"DirectAdmin Client Message" Email - Scam/Real?

Has someone already taken a look at the source code (as far as possible) of the script(s) where the link in the e-mail is pointing to? Maybe it's possible to know what software is vulnerable (Windows/Mac/Linux and/or which browsers). For example: I just got an e-mail from a customer who has visited the link on his iPhone... as far as I can see there is no AV scanner for the iPhone available, so how should he know if he's infected with some crap? Any ideas?
 

there's "iPhone" in the script, so I guess it tries something

but I don't know anything else
you can try searching for "BlackHole exploit"
 
Also, I visited the link, all the happiness that only a button on either computer. Currently it is scanning with Microsoft Essentials and has already found a few threats. For iPhone/Android/Linux/Windows, DrWeb (www.drweb.com) offers a free virus scanner, and their company was one of the first to define this risk.

- Most are problems in the Cache browser: Opera.
 
Well there is not much point in changing license IDs or anything like that at the moment because we apparently can't even change our passwords. I know it was said that the passwords were hashed, but I'd certainly like mine regenerated all the same.

I'll certainly give the DA staff some time to sort through the incident, but it is disconcerting on a number of fronts. First, assuming they are using DA on this server, it certainly is crucial that we know if there is something to which all DA servers may be vulnerable, because they know the IPs of basically every DA server out there. Second, if they are not even using their own software on this server, then what does that say about their faith in their own platform?

In any case, I'll wait and hope that it was just some minor bug in a very specific piece of software that doesn't pertain to standard DA installations.
 
I'm going to close this thread for now just to keep things from getting out of hand, but we will remain completely transparent. You can e-mail me personally at [email protected], our live chat at http://www.directadmin.com/chat/, or DA_Mark on irc.freenode.net.

Just some further updates:

  • We are still working to figure out the hacker's method, but I can say with certainty that this is NOT a DA bug and your servers are NOT wide open for a similar attack. Please contact me personally for more details.
  • Although client account passwords are encrypted, we will soon have the ability for you to reset/change your passwords through your client account.

I realize your biggest concern is your servers and your customers. However we have no reason to believe any DA machine is open to attack.

Mark
 
Thread is opened again. For specific security questions please contact me outside of the forum. We aren't looking to hide anything but don't want this blown out of proportion either.

Client account passwords have always been encrypted but now you can login to your DA client account and change your password for extra safety.

Mark
 
Server disconnected

We have received the report that the server which was hosting this site was in our datacenter.

We have taken care of that and have closed the customer's server.

If you found any other domain hosted on our network that is doing abuse please write immediately to [email protected]
 
Thanks Mark. Being able to reset passwords is great, so thanks for adding that feature so quickly.

It is also good to get confirmation that this is not indicative of a vulnerability in our DA servers.
 
Please see my pm

I have sent you a pm with some information please look at it urgently.
 
I'd like to show what I am exposed to after clicking the link, I do have NOD32 and the page could only partially be loaded. I also use firefox.

Do you guys know yet what this page does?
 
Mark: I noticed you've said many times that the passwords were encrypted, however could you let us know how well? For example, if it's just MD5 then it's more serious, since MD5 is pretty much obsolete.

Were you salting passwords?

Thanks
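The difference the question above is getting at, shown as an added example that is not part of this thread and says nothing about how DirectAdmin actually stored its passwords. The wordlist and user table are constructed for the demonstration; the salted scheme uses PBKDF2-HMAC-SHA256 from the standard library as one stand-in for a salted, slow password hash (bcrypt or scrypt would do the same job). The point it makes: with unsalted MD5, one cheap hash per candidate word cracks every account sharing that password at once, and the lookup table is reusable across breaches; with a per-user salt and a slow KDF, nothing transfers between users and every guess costs a full KDF run, though a weak password is still found.

```python
import hashlib
import hmac
import os

# Constructed wordlist and user table for the demonstration (not real data).
WORDLIST = ["123456", "password", "letmein", "directadmin", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}

# Kept low so the demo runs in a second or two; production deployments use far more.
PBKDF2_ITERATIONS = 100_000


def md5_unsalted(password):
    """What an 'encrypted' password column looks like when it is plain MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stored_by_user, wordlist):
    """One MD5 per candidate word recovers every user who chose that word.

    The table is computed once and can be reused against any other unsalted dump.
    """
    table = {md5_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in stored_by_user.items() if h in table}


def hash_salted(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 here)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Self-describing record: algorithm, cost, salt and digest, all hex.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and cost; constant-time compare of the digests."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored_by_user, wordlist):
    """No shared table is possible: every guess is a full KDF run per user."""
    found = {}
    for user, stored in stored_by_user.items():
        for w in wordlist:
            if verify_salted(w, stored):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    md5_dump = {u: md5_unsalted(p) for u, p in USERS.items()}
    print("unsalted: alice and bob identical:", md5_dump["alice"] == md5_dump["bob"])
    print("unsalted cracked:", crack_unsalted(md5_dump, WORDLIST))
    salted_dump = {u: hash_salted(p) for u, p in USERS.items()}
    print("salted: alice and bob identical:", salted_dump["alice"] == salted_dump["bob"])
    print("salted cracked (weak passwords still fall):", crack_salted(salted_dump, WORDLIST))
```

Salting does not rescue "letmein"; it removes the shortcut. That is why the question of salt matters even when the hashes were never meant to be reversed.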
 

rmwebs; If you did read the posts of Mark, you may have noticed, that he's asking people with more specific questions, to email him directly, since he's not going to post that on the forum ;)
 
Same email at 25/05/2011 22:53 (GMT+1, Italy time):
Dear Luigi Bellucci,

Please note that currently there is a security vulnerability concerning the current DirectAdmin version, in order to learn how to protect your server until we can issue a patch please visit http://www.austinfosec.com.au/update.php


Thank you,
DirectAdmin.com

Code:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 25 May 2011 22:52:02 +0200
Received: from mail by serpico.dierrelido.it with spam-scanned (Exim 4.71)
	(envelope-from <[email protected]>)
	id 1QPL3g-0006du-9z
	for [email protected]; Wed, 25 May 2011 22:52:02 +0200
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	serpico.dierrelido.it
X-Spam-Level: 
X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_HELO_PASS,SPF_PASS
	autolearn=ham version=3.2.5
Received: from jbmc-software.com ([216.194.67.119])
	by serpico.dierrelido.it with esmtps (TLSv1:AES256-SHA:256)
	(Exim 4.71)
	(envelope-from <[email protected]>)
	id 1QPL3g-0006dm-0T
	for [email protected]; Wed, 25 May 2011 22:52:00 +0200
Received: from apache by jbmc-software.com with local (Exim 4.76)
	(envelope-from <[email protected]>)
	id 1QPL4h-0005Wf-Rp
	for [email protected]; Wed, 25 May 2011 14:53:03 -0600
To: [email protected]
Subject: DirectAdmin Client Message
From: DirectAdmin <[email protected]>
Message-Id: <[email protected]>
Date: Wed, 25 May 2011 14:53:03 -0600
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
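What the headers above say when read bottom-up, as an added example that is not part of the original post. The header text in the block is a constructed, abridged copy of the quoted headers with the page's redacted "[email protected]" placeholders kept as they appear, plus a one-line body carrying the link from the message. The set of web-server user names and the "link host outside the originating server's domain" heuristic are assumptions made for the example, not rules from the page. The bottom-most Received line is the interesting one: the mail entered Exim on jbmc-software.com from the local user apache, i.e. a web script on that server generated it, and because that host is the legitimate sender, SPF passed and offered no signal.

```python
import re
from email import message_from_string

# Constructed, abridged copy of the headers quoted in the post above, plus the
# link from the body. Redacted "[email protected]" addresses are kept as shown.
RAW_MESSAGE = """\
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 25 May 2011 22:52:02 +0200
Received: from mail by serpico.dierrelido.it with spam-scanned (Exim 4.71)
\t(envelope-from <[email protected]>)
\tid 1QPL3g-0006du-9z
\tfor [email protected]; Wed, 25 May 2011 22:52:02 +0200
X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_HELO_PASS,SPF_PASS
\tautolearn=ham version=3.2.5
Received: from jbmc-software.com ([216.194.67.119])
\tby serpico.dierrelido.it with esmtps (TLSv1:AES256-SHA:256)
\t(Exim 4.71)
\t(envelope-from <[email protected]>)
\tid 1QPL3g-0006dm-0T
\tfor [email protected]; Wed, 25 May 2011 22:52:00 +0200
Received: from apache by jbmc-software.com with local (Exim 4.76)
\t(envelope-from <[email protected]>)
\tid 1QPL4h-0005Wf-Rp
\tfor [email protected]; Wed, 25 May 2011 14:53:03 -0600
To: [email protected]
Subject: DirectAdmin Client Message
From: DirectAdmin <[email protected]>
Date: Wed, 25 May 2011 14:53:03 -0600

Please visit http://www.austinfosec.com.au/update.php
"""

# Assumed list of local users that mean "a web application handed this to the MTA".
WEB_USERS = {"apache", "www-data", "nobody", "httpd"}

# Matches the "from X (info) by Y with Z" clause Exim and Sendmail write.
HOP_RE = re.compile(r"from (\S+)(?: \(([^)]*)\))? by (\S+) with (\S+)")


def received_hops(raw):
    """Return the Received chain as dicts, top (latest hop) to bottom (origin)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)  # unfold tab-continued lines
        m = HOP_RE.match(flat)
        if m:
            hops.append({"from": m.group(1), "from_info": m.group(2),
                         "by": m.group(3), "with": m.group(4)})
    return hops


def analyse(raw):
    """Summarise where the mail entered the mail system and what stands out."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    if not hops:
        raise ValueError("no parseable Received headers")
    origin = hops[-1]  # bottom-most Received header = first hop
    findings = []
    if origin["with"] == "local" and origin["from"] in WEB_USERS:
        findings.append(f"injected into the MTA locally by web user '{origin['from']}' "
                        f"on {origin['by']}: a web script on that server generated the mail")
    link_hosts = re.findall(r"https?://([^/\s]+)", msg.get_payload())
    for host in link_hosts:
        # Heuristic only: a link outside the originating server's domain is worth a manual look.
        if host != origin["by"] and not host.endswith("." + origin["by"]):
            findings.append(f"link host {host} is outside the originating server's domain "
                            f"{origin['by']}: check it by hand before trusting it")
    if "SPF_PASS" in msg.get("X-Spam-Status", ""):
        findings.append("SPF passed: the sending host is authorised for the sender domain, "
                        "so SPF (and DKIM, if any) will not flag this message")
    return {"hops": hops, "origin": origin, "link_hosts": link_hosts, "findings": findings}


if __name__ == "__main__":
    report = analyse(RAW_MESSAGE)
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: from={hop['from']} by={hop['by']} with={hop['with']}")
    for finding in report["findings"]:
        print("-", finding)
```

The middle hop shows the connecting IP in brackets, which is what you would compare against the sender domain's published records; the origin hop is what tells you the compromise is on the sender's side rather than a spoof.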
 

You can clean your computer pretty quickly with TrendCall, for example:
http://housecall.trendmicro.com/uk/

I tested the infected website link with a computer dedicated to viruses and things like that... it was cleaned up fine with TrendCall.
 