View Full Version : please update your computer

07-16-2004, 10:55 AM
I just did THOUSANDS of people a favor this morning, and they'll never even know it...

After it was reported to me I quickly tracked down a "storage" site on a server in our data center where everything from Yahoo usernames and passwords were stored all the way up to PayPal accounts, credit card numbers, and online banking accounts...this automated system was a call back for a recent Internet Explorer key logging exploit...basically you get the virus, it logs your keystrokes even on SECURE sites, then relays them back to this "database"...no it won't track IM convos or other normal text stuff, it's built for one reason: to get your private information on login/account pages.

I ripped the site to another server before informing the owner of the server to remove it now...odds are from the way it looks the server was hacked and this data collection software was put on it, not to mention the FBI and Homeland Security now know about it since it was traced to someone in Russia who started it. But anyway the database of info this thing captured was a 15 MB text file....I was looking through it just to see how much shit it actually got and 10% of the way through the file I had enough info to leave the country and live bigtime rich for the rest of my life...so as a word of warning run Windows Update at least once a week and get some kinda virus software on your PC...I also don't want to hear any "Macs are better" talk because I can show you cute little ways to exploit them as well...you want to call yourself secure? then unplug your computer...this is simply a word of warning to ALL of you...you see the pretty colors and the funny smilies and I see all the shit that goes on behind all that...it's scary even to me and I see it every day...

Below is a small clip of what the data looks like. I've edited it with fake info (duh) but you can get the idea:

############################## - 24.90.XXX.XXX- May 25 2004 12:47:41 - ######
PayPal - U.S. Postal Service Shipping Label Completed - Microsoft Internet Explorer
URL - https://www.paypal.com/us/cgi-bin/webscr?__track=_flow:p/ship/usps-confirm
PayPal - My Account - Microsoft Internet Explorer
URL - https://www.paypal.com/us/cgi-bin/webscr?cmd=_account
PayPal - PayPal Website Payments Details - Microsoft Internet Explorer
URL - https://www.paypal.com/us/cgi-bin/webscr?cmd=_history-details
############################## - 66.81.XXX.XXX - May 25 2004 12:51:50 - ######
WWE EuroShop - Shopping Basket - Microsoft Internet Explorer
URL - https://wweeuroshop.com/cart.asp
############################## - 66.199.XXX.XXX- May 25 2004 12:52:06 - ######
Welcome to MSN.com - Microsoft Internet Explorer provided by BellSouth
URL - www.so
SouthTrust Bank - Personal Banking - Microsoft Internet Explorer provided by BellSouth
URL - https://www.southtrust.com/st/PersonalBanking
Account Summary - Microsoft Internet Explorer provided by BellSouth
URL - https://southtrustonlinebanking.com/retail/frames/masterframe_banking.asp
Check Image - Microsoft Internet Explorer provided by BellSouth
URL - https://southtrustonlinebanking.com/retail/Transaction_Search/CheckImage.asp
############################## - 68.65.XXX.XXX - May 25 2004 13:02:51 - ######
Virginia Tech WebMail - Microsoft Internet Explorer
URL - https://webmail.vt.edu/
XXXXXXX's New-Mail Messages - Microsoft Internet Explorer
URL - https://webmail.vt.edu/MBX/XXXXXX/ID=XXXXXX
Electronic Pay Stub - Message - Microsoft Internet Explorer
URL - https://webmail.vt.edu/MBX/XXXXXX/ID=XXXXXX/MSG:1
Virginia Tech Information Gateway Login - Microsoft Internet Explorer
URL - https://banweb.banner.vt.edu/pls/bprod/XXXXXX.P_WWWLogin
Main Menu - Microsoft Internet Explorer
URL - https://banweb.banner.vt.edu/pls/bprod/XXXXXX.P_GenMenu?name=bmenu.P_MainMnu
############################## - 4.155.XXX.XXX- May 25 2004 14:28:37 - ######
Welcome to Home Banking - Microsoft Internet Explorer provided by Compaq
URL - https://www.towerfcu.org/onlineserv/HB/Signon.cgi
Welcome to Tower Federal Credit Union's Internet Account Access - Microsoft Internet Explorer provided by Compaq
URL - https://www.towerfcu.org/onlineserv/HB/HomeBanking.cgi
https://www.towerfcu.org/onlineserv/HB/ - Microsoft Internet Explorer provided by Compaq
URL - https://www.towerfcu.org/onlineserv/HB/
Welcome to Home Banking - Microsoft Internet Explorer provided by Compaq
URL - https://www.towerfcu.org/onlineserv/HB/Signon.cgi
PayPal - Welcome - Microsoft Internet Explorer provided by Compaq
URL - https://www.paypal.com/
PayPal - Processing Login - Microsoft Internet Explorer provided by Compaq
URL - https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-processing
############################## - 209.79.XXX.XXX - May 25 2004 14:36:06 - ######
Bank of America | Online Banking | Sign In to Online Banking - Microsoft Internet Explorer
URL - https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller?state=CA
Bank of America | Online Banking | Accounts Overview - Microsoft Internet Explorer
URL - https://onlinewest.bankofamerica.com/cgi-bin/ias/XXXXXXXXXXXXXXXXXXXXXXX9oIQy71068/1/bofa/ibd/IAS/presentation/GotoWelcome
Bank of America | Online Banking | Account Activity Print - Microsoft Internet Explorer
URL - https://onlinewest.bankofamerica.com/cgi-bin/ias/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9oIQy71068/2/bofa/ibd/IAS/presentation/PreVCNSelectControl?function=2
Bank Of America Online Banking - Microsoft Internet Explorer
URL - https://onlinewest.bankofamerica.com/cgi-bin/ias/XXXXXXXXXXXXXXXXXXXXXXXXXXX9oIQy71068/5/bofa/ibd/IAS/presentation/OnlineStatementControl?action=2
############################## - 216.64.XXX.XXX - May 25 2004 14:38:15 - ######
U.S. Bank Internet Banking - Microsoft Internet Explorer
URL - https://www4.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage
############################## - 24.90.XXX.XXX- May 25 2004 14:39:08 - ######
USPS - Print Shipping Labels - Microsoft Internet Explorer
URL - https://sss-web.usps.com/ds/jsps/ds_landing.jsp
USPS - The U.S. Postal Service Sign In Page - Microsoft Internet Explorer
URL - https://ecap21.usps.com/cgi-bin/ecapbv/scripts/login.jsp?app=GSS
############################## - 24.15.XXX.XXX - May 25 2004 14:58:10 - ######
Scottrade Login - Microsoft Internet Explorer
URL - https://www15.scottsave.com/login.asp
Welcome to Scottrade - Online Trading With A Personal Touch ™ - Microsoft Internet Explorer
URL - https://www15.scottsave.com/GWwwRoot/Scottsave.asp
https://www15.scottsave.com/GWwwRoot/LogoutChangeAccounts/Logout.asp - Microsoft Internet Explorer
URL - https://www15.scottsave.com/GWwwRoot/LogoutChangeAccounts/Logout.asp
Scottrade Login - Microsoft Internet Explorer
URL - https://www15.scottsave.com/Login.asp?s=logout
TheStreet.com's Action Alerts PLUS by Jim Cramer - Microsoft Internet Explorer
URL - https://secure2.thestreet.com/cap/login/aap_bridge_high.jsp?PID=XXXX-0001
############################## - 63.204.XXX.XXX - May 25 2004 14:58:17 - ######
############################## - 66.57.XXX.XXX - May 25 2004 15:00:13 - ######
Army Knowledge Online - Microsoft Internet Explorer
URL - https://www.us.army.mil/XXXXXX/XXXXXXX/community.jhtml?cpid=49
https://www.us.army.mil/XXXXXX/XXXXX/aartsdisplay2.jhtml?_DARGS=/portal/XXXXXX/aartsdisplay.jhtm - Microsoft Internet Explorer
URL - https://www.us.army.mil/XXXX/jhtml/aartsdisplay2.jhtml?_DARGS=/XXXXXXX/jhtml/aartsdisplay.jhtml
Army Knowledge Online - Microsoft Internet Explorer
URL - https://www.us.army.mil/XXXXXXXX/jhtml/community.jhtml?cpid=46
https://www.XXXXXXX.army.pentagon.mil/ - Microsoft Internet Explorer
URL - https://www.XXXXXXXXX.army.pentagon.mil/ (https://XXXXXXXX.atrrs.army.pentagon.mil/)
Army Personnel Education Training History - Microsoft Internet Explorer
URL - https://www.XXXXXXX.army.pentagon.mil/
Army Personnel Education Training History - Military Training - Microsoft Internet Explorer
URL - https://www.XXXXXX.army.pentagon.mil/miltng.asp
ATRRS Course Catalog Search Results - Microsoft Internet Explorer
URL - https://www.XXXXXXXX.army.mil/atrrscc/course.asp?FY=2004
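An added example, not from the poster or this thread: a small parser for the capture-file layout shown in the clip (an IP/date header per victim session, then window-title and "URL - " lines), which groups the entries per victim and lists which sites were exposed per IP, the triage a responder needs before notifying the affected banks and mail providers. It assumes the real file uses CRLF line endings (the ^M in the clip) and the same header/URL line shapes; the sample is constructed with masked IPs and no real victim data.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

SAMPLE = (  # constructed, in the layout of the posted clip (masked IPs, no real victim data)
    "############################## - 24.90.XXX.XXX- May 25 2004 12:47:41 - ######\r\n"
    "PayPal - My Account - Microsoft Internet Explorer\r\n"
    "URL - https://www.paypal.com/us/cgi-bin/webscr?cmd=_account\r\n"
    "############################## - 66.199.XXX.XXX- May 25 2004 12:52:06 - ######\r\n"
    "Welcome to MSN.com - Microsoft Internet Explorer provided by BellSouth\r\n"
    "URL - www.so\r\n"
    "SouthTrust Bank - Personal Banking - Microsoft Internet Explorer provided by BellSouth\r\n"
    "URL - https://www.southtrust.com/st/PersonalBanking\r\n"
    "############################## - 63.204.XXX.XXX - May 25 2004 14:58:17 - ######\r\n"
)
# Session header: hashes, victim IP (sometimes glued to the dash), timestamp, hashes.
HEADER = re.compile(
    r"^#+\s*-\s*(?P<ip>\S+?)\s*-\s*"
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d\d:\d\d:\d\d)\s*-\s*#+$"
)
IE_SUFFIX = " - Microsoft Internet Explorer"  # every window title ends with this tag

def parse_capture_log(text):
    """Split the capture file into per-victim sessions: {ip, time, pages=[(title, url)]}."""
    sessions, title = [], ""
    for raw in text.splitlines():
        line = raw.strip()           # drops the CR that shows up as ^M in the clip
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            sessions.append({"ip": m["ip"], "pages": [],
                             "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")})
            title = ""
        elif line.startswith("URL - "):
            if sessions:             # a URL line belongs to the most recent session
                sessions[-1]["pages"].append((title, line[len("URL - "):]))
            title = ""
        else:
            title = line.split(IE_SUFFIX)[0]   # keep the page title, drop the browser tag
    return sessions

def affected_hosts(sessions):
    """Map each site seen in the captures to the victim IPs that visited it (notification list)."""
    hosts = {}
    for s in sessions:
        for _title, url in s["pages"]:
            if not url.startswith(("http://", "https://")):
                continue             # half-typed entries such as "www.so" carry no host
            hosts.setdefault(urlsplit(url).hostname, set()).add(s["ip"])
    return {h: sorted(ips) for h, ips in hosts.items()}
```

A session with a header but no pages (the 63.204 entry in the clip) parses to an empty page list rather than being dropped, so the victim count stays honest.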

07-16-2004, 11:28 AM
pretty freaky man.

07-17-2004, 05:33 PM
:ohnoes: :ohnoes9:
Thanks for the warning Hax!

07-17-2004, 10:42 PM
The sad part to all this is that this stuff goes on all the time, it just happens that this was one of the bigger, more notable things I've found...ironically I found on our records when the FBI was hanging out with us last month this was one of the same servers they were interested in.

I took over the server last night after the owner failed to do anything about removing the site, so I changed the password, got in, and got all the files together that looked to be of interest and I uploaded about half a gig to another server. So now I have a copy of the software that was doing this and the server is offline. I'm going to pick it apart when I have time and try to reverse engineer it into something useful to play with.