
How to get access to other mailboxes on mail.ru

The other day, a friend asked me to look at the strange letters being dumped into his mailbox.
We opened his mail, and I saw this letter:

(The details of the letter are hidden so that the attacker does not go after my friend.)



The link, naturally, leads to a fake authentication page:

And that would have been the end of the story, had I not found in the headers of the letter the host and the script from which the mailing was sent.
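The header check described above, as an added example that is not part of the original post. The post does not say which header exposed the host and script, so this sketch assumes the `X-PHP-Script` and `X-PHP-Originating-Script` headers that PHP mailers on shared hosting commonly add, plus the `Received` chain; the sample message and every host and address in it are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every host, path and address below is a placeholder.
SAMPLE = """\
Received: from web7.freehost.example (web7.freehost.example [203.0.113.25])
\tby mx.recipient.example with ESMTP; Mon, 02 Jan 2012 10:00:00 +0400
X-PHP-Script: sender.freehost.example/send.php for 198.51.100.7
X-PHP-Originating-Script: 1001:send.php
From: "Mail Support" <support@recipient.example>
Reply-To: collector@other.example
Subject: Account verification required

Please confirm your account.
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
PHP_SCRIPT = re.compile(r"\s*([^/\s]+)(/\S*)\s+for\s+(\d{1,3}(?:\.\d{1,3}){3})")

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Pull the sending host, script and client IP out of a message's headers."""
    msg = message_from_string(raw)
    found = {"relay_ips": [], "script_host": None, "script_path": None,
             "client_ip": None, "script_file": None}
    # Each Received hop usually records the peer address in square brackets.
    for hop in msg.get_all("Received", []):
        found["relay_ips"] += BRACKETED_IP.findall(hop)
    # Assumed format: "<vhost>/<script path> for <client IP>".
    m = PHP_SCRIPT.match(msg.get("X-PHP-Script", ""))
    if m:
        found["script_host"], found["script_path"], found["client_ip"] = m.groups()
    # Assumed format: "<uid>:<script file>".
    uid, sep, name = msg.get("X-PHP-Originating-Script", "").partition(":")
    if sep and name.strip():
        found["script_file"] = name.strip()
    # A Reply-To on a different domain than From is a common phishing tell.
    sender, reply = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    found["reply_to_mismatch"] = bool(reply) and reply != sender
    return found

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```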


Google turned up the source of this script, along with the name of its log file: log.txt.

The log contains the IP addresses of the person who sent the fakes: 78.36.109.183, 209.73.132.218.
With a little googling on the title, intitle:"Sender Anonym Email", I found another "live" version of the script, and its logs too:

anonim-servis.hak-club.ru/log.txt (mirror)
newamn.h18.ru/log.txt

These too contain the IPs 78.36.109.183 and 213.87.128.72; most likely the bad guy connects directly.

Having studied the logs, it became clear to me that the "hacker" uses the alinashevchykova@mail.ru mailbox as a test address before sending fakes to the victims.

Then it turned out that directory listing is not disabled on the fake's host:


and the file c contains the passwords of the users who fell for the fake:


List of victims:


There is no moral.
Warning users makes no sense: they will just fall for the next "fake" anyway.
There is no point in writing to the hosting provider: the scripts will simply move to other free hosting sites.
Track him down by IP? There is no date or time in the log.

Source: https://habr.com/ru/post/135562/

