SHARE
TWEET

Phishing Infection of "paypalcgi-bin=" and "cgi-binonline"

MalwareMustDie Oct 26th, 2012 168 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #MalwareMustDie | Fri Oct 26 23:00:49 JST 2012 | @unixfreaxjp
  2.  
  3. // Found interesting urls..
  4. h00p://milapapier.pl/wp-content/uploads/2012/10/cn/2012/Alert/verification/update.account/paypalmember/cgi-binonline-security=paypalcgi-bin=_connexiononline_securSecurity-paypal.htm
  5.  
  6. ---------------------------------investigations--------------------------------------------------------
  7.  
  8. // tor wouldn't access it..
  9. "h00p_proxy = blash"
  10. --output-document="./sample"
  11. --referer="h00p://www.google.com/search?q=youtube"
  12. --user-agent="Mozila/4.3 (X11; U; MacOSX i686)"
  13. "h00p://milapapier.pl/wp-content/uploads/2012/10/cn/2012/Alert/verification/update.account/paypalmember/cgi-binonline-security=paypalcgi-bin=_connexiononline_securSecurity-paypal.htm"
  14.  
  15. --21:55:01--  h00p://milapapier.pl/wp-content/uploads/2012/10/cn/2012/Alert/veri
  16. fication/update.account/paypalmember/cgi-binonline-security=paypalcgi-bin=_conne
  17. xiononline_securSecurity-paypal.htm
  18.            => `./sample'
  19. Connecting to 192.168.7.11:8118... connected.
  20. Proxy request sent, awaiting response... 403 Forbidden
  21. 21:55:04 ERROR 403: Forbidden.
  22.  
  23. // gatling IP also won't....
  24.  
  25. --output-document="./sample" --referer="h00p://www.google.com/search?q=youtube" --user-agent="Mozilla/4.3 (X11; U; MacOSX i686)" "h00p://milapapier.pl/wp-content/uploads/2012/10/cn/2012/Alert/verification/update.account/paypalmember/cgi-binonline-security=paypalcgi-bin=_connex
  26. iononline_securSecurity-paypal.htm"
  27. --21:46:15--  h00p://milapapier.pl/wp-content/uploads/2012/10/cn/2012/Alert/veri
  28. fication/update.account/paypalmember/cgi-binonline-security=paypalcgi-bin=_conne
  29. xiononline_securSecurity-paypal.htm
  30.            => `./sample'
  31. Resolving milapapier.pl... 79.96.188.139
  32. Connecting to milapapier.pl|79.96.188.139|:80... connected.
  33. h00p request sent, awaiting response... 403 Forbidden
  34. 21:46:17 ERROR 403: Forbidden.
  35.  
  36. --------------------------who's the owner? what site? what server?--------------------
  37.  
  38. // regist details...
  39.  
  40. DOMAIN NAME:           milapapier.pl
  41. registrant type:       organization
  42. nameservers:           dns3.home.pl. [95.211.105.225]
  43.                        dns.home.pl. [62.129.252.30]
  44.                        dns2.home.pl. [62.129.252.40]
  45. created:               2009.07.28 14:42:40
  46. last modified:         2012.07.14 11:23:16
  47. renewal date:          2013.07.28 14:42:40
  48. dnssec:                Unsigned
  49.  
  50. REGISTRAR:
  51. Home.pl S.A.
  52. pl. Rodla 9
  53. 70-419 Szczecin
  54. Polska/Poland
  55. +48.914325555
  56. +48.801445555
  57. info@home.pl
  58.  
  59. //host checks...I am on solaris now :-)
  60. milapapier.pl has address 79.96.188.139
  61. milapapier.pl mail is handled by 10 milapapier.home.pl.
  62. milapapier.pl has SOA record dns.home.pl. admin.home.pl.
  63.               1342257796 10800 3600 604800 3600
  64. milapapier.pl name server dns.home.pl.
