Seems to be a vulnerable/poorly configured horde (v 3.0.5) that is wide open.. This version of horde has a readily available exploit that could have been used. Also everything from /horde/ on down to the actual phishing directory seems to be visible... The site owner might want to check that they haven't been also used as an open proxy.
Just my .02 cents, Jake On 2/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Reported .. it's an IP off .IT servers. The auction is still live and reported to eBay as fraud. Also, the seller's account has been taken over .. a typical pattern. By that pattern, my bet is this originates in .RO. Do you have the full header, by any chance? Tnx. On 20 Feb 2007 at 11:13, dan wrote: > You guys seen this one yet? > > I haven't investigated it, I just got the mail now.. > > the hex 'ip' resolves using ping, interestingly enough (nifty! I > didn't know you could ping a hex address!) > > [EMAIL PROTECTED]:~$ ping 0x5148ed5a > PING 0x5148ed5a (81.72.237.90) 56(84) bytes of data. > 64 bytes from 81.72.237.90: icmp_seq=1 ttl=50 time=251 ms > > [EMAIL PROTECTED]:~$ nmap 81.72.237.90 > > Starting Nmap 4.20 ( http://insecure.org ) at 2007-02-20 11:06 PST > Interesting ports on > host90-237-static.72-81-b.business.telecomitalia.it (81.72.237.90): > Not shown: 1686 filtered ports PORT STATE SERVICE 21/tcp open > ftp 22/tcp open ssh 25/tcp open smtp 53/tcp open domain > 80/tcp open http 110/tcp open pop3 113/tcp closed auth 143/tcp > open imap 443/tcp open https 993/tcp open imaps 995/tcp open > pop3s > > > Also, anonymous ftp is open > > [EMAIL PROTECTED]:~$ ncftp 81.72.237.90 > NcFTP 3.2.0 (Aug 05, 2006) by Mike Gleason > (http://www.NcFTP.com/contact/). Connecting to 81.72.237.90... > Benvenuti nel sito ftp della CAR-TECH S.r.L. Logging in... Login > successful. Logged in to 81.72.237.90. ncftp / > ls pub/ ncftp / > cd > pub Directory successfully changed. ncftp /pub > ls b105.zip > > > > -------- Original Message -------- > Subject: Message from eBay Member regarding Item #160086558071 > Date: Tue, 20 Feb 2007 14:01:58 -0500 > From: eBay Member wwwdirectbynetcom<[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > > > > eBay *eBay sent this message from wwwdirectbynetcom.* > > > > > *Question about Item -- Respond Now* > > > > > eBay sent this message on behalf of an eBay member through My > Messages. Responses sent using email will go to the eBay member > directly and will include your email address. > > > > > > Question from wwwdirectbynetcom > *wwwdirectbynetcom <http://myworld.ebay.com/wwwdirectbynetcom>( 367 > <http://feedback.ebay.com/ws/eBayISAPI.dll?ViewFeedback&userid=wwwdire > ctbynetcom>)* > > Positive feedback: 99.5% > Member since: Jun-07-04 > Location: United States > Registered on: www.ebay.com > > Item:*2000 Kia : Sportage RUNS GREAT* (160086558071 > <http://0x5148ed5a/horde/services/portal/images/SigninPIdllSignInpUser > Id=co_partnerId=siteid=0pageType=-1pa1=UsingSSL-1bshowgif-favoriteav-e > rrmsg-8ebayISAPI-dllUPdateINFOwww-ebay-com8pp-8pa2-8errmsg/%20>) > > This message was sent while the listing was *active*. > wwwdirectbynetcom is a *potential buyer*. > > Money was sent today.Please e-mail me as soon as possible because I > want to know when I receive my package. Thank you > > *Respond to this question* > Respond Now > <http://0x5148ed5a/horde/services/portal/images/SigninPIdllSignInpUser > Id=co_partnerId=siteid=0pageType=-1pa1=UsingSSL-1bshowgif-favoriteav-e > rrmsg-8ebayISAPI-dllUPdateINFOwww-ebay-com8pp-8pa2-8errmsg/%20> > > /Responses in My Messages will not include your email address./ > > > Thank you, > eBay > > *Details for item number:160086558071* > Item URL: > http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=160086558071&sspage > name=ADME:B:AAQ:US:1 > <http://0x5148ed5a/horde/services/portal/images/SigninPIdllSignInpUser > Id=co_partnerId=siteid=0pageType=-1pa1=UsingSSL-1bshowgif-favoriteav-e > rrmsg-8ebayISAPI-dllUPdateINFOwww-ebay-com8pp-8pa2-8errmsg/> > > End date: Wednesday, Feb-21-07 19:30:00 PST > > > Marketplace Safety Tip *Marketplace Safety Tip > <http://pages.ebay.com/securitycenter>* > > *Always remember to complete your transactions on eBay - it's the > safer way to trade.* > > Is this message an offer to buy your item directly through email > without winning the item on eBay? If so, please help make the eBay > marketplace safer by reporting it to us. These "outside of eBay" > transactions may be unsafe and are against eBay policy. Learn more > about trading safely > <http://pages.ebay.com/securitycenter/selling_safely.html>. > > Is this email inappropriate? Does it violate eBay policy > <http://pages.ebay.com/help/policies/rfe-unwelcome-email-misuse.html>? > Help protect the Community by reporting it > <http://cgi1.ebay.com/aw-cgi/eBayISAPI.dll?ReportEmailAbuseshow&report > eruserid=princeofthe831&reporteduserid=wwwdirectbynetcom&emaildate=200 > 6/10/02:12:33:57&emailtype=0&emailtext=Money+was+sent+today.Please+e-m > ail+me+as+soon+as+possible+because+I+want+to+know+when+I+receive+my+pa > ckage.%0AThank+you%0D%0Athanks&trackId=160086558071>. > > > > Learn how you can protect yourself from spoof (fake) emails at: > http://pages.ebay.com/education/spooftutorial > > This eBay notice was sent to you on behalf of another eBay member > through the eBay platform and in accordance with our Privacy Policy. > If you would like to receive this email in text format, change your > notification preferences > <http://cgi4.ebay.com/ws/eBayISAPI.dll?OptinLoginShow>. > > See our Privacy Policy and User Agreement if you have questions about > eBay's communication policies. Privacy Policy: > http://pages.ebay.com/help/policies/privacy-policy.html User > Agreement: http://pages.ebay.com/help/policies/user-agreement.html > > Copyright (c) 2007 eBay, Inc. All Rights Reserved. > Designated trademarks and brands are the property of their respective > owners. eBay and the eBay logo are registered trademarks or trademarks > of eBay, Inc. eBay is located at 2145 Hamilton Avenue, San Jose, CA > 95125. > > > > _______________________________________________ phishing mailing list [email protected] http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
_______________________________________________ phishing mailing list [email protected] http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
