[nsp-sec] Credential dropbox at AS 5413 ??
Gabriel Iovino
giovino at ren-isac.net
Tue Sep 15 22:49:06 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings,
I had a trusted source tell me that they have seen several phishing
emails with a phishing form dropbox at:
hxxp://www.updateserver2009.com
(Online as of 10:45 PM EDT)
This person says they are having trouble getting anyone to respond to
their take down requests.
Unfortunately I do not have any example emails but looking at the web
page, it is not a big leap to say this is probably a phishing dropbox.
Do we have any contacts at AS 5413 that could investigate and if it is
indeed a phishing dropbox get this taken down?
*****
> whois updateserver2009.com
>
> Whois Server Version 2.0
>
> Domain names in the .com and .net domains can now be registered
> with many different competing registrars. Go to http://www.internic.net
> for detailed information.
>
> Domain Name: UPDATESERVER2009.COM
> Registrar: TUCOWS INC.
> Whois Server: whois.tucows.com
> Referral URL: http://domainhelp.opensrs.net
> Name Server: NS.123-REG.CO.UK
> Name Server: NS2.123-REG.CO.UK
> Status: clientTransferProhibited
> Status: clientUpdateProhibited
> Updated Date: 23-aug-2009
> Creation Date: 23-aug-2009
> Expiration Date: 23-aug-2010
>
>>>> Last update of whois database: Wed, 16 Sep 2009 02:41:51 UTC <<<
*****
> dig www.updateserver2009.com
>
> ; <<>> DiG 9.5.1-P3 <<>> www.updateserver2009.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14993
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.updateserver2009.com. IN A
>
> ;; ANSWER SECTION:
> www.updateserver2009.com. 86137 IN A 194.154.164.82
>
> ;; Query time: 61 msec
> ;; SERVER: x.x.x.x#53(x.x.x.x)
> ;; WHEN: Tue Sep 15 22:38:11 2009
> ;; MSG SIZE rcvd: 58
*****
> whois -h whois.cymru.com 194.154.164.82
> AS | IP | AS Name
> 5413 | 194.154.164.82 | AS5413 GX Networks
*****
> whois -h peer.whois.cymru.com 194.154.164.82
> PEER_AS | IP | AS Name
> 1299 | 194.154.164.82 | TELIANET TeliaNet Global Network
> 3356 | 194.154.164.82 | LEVEL3 Level 3 Communications
> 10310 | 194.154.164.82 | YAHOO-1 - Yahoo!
> 15606 | 194.154.164.82 | NASK-TRANSIT NASK Transit AS
*****
Thank you
Gabe
- --
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkqwUiIACgkQwqygxIz+pTsGEQCgwlTovr63C4qMbZ+36NeEG43T
fAQAoL/IL/9QX5ZG2dDoo2YcPzJ09I/G
=9QPL
-----END PGP SIGNATURE-----
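The three lookups in the post (resolve the host, map the address to its origin AS with Team Cymru's whois service, then list the upstream peers) are the usual way to work out who can act on a takedown request. The following is an added example, not part of the original post or of any REN-ISAC tooling: it parses the output of those commands into a single triage record and prints a defanged summary that can be pasted into a report. The parsers tolerate mail-quoted (`> `) lines; the sample outputs embedded below are copied from the post so the script runs offline, and `live_lookup` runs the real `dig`/`whois` commands when network access is available (it is not exercised here).

```python
"""Triage helper for a suspected phishing drop site (added example).

Resolves the host, maps each address to its origin AS via whois.cymru.com and
lists upstream peers via peer.whois.cymru.com, so the right NOC/abuse contact
can be found.  Parsers accept raw or mail-quoted ("> ") command output.
"""
import re
import subprocess
from dataclasses import dataclass, field

CYMRU_ORIGIN = "whois.cymru.com"        # origin-AS lookup, as used in the post
CYMRU_PEER = "peer.whois.cymru.com"     # upstream-peer lookup, as used in the post


@dataclass
class Triage:
    host: str
    addresses: list = field(default_factory=list)   # [(ip, ttl), ...]
    origin_as: dict = field(default_factory=dict)   # ip -> (asn, as_name)
    peer_as: dict = field(default_factory=dict)     # ip -> [(asn, as_name), ...]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) into a plain host name."""
    s = indicator.strip().replace("hxxp://", "http://").replace("hxxps://", "https://")
    s = s.replace("[.]", ".")
    s = re.sub(r"^https?://", "", s)
    return s.split("/")[0].lower()


def defang(host: str) -> str:
    """Defang a host name so it is not clickable when pasted into a report."""
    return host.replace(".", "[.]")


def _unquote(line: str) -> str:
    """Strip mail quoting ('> ') and surrounding whitespace from one line."""
    return line.strip().lstrip("> ").strip()


def parse_dig(output: str):
    """Return (ip, ttl) pairs from the ANSWER SECTION of `dig` output (A records)."""
    answers, in_answer = [], False
    for raw in output.splitlines():
        line = _unquote(raw)
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer:
            if not line or line.startswith(";"):   # blank line ends the section
                in_answer = False
                continue
            parts = line.split()
            if len(parts) >= 5 and parts[3] == "A":
                answers.append((parts[4], int(parts[1])))
    return answers


def parse_cymru(output: str):
    """Parse 'AS | IP | AS Name' rows from whois.cymru.com / peer.whois.cymru.com."""
    rows = []
    for raw in output.splitlines():
        parts = [p.strip() for p in _unquote(raw).split("|")]
        if len(parts) != 3 or not parts[0].isdigit():
            continue   # header row ("AS"/"PEER_AS"), blank line, or quoted command
        rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


def build_triage(host: str, dig_output: str, origin_output: str, peer_output: str) -> Triage:
    """Combine the three command outputs into one record keyed by IP address."""
    t = Triage(host=host, addresses=parse_dig(dig_output))
    for asn, ip, name in parse_cymru(origin_output):
        t.origin_as[ip] = (asn, name)
    for asn, ip, name in parse_cymru(peer_output):
        t.peer_as.setdefault(ip, []).append((asn, name))
    return t


def summary(t: Triage) -> str:
    """Defanged, one-line-per-address summary suitable for a takedown request."""
    lines = [f"Suspected drop site: {defang(t.host)}"]
    for ip, ttl in t.addresses:
        asn, name = t.origin_as.get(ip, (None, "unknown"))
        peers = ", ".join(f"AS{a}" for a, _ in t.peer_as.get(ip, []))
        lines.append(f"  {ip} (TTL {ttl}) -> AS{asn} {name}; upstreams: {peers or 'n/a'}")
    return "\n".join(lines)


def live_lookup(host: str) -> Triage:
    """Run the same commands as the post (needs network access; not run by the tests)."""
    def run(*cmd):
        return subprocess.run(list(cmd), capture_output=True, text=True).stdout
    dig_out = run("dig", host)
    ips = [ip for ip, _ in parse_dig(dig_out)]
    origin = "".join(run("whois", "-h", CYMRU_ORIGIN, ip) for ip in ips)
    peer = "".join(run("whois", "-h", CYMRU_PEER, ip) for ip in ips)
    return build_triage(host, dig_out, origin, peer)


# Sample outputs copied from the post above, so the parsers can run offline.
SAMPLE_DIG = """\
> ;; ANSWER SECTION:
> www.updateserver2009.com. 86137 IN A 194.154.164.82
>
> ;; Query time: 61 msec
"""
SAMPLE_ORIGIN = """\
> AS | IP | AS Name
> 5413 | 194.154.164.82 | AS5413 GX Networks
"""
SAMPLE_PEER = """\
> PEER_AS | IP | AS Name
> 1299 | 194.154.164.82 | TELIANET TeliaNet Global Network
> 3356 | 194.154.164.82 | LEVEL3 Level 3 Communications
> 10310 | 194.154.164.82 | YAHOO-1 - Yahoo!
> 15606 | 194.154.164.82 | NASK-TRANSIT NASK Transit AS
"""

if __name__ == "__main__":
    host = refang("hxxp://www.updateserver2009.com")
    print(summary(build_triage(host, SAMPLE_DIG, SAMPLE_ORIGIN, SAMPLE_PEER)))
```

The origin AS is the party that can most directly act (the address space is theirs), and the peer list is the fallback when, as in the post, the origin AS does not respond: an upstream that carries the prefix can often reach the right NOC faster than a cold abuse mailbox.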