hacking attempt was Re: [OT] Re: Please Restore Your Account Access
Stephen Jenkin
sjenkin at canb.auug.org.au
Sat Jul 2 01:26:44 GMT 2005
On Sat, 2 Jul 2005, Alex Satrapa wrote:
> On 2 Jul 2005, at 03:22, security at paypal.com wrote:
>
> > Click here to activate your account
>
> Is the script in that page broken, is it my browser being cautious,
> or is that a IE-specific attack?
Nope, it's not IE-specific...
Firefox blocked the popup for me (and sounds like you)
'sysdll.php' redirects to paypal - looks like a 'https' page as well.
It's a very nice 'Man in the Middle' attack apparently... and done with
PHP. Some sophistication!
nmap -O reveals:
SInfo(V=3.70%P=i386-redhat-linux-gnu%D=7/2%Time=42C5EA55%O=21%C=20)
Because it's a DNS, should someone be complaining to their ISP or hosting
c/o?? What address abuse at ... or postmaster at .... [cc'd this to address out
of Whois]
Initial URL http://fox.netfield.se/manual/paypal/error.html
>
> When I click on the link, the page that opens up says "This page has
> moved, if you are not automatically forwarded to the new page, please
> click here." With that link calling:
>
> function Start(page) {
>   OpenWin = this.open(page, "CtrlWindow",
>     "ini,toolbar=yes,location=no,status=yes,menubar=yes,scrollbars=no,resizable=yes");
> }
>
> with "page" set to 'sysdll.php'.
>
> I'd love to see what it does on a Microsoft Windows machine, but to
> me it looks like the attack is doomed to fail due to the programmer
> not setting the path correctly.
>
> Alex
>
>
Steve Jenkin, Unix Sys Admin
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA
sjenkin at canb.auug.org.au http://www.tip.net.au/~sjenkin
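As an added illustration of the `nmap -O` output Steve quotes (this is example code written for this archive page, not anything from the thread or from nmap itself): the SInfo line is a `%`-separated list of `KEY=VALUE` fields, and the parts worth keeping in an incident note are the nmap version (`V`), the platform nmap was built for (`P`, which describes the scanning host, not the phishing server), and the scan time (`Time`, a hex Unix timestamp from the scanner's clock). My reading that `O` and `C` are the open and closed TCP ports nmap used for its probes is an assumption, not checked against nmap's source.

```python
"""Parse the SInfo line that nmap -O (3.x era) printed alongside an OS
fingerprint and extract the fields a defender would record in a note.

Added example for this mailing-list page; not code from the original
post or from the nmap project. The fingerprint string below is the one
quoted in the thread. The meaning of O= and C= (open/closed TCP probe
ports) is my assumption about the format.
"""
from datetime import datetime, timezone

# The SInfo line quoted in the post, copied verbatim.
SINFO_LINE = "SInfo(V=3.70%P=i386-redhat-linux-gnu%D=7/2%Time=42C5EA55%O=21%C=20)"


def parse_sinfo(line: str) -> dict:
    """Split 'SInfo(K=V%K=V...)' into a dict of raw string fields."""
    line = line.strip()
    if not (line.startswith("SInfo(") and line.endswith(")")):
        raise ValueError("not an SInfo line: %r" % line)
    body = line[len("SInfo("):-1]
    fields = {}
    for item in body.split("%"):
        if "=" not in item:
            raise ValueError("malformed field: %r" % item)
        key, value = item.split("=", 1)
        fields[key] = value
    return fields


def scan_time_utc(fields: dict) -> datetime:
    """Time= is a hex Unix timestamp taken from the scanning host's clock."""
    return datetime.fromtimestamp(int(fields["Time"], 16), tz=timezone.utc)


def summarize(line: str) -> dict:
    """Return the fields a triage note would keep, plus a sanity check
    that the D=month/day field agrees with the decoded timestamp."""
    f = parse_sinfo(line)
    when = scan_time_utc(f)
    consistent = f.get("D") == "%d/%d" % (when.month, when.day)
    return {
        "nmap_version": f["V"],
        "scanner_platform": f["P"],          # the host running nmap, not the target
        "scan_time_utc": when.isoformat(),
        "open_probe_port": int(f["O"]),      # assumption: open TCP port nmap probed
        "closed_probe_port": int(f["C"]),    # assumption: closed TCP port nmap probed
        "date_field_consistent": consistent,
    }


if __name__ == "__main__":
    for key, value in summarize(SINFO_LINE).items():
        print("%-24s %s" % (key, value))
```

Run against the quoted line, the decoded `Time` comes out as 2005-07-02 01:13:57 UTC, which matches the `D=7/2` field and sits a few minutes before the 01:26 GMT timestamp on the message, so the timestamp is the scan time, not anything about the phishing host.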
More information about the wireless mailing list