lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: EBAY SPOOF  "Your eBay account Registration Suspension"

Ebay spoof making the rounds....

headers below...

------------------------ snip -----------------------------------

----Original Message Follows----
From: eBay custumers service <accounts@...y.com>
Reply-To: accounts@...y.com
To: se_cur_ity@...mail.com
Subject: Your eBay account Registration Suspension
Date: 25 Nov 2003 15:40:20 -0000
MIME-Version: 1.0
Received: from lucky.phpwebhosting.com ([66.132.128.49]) by 
mc8-f29.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713); Tue, 25 Nov 2003 
07:45:32 -0800
Received: (qmail 1644 invoked by uid 99); 25 Nov 2003 15:40:20 -0000
X-Message-Info: 6sSXyD95QpXJES60C4uZZPRQIObKA87K
Message-ID: <20031125154020.1643.qmail@...ky.phpwebhosting.com>
Return-Path: webmaster@...ia82.phpwebhosting.com
X-OriginalArrivalTime: 25 Nov 2003 15:45:33.0205 (UTC) 
FILETIME=[29495450:01C3B36B]

-------------------- snip ----------------------------------

digging a bit we see...

visible url:
http://cgi1.ebay.com/aw-cgi/eBayISAPI.dll?accVerify

real url: 
http://203.119.5.31/user492450329847532049857302495730249573204985723049857230495723049758374092387409238data3029847530498574538429756349875639487565348975623498563489756634897563924875634503245623948756234239452137542378541238754219374/index.php


203.119.5.31
is running a FTP ( wu-2.6.2(1), SSH, HTTPD ( apache 1.3.26 ) and a HTTPS

the IP is that of beyondlimits.ph ( not ebay )

203.119.5.31 is in Manila, Phillipines (PH ccTLD)





looking at the source we see...

----- snip ------

Auto Maximize Window Script- By Nick Lowe (nicklowe@...nline.co.uk)
For full source code, 100's more free DHTML scripts, and Terms Of Use
Visit http://www.dynamicdrive.com

------- snip ------

<input type="hidden" name="MfcISAPICommand" 
value="SellerRegistrationEnterBankInfo">
  <input type="hidden" name="cardselected" value="1">
  <input type="hidden" name="cardnumber" value="4190087719349127">
  <input type="hidden" name="expiryday" value="0">
  <input type="hidden" name="expirymonth" value="10">
  <input type="hidden" name="expiryyear" value="2006">
  <input type="hidden" name="cardholdername" value="Leigh A Wadden">
  <input type="hidden" name="address12" value="3305 EP True Pkwy, Unit 801">
  <input type="hidden" name="address2" value="">
  <input type="hidden" name="city2" value="West Des Moines">
  <input type="hidden" name="state" value="IA">
  <input type="hidden" name="zip2" value="50265">
  <input type="hidden" name="country" value="United States">
  <input type="hidden" name="usage" value="1">

----- snip -------

which is very odd indeed.

Donnie Werner
exploitlabs.com

Secur it today®

_________________________________________________________________
Groove on the latest from the hot new rock groups!  Get downloads, videos, 
and more here.  http://special.msn.com/entertainment/wiredformusic.armx
-------------- next part --------------
An embedded message was scrubbed...
From: eBay custumers service <accounts@...y.com>
Subject: Your eBay account Registration Suspension
Date: 25 Nov 2003 15:40:20 -0000
Size: 8337
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031125/f7e3ac4f/attachment.mht

Powered by blists - more mailing lists