Wednesday, May 10, 2006

Romania emailed me with some pfresh phish!

Oh dear, another eBay unpaid item dispute today! Whatever shall I do.

Here is the latest scam to hit my inbox today.

Looks like the client sending this is in Romania, going by the innermost Received: header (the hop that logged in to server3.unifiedns.com with "esmtpa"): 86-107-49-159.asconet.ro (86.107.49.159)


X-Apparently-To: mrlinuxhead@yahoo.com via 68.142.200.99; Wed, 10 May 2006 17:26:38 -0700
X-Originating-IP: [63.247.69.130]
Return-Path:
Authentication-Results: mta180.mail.re4.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 63.247.69.130 (EHLO server3.unifiedns.com) (63.247.69.130) by mta180.mail.re4.yahoo.com with SMTP; Wed, 10 May 2006 17:26:36 -0700
Received: from 86-107-49-159.asconet.ro ([86.107.49.159] helo=User) by server3.unifiedns.com with esmtpa (Exim 4.52) id 1Fdz0J-0006v8-EQ; Wed, 10 May 2006 20:26:07 -0400
Reply-to:
From: "eBay"
Subject: eBay Unpaid Item Dispute #4870988286 -- response required
Date: Thu, 11 May 2006 03:27:55 +0300
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server3.unifiedns.com
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - ebay.com
X-Source:
X-Source-Args:
X-Source-Dir:
Content-Length: 688

eBay Unpaid Item Dispute #4870988286 -- response required


Dear member,

eBay member alkaza has indicated that they already paid for item #4870988286

Review the submitted details regarding the payment.

Regards,
eBay International AG

Here is the URL the scammers are using:
http://shop.whg-walzstahl.de/.sign/eBayISAPI.dllSignInco_partnerIdpUserIdsiteidpageTypepa1i1bshowgifUsingSSL862984con462msgMNSIEhufem37ajhd84Sllencrypt378/signin.ebay.com/
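Before chasing the whois records, here is an added example (my own code, not part of the original post) that pulls the two facts that matter out of the headers and URL above, and works the same way on the octelecom mail further down: it walks the Received: chain oldest-first to find the injecting client, checks whether any relay belongs to the domain the mail claims, and shows that the URL's real host is whatever sits before the first slash, not the "signin.ebay.com" stuffed into the path. The sample headers are copied from the post; nothing else is assumed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the three header lines that matter from the "Unpaid
# Item Dispute" mail quoted above, copied as they appear in the post.
SAMPLE_HEADERS = """\
Authentication-Results: mta180.mail.re4.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 63.247.69.130 (EHLO server3.unifiedns.com) (63.247.69.130) by mta180.mail.re4.yahoo.com with SMTP; Wed, 10 May 2006 17:26:36 -0700
Received: from 86-107-49-159.asconet.ro ([86.107.49.159] helo=User) by server3.unifiedns.com with esmtpa (Exim 4.52) id 1Fdz0J-0006v8-EQ; Wed, 10 May 2006 20:26:07 -0400
"""
PHISH_URL = ("http://shop.whg-walzstahl.de/.sign/eBayISAPI.dllSignInco_partnerIdpUserIdsiteid"
             "pageTypepa1i1bshowgifUsingSSL862984con462msgMNSIEhufem37ajhd84Sllencrypt378"
             "/signin.ebay.com/")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOP = re.compile(r"from\s+(\S+)\s+(.*?)\s+by\s+(\S+)\s+with\s+(\w+)", re.I)

def received_chain(headers):
    """Hops oldest-first as (from_host, from_ip, by_host, authenticated).
    Every MTA prepends its own Received: line, so the last one in the text
    is the first hop; reversing gives the path the mail really took."""
    hops = []
    for line in headers.splitlines():
        m = HOP.search(line) if line.lower().startswith("received:") else None
        if m:
            ip = IPV4.search(m.group(2))
            # Exim logs "esmtpa" when the client logged in, so that relay
            # holds an account for the sender and can identify it.
            hops.append((m.group(1), ip.group(0) if ip else None, m.group(3),
                         m.group(4).lower() in ("esmtpa", "esmtpsa")))
    return list(reversed(hops))

def claimed_sender_domain(headers):
    m = re.search(r"from=([\w.-]+)", headers)
    return m.group(1).lower() if m else None

def sender_domain_in_path(headers):
    """False when no relay in the chain belongs to the claimed domain."""
    dom = claimed_sender_domain(headers)
    return any(h.lower().endswith(dom) for hop in received_chain(headers)
               for h in (hop[0], hop[2]))

def real_host(url):
    """The host a browser actually connects to, whatever the path says."""
    return urlsplit(url).hostname

def brand_only_in_path(url, brand="ebay.com"):
    """The trick in the URL above: brand name in the path, not the host."""
    p = urlsplit(url)
    return brand in p.path.lower() and not p.hostname.lower().endswith(brand)
```

The oldest hop, received_chain(SAMPLE_HEADERS)[0], is the Romanian client, and the authenticated flag on it is why postmaster@unifiedns.com belongs on the complaint list.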


Let's look these up.

Client is here:
http://www.dnsstuff.com/tools/ipall.ch?domain=86.107.49.159

IP address: 86.107.49.159
Reverse DNS: 86-107-49-159.asconet.ro.
Reverse DNS authenticity: [Verified]
ASN: 0
ASN Name: IANA-RSVD-0
IP range connectivity: 0
Registrar (per ASN): Unknown
Country (per IP registrar): RO [Romania]
Country Currency: ROL [Romania Lei]
Country IP Range: 86.104.0.0 to 86.107.255.255
Country fraud profile: High

ISP info in Romania as follows:

inetnum: 86.107.48.0 - 86.107.55.255
netname: SC-ASCO-SYSTEMS-SRL
descr: SC Asco Systems SRL
descr: Calea Dumbravii nr.89
descr: Sibiu 550399 Romania
country: ro
admin-c: AN951-RIPE
tech-c: AN951-RIPE
status: ASSIGNED PA
remarks: Registered trough http://www.jump.ro/ip.html
mnt-by: RO-MNT
mnt-lower: RO-MNT
mnt-routes: ASCONET-MNT
changed: hostmaster@jump.ro 20051114
source: RIPE

role: Asconet NOC
address: Calea Dumnbravii nr.89
address: 550399 Sibiu, Romania
phone: +40269233914
phone: +40369591003
phone: +40788327170
fax-no: +40269214505
org: ORG-AA80-RIPE
e-mail: tech@asconet.ro
admin-c: EC655-RIPE
admin-c: OC297-RIPE
admin-c: SL1371-RIPE
tech-c: EC655-RIPE
tech-c: OC297-RIPE
nic-hdl: AN951-RIPE
remarks: Spam mail/news complaints: abuse@asconet.ro
remarks: Security complaints: abuse@asconet.ro
remarks: Call center (24x7) +40269233914
abuse-mailbox: abuse@asconet.ro
notify: tech@asconet.ro
mnt-by: ASCONET-MNT
changed: hostmaster@asconet.ro 20031009
changed: hostmaster@asconet.ro 20031010
changed: hostmaster@asconet.ro 20040724
changed: hostmaster@asconet.ro 20051016
source: RIPE

% Information related to '86.107.48.0/21AS29523'

route: 86.107.48.0/21
descr: Asco Networks
origin: AS29523
mnt-by: ASCONET-MNT
changed: hostmaster@asconet.ro 20051115
source: RIPE

The email server is server3.unifiedns.com (63.247.69.130)
Link is here: http://www.dnsstuff.com/tools/ipall.ch?domain=63.247.69.130

WHOIS info for this netblock is:
OrgName: Global Net Access, LLC
OrgID: GNAL-2
Address: 55 Marietta St, NW
Address: Suite 1720
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US

ReferralServer: rwhois://rwhois.gnax.net:4321

NetRange: 63.247.64.0 - 63.247.95.255
CIDR: 63.247.64.0/19
NetName: GNAXNET
NetHandle: NET-63-247-64-0-1
Parent: NET-63-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.GNAX.NET
NameServer: DNS2.GNAX.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment: ********************************************
Comment: Reassignment information for this block is
Comment: available at rwhois.gnax.net port 4321
Comment: ********************************************
RegDate: 2003-04-11
Updated: 2004-02-06

OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-404-230-9150
OrgAbuseEmail: abuse@gnax.net

WHOIS info on server3.unifiedns.com is locked. Don't know who owns the domain...


And the web server that's serving up this tasty phish treat is here:

http://www.dnsstuff.com/tools/ipall.ch?domain=83.236.133.102


IP address: 83.236.133.102
Reverse DNS: port-83-236-133-102.static.qsc.de.
Reverse DNS authenticity: [Verified]
ASN: 20676
ASN Name: QSC-1 (QSC AG)
IP range connectivity: 4
Registrar (per ASN): RIPE
Country (per IP registrar): DE [Germany]
Country Currency: EUR [euros]
Country IP Range: 83.236.0.0 to 83.236.255.255
Country fraud profile: Normal
City (per outside source): Frankfurt, Hessen
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
Link for WHOIS: 83.236.133.102

http://shop.whg-walzstahl.de/.sign/eBayISAPI.dllSignInco_partnerIdpUserIdsiteidpageTypepa1i1bshowgifUsingSSL862984con462msgMNSIEhufem37ajhd84Sllencrypt378/signin.ebay.com/

Here is a port scan. It's running Apache on Suse Linux.



The web server (shop.whg-walzstahl.de) resolves to 83.236.133.102

http://www.dnsstuff.com/tools/ipall.ch?domain=83.236.133.102

This is the domain info:


Domain: whg-walzstahl.de
Nserver: ns01.qsc.de
Nserver: ns02.qsc.de
Status: connect
Changed: 2005-12-03T07:18:29+01:00

[Holder]
Type: PERSON
Name: The Company
Address: WHG WALZSTAHL Handels GmbH&Co. KG
Address: Uferstr. 14
Pcode: 45881
City: Gelsenkirchen
Country: DE
Changed: 2005-12-03T06:58:06+01:00

[Admin-C]
Type: PERSON
Name: Renate Behrs
Address: WHG WALZSTAHL Handels GmbH&Co. KG
Address: Uferstr. 14
Pcode: 45881
City: Gelsenkirchen
Country: DE
Changed: 2005-12-02T21:19:07+01:00

[Tech-C][Zone-C]
Type: PERSON
Name: The BDSL-Support
Address: QSC AG
Address: Mathias-Brueggen-Str. 55
Pcode: 50829
City: Koeln
Country: DE
Phone: +4942120259876
Fax: +494212025969
Email: bdsl-support@qsc.de
Changed: 2005-09-07T09:05:08+02:00


And this is the netblock information:

inetnum: 83.236.133.102 - 83.236.133.102
netname: QSC-CUSTOMER-538736-105045
descr: WHG Walzstahl-GmbH &
country: DE
admin-c: QSC1-RIPE
tech-c: QSC1-RIPE
status: ASSIGNED PA
mnt-by: QSC-NOC
mnt-lower: QSC-NOC
changed: inetnum-robot@qsc.de 20060331
source: RIPE

role: QSC Internet Services
address: QSC AG
address: Mathias-Brueggen-Str. 55
address: D-50829 Koeln
address: Germany
phone: +49 221 66 98 000
fax-no: +49 221 66 98 009
e-mail: abuse@qsc.de
remarks: ********************************************
remarks: QSC AG - Network Design Department
remarks:
remarks: Fuer Fragen zu SPAM, Portscans, Trojanern
remarks: usw. wenden Sie sich bitte an abuse@qsc.de
remarks:
remarks: To report SPAM/UCE/Portscans/Hacks please
remarks: contact abuse@qsc.de.
remarks:
remarks: For peering requests, BGP policy changes
remarks: etc. contact peering@NOSPAM.qsc.de. For
remarks: Routing issues noc-ip@NOSPAM.qsc.de. Please
remarks: remove NOSPAM. from email address.
remarks: ********************************************
admin-c: RH168-RIPE
tech-c: RH168-RIPE
tech-c: OS101-RIPE
tech-c: RW590-RIPE
tech-c: BF359-RIPE
tech-c: MD1900-RIPE
nic-hdl: QSC1-RIPE
mnt-by: QSC-NOC
changed: rha@NOSPAM.qsc.de 20040127
source: RIPE

% Information related to '83.236.0.0/16AS20676'

route: 83.236.0.0/16
descr: QSC AG
origin: AS20676
mnt-by: QSC-NOC
mnt-lower: QSC-NOC
changed: ralf.weber@NOSPAM.qsc.de 20040212
source: RIPE

OK, so email these people about the client who sent out these emails:

The ISP in Romania: abuse@asconet.ro
The email server: server3.unifiedns.com netblock owner abuse@gnax.net
The web admin: abuse@qsc.de postmaster@unifiedns.com

OK, job's done. Who wants some phish for dinner?


Tuesday, May 09, 2006

Fresh Phish meat to hunt down and kill today!

Hi all,

I love Fresh Phish in the morning!

Here are the headers and body of another phish email today. These people give me cramps.

I sent it to spoof@ebay.com and pasted the URL into phishfighting.com. Go Go Go!


Return-Path:
Authentication-Results: mta163.mail.mud.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 208.187.180.4 (EHLO web1.octelecom.net) (208.187.180.4) by mta163.mail.mud.yahoo.com with SMTP; Tue, 09 May 2006 02:05:11 -0700
Received: from web1.octelecom.net (localhost.localdomain [127.0.0.1]) by web1.octelecom.net (8.13.1/8.13.1) with ESMTP id k499EL4f022387 for ; Tue, 9 May 2006 03:14:21 -0600
Received: (from test@localhost) by web1.octelecom.net (8.13.1/8.13.1/Submit) id k499ELag022384 for mrlinuxhead@yahoo.com; Tue, 9 May 2006 03:14:21 -0600
Date: Tue, 9 May 2006 03:14:21 -0600
To: mrlinuxhead@yahoo.com
Subject: eBay Member wandasales
Message-ID: <1147166061.70001.qmail@paypal>
From: aw-confirm@ebay.com
Content-Type: text/html
Content-Length: 3699


Question from wandasales
Item: (6876616738)
This message was sent while the listing was active.
wandasales is a potential buyer.
Hello, What would the shipping cost be to West Virginia zip code 25511?

Email server is at 208.187.180.4

Here is a port scan.

Just a RH Linux box with too many ports open. Gee, I wonder if the owner knows they are sending this crap out? Let's see.


Using DNSStuff.com I see the box is at:

IP address: 208.187.180.4
Reverse DNS: web1.octelecom.net.
Reverse DNS authenticity: [Verified]
ASN: 29933
ASN Name: OFF-CAMPUS-TELECOMMUNICATIONS
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 208.184.0.0 to 208.191.255.255
Country fraud profile: Normal
City (per outside source): Provo, Utah

It looks like a campus ISP that is in Provo Utah.

No email address for them, but a phone number from their site: "call us at 379-3000 (toll-free 1-800-370-1106). We're located in Provo at 379 North University Avenue, Suite 301."

Well let's call them up and tell them they have a bad person using their RH server.

WHOIS info is blocked but I can probably find the email address.

On to the web site stealing people's passwords and user IDs.

Real URL of the scam is at: http://216.122.128.59/~admin/%20%20/index.html

Going back to DNSStuff.com I learn that:

IP address: 216.122.128.59
Reverse DNS: r59-128-dsl.sea.lightrealm.net.
Reverse DNS authenticity: [Could be forged: hostname r59-128-dsl.sea.lightrealm.net. does not exist]
ASN: 11305
ASN Name: INTERLAND-NET1
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 216.122.0.0 to 216.122.255.255
Country fraud profile: Normal
City (per outside source): Kirkland, Washington

Gotcha sucker, you are in the USA. Busted. Phish fry today!

Looks like Lightrealm is getting upstream pipe from Interland.

Interland, Inc. LR-BLK4 (NET-216-122-0-0-1)
216.122.0.0 - 216.122.255.255
Lightrealm, Inc. LR-ISP-GTEDHCP4-DSL (NET-216-122-128-0-1)
216.122.128.0 - 216.122.128.255


A Google for Lightrealm points to http://www.lightrealm.net/

It's a web hosting company. No surprise there.

"Get your own web site, share your special day!" is on the home page.


One that looks like an eBay login page? Maybe that's not what they had in mind.

Interland is a mass reseller of web hosts and a co-location facility.

I used to work for a company that was bought by them, Hostcentric.

Here is a port scan of the host:



The web server is running Apache on FreeBSD, with sendmail running as well.

Email server is running as bearcomp.net. Hmm. Who are they?

Asking b.ns.interland.net. for 59.128.122.216.in-addr.arpa PTR record:
Reports r59-128-dsl.sea.lightrealm.net. [from 69.0.145.33]

Answer:
216.122.128.59 PTR record: r59-128-dsl.sea.lightrealm.net. [TTL 1800s] [A=None]
*ERROR* There is no A record (may be cached).
That's our boy! I next find out who runs bearcomp.net with our trusty WHOIS lookup.


SoftPaw
41064 Riverock Lane
Palmdale, CA 93551-1834
US

Domain Name: BEARCOMP.NET

Administrative Contact:
Hess, John
jhh@bearcomp.net
41064 Riverock Lane
Palmdale, CA 93551-1834
US
Phone: 800-725-8910
Fax: (661) 722-9010

Record expires on 26-Aug-2006
Record created on 19-May-2004
Database last updated on 13-Jun-2005

OK game over. Let's call the cops in Palmdale and have them let Mr. Hess know his server is behaving badly.