| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: se_cur_ity at hotmail.com (Morning Wood) Subject: EBAY SPOOF "Your eBay account Registration Suspension" Ebay spoof making the rounds.... headers below... ------------------------ snip ----------------------------------- ----Original Message Follows---- From: eBay custumers service <accounts@...y.com> Reply-To: accounts@...y.com To: se_cur_ity@...mail.com Subject: Your eBay account Registration Suspension Date: 25 Nov 2003 15:40:20 -0000 MIME-Version: 1.0 Received: from lucky.phpwebhosting.com ([66.132.128.49]) by mc8-f29.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713); Tue, 25 Nov 2003 07:45:32 -0800 Received: (qmail 1644 invoked by uid 99); 25 Nov 2003 15:40:20 -0000 X-Message-Info: 6sSXyD95QpXJES60C4uZZPRQIObKA87K Message-ID: <20031125154020.1643.qmail@...ky.phpwebhosting.com> Return-Path: webmaster@...ia82.phpwebhosting.com X-OriginalArrivalTime: 25 Nov 2003 15:45:33.0205 (UTC) FILETIME=[29495450:01C3B36B] -------------------- snip ---------------------------------- digging a bit we see... visible url: http://cgi1.ebay.com/aw-cgi/eBayISAPI.dll?accVerify real url: http://203.119.5.31/user492450329847532049857302495730249573204985723049857230495723049758374092387409238data3029847530498574538429756349875639487565348975623498563489756634897563924875634503245623948756234239452137542378541238754219374/index.php 203.119.5.31 is running a FTP ( wu-2.6.2(1), SSH, HTTPD ( apache 1.3.26 ) and a HTTPS the IP is that of beyondlimits.ph ( not ebay ) 203.119.5.31 is in Manila, Phillipines (PH ccTLD) looking at the source we see... ----- snip ------ Auto Maximize Window Script- By Nick Lowe (nicklowe@...nline.co.uk) For full source code, 100's more free DHTML scripts, and Terms Of Use Visit http://www.dynamicdrive.com ------- snip ------ <input type="hidden" name="MfcISAPICommand" value="SellerRegistrationEnterBankInfo"> <input type="hidden" name="cardselected" value="1"> <input type="hidden" name="cardnumber" value="4190087719349127"> <input type="hidden" name="expiryday" value="0"> <input type="hidden" name="expirymonth" value="10"> <input type="hidden" name="expiryyear" value="2006"> <input type="hidden" name="cardholdername" value="Leigh A Wadden"> <input type="hidden" name="address12" value="3305 EP True Pkwy, Unit 801"> <input type="hidden" name="address2" value=""> <input type="hidden" name="city2" value="West Des Moines"> <input type="hidden" name="state" value="IA"> <input type="hidden" name="zip2" value="50265"> <input type="hidden" name="country" value="United States"> <input type="hidden" name="usage" value="1"> ----- snip ------- which is very odd indeed. Donnie Werner exploitlabs.com Secur it today® _________________________________________________________________ Groove on the latest from the hot new rock groups! Get downloads, videos, and more here. http://special.msn.com/entertainment/wiredformusic.armx -------------- next part -------------- An embedded message was scrubbed... From: eBay custumers service <accounts@...y.com> Subject: Your eBay account Registration Suspension Date: 25 Nov 2003 15:40:20 -0000 Size: 8337 Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031125/f7e3ac4f/attachment.mht
Powered by blists - more mailing lists