Hot a well diguised mail from paypal with a highjacked link

[teKillah]

I got a paypal mail ofcourse well disguised with this hidden link for paypal login

http://tilika.aplusgraphixdesign.com/


I tried accessing it but my explorer just closes down, any geeks here who can help as to whats happening ?

 

[Nocturnal]

It probably takes you to some site. Perhaps it is an active x script/exploit that dls a trojan onto your 'puter.

 

[iwearnosox]

root@cuke [~]# wget http://tilika.aplusgraphixdesign.com
--15:38:00-- http://tilika.aplusgraphixdesign.com/
=> `index.html'
Resolving tilika.aplusgraphixdesign.com... done.
Connecting to tilika.aplusgraphixdesign.com[69.42.89.56]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.ipnetwork.co.jp/flash/map/img/.../.update/hide/index2.htm [following]
--15:38:00-- http://www.ipnetwork.co.jp/flash/map/img/.../.update/hide/index2.htm
=> `index2.htm'
Resolving www.ipnetwork.co.jp... done.
Connecting to www.ipnetwork.co.jp[211.9.54.51]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,230 [text/html]

100%[============================================>] 1,230 1.17M/s ETA 00:00

15:38:00 (1.17 MB/s) - `index2.htm' saved [1230/1230]

 

[iwearnosox]

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Paypal - verify your account information</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT language=JavaScript1.2>

<!--



/*

Auto Maximize Window Script- By Nick Lowe (nicklowe@ukonline.co.uk)

For full source code, 100's more free DHTML scripts, and Terms Of Use

Visit http://www.dynamicdrive.com

*/



top.window.moveTo(0,0);

if (document.all) {

top.window.resizeTo(screen.availWidth,screen.availHeight);

}

else if (document.layers||document.getElementById) {

if (top.window.outerHeight<screen.availHeight||top.window.outerWidth<screen.availWidth){

top.window.outerHeight = screen.availHeight;

top.window.outerWidth = screen.availWidth;

}

}

//-->

</SCRIPT>
<script language="JavaScript" type="text/JavaScript">
<!--
function closeMe() {
window.opener = self;
window.close();
}
function MM_openBrWindow(theURL,winName,features) { //v2.0
window.open(theURL,winName,features);
}

//-->
</script>
</head>

<body onLoad="closeMe();MM_openBrWindow('sysdll.php','ini','toolbar=yes,location=no,sta$
</body>
</html>

 

[iwearnosox]

I've reviewed the other files, basically he's doing a bad job at trying to create a paypal form. There's no malicous calls to anything else.

There's sysdll.php which is the form processor.
There's log1.htm which is nothing but a carbon copy of the paypal login page.

 

[teKillah]

Wow that was a quick analysis and tear down

Thanks much I was just curious was to what he was upto when no clone paypal login page appeared

 

[iwearnosox]

There's also a call to ppmain.js which looks like a script that just prevents multiple submits.