Security Incidents mailing list archives

Re: Something nasty


From: Rich Puhek <rpuhek () ETNSYSTEMS COM>
Date: Wed, 6 Sep 2000 13:25:25 -0500

I got a couple of these too. Seemed rather strange.

The URL sends you to a page with a form to fill out asking for contact info,
upstream provider name, OS of the shell account, etc. They also ask for a
checklist of things allowed with a shell account like if a compiler is
provided, if a daemon may be left running, if programs may be run as root, if
a process may be restarted automatically every five minutes, etc...

I agree that they're hoping to hit the clueless, but it's strange that they're
asking about shell accounts specifically. It would seem more productive for
them to ask about something more generic like web hosting. That way, a sales
guy is less likely to contact a techie, and more likely to return the
information.

--Rich

Adam Maloney wrote:

I've attached an e-mail that I received to a few info@ accounts at a
couple of my domains.  The IP block that this originated from and the URL
references is in .NL, the whois information for upwatch.com is registered
in Amsterdam.

I think it's rather obvious that these people are trying to save time
nmapping the whole internet so they'd rather just have clueless sales
droids fill out the form that I presume would ask for what type/version of
OS, what software is installed, etc.  It would make compromising the box
pretty easy.

I haven't done much more investigation other than the above.  I didn't
want to go to the URL with any of my domains or serial numbers in the URL.

I edited the headers a little to remove some mail handling and
identifying information as to what domains this was sent to, other than
that the message is intact.

Adam Maloney
Systems Administrator
Sihope Communications



--

_________________________________________________________

Rich Puhek
ETN Systems Inc.
_________________________________________________________
