IrishMASMS (irishmasms) wrote in olug,
PHPNuke Exploit Fixed


A small exploit in PHPNuke allowed a number of email messages to be sent coming from 'webmaster@olug.org' or 'root@olug.org' advertising an executable (EXE) program, freesms.exe.
The exploit in PHPNuke was found and fixed.

Network Associates tags freesms.exe as Spyware. Please delete the message. If you did click on it and install it, please make sure you use a spyware removal tool to seek out and get rid of it.
OLUG does not send .exe or links to .exe programs (especially Windows programs).

Jon Larsen
Technical and Hardware Officer
OLUG



So, a little SQL injection has OLUG.org as a spam relay passing out some WinDoz spyware this afternoon.

Here is my SpamCop LART:


Parsing header:

Received: from rly-nc01.mx.aol.com (rly-nc01.mail.aol.com [172.18.151.198]) by air-nc01.mail.aol.com (v98.19) with ESMTP id MAILINNC12-821740969cea1a1; Mon, 03 May 2004 15:26:34 -0500
172.18.151.198 found
host 172.18.151.198 (getting name) no name
172.18.151.198 discarded

Received: from olug.org (olug.org [216.40.17.98]) by rly-nc01.mx.aol.com (v98.5) with ESMTP id MAILRELAYINNC12-66040969ce429f; Mon, 03 May 2004 15:26:28 -0400
216.40.17.98 found
host 216.40.17.98 (getting name) = olug.org.
host olug.org (checking ip) = 216.40.17.98
Possible spammer: 216.40.17.98
216.40.17.98 is an MX for olug.org
216.40.17.98 is mx
Received line accepted

Received: (qmail 4722 invoked by uid 65534); 3 May 2004 19:26:16 -0000
Removed 'by' from uid
Received: (qmail 4722 invoked (uid 65534)); 3 May 2004 19:26:16 -0000
no from
Ignored

Tracking message source: 216.40.17.98:
Routing details for 216.40.17.98
[refresh/show] Cached whois for 216.40.17.98 : noc@novia.net
Using abuse net on noc@novia.net
No abuse net record for novia.net
Using default postmaster contacts postmaster@novia.net
216.40.17.98 not listed in dnsbl.njabl.org
216.40.17.98 not listed in dnsbl.njabl.org
216.40.17.98 not listed in cbl.abuseat.org
216.40.17.98 not listed in dnsbl.sorbs.net
216.40.17.98 not listed in relays.ordb.org.
216.40.17.98 not listed in query.bondedsender.org
216.40.17.98 not listed in iadb.isipp.com

Finding links in message body
Parsing text part

Resolving link obfuscation
http://sky.prohosting.com/deccode/freesms.exe
host 65.113.119.149 = mp3.dns-solutions.net (cached)

Tracking link: http://sky.prohosting.com/deccode/freesms.exe
Resolves to 65.113.119.149

Tracking ip 65.113.119.149
Routing details for 65.113.119.149
[refresh/show] Cached whois for 65.113.119.149 : noc@prohosting.com
Using abuse net on noc@prohosting.com
abuse net prohosting.com = abuse@prohosting.com
Using best contacts abuse@prohosting.com


Re: http://sky.prohosting.com/deccode/freesms.exe (Administrator of network hosting website referenced in spam)
To: abuse@prohosting.com (Notes)


So, prohosting is a hacker & spammer host - bastards!
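As an added example (not part of the original post, and not SpamCop's own code), here is a small Python tracer that walks the Received headers quoted above the way SpamCop does: it discards hops whose peer address is private (the 172.18.x hop inside AOL), takes the first public peer (216.40.17.98) as the apparent source, and notes that the hop below it is a from-less qmail local injection, meaning the mail was generated on olug.org itself rather than relayed through it. The three headers are embedded as constructed sample input.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the three Received headers from the SpamCop
# trace above, newest hop first, in the order they appear in the message.
RECEIVED = [
    "from rly-nc01.mx.aol.com (rly-nc01.mail.aol.com [172.18.151.198]) "
    "by air-nc01.mail.aol.com (v98.19) with ESMTP id MAILINNC12-821740969cea1a1; "
    "Mon, 03 May 2004 15:26:34 -0500",
    "from olug.org (olug.org [216.40.17.98]) by rly-nc01.mx.aol.com (v98.5) "
    "with ESMTP id MAILRELAYINNC12-66040969ce429f; Mon, 03 May 2004 15:26:28 -0400",
    "(qmail 4722 invoked by uid 65534); 3 May 2004 19:26:16 -0000",
]

# "from <helo> (<rdns> [<ip>]) by <host> ..." as written by sendmail-style MTAs.
FROM_HOP = re.compile(r"^from\s+(\S+)\s+\(([^\s\[]+)\s*\[([\d.]+)\]\)\s+by\s+(\S+)")


def parse_hop(line):
    """Return (helo, rdns, ip, by) for a relay hop, or None for a local
    injection such as qmail's '(qmail N invoked by uid U)' with no 'from'."""
    m = FROM_HOP.match(line.strip())
    return m.groups() if m else None


def trace_source(received):
    """Walk the Received chain newest-first; return (source_ip, local_origin).

    Hops whose peer address is private or loopback are discarded, as they
    belong to the receiving mail system (SpamCop's '172.18.151.198 discarded').
    The first public peer is the apparent source. local_origin is True when
    the hop directly below it carries no 'from', i.e. the message was
    submitted locally on that host rather than relayed through it.
    """
    for i, line in enumerate(received):
        hop = parse_hop(line)
        if hop is None:
            continue  # from-less line: nothing to attribute to a peer
        ip = ip_address(hop[2])
        if ip.is_private or ip.is_loopback:
            continue  # internal hop of the receiving system
        nxt = received[i + 1] if i + 1 < len(received) else None
        local_origin = nxt is not None and parse_hop(nxt) is None
        return str(ip), local_origin
    return None, False


if __name__ == "__main__":
    print(trace_source(RECEIVED))  # ('216.40.17.98', True)
```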