An interesting problem


Post by Tsadkiel on Fri Mar 11, 2011 1:01 pm

Greetings all!

I have recently started receiving account confirmation emails from websites I have never visited. After changing my passwords I took a better look at them and noticed that one of the emails gave an IP address for the account's creator. Tracking the address leads to a location in Fort Lauderdale, Florida (I'm in Colorado). Street View shows that this particular end of town is primarily residential apartments and budget housing. An OS scan using nmap yields the following.

Starting Nmap 5.00 ( http://nmap.org ) at 2011-03-11 09:46 MST
Interesting ports on 64.38.217.37:
Not shown: 975 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
111/tcp   open     rpcbind
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
443/tcp   open     https
445/tcp   filtered microsoft-ds
513/tcp   open     login
514/tcp   open     shell
898/tcp   open     sun-manageconsole
4045/tcp  open     lockd
5666/tcp  open     nrpe
5987/tcp  open     unknown
5988/tcp  open     unknown
7100/tcp  open     font-service
9090/tcp  open     zeus-admin
32771/tcp open     sometimes-rpc5
32772/tcp open     sometimes-rpc7
32773/tcp open     sometimes-rpc9
32774/tcp open     sometimes-rpc11
32775/tcp open     sometimes-rpc13
32781/tcp open     unknown
32782/tcp open     unknown
32783/tcp open     unknown
Device type: general purpose
Running: Sun Solaris 9|10
OS details: Sun Solaris 9 or 10
Network Distance: 10 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.76 seconds

The fact that the OS is a version of Solaris makes me think that it probably isn't a personal machine, but rather a server or router of some kind (maybe something managing the connections in one of the local apartments).

The HTTP and HTTPS ports error out through Zeus Technologies when accessed from the address bar of a browser. The management console isn't available (port 898). The Zeus admin requires a username and password.

Based on the nature of the account names and passwords created, I suspect that it's a bot of some kind. Ideally I would like to inform the owner of the system that they need to check the machine for malicious software. This requires getting access to the machine itself and finding some kind of information therein that would pinpoint its exact location. Thoughts?
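Added example (not part of the original thread): a small parser for the Nmap "normal" output pasted above, plus a triage pass over what it exposes. Two caveats a reviewer would want before drawing conclusions from that scan: without -sV the SERVICE column is a lookup in nmap-services by port number, not the result of probing the service, and the OS line is a fingerprint guess. The scan text is embedded verbatim so the script runs offline; the reasons attached to each port are this example's own choices, not something the thread states.

```python
import re

# Constructed input: the Nmap 5.00 scan from the post, embedded so the script
# runs offline. Column spacing is irrelevant; the regexes use \s+.
SCAN_TEXT = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2011-03-11 09:46 MST
Interesting ports on 64.38.217.37:
Not shown: 975 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
111/tcp   open     rpcbind
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
443/tcp   open     https
445/tcp   filtered microsoft-ds
513/tcp   open     login
514/tcp   open     shell
898/tcp   open     sun-manageconsole
4045/tcp  open     lockd
5666/tcp  open     nrpe
5987/tcp  open     unknown
5988/tcp  open     unknown
7100/tcp  open     font-service
9090/tcp  open     zeus-admin
32771/tcp open     sometimes-rpc5
32772/tcp open     sometimes-rpc7
32773/tcp open     sometimes-rpc9
32774/tcp open     sometimes-rpc11
32775/tcp open     sometimes-rpc13
32781/tcp open     unknown
32782/tcp open     unknown
32783/tcp open     unknown
Device type: general purpose
Running: Sun Solaris 9|10
OS details: Sun Solaris 9 or 10
Network Distance: 10 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.76 seconds
"""

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[a-z|]+)\s+(?P<service>\S+)"
)


def parse_nmap(text):
    """Parse Nmap 'normal' output into host, port rows, hidden-port count, OS, hops."""
    scan = {"host": None, "ports": [], "not_shown": 0, "os": None, "hops": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Interesting ports on (\S+):", line)
        if m:
            scan["host"] = m.group(1)
            continue
        m = re.match(r"Not shown: (\d+) (\w+) ports", line)
        if m:
            scan["not_shown"] = int(m.group(1))
            continue
        m = PORT_LINE.match(line)
        if m:
            scan["ports"].append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),  # table lookup, not a version probe
            })
            continue
        m = re.match(r"OS details: (.+)", line)
        if m:
            scan["os"] = m.group(1)
            continue
        m = re.match(r"Network Distance: (\d+) hops?", line)
        if m:
            scan["hops"] = int(m.group(1))
    return scan


# Ports whose mere Internet exposure is worth a finding. 513/514 and 7100 are
# standard assignments; the admin-UI entries follow what this scan labels them.
LEGACY_CLEARTEXT = {513: "rlogin", 514: "rsh"}   # host-trust auth, no encryption
ADMIN_UI = {898: "Sun Management Console", 9090: "Zeus admin interface"}


def triage(scan):
    """Return (port, reason) findings for open services a reviewer should query."""
    findings = []
    for p in scan["ports"]:
        if p["state"] != "open":
            continue
        port, svc = p["port"], p["service"]
        if port in LEGACY_CLEARTEXT:
            findings.append((port, f"{LEGACY_CLEARTEXT[port]} exposed: cleartext, host-trust auth"))
        elif port == 111 or svc == "lockd" or svc.startswith("sometimes-rpc"):
            findings.append((port, f"ONC RPC service ({svc}) reachable from the Internet"))
        elif port in ADMIN_UI:
            findings.append((port, f"{ADMIN_UI[port]} reachable from the Internet"))
        elif port == 7100:
            findings.append((port, "X font service exposed"))
    return findings


def summarize(scan):
    """Count port states, folding the 'Not shown' closed ports back in."""
    counts = {}
    for p in scan["ports"]:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    counts["closed"] = counts.get("closed", 0) + scan["not_shown"]
    return counts


if __name__ == "__main__":
    s = parse_nmap(SCAN_TEXT)
    print(s["host"], "|", s["os"], "|", summarize(s))
    for port, why in triage(s):
        print(f"  {port:>5}/tcp  {why}")
```

The "filtered" rows (25, 135, 139, 445) mean the probe got no answer, typically because something upstream drops those ports, which is consistent with the poster's guess that this is a managed server rather than a desktop; it does not by itself say anything about whether the host is the machine that filled in the signup form, since the recorded address could equally be a NAT gateway or proxy in front of it.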


Re: An interesting problem

Post by RevengeDriven on Sun Mar 27, 2011 3:21 pm

I would be checking my own machine. If you are receiving email notifications for joining websites that you have never joined, it sounds like somebody is using your IP as a bot machine or you have a trojan running on it. I wouldn't be concerned with notifying anyone that supposedly created an account on my behalf.


Re: An interesting problem

Post by insomaniacal on Sun Mar 27, 2011 7:34 pm

RevengeDriven wrote: If you are receiving email notifications for joining websites that you have never joined, it sounds like somebody is using your IP as a bot machine or you have a trojan running on it.

Wut? Emails aren't mapped to IPs at all, meaning that someone simply entered your email when they tried to sign up. This might be a random guy trying to use a fake email address to sign up, or someone who has access to your account. Changing your password should be enough to take care of the problem. If he got your password by using a trojan, then make sure you run a scan and upgrade all your software to the latest version.


Re: An interesting problem

Post by RevengeDriven on Mon Mar 28, 2011 11:55 am

insomaniacal wrote:
    RevengeDriven wrote: If you are receiving email notifications for joining websites that you have never joined, it sounds like somebody is using your IP as a bot machine or you have a trojan running on it.

    Wut? Emails aren't mapped to IPs at all, meaning that someone simply entered your email when they tried to sign up. This might be a random guy trying to use a fake email address to sign up, or someone who has access to your account. Changing your password should be enough to take care of the problem. If he got your password by using a trojan, then make sure you run a scan and upgrade all your software to the latest version.


Depending on what ISP he has, his email accounts are most definitely linked to his IP. I have a cable connection and have had the same IP for almost a year. When I send out emails, that same IP is linked to my email account and can be discovered by viewing the headers of the email, of course.

I was alluding to the fact that the OP may have something that is joining sites on his behalf, which may have originated from his email or from something running on his computer. If it's happening multiple times, as the OP says, I doubt it's a simple 'mistake' by someone typing in the wrong email or a fake email. Somewhere, someone got his email. Now it could be just that someone found it on a forum and decided to have some malicious fun, OR someone has hacked into his computer and gotten his email account that way, OR possibly he has a keylogger running on it.

That is why I said not to worry about contacting the guy whose (most likely bogus) information appears in one of the emails.
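Added example (not from the thread, and not a claim about the poster's actual mail). The two replies above disagree about what an email's headers reveal; the practical question is which Received line you can believe. Each MTA that handles a message prepends its own Received header, so the top lines were stamped by the recipient's provider and the bottom lines by whoever handed the message in, and a sender can write any Received lines they like before that hand-off. The walk below stops at the first hop not stamped by a trusted domain and reports the address that connected to it. The message, hostnames and addresses are constructed (documentation ranges), and the trusted-domain argument is this example's own convention.

```python
import re
from email import message_from_string

# Constructed sample message. Only the two top Received lines were stamped by the
# recipient's provider (example-isp.net); the two lowest are the kind a sender
# can fabricate before handing the message to a relay.
RAW_MESSAGE = """\
Received: from mx.example-isp.net (mx.example-isp.net [192.0.2.10])
    by inbound.example-isp.net with ESMTP id abc123
    for <op@example-isp.net>; Fri, 11 Mar 2011 08:30:01 -0700
Received: from webmail.example.org (unknown [203.0.113.45])
    by mx.example-isp.net with ESMTP id xyz789;
    Fri, 11 Mar 2011 08:30:00 -0700
Received: from localhost (localhost [127.0.0.1])
    by webmail.example.org with ESMTP id fake001;
    Fri, 11 Mar 2011 08:29:58 -0700
Received: from totally-legit.example (totally-legit.example [198.51.100.7])
    by webmail.example.org with SMTP; Fri, 11 Mar 2011 08:29:57 -0700
From: signup@example.org
To: op@example-isp.net
Subject: Confirm your account

Thanks for registering.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into the claimed 'from' host, its bracketed
    IP as seen by the receiving MTA, and the 'by' host that stamped the line."""
    parts = re.split(r"\s+by\s+", value, maxsplit=1)
    from_part = parts[0]
    by_host = parts[1].split()[0].rstrip(";,") if len(parts) == 2 else None
    m = re.match(r"\s*from\s+(\S+)", from_part)
    ip = IP_RE.search(from_part)
    return {
        "from": m.group(1) if m else None,
        "ip": ip.group(1) if ip else None,
        "by": by_host,
    }


def received_chain(raw):
    """Received headers top-down, i.e. most recent hop first."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def originating_ip(raw, trusted_domain):
    """Walk the chain while the stamping MTA belongs to trusted_domain and return
    the IP that connected to the last trusted hop. Anything below that boundary
    is sender-controlled text and is deliberately ignored."""
    def trusted(host):
        return host is not None and (
            host == trusted_domain or host.endswith("." + trusted_domain)
        )

    candidate = None
    for hop in received_chain(raw):
        if not trusted(hop["by"]):
            break                      # stamped by someone we do not trust
        if hop["ip"]:
            candidate = hop["ip"]
        if not trusted(hop["from"]):
            break                      # this hop crossed the trust boundary
    return candidate


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print(f"by {hop['by']:<25} from {hop['from']:<25} [{hop['ip']}]")
    print("originating IP:", originating_ip(RAW_MESSAGE, "example-isp.net"))
```

Run against the sample this reports 203.0.113.45, not the 198.51.100.7 in the bottom line, because that line was stamped by a host outside the trusted domain. Note also what this does and does not apply to: an account confirmation email is sent by the website's own mail system, so its Received headers trace the website's outbound path; an IP the site prints in the body (as in the original post) is whatever the site logged at signup time, and its reliability depends on the site, not on the mail headers.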


