Monday, April 14, 2008

sony gets hacked, i get spammed

so i'm sitting at work and i receive three e-mails from "LiLi_woman@gmail.com" with the subject "Hello!!!". well, my first impression, since they were received on an internally known address, is that they're spam. i opened them and they were all the same. they had a link labeled "More beautiful woman information" to some Asian website and, since Thunderbird picked up on it being spam, a blocked image. i was curious what this image was (it was quite large in size) so i viewed the message source: spoofed address from gmail and relayed through yahoo, looks like standard spammer junk ... ah! i found an image html tag that goes to (note: i split these into two lines so you could see the whole link):

http://219.84.167.230:8888/AD.png?
eid=my_email@domain.com&pid=gao


i copied the address into Firefox, and replaced my e-mail address with the address they spoofed. in my address bar, i entered:

http://219.84.167.230:8888/AD.png?
eid=LiLi_woman@gmail.com&pid=gao


i pressed enter. a blank image appeared on my screen. it instantly clicked in my head what they must be trying to do. they send you an e-mail; when you open it, your mail client connects to their server and requests this image, and that request hands them your e-mail address, confirming you are a real person. they are fishing for real people to spam.
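as an added example (this is not code from the original post), here's a small python script that does the same digging automatically: it parses a raw message source, pulls every `<img src>` out of the html parts and flags the ones whose query string carries an e-mail address, which is exactly the "are you a real person" trick described above. the sample message embedded in it is constructed; the beacon url in it mirrors the one quoted above, and the `eid`/`pid` parameter names are taken from that url.

```python
"""Find e-mail tracking beacons in a raw message source.

Added example, not from the original post. It walks every HTML part of a
message, collects <img> sources and flags the ones whose query string
smuggles an e-mail address back to the sender. The sample message below is
constructed; the IP:port and the eid/pid parameter names mirror the beacon
URL quoted in the post.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Loose "looks like an address" check; good enough to catch a leaked recipient.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class _ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag fed to it."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def image_sources(raw_message: str):
    """Return every <img src> found in the text/html parts of a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    srcs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _ImgCollector()
            collector.feed(part.get_content())
            srcs.extend(collector.srcs)
    return srcs


def find_beacons(raw_message: str):
    """Return (url, parameter, address) for each image whose query carries an e-mail address.

    parse_qsl URL-decodes the values, so "my_email%40domain.com" is caught too.
    """
    hits = []
    for src in image_sources(raw_message):
        for key, value in parse_qsl(urlsplit(src).query, keep_blank_values=True):
            if EMAIL_RE.match(value):
                hits.append((src, key, value))
    return hits


# Constructed sample: a multipart spam with a visible link, a harmless logo
# and a 1x1 beacon that leaks the recipient address in its query string.
SAMPLE = """From: LiLi_woman@gmail.com
To: my_email@domain.com
Subject: Hello!!!
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

More beautiful woman information: http://example.invalid/

--b1
Content-Type: text/html; charset=us-ascii

<html><body>
<a href="http://example.invalid/">More beautiful woman information</a>
<img src="http://example.invalid/logo.gif" width="200" height="50">
<img src="http://219.84.167.230:8888/AD.png?eid=my_email%40domain.com&amp;pid=gao" width="1" height="1">
</body></html>

--b1--
"""

if __name__ == "__main__":
    for url, key, addr in find_beacons(SAMPLE):
        print(f"beacon: {url}\n  leaks {addr} via parameter {key!r}")
```

run it directly and it prints the beacon url and the address it leaks; the logo image is ignored because its url carries no address. a mail client defends against this the same way Thunderbird did here: by not fetching remote images until you ask for them, so the request (and the confirmation it carries) never happens.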

i was curious if they were running apache or micro$oft's iis; i hacked off everything after the last whack:

http://219.84.167.230:8888/

damn! virtual directory listing denied. okay, let's request a document that probably doesn't exist.

http://219.84.167.230:8888/foobar

yes! and it looks like we get the standard iis 404 page not found error. i was still curious who owned this box that had obviously been hacked. i attempted to browse to just the ip address, but nobody was home. i did a reverse dns check on the ip address, which turned up nothing. in my last attempt to find out who this address belonged to, i did a whois and got something:

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 219.84.0.0 - 219.85.255.255
netname: SONET-NET
country: TW
descr: Sony Network Taiwan Limited
descr: 2Fl., Building E, No. 19-13, San Chung Road
descr: Taipei Taiwan 115
admin-c: JC417-AP
tech-c: CC115-AP
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20031125
mnt-by: MAINT-TW-TWNIC
source: APNIC


looks like our friends at Sony have been exploited, or are supporting it. well, i guess the moral of today's story is that a quitter never wins and never trust micro$oft.