Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 01-09-2006, 08:44 PM   #1
Marshal
Biz Dev and SEO
Join Date: Jun 2005
Posts: 15,180
*** IMPORTANT: New worm or wtf?! ***

I've received this e-mail today. I've analyzed the directory where that html document was located (Google Blog from Blogger, hosted on my site) and tried to remove the files, but I was unable to. Looks like these worm files (or whatever they are?!) have root ownership. I'm not accusing Blogger (Google), because it looks like my Apache server is infected. I was only able to rename the directory...

What do you think I should do now, except to report this to the root of the server?

Quote:

Dear Sirs:
Cyota, an anti-fraud and security company, is under contract to assist Royal Bank of Canada and its related entities ("RBC") - a leading Canadian bank - in preventing or terminating online activity that targets RBC's clients as potential fraud victims.

Cyota has been made aware that you appear to be providing Internet Services to a fraudulent Web site, which is part of a "phishing scam"*. This activity violates RBC's copyright, trademark and other intellectual property rights and may violate the criminal laws of Canada, the United States and other nations.

E-mail messages have been broadly distributed to individuals by a person or entity pretending to be RBC. These e-mails use RBC's name and identity (including trademarks) without authorization. The e-mails request recipients to verify and submit sensitive details related to their RBC accounts.

Within the fraudulent e-mail message, there is a link that leads the recipients to a fraudulent website displaying RBC's copyrighted materials and trademarks. The fraudulent website is located at the following URL address (http://www.sweetlatin.com/blog/image.../rbunxcgi.html) to which you provide services and which is under your control.

The fraudulent website not only represents a misuse of RBC's intellectual property; its purpose is to improperly obtain personal information of RBC customers in order to fraudulently access their bank accounts. The people behind those websites typically perpetrate identity-theft related activities, such as using customers' credit cards or bank accounts without authorization. In addition, since the vast majority of all of the e-mails are not being sent to actual RBC customers, the actions serve to damage the reputation and image of RBC.

Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website.

We understand that you may not be aware of this improper use of your services and we appreciate your cooperation. We specifically would ask that you also take the following actions:

• Please provide us with a tar/zip file of the source code for this site, so that we may analyze it to help prevent further attacks.

• If any customer data has been captured that is stored on your systems or equipment, please send us that data so that the customers to whom that data relates can be notified and take steps to protect their credit.

• Please provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn the identity and location of the customer for whom the website has been operated.

Thank you for your cooperation to prevent and terminate this fraudulent activity.

Sincerely,
Cyota Anti Fraud Command Center
Tel: +44(0)800-032-7751 (UK)
Tel: +1-866-408-7525 (US)
Fax: +972-9-9728101 (EU)
Fax: +1-212-208-4644 (US)
E-mail: [email protected]

cc: Royal Bank of Canada
Tamara Vanmeggelen, Counsel, RBC Law Group
Address: 200 Bay St - 14th Flr, North Tower Toronto, Ontario M5J 2J5
Tel: +1 - 416 974-3435
Fax: +1- 416 974-2217

*"Phishing" is an e-mail scam that attempts to trick consumers into revealing personal information, such as their credit or debit account numbers, checking account information, Social Security Numbers, or banking account passwords, through an imposter's Web site or in a reply e-mail.
__________________
---
Busy ranking websites on Google...

Last edited by Marshal; 01-09-2006 at 08:47 PM..
Old 01-09-2006, 08:53 PM   #2
jasonir
Confirmed User
Join Date: Aug 2002
Location: Toro'no
Posts: 1,887
Owned.
Old 01-09-2006, 08:59 PM   #3
Marshal
Biz Dev and SEO
Join Date: Jun 2005
Posts: 15,180
Looks like this is the truth... This html is sending you to that banking site and using their security flow in the URL, to redirect to god-knows-whose location and to grab visitors' user:pass for their banking accounts... root is already contacted...

I'm still unable to find out which mechanism they used to inject that worm. Was that Blogger's bug, or is my server's Apache exploitable?

Last edited by Marshal; 01-09-2006 at 09:02 PM..
Old 01-09-2006, 09:02 PM   #4
Marshal
Biz Dev and SEO
Join Date: Jun 2005
Posts: 15,180
Probably it is up to Blogger...

Last edited by Marshal; 01-09-2006 at 09:04 PM..
Old 01-09-2006, 09:07 PM   #5
Marshal
Biz Dev and SEO
Join Date: Jun 2005
Posts: 15,180
bump for the cause...
Old 01-09-2006, 09:09 PM   #6
blazi
Confirmed User
Join Date: Feb 2003
Location: Closer now
Posts: 4,321
another *bump*
Old 01-10-2006, 02:14 AM   #7
tristan_D
Confirmed User
Join Date: Jul 2005
Posts: 7,865
bump for other posters' info
Old 01-10-2006, 02:17 AM   #8
reed_4
Confirmed User
Join Date: Jul 2005
Posts: 9,640
Sorry to hear that, nettrust; fucked up times really happen.
Old 01-10-2006, 02:33 AM   #9
SmokeyTheBear
►SouthOfHeaven
Join Date: Jun 2004
Location: PlanetEarth
Posts: 28,609
Ouch, that sucks... seems strange it's in that directory.
Old 01-10-2006, 02:35 AM   #10
SmokeyTheBear
►SouthOfHeaven
Join Date: Jun 2004
Location: PlanetEarth
Posts: 28,609
Let them know this server was compromised in the same fashion:

http://www.stack.nl/~stefanvz/blog/i..._login-submit/
Old 01-10-2006, 02:36 AM   #11
SmokeyTheBear
►SouthOfHeaven
Join Date: Jun 2004
Location: PlanetEarth
Posts: 28,609
notice the directory there

stack.nl/~stefanvz/blog/images/secure/cgi.paypal.com/osCommerce/pub/webscr/cmd/_login-submit/
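A defender-side check suggested by the two kit paths in this thread, written as an added example (not code from any poster): it walks your own web root, reports directories whose names mimic another site's hostname or a bank/payment URL path (like the cgi.paypal.com/.../webscr/cmd/_login-submit directory above), and lists files not owned by the site account (like the root-owned files the original poster could not delete). The TLD list and the segment set are illustrative assumptions, not a vetted signature.

```python
import os
import re

# Added example, not code from any poster in this thread. Heuristics are modelled on the
# two kit paths posted above (.../blog/image.../rbunxcgi.html and
# .../images/secure/cgi.paypal.com/osCommerce/pub/webscr/cmd/_login-submit/).
# The TLD list and the segment set are illustrative assumptions, not a vetted signature.
HOST_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+(?:com|net|org|ca|de|nl|co\.uk)$", re.I)
URL_SEGMENTS = {"webscr", "_login-submit", "secure", "signin", "login", "cmd", "verify"}


def suspicious_dirs(webroot):
    """Web-root-relative directories whose path looks like a spoofed bank/payment URL.

    A component shaped like another site's hostname (cgi.paypal.com) is a hit on its own;
    URL-style segments count only when two or more appear together, so a plain /login/
    directory is not flagged. A matched subtree is pruned so the kit root is reported once."""
    hits = []
    for dirpath, dirnames, _ in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot)
        parts = [] if rel == "." else rel.split(os.sep)
        host_like = any(HOST_LIKE.match(p) for p in parts)
        url_like = sum(p.lower() in URL_SEGMENTS for p in parts) >= 2
        if host_like or url_like:
            hits.append(rel.replace(os.sep, "/"))
            dirnames[:] = []  # prune: do not list every nested child of the kit
    return sorted(hits)


def foreign_owned_files(webroot, site_uid):
    """Files under the site's tree whose owner is not the site account (e.g. root-owned drops
    that the site user cannot delete, as the original poster saw). Returns relative paths."""
    found = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.lstat(full).st_uid != site_uid:  # lstat: do not follow symlinks
                found.append(os.path.relpath(full, webroot).replace(os.sep, "/"))
    return sorted(found)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for d in suspicious_dirs(root):
        print("suspicious directory:", d)
    for f in foreign_owned_files(root, os.getuid()):  # assumes you run it as the site account
        print("not owned by site account:", f)
```

Both checks are heuristics: treat a hit as a prompt to inspect the directory and its ownership history, not as proof of compromise.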
Old 01-10-2006, 06:20 AM   #12
beta-tester
Rock 'n Roll Baby!
Join Date: Sep 2004
Location: USA, temporarily
Posts: 22,562
Hmm, interesting... anyone have an idea what this could be?
Old 01-11-2006, 09:18 AM   #13
Marshal
Biz Dev and SEO
Join Date: Jun 2005
Posts: 15,180
I think Blogger has some major problems! Where should I report this so the guys from Google can know?
Old 01-11-2006, 09:27 AM   #14
Marshal
Biz Dev and SEO
Join Date: Jun 2005
Posts: 15,180
Any idea what this should be?
Old 01-11-2006, 09:30 AM   #15
Ogix
Registered User
Join Date: Feb 2005
Location: Banned
Posts: 1,025
I had something like this shit when I downloaded a crack for Coffee Tycoon :D
if I correctly understood the problem...
Old 01-11-2006, 09:33 AM   #16
Marshal
Biz Dev and SEO
Join Date: Jun 2005
Posts: 15,180
No one has FTP access to my root directory. Blogger has its own FTP account on my host (it's hosted there). Apparently it is up to Blogger... ?! I have no idea at all...
Old 01-13-2006, 02:51 PM   #17
Marshal
Biz Dev and SEO
Join Date: Jun 2005
Posts: 15,180
I've sent a reply to that company (refer to post #1). They almost shut down the server where my domain is hosted. But once I replied to them, everything is ok now... still cannot figure out what has happened here... any opinion?