- #MalwareMustDie | Fri Oct 26 23:00:49 JST 2012 | @unixfreaxjp
- // Found interesting urls..
- h00p://milapapier.pl/wp-content/uploads/2012/10/cn/2012/Alert/verification/update.account/paypalmember/cgi-binonline-security=paypalcgi-bin=_connexiononline_securSecurity-paypal.htm
- ---------------------------------investigations--------------------------------------------------------
- // tor wouldn't access it..
- "h00p_proxy = blash"
- --output-document="./sample"
- --referer="h00p://www.google.com/search?q=youtube"
- --user-agent="Mozila/4.3 (X11; U; MacOSX i686)"
- "h00p://milapapier.pl/wp-content/uploads/2012/10/cn/2012/Alert/verification/update.account/paypalmember/cgi-binonline-security=paypalcgi-bin=_connexiononline_securSecurity-paypal.htm"
- --21:55:01-- h00p://milapapier.pl/wp-content/uploads/2012/10/cn/2012/Alert/verification/update.account/paypalmember/cgi-binonline-security=paypalcgi-bin=_connexiononline_securSecurity-paypal.htm
- => `./sample'
- Connecting to 192.168.7.11:8118... connected.
- Proxy request sent, awaiting response... 403 Forbidden
- 21:55:04 ERROR 403: Forbidden.
- // gatling IP also won't....
- --output-document="./sample" --referer="h00p://www.google.com/search?q=youtube" --user-agent="Mozilla/4.3 (X11; U; MacOSX i686)" "h00p://milapapier.pl/wp-content/uploads/2012/10/cn/2012/Alert/verification/update.account/paypalmember/cgi-binonline-security=paypalcgi-bin=_connexiononline_securSecurity-paypal.htm"
- --21:46:15-- h00p://milapapier.pl/wp-content/uploads/2012/10/cn/2012/Alert/verification/update.account/paypalmember/cgi-binonline-security=paypalcgi-bin=_connexiononline_securSecurity-paypal.htm
- => `./sample'
- Resolving milapapier.pl... 79.96.188.139
- Connecting to milapapier.pl|79.96.188.139|:80... connected.
- h00p request sent, awaiting response... 403 Forbidden
- 21:46:17 ERROR 403: Forbidden.
- --------------------------who's the owner? what site? what server?--------------------
- // registration details...
- DOMAIN NAME: milapapier.pl
- registrant type: organization
- nameservers: dns3.home.pl. [95.211.105.225]
- dns.home.pl. [62.129.252.30]
- dns2.home.pl. [62.129.252.40]
- created: 2009.07.28 14:42:40
- last modified: 2012.07.14 11:23:16
- renewal date: 2013.07.28 14:42:40
- dnssec: Unsigned
- REGISTRAR:
- Home.pl S.A.
- pl. Rodla 9
- 70-419 Szczecin
- Polska/Poland
- +48.914325555
- +48.801445555
- info@home.pl
- //host checks...I am on solaris now :-)
- milapapier.pl has address 79.96.188.139
- milapapier.pl mail is handled by 10 milapapier.home.pl.
- milapapier.pl has SOA record dns.home.pl. admin.home.pl.
- 1342257796 10800 3600 604800 3600
- milapapier.pl name server dns.home.pl.
- milapapier.pl name server dns3.home.pl.
- milapapier.pl name server dns2.home.pl.
- // snip dig for the rest...
- dns.home.pl. 2762 IN A 62.129.252.31
- dns.home.pl. 2762 IN A 62.129.252.30
- dns2.home.pl. 2762 IN A 62.129.252.40
- dns2.home.pl. 2762 IN A 62.129.252.41
- dns3.home.pl. 2762 IN A 95.211.105.225
- // what do we have here....
- PORT STATE SERVICE
- 20/tcp closed ftp-data
- 21/tcp open ftp
- 24/tcp closed priv-mail
- 25/tcp open smtp
- 80/tcp open h00p
- 81/tcp closed hosts2-ns
- 110/tcp open pop3
- 111/tcp closed rpcbind
- 143/tcp open imap
- 443/tcp open h00ps
- 444/tcp closed snpp
- 465/tcp open smtps
- 587/tcp open submission
- 990/tcp open ftps
- 993/tcp open imaps
- 995/tcp open pop3s
- 996/tcp closed xtreelic
- 1433/tcp closed ms-sql-s
- 3306/tcp open mysql
- 5432/tcp open postgres
- 49400/tcp closed compaqdiag
- 54320/tcp closed bo2k
- 61439/tcp closed netprowler-manager
- 61440/tcp closed netprowler-manager2
- 61441/tcp closed netprowler-sensor
- 65301/tcp closed pcanywhere
- TCP/IP fingerprint:
- TCP ISN Seq. Numbers: 449DBB18 FA2DD2E9 9ECE7486 AAA0C984 7BA81B40 10CD69CD
- SInfo(V=3.70%P=i686-redhat-linux-gnu%D=10/26%Time=508A8C48%O=21%C=20)
- TSeq(Class=TR%IPID=Z)
- T1(Resp=Y%DF=Y%W=3890%ACK=S++%Flags=AS%Ops=MNNTNW)
- T2(Resp=N)
- T3(Resp=N)
- T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
- T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
- T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
- T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
- PU(Resp=N)
- // I saw the posix system...
- What kind of website is it?
- check the ggl cache...lynx!!
- // looks like a good website...
- // so the ftp accounts were used to
- // URL: h00p://webcache.googleusercontent.com/search?q=cache:OEcJIzQH57IJ:milapapier.pl/+&cd=1&hl=en&ct=clnk&client=firefox-a
- Mila Papier
- Paper Trade | Paper Exchange | Notice Board |
- Home
- Notice Board
- Sell Paper
- Buy Paper
- Wanted
- Cooperation
- Paper
- Cardboard Cores
- Offer
- Glossary
- Formats
- Machinery Offer
- Submit an Offer
- Slitter-Rewinder
- Sheeters
- Other
- Presses
- Company Directory
- Company Directory
- Add a Site
- Contact
- Flash Player version 10 or newer is required.
- We have been on the market for nearly 15 years and specialize in selling paper and paper-industry machinery.
- Paper
- We deal in the wholesale sale of paper, cardboard and paperboard, as well as paper....
- :
- blah
- :
- // got the contact info...
- :
- :
- Contact
- Company headquarters
- Mila Papier Sp. z o.o.
- ul. Osiedle Leśne 17-18
- 66-470 Kostrzyn nad Odrą
- NIP: 5992879273
- Regon: 211301675
- Mobile : 0048 607 81 51 70 PL DE RU
- Mobile : 0048 781 50 20 40 PL EN
- Phone : 0048 95 729 9479
- Fax : 0048 95 729 9479
- Email PL : info@milapapier.pl // Polish honest business site...
- Email EN : michal@milapapier.pl
- -------------------------------------------------------------
- // can't get this without cracking the server...
- // I ain't gonna DO the decent people's server!
- // So get other references:
- h00p://usefulnews.org/wp-admin/js/cgi-binonline-security=paypalcgi-bin=_con
- h00p://www.forrestgarvin.com/www/paypalmember/cgi-binonline-security=paypalcgi-bin=_connexiononline_secur/
- h00p://www.thewatchscene.com/wp-content/themes/twentyten/paypal/security/secure/webscr.php?cmd=_login-run&dispatch=5885d80a13c0db1f998ca054efbdf2c29878a435fe324eec2511727fbf3e9efccfea7b32c60498b6947205eb6fe703a8cfea7b32c60498b6947205eb6fe703a8
- h00p://mestniy.ru/wp-admin/css/cgi-binonline-security=paypalcgi-bin=_connexiononline_securSecurity-paypal.htm
- h00p://joshuaprakarsajaya.com/wp-includes/js/tinymce/cn/2012/Alert/verification/update.account/paypalmember/cgi-binonline-security=paypalcgi-bin=_connexiononline_securSecurity-paypal.htm
- The reference #2
- h00p://usefulnews.org/wp-admin/js/cgi-binonline-security=paypalcgi-bin=_con
- // this is what happens if you access...
- h00p/1.1 404 Not Found
- Date: Fri, 26 Oct 2012 13:28:47 GMT
- Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.35
- X-Powered-By: PHP/5.2.17
- X-Pingback: h00p://usefulnews.org/xmlrpc.php
- Expires: Wed, 11 Jan 1984 05:00:00 GMT
- Cache-Control: no-cache, must-revalidate, max-age=0
- Pragma: no-cache
- Set-Cookie: PHPSESSID=e271ef59454c3095766ba6d7fb2621ab; path=/
- Last-Modified: Fri, 26 Oct 2012 13:28:48 GMT
- Connection: close
- Content-Type: text/html; charset=UTF-8
- // the others are as per case #1....
- // What's this? Phishing sites (dork result)...PoC↓
- h00p://www.phishtank.com/phish_detail.php?phish_id=1585491
- h00p://www.phishtank.com/phish_detail.php?phish_id=1598929
- h00p://www.phishtank.com/phish_detail.php?phish_id=1591936
- h00p://www.phishtank.com/phish_detail.php?phish_id=1584873
- h00p://www.phishtank.com/phish_detail.php?phish_id=1584274
- //RESULT
- // It's a confirmed phishing matter, hand this over to the phishing guys..case closed!
- // How did they get this phishing page onto their sites? Credential leaks, definitely.
- // the keywords are "paypalcgi-bin=" and "cgi-binonline-security="
- // block the above keywords in your network and you'll be safe from this scheme...
- #MalwareMustDie!!!!! Phishing toooo!!
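One way to act on the keyword advice above at the proxy log, as an added example that is not part of the original paste: the log layout and the sample lines are constructed (the paste's "h00p" defanging is restored to "http" so the URLs parse), and the path/query is percent-decoded and lower-cased before matching so encoded spellings of the same kit path are still flagged.

```python
"""Flag proxy-log requests whose URL carries the PayPal phishing-kit path
tokens noted in the paste. Example code, not from the original paste."""
import re
from urllib.parse import unquote, urlsplit

# Path fragments the paste identifies as the kit's signature.
PHISH_KIT_TOKENS = ("paypalcgi-bin=", "cgi-binonline-security=")

# Constructed sample in a Squid-like "timestamp client method url status" layout.
# Line 3 percent-encodes the "=" signs; line 4 is a benign near-miss.
SAMPLE_LOG = """\
1351260901.123 10.0.0.12 GET http://milapapier.pl/wp-content/uploads/2012/10/cn/2012/Alert/verification/update.account/paypalmember/cgi-binonline-security=paypalcgi-bin=_connexiononline_securSecurity-paypal.htm 200
1351260902.456 10.0.0.15 GET http://www.example.com/index.html 200
1351260903.789 10.0.0.19 GET http://mestniy.ru/wp-admin/css/CGI-BINONLINE-SECURITY%3Dpaypalcgi-bin%3D_connexiononline_securSecurity-paypal.htm 200
1351260904.001 10.0.0.21 POST http://www.example.org/cgi-bin/online-security 302
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def normalize_url(url: str) -> str:
    """Return the lower-cased, percent-decoded path plus query of a URL.
    Decoding twice also covers double-encoded paths."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return unquote(unquote(target)).lower()


def url_matches_kit(url: str) -> bool:
    """True if the URL's path/query contains any of the kit tokens."""
    target = normalize_url(url)
    return any(token in target for token in PHISH_KIT_TOKENS)


def scan_log(text: str) -> list:
    """Return (client_ip, url) for every request that hits a kit token."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, _method, url, _status = match.groups()
        if url_matches_kit(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        print(f"ALERT {client} -> {url}")
```

The same `url_matches_kit` check can be dropped into a proxy ACL or IDS rule generator; the benign `/cgi-bin/online-security` line shows the tokens are specific enough not to fire on ordinary cgi-bin paths.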