Security Basics mailing list archives
Re: Malicious PHP site(s)?
From: Wilhelm Wijkander <elrond94 () gmail com>
Date: Thu, 09 Jun 2011 20:05:27 +0200
On 2011-06-08 09:22, Sean G wrote:
> OK, for some time now I have been receiving odd emails from someone whom I do not know at all, "Seth Spangler", his email address changing on an irregular basis. Basically it's just an email with a link that ends with .php. I don't have a testing machine at my disposal at the moment. I was wondering if someone who knows PHP rather well would be able to inform me of what happens when the link is clicked (I have never clicked it to test), or if you have heard of this person. If not, I do understand this is a busy list. Feel free to contact me directly, as I would like to learn as much as possible about this -- well, I assume it is an attack of some sort -- and what the consequences are. From what I have observed thus far, this person has a long list of email addresses and is probably phishing in one manner or another. Any help would be greatly appreciated.
Hi. As others already noted, the server (being a shared webhosting with the U.S. provider HostGo) redirects (HTTP 302) to 91.223.70.168, from the IP range belonging to (if I understand correctly) one or more computer retail stores in Latvia. This server, as well, redirects, this time to http://defender-cmnxp.in/936778ea093f2a51/sa1/16 - a blank page. This domain was created 2011-06-08(!), and resolves to 78.41.203.12 - which we should analyze some more:

"
inetnum:        78.41.203.12 - 78.41.203.12
netname:        WORLD-DEDICATED-NET
descr:          IP range World Dedicated Ltd
country:        NL
admin-c:        AA10575-RIPE
<snip>
person:         Alex Averin
address:        Russian Federation, Moscow, Lenina st. 10
phone:          +79194740626
abuse-mailbox:  e57303 () abuse bz
<snip>
% Information related to '78.41.203.0/24AS42267'
route:          78.41.203.0/24
descr:          IP Range ServerFFS
"

It seems to be a VPS/dedicated server at ServerFFS, a Dutch hosting provider. However, the customer seems to have requested a separate record in the RIPE database on the specific IP in question. The address in the record leads us to a suburb of Moscow, and I can find no information about the supposedly Dutch company "World Dedicated Ltd".

The IP that the mail originated from belongs to a Taiwanese home ISP.

There is a lot more information out there :-)

/Wilhelm
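The hop-by-hop tracing Wilhelm describes (see where a .php link 302s to, then where that host redirects, and so on, without ever loading the final page in a browser) can be scripted so that no hop is followed automatically and no response body is rendered. The following is an added example for this thread, not code from any poster: it issues one HEAD request per hop using the standard library, which never follows redirects on its own, resolves relative Location headers against the current URL, and stops on a non-redirect status, a missing Location, a loop, or a hop limit. The first URL in the constructed chain is a placeholder (the original message does not include the actual link); the two later hops are the ones named in the reply.

```python
"""Trace an HTTP redirect chain one hop at a time without rendering any body.

Added example for the Security Basics thread; not code posted by any participant.
"""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def head_once(url, timeout=10):
    """Issue a single HEAD request and return (status, Location header or None).

    http.client does not follow redirects, so every hop stays visible and
    the body of a suspicious page is never fetched or executed.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "redirect-tracer/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace_redirects(url, fetch=head_once, max_hops=10):
    """Return the chain as a list of (url, status, location) tuples.

    `fetch` is injectable so the logic can be exercised offline. Stops at the
    first non-redirect status, a redirect without Location, a loop (recorded
    as a final tuple with status None and location "loop"), or max_hops.
    """
    hops = []
    seen = set()
    current = url
    for _ in range(max_hops):
        if current in seen:
            hops.append((current, None, "loop"))
            break
        seen.add(current)
        status, location = fetch(current)
        hops.append((current, status, location))
        if status not in REDIRECT_CODES or not location:
            break
        # Location may be relative; resolve it against the URL that sent it.
        current = urljoin(current, location)
    return hops


# Constructed stand-in for the chain described in the thread (no live traffic).
# The first URL is a placeholder: the original post did not include the link.
FAKE_CHAIN = {
    "http://shared-host.example/link.php": (302, "http://91.223.70.168/"),
    "http://91.223.70.168/": (302, "http://defender-cmnxp.in/936778ea093f2a51/sa1/16"),
    "http://defender-cmnxp.in/936778ea093f2a51/sa1/16": (200, None),
}


def fake_fetch(url):
    """Offline fetcher returning the constructed responses above."""
    return FAKE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    for hop_url, status, location in trace_redirects(
            "http://shared-host.example/link.php", fetch=fake_fetch):
        print(f"{status}  {hop_url}  ->  {location}")
```

To run it against a real link, call `trace_redirects(url)` with the default fetcher from a disposable host or VM; the script only records status codes and Location headers, so the whois and DNS lookups on each hop still have to be done separately.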