"DirectAdmin Client Message" Email - Scam/Real?

I got that one too, 2 of them, one with a suspicious Word doc attachment. Looking at what it seems, other DA users are getting them.
 
Looks like emails are in the wild and we can expect more spam similar to one with copyright theme.
 
I also got one of the copyright infringement emails. It was from a DirectAdmin server (the main domain had default DA html skel files). This is a little worrying... is it possible these are external DirectAdmin clients' servers that have been exploited?
 
I don't know about anyone else, but I rely on Evolution for email, with everything set to plain text. Sure, I may miss out on the pretty fonts and the pretty colors, and I may miss out on all the funky attachments, but email is a tool. Would you paint pretty flowers on your chainsaw? Nope. So even if you choose Gates or Jobs, set your email client to plain text. I always recommend to my clients to try to view untrusted emails in plain text, that way they can see the underlying text in a link and know that it doesn't go where it claims to go. Basically, educate yourself, then educate your clients. After all, your clients sign your paycheck, right?
 
is it possible these are external directadmin clients servers that have been exploited?
Doubt it very much, but there's no way of knowing - I've just checked http://www.securityfocus.com/bid and saw nothing related to the current version, however, it could be so new no-one has reported it yet.

Then again, if it was that serious, as in a widespread serious issue, Mark or John would say so.
 
I'm receiving those emails too, on two different DA accounts (one for my own company, one where I work).

Received 2 for each account so far.

Maybe just blacklisting that sender should help, unless they change it...

Regards
 
I got both emails, "DirectAdmin Client Message" and "Cease and desist copyright infrigement!".

Regarding the "Cease and desist copyright infrigement!", attached is a screenshot of the page that sent out the messages; some of the interface is in the Romanian language.

At most 2 hours after my screenshot the area got protected with a username and password.
 

Then again, if it was that serious, as in a widespread serious issue, Mark or John would say so.

It would be extremely unethical to remain silent if we knew of a widespread security issue. Of course, I can completely understand that customers would have feelings of doubt. We never know if we're getting the full story.

To help alleviate doubt, please remember that:

  • We were transparent about client info being compromised, right from the beginning. All customers received notification less than 24 hours from the incident.
  • There are no reports of DA machines being compromised en masse.
  • We haven't tried to force a DA version update as a disguised attempt to cover some security hole.

None of this makes up for the inconvenience to our customers. However, I wanted to make it clear that this incident does not indicate a universal security hole in DA machines.

Mark
 
Brute Force attempts

Since 5/27 I have seen a significant rise in the number of brute force attempts on sshd and dovecot on my server. I believe that there is a relation to the DA database breach. The attackers may be targeting DA servers. I would encourage everyone to make sure that you are running a firewall and something like APF with BFD to automatically block these login attempts.

Can anyone else confirm a significant rise in the amount of brute force attempts on their server?
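One way to answer the question above from your own logs, as an added example that is not code from this thread: a small Python script that counts failed sshd and dovecot logins per day from constructed syslog lines, lists the top source IPs, and flags days whose count exceeds a baseline taken from the days before 5/27. The log lines and IPs are constructed samples, not values from the thread.

```python
import re
from collections import Counter

# Constructed sample auth log lines (not from the thread), in the syslog
# formats written by OpenSSH and Dovecot for failed logins.
SAMPLE_LOG = """\
May 25 03:11:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 4021 ssh2
May 25 14:22:10 host dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
May 26 09:00:01 host sshd[1340]: Failed password for invalid user admin from 203.0.113.5 port 4099 ssh2
May 27 00:05:33 host sshd[2001]: Failed password for root from 198.51.100.23 port 5001 ssh2
May 27 00:05:35 host sshd[2001]: Failed password for root from 198.51.100.23 port 5001 ssh2
May 27 00:05:37 host sshd[2001]: Failed password for root from 198.51.100.23 port 5001 ssh2
May 27 01:10:00 host dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
May 27 01:10:02 host dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
May 28 02:00:00 host sshd[2300]: Failed password for root from 203.0.113.77 port 6000 ssh2
May 28 02:00:01 host sshd[2300]: Failed password for root from 203.0.113.77 port 6000 ssh2
May 28 02:00:02 host sshd[2300]: Failed password for root from 203.0.113.77 port 6000 ssh2
May 28 02:00:03 host sshd[2300]: Failed password for root from 203.0.113.77 port 6000 ssh2
"""

SSHD_RE = re.compile(r"^(\w{3} {1,2}\d{1,2}) .* sshd\[\d+\]: Failed password for .* from (\S+) port")
DOVECOT_RE = re.compile(r"^(\w{3} {1,2}\d{1,2}) .* dovecot: (?:imap|pop3)-login: .*auth failed.*rip=([\d.]+)")

def parse_failures(log_text):
    """Return a list of (day, service, source_ip) for each failed-login line."""
    out = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            out.append((m.group(1), "sshd", m.group(2)))
            continue
        m = DOVECOT_RE.match(line)
        if m:
            out.append((m.group(1), "dovecot", m.group(2)))
    return out

def failures_per_day(log_text):
    return Counter(day for day, _, _ in parse_failures(log_text))

def top_sources(log_text, n=3):
    return Counter(ip for _, _, ip in parse_failures(log_text)).most_common(n)

def spike_days(log_text, baseline_days, factor=2.0):
    """Days outside the baseline whose failure count exceeds factor * baseline mean."""
    per_day = failures_per_day(log_text)
    base = [per_day.get(d, 0) for d in baseline_days]
    mean = sum(base) / len(base) if base else 0.0
    return sorted(d for d, c in per_day.items() if d not in baseline_days and c > factor * mean)
```

Run it against /var/log/secure and the Dovecot log instead of SAMPLE_LOG; a source that dominates top_sources is a candidate for the BFD/APF deny list.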
 
Does anyone have any information on whether or not the copyright violation notices are being received by anyone not on a server hosted with DirectAdmin? Are they only coming to your email addresses as registered with DirectAdmin?

Jeff
 
Since 5/27 I have seen a significant rise in the number of brute force attempts on sshd and dovecot on my server. I believe that there is a relation to the DA database breach. The attackers may be targeting DA servers. I would encourage everyone to make sure that you are running a firewall and something like APF with BFD to automatically block these login attempts.

Can anyone else confirm a significant rise in the amount of brute force attempts on their server?

Like that?
###############################################################################
# Copyright 2006-2009, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# The following IP addresses will be blocked in iptables
# One IP address per line
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
# Only list IP addresses, not domain names (they will be ignored)
#
# Note: If you add the text "do not delete" to the comments of an entry then
# DENY_IP_LIMIT will ignore those entries and not remove them
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp:in/out:s/d=port:s/d=ip
#
# See readme.txt for more information regarding advanced port filtering
#


I have at least one "port scan" attempt every day... for me at the moment it is a normal thing and always has been.
 
Another mail from hackers. On the site http://creativno.net there is some kind of virus.

Dear Sir,

Attached is a list of the copyrighted material you are infringing on.
As well as hosted on our website at the following address: http://creativno.***/cop**ight.php , under Copyrighted Materials.
We are the proprietors of all copyrighted material that is being infringed upon on your company's website.
We have reserved all rights regarding these trademarked files.
Permission was neither asked nor granted to reproduce our copyrighted material, therefore what your company is doing constitutes infringement of our rights. In terms of the Copyright Statutes, we are entitled to an injunction against your continued infringement, as well as to recover damages from you for the loss we have suffered as a result of your infringing conduct.

In the circumstances, we demand that you immediately:

1. remove all infringing content and notify us in writing that you have done so;

2. pay a licensing fee in the amount of 160,000 USD;

3. immediately cease the use and distribution of copyrighted material;

We await to hear from you by.

This is written without prejudice to our rights, all of which are hereby expressly reserved.

Yours faithfully,
Senior Legal Advisor,
Andrew Lloyd
http://*reativno.n**
 
Anyone else get a new copyright infringement email from 'Andrew Lloyd'? Very similar to the last one..
 