[nsp-sec] Paging Yahoo! - Phishing account
Seth Hall
hall.692 at osu.edu
Mon Jun 2 10:45:00 EDT 2008
On Jun 2, 2008, at 10:21 AM, SURFcert - Peter wrote:
> Seth Hall wrote on 2-6-2008 14:26:
>>
>> We had 217.21.79.166 login to a compromised webmail account here on
>> May 19th. The connection didn't have any proxy related headers
>> though.
>> A lot of the logins to compromised webmail accounts here do have the
>> "Via" header set.
>
> This IP address is also linked to another mail that looks like a fraud
> scheme:
> http://www.repository.izone.me.uk/repository.pl?action=read_email&email=20080417182757&month=May&year=2008
Oh, that repository site is cool. I searched for "217.21.79" in May
and a lot of emails showed up.
For a little followup about the 217.21.79.166 host, it definitely
looks like it's a proxy. Most of the "Via" headers have indicated
that the proxies themselves are running on port 3124/tcp, so I took a
wild stab at it....
seth at Blake3:~$ telnet 217.21.79.166 3124
Trying 217.21.79.166...
Connected to 217.21.79.166.
Escape character is '^]'.
Connection closed by foreign host.
seth at Blake3:~$ telnet 217.21.79.166 3124
Trying 217.21.79.166...
^C
Something disconnected me pretty quickly after that first connection,
and I'm blocked from accessing it now. The same exact thing happened
again when I connected from another host. Definitely something funny
about that host. Does anyone have contacts at IPPlanet?
.Seth
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
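The detection signal the thread turns on is the "Via" header (and its relatives) on a webmail login, plus one source IP showing up against several accounts. The script below is an added example, not code from Seth or from the nsp-security list: it assumes a login-audit record with a timestamp, account name, client IP and the request headers, and the sample records are constructed with RFC 5737 documentation addresses, not the host discussed above. It parses the Via hops per the RFC 7230 grammar, flags proxied logins, tallies the proxy ports the hops advertise, and lists source IPs seen logging into more than one account.

```python
"""Flag webmail logins that arrived through an HTTP proxy and pivot on the source IP."""
import re
from collections import defaultdict

# Request headers that reveal a proxy hop between the client and the webmail server.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")

# One hop of a Via header: received-protocol, received-by (host[:port] or pseudonym), optional comment.
_VIA_HOP = re.compile(
    r"""^\s*(?:HTTP/)?[\w.]+\s+      # received-protocol, e.g. "1.1" or "HTTP/1.0"
        (?P<host>[^\s:(]+)           # uri-host or pseudonym
        (?::(?P<port>\d{1,5}))?      # optional ":port"
        (?:\s+\(.*\))?\s*$           # optional "(comment)"
    """,
    re.VERBOSE,
)

# Constructed sample audit records (hypothetical schema; documentation IPs, not real data).
SAMPLE_LOGINS = [
    {"ts": "2008-05-19T03:14:07Z", "account": "alice", "src_ip": "203.0.113.45",
     "headers": {"Host": "webmail.example.edu", "Via": "1.1 proxy.example.net:3124 (Squid/2.6)"}},
    {"ts": "2008-05-19T03:20:41Z", "account": "bob", "src_ip": "203.0.113.45",
     "headers": {"Host": "webmail.example.edu", "Via": "1.0 fred, 1.1 relay.example.org:3124"}},
    {"ts": "2008-05-19T08:02:13Z", "account": "carol", "src_ip": "198.51.100.7",
     "headers": {"Host": "webmail.example.edu"}},
    {"ts": "2008-05-19T09:45:00Z", "account": "dave", "src_ip": "203.0.113.45",
     "headers": {"Host": "webmail.example.edu", "X-Forwarded-For": "192.0.2.10"}},
]


def parse_via(value):
    """Return [(host, port_or_None), ...] for each hop listed in a Via header value."""
    # Comments may themselves contain commas, so drop them before splitting into hops.
    stripped = re.sub(r"\([^)]*\)", "", value)
    hops = []
    for hop in stripped.split(","):
        m = _VIA_HOP.match(hop)
        if m:
            port = int(m.group("port")) if m.group("port") else None
            hops.append((m.group("host"), port))
    return hops


def proxy_indicators(headers):
    """Return the proxy-revealing headers present, keyed by lower-cased name."""
    return {k.lower(): v for k, v in headers.items() if k.lower() in PROXY_HEADERS}


def flag_proxied_logins(records):
    """Return one finding per login that carried a proxy header, with parsed Via hops."""
    findings = []
    for rec in records:
        indicators = proxy_indicators(rec["headers"])
        if not indicators:
            continue
        hops = parse_via(indicators["via"]) if "via" in indicators else []
        findings.append({
            "ts": rec["ts"],
            "account": rec["account"],
            "src_ip": rec["src_ip"],
            "indicators": sorted(indicators),
            "via_hops": hops,
        })
    return findings


def proxy_ports(findings):
    """Count the ports advertised in Via hops; a recurring port is a pivot for further triage."""
    counts = defaultdict(int)
    for f in findings:
        for _host, port in f["via_hops"]:
            if port is not None:
                counts[port] += 1
    return dict(counts)


def accounts_per_ip(records, min_accounts=2):
    """Map each source IP that logged into at least min_accounts distinct accounts to those accounts."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["src_ip"]].add(rec["account"])
    return {ip: sorted(accts) for ip, accts in seen.items() if len(accts) >= min_accounts}


if __name__ == "__main__":
    found = flag_proxied_logins(SAMPLE_LOGINS)
    for f in found:
        print(f"{f['ts']} {f['account']:<6} from {f['src_ip']} via {f['indicators']} hops={f['via_hops']}")
    print("Via ports:", proxy_ports(found))
    print("Multi-account IPs:", accounts_per_ip(SAMPLE_LOGINS))
```

The two views complement each other: a proxied login by itself is only a weak signal, but a source IP that reaches several accounts, several of them through hops on the same port, is the kind of cluster worth pulling the login timeline for.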