Topic: Amiga.org's servers compromised? (Read 1919 times)


Offline dcr8520

Amiga.org's servers compromised?
« on: November 19, 2012, 09:33:07 PM »
Hello,

I've just received the following e-mail, which suggests that the amiga.org servers have been compromised in some way. Be aware that the links to amiga.org's sub-domains are valid and point to malicious (i.e., virus/trojan) resources being loaded.

Code:
Received: from [5.46.157.196] (port=19728 helo=digitalinsight.com)
    by gator745.hostgator.com with esmtp (Exim 4.80)
    (envelope-from <no-reply@gmq.com>)
    id 1TaV6f-0002uS-Ra
    for dcr8520(); Mon, 19 Nov 2012 11:26:02 -0600
Received: from MAIL12.amiga.org (10.0.0.37) by amiga.org (10.0.0.50) with Microsoft SMTP id F94PRWEB; Mon, 19 Nov 2012 19:26:00 +0200
Received: from MAIL07.amiga.org (10.146.1.172) by smtp.amiga.org
 (10.0.0.29) with Microsoft SMTP id CQG7P4L0; Mon, 19 Nov 2012 19:26:00 +0200
MIME-Version: 1.0
Date: Mon, 19 Nov 2012 19:26:00 +0200
From: Administrator <administrator@amiga.org>
Reply-To: Administrator <administrator@amiga.org>
Subject: To All Employee's -  Important Address UPDATE
Message-ID: <3L95HXIYT6KSSN1X4IQ2I1J87S6K.9576141795.3@amiga.org>
x-xerox-mail-id: XGVXASD2P7A4U6KT2W4ZWS2W2184
Content-Type: multipart/mixed; name="winmail.dat";
    boundary="----=_Part_36532_6452686739.1204164909895"
Content-Transfer-Encoding: binary
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -6
X-MS-TNEF-Correlator: <DEHNX25SQ3Z167ADCNZE@MAIL1.amiga.org>
X-MS-Exchange-Organization-AuthSource: MAIL9.amiga.org
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 00
X-Originating-IP: [192.168.9.18]
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-Spam-Status: No, score=1.3
X-Spam-Score: 13
X-Spam-Bar: +
X-Spam-Flag: NO
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator745.hostgator.com
X-AntiAbuse: Original Domain - amiga.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - gmq.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (digitalinsight.com) [5.46.157.196]:19728
X-Source-Auth:
X-Email-Count: 0
X-Spam-Score: 1.0 (+)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
 See http://spamassassin.org/tag/ for more details.
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
  1.0 HTML_MESSAGE           BODY: HTML included in message
X-Headers-End: 1TaWcb-0004nU-5a

------=_Part_36532_6452686739.1204164909895
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=windows-1252

To All Employee's:The end of the year is approaching and we want to ensur=
e every employee receives their W-8 to the correct address.Verify that th=
e address is correct - https://local.amiga.org/details.aspx?id=3D33226640=
87 If changes need to be made, contact HR at https://hr.amiga.org/update.=
aspx?id=3D3322664087. Administrator,http://amiga.org

------=_Part_36532_6452686739.1204164909895
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=3Dwindows-1252

<html>
<body>
<p class=3D"MsoNormal">To All Employee's:</p>
The end of the year is approaching and we want to ensure every employee r=
eceives their W-8 to the correct address.<br />
Verify that the address is correct - <a href=3D"http://ingventures.com/vo=
uchsafes/index.html">https://local.amiga.org/details.aspx?id=3D3322664087=
 </a><br />
If changes need to be made, contact HR at <a href=3D"http://ingventures.c=
om/vouchsafes/index.html">https://hr.amiga.org/update.aspx?id=3D332266408=
7</a>.<br />
<br />
&nbsp;Administrator,<br />
<a href=3D"http://ingventures.com/vouchsafes/index.html">http://amiga.org=
</a>
</body>
</html>

------=_Part_36532_6452686739.1204164909895--
« Last Edit: November 20, 2012, 03:59:31 AM by dcr8520 »
 

Offline jorkany

Re: Amiga.org's servers compromised?
« Reply #1 on: November 19, 2012, 09:40:18 PM »
Looks like an open mail relay, not necessarily a sign that anything was "compromised". The relay needs to be secured though.
 

Offline LoadWB

Re: Amiga.org's servers compromised?
« Reply #2 on: November 20, 2012, 01:48:34 AM »
Quote from: jorkany;715768
Looks like an open mail relay, not necessarily a sign that anything was "compromised". The relay needs to be secured though.

Actually, it's not an open relay.  Here's the key header:

   Received: from [5.46.157.196] (port=19728 helo=digitalinsight.com)
    by gator745.hostgator.com with esmtp (Exim 4.80)
    (envelope-from )
    id 1TaV6f-0002uS-Ra
    for dcr8520(scrubbed his email)

The server accepted email for an amiga.org email address, which it is supposed to do.  This is a phishing expedition.  Notice the plain-text part has "amiga.org" links, but in the part which would be rendered by the email client the links are most definitely not amiga.org.

As for the email addresses it purports to be from, that's all just data.

The original SMTP transaction went something like this:

Quote
helo digitalinsight.com
mail from:
rcpt to:
data
Received: from MAIL12.amiga.org (10.0.0.37) by amiga.org (10.0.0.50) with Microsoft SMTP id F94PRWEB; Mon, 19 Nov 2012 19:26:00 +0200
Received: from MAIL07.amiga.org (10.146.1.172) by smtp.amiga.org
 (10.0.0.29) with Microsoft SMTP id CQG7P4L0; Mon, 19 Nov 2012 19:26:00 +0200
MIME-Version: 1.0
Date: Mon, 19 Nov 2012 19:26:00 +0200
From: Administrator
Reply-To: Administrator
Subject: To All Employee's -  Important Address UPDATE
(and so on...)

Notice that it most likely included faked Received: headers to throw off tracking, as it did me initially: I had a kitten distracting me and making me forget the first/second/third rule(s) of whatever: headers can lie.

This is the real source of the email, from which the hostgator server dutifully accepted an email with an @amiga.org destination:

Quote
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '5.46.0.0 - 5.46.255.255'

inetnum:        5.46.0.0 - 5.46.255.255
netname:        AVEA
descr:          AVEA Iletisim Hizmetleri A.S.
country:        TR
admin-c:        Aa3018-RIPE
tech-c:         Aa3018-RIPE
status:         ASSIGNED PA
mnt-by:         AVEA-MNT
source:         RIPE # Filtered

role:           AVEA admin
address:        Avea Iletisim Hizmetleri A.S.
address:        Abdi Ipekçi Cad. No.75 Maçka / Istanbul
phone:          +902124601500
fax-no:         +902164606802
admin-c:        AA3018-RIPE
tech-c:         AA3018-RIPE
nic-hdl:        Aa3018-RIPE
remarks:        ************************************************************************
remarks:        Please report abuse incidents ONLY to < avea_abuse_contact@avea.com.tr >
remarks:        ************************************************************************
mnt-by:         AVEA-MNT
source:         RIPE # Filtered

% Information related to '5.46.0.0/15AS20978'

route:          5.46.0.0/15
descr:          Avea Iletisim Hizmetleri A.S.
origin:         AS20978
mnt-lower:      AVEA-MNT
mnt-routes:     AVEA-MNT
mnt-by:         AVEA-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.42 (WHOIS3)
« Last Edit: November 20, 2012, 01:58:18 AM by LoadWB »
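The two checks LoadWB walks through above, trusting only the topmost Received: header (the one your own MX wrote) and comparing the link text shown in the HTML part with where the href really points, can be automated. The script below is an added example written for this thread, not code from any poster; the message it parses is constructed to mirror the structure of the quoted e-mail, with placeholder hosts (example.org, attacker.invalid, 192.0.2.10) standing in for the real ones.

```python
"""Triage a suspected phishing e-mail: find the real connecting IP from the
topmost Received: header and flag links whose visible text is a URL on a
different host than the href target (as in the HTML part quoted above)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the thread's message; hosts, ids and
# addresses are placeholders, not the original bytes.
SAMPLE = b"""Received: from [192.0.2.10] (port=19728 helo=example-helo.invalid)
    by mx.example.net with esmtp (Exim 4.80)
    id 1AAAAA-000000-AA
    for victim@example.org; Mon, 19 Nov 2012 11:26:02 -0600
Received: from MAIL12.example.org (10.0.0.37) by example.org (10.0.0.50)
    with Microsoft SMTP id FAKE1; Mon, 19 Nov 2012 19:26:00 +0200
From: Administrator <administrator@example.org>
Subject: Important Address UPDATE
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XXBOUND"

--XXBOUND
Content-Type: text/plain; charset=us-ascii

Verify your address - https://hr.example.org/update.aspx?id=1

--XXBOUND
Content-Type: text/html; charset=us-ascii

<html><body>
Verify your address - <a href="http://attacker.invalid/phish/index.html">https://hr.example.org/update.aspx?id=1</a>
</body></html>

--XXBOUND--
"""

# Matches the client address Exim writes as "from [1.2.3.4] (...)".
RECEIVED_IP = re.compile(r"from\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def connecting_ip(msg):
    """Client IP from the topmost Received: header, i.e. the one our own MX
    added. Every Received: line below it arrived inside the DATA and may be
    forged ("headers can lie")."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(str(received[0]))
    return m.group(1) if m else None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(msg):
    """(href, visible_text) pairs where the visible text is itself a URL
    whose host differs from the host the href actually points to."""
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    collector = _LinkCollector()
    collector.feed(html_part.get_content())
    out = []
    for href, text in collector.links:
        shown, real = urlparse(text), urlparse(href)
        if shown.scheme in ("http", "https") and shown.hostname != real.hostname:
            out.append((href, text))
    return out


def analyse(raw):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "connecting_ip": connecting_ip(msg),
        "sender_supplied_received": len(msg.get_all("Received") or []) - 1,
        "deceptive_links": deceptive_links(msg),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The count of sender-supplied Received: lines is reported rather than their content on purpose: once the first hop is known, the hostnames and private addresses in the remaining lines are, as LoadWB says, just data. Feed a real message in as bytes (for example the output of a mail client's "view source") to triage it the same way.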
 

Offline SysAdmin

Re: Amiga.org's servers compromised?
« Reply #3 on: November 20, 2012, 07:30:27 AM »
I checked and found no problems on Amiga.org servers. Perhaps Karlos could do a double check.
Posts on this account before August 4th, 2012 don't belong to me.
 

Offline Zac67

Re: Amiga.org's servers compromised?
« Reply #4 on: November 20, 2012, 07:35:19 AM »
5.46.157.196 is located in Turkey. Everything but the topmost Received header is very likely just forged. If amiga.org had an SPF entry, forging wouldn't be that easy...
« Last Edit: November 20, 2012, 07:27:15 PM by Zac67 »
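Zac67's point is that a receiving MX can act on SPF: if the domain in the envelope-from publishes which addresses may send for it, a connection from an address like 5.46.157.196 that the record does not list gets a fail and can be rejected. The evaluator below is an added example for this thread, not from any poster or from a real SPF library; it handles only ip4/ip6 mechanisms and the all qualifier (a, mx, include and redirect need DNS and are reported as unsupported), and the record it checks against is constructed with documentation-range addresses. Note that the SPF_HELO_PASS line in the quoted headers concerns the spammer's own HELO name, not amiga.org.

```python
"""Minimal offline SPF evaluator: decide whether a connecting IP is
authorised by a domain's SPF record (ip4/ip6 mechanisms and 'all' only)."""
import ipaddress

# Constructed record for the example; a real one is a TXT record on the
# envelope-from domain, e.g. "v=spf1 ip4:<mx-range> -all".
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return 'pass', 'fail', 'softfail' or 'neutral' for client_ip against
    record; 'none' if there is no valid record, 'permerror' for a mechanism
    this evaluator cannot resolve without DNS."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            # a, mx, include, exists, redirect= require DNS lookups.
            return "permerror"
    # RFC 7208: no mechanism matched and no 'all' term present.
    return "neutral"


def should_reject(record, client_ip):
    """Policy a receiving MX might apply: reject on a hard fail only; a
    softfail is typically tagged for the spam filter instead."""
    return evaluate_spf(record, client_ip) == "fail"


if __name__ == "__main__":
    # The Turkish address from the thread against the constructed record.
    for ip in ("5.46.157.196", "203.0.113.7", "2001:db8:1::5"):
        print(ip, evaluate_spf(EXAMPLE_SPF, ip), "reject" if should_reject(EXAMPLE_SPF, ip) else "accept")
```

SPF is checked against the envelope-from domain (gmq.com in the quoted headers) and, separately, the HELO name; a forged From: header on its own is not covered, which is why SPF is usually paired with DKIM and a DMARC policy that ties the From: domain to those checks.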
 

Offline dcr8520

Re: Amiga.org's servers compromised?
« Reply #5 on: November 20, 2012, 05:25:08 PM »
Quote from: SysAdmin;715836
I checked and found no problems on Amiga.org servers. Perhaps Karlos could do a double check.

Didn't look close enough; I thought there were sub-domains being created, but in the HTML part of the email (where I clicked) they don't really point to *.amiga.org once clicked.

Sorry for the false alarm.