Howdy, I got an email recently from some stoopid scammer who was phishing for Ebay account info. The email could easily fool a computer newbie, but the HREF for the Ebay URL resolved to ebay.aw1-cgi-updates.com, so I knew it was a scam.
I forwarded the email to [EMAIL PROTECTED] because phishers pizz me off, but I thought it would be interesting to learn a little more about the scammers, so I pulled out ole nmap:

[EMAIL PROTECTED] /cygdrive/c/tools/nmap-3.81
$ ./nmap.exe ebay.aw1-cgi-updates.com

Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-03-10 21:47 Central Standard Time
Interesting ports on 210.66.231.1:
(The 1655 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
21/tcp   open     ftp
80/tcp   open     http
111/tcp  open     rpcbind
443/tcp  open     https
445/tcp  filtered microsoft-ds
1720/tcp filtered H.323/Q.931
3306/tcp open     mysql
6000/tcp open     X11

Hmmm! Looks like some bad guy hax0r has taken over this box and is using it as a remotely controllable phishing platform. And it is interesting that the hax0r has opened all those ports and services; I guess script kiddies need a GUI now to do their dirty deeds?

At first, I assumed it was a Windows box running some kinda hacked-up cygwin-X11 install, because we all know how Microsoft redefined "openness". But, a quick check at netcraft.com says that it is a Linux box (http://uptime.netcraft.com/up/graph/?host=ebay.aw1-cgi-updates.com).

Question: Is netcraft.com correct? I know a little of how their OS signature checking works, but if it is true, then that means this Linux box has been hacked. Which kinda surprises me, but I guess I had to lose my innocence sooner or later. ;)

Another question: How would I contact the owner of the box to tell him the box is hacked? Contact the netblock owner? Or should I just forget about all this and go to bed?

Thanks,
John
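The check John applied by eye (the visible link text says eBay, the HREF resolves to a look-alike host) can be automated for mail triage. The following is an added example, not code from John's post or from any list member: it walks the anchors of an HTML mail body and flags any link whose visible text names a domain the href does not actually belong to. The sample HTML is constructed, and the "registrable domain equals the last two labels" rule is a simplifying assumption (a real tool would consult the public suffix list so that names like example.co.uk are handled).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample mail body: the first link shows an ebay.com URL as its
# text but points at the look-alike host from the post; the second is honest.
SAMPLE_EMAIL_HTML = """
<p>Dear valued member,</p>
<p>Please verify your account at
<a href="http://ebay.aw1-cgi-updates.com/cgi-bin/update.php">http://cgi.ebay.com/ws/update</a></p>
<p>Or visit <a href="https://www.ebay.com/help">www.ebay.com/help</a></p>
<p>Contact <a href="mailto:support@example.com">support</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; bare 'www.example.com/path' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Assumption for this example: the registrable domain is the last two labels.
    ebay.aw1-cgi-updates.com -> aw1-cgi-updates.com, cgi.ebay.com -> ebay.com."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def deceptive_links(html_text):
    """Return anchors whose visible text claims one domain while the href lands on another."""
    parser = LinkCollector()
    parser.feed(html_text)
    flagged = []
    for href, text in parser.links:
        if not href or href.startswith("mailto:"):
            continue
        # Only judge anchors whose visible text itself looks like a host or URL;
        # plain words such as "click here" make no domain claim to compare against.
        if not re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
            continue
        claimed = registrable_domain(host_of(text))
        actual = registrable_domain(host_of(href))
        if claimed != actual:
            flagged.append({"text": text, "href": href,
                            "claimed": claimed, "actual": actual})
    return flagged


if __name__ == "__main__":
    for hit in deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"link text claims {hit['claimed']!r} but href goes to {hit['actual']!r}: {hit['href']}")
```

Comparing registrable domains rather than full hostnames is what catches the trick in the post: "ebay." is only a subdomain label that the scammer controls, so the hostname starts with the brand name while the registrable domain is something else entirely.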
