[nsp-sec] Yahoo phishing account
Seth Hall
seth at net.ohio-state.edu
Fri May 23 00:05:52 EDT 2008
On May 22, 2008, at 5:46 PM, Smith, Donald wrote:
> Joel, were the compromised accounts being exploited from 196.207.3.10?
> We have seen that IP abusing the drake webmail service to send spam that
> matches Serge's spam.
We've been seeing that one since the 17th. The user-agent we saw for
it was:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Avant Browser;
SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506;
Tablet PC 2.0)
Here are the addresses we've seen the attackers come from with the
associated browser user-agents we've seen if I logged it (multiple
user agents are separated with pipes):
Now, here's where it gets interesting. A while ago I started logging HTTP
headers that would indicate if the remote host is a proxy, and it turns
out that a number of these addresses are actually proxies (or at least
were at the time)...
41.204.224.41 Via: 1.1 netcacheus (NetCache NetApp/6.0.4)
81.199.88.8 Via: 1.1 proxy:3124 (squid/2.5.STABLE11)
81.199.63.42 Via: 1.1 proxy:8080 (squid/2.5.STABLE11)
81.199.63.51 Via: 1.1 proxy:8080 (squid/2.5.STABLE11)
212.100.250.230 Via: 1.1 nickel.onspeed.com:3128 (squid/2.6.STABLE18)
162.114.40.32 Via: 1.0 NC6200-2 (NetCache NetApp/6.0.5DEBUG4)
148.233.159.58 Via: 1.0 cache-mex-roma-2 (NetCache NetApp/5.6.2)
Even more interesting than that, though, is the one address which
didn't identify itself as a proxy. The attackers would use it to log in
to the account first, then we'd see multiple logins from other
addresses that did identify themselves as proxies. If anyone has
visibility on it, it might be worthwhile to poke around at 74.85.13.60
and find out what else it's up to.
32035 | 74.85.13.60 | US | arin | CCDT-AS - Telekenex
.Seth
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
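As an added illustration of the correlation Seth describes (this is not code from his post or from OSU's tooling), the following Python script parses constructed webmail login records, uses the Via header to mark which source addresses announce themselves as proxies, and flags accounts whose first login came from a non-proxy address and was followed by logins through proxies. The log line format and the RFC 5737 documentation addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample webmail login records (not taken from the post):
# account, source address, User-Agent, and the Via header when one was sent.
# Source addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2008-05-20T10:01:03 login user=alice src=198.51.100.60 ua="Opera/9.21 (Windows NT 5.1; U; en)" via=-
2008-05-20T10:14:41 login user=alice src=192.0.2.41 ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" via="1.1 netcacheus (NetCache NetApp/6.0.4)"
2008-05-20T11:02:19 login user=alice src=203.0.113.8 ua="Opera/9.25 (Windows NT 5.1; U; en)" via="1.1 proxy:3124 (squid/2.5.STABLE11)"
2008-05-20T11:30:00 login user=bob src=192.0.2.41 ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" via="1.1 netcacheus (NetCache NetApp/6.0.4)"
2008-05-21T09:00:00 login user=bob src=198.51.100.60 ua="Opera/9.21 (Windows NT 5.1; U; en)" via=-
2008-05-21T09:20:00 login user=carol src=203.0.113.77 ua="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" via=-
"""

# Assumed record layout; "via" is None when the client sent no Via header.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) '
    r'ua="(?P<ua>[^"]*)" via=(?:"(?P<via>[^"]*)"|-)$'
)

def parse_log(text):
    """One dict per well-formed login line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def proxy_sources(events):
    """Source address -> set of Via values it presented; a non-empty set
    means the address announced itself as a proxy."""
    seen = defaultdict(set)
    for e in events:
        if e["via"]:
            seen[e["src"]].add(e["via"])
    return dict(seen)

def suspicious_accounts(events):
    """Accounts whose first login came from a non-proxy address and whose
    later logins came through addresses announcing a Via header."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, logins in by_user.items():
        first, later = logins[0], logins[1:]
        proxies = [l["src"] for l in later if l["via"]]
        if not first["via"] and proxies:
            flagged[user] = {"origin": first["src"], "proxies": proxies}
    return flagged

if __name__ == "__main__":
    for user, info in suspicious_accounts(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

Only the account whose non-proxy login precedes the proxied ones is flagged; an account first touched through a proxy, or touched only once, is not.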