[nsp-sec] Credential dropbox at AS 5413 ??
Christoph Sprongl
ch at it-austria.net
Wed Sep 16 02:42:37 EDT 2009
replied off-list.
christoph
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greetings,
>
> I had a trusted source tell me that they have seen several phishing
> emails with a phishing form dropbox at:
>
> hxxp://www.updateserver2009.com
>
> (Online as of 10:45 PM EDT)
>
> This person says they are having trouble getting anyone to respond to
> their take down requests.
>
> Unfortunately I do not have any example emails but looking at the web
> page, it is not a big leap to say this is probably a phishing dropbox.
>
> Do we have any contacts at AS 5413 that could investigate and if it is
> indeed a phishing dropbox get this taken down?
>
> *****
>
>> whois updateserver2009.com
>>
>> Whois Server Version 2.0
>>
>> Domain names in the .com and .net domains can now be registered
>> with many different competing registrars. Go to http://www.internic.net
>> for detailed information.
>>
>> Domain Name: UPDATESERVER2009.COM
>> Registrar: TUCOWS INC.
>> Whois Server: whois.tucows.com
>> Referral URL: http://domainhelp.opensrs.net
>> Name Server: NS.123-REG.CO.UK
>> Name Server: NS2.123-REG.CO.UK
>> Status: clientTransferProhibited
>> Status: clientUpdateProhibited
>> Updated Date: 23-aug-2009
>> Creation Date: 23-aug-2009
>> Expiration Date: 23-aug-2010
>>
>>>>> Last update of whois database: Wed, 16 Sep 2009 02:41:51 UTC <<<
>
> *****
>
>> dig www.updateserver2009.com
>>
>> ; <<>> DiG 9.5.1-P3 <<>> www.updateserver2009.com
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14993
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.updateserver2009.com. IN A
>>
>> ;; ANSWER SECTION:
>> www.updateserver2009.com. 86137 IN A 194.154.164.82
>>
>> ;; Query time: 61 msec
>> ;; SERVER: x.x.x.x#53(x.x.x.x)
>> ;; WHEN: Tue Sep 15 22:38:11 2009
>> ;; MSG SIZE rcvd: 58
>
> *****
>
>> whois -h whois.cymru.com 194.154.164.82
>> AS | IP | AS Name
>> 5413 | 194.154.164.82 | AS5413 GX Networks
>
> *****
>
>> whois -h peer.whois.cymru.com 194.154.164.82
>> PEER_AS | IP | AS Name
>> 1299 | 194.154.164.82 | TELIANET TeliaNet Global Network
>> 3356 | 194.154.164.82 | LEVEL3 Level 3 Communications
>> 10310 | 194.154.164.82 | YAHOO-1 - Yahoo!
>> 15606 | 194.154.164.82 | NASK-TRANSIT NASK Transit AS
>
> *****
>
> Thank you
>
> Gabe
>
> - --
> Gabriel Iovino
> Principal Security Engineer, REN-ISAC
> http://www.ren-isac.net
> 24x7 Watch Desk +1(317)278-6630
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkqwUiIACgkQwqygxIz+pTsGEQCgwlTovr63C4qMbZ+36NeEG43T
> fAQAoL/IL/9QX5ZG2dDoo2YcPzJ09I/G
> =9QPL
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
>
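The quoted message walks through the usual triage chain for a reported dropbox: registrar whois for the domain, dig for the A record, then the Team Cymru IP-to-ASN service for the origin AS and its upstream peers. The following is an added example, not code from the thread or from REN-ISAC, that turns that raw output into one structured record so a take-down request carries every identifier at once (registrar, nameserver provider, hosting AS, upstreams, resolved IP, domain age). The sample whois, dig and Cymru text is constructed from the output quoted above; the 30-day "newly registered" threshold is an assumption for illustration, not something the thread states.

```python
"""Parse registrar whois, dig and Team Cymru output into one triage record.

Added example: input text is constructed from the output quoted in the thread.
"""
import re
from datetime import datetime, timezone

# Constructed sample input: registrar whois as quoted in the thread.
WHOIS_OUTPUT = """\
   Domain Name: UPDATESERVER2009.COM
   Registrar: TUCOWS INC.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net
   Name Server: NS.123-REG.CO.UK
   Name Server: NS2.123-REG.CO.UK
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 23-aug-2009
   Creation Date: 23-aug-2009
   Expiration Date: 23-aug-2010

>>> Last update of whois database: Wed, 16 Sep 2009 02:41:51 UTC <<<
"""

# Constructed sample input: the relevant sections of the dig output.
DIG_OUTPUT = """\
;; QUESTION SECTION:
;www.updateserver2009.com.  IN  A

;; ANSWER SECTION:
www.updateserver2009.com. 86137 IN A 194.154.164.82

;; Query time: 61 msec
"""

# Constructed sample input: whois -h whois.cymru.com / peer.whois.cymru.com replies.
CYMRU_ORIGIN = """\
AS      | IP               | AS Name
5413    | 194.154.164.82   | AS5413 GX Networks
"""
CYMRU_PEERS = """\
PEER_AS | IP               | AS Name
1299    | 194.154.164.82   | TELIANET TeliaNet Global Network
3356    | 194.154.164.82   | LEVEL3 Level 3 Communications
10310   | 194.154.164.82   | YAHOO-1 - Yahoo!
15606   | 194.154.164.82   | NASK-TRANSIT NASK Transit AS
"""

NEW_DOMAIN_DAYS = 30  # assumption: registrations younger than this are flagged


def parse_whois(text):
    """Collect 'Key: value' fields; repeated keys (Name Server, Status) become lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s+(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields


def parse_whois_timestamp(text):
    """Return the 'Last update of whois database' time as an aware UTC datetime."""
    m = re.search(r"Last update of whois database:\s+(.+?)\s+<<<", text)
    return datetime.strptime(m.group(1), "%a, %d %b %Y %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_dig_answers(text):
    """Return (name, ttl, type, rdata) tuples from the ANSWER SECTION only."""
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";") or not line.strip():
            in_answer = False  # comment, another section header, or blank line
            continue
        if in_answer:
            name, ttl, _klass, rtype, rdata = line.split()
            answers.append((name.rstrip("."), int(ttl), rtype, rdata))
    return answers


def parse_cymru(text):
    """Parse the pipe-delimited Team Cymru reply; the first row names the columns."""
    rows = [[c.strip() for c in line.split("|")] for line in text.splitlines() if line.strip()]
    return [dict(zip(rows[0], r)) for r in rows[1:]]


def triage(hostname, whois_text, dig_text, origin_text, peers_text):
    """Combine the four lookups into one record for a take-down request."""
    w = parse_whois(whois_text)
    created = datetime.strptime(w["Creation Date"][0], "%d-%b-%Y").replace(tzinfo=timezone.utc)
    age_days = (parse_whois_timestamp(whois_text) - created).days
    ips = [rd for name, _ttl, rtype, rd in parse_dig_answers(dig_text)
           if rtype == "A" and name == hostname]
    origin, peers = parse_cymru(origin_text), parse_cymru(peers_text)
    return {
        "hostname": hostname,
        "domain": w["Domain Name"][0].lower(),
        "registrar": w["Registrar"][0],
        "nameservers": [ns.lower() for ns in w["Name Server"]],
        "ips": ips,
        "origin_asns": sorted({int(r["AS"]) for r in origin if r["IP"] in ips}),
        "as_names": {int(r["AS"]): r["AS Name"] for r in origin},
        "upstream_asns": sorted({int(r["PEER_AS"]) for r in peers if r["IP"] in ips}),
        "domain_age_days": age_days,
        "newly_registered": age_days < NEW_DOMAIN_DAYS,
    }


if __name__ == "__main__":
    for k, v in triage("www.updateserver2009.com", WHOIS_OUTPUT, DIG_OUTPUT,
                       CYMRU_ORIGIN, CYMRU_PEERS).items():
        print(f"{k}: {v}")
```

The record lists every party that can act: the registrar and the nameserver operator for the domain, the origin AS for the host, and the upstream ASes as an escalation path if the origin does not respond, which is the situation the message describes. Domain age is derived from the whois timestamps on the page rather than the local clock, so the result is reproducible from the pasted output alone.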