Tux

...making Linux just a little more fun!

Paypal spam

Benjamin A. Okopnik [ben at linuxgazette.net]
Thu, 15 Feb 2007 20:51:48 -0800

On Mon, Feb 12, 2007 at 08:39:20PM -0800, Mike Orr wrote:

> Another twist on the Paypal phishing scam.
> 
> https://sluggo.scrapping.cc/tmp/cartoon-paypal-fraud-part1.png
> https://sluggo.scrapping.cc/tmp/cartoon-paypal-fraud-part2.png

Love that URL in part 2. Freakin' "0xc8.0x2b.0x50.0x74"? You'd think that anyone dumb enough to just click on URLs in these "bank" emails has already been stripped to the bone by sharks, but a) it doesn't kill them off, and 2) There's One Born Every Minute. I guess the spammers and the scammers will never run out of "soft targets".

Just for fun:

ben at Fenrir:~$ perl -wle'print join ".", map hex, "0xc8.0x2b.0x50.0x74" =~ /0x(..)/g'
200.43.80.116
ben at Fenrir:~$ whois 200.43.80.116|egrep '^[a-z-]+:'
inetnum:     200.43.80.112/28
status:      reallocated
owner:       Coop.Telef?ica de Villa del Totoral Ltda.
ownerid:     AR-CVTL-LACNIC
responsible: Carlos Sanchez
address:     Pte.Per?, 551, 
address:     5236 - Villa del Totoral (Cordoba) - 
country:     AR
phone:       +54 3524 647574 []
owner-c:     CRS3
tech-c:      CRS3
created:     20040420
changed:     20040420
inetnum-up:  200.43/16
nic-hdl:     CRS3
person:      Carlos R. Sanchez
e-mail:      csanchez24 at COOPTOTORAL.COM.AR
address:     Pte Peron 551, 0054, 3524470900
address:     5236 - Villa del Totoral - 
country:     AR
phone:       +0054 3524 470900 [470000]
created:     20040213
changed:     20040213
Ah, a default install of RHEL that got cracked. I'm feeling a bit too lazy to ping the admin myself... it would be like sweeping back the tide.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * https://LinuxGazette.NET *

Top    Back


David Richardson [dsrich at ieee.org]
Fri, 16 Feb 2007 09:47:43 -0500

On Thu, Feb 15, 2007 at 08:51:48PM -0800, Benjamin A. Okopnik wrote:

> [ Mike, I assume you actually wanted this in TAG instead of Lgang? ]
> 
[snip]

> Just for fun:
> 
> ``
> ben at Fenrir:~$ perl -wle'print join ".", map hex, "0xc8.0x2b.0x50.0x74" =~ /0x(..)/g'
> 200.43.80.116
> ben at Fenrir:~$ whois 200.43.80.116|egrep '^[a-z-]+:'
> inetnum:     200.43.80.112/28
> status:      reallocated
> owner:       Coop.Telef?ica de Villa del Totoral Ltda.
> ownerid:     AR-CVTL-LACNIC
> responsible: Carlos Sanchez
> address:     Pte.Per?, 551, 
> address:     5236 - Villa del Totoral (Cordoba) - 
> country:     AR
> phone:       +54 3524 647574 []
> owner-c:     CRS3
> tech-c:      CRS3
> created:     20040420
> changed:     20040420
> inetnum-up:  200.43/16
> nic-hdl:     CRS3
> person:      Carlos R. Sanchez
> e-mail:      csanchez24 at COOPTOTORAL.COM.AR
> address:     Pte Peron 551, 0054, 3524470900
> address:     5236 - Villa del Totoral - 
> country:     AR
> phone:       +0054 3524 470900 [470000]
> created:     20040213
> changed:     20040213
> ''
> 
> Ah, a default install of RHEL that got cracked. I'm feeling a bit too
> lazy to ping the admin myself... it would be like sweeping back the
> tide.
Ben:

This makes me feel massively stupid, but I must ask: How do you get from the above info to "default install of RHEL that got cracked"

Thanks,

Dave

-- 
David               \
Richardson           \   Imagine whirled peas.....
dsrich at ieee.org       \
The above is my own opinion - nobody else wants it!

