After months of inactivity, the honeypot got “broken into” again. There wasn’t much hardship for the haxor, since I had installed the new version of VNC but left it without a password. This to circumvent the problem of Chaosreader being unable to replay sessions that contain use the flawed authentication method (more accurately, it prevented the VNC viewer from continuing after the “unknown authentication result” error). Before, this required rewriting part of the capture file, and was a bit hit and miss. Laziness does not permit this, nor yet indeed adapting Chaosreader. Now, it turns out that it still doesn’t work, but never mind.
As all you avid followers will know, my Big Server is no longer doing this on account of the humongous electricity bills generated by him. Pressed into action is my old Compaq laptop, which was having a pretty evil time with this. So it was with gratitude that I received some memory sticks off eBay. Having seen 1GB sets going for anything up to £30, I was well pleased with my £13 winnings. If only this memory had been installed from the day of purchase… The difference is absolutely amazing. The CPU is maxed out at all times, to be fair, but the Virtual Machines are not suffering from any kind of slowness anymore. In fact, before I was unable to run Server 2003. But, enough of this.
Some VNC probing took place a few days ago, and before long a haxor had settled in. At first, the plan was to run a scanner for more vulnerable VNC servers out there, but this is blocked so instead an attempt was made to visit websites which take payment. This is also blocked. At long last, the haxor settled on spamming with Phish.
To this end he had set up an account with Servage.net which was loaded up with some fake Paypal pages, as well as a script that would let the spamming commence and an email address ready to receive the influx of PayPal details that would no doubt be pouring in before long. After all, whenever my PayPal seems to be blocked for mysterious reasons, the first thing I do is put my credit card details online somewhere. It’s standard procedure, isn’t it?
Phisherman copies and pastes these lengthy lists of email addresses into the mass spam sender page. (Click here to see a non-working version. Beware: this thing is absolutely lurid.) A quick search using a famous web indexer reveals there are a few of these mailers hanging around the internet, and were found to be working (!). He also copies and pastes the text of the phish mail. Here it is, and how very “realistic” too.
Cher client en ligne PayPal,
C’est votre notification officielle du PayPal Nous avons enumeres au regret de vous informer que nous avons du verrouiller votre acces en ligne PayPal, car nous avons des raisons de croire que votre compte (paypal) compromis par l’exterieur ce compte. En tant que parties. Afin de proteger vos informations sensibles, nous temporairement suspendu votre compte.
Pour reactiver votre compte, cliquez sur le lien ci-dessous et confirmer votre identite en remplissant le for mulaire securise ce qui va apparaitre.
EXPIRATION: 15 MAI 2009
cliquez ici pour activer votre compte
Nous avons vu peu de tentatives de connexion sur votre compte personnel,
confirmation concernant votre compte de ses seuls pour des raisons de securite.
Bank 2009 PayPal. Tous droits reserves
Yeah it’s in French. The recipients are mostly french email addresses, so at least he’s got that one sorted. But he has got a problem with these lists.
I have absolutely no idea how one would go about getting a list of spam victims, but presumably they are traded somewhere, after being generated somewhere. One of his lists has the letter “n” in front of every single address — all 3500 of them. Whoops. Doesn’t stop him using them, though, and the mailer does not check for errors.
The next day he comes back with a freshly registered domain called “rortalost.com” which is the same servage.net hosting account as he used before. This was a case of blink-and-you’ve-missed-it, and reveals one of the more irritating features of the internet — the transcience of it. Having forgotten to copy and paste the whois-output, a repeat perfomance of same the next day revealed that “this domain has never been registered”. Which clearly isn’t true. Either is is Servage being really on the ball against Phishers (yeah right) or else his payment for the domain was bounced somehow?
In the mean time, I had concocted a plan to thwart the phisheries somewhat. This involved setting up a webserver with a virtual host and a dns redirection to this. I got all his files off his servage account (to which he kindly supplied me with the log-in credentials) and placed them on mine. Several hours of wrestling with the Apache documentation later I had this whole setup working! And then they took away his domain name.
Luckily the phisher is not deterred, and gets himself another domain. This time it’s called fankouchs.com. Funnily enough, he searches for his domains in MSN Live search or whatever this is called nowadays. Microsoft indexes here sometimes, so maybe he’ll have some joy now…
For some reason it is stupidly difficult to get the webserver’s configuration changed so it actually works again, but eventually it does. As the sendmail program is simply not working on this server, none of his scripts have any joy sending their spams. When he logs back in to try his new domain, he is clearly not comprehending this at all. He keeps sending himself test spams which never arrive in his in-box. He stops being careful, and gives me the log-in for his webmail.
Which shows that he isn’t going to break into the server for a couple of days. He’s off to Montpellier for a couple of days.
Have fun, and see you later, Laurent!