GhettoWebmaster.com

LoLo’s safe for work blog about Internet scams, deceptive marketing, spam, spyware, adware, and other asshatery.


27

Jan

Porn Site Hacked, 16K Emails Snatched, Epic Fail at PayPal Phishing Attempt

Posted by LoLo  Published in Hacking, Phishing, Porn, Spam

Friday morning I got an interesting email…

[Image: PayPal Phishing Email]

Looks like a typical phishing email, right? Sure. There were two things that got my attention though…

1. It got through Gmail’s spam filter.
2. The link went to PayPal’s real login page. WTF?

Usually, a phishing email will use the correct address as the anchor text of a spoof log-in page link. Simply mousing over such a link reveals the true link in your status bar though. So, it’s fairly easy even for a novice computer user to spot as BS.

Example:
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

Viewing the source code of the original email revealed an epic fail.

<a class="Style5 Style2"
onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run'; return true" onmouseout="window.status="" target="_blank" href="http://pimpyaho.com/functions/us/"> <font size=3D"2">https://www.paypal.com/cgi-bin/webscr?cmd=3D_login-run</font></a> </font>

The above shows that this retard was trying the old “use JavaScript to make the status bar display whatever you want” trick. Too bad for this idiot, modern email clients filter JavaScript. In both Gmail and Yahoo that code ended up looking like this:

<a href="http://pimpyaho.com/functions/us/" target="_blank"><font size="2"></font></a>
<font size="2"><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run" target="_blank">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>

[Image: Epic Fail]

So, the link ended up pointing to the real PayPal login. Epic fail, indeed.
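As an added example (not code from the original post), the check below flags the two tricks described above in a message's HTML: a link whose visible text names one host while its href points to another, and an onmouseover handler that rewrites window.status. The names LinkAuditor, host, audit and RAW_QP are assumptions, and the sample is constructed from the snippet quoted in the post.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkAuditor(HTMLParser):
    """Collect each <a>: its href, visible text, and any status-bar script."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            spoof = "window.status" in (a.get("onmouseover") or "")
            self._open = {"href": a.get("href") or "", "text": "", "status_js": spoof}
    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

def host(url):
    # Hostname of a URL-looking string; '' for ordinary anchor text.
    return (urlparse(url.strip()).hostname or "").lower()

def audit(html, quoted_printable=False):
    """Return findings for message HTML (optionally still QP-encoded)."""
    if quoted_printable:
        html = quopri.decodestring(html.encode()).decode("utf-8", "replace")
    parser = LinkAuditor()
    parser.feed(html)
    findings = []
    for link in parser.links:
        shown, real = host(link["text"]), host(link["href"])
        if shown and real and shown != real:
            findings.append(("text-href-mismatch", shown, real))
        if link["status_js"]:
            findings.append(("status-bar-script", real))
    return findings

# Constructed sample: the quoted anchor, still quoted-printable as in raw source.
RAW_QP = ('<a onmouseover=3D"window.status=3D\'https://www.paypal.com/cgi-bin/'
          'webscr?cmd=3D_login-run\'; return true" '
          'href=3D"http://pimpyaho.com/functions/us/">'
          'https://www.paypal.com/cgi-bin/webscr?cmd=3D_login-run</a>')

if __name__ == "__main__":
    print(audit(RAW_QP, quoted_printable=True))
```

Run against the raw message source this reports both findings; run against the HTML that Gmail and Yahoo rendered it reports nothing, because the script was stripped and the visible link's text and href agree.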

Digging further, I saw that the phishing page he intended to send people to was on a porn site. The site is part of a lucrative network owned by a guy whom I made an ad buy from in the past. His ad system requires a person to sign up as a regular member of his site before making a purchase. This explained how I ended up getting that email. His user database had obviously been compromised.

I posted some info about this mess on a forum he hangs out on to make sure he knew what was happening and to get more info.

Here’s the skinny:

1. Homeboy hired an outside company to develop a bespoke chat solution for one of the sites sitting on that server.

2. Said company was given shell access to speed up the delivery of the product, etc.

3. A shoutcast server magically began running on the server - pushing 25Mbit of bandwidth.
Side note: The files had been removed so there was no shoutcast config. Once shoutcast has been started, it doesn’t require its own files in Linux to continue to run, so they were obviously removed in an attempt to hide it.

4. “[After discovering / removing the phishing setup] the files popped back [within seconds]… I then shut down pimpyaho.com, so the site physically wasn’t running… still the files came back. This meant the user HAD to have some sort of shell access.”

5. “Have now sorted the breach and made sure it can’t happen again. I can tell you that they managed to get hold of around 16,000 email addresses, however the [other site’s user] database is up around 80k, so at least they didn’t get hold of that.”

Ouchness++


21

Apr

Online Jihad: Porn site hacked on Easter Sunday

Posted by LoLo  Published in Hacking, Porn

* Links which are not safe for viewing at work are marked as “NSFW” *

The gist:
My buddy Rudy runs one of the many porn site YouTube clones, xxxuploads.com (NSFW). On Easter Sunday he woke up to all sorts of fun. His two media servers had been hacked and over 7500 videos were deleted. The only things left on those subdomains were index pages entitled “STOP PORNO” with the message below and a Muslim Prayer Call video embedded from YouTube:

In the name of Allah, Most Gracious, Most Merciful

No big deal. He could surely just restore everything from his backups, right? Wrong. His admin set them up wrong, so nothing had ever been backed up. Well, couldn’t he just do a restore? Nopers, those boxes were set up with ext3 filesystems. So, he had to start from scratch and all the sites that have pre-hack videos embedded from his site are screwed.

How it was done:
The sysadmin went through the logs and there was no evidence of anyone logging in via SSH or anything like that. His best guess is that they gained FTP access via a proftpd exploit.



2

Apr

Delete Scat (Porn with Poo) from MySpace and they’ll delete you?

Posted by LoLo  Published in MySpace, Porn

Imagine this for a moment…

You’re on MySpace (cause that’s where all the fake profiles of hot chicks hang out) and upon entering a forum thread… BAM! You’re greeted by wall-to-wall hardcore scat that makes the infamous TubGirl picture look like a garden full of tulips. And, it’s not just posted in the thread - it’s covering your entire screen and the thread is hidden behind it. You click your back button and see another thread entitled “Don’t go into any of the threads right now - something is horribly wrong”. Naturally, you jump in there to see what in the hell is going on. In there, it’s explained that a script kiddie who’s part of a MySpace troll group is using some very basic CSS to overrun all the threads with that… crap. You click the reply button because you want to add your two cents about this lameness and… Double BAM! Instead of a field opening up to enter your reply, you’re on a web page outside of MySpace. This time you get your eyes filled by a flash loop of a transsexual getting banged up the poop chute while in reverse cowboy - giving you the oh-so-lovely view of his/her meat pistol (penis/dick/schlong/whatever) bouncing up and down. It wasn’t the infamous Meat Spin, but very similar in nature. This not-so-cute little trick was being achieved by overlaying the entire thread with a clear .gif and linking it to that outside page.



7

Feb

YouTube To Porn Industry: You’re Not Welcome Here, Clothed Or Otherwise

Posted by LoLo  Published in Porn, YouTube

*** This page is safe for viewing at work, but following any links on it will likely result in a truck load of boobies splashing across your monitor. ***

A few days back I was catching up on my web surfing when I stopped by the xFanz MySpace page. I wanted to see if they had posted any new videos to YouTube from the 2007 AEE (Adult Entertainment Expo) that went down between January 11th and 13th in Vegas. Well, when clicking on any of the YouTube vids on that page I got the “This video is no longer available” message.

At this point you might be thinking: “No shit Sherlock, of course YouTube deleted a bunch of obscene videos uploaded by some porn site. What did you expect?”

There’s a couple of problems with that train of thought though…

1. xFanz isn’t really a porn site. It’s a mix of adult entertainment news, social networking, porn movie reviews, and blogs. It’s a far cry from being safe for work, but in-your-face-boobage isn’t their thing. More info about them can be found in the xFanz Wikipedia article.

2. The videos they produce are anything but obscene. Thus far, they’ve all been little clips from conventions, interviews, behind the scenes on sets, etc. And, any of them that happen to have boobies in them don’t get posted to their YouTube channel.

Already knowing the above I was left thinking…



© Copyright 2006 - Present | All Rights Reserved by LoLo