Page 3 of 5 FirstFirst 12345 LastLast
Results 21 to 30 of 46

Thread: System76 Phishing Email

  1. #21
    Join Date
    Mar 2007
    Location
    Massachusetts
    Beans
    Hidden!
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: System76 Phishing Email

    Quote Originally Posted by kh1116
    Gotcha
    Nothing to "Gotcha" anyone about. The actual headers are needed to determine the true origin of the message. The spam links in your original message were not. That's why the mod removed them. I hope those are the actual headers and not something you posted so you could type "Gotcha". If they are false, that could cause System76 to spend a lot of unnecessary time trying to track down a problem that doesn't exist.

    If those are the actual headers of the offending message (with your email address <edit>ed out), then it appears the message came from the System76 servers. The IP address 64.13.252.76 is reported as belonging to System76. I will let ISANTOP and System76 do their investigation and respond.

  2. #22
    Join Date
    Aug 2007
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: System76 Phishing Email

    I meant gotcha as in I understand you... I'm done with the flame war, this is the legitimate header... I'll post a screenshot

    http://tinypic.com/view.php?pic=6hqh55&s=7 you can zoom in the picture if you can't read it.

    I'm trying to help system76. I'm not spreading FUD...
    Last edited by kh1116; March 28th, 2011 at 08:43 PM. Reason: screenshot added

  3. #23
    Join Date
    Mar 2007
    Location
    Massachusetts
    Beans
    Hidden!
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: System76 Phishing Email

    Quote Originally Posted by kh1116
    I meant gotcha as in I understand you...
    Sorry

  4. #24
    Join Date
    Mar 2011
    Beans
    2

    Not just system76 was compromised

    I found this page as I had this happen to my site. The issue it seems is that they are using os commerce for their website and it seems as though the hackers have enough control to read emails, read the store name, and send emails. I'm not sure how this is happening yet but I'm hoping some of the smart people here and at system76 can figure it out.

    Here is another example from another os commerce site that was compromised: http://forums.oscommerce.com/topic/3...r-online-shop/

    Please keep this updated as this seems to be a new exploit that affects possibly all os commerce users as well as cre loaded sites. I'm still looking for a solution to how they got in and how to fix it.

  5. #25
    Join Date
    Mar 2011
    Beans
    2

    Re: System76 Phishing Email

    I have another update. After reviewing the matter further I now know exactly what happened. Suffice it to say their site (and mine) was exploited. There is an exploit in older oscommerce/creloaded sites that allows someone to bypass the admin user/pass. This allows full access of the store as well as a way to upload backdoors to the site for full control of the site and all of its files.

    It's very serious and aside from spam and serving other web pages (with malware I'm sure) sometimes they edit the payment modules as well. This would mean the possibility of the hacker getting sent credit card info as well as any other info already included in the order.

    In order to provide help to others and system 76 here is the help I can provide. The suggested fix is to take the site offline (cause the backdoors replicate) and have an expert go through the site with a fine tooth comb (along with a scanner). Then after there is no possible backdoor left you follow the simple fix here: http://www.creloadedexpert.com/secur...curity-exploit

    The store/images folder is a very common place for the backdoor and website serving. For instance a folder inside with a number as its name, .xcache folder, and files that look like goog*.php.
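The indicators named in the post above (a numeric-named folder inside store/images, a .xcache folder, files that look like goog*.php) are easy to check for mechanically. The script below is an added example, not code from the thread or from osCommerce/CRE Loaded: it walks a webroot and reports paths matching those three indicators, plus one assumed rule added here (any .php file inside an images/ directory, since an upload folder should hold images rather than scripts). It builds its own constructed webroot in a temp directory so it runs offline; point scan_webroot() at a real document root to use it. A hit is an indicator to hand to whoever is reviewing the site, not proof of compromise, and an empty result does not prove the site is clean.

```python
import fnmatch
import os
import tempfile
from pathlib import Path


def scan_webroot(root):
    """Walk `root` and return sorted (relative_path, reason) pairs for files
    and directories matching the indicators quoted in the thread."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        under_images = "images" in rel_dir.parts
        for d in dirnames:
            if d == ".xcache":
                findings.append(((rel_dir / d).as_posix(), "hidden .xcache directory"))
            elif under_images and d.isdigit():
                findings.append(((rel_dir / d).as_posix(), "numeric-named directory under images/"))
        for f in filenames:
            if fnmatch.fnmatch(f, "goog*.php"):
                findings.append(((rel_dir / f).as_posix(), "goog*.php file name"))
            elif under_images and f.lower().endswith(".php"):
                # Assumed rule (not from the thread): scripts do not belong in an image folder.
                findings.append(((rel_dir / f).as_posix(), "PHP script inside images/ (assumed suspicious)"))
    return sorted(findings)


def build_fixture():
    """Constructed sample webroot: a few legitimate files plus planted indicators.
    The planted .php files contain only a comment, not any real backdoor code."""
    root = Path(tempfile.mkdtemp(prefix="oscommerce_scan_"))
    (root / "store/images/12345").mkdir(parents=True)
    (root / "store/images/.xcache").mkdir()
    (root / "store/admin").mkdir()
    (root / "store/images/logo.png").write_bytes(b"\x89PNG constructed placeholder")
    (root / "store/images/goog1a2b.php").write_text("<?php /* constructed placeholder */ ?>")
    (root / "store/images/12345/index.php").write_text("<?php /* constructed placeholder */ ?>")
    (root / "store/index.php").write_text("<?php /* legitimate store front, constructed */ ?>")
    (root / "store/admin/login.php").write_text("<?php /* legitimate admin page, constructed */ ?>")
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    for path, reason in scan_webroot(fixture):
        print(f"{path}: {reason}")
```

Only the relative paths are reported, so output can be pasted into a ticket without exposing the server's filesystem layout; extend the pattern list as further indicators are confirmed.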

  6. #26
    Join Date
    Aug 2007
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: System76 Phishing Email

    Glad to see someone actually took my post seriously.
    Last edited by kh1116; March 29th, 2011 at 05:30 AM.

  7. #27
    Join Date
    Feb 2010
    Beans
    2

    Re: System76 Phishing Email

    Quote Originally Posted by kh1116
    Glad to see someone actually took my post seriously.
    I took it seriously--I received the same email yesterday AM

  8. #28
    Join Date
    Oct 2007
    Location
    Aurora, CO
    Beans
    2,564
    Distro
    Ubuntu

    Re: System76 Phishing Email

    This is odd. On the top is the header information from the spam email. On the bottom is header information from a test message sent through the online shop:

    Received: from imta20.westchester.pa.mail.comcast.net (LHLO
    imta20.westchester.pa.mail.comcast.net) (76.96.62.23) by
    sz0052.ev.mail.comcast.net with LMTP; Mon, 28 Mar 2011 05:59:30 +0000 (UTC)
    Received: from system76.com ([64.13.252.76]) by
    imta20.westchester.pa.mail.comcast.net with comcast id
    QVzW1g00y1ffa800LVzWNB; Mon, 28 Mar 2011 05:59:31 +0000
    X-CAA-SPAM: N00001
    Received: by 10.42.222.129 with SMTP id ig1cs52369icb;
    Tue, 29 Mar 2011 08:40:11 -0700 (PDT)
    Received: by 10.43.49.199 with SMTP id vb7mr9657658icb.270.1301413211495;
    Tue, 29 Mar 2011 08:40:11 -0700 (PDT)
    Definitely a disconnect here, but this does show it didn't originate from us.

    From reading that page on the osCommerce site, I think it looks like that's what happened. We'll be looking into this to make sure it doesn't happen again, but it doesn't look like any attacker would have had any access to the database directly.
    Ian Santopietro - System76 Technical Support.
    Open a Support Ticket!
    Ask a Sales Question!

  9. #29
    Join Date
    May 2009
    Location
    Land of Lincoln
    Beans
    1,369
    Distro
    Ubuntu Development Release

    Re: System76 Phishing Email

    Hi isantop!

    Very professional.

    "Definitely a disconnect here, but this does show it didn't originate from us.

    From reading that page on the osCommerce site, I think it looks like that's what happened. We'll be looking into this to make sure it doesn't happen again, but it doesn't look like any attacker would have had any access to the database directly."
    __________________
    KegHead

  10. #30
    Join Date
    Mar 2007
    Location
    Massachusetts
    Beans
    Hidden!
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: System76 Phishing Email

    Quote Originally Posted by isantop
    This is odd. On the top is the header information from the spam email. On the bottom is header information from a test message sent through the online shop:

    Definitely a disconnect here, but this does show it didn't originate from us.

    From reading that page on the osCommerce site, I think it looks like that's what happened. We'll be looking into this to make sure it doesn't happen again, but it doesn't look like any attacker would have had any access to the database directly.
    I'm not sure I understand how you arrived at your conclusions. It appears that your "test" only showed that the spam message did not originate from the mailer associated with your online shop. The online mailer reports its private internal 10.xxx.xxx.xxx IP addresses in the header.

    However, the spam message reported "Received: from system76.com ([64.13.252.76])...." where 64.13.252.76 is a public IP address that is reported as belonging to System76. Have you checked the 64.13.252.76 server and the entire network it is on to see if any server has been compromised? The hacker/exploiter could have access to that server and could have used it to send out the Spam. And if the hacker/exploiter had access to the 64.13.252.76 server, they very well may have had access to anything on your network including the database. I think you need to do a more thorough investigation and provide us (your customers) with a full explanation. System76 may not store our credit card information, but you do store a great deal of our private information. And since this is not the first time the System76 web site has been compromised, the bar is set higher for System76 to regain my trust and future business.
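The disagreement in posts #28 and #30 comes down to reading the Received chain: the test message shows only private 10.x.x.x hops from the shop's own mailer, while the spam was handed to Comcast's MTA by a public address, 64.13.252.76. The script below is an added example, not code from the thread or from System76: it parses the two header fragments quoted in post #28 (re-folded here so a standard header parser accepts them), pulls the first IPv4 literal from each Received header, labels it private or public, and walks the chain oldest-to-newest to find the outermost public hop. One caveat a practitioner relies on: only the Received headers added by servers you trust are reliable, since a sender can forge any hops below the first trusted one; here the 64.13.252.76 entry was written by the recipient's own provider, which is why it carries weight.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Constructed sample: the header fragments quoted in post #28, with
# continuation lines indented as RFC 5322 folding requires.
SPAM_HEADERS = """\
Received: from imta20.westchester.pa.mail.comcast.net (LHLO
 imta20.westchester.pa.mail.comcast.net) (76.96.62.23) by
 sz0052.ev.mail.comcast.net with LMTP; Mon, 28 Mar 2011 05:59:30 +0000 (UTC)
Received: from system76.com ([64.13.252.76]) by
 imta20.westchester.pa.mail.comcast.net with comcast id
 QVzW1g00y1ffa800LVzWNB; Mon, 28 Mar 2011 05:59:31 +0000
X-CAA-SPAM: N00001
Subject: constructed sample (spam headers from the thread)

"""

TEST_HEADERS = """\
Received: by 10.42.222.129 with SMTP id ig1cs52369icb;
 Tue, 29 Mar 2011 08:40:11 -0700 (PDT)
Received: by 10.43.49.199 with SMTP id vb7mr9657658icb.270.1301413211495;
 Tue, 29 Mar 2011 08:40:11 -0700 (PDT)
Subject: constructed sample (test message headers from the thread)

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw_headers):
    """Return one (ip, is_private) pair per Received header, newest first
    (the order they appear in), using the first IPv4 literal in each header.
    ip is None when a header carries no IPv4 literal."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(str(value).split())
        match = IPV4.search(unfolded)
        if not match:
            hops.append((None, False))
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            hops.append((None, False))
            continue
        hops.append((str(addr), addr.is_private or addr.is_loopback))
    return hops


def earliest_public_hop(raw_headers):
    """Walk the chain oldest-to-newest and return the first public IP, i.e. the
    outermost hop attributable to a network outside the receiver. Returns None
    when every hop is private, as with a message that never left the shop's
    own mailer. Hops below the first trusted relay may be forged."""
    for ip, private in reversed(received_hops(raw_headers)):
        if ip is not None and not private:
            return ip
    return None


def same_origin(headers_a, headers_b):
    """True only if both messages show the same public originating hop."""
    a, b = earliest_public_hop(headers_a), earliest_public_hop(headers_b)
    return a is not None and a == b


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_HEADERS), ("shop test", TEST_HEADERS)):
        print(label, received_hops(raw), "-> origin:", earliest_public_hop(raw))
    print("same origin:", same_origin(SPAM_HEADERS, TEST_HEADERS))
```

Run against a real message, the function answers the narrow question the thread circles: which public host handed the mail to the first relay you trust. That is where an investigation of the 64.13.252.76 host would start, and it is a separate question from whether the shop's mailer was involved.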

