
| Subject: | [Full-Disclosure] Is there a 0day vuln in this phisher's site? |
|---|---|
| Date: | Sat, 29 Jan 2005 00:14:55 -0800 |
I was annoyed today by a phisher impersonating my favorite bank Washington Mutual http://www.Wamu.com

The phisher's site: http://220.194.228.91:87/wa/

Obviously any data collected there will be abused by the phishers... but does it pose a greater risk of being exposed to a much wider audience of crackers? Have these phishers hardened their system enough to prevent attack and maybe even the discovery of their identity?

So I did a quick scan of the "collector" system 220.194.228.91 set up by the phishers and found the Asia-Pacific based system to have TCP port 87 open for web, and UDP 7 (Echo) and UDP 161 (SNMP) open.

Browsing the SNMP MIBs showed me a Win2K system with a private address 192.168.0.1 sitting in WORKGROUP with a LANMAN name ZFZ. Network card MAC addresses (VITALCOM) 00e0433a4bbd and 00e0433a4957 and MTUs of 1500. sysUpTime TimeTicks 11 hours, 3 minutes, 22 seconds. Usernames Guest and cclogin:

| Mib Oid | Type | Value | Type # |
|---|---|---|---|
| .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116 | String | Guest | 4 |
| .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.7.99.99.108.111.103.105.110 | String | cclogin | 4 |

Also, looking at the source on the /wa/index.htm and /wa/thank.htm pages shows that they were grabbed for malicious editing on 10/4/2004... that is as far as I could take it tonight.

Regarding the open SNMP, I have seen "a buffer overrun is present in all implementations", but do not know if the phisher's system is exploitable and have not tried any code to actually do this. Once cracked, getting information regarding all connections could lead closer to the real identity of the phishers, especially if some trojan code can be placed using an SNMP exploit. If those phishers are getting wealthy by stealing identities, it would be possible for them to be trumped by yet another crook stealing their identity/bank accounts, etc.
Some questions for the inclined:

1) What information can still be gathered regarding this fake banking site using both passive probes and active exploits?
2) How long has this particular site been active?
3) Is the network range repeatedly used for malicious activity, or is this unusual activity in that network?
4) While the proliferation of these sites has caused a tremendous amount of security awareness in businesses and the public, these scams continue to trick people. How can phishers be virtually neutered?
5) When secure transactions must be done via the web, users must be verified to the secure site, but web sites are not easily verified by the average user. What foolproof device, dongle, etc. could a clueless user employ to verify a secure site?
6) Should secure sites employ steganographic watermarking to allow for forensic tracking of images served by secure sites? (do they do this already like my Minolta QMS2300DL does with those little yellow dots?)

Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
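The two svUserTable rows quoted in the post carry each user name twice: once as the returned value and once encoded in the OID index (a length sub-identifier followed by one sub-identifier per ASCII byte). The following is an added example, not code from the original post, that parses rows in the post's "Mib Oid; Type; Value; Type #" layout, decodes the string index, and cross-checks it against the reported value, the kind of consistency check worth running on SNMP walk output before trusting it. The row strings below are transcribed from the post; the function names are my own.

```python
# Rows in the post's layout: "Mib Oid; Type; Value; Type #" (transcribed from the post)
SAMPLE_ROWS = [
    ".iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server."
    "svUserTable.svUserEntry.svUserName.5.71.117.101.115.116; String; Guest; 4",
    ".iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server."
    "svUserTable.svUserEntry.svUserName.7.99.99.108.111.103.105.110; String; cclogin; 4",
]


def decode_index(oid: str) -> str:
    """Decode the length-prefixed string index that ends a LAN Manager
    svUserTable OID: the first sub-identifier after 'svUserName.' is the
    byte count, each following sub-identifier is one character code."""
    marker = "svUserName."
    pos = oid.rfind(marker)
    if pos < 0:
        raise ValueError("not an svUserName OID")
    subids = [int(x) for x in oid[pos + len(marker):].split(".")]
    length, chars = subids[0], subids[1:]
    if len(chars) != length:
        raise ValueError(f"index claims {length} bytes but {len(chars)} follow")
    if any(not 0 <= c <= 255 for c in chars):
        raise ValueError("sub-identifier outside byte range")
    return bytes(chars).decode("ascii", errors="replace")


def parse_row(row: str) -> dict:
    """Split one row, decode its OID index and flag a mismatch with the value."""
    oid, typ, value, typenum = [f.strip() for f in row.split(";")]
    decoded = decode_index(oid)
    return {"oid": oid, "type": typ, "value": value, "type_num": int(typenum),
            "index_name": decoded, "consistent": decoded == value}


def check_rows(rows):
    return [parse_row(r) for r in rows]


if __name__ == "__main__":
    for r in check_rows(SAMPLE_ROWS):
        print(r["index_name"], r["value"], "OK" if r["consistent"] else "MISMATCH")
```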