Top    Back


Benjamin A. Okopnik [ben at linuxgazette.net]
Fri, 16 Feb 2007 09:46:52 -0800

On Fri, Feb 16, 2007 at 09:47:43AM -0500, David Richardson wrote:

> On Thu, Feb 15, 2007 at 08:51:48PM -0800, Benjamin A. Okopnik wrote:
> > 
> > ``
> > ben at Fenrir:~$ perl -wle'print join ".", map hex, "0xc8.0x2b.0x50.0x74" =~ /0x(..)/g'
> > 200.43.80.116
> > ben at Fenrir:~$ whois 200.43.80.116|egrep '^[a-z-]+:'
> > inetnum:     200.43.80.112/28
> > status:      reallocated
> > owner:       Coop.Telef?ica de Villa del Totoral Ltda.
> > ownerid:     AR-CVTL-LACNIC
> > responsible: Carlos Sanchez
> > address:     Pte.Per?, 551, 
> > address:     5236 - Villa del Totoral (Cordoba) - 
> > country:     AR
> > phone:       +54 3524 647574 []
> > owner-c:     CRS3
> > tech-c:      CRS3
> > created:     20040420
> > changed:     20040420
> > inetnum-up:  200.43/16
> > nic-hdl:     CRS3
> > person:      Carlos R. Sanchez
> > e-mail:      csanchez24 at COOPTOTORAL.COM.AR
> > address:     Pte Peron 551, 0054, 3524470900
> > address:     5236 - Villa del Totoral - 
> > country:     AR
> > phone:       +0054 3524 470900 [470000]
> > created:     20040213
> > changed:     20040213
> > ''
> > 
> > Ah, a default install of RHEL that got cracked. I'm feeling a bit too
> > lazy to ping the admin myself... it would be like sweeping back the
> > tide.
>  
> Ben:
> 
> This makes me feel massively stupid, but I must ask:  How do you get
> from the above info to "default install of RHEL that got cracked"

Sorry, Dave - didn't mean to make you feel stupid. There's nothing in the above to indicate it, but if you go to the IP/URL (i.e., https://200.43.80.116), it shows the default RHEL "Welcome" banner. [clickety-click] Um, it used to, that is. Perhaps the owner has caught on that he was being used as a mule.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * https://LinuxGazette.NET *

Top    Back


David Richardson [dsrich at ieee.org]
Fri, 16 Feb 2007 13:31:47 -0500

On Fri, Feb 16, 2007 at 09:46:52AM -0800, Benjamin A. Okopnik wrote:

> On Fri, Feb 16, 2007 at 09:47:43AM -0500, David Richardson wrote:
> > On Thu, Feb 15, 2007 at 08:51:48PM -0800, Benjamin A. Okopnik wrote:
> > > 
> > > ``
[snip]

> > > changed:     20040213
> > > ''
> > > 
> > > Ah, a default install of RHEL that got cracked. I'm feeling a bit too
> > > lazy to ping the admin myself... it would be like sweeping back the
> > > tide.
> >  
> > Ben:
> > 
> > This makes me feel massively stupid, but I must ask:  How do you get
> > from the above info to "default install of RHEL that got cracked"
> 
> Sorry, Dave - didn't mean to make you feel stupid. There's nothing in
> the above to indicate it, but if you go to the IP/URL (i.e.,
> https://200.43.80.116), it shows the default RHEL "Welcome" banner.
> [clickety-click] Um, it used to, that is. Perhaps the owner has caught
> on that he was being used as a mule.

D'oh! And everything is so obvious in the rear-view mirror.

Actually, I have never gotten the RHEL "Welcome" banner, although I seen all too many default windoze IIS installations over the years. Between the lower number of RHEL installations and the higher clue level of Linux user and admin types, I don't generally expect that sort of thing on the open net, hence my failure to look for the (now) obvious.

Perhaps their ISP got wind of their output and did something? Never happens...

-- 
David               \
Richardson           \   Imagine whirled peas.....
dsrich at ieee.org       \
The above is my own opinion - nobody else wants it!

Top    Back