UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.

#1 Posted to uk.d-i-y
Idle fun for net hackers..

I got a phishing email today.

Told me to click on the HTML and sort out my bank.

A bit of inspection of the attached code showed that it wanted me, using
a direct copy of my bank's login page, to submit my details to a machine
in Australia. Registered address was a Richard someone or other.

Armed with the IP address of said spammer's machine, I managed to
ascertain it was running a mail system. Better still, it accepted mail
to 'root@localhost' (most machines will).

He has mail..

I do have under development on a centrally located server with
gigabytes of bandwidth a mail client that will send mail to any IP
address directly..the thought of flooding his mailbox with 1000 mails a
second appeals..

OTOH I may just register the IP address with spamhaus

:-(

#2 Posted to uk.d-i-y

On Feb 23, 2:00 pm, The Natural Philosopher wrote:
I got a phishing email today.

Told me to click on the HTML and sort out my bank.

A bit of inspection of the attached code showed that it wanted me, using
a direct copy of my bank's login page, to submit my details to a machine
in Australia. Registered address was a Richard someone or other.

Armed with the IP address of said spammer's machine, I managed to
ascertain it was running a mail system. Better still, it accepted mail
to 'root@localhost' (most machines will).

He has mail..

I do have under development on a centrally located server with
gigabytes of bandwidth a mail client that will send mail to any IP
address directly..the thought of flooding his mailbox with 1000 mails a
second appeals..

OTOH I may just register the IP address with spamhaus

:-(


was poor Richard directly responsible or had his domain been hacked by
miscreants?

Jim K
#3 Posted to uk.d-i-y

On Feb 23, 2:13 pm, Jim K wrote:


was poor Richard directly responsible or had his domain been hacked by
miscreants?

Jim K


If "poor Richard" has been hacked receipt of 1000 mails a second might
make him more careful with his system security in future.

#4 Posted to uk.d-i-y

On Feb 23, 3:01 pm, 82045 wrote:
On Feb 23, 2:13 pm, Jim K wrote:



was poor Richard directly responsible or had his domain been hacked by
miscreants?


Jim K


If "poor Richard" has been hacked receipt of 1000 mails a second might
make him more careful with his system security in future.


More likely poor Richard doesn't have a clue what's going on, and will
simply have to abandon the email addy altogether.


NT
#5 Posted to uk.d-i-y

Jim K wrote:
On Feb 23, 2:00 pm, The Natural Philosopher wrote:
I got a phishing email today.

Told me to click on the HTML and sort out my bank.

A bit of inspection of the attached code showed that it wanted me, using
a direct copy of my bank's login page, to submit my details to a machine
in Australia. Registered address was a Richard someone or other.

Armed with the IP address of said spammer's machine, I managed to
ascertain it was running a mail system. Better still, it accepted mail
to 'root@localhost' (most machines will).

He has mail..

I do have under development on a centrally located server with
gigabytes of bandwidth a mail client that will send mail to any IP
address directly..the thought of flooding his mailbox with 1000 mails a
second appeals..

OTOH I may just register the IP address with spamhaus

:-(


was poor Richard directly responsible or had his domain been hacked by
miscreants?


well that's up to him to sort out.

But the machine looked pretty tight to me.



Jim K



#6 Posted to uk.d-i-y

82045 wrote:
On Feb 23, 2:13 pm, Jim K wrote:

was poor Richard directly responsible or had his domain been hacked by
miscreants?

Jim K


If "poor Richard" has been hacked receipt of 1000 mails a second might
make him more careful with his system security in future.

Precisely so.
#7 Posted to uk.d-i-y

NT wrote:
On Feb 23, 3:01 pm, 82045 wrote:
On Feb 23, 2:13 pm, Jim K wrote:



was poor Richard directly responsible or had his domain been hacked by
miscreants?
Jim K

If "poor Richard" has been hacked receipt of 1000 mails a second might
make him more careful with his system security in future.


More likely poor Richard doesn't have a clue what's going on, and will
simply have to abandon the email addy altogether.



Dear boy it was not an 'email addy' it was a physical linux machine.
And it was where, if I had been stupid enough to fall for the scam, the
supplied form would have sent my bank account details and password.

Now Richard may be entirely innocent, but if he is, his machine is
running a lot of code he doesn't know about, including a whole webserver
and set of PHP scripts.






NT

#8 Posted to uk.d-i-y

Tim Streater wrote:
In article
,
NT wrote:

On Feb 23, 3:01 pm, 82045 wrote:
On Feb 23, 2:13 pm, Jim K wrote:


was poor Richard directly responsible or had his domain been hacked by
miscreants?


If "poor Richard" has been hacked receipt of 1000 mails a second might
make him more careful with his system security in future.


More likely poor Richard doesn't have a clue what's going on, and will
simply have to abandon the email addy altogether.


The OP said that Richard was running a mail server.


He was running a web server to gather phished data.

In which case if he
set that up, he should know better. If he didn't, and he's just a bot,
then 1000 mails a second should fill his disk up PDQ and the machine
will fall over.


Look, it seems that people don't actually understand this scam.

A letter arrives. It appears to come from - let's say -


One giveaway is it isn't addressed directly to you, by name.

It tells you to click on the attached html form and fill it out.

This form takes 99% of your own bank's website, but with one crucial
difference: instead of submitting the form to your bank, it submits it
to the phishing web server. I didn't try doing that to see what would
happen.

e.g. in it is this line

<form name="form1" action="http://www.drabcdfirstaid.com.au/.images/a.php" method="post">

At that point whatever you keyed in is now available to the phisher.

Anyway, I identified that server, and discovered it would accept emails.

#whois drabcdfirstaid.com.au
Domain Name: drabcdfirstaid.com.au
Last Modified: 30-Aug-2011 10:55:39 UTC
Registrar ID: NetRegistry
Registrar Name: NetRegistry
Status: ok

Registrant: LLOYD, RICHARD MILES
Eligibility Type: Sole Trader
Eligibility ID: ABN 35521483210
......

so

#telnet www.drabcdfirstaid.com.au 25
Trying 64.251.30.196...
Connected to drabcdfirstaid.com.au.
Escape character is '^]'.
220 spxxxx.int.infolink.com ESMTP Postfix (Ubuntu)

tells me it's an Ubuntu machine running Postfix mail. Now I know that if I
carry on with this telnet into the SMTP port, it's very likely that
root@localhost will be accepted as a direct recipient into the root
user's mailbox.

So I sent one. And it was.

The email came via an Oregon ISP. From a completely different source
entirely.

Now it's possible, looking at the above, that poor old Richard doesn't know
he has a nasty file stuffed in a hidden directory (.image) on his web
server.

OTOH I did not do anything nasty. He knows he's been violated at one
level or another so if he doesn't get down and check his server out, and
see lots of unusual access, he's a first grade dope anyway.
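The check the posts above describe by hand (open the attachment, find the form, see where it submits), written up as an added example that is not the poster's code. It parses a saved HTML attachment, reports any form whose target is not the bank you expect, flags a relative target (which from a file:// page can only hit the local disk), and flags a dot-directory in the target path like the /.images/ seen in the thread. The sample attachment and the bank host www.examplebank.example are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, modelled on the form line quoted in the thread: a copy
# of a bank's login page in which the only foreign reference is the form target.
SAMPLE_ATTACHMENT = """
<html><head><title>Online Banking - Log in</title></head>
<body>
<img src="https://www.examplebank.example/logo.png">
<form name="form1" action="http://www.drabcdfirstaid.com.au/.images/a.php" method="post">
  User ID: <input name="userid">
  Passcode: <input type="password" name="passcode">
  <input type="submit" value="Log in">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect each form's action and method and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_host(action):
    """Host a form action points at, or None for a relative target."""
    return urlsplit(action).hostname


def hidden_path_component(action):
    """True if the target path has a dot-prefixed ('hidden') directory, as in /.images/."""
    return any(p.startswith(".") for p in urlsplit(action).path.split("/") if p)


def audit_attachment(html, expected_host):
    """Return findings for forms that would send input anywhere but expected_host.

    expected_host is the legitimate login host the page pretends to be (an
    assumption: you know which bank the email impersonates).  A relative action
    is flagged too: opened from a file:// attachment it can only resolve to the
    local disk, never to the bank.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        action, host = f["action"], form_host(f["action"])
        what = "credentials" if f["has_password"] else "input"
        if host is None:
            findings.append(f"form posts {what} to relative target {action!r}, "
                            "which cannot reach the bank from a saved attachment")
            continue
        if host != expected_host.lower():
            findings.append(f"form {f['method'].upper()}s {what} to {host} over "
                            f"{urlsplit(action).scheme} (expected {expected_host})")
        if hidden_path_component(action):
            findings.append(f"form target {action} lives under a dot-directory, "
                            "a common sign of a file dropped on a compromised host")
    return findings


if __name__ == "__main__":
    for finding in audit_attachment(SAMPLE_ATTACHMENT, "www.examplebank.example"):
        print(finding)
```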

#9 Posted to uk.d-i-y

On 23/02/2012 15:53, NT wrote:
More likely poor Richard doesn't have a clue what's going on, and will
simply have to abandon the email addy altogether.


You may call him Richard, we'll just call him Dick.

Andy
#10 Posted to uk.d-i-y

On Feb 23, 8:46 pm, Andy Champ wrote:
On 23/02/2012 15:53, NT wrote:

More likely poor Richard doesn't have a clue what's going on, and will
simply have to abandon the email addy altogether.


You may call him Richard, we'll just call him Dick.

Andy


or Dick Unwittington perchance?

Jim K


#11 Posted to uk.d-i-y

The Natural Philosopher :
Tim Streater wrote:
In article
oups.com,
NT wrote:

On Feb 23, 3:01 pm, 82045 wrote:
On Feb 23, 2:13 pm, Jim K wrote:


was poor Richard directly responsible or had his domain been hacked by
miscreants?


If "poor Richard" has been hacked receipt of 1000 mails a second might
make him more careful with his system security in future.

More likely poor Richard doesn't have a clue what's going on, and will
simply have to abandon the email addy altogether.

The OP said that Richard was running a mail server.


He was running a web server to gather phished data.

In which case if he
set that up, he should know better. If he didn't, and he's just a
bot, then 1000 mails a second should fill his disk up PDQ and the
machine will fall over.


Look, it seems that people don't actually understand this scam.

A letter arrives. It appears to come from - let's say - customer-


One giveaway is it isn't addressed directly to you, by name.

It tells you to click on the attached html form and fill it out.


Do I understand you correctly, that some e-mail clients will accept an
HTML form and enable you to complete and submit it without it being
displayed in your browser? That sounds scary. I ask because my mail
client won't do anything like that, I'm sure.

--
Mike Barnes
#12 Posted to uk.d-i-y

In article , Mike Barnes writes
Do I understand you correctly, that some e-mail clients will accept an
HTML form and enable you to complete and submit it without it being
displayed in your browser? That sounds scary. I ask because my mail
client won't do anything like that, I'm sure.


For very many people, their email client is a web browser.


Adrian
--
To Reply :
replace "news" with "adrian" and "nospam" with "ffoil"
Sorry for the rigmarole, If I want spam, I'll go to the shops
Every time someone says "I don't believe in trolls", another one dies.
#13 Posted to uk.d-i-y

Tim Streater :
In article ,
Mike Barnes wrote:

The Natural Philosopher :
Tim Streater wrote:
In article
oups.com,
NT wrote:

On Feb 23, 3:01 pm, 82045 wrote:
On Feb 23, 2:13 pm, Jim K wrote:

was poor Richard directly responsible or had his domain been hacked by
miscreants?

If "poor Richard" has been hacked receipt of 1000 mails a second might
make him more careful with his system security in future.

More likely poor Richard doesn't have a clue what's going on, and will
simply have to abandon the email addy altogether.
The OP said that Richard was running a mail server.

He was running a web server to gather phished data.

In which case if he
set that up, he should know better. If he didn't, and he's just a
bot, then 1000 mails a second should fill his disk up PDQ and the
machine will fall over.


Look, it seems that people don't actually understand this scam.

A letter arrives. It appears to come from - let's say - customer-


One giveaway is it isn't addressed directly to you, by name.

It tells you to click on the attached html form and fill it out.

Do I understand you correctly, that some e-mail clients will accept an
HTML form and enable you to complete and submit it without it being
displayed in your browser? That sounds scary. I ask because my mail
client won't do anything like that, I'm sure.


No, there is an attachment to the email. You are encouraged to open it
and if you do your browser does so and runs it as a local file. It will
be a very good facsimile of some bank or other (I've had Barclays and
NatWest in the last few days) and it asks for all your bank details.
When you click submit your browser sends all that to the phisher.


I see, thanks. So, nothing like an address in your browser window that
tells you that the form didn't come from a trusted domain.

--
Mike Barnes
#14 Posted to uk.d-i-y

Mike Barnes wrote:
The Natural Philosopher :
Tim Streater wrote:
In article
oups.com,
NT wrote:

On Feb 23, 3:01 pm, 82045 wrote:
On Feb 23, 2:13 pm, Jim K wrote:
was poor Richard directly responsible or had his domain been hacked by
miscreants?
If "poor Richard" has been hacked receipt of 1000 mails a second might
make him more careful with his system security in future.
More likely poor Richard doesn't have a clue what's going on, and will
simply have to abandon the email addy altogether.
The OP said that Richard was running a mail server.

He was running a web server to gather phished data.

In which case if he
set that up, he should know better. If he didn't, and he's just a
bot, then 1000 mails a second should fill his disk up PDQ and the
machine will fall over.

Look, it seems that people don't actually understand this scam.

A letter arrives. It appears to come from - let's say - customer-


One giveaway is it isn't addressed directly to you, by name.

It tells you to click on the attached html form and fill it out.


Do I understand you correctly, that some e-mail clients will accept an
HTML form and enable you to complete and submit it without it being
displayed in your browser? That sounds scary. I ask because my mail
client won't do anything like that, I'm sure.

No, clicking on the form WOULD have invoked my browser and looked like I
was logging in to my bank. And after pressing the button, would have
taken me TO my bank, and possibly even logged me in there as well. I
didn't try it!

BUT my login details would have been stolen on the way.


#16 Posted to uk.d-i-y

On Thu, 23 Feb 2012 23:04:06 +0000, Tim Streater wrote:

[-snip-]

No, there is an attachment to the email. You are encouraged to open it
and if you do your browser does so and runs it as a local file. It will
be a very good facsimile of some bank or other (I've had Barclays and
NatWest in the last few days) and it asks for all your bank details.
When you click submit your browser sends all that to the phisher.

The clue is that it doesn't mention your name, it says "Dear Valued
Customer", and also actual banks NEVER send out mails asking you to
complete such forms.


They *should* never do this. However, IME, banks do sometimes do
stupid things.

--
(\__/) M.
(='.'=) If a man stands in a forest and no woman is around
(")_(") is he still wrong?

#18 Posted to uk.d-i-y

The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Look, it seems that people don't actually understand this scam.

A letter arrives. It appears to come from - let's say - customer-


One giveaway is it isn't addressed directly to you, by name.

It tells you to click on the attached html form and fill it out.
Do I understand you correctly, that some e-mail clients will accept an
HTML form and enable you to complete and submit it without it being
displayed in your browser? That sounds scary. I ask because my mail
client won't do anything like that, I'm sure.

No, clicking on the form WOULD have invoked my browser and looked like
I was logging in to my bank.

Presumably it would have looked like you were logging in to your bank
only if you ignored the browser's address bar when the form was
displayed.


The form was attached to the email so was in fact in my inbox. I am not
sure what the location bar says with a file.


Something relatively meaningless such as "file://C|/temp/1h23.html" I
would think.

As I said the ONLY place where the 'foreign' web site was mentioned was
as a FORM target.


What's relevant is not where the foreign site address was or was not
displayed, but the fact that the real site's address *wasn't* displayed
in the address bar. Neither was the secure site padlock displayed. So it
really didn't look like you were logging in to your bank, if you were
looking in the right places.

--
Mike Barnes
#19 Posted to uk.d-i-y

Mike Barnes wrote:
The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Look, it seems that people don't actually understand this scam.

A letter arrives. It appears to come from - let's say - customer-


One giveaway is it isn't addressed directly to you, by name.

It tells you to click on the attached html form and fill it out.
Do I understand you correctly, that some e-mail clients will accept an
HTML form and enable you to complete and submit it without it being
displayed in your browser? That sounds scary. I ask because my mail
client won't do anything like that, I'm sure.

No, clicking on the form WOULD have invoked my browser and looked like
I was logging in to my bank.
Presumably it would have looked like you were logging in to your bank
only if you ignored the browser's address bar when the form was
displayed.

The form was attached to the email so was in fact in my inbox. I am not
sure what the location bar says with a file.


Something relatively meaningless such as "file://C|/temp/1h23.html" I
would think.


file:/tmp./lloyds-bank.html actually

As I said the ONLY place where the 'foreign' web site was mentioned was
as a FORM target.


What's relevant is not where the foreign site address was or was not
displayed, but the fact that the real site's address *wasn't* displayed
in the address bar. Neither was the secure site padlock displayed. So it
really didn't look like you were logging in to your bank, if you were
looking in the right places.


What you fail to realise is you fill out the form which is on your
computer, hit the submit button and it TAKES you - as far as you can
tell - TO your bank's real secure website. You wouldn't notice it took
you somewhere else that immediately redirected you to the real bank site.

Having stolen your login first.




#20 Posted to uk.d-i-y

dennis@home wrote:


"The Natural Philosopher" wrote in message
...


No, clicking on the form WOULD have invoked my browser and looked like
I was logging in to my bank. And after pressing the button, would have
taken me TO my bank, and possibly even logged me in there as well. I
didn't try it!

BUT my login details would have been stolen on the way.


Wouldn't it have triggered the cross site scripting prevention in the
browser?


There was no cross site scripting.




#21 Posted to uk.d-i-y

dennis@home wrote:



"Huge" wrote in message
...
On 2012-02-23, Tim Streater wrote:

What's to stop him being the phisher?


Nothing, but the chances are it's just a zombie.


It's a Linux machine, he probably doesn't know it can be hacked or what to
look for to ensure it hasn't been, like most Linux users.


Shall I bite?

Nah - it would be like fishing for trout in a barrel with a hand grenade...
--
Tim Watts
#22 Posted to uk.d-i-y



"Tim Watts" wrote in message
...
dennis@home wrote:


It's a Linux machine, he probably doesn't know it can be hacked or what to
look for to ensure it hasn't been, like most Linux users.


Shall I bite?


Bite? It's a statement of fact.


Nah - it would be like fishing for trout in a barrel with a hand
grenade...
--
Tim Watts


#23 Posted to uk.d-i-y

"dennis@home" :


"The Natural Philosopher" wrote in message
...


No, clicking on the form WOULD have invoked my browser and looked
like I was logging in to my bank. And after pressing the button,
would have taken me TO my bank, and possibly even logged me in there
as well. I didn't try it!

BUT my login details would have been stolen on the way.


Wouldn't it have triggered the cross site scripting prevention in the
browser?


No.

--
Mike Barnes
#24 Posted to uk.d-i-y

The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Look, it seems that people don't actually understand this scam.

A letter arrives. It appears to come from - let's say - customer-


One giveaway is it isn't addressed directly to you, by name.

It tells you to click on the attached html form and fill it out.
Do I understand you correctly, that some e-mail clients will accept an
HTML form and enable you to complete and submit it without it being
displayed in your browser? That sounds scary. I ask because my mail
client won't do anything like that, I'm sure.

No, clicking on the form WOULD have invoked my browser and looked like
I was logging in to my bank.
Presumably it would have looked like you were logging in to your bank
only if you ignored the browser's address bar when the form was
displayed.

The form was attached to the email so was in fact in my inbox. I am not
sure what the location bar says with a file.

Something relatively meaningless such as "file://C|/temp/1h23.html" I
would think.


file:/tmp./lloyds-bank.html actually

As I said the ONLY place where the 'foreign' web site was mentioned was
as a FORM target.

What's relevant is not where the foreign site address was or was not
displayed, but the fact that the real site's address *wasn't* displayed
in the address bar. Neither was the secure site padlock displayed. So it
really didn't look like you were logging in to your bank, if you were
looking in the right places.


What you fail to realise is you fill out the form which is on your
computer, hit the submit button and it TAKES you - as far as you can
tell - TO your bank's real secure website. You wouldn't notice it took
you somewhere else that immediately redirected you to the real bank
site.

Having stolen your login first.


Oh, I realise that.

What you don't seem to realise is that it's a seriously bad idea to type
your bank login details into a form without checking the form out first.
Even if the fake form hadn't redirected you to the real bank site, your
details could have been used to access your account before you realised
you'd been had.

--
Mike Barnes
#25 Posted to uk.d-i-y

dennis@home wrote:



"Tim Watts" wrote in message
...
dennis@home wrote:


It's a Linux machine, he probably doesn't know it can be hacked or what
to look for to ensure it hasn't been, like most Linux users.


Shall I bite?


Bite? It's a statement of fact.


In the parallel universe known as the Dennis Dimension...

Most people who run linux as a conscious decision (so I am not counting
phones, TVs etc) are far more likely to have nous than people who run
whatever it came with from the shop (some form of MS Windows unless it's an
Apple).

Therefore such people are usually more clueful. Many distros offer the same
auto updating as Windows and many have helpful auto configure scripts for
common services.

That would leave a fairly small number of people who are hand configuring a
system but are cocking it up.

A much smaller number of people than the set of people with zombied MS
Windows installations.
--
Tim Watts


#26 Posted to uk.d-i-y

Mike Barnes wrote:
The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Look, it seems that people don't actually understand this scam.

A letter arrives. It appears to come from - let's say - customer-


One giveaway is it isn't addressed directly to you, by name.

It tells you to click on the attached html form and fill it out.
Do I understand you correctly, that some e-mail clients will accept an
HTML form and enable you to complete and submit it without it being
displayed in your browser? That sounds scary. I ask because my mail
client won't do anything like that, I'm sure.

No, clicking on the form WOULD have invoked my browser and looked like
I was logging in to my bank.
Presumably it would have looked like you were logging in to your bank
only if you ignored the browser's address bar when the form was
displayed.

The form was attached to the email so was in fact in my inbox. I am not
sure what the location bar says with a file.
Something relatively meaningless such as "file://C|/temp/1h23.html" I
would think.

file:/tmp./lloyds-bank.html actually

As I said the ONLY place where the 'foreign' web site was mentioned was
as a FORM target.
What's relevant is not where the foreign site address was or was not
displayed, but the fact that the real site's address *wasn't* displayed
in the address bar. Neither was the secure site padlock displayed. So it
really didn't look like you were logging in to your bank, if you were
looking in the right places.

What you fail to realise is you fill out the form which is on your
computer, hit the submit button and it TAKES you - as far as you can
tell - TO your bank's real secure website. You wouldn't notice it took
you somewhere else that immediately redirected you to the real bank
site.

Having stolen your login first.


Oh, I realise that.

What you don't seem to realise is that it's a seriously bad idea to type
your bank login details into a form without checking the form out first.
Even if the fake form hadn't redirected you to the real bank site, your
details could have been used to access your account before you realised
you'd been had.


What you don't realise is that is exactly what I just said.
#27 Posted to uk.d-i-y


"The Natural Philosopher" wrote in message
...
snip

so

#telnet www.drabcdfirstaid.com.au 25
Trying 64.251.30.196...
Connected to drabcdfirstaid.com.au.
Escape character is '^]'.
220 spxxxx.int.infolink.com ESMTP Postfix (Ubuntu)

tells me it's an Ubuntu machine running Postfix mail. Now I know that if I
carry on with this telnet into the SMTP port, it's very likely that
root@localhost will be accepted as a direct recipient into the root user's
mailbox.

So I sent one. And it was.

snip

This tells me that you aren't in the habit of typing in SMTP at the
keyboard, or you could have confirmed the acceptance of the 'root@localhost'
address whilst connected to the server via Telnet.
Then again, I'd have to refresh my memory of the RFCs before attempting it
now :-)

Ah - rereading it may well be that you did as I suggested instead of sending
a separate email.

For those wondering if it was a mail address, a web server, whatever, a
standard server install of Ubuntu can give you the whole nine yards in one
go.
Possibly the person who set up the system was focussed on installing the web
server and hadn't realised he/she/it had also set up a working mail server
by default.
Then again all the incoming mail may be redirected to '/dev/null'.

Cheers

Dave R

--
No plan survives contact with the enemy.
[Not even bunny]

Helmuth von Moltke the Elder

(\__/)
(='.'=)
(")_(")

#28 Posted to uk.d-i-y

The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Mike Barnes wrote:
The Natural Philosopher :
Look, it seems that people don't actually understand this scam.

A letter arrives. It appears to come from - let's say - customer-


One giveaway is it isn't addressed directly to you, by name.

It tells you to click on the attached html form and fill it out.
Do I understand you correctly, that some e-mail clients will accept an
HTML form and enable you to complete and submit it without it being
displayed in your browser? That sounds scary. I ask because my mail
client won't do anything like that, I'm sure.

No, clicking on the form WOULD have invoked my browser and looked like
I was logging in to my bank.
Presumably it would have looked like you were logging in to your bank
only if you ignored the browser's address bar when the form was
displayed.

The form was attached to the email so was in fact in my inbox. I am not
sure what the location bar says with a file.
Something relatively meaningless such as "file://C|/temp/1h23.html" I
would think.

file:/tmp./lloyds-bank.html actually

As I said the ONLY place where the 'foreign' web site was mentioned was
as a FORM target.
What's relevant is not where the foreign site address was or was not
displayed, but the fact that the real site's address *wasn't* displayed
in the address bar. Neither was the secure site padlock displayed. So it
really didn't look like you were logging in to your bank, if you were
looking in the right places.

What you fail to realise is you fill out the form which is on your
computer, hit the submit button and it TAKES you - as far as you can
tell - TO your bank's real secure website. You wouldn't notice it took
you somewhere else that immediately redirected you to the real bank
site.

Having stolen your login first.

Oh, I realise that.
What you don't seem to realise is that it's a seriously bad idea to type
your bank login details into a form without checking the form out first.
Even if the fake form hadn't redirected you to the real bank site, your
details could have been used to access your account before you realised
you'd been had.


What you don't realise is that is exactly what I just said.


I don't think it is, but if you're saying you agree with me, I'll settle
for that.

--
Mike Barnes
#29 Posted to uk.d-i-y

David WE Roberts wrote:

"The Natural Philosopher" wrote in message
...
snip

so

#telnet www.drabcdfirstaid.com.au 25
Trying 64.251.30.196...
Connected to drabcdfirstaid.com.au.
Escape character is '^]'.
220 spxxxx.int.infolink.com ESMTP Postfix (Ubuntu)

tells me it's an Ubuntu machine running Postfix mail. Now I know that if
I carry on with this telnet into the SMTP port, it's very likely that
root@localhost will be accepted as a direct recipient into the root
user's mailbox.

So I sent one. And it was.

snip

This tells me that you aren't in the habit of typing in SMTP at the
keyboard, or you could have confirmed the acceptance of the
'root@localhost' address whilst connected to the server via Telnet.


I am and I did.


Then again, I'd have to refresh my memory of the RFCs before attempting
it now :-)

Ah - rereading it may well be that you did as I suggested instead of
sending a separate email.


Yup.


For those wondering if it was a mail address, a web server, whatever, a
standard server install of Ubuntu can give you the whole nine yards in
one go.
Possibly the person who set up the system was focussed on installing the
web server and hadn't realised he/she/it had also set up a working mail
server by default.
Then again all the incoming mail may be redirected to '/dev/null'.


Not usually. You want system error messages - usually from 'root' to
'root' to go somewhere.

That means you need at least a working smtp daemon that can accept mail
from local processes.


Now the choice you make is normally whether or not that should accept
smtp on its Ethernet (as opposed to loopback) interface. NORMALLY for a
personal machine you would not..BUT this machine is on a fixed IP
address on the internet. It probably is NOT at a domestic address.

It's running an internet web server.

have a look - http://www.drabcdfirstaid.com.au/ - there is no real web
site on that address. Only in the hidden directory '/.images/'

It looks like it has in fact either been compromised or it's been put
there to LOOK as though it's been compromised.

It is a vanilla ubuntu machine.

Possibly the twit didn't set his firewall up quick enough and someone
hacked in somehow.

Possibly he did it himself.

I know that in the 12 hours or so my virtual server was online before I
got it firewalled there were repeated attempts to guess login from many
sites all over the world. But none succeeded because it had no login
capability as first configured, beyond ssh.



Cheers

Dave R
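As an added illustration of the login-guessing traffic a fresh internet-facing host sees (example code, not from this thread), this Python script counts failed SSH password attempts per source address in OpenSSH auth.log lines and flags the noisy sources. The log lines and IP addresses are constructed samples, and the threshold of 3 is an assumption.

```python
"""Added example: spot password-guessing sources in OpenSSH auth.log lines.

The log lines below are constructed samples in the standard OpenSSH
"Failed password ..." / "Accepted publickey ..." format; nothing here is
taken from a real server.
"""
import re
from collections import Counter

# Matches OpenSSH's failed-password line, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one source hammering several account names,
# one single failure elsewhere, and one legitimate key-based login.
SAMPLE_AUTH_LOG = """\
Feb 25 10:01:02 vps sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 50111 ssh2
Feb 25 10:01:04 vps sshd[2203]: Failed password for invalid user oracle from 198.51.100.7 port 50112 ssh2
Feb 25 10:01:05 vps sshd[2205]: Failed password for root from 198.51.100.7 port 50113 ssh2
Feb 25 10:01:07 vps sshd[2207]: Failed password for root from 203.0.113.9 port 41001 ssh2
Feb 25 10:01:09 vps sshd[2209]: Accepted publickey for deploy from 192.0.2.10 port 22022 ssh2
Feb 25 10:01:11 vps sshd[2211]: Failed password for invalid user test from 198.51.100.7 port 50114 ssh2
"""


def failed_logins_by_ip(log_text):
    """Count failed password attempts per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def brute_force_sources(log_text, threshold=3):
    """Return the sorted list of IPs with at least `threshold` failures.

    The threshold is an assumed value for the demonstration; a real
    deployment would tune it (and add a time window) to its own traffic.
    """
    counts = failed_logins_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(SAMPLE_AUTH_LOG).most_common():
        print(f"{ip}: {n} failed attempts")
    print("flagged:", brute_force_sources(SAMPLE_AUTH_LOG))
```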

  #30



"The Natural Philosopher" wrote in message
...
David WE Roberts wrote:

"The Natural Philosopher" wrote in message
...
snip

so

#telnet www.drabcdfirstaid.com.au 25
Trying 64.251.30.196...
Connected to drabcdfirstaid.com.au.
Escape character is '^]'.
220 spxxxx.int.infolink.com ESMTP Postfix (Ubuntu)

tells me it's an Ubuntu machine running Postfix mail. Now I know that if I
carry on with this telnet into the SMTP port, it's very likely that
root@localhost will be accepted as a direct recipient into the root
user's mailbox.

So I sent one. And it was.

snip

This tells me that you aren't in the habit of typing in SMTP at the
keyboard, or you could have confirmed the acceptance of the
'root@localhost' address whilst connected to the server via Telnet.


I am and I did.


Then again, I'd have to refresh my memory of the RFCs before attempting
it now :-)

Ah - rereading it may well be that you did as I suggested instead of
sending a separate email.


Yup.


For those wondering if it was a mail address, a web server, whatever, a
standard server install of Ubuntu can give you the whole nine yards in
one go.
Possibly the person who set up the system was focussed on installing the
web server and hadn't realised he/she/it had also set up a working mail
server by default.
Then again all the incoming mail may be redirected to '/dev/null'.


Not usually. You want system error messages - usually from 'root' to
'root' to go somewhere.

That means you need at least a working smtp daemon that can accept mail
from local processes.


Now the choice you make is normally whether or not that should accept smtp
on its Ethernet (as opposed to loopback) interface. NORMALLY for a
personal machine you would not..BUT this machine is on a fixed IP address
on the internet. It probably is NOT at a domestic address.

It's running an internet web server.

have a look - http://www.drabcdfirstaid.com.au/ - there is no real web
site on that address. Only in the hidden directory '/.images/'

It looks like it has in fact either been compromised or it's been put there
to LOOK as though it's been compromised.

It is a vanilla ubuntu machine.

Possibly the twit didn't set his firewall up quick enough and someone
hacked in somehow.

Possibly he did it himself.

I know that in the 12 hours or so my virtual server was online before I
got it firewalled there were repeated attempts to guess login from many
sites all over the world. But none succeeded because it had no login
capability as first configured, beyond ssh.


But of course even if a machine receives an email it doesn't mean that a
user ever runs an email program to read it.

He may find out there is a message or two if he runs out of disk space and
he knows how to look in the first place.
Of course it's very easy to set up a web server/mail server on Ubuntu, there
are plenty of guides on how.
Almost anyone can do it, even someone who doesn't notice the mistakes he may
make and leave his machine vulnerable.
Even experts left their Ubuntu machines vulnerable for the best part of a year
~2010 due to a bug being reintroduced about 3 months after it had been
fixed. Some may still be compromised as the fix fixed the initial problem
but did nothing about anything that had been done to a compromised machine.



  #31

dennis@home wrote:


"The Natural Philosopher" wrote in message
...
David WE Roberts wrote:

"The Natural Philosopher" wrote in message
...
snip

so

#telnet www.drabcdfirstaid.com.au 25
Trying 64.251.30.196...
Connected to drabcdfirstaid.com.au.
Escape character is '^]'.
220 spxxxx.int.infolink.com ESMTP Postfix (Ubuntu)

tells me it's an Ubuntu machine running Postfix mail. Now I know that
if I carry on with this telnet into the SMTP port, it's very likely
that root@localhost will be accepted as a direct recipient into the
root user's mailbox.

So I sent one. And it was.
snip

This tells me that you aren't in the habit of typing in SMTP at the
keyboard, or you could have confirmed the acceptance of the
'root@localhost' address whilst connected to the server via Telnet.


I am and I did.


Then again, I'd have to refresh my memory of the RFCs before
attempting it now :-)

Ah - rereading it may well be that you did as I suggested instead of
sending a separate email.


Yup.


For those wondering if it was a mail address, a web server, whatever,
a standard server install of Ubuntu can give you the whole nine yards
in one go.
Possibly the person who set up the system was focussed on installing
the web server and hadn't realised he/she/it had also set up a
working mail server by default.
Then again all the incoming mail may be redirected to '/dev/null'.


Not usually. You want system error messages - usually from 'root' to
'root' to go somewhere.

That means you need at least a working smtp daemon that can accept
mail from local processes.


Now the choice you make is normally whether or not that should accept
smtp on its Ethernet (as opposed to loopback) interface. NORMALLY for
a personal machine you would not..BUT this machine is on a fixed IP
address on the internet. It probably is NOT at a domestic address.

It's running an internet web server.

have a look - http://www.drabcdfirstaid.com.au/ - there is no real web
site on that address. Only in the hidden directory '/.images/'

It looks like it has in fact either been compromised or it's been put
there to LOOK as though it's been compromised.

It is a vanilla ubuntu machine.

Possibly the twit didn't set his firewall up quick enough and someone
hacked in somehow.

Possibly he did it himself.

I know that in the 12 hours or so my virtual server was online before
I got it firewalled there were repeated attempts to guess login from
many sites all over the world. But none succeeded because it had no
login capability as first configured, beyond ssh.


But of course even if a machine receives an email it doesn't mean that a
user ever runs an email program to read it.


well I COULD send him so many it fills his disk..



He may find out there is a message or two if he runs out of disk space
and he knows how to look in the first place.
Of course it's very easy to set up a web server/mail server on Ubuntu,
there are plenty of guides on how.
Almost anyone can do it, even someone who doesn't notice the mistakes he
may make and leave his machine vulnerable.
Even experts left their Ubuntu machines vulnerable for the best part of
a year ~2010 due to a bug being reintroduced about 3 months after it had
been fixed. Some may still be compromised as the fix fixed the initial
problem but did nothing about anything that had been done to a
compromised machine.



Some of us are a bit more professional than that. I am not telling you
HOW I know my machine is not compromised, but I do.

  #32



"The Natural Philosopher" wrote in message
...

Some of us are a bit more professional than that. I am not telling you HOW
I know my machine is not compromised, but I do.


So you have put a chainsaw through it?

  #33

On 25/02/2012 20:28, dennis@home wrote:


"The Natural Philosopher" wrote in message
...

Some of us are a bit more professional than that. I am not telling you
HOW I know my machine is not compromised, but I do.


So you have put a chainsaw through it?


That works. Not much else does.

I _believe_ my machine is not compromised. I have a HW and a SW
firewall, it's patched up to date, I'm careful about what I do with it,
it exhibits no unusual behaviour - but I'm not certain.

I don't see how TNP can _know_ unless it's a machine so obscure that no
virus has ever been written for it. And that's pretty obscure.

Andy
  #34

On 24/02/2012 11:24, Mark wrote:

The clue is that it doesn't mention your name, it says "Dear Valued
Customer", and also actual banks NEVER send out mails asking you to
complete such forms.


They *should* never do this. However, IME, banks do sometimes do
stupid things.


Yes, like trying to get me to give them an e-mail address every time I
log on to do banking. If I know they don't have an e-mail address to
contact me there's no way I will ever receive an official bank
communication by e-mail.
:¬)

  #35


"Andy Champ" wrote in message
. uk...
On 25/02/2012 20:28, dennis@home wrote:


"The Natural Philosopher" wrote in message
...

Some of us are a bit more professional than that. I am not telling you
HOW I know my machine is not compromised, but I do.


So you have put a chainsaw through it?


That works. Not much else does.

I _believe_ my machine is not compromised. I have a HW and a SW firewall,
it's patched up to date, I'm careful about what I do with it, it exhibits
no unusual behaviour - but I'm not certain.

I don't see how TNP can _know_ unless it's a machine so obscure that no
virus has ever been written for it. And that's pretty obscure.



Turned off at the wall, and all cables unplugged? ;-)


--
No plan survives contact with the enemy.
[Not even bunny]

Helmuth von Moltke the Elder

(\__/)
(='.'=)
(")_(")



  #36

Andy Champ wrote:
On 25/02/2012 20:28, dennis@home wrote:


"The Natural Philosopher" wrote in message
...

Some of us are a bit more professional than that. I am not telling you
HOW I know my machine is not compromised, but I do.


So you have put a chainsaw through it?


That works. Not much else does.

I _believe_ my machine is not compromised. I have a HW and a SW
firewall, it's patched up to date, I'm careful about what I do with it,
it exhibits no unusual behaviour - but I'm not certain.

I don't see how TNP can _know_ unless it's a machine so obscure that no
virus has ever been written for it. And that's pretty obscure.


Well, those are your knowledge limits and I have mine.

I know.

Let's say that if anyone has broken in they have left no trace and
altered nothing. Or I would *know*. Which makes it 'not compromised'.

Hint: there is no such thing as an undetectable change.




Andy

  #37



"The Natural Philosopher" wrote in message
...
Andy Champ wrote:
On 25/02/2012 20:28, dennis@home wrote:


"The Natural Philosopher" wrote in message
...

Some of us are a bit more professional than that. I am not telling you
HOW I know my machine is not compromised, but I do.


So you have put a chainsaw through it?


That works. Not much else does.

I _believe_ my machine is not compromised. I have a HW and a SW
firewall, it's patched up to date, I'm careful about what I do with it,
it exhibits no unusual behaviour - but I'm not certain.

I don't see how TNP can _know_ unless it's a machine so obscure that no
virus has ever been written for it. And that's pretty obscure.


Well, those are your knowledge limits and I have mine.

I know.

Let's say that if anyone has broken in they have left no trace and altered
nothing. Or I would *know*. Which makes it 'not compromised'.

Hint: there is no such thing as an undetectable change.


So you don't know then!

  #38

On 26/02/12 20:58, The Natural Philosopher wrote:

Well, those are your knowledge limits and I have mine.

I know.

Let's say that if anyone has broken in they have left no trace and
altered nothing. Or I would *know*. Which makes it 'not compromised'.


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion. I think it's probably true
but it's not relevant here because the issue at hand isn't undetectable
change, but undetected change. The two are different.



--
Bernard Peek

  #39

dennis@home wrote:


"The Natural Philosopher" wrote in message
...
Andy Champ wrote:
On 25/02/2012 20:28, dennis@home wrote:


"The Natural Philosopher" wrote in message
...

Some of us are a bit more professional than that. I am not telling you
HOW I know my machine is not compromised, but I do.


So you have put a chainsaw through it?

That works. Not much else does.

I _believe_ my machine is not compromised. I have a HW and a SW
firewall, it's patched up to date, I'm careful about what I do with
it, it exhibits no unusual behaviour - but I'm not certain.

I don't see how TNP can _know_ unless it's a machine so obscure that
no virus has ever been written for it. And that's pretty obscure.


Well, those are your knowledge limits and I have mine.

I know.

Let's say that if anyone has broken in they have left no trace and
altered nothing. Or I would *know*. Which makes it 'not compromised'.

Hint: there is no such thing as an undetectable change.


So you don't know then!


Yes, I do.

  #40

Bernard Peek wrote:
On 26/02/12 20:58, The Natural Philosopher wrote:

Well, those are your knowledge limits and I have mine.

I know.

Let's say that if anyone has broken in they have left no trace and
altered nothing. Or I would *know*. Which makes it 'not compromised'.


Absence of evidence is not evidence of absence.


Hint: there is no such thing as an undetectable change.


I'd like to see evidence for that assertion.


Are you really stupid?

If a change makes no difference to anything, ipso facto, it is not a
change. All changes therefore must make a difference, and are therefore
detectable.



I think it's probably true
but it's not relevant here because the issue at hand isn't undetectable
change, but undetected change. The two are different.



Right. Given two computers, how can you use one to tell if the other's
disk content has changed?

I'll leave you to work it out.
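As an added example (not from this thread) of how a second machine can tell whether the other's disk content has changed: take a SHA-256 manifest of every file from a trusted state, take another later, and diff the two. The directory tree, file contents and the tampering below are constructed for the demonstration; the comparison only means something if the baseline came from a known-good state and the hashing is done by a system you trust (say, with the suspect disk mounted read-only on the second machine), since a compromised kernel can lie about what is on its own disk.

```python
"""Added example: detect changed, added and removed files via a hash manifest.

Everything in demo() (paths, file contents, the simulated tampering) is
constructed for the demonstration; no real system is touched.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path relative to `root` to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as f:
                # Read in chunks so large files do not need to fit in memory.
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Return (added, removed, modified) sorted path lists.

    `baseline` is the manifest from the trusted state, `current` the one
    taken now; any file whose digest differs is reported as modified.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in baseline
        if path in current and baseline[path] != current[path]
    )
    return added, removed, modified


def demo():
    """Constructed scenario: snapshot a small tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0\n")
        baseline = build_manifest(root)          # the trusted snapshot

        # Simulated tampering: a replaced binary, a dropped hidden file
        # and a deleted file, the kinds of change an intruder leaves.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary")
        with open(os.path.join(root, ".hidden"), "wb") as f:
            f.write(b"x")
        os.remove(os.path.join(root, "passwd"))

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```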

