george Posted December 15, 2009

Got an email from our friends at Project Honey Pot. Some interesting facts I'd like to share with you:

from Project Honey Pot Team <[email protected]>
to George
date Tue, Dec 15, 2009 at 22:09
subject [Project Honey Pot] 1 Billion Spammers Served

Dear George:

On Wednesday, December 9, 2009 at 06:20 (GMT), Project Honey Pot achieved a milestone: receiving its 1 billionth spam message. The billionth message was a United States Internal Revenue Service phishing scam sent to an email address that had been harvested more than two years ago.

More than just a single spam email, the billionth message represents the collective work of you and tens of thousands of other web and email administrators like you in more than 170 countries around the world. Together we have built Project Honey Pot into the largest community tracking online fraud and abuse.

To celebrate this milestone, we sifted through five years of data to learn more about spam and the spammers who send it. As a small token of thanks for your help, we wanted to share some of our more interesting preliminary findings.
Click the following link for the Full Report: http://www.projecthoneypot.org/1_billionth...ssage_stats.php

Highlights include:

- Monday is the busiest day of the week for email spam, Saturday is the quietest
- 12:00 (GMT) is the busiest hour of the day for spam, 23:00 (GMT) is the quietest
- Malicious bots have increased at a compound annual growth rate (CAGR) of 378% since Project Honey Pot started
- Over the last five years, you'd have been 9 times more likely to get a phishing message for Chase Bank than Bank of America, however Facebook is rapidly becoming the most phished organization online
- Finland has some of the best computer security in the world, China some of the worst
- It takes the average spammer 2 and a half weeks from when they first harvest your email address to when they send you your first spam message, but that's twice as fast as they were five years ago
- Every time your email address is harvested from a website, you can expect to receive more than 850 spam messages
- Spammers take holidays too: spam volumes drop nearly 21% on Christmas Day and 32% on New Year's Day
- And much more.....

We have published it under the Creative Commons Attribution license, so don't hesitate to share anything you find interesting.

In the end, we couldn't have gathered this data without you. Thank you for all your help over the last five years. Here's to wishing you happy holidays and a relatively spam-free New Year.

Sincerely,
The Project Honey Pot Team
elcent Posted December 15, 2009

Got that too ... I've been a member there for 2 years now.

One more thing besides honeypot. Watch out for this Chinese IP address. It's not a false positive.

Security attacks stopped
Total impact: 36
Affected tags: xss, csrf, id, rfe, lfi

Variable: REQUEST.DescriptionMe.0 | Value: SEC1T7 <a href=\"http://itvpcrociwey.com/\">itvpcrociwey</a>, glxqgejjgcxz, [link=http://nirgnsddrhrk.com/]nirgnsddrhrk[/link], http://pfsjgoakvpfi.com/
Impact: 9 | Tags: xss, csrf, id, rfe, lfi
Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20
Description: Detects url injections and RFE attempts | Tags: id, rfe, lfi | ID: 61

Variable: REQUEST.DescriptionMe.1 | Value: SEC1T7 <a href=\"http://itvpcrociwey.com/\">itvpcrociwey</a>, glxqgejjgcxz, [link=http://nirgnsddrhrk.com/]nirgnsddrhrk[/link], http://pfsjgoakvpfi.com/
Impact: 9 | Tags: xss, csrf, id, rfe, lfi
Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20
Description: Detects url injections and RFE attempts | Tags: id, rfe, lfi | ID: 61

Variable: POST.DescriptionMe.0 | Value: SEC1T7 <a href=\"http://itvpcrociwey.com/\">itvpcrociwey</a>, glxqgejjgcxz, [link=http://nirgnsddrhrk.com/]nirgnsddrhrk[/link], http://pfsjgoakvpfi.com/
Impact: 9 | Tags: xss, csrf, id, rfe, lfi
Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20
Description: Detects url injections and RFE attempts | Tags: id, rfe, lfi | ID: 61

Variable: POST.DescriptionMe.1 | Value: SEC1T7 <a href=\"http://itvpcrociwey.com/\">itvpcrociwey</a>, glxqgejjgcxz, [link=http://nirgnsddrhrk.com/]nirgnsddrhrk[/link], http://pfsjgoakvpfi.com/
Impact: 9 | Tags: xss, csrf, id, rfe, lfi
Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20
Description: Detects url injections and RFE attempts | Tags: id, rfe, lfi | ID: 61

REMOTE_ADDR: 123.124.209.65
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /home/xxxxxxx/public_html/xxxxx.com/join.php
QUERY_STRING:
REQUEST_URI: /join.php
QUERY_STRING:
SCRIPT_NAME: /join.php
PHP_SELF: /join.php

... this security attack finding has nothing to do with honeypot.
elcent Posted December 15, 2009

Another threat coming up. Source http://blogs.zdnet.com/security/?p=5119&tag=nl.e58

Adobe confirms PDF zero-day attacks. Disable JavaScript now
Posted by Ryan Naraine @ 9:08 am
Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Exploit code...
Tags: Adobe Systems Inc., Adobe PDF, JavaScript, Exploit, Zero-day Bug...

Malicious hackers are exploiting a zero-day (unpatched) vulnerability in Adobe’s ever-present PDF Reader/Acrobat software to hijack data from compromised computers.

According to an advisory from Adobe, the critical vulnerability exists in Adobe Reader and Acrobat 9.2 and earlier versions. It is being exploited in the wild.

The company has activated its security response process but declined to offer any more details until an investigation is complete. Unfortunately, the company did not provide any mitigation guidance for customers.

The folks at ShadowServer describe the situation as “very bad”:

We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue. This is legit and is very bad. Here’s what we know so far:

We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least December 11, 2009. However, the number of attacks is limited and most likely targeted in nature. Expect the exploit to become more widespread in the next few weeks and unfortunately potentially become fully public within the same timeframe.

We are fully aware of all the details related to the exploit but do not plan to publish them for a few reasons:

- There currently is no patch or update available that completely protects against this exploit.
- There is little to no detection of these malicious PDF files from most of the major Antivirus vendors.

With that said, we can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself. Furthermore, the vulnerable JavaScript is obfuscated inside a zlib stream, making universal detection and intrusion detection signatures much more difficult.

In the interim, Adobe PDF Reader/Acrobat users are urged to immediately disable JavaScript:

Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

Or, better yet, use an alternative PDF Reader software program.
elcent Posted December 15, 2009

NOW BACK TO PROJECTHONEYPOT. WHEN YOU OPEN THEIR STAT LINK IT SAYS RIGHT IN THE FIRST PARAGRAPH:

On Wednesday, December 9, 2009 at 06:20 (GMT) Project Honey Pot received its billionth email spam message. The message, a picture of which is displayed below, was a United States Internal Revenue Service (IRS) phishing scam. The spam email was sent by a bot running on a compromised machine in India (122.167.68.1). The spamtrap address to which the message was sent was originally harvested on November 4, 2007 by a particularly nasty harvester (74.53.249.34) that is responsible for 53,022,293 other spam messages that have been received by Project Honey Pot.

FROM THE SAME HOST AS 74.53 MY SECURITY SCRIPT RANG THE ALARM BELLS. IT SEEMS AS IF THEY SWITCHED FROM HARVESTING AND SPAMMING INTO BREAKING INTO YOUR DB.

I wouldn't even know if our developers hadn't integrated a security script recently. Thanks G-D for the security script writer, whose script identified the attacks.
Here is some info from the attacks that get automatically reported (I had hundreds of them within half an hour), which is not connected with Project Honey Pot:

Total impact: 36
Affected tags: xss, csrf, id, rfe, sqli, lfi

Variable: REQUEST.CFGLOBALS | Value: urltoken=CFID#=3548901&CFTOKEN#=c13c2e61784f8de-651F72E6-F2D6-72E4-516A6DFF96A23908&jsessionid#=6e307f32aed41b75522c#lastvisit={ts \'2009-12-06 13:01:46\'}#timecreated={ts \'2009-12-06 12:54:46\'}#hitcount=16#cftoken=c13c2e61784f8de-651F72E6-F2D6-72E4-516A6DFF96A23908#cfid=3548901#
Impact: 18 | Tags: xss, csrf, id, rfe, sqli, lfi
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23
Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31
Description: Detects common comment types | Tags: xss, csrf, id | ID: 35
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Variable: COOKIE.CFGLOBALS | Value: urltoken=CFID#=3548901&CFTOKEN#=c13c2e61784f8de-651F72E6-F2D6-72E4-516A6DFF96A23908&jsessionid#=6e307f32aed41b75522c#lastvisit={ts \'2009-12-06 13:01:46\'}#timecreated={ts \'2009-12-06 12:54:46\'}#hitcount=16#cftoken=c13c2e61784f8de-651F72E6-F2D6-72E4-516A6DFF96A23908#cfid=3548901#
Impact: 18 | Tags: xss, csrf, id, rfe, sqli, lfi
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23
Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31
Description: Detects common comment types | Tags: xss, csrf, id | ID: 35
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Centrifuge detection data
Threshold: 3.49
Ratio: 3.2307692307692

REMOTE_ADDR: 74.53.3.132
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /home/xxxxxco/public_html/xxxx.com/index.php
QUERY_STRING: bx_photos_mode=top&tags_mode=bx_store&albumType=bx_photos&page={page}&per_page={per_page}
REQUEST_URI: /index.php?bx_photos_mode=top&tags_mode=bx_store&albumType=bx_photos&page={page}&per_page={per_page}
QUERY_STRING: bx_photos_mode=top&tags_mode=bx_store&albumType=bx_photos&page={page}&per_page={per_page}
SCRIPT_NAME: /index.php
PHP_SELF: /index.php

When I reported it to the host, the abuse department said that they would investigate. Now the question is, since they are seemingly cleared from harvesting and spamming, are they into more serious breaches of law, and how can that happen for such a long period of time, even now with continued and altered attacks coming from the same IP ranges? There are millions out there with basic or no protection of their sites and systems. Now one can figure out the damage.
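The PHPIDS-style "Security attacks stopped" reports quoted in this post and in the earlier one about 123.124.209.65 are easier to act on once they are parsed and aggregated by source address, which is what a host's abuse desk asks for. The following is an added example, not code from this thread or from PHPIDS: it parses constructed sample reports in the same flattened format, sums the impact per REMOTE_ADDR, and lists the addresses whose cumulative score crosses a threshold. The sample blocks, the blank line separating them, and the threshold values are assumptions of this example.

```python
"""Parse PHPIDS-style 'Security attacks stopped' reports and aggregate them per
source IP, so that repeated probes from one address stand out.  Added example,
not part of the thread or of PHPIDS; the sample reports are constructed."""
import re
from collections import defaultdict

# Constructed sample in the flattened format quoted in the thread.  Report
# blocks are separated by a blank line (an assumption of this example); the
# offending values are replaced by placeholders.
SAMPLE_REPORTS = """\
Total impact: 36
Affected tags: xss, csrf, id, rfe, lfi
Variable: POST.DescriptionMe.0 | Value: [link spam placeholder]
Impact: 9 | Tags: xss, csrf, id, rfe, lfi
Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20
Description: Detects url injections and RFE attempts | Tags: id, rfe, lfi | ID: 61
REMOTE_ADDR: 123.124.209.65
HTTP_X_FORWARDED_FOR:
REQUEST_URI: /join.php

Total impact: 36
Affected tags: xss, csrf, id, rfe, sqli, lfi
Variable: COOKIE.CFGLOBALS | Value: [cookie value placeholder]
Impact: 18 | Tags: xss, csrf, id, rfe, sqli, lfi
Description: Detects common comment types | Tags: xss, csrf, id | ID: 35
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Centrifuge detection data
Threshold: 3.49
Ratio: 3.2307692307692
REMOTE_ADDR: 74.53.3.132
HTTP_X_FORWARDED_FOR: 10.0.0.1
REQUEST_URI: /index.php?bx_photos_mode=top

Total impact: 12
Affected tags: sqli, id
Variable: GET.id | Value: [probe placeholder]
Impact: 12 | Tags: sqli, id
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
REMOTE_ADDR: 74.53.3.132
HTTP_X_FORWARDED_FOR:
REQUEST_URI: /index.php
"""

# "Key: rest" lines; keys may contain spaces ("Total impact") or underscores.
FIELD = re.compile(r"^(?P<key>[A-Za-z_ ]+):\s?(?P<rest>.*)$")
# Trailing "| ID: NN" on a Description line names the PHPIDS rule that fired.
RULE_ID = re.compile(r"\|\s*ID:\s*(\d+)\s*$")


def parse_report(block):
    """Turn one report block into a dict.  The source is keyed on REMOTE_ADDR
    only: HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are client-supplied headers
    and cannot be trusted to identify the sender."""
    rep = {"ip": None, "total_impact": 0, "tags": set(), "rule_ids": set(),
           "variables": [], "uri": None, "forwarded_for": None}
    for raw in block.splitlines():
        m = FIELD.match(raw.strip())
        if not m:
            continue  # e.g. "Centrifuge detection data" has no colon
        key, rest = m.group("key"), m.group("rest").strip()
        if key == "Total impact":
            rep["total_impact"] = int(rest)
        elif key == "Affected tags":
            rep["tags"] = {t.strip() for t in rest.split(",") if t.strip()}
        elif key == "Variable":
            # "Variable: NAME | Value: ..." -> keep only the variable name
            rep["variables"].append(rest.split("|", 1)[0].strip())
        elif key == "Description":
            rid = RULE_ID.search(rest)
            if rid:
                rep["rule_ids"].add(int(rid.group(1)))
        elif key == "REMOTE_ADDR":
            rep["ip"] = rest or None
        elif key == "HTTP_X_FORWARDED_FOR":
            rep["forwarded_for"] = rest or None
        elif key == "REQUEST_URI":
            rep["uri"] = rest or None
    return rep


def split_reports(text):
    """Split the concatenated report text on blank lines."""
    return [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def aggregate_by_ip(text):
    """Sum total impact and union tags, rule IDs and URIs per REMOTE_ADDR."""
    agg = defaultdict(lambda: {"reports": 0, "impact": 0, "tags": set(),
                               "rule_ids": set(), "uris": set()})
    for block in split_reports(text):
        rep = parse_report(block)
        entry = agg[rep["ip"] or "unknown"]
        entry["reports"] += 1
        entry["impact"] += rep["total_impact"]
        entry["tags"] |= rep["tags"]
        entry["rule_ids"] |= rep["rule_ids"]
        if rep["uri"]:
            entry["uris"].add(rep["uri"])
    return dict(agg)


def sources_over_threshold(agg, min_impact=30, min_reports=1):
    """IPs whose cumulative impact and report count justify a firewall rule or
    an abuse report to the hosting provider; the defaults are assumed values."""
    return sorted(ip for ip, e in agg.items()
                  if e["impact"] >= min_impact and e["reports"] >= min_reports)


if __name__ == "__main__":
    summary = aggregate_by_ip(SAMPLE_REPORTS)
    for ip in sources_over_threshold(summary):
        e = summary[ip]
        print(f"{ip}: {e['reports']} report(s), impact {e['impact']}, "
              f"rules {sorted(e['rule_ids'])}, tags {sorted(e['tags'])}")
```

Keying on REMOTE_ADDR rather than the forwarded-for headers matters because the latter are set by the client; the report format already shows both, and the parser keeps the forwarded value only for context. Raising `min_reports` above 1 filters single false positives from a legitimate visitor while still surfacing an address that, as in this thread, sends hundreds of probes in half an hour.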
nikster Posted December 16, 2009

It's baffling that Adobe has JavaScript (??!!?!) enabled in PDF files. The mind boggles. <deleted> are they thinking? I sure hope it doesn't work in Preview (mac PDF viewer)...