...making Linux just a little more fun!
Benjamin A. Okopnik [ben at linuxgazette.net]
Thu, 15 Feb 2007 20:51:48 -0800
On Mon, Feb 12, 2007 at 08:39:20PM -0800, Mike Orr wrote:
> Another twist on the Paypal phishing scam.
>
> https://sluggo.scrapping.cc/tmp/cartoon-paypal-fraud-part1.png
> https://sluggo.scrapping.cc/tmp/cartoon-paypal-fraud-part2.png
Love that URL in part 2. Freakin' "0xc8.0x2b.0x50.0x74"? You'd think that anyone dumb enough to just click on URLs in these "bank" emails has already been stripped to the bone by sharks, but a) it doesn't kill them off, and 2) There's One Born Every Minute. I guess the spammers and the scammers will never run out of "soft targets".
Just for fun:
ben at Fenrir:~$ perl -wle'print join ".", map hex, "0xc8.0x2b.0x50.0x74" =~ /0x(..)/g'
200.43.80.116
ben at Fenrir:~$ whois 200.43.80.116|egrep '^[a-z-]+:'
inetnum:     200.43.80.112/28
status:      reallocated
owner:       Coop.Telefónica de Villa del Totoral Ltda.
ownerid:     AR-CVTL-LACNIC
responsible: Carlos Sanchez
address:     Pte.Perón, 551,
address:     5236 - Villa del Totoral (Cordoba) -
country:     AR
phone:       +54 3524 647574 []
owner-c:     CRS3
tech-c:      CRS3
created:     20040420
changed:     20040420
inetnum-up:  200.43/16
nic-hdl:     CRS3
person:      Carlos R. Sanchez
e-mail:      csanchez24 at COOPTOTORAL.COM.AR
address:     Pte Peron 551, 0054, 3524470900
address:     5236 - Villa del Totoral -
country:     AR
phone:       +0054 3524 470900 [470000]
created:     20040213
changed:     20040213

Ah, a default install of RHEL that got cracked. I'm feeling a bit too lazy to ping the admin myself... it would be like sweeping back the tide.
--
* Ben Okopnik * Editor-in-Chief, Linux Gazette * https://LinuxGazette.NET *
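The Perl one-liner above only handles the hex-dotted spelling. As an added example (not code from the thread or from Linux Gazette), the Python below generalizes it to the other numeric host spellings that inet_aton-style parsers, and the browsers that follow them, accept: a single decimal, hex or octal dword, octal-dotted labels, and fewer than four labels where the last one fills the remaining bytes. A mail filter or link checker needs this canonical form before it can do the whois lookup or compare the host against a blocklist. The inet_aton rules and the sample URLs other than the hex-dotted host are assumptions of the example; the paths are constructed.

```python
import re
from urllib.parse import urlsplit

# Label spellings accepted by BSD inet_aton(): "0x" hex, leading-zero octal,
# plain decimal.  Assumed here for illustration; the thread shows only hex.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[1-9][0-9]*")


def parse_part(part):
    """Return the integer value of one numeric host label, or None if it is not one."""
    if _HEX.fullmatch(part):
        return int(part[2:], 16)
    if _OCT.fullmatch(part):          # "0" alone is octal zero; "010" is 8, not 10
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    return None


def normalize_ipv4_host(host):
    """Canonicalize an inet_aton-style numeric host to dotted-quad.

    Accepts one to four labels.  Every label but the last must fit in one
    byte; the last label fills the remaining bytes, so "200.43.20596" is
    valid and "3358281844" is a whole 32-bit address.  Returns None for
    anything that is not a numeric IPv4 spelling (e.g. a real hostname).
    """
    labels = host.split(".")
    if not 1 <= len(labels) <= 4:
        return None
    values = [parse_part(p) for p in labels]
    if any(v is None for v in values):
        return None
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    tail_bits = 8 * (4 - len(leading))
    if last >= 1 << tail_bits:
        return None
    dword = 0
    for v in leading:
        dword = (dword << 8) | v
    dword = (dword << tail_bits) | last
    return ".".join(str((dword >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def inspect_url(url):
    """Report whether a URL's host is a numeric address and whether its spelling hides that."""
    host = urlsplit(url).hostname or ""      # drops scheme, userinfo, port and path
    address = normalize_ipv4_host(host)
    return {
        "host": host,
        "numeric": address is not None,
        "address": address,
        # a numeric host not already written as dotted-quad was spelled to hide the IP
        "obfuscated": address is not None and address != host,
    }


if __name__ == "__main__":
    # Constructed sample links; only the hex-dotted host comes from the thread.
    samples = [
        "https://0xc8.0x2b.0x50.0x74/cgi-bin/login",
        "https://3358281844/cgi-bin/login",
        "https://0310.053.0120.0164/cgi-bin/login",
        "https://www.example.com/cgi-bin/login",
    ]
    for url in samples:
        print(url, "->", inspect_url(url))
```

All four spellings of the first three samples resolve to 200.43.80.116; the fourth is reported as a non-numeric host. Rejecting rather than guessing on labels such as "09" (not octal, not decimal) matches what inet_aton does, so the normalizer does not invent addresses a client would never connect to.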
David Richardson [dsrich at ieee.org]
Fri, 16 Feb 2007 09:47:43 -0500
On Thu, Feb 15, 2007 at 08:51:48PM -0800, Benjamin A. Okopnik wrote:
> [ Mike, I assume you actually wanted this in TAG instead of Lgang? ]
> [snip]
> Just for fun:
>
> ``
> ben at Fenrir:~$ perl -wle'print join ".", map hex, "0xc8.0x2b.0x50.0x74" =~ /0x(..)/g'
> 200.43.80.116
> ben at Fenrir:~$ whois 200.43.80.116|egrep '^[a-z-]+:'
> inetnum:     200.43.80.112/28
> status:      reallocated
> owner:       Coop.Telefónica de Villa del Totoral Ltda.
> ownerid:     AR-CVTL-LACNIC
> responsible: Carlos Sanchez
> address:     Pte.Perón, 551,
> address:     5236 - Villa del Totoral (Cordoba) -
> country:     AR
> phone:       +54 3524 647574 []
> owner-c:     CRS3
> tech-c:      CRS3
> created:     20040420
> changed:     20040420
> inetnum-up:  200.43/16
> nic-hdl:     CRS3
> person:      Carlos R. Sanchez
> e-mail:      csanchez24 at COOPTOTORAL.COM.AR
> address:     Pte Peron 551, 0054, 3524470900
> address:     5236 - Villa del Totoral -
> country:     AR
> phone:       +0054 3524 470900 [470000]
> created:     20040213
> changed:     20040213
> ''
>
> Ah, a default install of RHEL that got cracked. I'm feeling a bit too
> lazy to ping the admin myself... it would be like sweeping back the
> tide.

Ben:
This makes me feel massively stupid, but I must ask: How do you get from the above info to "default install of RHEL that got cracked"
Thanks,
Dave
--
David \ Richardson \ Imagine whirled peas.....
dsrich at ieee.org \ The above is my own opinion - nobody else wants it!
Benjamin A. Okopnik [ben at linuxgazette.net]
Fri, 16 Feb 2007 09:46:52 -0800
On Fri, Feb 16, 2007 at 09:47:43AM -0500, David Richardson wrote:
> On Thu, Feb 15, 2007 at 08:51:48PM -0800, Benjamin A. Okopnik wrote:
> >
> > ``
> > ben at Fenrir:~$ perl -wle'print join ".", map hex, "0xc8.0x2b.0x50.0x74" =~ /0x(..)/g'
> > 200.43.80.116
> > ben at Fenrir:~$ whois 200.43.80.116|egrep '^[a-z-]+:'
> > inetnum:     200.43.80.112/28
> > status:      reallocated
> > owner:       Coop.Telefónica de Villa del Totoral Ltda.
> > ownerid:     AR-CVTL-LACNIC
> > responsible: Carlos Sanchez
> > address:     Pte.Perón, 551,
> > address:     5236 - Villa del Totoral (Cordoba) -
> > country:     AR
> > phone:       +54 3524 647574 []
> > owner-c:     CRS3
> > tech-c:      CRS3
> > created:     20040420
> > changed:     20040420
> > inetnum-up:  200.43/16
> > nic-hdl:     CRS3
> > person:      Carlos R. Sanchez
> > e-mail:      csanchez24 at COOPTOTORAL.COM.AR
> > address:     Pte Peron 551, 0054, 3524470900
> > address:     5236 - Villa del Totoral -
> > country:     AR
> > phone:       +0054 3524 470900 [470000]
> > created:     20040213
> > changed:     20040213
> > ''
> >
> > Ah, a default install of RHEL that got cracked. I'm feeling a bit too
> > lazy to ping the admin myself... it would be like sweeping back the
> > tide.
>
> Ben:
>
> This makes me feel massively stupid, but I must ask: How do you get
> from the above info to "default install of RHEL that got cracked"
Sorry, Dave - didn't mean to make you feel stupid. There's nothing in the above to indicate it, but if you go to the IP/URL (i.e., https://200.43.80.116), it shows the default RHEL "Welcome" banner. [clickety-click] Um, it used to, that is. Perhaps the owner has caught on that he was being used as a mule.
--
* Ben Okopnik * Editor-in-Chief, Linux Gazette * https://LinuxGazette.NET *
David Richardson [dsrich at ieee.org]
Fri, 16 Feb 2007 13:31:47 -0500
On Fri, Feb 16, 2007 at 09:46:52AM -0800, Benjamin A. Okopnik wrote:
> On Fri, Feb 16, 2007 at 09:47:43AM -0500, David Richardson wrote:
> > On Thu, Feb 15, 2007 at 08:51:48PM -0800, Benjamin A. Okopnik wrote:
> > >
> > > ``
[snip]
> > > changed:     20040213
> > > ''
> > >
> > > Ah, a default install of RHEL that got cracked. I'm feeling a bit too
> > > lazy to ping the admin myself... it would be like sweeping back the
> > > tide.
> >
> > Ben:
> >
> > This makes me feel massively stupid, but I must ask: How do you get
> > from the above info to "default install of RHEL that got cracked"
>
> Sorry, Dave - didn't mean to make you feel stupid. There's nothing in
> the above to indicate it, but if you go to the IP/URL (i.e.,
> https://200.43.80.116), it shows the default RHEL "Welcome" banner.
> [clickety-click] Um, it used to, that is. Perhaps the owner has caught
> on that he was being used as a mule.
D'oh! And everything is so obvious in the rear-view mirror.
Actually, I have never gotten the RHEL "Welcome" banner, although I have seen all too many default windoze IIS installations over the years. Between the lower number of RHEL installations and the higher clue level of Linux user and admin types, I don't generally expect that sort of thing on the open net, hence my failure to look for the (now) obvious.
Perhaps their ISP got wind of their output and did something? Never happens...
--
David \ Richardson \ Imagine whirled peas.....
dsrich at ieee.org \ The above is my own opinion - nobody else wants it!