Neither phish nor spam... so...
MrLinus
January 30th, 2005, 09:04 PM
I don't think it's a phish or a spam. Perhaps a worm gone wrong?
From - Sun Jan 30 14:49:45 2005
X-Account-Key: account2
X-UIDL: 2f5c45a2c6ba3d55f1d7a6193e3ce03b
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Apparently-To:xxx@xxx.com via xx.yy.bb.aa; Sun, 30 Jan 2005 11:37:11 -0800
Authentication-Results: xx.yahoo.com
from=yahoo.com; domainkeys=neutral (no sig)
X-Originating-IP: [xx.yy.bb.aa]
Return-Path: <drwwcelco@yahoo.com>
Received: from xx.yy.bb.aa (EHLO xxx.net) (xx.yy.aa.bb)
by xx.yahoo.com with SMTP; Sun, 30 Jan 2005 11:37:11 -0800
Received: from wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net (wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net [4.26.133.216])
by xxxxxx (Postfix) with SMTP id D251E2B6E31
for <msmittens@msmittens.com>; Sun, 30 Jan 2005 14:37:00 -0500 (EST)
Received: from 184.70.206.179 by 4.26.133.216; Mon, 31 Jan 2005 00:39:29 +0500
Message-ID: <NUIVUVKQIMACBMCIEWEJECBE@yahoo.com>
From: "Summer Fair" <drwwcelco@yahoo.com>
Reply-To: "Summer Fair" <drwwcelco@yahoo.com>
To: msmittens@msmittens.com
Subject: Message subject
Date: Sun, 30 Jan 2005 14:36:29 -0500
X-Mailer: Microsoft Outlook, Build 10.0.2627
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--25678612284291696"
X-Priority: 3
X-MSMail-Priority: Normal
----25678612284291696
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
%CHILL
%DICK
%CONTACT http://%URL/d/1.php
%BYE
%******* t
----25678612284291696--
Donkey Punch
January 30th, 2005, 09:13 PM
Hmm, looks like wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net has a web site:
http://wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net/
Perhaps you can ask what the email was for?
mmm, fish and spam sounds good for lunch
Tiger Shark
January 30th, 2005, 09:44 PM
To be frank.... It looks like someone might be a little pissed with Ms. M.
Funny, two people really pissed someone off just a few days ago... And Ms. M. is much easier to find than I am..... Ms. M. I would consider making your IDS your best friend if you know what I mean.... It looks like someone already found themselves a way into one box... The one they used to send this email......
Then again, this could just be the paranoid me overthinking..... :D
MrLinus
January 30th, 2005, 09:49 PM
I have an IDS but it's a rather lame attempt if they are pissed. Rather ineffectual when you look at it (and that's the email source, BTW). Definitely someone found their way into the box. The files date back to 1997 although the install occurred, it looks like with some minor poking, in 2003. I'm thinking a honeypot of some type or some luser who left a box running and hasn't really updated it.
Donkey Punch
January 30th, 2005, 09:52 PM
also, as you pointed out in IRC:
MsMittens: that's why I'm thinking perhaps a worm?
Joaquin: Received: from 184.70.206.179 by 4.26.133.216;
Joaquin: what does that mean?
Joaquin: does that mean the mail came from Received: from 184.70.206.179 to 4.26.133.216 ?
MsMittens: well, 184.70.206.179 resolved to an IANA reserved address (e.g., private addressing!?)
MsMittens: I'm thinking internal or original source addy (spoofed perhaps) and then relayed off/out of 4.26.133.216 through the webserver (a script somewhere)
I doubt it is an email conspiracy.
MrLinus
January 30th, 2005, 10:20 PM
.. And again..
From - Sun Jan 30 16:16:16 2005
X-Account-Key: account2
X-UIDL: a4d8331a676f036534be27b5adf863db
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Apparently-To:xxx via xx.yy.bb.aa; Sun, 30 Jan 2005 13:15:50 -0800
Authentication-Results: xx.yy.bb.aa.yahoo.com
from=yahoo.com; domainkeys=neutral (no sig)
X-Originating-IP: [xx.yy.bb.aa]
Return-Path: <vubsuzomytfr@yahoo.com>
Received: from xx.yy.bb.aa (EHLO xx.yy.bb.aa) (xx.yy.bb.aa)
by xx.yy.bb.aa.yahoo.com with SMTP; Sun, 30 Jan 2005 13:15:50 -0800
Received: from pool-141-150-161-74.atc.east.verizon.net (pool-141-150-161-74.atc.east.verizon.net [141.150.161.74])
by mailhub.korax.net (Postfix) with SMTP id B692A2B69D8
for <msmittens@msmittens.com>; Sun, 30 Jan 2005 16:15:40 -0500 (EST)
Received: from 4.36.226.179 by 141.150.161.74; Mon, 31 Jan 2005 09:11:11 -0400
Message-ID: <FPYIHPUEVCJDJGMFKLSU@yahoo.com>
From: "Dorothea Hurd" <vubsuzomytfr@yahoo.com>
Reply-To: "Dorothea Hurd" <vubsuzomytfr@yahoo.com>
To: msmittens@msmittens.com
Subject: Message subject
Date: Mon, 31 Jan 2005 15:09:11 +0200
X-Mailer: AOL 7.0 for Windows US sub 118
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--2734773885062454982"
X-Priority: 3
X-MSMail-Priority: Normal
----2734773885062454982
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
%CHILL
%DICK
%CONTACT http://%URL/d/1.php
%BYE
%******* b
----2734773885062454982--
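The IRC discussion above turns on what the innermost "Received: from A by B" line means and whether it can be trusted. One way to check a Received chain for the hallmark of a sender-forged hop is to compare each hop's timestamp with the relay that received from it: real relays stamp the message in roughly increasing order, so an inner hop dated hours after the outer one was written by the sender, not by a relay. This is an added example, not code from anyone in this thread; it uses the second message's headers as posted here, refolded, and keeps the relay addresses the page masks as xx.yy.bb.aa.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the second message's Received/Date headers as posted in
# the thread, refolded with leading whitespace (the forum flattened the
# continuation lines). Addresses masked on the page stay masked (xx.yy.bb.aa).
MSG2 = """\
Received: from xx.yy.bb.aa (EHLO xx.yy.bb.aa) (xx.yy.bb.aa)
  by xx.yy.bb.aa.yahoo.com with SMTP; Sun, 30 Jan 2005 13:15:50 -0800
Received: from pool-141-150-161-74.atc.east.verizon.net (pool-141-150-161-74.atc.east.verizon.net [141.150.161.74])
  by mailhub.korax.net (Postfix) with SMTP id B692A2B69D8
  for <msmittens@msmittens.com>; Sun, 30 Jan 2005 16:15:40 -0500 (EST)
Received: from 4.36.226.179 by 141.150.161.74; Mon, 31 Jan 2005 09:11:11 -0400
Date: Mon, 31 Jan 2005 15:09:11 +0200

"""

# "from <host> ... by <host>" in the clause before the ';' timestamp
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)")

def parse_hops(raw):
    """Return Received hops, outermost (last relay) first, as
    (from_host, by_host, timezone-aware datetime) tuples."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        clause, _, stamp = " ".join(value.split()).rpartition(";")
        m = HOP_RE.search(clause)
        frm, by = (m.group(1), m.group(2)) if m else ("?", "?")
        hops.append((frm, by, parsedate_to_datetime(stamp.strip())))
    return hops

def hop_skews(raw):
    """Seconds by which each inner hop's stamp runs ahead of the relay that
    received from it. A large positive value means the inner Received line
    was supplied by the sender rather than written by a real relay."""
    hops = parse_hops(raw)
    return [(inner[0], inner[1], (inner[2] - outer[2]).total_seconds())
            for outer, inner in zip(hops, hops[1:])]

def date_skew(raw):
    """Seconds the Date: header runs ahead of the outermost Received stamp."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"])
    return (sent - parse_hops(raw)[0][2]).total_seconds()

def suspicious_hops(raw, tolerance=600):
    """Hops whose stamp is more than `tolerance` seconds in the future."""
    return [h for h in hop_skews(raw) if h[2] > tolerance]
```

On this sample the Verizon-to-korax hop is 10 seconds behind its receiver (ordinary clock drift), while the claimed "from 4.36.226.179" hop and the Date: header both run almost 16 hours ahead of the final relay, which is what a sender-written header looks like.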
Tiger Shark
January 30th, 2005, 10:25 PM
Don't contact the perpetrator unless you at least single proxy it safely and have tested the proxy unless you do it from work.... 'cos I think that your "friend" already knows where you work.... If he doesn't he's dumber than dumb..... Oh... and don't forget he's probably watching this... ;)
Donkey Punch
January 30th, 2005, 10:26 PM
Looks like an infection, because look at the email this time: vubsuzomytfr@yahoo.com looks to me like a dead email from the yahoo domain.
Another thing: Why are all the machines from the Verizon domain? Are Verizon customers being affected right now? Let's see if this person has a web site...
MrLinus
January 30th, 2005, 10:28 PM
I'm still leaning towards an infection but I'm curious if anyone else has seen emails like this.
Tiger Shark
January 30th, 2005, 10:40 PM
Ms. M: That message is not a messed up spam like I see a lot.... It is, however, typical of a message from someone with an issue.... If it were a screwed up spam what are the chances that you would get two in fairly quick succession from two different IP's? Low! I see screwed up spammers every day.... This doesn't seem like one of them. Do me a favor.... PM me the url... This IP address will have changed by tomorrow and it's quite well protected.
As to a dead email..... Unless Ms. M. is using SPF you can send an email purporting to be from any domain so the email address is irrelevant.... as is the IP since it is quite possible that any skiddie in the world could have scanned a verizon netblock for machines they have an exploit for and have exploited a few.
When you are talking about security _everything_ is possible.... When you are talking about personal security you write _nothing_ off until _proven_ irrelevant/benign.....
MrLinus
January 30th, 2005, 10:45 PM
Tiger: the IP info in question is all there. The website we're talking about is direct from the IPs listed there...
Tiger Shark
January 30th, 2005, 11:09 PM
Silly me..... The first one wasn't a link.... the second was..... neither of the originating IP's have a 1.php available - only one is reachable by HTTP.....
Note to self: Detail, Detail, Detail.... :o
Great, so the "contact" link is a link to Google and there is no redirection in the whole transaction - per Ethereal too..... I'd suggest that this behaviour goes further to imply that it isn't a screwed up spam..... But it still fits my theory.... S/he doesn't want to be traceable....
I guess the question is "are they going to play silly games sending insulting emails or are they going to try to have more 'fun'?"..... I guess that's a wait and see..... I think I'll give them a quick scan while we wait.... ;)
One common port open..... 139..... Today.... The two scans do not look right... Look...
********************************************************************
C:\NMap-3-75>nmap -sS -P0 -O -vv -T 3 4.26.133.216
Starting nmap 3.75 ( http://www.insecure.org/nmap ) at 2005-01-30 17:34 Eastern Standard Time
Initiating SYN Stealth Scan against wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net (4.26.133.216) [1663 ports] at 17:34
Discovered open port 80/tcp on 4.26.133.216
Discovered open port 443/tcp on 4.26.133.216
Discovered open port 5000/tcp on 4.26.133.216
Discovered open port 139/tcp on 4.26.133.216
SYN Stealth Scan Timing: About 47.79% done; ETC: 17:36 (0:00:32 remaining)
The SYN Stealth Scan took 129.42s to scan 1663 total ports.
For OSScan assuming port 80 is open, 1 is closed, and neither are firewalled
Host wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net (4.26.133.216) appears to be up ... good.
Interesting ports on wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net (4.26.133.216):
(The 1659 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
5000/tcp open UPnP
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Pro or Advanced Server, or Windows XP
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=14EC8%TS=0)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RIPCK=F%UCK=F%ULEN=134%DAT=E)
TCP Sequence Prediction: Class=random positive increments
Difficulty=85704 (Worthy challenge)
TCP ISN Seq. Numbers: 7FED1752 7FEEC3E1 7FEF56AE 7FF367A4 7FF4B94C
IPID Sequence Generation: Busy server or unknown class
Nmap run completed -- 1 IP address (1 host up) scanned in 139.100 seconds
**********************************************************************
The other one...
**********************************************************************
C:\NMap-3-75>nmap -sS -P0 -O -vv -T 3 141.150.161.74
Starting nmap 3.75 ( http://www.insecure.org/nmap ) at 2005-01-30 17:37 Eastern Standard Time
Initiating SYN Stealth Scan against pool-141-150-161-74.atc.east.verizon.net (141.150.161.74) [1663 ports] at 17:37
Increasing send delay for 141.150.161.74 from 0 to 5 due to 11 out of 22 dropped probes since last increase.
SYN Stealth Scan Timing: About 2.96% done; ETC: 17:54 (0:16:44 remaining)
SYN Stealth Scan Timing: About 8.48% done; ETC: 17:49 (0:11:08 remaining)
Discovered open port 81/tcp on 141.150.161.74
SYN Stealth Scan Timing: About 53.36% done; ETC: 17:46 (0:03:59 remaining)
Discovered open port 139/tcp on 141.150.161.74
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
The SYN Stealth Scan took 566.50s to scan 1663 total ports.
For OSScan assuming port 81 is open, 1 is closed, and neither are firewalled
For OSScan assuming port 81 is open, 1 is closed, and neither are firewalled
For OSScan assuming port 81 is open, 1 is closed, and neither are firewalled
Host pool-141-150-161-74.atc.east.verizon.net (141.150.161.74) appears to be up ... good.
Interesting ports on pool-141-150-161-74.atc.east.verizon.net (141.150.161.74):
(The 1660 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp filtered http
81/tcp open hosts2-ns
139/tcp open netbios-ssn
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.75%P=i686-pc-windows-windows%D=1/30%Tm=41FD6410%O=81%C=1)
TSeq(Class=TD%gcd=1%SI=26%IPID=RPI%TS=U)
TSeq(Class=TD%gcd=1%SI=19%IPID=RPI%TS=U)
TSeq(Class=TD%gcd=3%SI=47%IPID=RPI%TS=U)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=S%Flags=R%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RIPCK=F%UCK=F%ULEN=134%DAT=E)
TCP Sequence Prediction: Class=trivial time dependency
Difficulty=71 (Easy)
TCP ISN Seq. Numbers: FD401B5 FD4039B FD403A4 FD403E9
IPID Sequence Generation: Random positive increments
Nmap run completed -- 1 IP address (1 host up) scanned in 603.027 seconds
*********************************************
It's "odd".... I need to think more about what's going on.... But it doesn't seem right.... run Ethereal while you try to connect to 141.150.161.74:81.... It's open but it RST's me.... I dunno..... It isn't right... Need to think about it some more.....