Wednesday, April 26, 2006

 Question from bigmoney

 Question from bigmoney
Item: (6852613597)
This message was sent while the listing was active.
bigmoney is a potential buyer.
What is the last price for this Item?

Respond to this question in My Messages.
Respond Now

Item Details
Item number: 6852613597
End date: Mar-01-06 18:33:23 PST
View item description:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=7387869660&sspagename=ADME:B:AAQ:US:1
Thank you for using eBay!
http://www.ebay.com/

http://1088880691/%20/signin.ebay.com/ws/eBayISAPI/index.html

IP 64.231.0.51 is decimal 1088880691.
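The decimal host is the whole trick: a browser accepts `1088880691` as a 32-bit integer address, while the victim's eye lands on `signin.ebay.com` in the path. Below is an added Python example (not code from the original post) that converts between the two forms and pulls out the host a browser would actually connect to; the function names, and the hex and `user@host` variants it also handles, are my own assumptions for illustration.

```python
"""Decode the integer-IP host obfuscation used in the phishing URL above (added example)."""
from urllib.parse import urlsplit
import ipaddress


def decimal_from_ip(dotted: str) -> int:
    """'64.231.0.51' -> 1088880691, the integer form a browser accepts as a host."""
    return int(ipaddress.IPv4Address(dotted))


def ip_from_decimal(n: int) -> str:
    """1088880691 -> '64.231.0.51'."""
    return str(ipaddress.IPv4Address(n))


def normalize_host(host: str) -> str:
    """Turn a bare-integer host (decimal, 0x hex, or 0-prefixed octal) into dotted-quad.

    Ordinary hostnames and already-dotted addresses are returned unchanged (lower-cased).
    The hex/octal handling is an assumption about what browsers accept, not from the post.
    """
    h = host.strip().lower()
    try:
        if h.startswith("0x"):
            return ip_from_decimal(int(h, 16))
        if h.isdigit():
            base = 8 if (h.startswith("0") and len(h) > 1) else 10
            return ip_from_decimal(int(h, base))
    except ValueError:  # not a valid 32-bit integer form; AddressValueError is a ValueError
        pass
    return h


def real_host(url: str) -> str:
    """The host the browser resolves, ignoring everything after '/' and any 'userinfo@'."""
    parts = urlsplit(url)
    # .hostname strips userinfo and port, so "signin.ebay.com@1088880691" also
    # yields the integer host rather than the brand name stuffed before the '@'.
    return normalize_host(parts.hostname or "")


def brand_in_wrong_place(url: str, brand_domain: str) -> bool:
    """True when the brand's domain appears in the URL but the real host is not under it."""
    host = real_host(url)
    under_brand = host == brand_domain or host.endswith("." + brand_domain)
    return (brand_domain in url.lower()) and not under_brand


if __name__ == "__main__":
    phish = "http://1088880691/%20/signin.ebay.com/ws/eBayISAPI/index.html"  # URL from the post
    print(decimal_from_ip("64.231.0.51"))          # 1088880691
    print(real_host(phish))                        # 64.231.0.51
    print(brand_in_wrong_place(phish, "ebay.com"))  # True
```

`urlsplit` does the structural work: the path (where `signin.ebay.com` sits here) and any `userinfo@` prefix never reach the host, so whatever survives in `hostname` is what gets resolved and connected to. Feeding that through `normalize_host` gives a dotted-quad you can hand to a WHOIS or reverse-DNS lookup exactly as the post does next.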

IP address: 64.231.0.51
Reverse DNS: [No reverse DNS entry per ns3.bellglobal.com.]
Reverse DNS authenticity: [Unknown]
ASN: 577
ASN Name: BACOM
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): CA [Canada]
Country Currency: CAD [Canada Dollars]
Country IP Range: 64.228.0.0 to 64.231.255.255
Country fraud profile: Normal
City (per outside source): Toronto, Ontario

That's a BellCanada IP block:
Bell Canada BELLCANADA-5 (NET-64-228-0-0-1) 64.228.0.0 - 64.231.255.255
Bell Nexxia (HSE) NEXXIAJ10-CA (NET-64-231-0-0-1) 64.231.0.0 - 64.231.95.255

No WHOIS records exist for this IP, and there was no reverse DNS information I could glean.
It is probably a personal computer that has been hacked, and is under someone else's control.

Time for us to take a collection and buy this poor sucker a firewall. Any donations?

Here is a port scan. Our scammer box is infected with the W32.MyDoom virus, like many other hosts.

This is probably the vector for the exploit. I see this on lots of other targets.
I suspect that may be the port that receives control messages.
Also it's running the Half-Life engine (port 27015)! Lots of other exploited servers are as well.
The HTTP daemon is Apache and returns the ID Celestix celnx. Hmmm, who could that be, I wonder?

Whatever, let's take them down. I called up phishfighing.com and pasted the URL in. Nothing happened!
Whatever this one is doing, nothing shows up in the username/password box.
He may be actively blocking phishfighing.com because that will poison their list of victims.

Let's see if I can email the ISP and have this box shut down.
