Blog for hpHosts, and whatever else I feel like writing about ....

Friday, 13 November 2009

IMPORTANT: WordPress 2.8.6 Security Release

WordPress have released a new version, folks. MAKE SURE YOU'RE KEEPING YOURS UP TO DATE!!!!

2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.


Read more
http://wordpress.org/development/2009/11/wordpress-2-8-6-security-release/

Download
http://wordpress.org/download/
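To show why the file-name issue matters, here is an added example (not WordPress's own code) of an upload-name sanitizer: Apache's mod_mime treats every dotted segment of a name as an extension, so on a server with a handler mapped to ".php" an upload stored as shell.php.jpg can be run as PHP. The sanitizer folds every intermediate extension into the base name so only one, allow-listed extension survives; the allow-list itself is a constructed assumption.

```python
"""Upload filename hardening against multiple-extension handling.

Added example, not WordPress code. Apache's mod_mime reads every dotted
segment as an extension, so with a handler bound to ".php" a file saved
as "shell.php.jpg" may execute as PHP. We keep only the final extension
(which must be allow-listed) and hyphenate the rest into the base name.
"""
import re
from typing import Optional

# Constructed allow-list: the extensions this hypothetical site accepts.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Path separators, shell metacharacters and control bytes never belong
# in a stored filename.
_BAD_CHARS = re.compile(r'[\\/:*?"<>|\x00-\x1f]')


def sanitize_upload_name(name: str) -> Optional[str]:
    """Return a safe filename, or None if the upload should be rejected."""
    name = _BAD_CHARS.sub("", name).strip(". ")
    if not name or "." not in name:
        return None
    parts = name.split(".")
    base, ext = parts[0], parts[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # Any intermediate segment ("php" in "shell.php.jpg") is folded into
    # the base with a hyphen, so the stored name has exactly one extension.
    for middle in parts[1:-1]:
        if middle:
            base += "-" + middle
    return f"{base}.{ext}" if base else None


if __name__ == "__main__":
    for sample in ("shell.php.jpg", "photo.JPG", "shell.php", "../../etc/passwd.png"):
        print(f"{sample!r:28} -> {sanitize_upload_name(sample)!r}")
```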

Warning: malwareabytes.com & hotpmail.com

Seems Malwarebytes have gotten themselves a fan, alongside the fans already out for MalwareDomainList et al. Just as with malwaredomainlist2.com (which now sporadically redirects via domains such as ask.com, by the way), this one is currently parked.

Referred to: whois.above.com
By: whois.internic.net

Registration Service Provided By: ABOVE.COM, INC.
Contact: +613.95897946

Domain Name: MALWAREABYTES.COM

Registrant:
Lu Lan
1187/28-601 Nam Natou road
Shanghai

200125
CN
lulan@hotpmail.com
Tel. +86.13671866757
Fax.

Creation date: 2009-11-11
Expiration Date: 2010-11-11

Domain servers in listed order:
ns1.mid-2.com
ns2.mid-2.com

Administrative Contact:
Lu Lan
1187/28-601 Nam Natou road
Shanghai

200125
CN
lulan@hotpmail.com
Tel. +86.13671866757
Fax.

Technical Contact:
Lu Lan
1187/28-601 Nam Natou road
Shanghai

200125
CN
lulan@hotpmail.com
Tel. +86.13671866757
Fax.

Billing Contact:
Lu Lan
1187/28-601 Nam Natou road
Shanghai

200125
CN
lulan@hotpmail.com
Tel. +86.13671866757


Yep, I noticed the "p" in hotpmail.com too, in the registrant's e-mail address. The site certainly isn't registered to Microsoft, nor hosted on a Microsoft-owned IP.

Referred to: whois.PublicDomainRegistry.com
By: whois.internic.net

Domainname: HOTPMAIL.COM
Creation date: 11-Dec-2008
Expiry date: 11-Dec-2014
Domain status: ACTIVE

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Administrative:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Technical:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Nameservers:
ns7.ns0.com
ns188.pair.com


It did, however, redirect to hotmail.com:

#       Result       Protocol       Host       URL       Body       Caching       Content-Type       Process       Comments       Custom
1       301       HTTP       hotpmail.com       /       0              text/html       avant:4476
2       302       HTTP       www.hotmail.com       /       314       no-cache Expires: -1       text/html; charset=utf-8       avant:4476
3       200       HTTP       login.live.com       /login.srf?wa=wsignin1.0&rpsnv=11&ct=1258135091&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=2057&id=64855&mkt=en-gb       2,306       no-cache Expires: Fri, 13 Nov 2009 17:57:14 GMT       text/html; charset=iso-8859-1       avant:4476
4       200       HTTP       login.live.com       /pp700/images/LiveID16nc.gif?1258135090920       388       no-cache        image/gif       avant:4476


A little research shows the chap that registered these domains also owns a few others.

... and I'm sure that if I spent more time looking, I could find a heck of a lot more, based on what I've seen thus far. Indeed, given that the URLs the above take you through are a lot like (and in some cases identical to) those malwaredomainlist2.com takes you to, coupled with the same registrar being involved, I don't think it's a stretch to say the same person is responsible for this one too.
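The two names in this post (malwareabytes.com, hotpmail.com) are each one character away from the brand they imitate, and the earlier malwaredomainlist2.com is one character from MalwareDomainList. An added example (not hpHosts or MalwareURL tooling) of flagging such near-miss registrations by edit distance against a brand list; both lists below are constructed from the names discussed here plus one control domain.

```python
"""Flag domains that sit one edit away from a brand you watch.

Added example, not part of the original post. Only the registrable
(second-level) label is compared, so "www.hotpmail.com" and
"hotpmail.com" are treated alike.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """'www.hotpmail.com' -> 'hotpmail' (second-level label only)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def find_lookalikes(candidates, brands, max_distance=1):
    """Return (candidate, matched_brand, distance) for near-miss names."""
    hits = []
    for cand in candidates:
        c = registrable_label(cand)
        for brand in brands:
            d = edit_distance(c, registrable_label(brand))
            if 0 < d <= max_distance:   # 0 would be the brand itself
                hits.append((cand, brand, d))
    return hits


# Constructed brand list and sample: the squats from this post plus a control.
BRANDS = ["malwarebytes.com", "hotmail.com", "malwaredomainlist.com"]
SAMPLE = ["malwareabytes.com", "hotpmail.com", "malwaredomainlist2.com", "example.org"]

if __name__ == "__main__":
    for cand, brand, d in find_lookalikes(SAMPLE, BRANDS):
        print(f"{cand} is {d} edit(s) from {brand}")
```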

Special thanks to Anthony at MalwareURL for informing me about malwareabytes.com.

Info: Network performance this weekend

Just a warning, folks. I've just received the following from PlusNet, which indicates that there's going to be an excessively high amount of traffic this coming weekend, with the potential for reduced performance for all of their customers, including those such as myself on the business package.

Service: Network Capacity (ADSL/20CN)
Posted: Fri, Nov 13 2009 at 17:27:13
Subject: Broadband Network Capacity (285660) - UPDATE

This is an update to the post we made a couple of days ago about the performance problems and speed issues that some customers have been experiencing during peak times when the network is busy.

We have seen an improvement in the performance of the network since carrying out some engineering work earlier in the week. Whilst feedback from customers seems more positive, we are aware that some of you are still experiencing problems with speed and network performance during the evenings.

There are still a number of unresolved problems that our engineers are working to fix and until this happens there will be the potential for things to slow down during peak hours, especially after 6.00pm.

We would like to make customers aware that there's a high possibility that the network will be *very* busy in the evening this coming Sunday and Monday. The BBC are streaming both Doctor Who and Top Gear in high definition and the ITV are also broadcasting I'm a Celebrity Get Me Out Of Here and The X Factor. Whilst this might sound trivial, the last series of Top Gear that was broadcast in Standard Definition saw iPlayer traffic on our network jump from a base of around 700Mbps to 1.3Gbps. We're fairly confident that iPlayer traffic will exceed 2Gbps this weekend and possibly reach an all time high of 3Gbps+

Because of the above we will be switching back to 'Plan B' operation on Sunday and Monday evening - http://www.plus.net/support/broadband/quality_broadband/load.shtml
This *will* result in degraded performance but should ensure that the quality of web browsing is not significantly affected. Some streaming services may be impacted by this dependent on the account type you are subscribed to.

We would like to extend our utmost thanks and appreciation to customers for their patience during these difficulties. We know it's not been pleasant for some of you however we'd like to assure you that we've been doing everything we can to address the issues.

Sorry once more for the continued inconvenience, we'll provide another update early next week.

Kind Regards,

Bob Pullen
Customer Support

Warning: BT (British Telecom) customers beware!

As if BT ripping you off by charging a fortune for calling people isn't enough (over £2 for under 3 mins to a US number!!!!), the phishers have come up with a little help for our dear BT management and shareholders, in the form of a phishing scam.

I was advised about this a little earlier (sorry folks, I was sleeping or I would've posted this earlier). I don't have the original headers for the e-mail, but needless to say, the following is about the size of it:

----- Original Message -----
From: BT Billing Support <mailto:ebilling@bt.com>
Sent: Wednesday, November 11, 2009 1:32 PM
Subject: BT Notification: Account Update Needed

BT <http://www.bt.com/>

Dear Customer,

This e-mail has been sent to you by BT to inform you that we were unable to process your most recent payment of bill. This might be due to either of the following reasons:

1. A recent change in your personal information. (eg: billing address, phone)
2. Submitting incorrect information during bill payment process.

Due to this, to ensure that your service is not interrupted, we request you to confirm and update your billing information today by clicking here. <http://rehobothbeachvacationde.com/upgrade/update>

If you have already confirmed your billing information then please disregard this message as we are processing the changes you have made.

Kind regards,

BT Total Broadband team

To ensure future emails from BT are delivered to your inbox and not treated as spam, please add emailsupport@btcomms.com to your address book.
This email was sent by planning-inc, an approved BT supplier, to you
from the domain btcomms.com because its content concerns one of your BT services.


Subscribe to BT emails <http://email.bt.com/keepinformed/?s_cid=con_email_marketing_KEEPINFORMED_FOOTERPROMO_SERVICE> | Log in to BT <https://www2.bt.com/btPortal/application?namespace=security&event=link.login&pageid=profile_centre&siteArea=con.pfc&type=overview&com.bea.event.type=linkclick&portletns=profilecentre> | Contact us <http://www.bt.com/contactus> | Privacy policy <http://www.bt.com/privacypolicy>


British Telecommunications plc. Registered office: 81 Newgate Street London EC1A 7AJ
Registered in England No. 1800000.


The URL in the e-mail, as you can see above, is:

rehobothbeachvacationde.com/upgrade/update

IP: 74.52.15.66
IP PTR: barracuda.websitewelcome.com
ASN: 21844 74.52.0.0/14 THEPLANET-AS - ThePlanet.com Internet Services, Inc.

Registrant:
S & A Services Inc.
1167 Old Wilmington Rd.
Hockessin, Delaware 19707
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: REHOBOTHBEACHVACATIONDE.COM
Created on: 01-Mar-08
Expires on: 01-Mar-10
Last Updated on: 06-Mar-09

Administrative Contact:
Carpenter, James green4spring@gmail.com
S & A Services Inc.
1167 Old Wilmington Rd.
Hockessin, Delaware 19707
United States
(302) 235-7322

Technical Contact:
Carpenter, James green4spring@gmail.com
S & A Services Inc.
1167 Old Wilmington Rd.
Hockessin, Delaware 19707
United States
(302) 235-7322

Domain servers in listed order:
NS245.WEBSITEWELCOME.COM
NS246.WEBSITEWELCOME.COM

WhoIs server: whois.godaddy.com


This redirects you to the following (see screenshot top left):

blonderhapsody.com/images/upgrade/https/bt.com/webscr/en-uk/secure/&i1bshowgif&UsingSSL&ru&pp&pa/Btinternet=userID12549JDk23/

IP: 69.65.3.130
IP PTR: server314.webhostingpad.com
ASN: 32181 69.65.0.0/18 ASN-ECOMD-COLOQUEST - GigeNET

Registration Service Provided By: Webhostingpad.com
Contact: dns@webhostingpad.com

Domain name: blonderhapsody.com

Registrant Contact:

DNS Admin (dns@webhostingpad.com)

Fax:
3655 Torrance Blvd
Torrance, CA 90503
US

Administrative Contact:
Webhostingpad.com
DNS Admin (dns@webhostingpad.com)
+1.8473429199
Fax:
5005 Newport Dr
Rolling Meadows, IL 60008
US

Technical Contact:
Webhostingpad.com
DNS Admin (dns@webhostingpad.com)
+1.8473429199
Fax:
5005 Newport Dr
Rolling Meadows, IL 60008
US

Status: Locked

Name Servers:
ns1.webhostingpad.com
ns2.webhostingpad.com

Creation date: 05 Jul 2009 12:20:07
Expiration date: 05 Jul 2010 12:20:07


After you've given them your username and password, you're then taken to:

blonderhapsody.com/images/upgrade/https/bt.com/webscr/en-uk/secure/&i1bshowgif&UsingSSL&ru&pp&pa/Btinternet=userID12549JDk23/confirm.php

Give them your credit card etc. details, and you're then taken to:


Which after a few seconds, redirects you to the real bt.com website.
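The lure above relies on a trusted name buried in the path (bt.com, "https", "secure") while the browser actually talks to blonderhapsody.com, and on a link host that has nothing to do with the claimed sender. An added example (not the blog's own tooling) of triaging a link for exactly those tells; the URLs are the ones quoted in this post, and the trusted-host list is a constructed assumption.

```python
"""Triage a link for the tricks used in the BT phish above.

Added example, not part of the original post. Checks: a trusted brand's
hostname used as a path segment, security-themed words in the path of an
untrusted host, and a link host that does not belong to the sender domain.
"""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed allow-list of hostnames the genuine BT mail and site use.
TRUSTED_HOSTS = ("bt.com", "www.bt.com", "btinternet.com")
LURE_WORDS = {"https", "secure", "webscr", "login", "signin"}

# URL quoted in the post (scheme-less, as written there).
PHISH_URL = ("blonderhapsody.com/images/upgrade/https/bt.com/webscr/en-uk/secure/"
             "&i1bshowgif&UsingSSL&ru&pp&pa/Btinternet=userID12549JDk23/")


def _split(url: str):
    """urlsplit that tolerates the scheme-less form the post quotes."""
    return urlsplit(url if "://" in url else "http://" + url)


def belongs_to(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phish_indicators(url: str, sender_domain: Optional[str] = None) -> List[str]:
    """Return human-readable reasons this link looks like a phish (empty = clean)."""
    parts = _split(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    findings = []
    if not any(belongs_to(host, t) for t in TRUSTED_HOSTS):
        # A brand hostname inside the path is decoration: the browser
        # only ever connects to `host`.
        for t in TRUSTED_HOSTS:
            if t in path:
                findings.append(f"trusted name {t!r} in path, but host is {host!r}")
                break
        segments = {s for s in path.split("/") if s}
        if segments & LURE_WORDS:
            findings.append("security-themed words in path of an untrusted host")
    if sender_domain and not belongs_to(host, sender_domain.lower()):
        findings.append(f"link host {host!r} does not match sender domain {sender_domain!r}")
    return findings


if __name__ == "__main__":
    for reason in phish_indicators(PHISH_URL, "bt.com"):
        print("-", reason)
```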

/update 16:35

I'm happy to report that Webhostingpad.com have gotten back to me and confirmed they've now taken down the phish at blonderhapsody.com.

Thursday, 12 November 2009

Crimeware friendly ISP's: EuroConnex

If you've been anywhere online lately, especially Google or the like, you'll no doubt have noticed or read about the blackhat SEO campaigns. One of the many ISPs involved, whether deliberately or otherwise, is EuroConnex. This ISP has an excessively large number of malicious domains currently present within their network.

One of the most recent I came across was actually whilst writing this, or rather, whilst considering writing this (I was deciding whether to write about EuroConnex or Ecatel; thought I'd leave Ecatel till next time). As you can see from the above screenshot, this is your typical fake scan page, which tells you your computer is so badly infected that you really really really need their "software" (don't worry, by the time they're finished, it will definitely be really really really infected). The site responsible for taking you there (and bear in mind, this is one of thousands) is:

www3.xsssuez.2y.net/seroundrth.html
IP: 94.76.205.176
IP PTR: 94-76-205-176.static.as29550.net
ASN: 29550 94.76.192.0/18 EUROCONNEX-AS Blueconnex Networks Ltd

This appeared in the Google results. It's worth noting, as with the vast majority of these, that it'll only work if you give it the correct referrer. Further, I had Flash and ActiveX disabled when clicking it (I'll load it on the test machine later), so you'll possibly see different results if you've got these enabled (you'll no doubt end up at the same resulting site, with the same infections). The site takes you to the following if you've got Flash/ActiveX disabled:


Clicking either of the "results" shown here results in you being taken to:

online-spyware-remover.com/secure1/?id=259b4c25aa08557e7c8892c5d64253db
IP: 78.129.166.11
IP PTR: bod11.i0waterford.net
ASN: 29131 78.129.128.0/17 RAPIDSWITCH-AS RapidSwitch Ltd

Side note: No, I'm not surprised to see RapidSwitch here either, but that's for another article.

Which then infects you courtesy of:

lisoft.eu/get.php?sc=1&id=259b4c25aa08557e7c8892c5d64253db
IP: 91.212.107.37
IP PTR: Resolution failed
ASN: 29550 91.212.107.0/24 EUROCONNEX-AS Blueconnex Networks Ltd

This downloads as win_protection_update.exe, which is 1.88MB of malicious goodness.

VirusTotal results
http://www.virustotal.com/analisis/5b98079b510d4b46a2850b972b20f2afed963cc22625373f9e767a5528ebbb02-1258058290

EuroConnex have, not surprisingly, been completely unresponsive, just like many others, and given the sheer amount on their network (over 500 recorded domains on 91.212.107.0/24 alone), I wouldn't be surprised to find they're directly involved (note this is only a suspicion, not fact).

I'm posting this article for two main reasons. First and foremost, because I'd like to see people blackholing the networks responsible for this rubbish until they "clean house", as it were; and secondly because I'd like to hope (yep, I know) that they'll finally take security and responsibility seriously, and boot those responsible for filling their networks with this rubbish, instead of focusing on lining their own pockets.