Security Incidents: Something nasty

From: Adam Maloney <adamm_at_SIHOPE.COM>
Date: Wed, 6 Sep 2000 08:53:05 -0500

I've attached an e-mail that I received to a few info@ accounts at a
couple of my domains. The IP block that this originated from and the URL
it references are in .NL; the whois information for upwatch.com is registered
in Amsterdam.

I think it's rather obvious that these people are trying to save time
nmapping the whole internet so they'd rather just have clueless sales
droids fill out the form that I presume would ask for what type/version of
OS, what software is installed, etc. It would make compromising the box
pretty easy.

I haven't done much more investigation other than the above. I didn't
want to go to the URL with any of my domains or serial numbers in the URL.

I edited the headers a little to remove some mail handling and
identifying information as to what domains this was sent to; other than
that the message is intact.

Adam Maloney
Systems Administrator
Sihope Communications

---------- Forwarded message ----------
====> ORIGINAL MESSAGE FOLLOWS <====
Received: (from mailroom_at_localhost)
        by unix1.sihope.com (8.9.3/8.9.0) id SAA12545
        for helpdesk; Tue, 5 Sep 2000 18:22:14 -0500 (CDT)
Received: from upwatch.netland.nl (IDENT:root@[212.19.213.240])
        by unix1.sihope.com (8.9.3/8.9.0) with ESMTP id SAA12534
        for <info_at_xxxx.com>; Tue, 5 Sep 2000 18:22:12 -0500 (CDT)
Received: (from root_at_localhost)
        by upwatch.netland.nl (8.9.3/8.9.3) id BAA08771;
        Wed, 6 Sep 2000 01:31:21 +0200
Date: Wed, 6 Sep 2000 01:31:21 +0200
Message-Id: <200009052331.BAA08771_at_upwatch.netland.nl>
From: Upwatch Inkoop Team <inkoop_at_upwatch.com>
To: info_at_xxxx.com
Subject: Unix shell account inquiry
Precedence: bulk
Reply-To: Upwatch Inkoop Team <inkoop_at_upwatch.com>

Dear Sir, Madam,

I am looking for Unix Shell Accounts all over the world.
I also need some specific functionality.

Because shell accounts are not as widespread as they once were,
I decided to write to a lot of providers. On the other hand this
opens up the possibility for receiving *lots* of answers, all in
their own format, and I would have to sort through them: a lot
of work. So I took the liberty in creating a special webpage.

Please fill in the following webpage if you offer Unix Shell Accounts:

http://212.19.213.241/aanbieders.php?domain=xxxx.com&random=419285712

Thank you very much for your cooperation.

Ron Arts

PS: you might need a technical person when filling this in
Received on Sep 06 2000
