[nsp-sec] Phishing landing site at AS 21788 and AS 46475

Daniel Robert Adinolfi dra1 at cornell.edu
Fri Sep 10 13:08:45 EDT 2010


Folks,

We got hit with a directed phish this morning.  The script that runs when a user puts their username and password into the bogus site was:

<hxxp://999server-ssl.site50.net/auth7.php>

host 999server-ssl.site50.net
999server-ssl.site50.net has address 64.191.114.182
999server-ssl.site50.net mail is handled by 0 mx.000webhost.com.
NetRange:       64.191.0.0 - 64.191.127.255
CIDR:           64.191.0.0/17
OriginAS:
NetName:        HOSTNOC-3BLK
NetHandle:      NET-64-191-0-0-1
Parent:         NET-64-0-0-0-0
NetType:        Direct Allocation
NameServer:     NS2.HOSTNOC.NET
NameServer:     NS1.HOSTNOC.NET
Comment:        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:        2002-05-31
Updated:        2003-08-08
Ref:            http://whois.arin.net/rest/net/NET-64-191-0-0-1

OrgName:        Network Operations Center Inc.
OrgId:          NOC
Address:        PO Box 591
City:           Scranton
StateProv:      PA
PostalCode:     18501-0591
Country:        US
RegDate:        2001-04-04
Updated:        2010-03-30
Comment:        Abuse Dept: abuse at hostnoc.net
Ref:            http://whois.arin.net/rest/org/NOC

AS      | IP               | AS Name
21788   | 64.191.114.182   | NOC - Network Operations Center Inc.
PEER_AS | IP               | AS Name
174     | 64.191.114.182   | COGENT Cogent/PSI
2828    | 64.191.114.182   | XO-AS15 - XO Communications
3491    | 64.191.114.182   | BTN-ASN - Beyond The Network America, Inc.
4565    | 64.191.114.182   | MEGAPATH2-US - MegaPath Networks Inc.
6939    | 64.191.114.182   | HURRICANE - Hurricane Electric, Inc.

Can someone from NOC or someone who knows someone from NOC please destroy this site?

The link that was sent out to our folks was located here:

web2-login-cornell.freevar.com has address 69.162.85.141
AS      | IP               | AS Name
46475   | 69.162.85.141    | LIMESTONENETWORKS - Limestone Networks, Inc.
[namshub:~] dra1% asn-upstream 69.162.85.141
PEER_AS | IP               | AS Name
1299    | 69.162.85.141    | TELIANET TeliaNet Global Network
3561    | 69.162.85.141    | SAVVIS - Savvis

If there are any contacts at AS 46475 that can zot that site too, the world would be grateful.

Thanks.

-Dan


_________________
Daniel Adinolfi, CISSP - AS 26
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 at cornell.edu   phone: 607-255-7657
