[LINK] Fwd: Tsunami Danger - Spoof
Rick Welykochy
rick at praxis.com.au
Fri Dec 3 16:46:08 EST 2004
Grant Malcolm wrote:
> Hi Linda
>
> On Fri, 3 Dec 2004, Linda Rouse wrote:
>
>>Have any other Linkers received the Tsunami Warning alert enclosed
>>below (no attachment and the html isn't too bad ) ?
>
>
> http://www.auscert.org.au/render.html?it=4587
>
> The site installs a trojan if you're running unpatched Internet Explorer.
I've checked out a few of the dangerous hosts, including
tsunamidanger.com
danger-tsunami.com
tsunwatch.net
and they take forever to download.
Might I conclude the scam is working quite well? It appears the sites
are being slashdotted as I write this, which doesn't augur too well
for those viewing the site with MS IE :(
BTW: one of the sites (http://waveplanet.org/) has had its home
page removed, possibly as a first line of defense against this attack.
Which is quite interesting since it reveals the contents of the
underlying directory. One very interesting log file looks like
it records the details of all the victims who have fallen prey to
the scam.
Sample from http://waveplanet.org/iplog.txt ....
001102051510:0:0:0:0:tsunami-mkjldkkg:000000003:7:12:26:40:202.146.241.9:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
001102051731:0:0:0:0:tsunami-eflmoema:000000005:10:16:28:40:210.80.194.98:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
001102048200:0:0:0:0:tsunami-aqokkmko:000000002:-8:15:29:27:220.244.224.169:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
001102052275:0:0:0:0:tsunami-qoomkopk:000000005:-5:00:38:16:66.130.254.94:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
001102045934:0:0:0:0:tsunami-hcaddqak:000000000:5:08:50:09:66.185.84.68:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
001102049788:0:0:0:0:tsunami-bkdiakjo:000000000:10:14:56:08:203.84.64.99:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
001102047789:0:0:0:0:tsunami-daifjflf:000000000:10:15:22:56:203.206.244.1:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
001102051468:0:0:0:0:tsunami-logfoqib:000000002:10:16:26:13:61.8.16.194:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
001102051540:0:0:0:0:tsunami-klgipakk:000000003:10:16:13:02:165.228.241.5:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
Could those be ip addresses in there? Ohmadgawd!
cheers
rickw
--
_________________________________
Rick Welykochy || Praxis Services
Small numbers of extremists, who have executed a single successful project
on American soil, have encouraged American society to eat itself.
-- Roger Clarke