
Full Disclosure mailing list archives
RE: 3 new MS patches next week... but none fix 0x01!
From: "David Bartholomew" <dfbarth () akiva com>
Date: Sat, 10 Jan 2004 23:31:42 -0500
It's interesting, too. I grabbed up both the login.htm and tried to get the form.php (which redirected wget to logged.html) files. Picked through them, and I've got this question for the list:

This really long 'form action' item

http://www.citibank.com:achaaa9uwdtyazjwvwaaaa9p398haaa9uwdtyazjwvwaboundpyw wgc2l6zt00pjxtvgc2l6zt00pjxywwgc2l6zt00pjxt398haaa9uwdtyazjwvwaaoundpywwgc2l 6zt00pjxtvgc2l6zt00pjxvgc2l6zt00pjxt@211.239.150.170/login/form.php

obviously contains the 0x01 exploit. What I'm curious about is the HUGE amount of crap in between the : and the @ sign. I mean, if the 0x01 exploit is 'good enough', what's with the extra characters?

.dfbarth

***
David Bartholomew, MCSE, MCSA, MCP, Net+, A+
Technical Lead - Akiva, Inc.
***

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of J G
Sent: Saturday, January 10, 2004 9:10 PM
To: mlande () bellsouth net; nick () virus-l demon co uk; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] 3 new MS patches next week... but none fix 0x01!

Hi Mary,

What's the subject of the Citibank email you just received? I'd like to block it on our SMTP gateways.

Thanks,
Ray

From: "Mary Landesman" <mlande () bellsouth net>
To: <nick () virus-l demon co uk>, <full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] 3 new MS patches next week... but none fix 0x01!
Date: Sat, 10 Jan 2004 20:26:20 -0500

There now seems to be an active Citibank phishing email exploiting the 0x01 vulnerability. The message states in part:

------------------------
On January 10th 2004 Citibank had to block some accounts in our system connected with money laundering, credit card fraud, terrorism and check fraud activity. The information in regards to those accounts has been passed to our correspondent banks, local, federal and international authorities.

Due to our extensive database operations some accounts may have been changed. We are asking our customers to check their checking and savings accounts if they are active or if their current balance is correct.

Citibank notifies all it's customers in cases of high fraud or criminal activity and asks you to check your account's balances. If you suspect or have found any fraud activity on your account please let us know by logging in at the link below.
------------------------

The link is a button. When clicked, it takes the user to an address that "seems" to be citibank.com. Instead it is really http://211.239.150.170/login/login.htm. I've just received a copy of it and verified that the site is still active.

The IP resolves to:

[ ISP Organization Information ]
Org Name : Enterprise Networks
Service Name : ENTERPRISENET
Org Address : GNG IDC B/D, 343-1 Yhatap-dong, Pundang-gu, Seongnam

[ ISP IP Admin Contact Information ]
Name : Hyo-Sun, Chang
Phone : +82-2-2105-6082
Fax : +82-2-2105-6100
E-Mail : ip () epnetworks co kr

[ ISP IP Tech Contact Information ]
Name : IP
Phone : +82-2-2105-6016
Fax : +82-2-2105-6100
E-mail : ip () epnetworks co kr

[ ISP Network Abuse Contact Information ]
Name : Postmaster
Phone : +82-2-2105-6075
Fax : +82-2-2105-6100
E-mail : abuse () epnetworks co kr

Regards,
Mary Landesman
Antivirus About.com Guide
http://antivirus.about.com

----- Original Message -----
From: "Nick FitzGerald" asked:

OK -- is HSBC bank a large enough client of Microsoft's??

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
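
A gateway-side check for the URL shape discussed in this thread, as an added example that is not part of any poster's message: it pulls each URL's authority out of a message body and flags a userinfo part (the text before the last `@`) that carries a control byte such as 0x01, or a hostname different from the real host. The function names, indicator labels and sample body are constructed for illustration; the hosts use reserved documentation names and addresses.

```python
import re
from urllib.parse import unquote

# Authority = text between "scheme://" and the next "/", "?" or "#".
URL_RE = re.compile(r"\bhttps?://([^\s/?#\"'<>]+)", re.IGNORECASE)
HOSTLIKE_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def inspect_authority(authority):
    """Return (real_host, findings) for one URL authority string."""
    # The host a client connects to is whatever follows the LAST "@".
    userinfo, at, hostport = authority.rpartition("@")
    host = hostport.split(":", 1)[0].lower()
    findings = []
    if not at:
        return host, findings          # no userinfo: nothing to disguise
    findings.append("userinfo-present")
    decoded = unquote(userinfo)        # turns %01 into the raw byte
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        findings.append("control-byte-in-userinfo")
    decoy = HOSTLIKE_RE.search(decoded)
    if decoy and decoy.group(0).lower() != host:
        findings.append("decoy-host-in-userinfo")
    if IPV4_RE.match(host):
        findings.append("ip-literal-host")
    return host, findings

def scan_message(text):
    """List every URL in text whose authority shows a spoofing indicator."""
    hits = []
    for match in URL_RE.finditer(text):
        host, findings = inspect_authority(match.group(1))
        if findings:
            hits.append({"real_host": host, "findings": findings})
    return hits

# Constructed sample body (not the message quoted in this thread).
SAMPLE_MESSAGE = (
    "Check your balance: http://www.bank.example%01@192.0.2.10/login/login.htm\n"
    "Form posts to http://www.bank.example:aaaabbbbcccc@192.0.2.10/login/form.php\n"
    "Help is at https://www.bank.example/help\n"
)

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MESSAGE):
        print(hit["real_host"], ", ".join(hit["findings"]))
```

Matching on the URL structure rather than on the message subject keeps the rule effective when the lure text changes.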
Current thread:
- Re: 3 new MS patches next week... but none fix 0x01! Exibar (Jan 09)
- <Possible follow-ups>
- RE: 3 new MS patches next week... but none fix 0x01! tlarholm (Jan 09)
- Re: 3 new MS patches next week... but none fix 0x01! J G (Jan 10)
- RE: 3 new MS patches next week... but none fix 0x01! David Bartholomew (Jan 10)
- re: Citibank phishing email Jim Race (Jan 10)
- RE: [inbox] RE: 3 new MS patches next week... Exibar (Jan 11)
- RE: 3 new MS patches next week... Can Erkin Acar (Jan 12)
- RE: 3 new MS patches next week... but none fix 0x01! David Bartholomew (Jan 10)
- Re: 3 new MS patches next week... but none fix 0x01! Mary Landesman (Jan 10)
- Re: 3 new MS patches next week... but none fix 0x01! Ray P (Jan 10)
- RE: 3 new MS patches next week... but none fix 0x01! Paul Szabo (Jan 10)
- RE: 3 new MS patches next week... but none fix 0x01! David Bartholomew (Jan 11)