11.11
On a honeypot system, a hacker/spammer/phisher downloaded a .tgz file and tried to install a phishing site for Absa Internet Banking.
Nicely, he generates a log file of all users who visit the phishing site:
// Append one line per visitor to log.txt ($ip, $date, $url and $agent are set earlier in the kit)
$fp = fopen("log.txt", "a");
fputs($fp, "IP: $ip - DATE: $date - [URL: $url] | [Agent: $agent] \n");
fclose($fp);
When the log file grows beyond 200000 bytes, he sends it to a Gmail account.
But the really interesting part is that the phishing archive also contains a .htaccess file which blocks a lot of IPs, such as Google, Tor servers from the CCC and other networks.
Here is the complete .htaccess file:
order allow,deny
deny from 173.254.216.69
deny from 173.254
deny from 196.214.84.44
deny from 196.210
deny from 174.93.39.58
deny from 74.120.12.140
deny from 41.162.7
deny from 74.3.165.39
deny from 85.250.100.210
deny from 83.222
deny from 168.142.192.43
deny from 80.237.226.75
deny from 220.225
deny from 89.160.83.61
deny from 89.145.108
deny from 74.120.13.132
deny from 46.4.118.254
deny from 93.172.68.165
deny from 93.172
deny from 109.186.49.23
deny from 109.186
deny from 91.199.104
deny from 193.200
deny from 69.202
deny from 50.97
deny from 86.35
deny from 69.163
deny from 196.33
deny from 109.67
deny from 109.163
deny from 150.70
deny from 63.251
deny from 184.107
deny from 173.255
deny from 178.217.184
deny from 184.154.169
deny from 149.20
deny from 212.143
deny from 62.213
deny from 173.204
deny from 176.32.64.173
deny from 99.190
deny from 67.78
deny from 209.85.224.93
deny from 109.66
deny from 65.49
deny from 79.182
deny from 79.178
deny from 85.13.235.26
deny from 77.247
deny from 199.48
deny from 79.176
deny from 84.110
deny from 219.117
deny from 217.128
deny from 87.249.110
deny from 109.65
deny from 94.172
deny from 209.85
deny from 74.125
deny from 176.67
deny from 66.249
deny from 199.19
deny from 66.150
deny from 64.125
deny from 64.90
deny from 128.232
deny from 169.202
allow from all
The timestamps of the .htaccess file from the .tgz are:
Size: 1330 Blocks: 16 IO Block: 4096 regular file
Device: 901h/2305d Inode: 12162162 Links: 1
Access: (0666/-rw-rw-rw-) Uid: (xxxxx/ UNKNOWN) Gid: ( 99/ nobody)
Access: 2012-11-11 20:16:12.000000000 +0100
Modify: 2012-08-16 07:40:30.000000000 +0200
Change: 2012-11-11 20:16:12.000000000 +0100
When Google's IPs cannot access the phishing site, it does not get reported to Safe Browsing or Google Alerts, and other security companies do not find it automatically.
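To check which crawler or scanner addresses such a kit would turn away, here is a small evaluator for the Apache 2.2 `order` / `deny from` / `allow from` directives used above, written as an added example (it is not code from the kit or from blocklist.de). The embedded .htaccess text is a constructed subset of the file quoted above, and the test addresses are made up; paste the full file into `HTACCESS` to check your own scanner ranges.

```python
import ipaddress
from typing import List, Tuple

# Constructed excerpt of the kit's .htaccess (the full file is quoted in the post).
HTACCESS = """order allow,deny
deny from 66.249
deny from 74.125
deny from 209.85.224.93
deny from 173.254
allow from all
"""


def parse_htaccess(text: str) -> Tuple[str, List[str], List[str]]:
    """Return (order, deny_patterns, allow_patterns) from Apache 2.2 access directives."""
    order, deny, allow = "allow,deny", [], []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif directive in ("deny", "allow") and len(parts) >= 3 and parts[1].lower() == "from":
            (deny if directive == "deny" else allow).extend(parts[2:])
    return order, deny, allow


def matches(pattern: str, ip: str) -> bool:
    """Apache 'from' matching: 'all', a CIDR, or a full/partial dotted address."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    # A partial address such as "66.249" matches the leading octets exactly
    # (octet by octet, so "173.25" does not match 173.254.x.x).
    return ip.split(".")[: pattern.count(".") + 1] == pattern.split(".")


def is_blocked(ip: str, htaccess: str = HTACCESS) -> bool:
    """Apply Apache 2.2 'order' semantics to decide whether the visitor is rejected."""
    order, deny, allow = parse_htaccess(htaccess)
    denied = any(matches(p, ip) for p in deny)
    allowed = any(matches(p, ip) for p in allow)
    if order == "allow,deny":
        # Allow is evaluated first and must match; any Deny match then overrides it.
        return denied or not allowed
    # "deny,allow": Deny is evaluated first; an Allow match overrides it; default is allow.
    return denied and not allowed


def blocked_scanners(ips: List[str], htaccess: str = HTACCESS) -> List[str]:
    """Return the subset of scanner/crawler addresses the kit would turn away."""
    return [ip for ip in ips if is_blocked(ip, htaccess)]
```

Any address in the returned list never sees the phishing page, so a crawler or scanner operating from it cannot flag the site; comparing the list against your own source ranges shows whether your scanning is being evaded by such a kit.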
The log.txt from the .tgz archive contains a lot of entries, and on all sites he uses the directory name "netservice":
IP: 105.xxx.xxx.xxx - DATE: Monday 05 November 11:04:04 - [URL: /wp-content/plugins/nospamnx/netservice/form.php] | [Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)]
IP: 161.xxx.xxx.xxx - DATE: Monday 05 November 15:31:28 - [URL: /wp-content/plugins/nospamnx/netservice/index.php] | [Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.40607)]
The drop boxes are on Google and Hotmail. I reported it to MSN and Gmail, but I think that MSN will shut down the e-mail account earlier than Google (I think Google does nothing...).
Ask us for the files...
[UPDATE 17.11.2012 20:27 +0100]
We found a new .htaccess file with more IP ranges:
https://blog.blocklist.de/2012/11/17/new-htaccess-to-block-security-ips-and-bots-from-phishing-sites-founded/