  65. milapapier.pl name server dns3.home.pl.
  66. milapapier.pl name server dns2.home.pl.
  67.  
  68. // snip dig for the rest...
  69. dns.home.pl.   2762 IN A   62.129.252.31
  70. dns.home.pl.   2762 IN A   62.129.252.30
  71. dns2.home.pl.  2762 IN A   62.129.252.40
  72. dns2.home.pl.  2762 IN A   62.129.252.41
  73. dns3.home.pl.  2762 IN A   95.211.105.225
  74.  
  75.  
  76. // what do we have here....
  77. PORT      STATE  SERVICE
  78. 20/tcp    closed ftp-data
  79. 21/tcp    open   ftp
  80. 24/tcp    closed priv-mail
  81. 25/tcp    open   smtp
  82. 80/tcp    open   h00p
  83. 81/tcp    closed hosts2-ns
  84. 110/tcp   open   pop3
  85. 111/tcp   closed rpcbind
  86. 143/tcp   open   imap
  87. 443/tcp   open   h00ps
  88. 444/tcp   closed snpp
  89. 465/tcp   open   smtps
  90. 587/tcp   open   submission
  91. 990/tcp   open   ftps
  92. 993/tcp   open   imaps
  93. 995/tcp   open   pop3s
  94. 996/tcp   closed xtreelic
  95. 1433/tcp  closed ms-sql-s
  96. 3306/tcp  open   mysql
  97. 5432/tcp  open   postgres
  98. 49400/tcp closed compaqdiag
  99. 54320/tcp closed bo2k
  100. 61439/tcp closed netprowler-manager
  101. 61440/tcp closed netprowler-manager2
  102. 61441/tcp closed netprowler-sensor
  103. 65301/tcp closed pcanywhere
  104.  
  105. TCP/IP fingerprint:
  106. TCP ISN Seq. Numbers: 449DBB18 FA2DD2E9 9ECE7486 AAA0C984 7BA81B40 10CD69CD
  107. SInfo(V=3.70%P=i686-redhat-linux-gnu%D=10/26%Time=508A8C48%O=21%C=20)
  108. TSeq(Class=TR%IPID=Z)
  109. T1(Resp=Y%DF=Y%W=3890%ACK=S++%Flags=AS%Ops=MNNTNW)
  110. T2(Resp=N)
  111. T3(Resp=N)
  112. T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
  113. T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
  114. T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
  115. T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
  116. PU(Resp=N)
  117.  
  118. // I saw the posix system...
  119.    What kind of website is it?
  120.    check the ggl cache...lynx!!
  121.  
  122. // looks a good websites...
  123. // so ftp accounts was used to
  124. // URL: h00p://webcache.googleusercontent.com/search?q=cache:OEcJIzQH57IJ:milapapier.pl/+&cd=1&hl=en&ct=clnk&client=firefox-a
  125.  
  126. Mila Papier
  127. Handel Papierem | Giełda Papieru | Tablica Ogłoszeń |
  128.  
  129.    Home
  130.    Tablica Ogłoszeń
  131.        Sprzedaj Papier
  132.        Kup papier
  133.        Poszukuję
  134.        Współpraca
  135.    Papier
  136.        Tuleje tekturowe
  137.        Oferta
  138.        Słownik
  139.        Formaty
  140.    Oferta Maszyn
  141.        Zgłoś ofertę
  142.        Bobiniarka
  143.        Przekrawacze
  144.        Inne
  145.        Prasy
  146.    Katalog Firm
  147.        Katalog Firm
  148.        Dodaj stronę
  149.    Kontakt
  150.  
  151. Potrzebny Flash Player w wersji 10 lub nowszej.
  152. Istniejemy na rynku od blisko 15 lat i specjalizujemy się w sprzedaży papieru oraz maszyn papierniczych.
  153. Papier
  154.  
