Security Incidents mailing list archives

Something nasty


From: Adam Maloney <adamm () SIHOPE COM>
Date: Wed, 6 Sep 2000 08:53:05 -0500

I've attached an e-mail that I received to a few info@ accounts at a
couple of my domains.  The IP block that this originated from and that the
URL references is in .NL; the whois information for upwatch.com is registered
in Amsterdam.

I think it's rather obvious that these people are trying to save time
nmapping the whole internet so they'd rather just have clueless sales
droids fill out the form that I presume would ask for what type/version of
OS, what software is installed, etc.  It would make compromising the box
pretty easy.

I haven't done much more investigation other than the above.  I didn't
want to go to the URL with any of my domains or serial numbers in the URL.

I edited the headers a little to remove some mail handling and
identifying information as to what domains this was sent to; other than
that the message is intact.

Adam Maloney
Systems Administrator
Sihope Communications

---------- Forwarded message ----------
====> ORIGINAL MESSAGE FOLLOWS <====
Received: (from mailroom@localhost)
        by unix1.sihope.com (8.9.3/8.9.0) id SAA12545
        for helpdesk; Tue, 5 Sep 2000 18:22:14 -0500 (CDT)
Received: from upwatch.netland.nl (IDENT:root@[212.19.213.240])
        by unix1.sihope.com (8.9.3/8.9.0) with ESMTP id SAA12534
        for <info () xxxx com>; Tue, 5 Sep 2000 18:22:12 -0500 (CDT)
Received: (from root@localhost)
        by upwatch.netland.nl (8.9.3/8.9.3) id BAA08771;
        Wed, 6 Sep 2000 01:31:21 +0200
Date: Wed, 6 Sep 2000 01:31:21 +0200
Message-Id: <200009052331.BAA08771 () upwatch netland nl>
From: Upwatch Inkoop Team <inkoop () upwatch com>
To: info () xxxx com
Subject: Unix shell account inquiry
Precedence: bulk
Reply-To: Upwatch Inkoop Team <inkoop () upwatch com>

Dear Sir, Madam,

I am looking for Unix Shell Accounts all over the world.
I also need some specific functionality.

Because shell accounts are not as widespread as they once were,
I decided to write to a lot of providers.  On the other hand this
opens up the possibility for receiving *lots* of answers, all in
their own format, and I would have to sort through them: a lot
of work. So I took the liberty in creating a special webpage.

Please fill in the following webpage if you offer Unix Shell Accounts:

http://212.19.213.241/aanbieders.php?domain=xxxx.com&random=419285712

Thank you very much for your cooperation.

Ron Arts

PS: you might need a technical person when filling this in

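Two things a triage of a message like this turns on: which hop in the Received chain can actually be trusted to name the connecting host, and what the link carries back to the sender. The script below is an added example, not part of the original post or the list archive. It re-embeds the forwarded headers and URL from the message above (with the archive's "user () host com" address obfuscation undone, and "xxxx" being the poster's own redaction), and it assumes that sihope.com is the receiving administrator's own mail infrastructure; nothing is contacted.

```python
import re
from email import message_from_string
from urllib.parse import urlparse, parse_qs

# Headers and link copied from the forwarded message above.  The list archive
# prints addresses as "user () host com"; they are restored to normal form here.
# "xxxx" is the original poster's redaction of his own domain.
RAW_MESSAGE = """\
Received: (from mailroom@localhost)
        by unix1.sihope.com (8.9.3/8.9.0) id SAA12545
        for helpdesk; Tue, 5 Sep 2000 18:22:14 -0500 (CDT)
Received: from upwatch.netland.nl (IDENT:root@[212.19.213.240])
        by unix1.sihope.com (8.9.3/8.9.0) with ESMTP id SAA12534
        for <info@xxxx.com>; Tue, 5 Sep 2000 18:22:12 -0500 (CDT)
Received: (from root@localhost)
        by upwatch.netland.nl (8.9.3/8.9.3) id BAA08771;
        Wed, 6 Sep 2000 01:31:21 +0200
Date: Wed, 6 Sep 2000 01:31:21 +0200
Message-Id: <200009052331.BAA08771@upwatch.netland.nl>
From: Upwatch Inkoop Team <inkoop@upwatch.com>
To: info@xxxx.com
Subject: Unix shell account inquiry
Precedence: bulk
Reply-To: Upwatch Inkoop Team <inkoop@upwatch.com>

Please fill in the following webpage if you offer Unix Shell Accounts:

http://212.19.213.241/aanbieders.php?domain=xxxx.com&random=419285712
"""

# "from <host> (<ident>@[<ip>])" is how sendmail records a remote peer
PEER_RE = re.compile(r"^from\s+(\S+)\s+\((?:[^\s()]*@)?\[(\d+(?:\.\d+){3})\]\)")
BY_RE = re.compile(r"\bby\s+(\S+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d+(?:\.\d+){3}")


def trace_hops(raw):
    """Return the Received hops in transit order (earliest first).

    Hops without a "from host ([ip])" part are local submissions on the
    host named after "by"."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold the header
        peer = PEER_RE.match(text)
        by = BY_RE.search(text)
        hops.append({
            "peer_host": peer.group(1) if peer else None,
            "peer_ip": peer.group(2) if peer else None,
            "by": by.group(1) if by else None,
            "raw": text,
        })
    hops.reverse()   # Received lines are prepended, so the top one is the last hop
    return hops


def first_external_hop(raw, trusted_suffixes):
    """Walk back from the latest hop through the ones our own MTAs wrote.

    The first of those that received from an outside peer names the IP that
    really connected to us.  Any hop claimed below that point was written by
    the sender's side and could say anything."""
    for hop in reversed(trace_hops(raw)):        # latest hop first
        if not hop["by"] or not hop["by"].endswith(trusted_suffixes):
            return None                          # left our infrastructure; nothing trustworthy found
        if hop["peer_ip"]:
            return hop
    return None


def recipient_domain(msg):
    match = re.search(r"@([\w.-]+)", msg.get("To", ""))
    return match.group(1).lower() if match else ""


def analyse_links(raw):
    """Describe each URL in the body: bare-IP host, parameters that echo the
    recipient's domain, and long numeric parameters that look like a
    per-recipient tracking nonce (so a visit identifies who clicked)."""
    msg = message_from_string(raw)
    rdom = recipient_domain(msg)
    findings = []
    for url in URL_RE.findall(msg.get_payload()):
        parts = urlparse(url)
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        findings.append({
            "url": url,
            "host": parts.hostname,
            "bare_ip": bool(IPV4_RE.fullmatch(parts.hostname or "")),
            "recipient_params": [k for k, v in query.items() if rdom and rdom in v.lower()],
            "nonce_params": [k for k, v in query.items() if v.isdigit() and len(v) >= 6],
        })
    return findings


if __name__ == "__main__":
    for hop in trace_hops(RAW_MESSAGE):
        print(f"by {hop['by']:<22} from {hop['peer_host'] or 'local submission'} {hop['peer_ip'] or ''}")
    src = first_external_hop(RAW_MESSAGE, ("sihope.com",))
    print("connecting peer:", src["peer_ip"], src["peer_host"])
    for finding in analyse_links(RAW_MESSAGE):
        print(finding)
```

The only hop worth citing in a report is the one unix1.sihope.com itself wrote when 212.19.213.240 connected; the "(from root@localhost) by upwatch.netland.nl" line beneath it is the sender's own claim. The link analysis makes the poster's caution concrete: the host is a bare IP, the `domain=` parameter names the recipient, and `random=` is a nine-digit value that would tie any visit to this one delivery.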
