Page 1 of 2
Results 1 to 40 of 47

Thread: Odd scam alert

  1. #1
    Join Date
    Jul 2007
    Location
    Tech Belt
    Posts
    7,802

    Odd scam alert

    I've noticed a rather odd "copyright infringement" notice in my inbox today and the headers pretty much gave it away.

    Code:
    Return-path: <[email protected]>
    Envelope-to: <<snip>>
    Delivery-date: Fri, 27 May 2011 13:07:37 -0400
    Received: from s01.gt-networks.be ([94.103.146.92])
        (envelope-from <[email protected]>)
        id 1QQ0Vb-0003BG-Bp
        for <<snip>>; Fri, 27 May 2011 13:07:37 -0400
    Received: from apache by s01.gt-networks.be with local (Exim 4.76)
        (envelope-from <[email protected]>)
        id 1QQ0VZ-0006P0-1z
        for <<snip>>; Fri, 27 May 2011 19:07:33 +0200
    To: <<snip>>
    Subject: Cease and desist copyright infrigement!
    X-PHP-Script: adv-roebbenvelkeneers.be/ad/sendme.php for 82.195.232.218
    From: Andrew Webber - Arizonakey.com <[email protected]>
    Reply-To: 
    MIME-Version: 1.0
    Content-Type: text/plain
    Content-Transfer-Encoding: 8bit
    Message-Id: <[email protected]>
    Date: Fri, 27 May 2011 19:07:33 +0200
    Dear Sir,

    Attached is a list of the copyrighted material you are infriging on.
    We are the proprietors of all copyrighted material that is being fringed upon on your companies webste.
    We have reserved all rights regarding these trademarked files.
    Permission was neither asked nor granted to reproduce our copyrighted material, therefore what your company is doing constitutes infringement of our rights. In terms of the Copyright Statutes, we are entitled to an injunction against your continued infringement, as well as to recover damages from you for the loss we have suffered as a result of your infringing conduct.

    In the circumstances, we demand that you immediately:

    1. remove all infringing content and notify us in writing that you have done so;

    2. pay a licensing fee in the amount of 160,000 USD;

    3. immediately cease the use and distribution of copyrighted material;

    We await to hear from you by.

    This is written without prejudice to our rights, all of which are hereby expressly reserved.

    Yours faithfully,
    CEO Andrew Webber
    www.arizonakey.com
    If you see such e-mail, disregard it / throw it away.
    #---.#---###### | Host Mist LLC - Helping People Say Hello World™
    #---.#---#--#--# || Shared, Reseller, Master Reseller, VPS, Dedicated
    ####---#--#--# }| Featuring multiple locations across the US & Germany.
    #---#---#--#--# #| Connecting the world through web hosting.

  2. #2
    Thanks for the heads up!

  3. #3
    We received the same email earlier too.

    Edit: just received it again, only with an added attachment, as they forgot to add it the first time.

  4. #4
    Join Date
    Mar 2009
    Location
    NL
    Posts
    571
    Same here. Attachment doesn't work (only a PDF image) with OpenOffice.
    YISP - High Bandwidth dedicated servers and colocation in YISP-AS(Amsterdam)!

    Website: http://www.yisp.com
    Contact: info "(AT)" yisp.com

  5. #5
    Join Date
    Jan 2008
    Location
    Jax, FL
    Posts
    2,707
    Yeah, I received it as well... But to my personal email account that is not published anywhere o.O

  6. #6
    Join Date
    May 2006
    Location
    NJ, USA
    Posts
    6,456
    Quote Originally Posted by MattS View Post
    I've noticed a rather odd "copyright infringement" notice in my inbox today and the headers pretty much gave it away.

    Code:
    Return-path: <[email protected]>
    Envelope-to: <<snip>>
    Delivery-date: Fri, 27 May 2011 13:07:37 -0400
    Received: from s01.gt-networks.be ([94.103.146.92])
        (envelope-from <[email protected]>)
        id 1QQ0Vb-0003BG-Bp
        for <<snip>>; Fri, 27 May 2011 13:07:37 -0400
    Received: from apache by s01.gt-networks.be with local (Exim 4.76)
        (envelope-from <[email protected]>)
        id 1QQ0VZ-0006P0-1z
        for <<snip>>; Fri, 27 May 2011 19:07:33 +0200
    To: <<snip>>
    Subject: Cease and desist copyright infrigement!
    X-PHP-Script: adv-roebbenvelkeneers.be/ad/sendme.php for 82.195.232.218
    From: Andrew Webber - Arizonakey.com <[email protected]>
    Reply-To: 
    MIME-Version: 1.0
    Content-Type: text/plain
    Content-Transfer-Encoding: 8bit
    Message-Id: <[email protected]>
    Date: Fri, 27 May 2011 19:07:33 +0200
    If you see such e-mail, disregard it / throw it away.
    I got them too. Weird.
    simplywww: directadmin and cpanel hosting that will rock your socks
    Need some work done in a datacenter in the NYC area? NYC Remote Hands can do it.

    Follow my "deals" Twitter for hardware specials.. @dougysdeals

  7. #7
    Join Date
    Jan 2002
    Location
    UK
    Posts
    1,034
    You guys have DirectAdmin by any chance?

    The email list DB was hacked 2 days back.

    I also got the email on 2 email accounts, one of them private, the other not private but also not used for things like registrations.
    Chris Collins
    Hostingfreak.net
    Directadmin Hosting in europe
    www.hostingfreak.net

  8. #8
    We got it too - first time without attachment. Second one with an attached 'Document.doc' which has an embedded exe disguised to look like a pdf. Bad spelling, mistakes etc, obviously a scam. I have alerted the arizonakey.com website.
    * www.valuevps.co.uk - Quality VPS's at affordable prices, UK and USA
    * Full and part cabinets - Dedicated Servers - Colocation - cPanel Hosting - Windows VPS - DirectAdmin Hosting - Reseller Accounts

  9. #9
    Join Date
    Jan 2002
    Location
    UK
    Posts
    1,034
    Incidentally, both MSE and NOD32 say there is no malware, but I am going to submit the file regardless.

  10. #10
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    11,868
    Got the same too, and I do have an account with DA.
    Shared Web Hosting - Reseller Hosting - Semi-Dedicated Servers - SolusVM/XEN VPS
    LiteSpeed Powered - R1Soft Continuous Data Protection - 24/7 Chat/Email/Helpdesk Support
    Cpanel/WHM - Softaculous - R1soft Backup - Litespeed - Cloudlinux -Site Builder- SSH support - Account Migration
    DowntownHost LLC - In Business since 2001- West/Center/East USA - Netherlands - Singapore

  11. #11
    Join Date
    May 2006
    Location
    NJ, USA
    Posts
    6,456
    Quote Originally Posted by Chrysalis View Post
    You guys have DirectAdmin by any chance?

    The email list DB was hacked 2 days back.

    I also got the email on 2 email accounts, one of them private, the other not private but also not used for things like registrations.
    I do indeed have a DirectAdmin account. Tsk tsk..

  12. #12
    Quote Originally Posted by Jedito View Post
    I do have an account with DA.
    So do I...

  13. #13
    Join Date
    Jan 2010
    Location
    San Francisco
    Posts
    1,799
    Quote Originally Posted by Chrysalis View Post
    You guys have DirectAdmin by any chance?

    The email list DB was hacked 2 days back.

    I also got the email on 2 email accounts, one of them private, the other not private but also not used for things like registrations.
    Yep, I have a DA account. It's most likely the same attacker. These emails were sent to 3 of my addresses and DA is the only place I've used all 3 to communicate with in the past.

    Crafty to use a subject that most web hosts would care about -- copyright infringing files on our servers.

  14. #14
    Join Date
    May 2006
    Location
    NJ, USA
    Posts
    6,456
    Quote Originally Posted by WickedFactor View Post
    Yep, I have a DA account. It's most likely the same attacker. These emails were sent to 3 of my addresses and DA is the only place I've used all 3 to communicate with in the past.

    Crafty to use a subject that most web hosts would care about -- copyright infringing files on our servers.
    I opened the email + attachment on my phone for lols..

    It's just a 2 year old BlackBerry, I could use a new phone anyway

  15. #15
    Join Date
    Mar 2002
    Location
    Mobile, AL USA
    Posts
    325
    I just got it too. Pretty sure this is from DirectAdmin hack from yesterday. This sucks.
    Nik Martin
    nfina Technologies, Inc.
    +1.251.243.0043 x1003
    Server Hardware, Storage, and Turnkey systems for Service Providers

  16. #16
    Join Date
    Jan 2010
    Location
    San Francisco
    Posts
    1,799
    Thanks Dougy for informing DA of this thread. Was just about to do the same.

  17. #17
    Join Date
    Jan 2002
    Location
    UK
    Posts
    1,034
    Yeah, I think it's DA related since you're all confirming.

    Both my email addresses, I guess, are on there; one definitely is, will need to check the other.

  18. #18
    Join Date
    Mar 2002
    Location
    Mobile, AL USA
    Posts
    325
    Oh, this may be VERY BAD:

    Looking at the mail headers, there is this:

    adv-roebbenvelkeneers.be/ad/sendme.php

    That site, adv-roebbenvelkeneers.be,
    is a DirectAdmin site. The hackers may have compromised WAAAAY more than we thought.

  19. #19
    Join Date
    May 2006
    Location
    NJ, USA
    Posts
    6,456
    Quote Originally Posted by ServerCorps View Post
    Oh, this may be VERY BAD:

    Looking at the mail headers, there is this:

    adv-roebbenvelkeneers.be/ad/sendme.php

    That site, adv-roebbenvelkeneers.be,
    is a DirectAdmin site. The hackers may have compromised WAAAAY more than we thought.
    That could also just as equally be FUD.

  20. #20
    Join Date
    Jan 2010
    Location
    San Francisco
    Posts
    1,799
    I could be wrong, but wouldn't that indicate an insecure php mailer script that was being used to relay? I don't think that domain being hosted on a DA server means that DA itself was compromised.

  21. #21
    Join Date
    Jan 2010
    Location
    San Francisco
    Posts
    1,799
    Different header on the later email w/ attachment:

    Return-Path: <[email protected]>
    Delivered-To: <snip>
    Received: (qmail 18076 invoked by uid 0); 27 May 2011 18:34:17 -0000
    Received: from bbdns1.dnsx1.com.au (69.50.198.190)
    by <snip> with (DHE-RSA-AES256-SHA encrypted) SMTP; 27 May 2011 18:34:16 -0000
    Received: from localhost ([127.0.0.1]:42045 helo=bbdns1.dnsx1.com.au)
    by bbdns1.dnsx1.com.au with esmtp (Exim 4.69)
    (envelope-from <[email protected]>)
    id 1QQ1rT-0006j3-3y
    for <snip>; Sat, 28 May 2011 04:34:15 +1000
    Content-Type: multipart/mixed; boundary="===============1632328096=="
    MIME-Version: 1.0
    Subject: Cease and desist copyright infrigement!
    To: Recipients <[email protected]>
    From: Andrew Webber - Arizonakey.com<[email protected]>
    Date: Sat, 28 May 2011 04:34:13 +1000
    X-Mailer: sendmail

  22. #22
    Join Date
    Mar 2002
    Location
    Mobile, AL USA
    Posts
    325
    Quote Originally Posted by Dougy View Post
    That could also just as equally be FUD.
    I hope so!
    Headers:
    Code:
    Delivered-To: [email protected]
    Received: by 10.52.156.169 with SMTP id wf9cs74230vdb;
            Fri, 27 May 2011 10:17:47 -0700 (PDT)
    Received: by 10.227.168.132 with SMTP id u4mr2328399wby.50.1306516666461;
            Fri, 27 May 2011 10:17:46 -0700 (PDT)
    Return-Path: <[email protected]>
    Received: from s01.gt-networks.be (s01.gt-networks.be [94.103.146.92])
            by mx.google.com with ESMTPS id fe21si3953255wbb.84.2011.05.27.10.17.45
            (version=TLSv1/SSLv3 cipher=OTHER);
            Fri, 27 May 2011 10:17:46 -0700 (PDT)
    Received-SPF: pass (google.com: domain of [email protected] designates 94.103.146.92 as permitted sender) client-ip=94.103.146.92;
    Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 94.103.146.92 as permitted sender) [email protected]
    Received: from apache by s01.gt-networks.be with local (Exim 4.76)
    	(envelope-from <[email protected]>)
    	id 1QQ0fS-0002RU-Io
    	for [email protected]; Fri, 27 May 2011 19:17:46 +0200
    To: [email protected]
    Subject: Cease and desist copyright infrigement!
    X-PHP-Script: adv-roebbenvelkeneers.be/ad/sendme.php for 82.195.232.218
    From: Andrew Webber - Arizonakey.com <[email protected]>
    Reply-To: 
    MIME-Version: 1.0
    Content-Type: text/plain
    Content-Transfer-Encoding: 8bit
    Message-Id: <[email protected]>
    Date: Fri, 27 May 2011 19:17:46 +0200
    Last edited by nik martin; 05-27-2011 at 03:27 PM. Reason: added headers
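    The reading in post #20 (a PHP mailer script on a shared host used as a relay) and the "Received-SPF: pass" in the headers above are the two things worth checking mechanically when a batch of these arrives. What follows is an added example written for this edit; it is not code from anyone in the thread, from DirectAdmin, or from the hosts named in the headers. It walks the Received chain oldest-first, pulls the injecting script and its client IP out of Exim's X-PHP-Script header, and compares the envelope-sender domain that SPF actually vouched for with the domain shown in From:. The sample message is constructed from the headers quoted in posts #1 and #22: the redacted mailboxes are replaced by placeholders (apache@s01.gt-networks.be, user@arizonakey.com, victim@example.com) and the receiving MX is example.com rather than the original provider. Any raw header block can be passed to triage().

```python
"""Header triage for a suspected relayed/spoofed message (added example)."""
import email
import json
import re
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in this thread.  The
# redacted mailboxes are placeholders (apache@..., user@..., victim@...)
# and the receiving MX is example.com instead of the original provider.
SAMPLE = """\
Delivered-To: victim@example.com
Return-Path: <apache@s01.gt-networks.be>
Received: from s01.gt-networks.be (s01.gt-networks.be [94.103.146.92])
        by mx.example.com with ESMTPS id fe21si3953255wbb.84.2011.05.27.10.17.45
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 27 May 2011 10:17:46 -0700 (PDT)
Received-SPF: pass (example.com: domain of apache@s01.gt-networks.be designates 94.103.146.92 as permitted sender) client-ip=94.103.146.92;
Received: from apache by s01.gt-networks.be with local (Exim 4.76)
        (envelope-from <apache@s01.gt-networks.be>)
        id 1QQ0fS-0002RU-Io
        for victim@example.com; Fri, 27 May 2011 19:17:46 +0200
To: victim@example.com
Subject: Cease and desist copyright infrigement!
X-PHP-Script: adv-roebbenvelkeneers.be/ad/sendme.php for 82.195.232.218
From: Andrew Webber - Arizonakey.com <user@arizonakey.com>
Reply-To:
MIME-Version: 1.0
Content-Type: text/plain
Date: Fri, 27 May 2011 19:17:46 +0200

Dear Sir,
"""


def _unfold(value):
    """Collapse RFC 5322 header folding (newline + whitespace) into one line."""
    return " ".join(value.split())


def received_chain(msg):
    """Received hops oldest-first as dicts with from/by/ip.

    Each relay prepends its own Received header, so the last one in the
    block is the first hop the message took; reversing gives the real path.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = _unfold(raw)
        m_from = re.search(r"\bfrom\s+(\S+)", line)
        m_by = re.search(r"\bby\s+(\S+)", line)
        m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ip": m_ip.group(1) if m_ip else None,
        })
    return hops


def injection_point(msg):
    """Parse Exim's X-PHP-Script header: '<vhost>/<script> for <client-ip>'."""
    value = msg.get("X-PHP-Script")
    if not value:
        return None
    m = re.match(r"(\S+)\s+for\s+(\S+)", _unfold(value))
    return (m.group(1), m.group(2)) if m else None


def _domain(addr):
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sender_alignment(msg):
    """Envelope-sender domain (what SPF checked) vs. From: domain (what the
    reader sees).  If they differ, an SPF pass says nothing about From:."""
    env = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    hdr = _domain(parseaddr(msg.get("From", ""))[1])
    aligned = bool(hdr) and (env == hdr or env.endswith("." + hdr))
    return env, hdr, aligned


def spf_result(msg):
    """First token of Received-SPF (pass/fail/softfail/neutral/none)."""
    m = re.match(r"\s*(\w+)", msg.get("Received-SPF", ""))
    return m.group(1).lower() if m else None


def triage(raw):
    """Summarise the signals an analyst would pull out of a header block."""
    msg = email.message_from_string(raw)
    hops = received_chain(msg)
    env, hdr, aligned = sender_alignment(msg)
    script = injection_point(msg)
    return {
        "hops": hops,
        "first_hop": hops[0] if hops else None,
        "spf": spf_result(msg),
        "envelope_domain": env,
        "from_domain": hdr,
        "aligned": aligned,
        "script": script,
        "verdict": "SPF %s applies to %s only; From: shows %s (%saligned); "
                   "injected via %s for client %s" % (
                       spf_result(msg), env, hdr, "" if aligned else "un",
                       script[0] if script else "n/a",
                       script[1] if script else "n/a"),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

    On this sample the pass applies to s01.gt-networks.be, not to arizonakey.com: the web host was legitimately permitted to send for its own hostname, so the pass proves nothing about the displayed sender. The first hop is the local apache user on s01.gt-networks.be, via sendme.php called from 82.195.232.218, which is consistent with post #20's relay reading; the headers alone do not show whether that script was abused or planted.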

  23. #23
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    4,845
    Got 3 over here on the same email we contacted DA on for licensing.

    Francisco
    BuyVM - OpenVZ & KVM Based VPS Servers - Chat with us
    - All popular VPN methods supported
    - Affordable offloaded MySQL & DDoS protection
    - 5GB backup space, unmetered private LAN bandwidth & native IPv6 included. All with a strong serving of pony

  24. #24
    Join Date
    Mar 2009
    Posts
    3,807
    If anyone has the PDF, upload it to virustotal.com and http://wepawet.iseclab.org and link a result page please

  25. #25
    Join Date
    May 2010
    Location
    The Netherlands
    Posts
    1,308
    Yes, I have received it too! It is a scam. Do not open it. I'll contact DirectAdmin now!

    Edit: contacted DirectAdmin.
    Last edited by HostSlim-R; 05-27-2011 at 03:35 PM.
    ★★★★★
    HostSlim Europe - Premium Managed Hosting Solutions
    Dedicated & Premium Hosting - Premium Network - 800Gbps DDoS Protection Available - OWN AS/NETWORK/EQUIPMENT
    Resell Whitelabel Dedicated Servers - Twitter: @HostSlim - www.HostSlim.eu - Facebook: @HostSlimBV

  26. #26
    Join Date
    May 2010
    Location
    The Netherlands
    Posts
    1,308
    Same headers here too.

  27. #27
    Join Date
    Jun 2006
    Posts
    1,765
    I got this as well.. Really low.

  28. #28
    Same here, I received this most probably infected file by mail.

    The first mail arrived without the attachment; the second one included a Word file with a PDF to open.

    This is most probably a new trojan horse or similar.

    <<signatures to be set up in your profile>>
    Last edited by bear; 05-27-2011 at 05:12 PM.

  29. #29
    Join Date
    Jul 2007
    Location
    Tech Belt
    Posts
    7,802
    Quote Originally Posted by Chrysalis View Post
    You guys have DirectAdmin by any chance?

    The email list DB was hacked 2 days back.

    I also got the email on 2 email accounts, one of them private, the other not private but also not used for things like registrations.
    Yeah, that would explain it then. I remember their e-mail list was hacked.

    I didn't get the attachment in mine, so they must've forgotten it lol.

  30. #30
    My friend got one too. Stupid. Directadmin is hacked badly

  31. #31
    Join Date
    Sep 2009
    Location
    Lancs, UK
    Posts
    2,152
    Got this too, but a few times.

    From different addresses. One from an online mail form and the other from what appears to be an email. We also have a DirectAdmin account.
    Last edited by Matthew_B; 05-27-2011 at 04:17 PM.
    HeroBill - On-premises Enterprise billing software for hosting providers
    █ UK Based, 24/7 Support Phone Support, Migration Services, Inventory Management, etc...
    https://herobill.com

  32. #32
    Join Date
    Dec 2009
    Location
    United Kingdom
    Posts
    203
    I got a few copies.

    I got the same email twice to two different email accounts, however only one version contained an attachment, the others didn't.

    The .doc file contained a PDF apparently, but it looked like it was an exe (hidden as a PDF in the Word file) that probably contained a virus; however, I couldn't run it anyway as I'm not running on Windows.
    Last edited by MrLadoodle; 05-27-2011 at 04:32 PM.
    NerdyVPS - You Will Be Assimilated
    PiePanel
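    Posts #8 and #32 describe the attachment as a .doc carrying an executable dressed up as a PDF, and #9 notes that two AV engines passed it. A static check that does not depend on any AV verdict is to carve the container for PE images and look for double-extension names. The following is an added example written for this edit: it is not the real attachment (nobody in the thread posted it) and not code from DirectAdmin or anyone named here. It builds a small constructed stand-in (OLE2 magic, a Package-style label with an invented filename Copyrighted_Files.pdf.exe, and a minimal i386 PE stub) and runs both checks over it. The carver works on any byte blob, so the same functions apply to the bytes of a real attachment; a fuller triage would also walk the OLE streams with olefile/oletools, which this example deliberately avoids depending on.

```python
"""Static triage of a document attachment for embedded executables (added example)."""
import json
import re
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 / legacy .doc container
PE_SIGNATURE = b"PE\x00\x00"
MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}

# Filenames with a document extension in front of an executable one
# ("invoice.pdf.exe").  Bytes pattern: \w and \b are ASCII here.
DOUBLE_EXT = re.compile(
    rb"[\w\- ]{1,80}\.(?:pdf|doc|docx|xls|jpg|png|txt)"
    rb"\.(?:exe|scr|com|pif|bat|cmd|js|vbs)\b",
    re.IGNORECASE,
)


def build_sample_doc():
    """Constructed stand-in for the 'Document.doc' attachment (not the real file).

    OLE2 magic, filler, a Package-style label with an invented filename, then
    a minimal PE: a 64-byte DOS header whose e_lfanew points at 'PE\\0\\0'
    followed by an i386 COFF header.  Enough to exercise the carver below.
    """
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, 0x0102)
    pe = bytes(dos) + PE_SIGNATURE + coff + b"\x00" * 32
    label = (b"Package\x00Copyrighted_Files.pdf.exe\x00"
             b"C:\\Users\\x\\Copyrighted_Files.pdf.exe\x00")
    return OLE_MAGIC + b"\x00" * 504 + label + struct.pack("<I", len(pe)) + pe


def is_ole_container(data):
    return data[:8] == OLE_MAGIC


def find_embedded_pe(data):
    """Carve PE images: every 'MZ' whose e_lfanew lands on a PE signature.

    Validating the NT signature (and reading the COFF machine type) filters
    out the stray 'MZ' byte pairs that occur in any large binary blob.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if (0x40 <= e_lfanew < 0x1000 and nt + 6 <= len(data)
                    and data[nt:nt + 4] == PE_SIGNATURE):
                machine = struct.unpack_from("<H", data, nt + 4)[0]
                hits.append({"offset": pos,
                             "machine": MACHINES.get(machine, hex(machine))})
        pos = data.find(b"MZ", pos + 1)
    return hits


def disguised_names(data):
    """Double-extension filenames found as ASCII strings anywhere in the blob."""
    return sorted({m.group(0).decode("ascii") for m in DOUBLE_EXT.finditer(data)})


def triage_attachment(data):
    """Combine the checks; 'suspicious' is True if either one fires."""
    pes = find_embedded_pe(data)
    names = disguised_names(data)
    return {
        "ole_container": is_ole_container(data),
        "embedded_pe": pes,
        "disguised_names": names,
        "suspicious": bool(pes or names),
    }


if __name__ == "__main__":
    print(json.dumps(triage_attachment(build_sample_doc()), indent=2))
```

    A clean result from this carver does not clear a file: it only says no plainly embedded PE or obvious double-extension name was found, and packed or encoded payloads would need the OLE streams (and the sandbox/VirusTotal runs suggested in #24) to be judged.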

  33. #33
    Join Date
    Jan 2011
    Location
    Ohio
    Posts
    467
    I got this dang thing too! Sorry for posting a separate thread(thankfully mod got it).

  34. #34
    Join Date
    Jul 2008
    Location
    Portland, Oregon
    Posts
    59
    I got this and it had no virus; however, its exe is oddly enough an injector. I have Spybot's resident checker installed and the exe from this malware attack tried to add registry entries to Windows.
    Web Hosting, TeamSpeak Servers and Tech Consulting
    Joshua Hina - Mobile: 1 (503) 875-1899
    CEO, Delta Internet and Media Services LLC.
    If you ever have any questions feel free to ask. I'll be glad to help.

  35. #35
    Join Date
    Aug 2008
    Location
    San Francisco
    Posts
    2,410
    Got the same email also, Postini marked it as malicious. Glad I didn't open it.

    Hopefully it gives more clues to who the hacker actually was.

  36. #36
    Looks like I was the first one who uploaded it to VirusTotal.

    To see the infections, simply visit

    http://www.virustotal.com/file-scan/...d34-1306521276

  37. #37
    Join Date
    Oct 2007
    Location
    Chisinau; Hong Kong
    Posts
    34
    Yeah, we received the same too, first without, second with attachment.
    Surely we have an active DA account too

    I am sure Mark has a lot to do the last days and now comes even this.
    I pity him

    Cheers,
    Sven

  38. #38
    Does anybody know what files/registry keys the backdoor creates?

    Thanks.

  39. #39
    Join Date
    Dec 2009
    Location
    United Kingdom
    Posts
    203
    Quote Originally Posted by trabia View Post
    Yeah, we received the same too, first without, second with attachment.
    Surely we have an active DA account too

    I am sure Mark has a lot to do the last days and now comes even this.
    I pity him

    Cheers,
    Sven
    I got exactly the same.

    I just feel sorry for those who ended up actually running the program.

  40. #40
    Join Date
    Apr 2010
    Location
    London
    Posts
    166
    We received 3 - I use my personal address for everything DirectAdmin, so alarm bells rang.

    I guess the hack itself was a PHP attack rather than DA itself.
    Regards,
    Peter
    UK Web Hosting - Professional & Reliable Managed Hosting and OpenVZ VPS Hosting!