  155. Zajmujemy się hurtową sprzedażą papieru, tektur i kartonów oraz papieru....
  156.  :
  157.  blah
  158.  :
  159.   // got the contact info...
  160.  :
  161.  :
  162. Kontakt
  163.  
  164. Siedziba firmy
  165.  
  166. Mila Papier Sp. z o.o.
  167. ul. Osiedle Leśne 17-18
  168. 66-470 Kostrzyn nad Odrą
  169. NIP: 5992879273
  170. Regon: 211301675
  171.  
  172. Mobile : 0048 607 81 51 70 PL DE RU
  173. Mobile : 0048 781 50 20 40 PL EN
  174. Phone : 0048 95 729 9479
  175. Fax : 0048 95 729 9479
  176. Email PL : info@milapapier.pl   // polandian honest business site...
  177. Email EN : michal@milapapier.pl
  178.  
  179. -------------------------------------------------------------
  180. // cant get this without cracking the server...
  181. // I ain't gonna DO the decent people's server!
  182. // So get other references:
  183.  
  184. h00p://usefulnews.org/wp-admin/js/cgi-binonline-security=paypalcgi-bin=_con
  185. h00p://www.forrestgarvin.com/www/paypalmember/cgi-binonline-security=paypalcgi-bin=_connexiononline_secur/
  186. h00p://www.thewatchscene.com/wp-content/themes/twentyten/paypal/security/secure/webscr.php?cmd=_login-run&dispatch=5885d80a13c0db1f998ca054efbdf2c29878a435fe324eec2511727fbf3e9efccfea7b32c60498b6947205eb6fe703a8cfea7b32c60498b6947205eb6fe703a8
  187. h00p://mestniy.ru/wp-admin/css/cgi-binonline-security=paypalcgi-bin=_connexiononline_securSecurity-paypal.htm
  188. h00p://joshuaprakarsajaya.com/wp-includes/js/tinymce/cn/2012/Alert/verification/update.account/paypalmember/cgi-binonline-security=paypalcgi-bin=_connexiononline_securSecurity-paypal.htm
  189.  
  190. The reference #2
  191. h00p://usefulnews.org/wp-admin/js/cgi-binonline-security=paypalcgi-bin=_con
  192.  
  193. // this is what happened if u access...
  194. h00p/1.1 404 Not Found
  195. Date: Fri, 26 Oct 2012 13:28:47 GMT
  196. Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.35
  197. X-Powered-By: PHP/5.2.17
  198. X-Pingback: h00p://usefulnews.org/xmlrpc.php
  199. Expires: Wed, 11 Jan 1984 05:00:00 GMT
  200. Cache-Control: no-cache, must-revalidate, max-age=0
  201. Pragma: no-cache
  202. Set-Cookie: PHPSESSID=e271ef59454c3095766ba6d7fb2621ab; path=/
  203. Last-Modified: Fri, 26 Oct 2012 13:28:48 GMT
  204. Connection: close
  205. Content-Type: text/html; charset=UTF-8
  206. // the others are as per case #1....
  207.  
  208. // What's this? Phising sites(DORK result)...PoC↓
  209. h00p://www.phishtank.com/phish_detail.php?phish_id=1585491
  210. h00p://www.phishtank.com/phish_detail.php?phish_id=1598929
  211. h00p://www.phishtank.com/phish_detail.php?phish_id=1591936
  212. h00p://www.phishtank.com/phish_detail.php?phish_id=1584873
  213. h00p://www.phishtank.com/phish_detail.php?phish_id=1584274
  214.  
  215. //RESULT
  216. // Is a confirmed phishing matters, hands over this to the phising guys..case closed!
  217. // how they got this phising page in their sites? Credential leaks, definetaly.
  218. // the keyword is the "paypalcgi-bin=" and "cgi-binonline-security="
  219. // block the above keyword in your network and you'll be save from this scheme...
  220.  
  221. #MalwareMustDie!!!!! Phishing toooo!!
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top