuite when PayPal started to send email from a vodafone.net account passed me by. The phish jumps through two legitimate but compromised web sites at ol4b.com and imuze.co.uk before it hits a standard PayPal phishing page. It looks like joemontgo85@sbcglobal.net might be consistent for this spam run though.
From: "service@paypal.com" noreply@vodafone.net
Dear PayPal member,
You have added joemontgo85@sbcglobal.net as a new email address for your PayPal account.
If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, submit the form attached to your email in order to keep your original email and restore your PayPal account.
Thank you for using PayPal!
The PayPal Team
Please do not reply to this email.
This mailbox is not monitored and you will not receive a response.
----------------------------------------------------------------------------------------
Copyright © 1999-2009 PayPal. All rights reserved.
PayPal Email ID PP007
Friday, 2 January 2009
"podmena traffica test" spam
There seem to be some strange spam emails doing the rounds, with a body text of "podmena traffica test".. what gives?
It makes a bit more sense if you transliterate it into Cyrillic, which leaves you with a Russlish phrase "подмена трафика тест" and that simply translates as "spoofing traffic test".
The subject is a random spammy one, the originating IP looks like part of a botnet.
I'm pretty sure these are coming through "to" and "from" the same email address, so it may well be someone enumerating mailservers looking for SMTP spoofing protection.. in other words, testing addresses to see if they work and then recording the server's SMTP response.
Why? Who knows.. spammers don't usually care about efficiency if they are using a botnet, because they are not paying for bandwidth or equipment. These type of "probes" are seen sometimes and can be safely deleted.
It makes a bit more sense if you transliterate it into Cyrillic, which leaves you with a Russlish phrase "подмена трафика тест" and that simply translates as "spoofing traffic test".
The subject is a random spammy one, the originating IP looks like part of a botnet.
I'm pretty sure these are coming through "to" and "from" the same email address, so it may well be someone enumerating mailservers looking for SMTP spoofing protection.. in other words, testing addresses to see if they work and then recording the server's SMTP response.
Why? Who knows.. spammers don't usually care about efficiency if they are using a botnet, because they are not paying for bandwidth or equipment. These type of "probes" are seen sometimes and can be safely deleted.
Labels:
Spam
Monday, 29 December 2008
SQL injection: msngk6.ru, dft6s.kz and mcuve.cn
A new bunch of domains being used in SQL injection attacks at the moment:
Check your proxy logs for .cn/1.js and .ru/style.js plus .kz/style.js to keep on top of these. It is often worth monitoring all traffic to .cn, .ru and .kz domains for manual review.
- www.msngk6.ru
- www.dft6s.kz
domain: MSNGK6.RUThe domain mcuve.cn is different, calling 1.js. This is related to the recent 17gamo.com domain which exploits a number of things including this recent IE7 vulnerability.
type: CORPORATE
nserver: ns2.msngk6.ru. 75.63.155.106
nserver: ns3.msngk6.ru. 146.57.249.100
nserver: ns1.msngk6.ru. 76.240.151.177
nserver: ns4.msngk6.ru. 24.247.215.75
state: REGISTERED, DELEGATED
person: Aleksandr A Zamaraev
phone: +7 495 7412992
e-mail: zamaraev@namebanana.net
registrar: NAUNET-REG-RIPN
created: 2008.12.17
paid-till: 2009.12.17
source: TC-RIPN
Check your proxy logs for .cn/1.js and .ru/style.js plus .kz/style.js to keep on top of these. It is often worth monitoring all traffic to .cn, .ru and .kz domains for manual review.
Labels:
Asprox,
SQL Injection,
Trojans,
Viruses
Monday, 22 December 2008
Asprox SQL injections are back
The Silent Noise blog reports that a fresh round of SQL injection attacks by the Asprox crew are under way. They seem to be using a variety of .ru and .kz domain names, although at the moment they all redirect to 79.135.168.18 in the Lebanon.. the whole 79.135.168.* block is pretty bad and has been covered here before.
Currently active domains are:
inetnum: 79.135.168.0 - 79.135.168.255The endpoint appears to be a PDF exploit running on 79.135.168.18 - it's worth blocking or checking for anyaccess to this server, and also check your logs for accesses to ".kz/style.js" and ".ru/style.js" too.
netname: LB-NET
descr: Lebanon private dedicated service
country: LB
admin-c: MHB1111-RIPE
tech-c: MHB1111-RIPE
remarks: abuse mailbox: moh.b@lubnannetworks.biz
status: ASSIGNED PA
mnt-by: SISTEM-NET-MNT
source: RIPE # Filtered
person: Mohamed Baga
address: Basha Garden bldg, 5th floor LB
address: Jisr El Bacha Main Road
address: Beirut - Lebanon
e-mail: moh.b@lubnannetworks.biz
remarks: abuse mailbox: moh.b@lubnannetworks.biz
phone: +961 1 512341
nic-hdl: MHB1111-RIPE
source: RIPE # Filtered
route: 79.135.160.0/19
descr: Sistemnet Telecom
origin: AS44097
mnt-by: Sistem-Net-MNT
source: RIPE # Filtered
Currently active domains are:
- www.bnmd.kz
- www.nvepe.ru
- www.mtno.ru
- www.wmpd.ru
- frontweb.vuse.vanderbilt.edu (Vanderbilt University)
- maryvillecollege.edu (Maryville College)
- guildford.ac.uk (Guildford University)
- many .gov.ar (Argentina) and .gov.cn (China) sites
- navigationusa.com (Online retailer)
- worldcricketstore.com (Online retailer)
Labels:
Asprox,
SQL Injection
Subscribe to:
Posts (Atom)