[nsp-sec] phishing icm.edu.pl
Rob Thomas
robt at cymru.com
Fri Jan 29 14:29:47 EST 2010
Hi, team.
William, apologies for the whois hiccup. Someone is hitting it fairly
hard and we're working on that.
> webmail-helpdesk-usersupport3 at sogomail.com
>
> sogomail.com. 7200 IN A 97.74.180.1
AS    | IP          | BGP Prefix     | CC | Registry | Allocated  | AS Name
26496 | 97.74.180.1 | 97.74.180.0/22 | US | arin     | 2008-08-14 | PAH-INC - GoDaddy.com, Inc.

[upstream-whois.cymru.com]
PEER_AS | IP          | BGP Prefix     | CC | Registry | Allocated  | AS Name
209     | 97.74.180.1 | 97.74.180.0/22 | US | arin     | 2008-08-14 | ASN-QWEST - Qwest Communications Company, LLC
3356    | 97.74.180.1 | 97.74.180.0/22 | US | arin     | 2008-08-14 | LEVEL3 Level 3 Communications
3549    | 97.74.180.1 | 97.74.180.0/22 | US | arin     | 2008-08-14 | GBLX Global Crossing Ltd.
6461    | 97.74.180.1 | 97.74.180.0/22 | US | arin     | 2008-08-14 | MFNX MFN - Metromedia Fiber Network
97.74.180.1 has been connecting to hosts on the realunix.net network.
That's probably not a good sign.
Thanks,
Rob.
> ;; WHEN: Fri Jan 29 11:52:15 2010
>
> I'd report the ASN and peer, but both v4.whois.cymru.com and
> v4-peer.whois.cymru.com are timing out!
>
> ===
>
> Received: from gharial.ui.ac.id ([152.118.24.49]:53643 "EHLO
> gharial.ui.ac.id"
> rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
> id S1752022Ab0A2QAd convert rfc822-to-8bit (ORCPT
> <rfc822;netdev at vger.kernel.org>); Fri, 29 Jan 2010 11:00:33 -0500
> X-Greylist: delayed 408 seconds by postgrey-1.27 at vger.kernel.org;
> Fri, 29 Jan 2010 11:00:32 EST
> Received: from localhost (unknown [152.118.24.147])
> by gharial.ui.ac.id (Postfix) with ESMTP id C20681CA26A;
> Fri, 29 Jan 2010 22:52:44 +0700 (WIT)
> X-Virus-Scanned: Debian amavisd-new at kadal.ui.ac.id
> Received: from gharial.ui.ac.id ([152.118.24.49])
> by localhost (kadal.ui.ac.id [152.118.24.147]) (amavisd-new, port
> 10024)
> with ESMTP id kk-4gxK6ROd4; Fri, 29 Jan 2010 22:53:28 +0700 (WIT)
> Received: from smtp.ui.ac.id (localhost [127.0.0.1])
> by gharial.ui.ac.id (Postfix) with ESMTP id C6B0B1CA0F5;
> Fri, 29 Jan 2010 22:52:36 +0700 (WIT)
> Received: from smtp.ui.ac.id ([152.118.24.129] helo=smtp.ui.ac.id) by
> gharial.ui.ac.id; 29 Jan 2010 22:52:36 +0700
> Received: from smtp.ui.ac.id (localhost [127.0.0.1])
> by smtp.ui.ac.id (Postfix) with ESMTP id C06BD2890;
> Fri, 29 Jan 2010 22:53:28 +0700 (WIT)
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=ui.ac.id; h=message-id
> :date:subject:from:reply-to:mime-version:content-type:to:
> content-transfer-encoding; s=mail; bh=jCHCoOXJW/Dw8LGyDU5t6AV8WX
> M=; b=OxtAlJ/twYLKJ9CEnDW6A1qkICKfPUKOmNWR2R9Lhbq2Qlhwoo6rXZBuvX
> hyrVvmWLDrP6Od8RGYZA21fdx7nt3vcdMBpx1X9lfT1hv2bseBsZTV6dQKfmYmfb
> tgoFkhhgi9S8eW5tXiciniALu7LReDtJpM3lbAzFqIDsYQkrU=
> DomainKey-Signature: a=rsa-sha1; c=nofws; d=ui.ac.id; h=message-id:date
> :subject:from:reply-to:mime-version:content-type:to:
> content-transfer-encoding; q=dns; s=mail; b=xSmOf0hvlu4UBnl5Isc0
> YLkUhyXUK1j3ErsL2RIo69oXnXtDUE6+27eZmwuh9HyjH+HXQBeMQeL4GQHQXAHz
> aakxiqyA7W5dnMyJrIpZzFDNL2Tm5CZV9T3EPpvS7tisG7pk5p4A4S3YICireE75
> 0ZbUzJva2SkRHIyWYMvFT+4=
> Received: from webmail.ui.ac.id (alumni.ui.ac.id [152.118.24.119])
> (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
> (No client certificate requested)
> (Authenticated sender: budiarso)
> by smtp.ui.ac.id (Postfix) with ESMTPSA id 0F51CF9D;
> Fri, 29 Jan 2010 22:53:28 +0700 (WIT)
> Received: from 78.138.3.237
> (SquirrelMail authenticated user budiarso)
> by webmail.ui.ac.id with HTTP;
> Fri, 29 Jan 2010 15:53:27 -0000
> Message-ID: <bef7a7e00028828e8f22d56da177a03e.squirrel at webmail.ui.ac.id>
> Date: Fri, 29 Jan 2010 15:53:27 -0000
> Subject: Dear User
> From: "Strona Glowna - icm.edu.pl Webmail Support Center"
> <budiarso at ui.ac.id>
> Reply-To: webmail-helpdesk-usersupport3 at sogomail.com
> User-Agent: SquirrelMail/1.4.19
> MIME-Version: 1.0
> Content-Type: text/plain;charset=iso-8859-1
> X-Priority: 3 (Normal)
> Importance: Normal
> To: undisclosed-recipients:;
> Content-Transfer-Encoding: 8BIT
> Sender: netdev-owner at vger.kernel.org
> Precedence: bulk
> List-ID: <netdev.vger.kernel.org>
> X-Mailing-List: netdev at vger.kernel.org
>
> Welcome to Strona Główna - icm.edu.pl Webmail Service.........
>
> This is to inform you that your (ICM UW Mail) is infected by virus and we
> need you to assist us in solving the virus problem, so that we can protect
> your e-mail account.
>
> Verify the below informations and send it back to us immediately. You have
> only 24 hours to get these informations to us or your email account will
> be disabled to protect other email accounts.
>
> Webmail Account Verification:
> *.Full Names:.......
> *.Email:................
> *.UserID:.........
> *.Password:..........
> *.Phone no:...........
>
> Thank you for using https://webmail.icm.edu.pl/src/login.php
> Copyright ©2009 Strona Glowna - icm.edu.pl Webmail Support Center
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
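An added triage script, not code from Rob's or William's messages, that does the two things this thread does by hand: it walks the Received: chain of the quoted phish bottom-up to find the authenticated submission hop (the compromised ui.ac.id webmail account and the 78.138.3.237 client that logged in to it, as opposed to the MTAs that merely relayed it), and it builds and parses the Team Cymru DNS-based IP-to-ASN lookup, which is the fallback when the whois servers are timing out as they were here. The header block is copied from the quoted message; the TXT answers are constructed from the whois output above, shaped like the origin.asn.cymru.com, AS<n>.asn.cymru.com and peer.asn.cymru.com records as documented; all function names are my own.

```python
"""Phish triage helpers: Received: chain walk and Team Cymru DNS ASN lookup."""
import email
import ipaddress
import re

# Received: chain copied from the quoted phish, folded like a real header block.
SAMPLE_HEADERS = """\
Received: from gharial.ui.ac.id ([152.118.24.49]:53643 "EHLO gharial.ui.ac.id"
    rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
    id S1752022Ab0A2QAd convert rfc822-to-8bit (ORCPT
    <rfc822;netdev@vger.kernel.org>); Fri, 29 Jan 2010 11:00:33 -0500
Received: from localhost (unknown [152.118.24.147])
    by gharial.ui.ac.id (Postfix) with ESMTP id C20681CA26A;
    Fri, 29 Jan 2010 22:52:44 +0700 (WIT)
Received: from gharial.ui.ac.id ([152.118.24.49])
    by localhost (kadal.ui.ac.id [152.118.24.147]) (amavisd-new, port 10024)
    with ESMTP id kk-4gxK6ROd4; Fri, 29 Jan 2010 22:53:28 +0700 (WIT)
Received: from smtp.ui.ac.id (localhost [127.0.0.1])
    by gharial.ui.ac.id (Postfix) with ESMTP id C6B0B1CA0F5;
    Fri, 29 Jan 2010 22:52:36 +0700 (WIT)
Received: from smtp.ui.ac.id ([152.118.24.129] helo=smtp.ui.ac.id) by
    gharial.ui.ac.id; 29 Jan 2010 22:52:36 +0700
Received: from smtp.ui.ac.id (localhost [127.0.0.1])
    by smtp.ui.ac.id (Postfix) with ESMTP id C06BD2890;
    Fri, 29 Jan 2010 22:53:28 +0700 (WIT)
Received: from webmail.ui.ac.id (alumni.ui.ac.id [152.118.24.119])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    (Authenticated sender: budiarso)
    by smtp.ui.ac.id (Postfix) with ESMTPSA id 0F51CF9D;
    Fri, 29 Jan 2010 22:53:28 +0700 (WIT)
Received: from 78.138.3.237
    (SquirrelMail authenticated user budiarso)
    by webmail.ui.ac.id with HTTP;
    Fri, 29 Jan 2010 15:53:27 -0000
"""

IPV4 = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')
FROM_BY = re.compile(r'^from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)', re.I)
AUTH = re.compile(r'(?:Authenticated sender|authenticated user)[: ]+(\S+?)\)', re.I)


def parse_received(raw_headers):
    """Return the Received: hops, top (final MTA) to bottom (origin), with the
    connecting client's non-loopback IPs and any authenticated account."""
    hops = []
    for value in email.message_from_string(raw_headers).get_all('Received', []):
        value = ' '.join(value.split())            # unfold continuation lines
        m = FROM_BY.match(value)
        from_part = m.group('frm') if m else value  # only the client side of the hop
        ips = []
        for ip in IPV4.findall(from_part):
            try:
                if not ipaddress.ip_address(ip).is_loopback:
                    ips.append(ip)
            except ValueError:
                pass                                # e.g. a 999.1.1.1 artefact
        auth = AUTH.search(value)
        hops.append({'by': m.group('by').rstrip(';') if m else None,
                     'from_ips': ips,
                     'auth_user': auth.group(1) if auth else None})
    return hops


def find_injection_point(hops):
    """Walk from the origin upward: the first hop carrying an authenticated
    submission is where the mail entered the system, so its client IP and
    account are the compromised login rather than a relaying MTA."""
    for hop in reversed(hops):
        if hop['auth_user'] and hop['from_ips']:
            return hop['from_ips'][0], hop['auth_user']
    return None


# Team Cymru IP-to-ASN over DNS (TXT records, no TCP whois needed):
#   <reversed IPv4>.origin.asn.cymru.com     asn | prefix | cc | registry | allocated
#   <reversed nibbles>.origin6.asn.cymru.com same layout for IPv6
#   AS<n>.asn.cymru.com                      asn | cc | registry | allocated | name
#   <reversed IPv4>.peer.asn.cymru.com       peer asns | prefix | cc | registry | allocated
ORIGIN_FIELDS = ('asn', 'prefix', 'cc', 'registry', 'allocated')
ASN_FIELDS = ('asn', 'cc', 'registry', 'allocated', 'as_name')
PEER_FIELDS = ('asn', 'prefix', 'cc', 'registry', 'allocated')


def cymru_origin_name(ip):
    """DNS name whose TXT record gives the origin ASN of `ip` (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return addr.reverse_pointer[:-len('.in-addr.arpa')] + '.origin.asn.cymru.com'
    return addr.reverse_pointer[:-len('.ip6.arpa')] + '.origin6.asn.cymru.com'


def parse_cymru_txt(txt, fields):
    """Split a quoted 'a | b | c' TXT answer into a dict; the first field may
    hold several ASNs (multi-origin prefix, or a peer list), so it becomes a list."""
    parts = [p.strip() for p in txt.strip().strip('"').split('|')]
    if len(parts) != len(fields):
        raise ValueError('unexpected Cymru record: %r' % txt)
    rec = dict(zip(fields, parts))
    rec['asn'] = rec['asn'].split()
    return rec


# Constructed answers, filled in from the whois output in Rob's message.
ORIGIN_TXT = '"26496 | 97.74.180.0/22 | US | arin | 2008-08-14"'
ASN_TXT = '"26496 | US | arin | 2008-08-14 | PAH-INC - GoDaddy.com, Inc."'
PEER_TXT = '"209 3356 3549 6461 | 97.74.180.0/22 | US | arin | 2008-08-14"'

if __name__ == '__main__':
    print('injection point:', find_injection_point(parse_received(SAMPLE_HEADERS)))
    print('query:', cymru_origin_name('97.74.180.1'))
    for txt, f in ((ORIGIN_TXT, ORIGIN_FIELDS), (ASN_TXT, ASN_FIELDS), (PEER_TXT, PEER_FIELDS)):
        print(parse_cymru_txt(txt, f))
```

The injection-point rule deliberately ignores hops with only loopback addresses and hops without an authenticated account, so the amavisd and Postfix self-relays in the middle of the chain do not get reported as the source; in a live lookup, replace the constructed TXT strings with the answer from a resolver query for the name `cymru_origin_name()` returns.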