Tuesday, June 21, 2011

Bad Day at BlackRock?

Whose Paranoid wonders what PR software has to do with things...

4 comments:

jon said...

the log doesn't necessarily suggest anything about an email. the host/ip fields mean that that is the client machine making the request to the webserver.

now it is extremely uncommon for a mail server to up and make an HTTP request while providing a "firefox" user-agent. suspicious, yes.

it is even more uncommon for a mail server to be running windows xp. doubly suspicious, yes.

the person or organization that owns belong2.com may have an actual mailserver there (i don't want to risk anything by checking to see) which has been compromised and is being used as an HTTP proxy. nobody can find out who that is without their permission; they are protected by godaddy and DBP.

it might be a legitimate proxy; a machine doing multiple duties that simply happens to use the typical hostname of a mailserver. that does happen. however, these usually identify themselves as such, not as firefox on winxp -- although this is configurable.

the use of tinyurl is insignificant. it simply shortens the URL to facilitate automatic links in richtext or similar window contexts. it hides nothing about any part of the process.

the referer URL content obviously does not have a tinyurl.com URL anywhere in it; so the referer is manufactured or, again, a product of an HTTP proxy (misbehaving, it would appear). it may be that someone chose or procured an intentionally broken HTTP proxy.

specifically, the intent there is to make the log entry look unimportant; referer-less hits are always interesting, because 90% of those come from someone clicking a link in an email or typing/pasting the URL into their browser right in front of them. the rest come from search engines and other automated systems. all other referers are usually hunted and picked at, for example, "show me everything from .gov that has hit my webserver in the past week."

this would never have been found.
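The checks jon walks through above (a mail-server hostname sending a desktop-browser user-agent, a Windows XP user-agent, a missing referer, and a referer that could not actually have linked to the page) can be run mechanically over an access log. The script below is an added example and is not jon's, the blog author's, or any project's code. It assumes Apache "combined" format with hostname lookups enabled, and every hostname, IP address, site path and log line in it is constructed for the example; the site map in KNOWN_LINKS stands in for the offline version of "does the referring page actually contain this URL?".

```python
"""Triage web-server hits for the anomalies discussed in the comment thread (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Apache "combined" format; the first field is the resolved client hostname (HostnameLookups On).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

OUR_HOST = "blog.example.org"  # constructed: the site whose log is being read
# Constructed site map: which of our own pages link to which paths. A referer that names one of
# our pages is only plausible if that page really links to the path that was requested.
KNOWN_LINKS: Dict[str, Set[str]] = {
    "/": {"/2011/06/post.html", "/2011/06/older.html"},
    "/2011/06/older.html": {"/"},
}

MAIL_HOST_RE = re.compile(r"^(mail|mx|smtp|pop3?|imap)\d*\.", re.I)
BROWSER_UA_RE = re.compile(r"Firefox/|Chrome/|Safari/|MSIE |Trident/", re.I)
WINXP_UA_RE = re.compile(r"Windows NT 5\.1")
BOT_UA_RE = re.compile(r"bot|crawler|spider", re.I)


@dataclass
class Hit:
    host: str
    path: str
    referer: str
    ua: str
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Hit]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return Hit(m["host"], m["path"], m["referer"], m["ua"]) if m else None


def referer_plausible(hit: Hit) -> bool:
    """Foreign referers cannot be checked offline, so accept them; our own pages must link here."""
    ref = urlsplit(hit.referer)
    if ref.netloc.lower() != OUR_HOST:
        return True
    return hit.path in KNOWN_LINKS.get(ref.path or "/", set())


def classify(hit: Hit) -> List[str]:
    """Attach the anomaly flags for one hit and return them."""
    flags: List[str] = []
    if MAIL_HOST_RE.match(hit.host) and BROWSER_UA_RE.search(hit.ua):
        flags.append("mail-host-browser-ua")  # a mail server browsing with a desktop browser
    if WINXP_UA_RE.search(hit.ua):
        flags.append("winxp-ua")
    if hit.referer in ("", "-"):
        # direct traffic: links in email, pasted URLs, bookmarks, or crawlers
        flags.append("bot-no-referer" if BOT_UA_RE.search(hit.ua) else "no-referer")
    elif not referer_plausible(hit):
        flags.append("referer-mismatch")  # the claimed referring page does not link here
    hit.flags = flags
    return flags


def triage(lines: List[str]) -> List[Hit]:
    """Return only the hits that raised at least one flag, most flags first."""
    hits = [h for h in (parse_line(line) for line in lines) if h is not None]
    for h in hits:
        classify(h)
    return sorted((h for h in hits if h.flags), key=lambda h: -len(h.flags))


# Constructed sample log: one odd hit, two referer-less hits, one ordinary internal click.
SAMPLE_LOG = [
    'mail.example.net - - [21/Jun/2011:10:15:32 -0400] "GET /2011/06/post.html HTTP/1.1" 200 5120 '
    '"http://blog.example.org/2011/06/older.html" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17"',
    '203.0.113.7 - - [21/Jun/2011:10:16:01 -0400] "GET /2011/06/post.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"',
    'crawler.example-search.net - - [21/Jun/2011:10:17:45 -0400] "GET /2011/06/post.html HTTP/1.1" '
    '200 5120 "-" "ExampleBot/1.0 (+http://example-search.net/bot)"',
    '198.51.100.4 - - [21/Jun/2011:10:18:09 -0400] "GET /2011/06/post.html HTTP/1.1" 200 5120 '
    '"http://blog.example.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Firefox/4.0.1"',
]

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f"{h.host:28} {h.path:22} {', '.join(h.flags)}")
```

The constructed mail-host line collects all three of the stronger flags, while the ordinary referer-less hits are only listed so they can be read through, which is the point jon makes: a hit whose referer has been manufactured to look like an internal click is the one that would otherwise never be noticed.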

jon said...

to follow up: what does it mean for blackrock?

well i sure as heck wouldn't want that to be my mail server. you don't just up and launch an HTTP proxy on someone else's mailserver without privileged access. meaning, yes, you can probably read all their email, too. and capture the passwords they use to send/receive it.

could be a very bad day for multiple people.

jon said...

one last thing i should add is that nobody should get the idea they ought to step in and do what i won't. do not scan that host. hosts often look precisely this suspicious, in order to entice penetration testers into looking into them, usually turning them into felons.

after all, why would the feds hire and salary college grads? you can just lean on some ambitious kid you've entrapped to do all sorts of unethical things.

WP said...

jon,

The TinyURLs were created by me due to the fact that Blogger would not take the long ixquick proxy URLs. I used ixquick to find out who and what vocuspr is and that is the PRSoftware firm. Further, I used ixquick to find out what belong2 DOT com is too. From that search, I found a robotex page showing that the Black Rock Group is on the same E-mail server as belong2.

Each TinyURL is listed below:

1. ixquick proxy Vocuspr
2. Robotex direct
3. ixquick proxy Black Rock
4. ixquick secure Wiki Entry on Black Rock

Whoever it was that came from Vocuspr received an E-mail suggesting my blog entry from yesterday. Vocuspr is software for automated PR, and I had never heard of them until I noticed that unusual entry in the visitor logs.

I am going to add this to an addendum so there is no confusion.