"DirectAdmin Client Message" Email - Scam/Real?

P

pluk

Verified User
Joined
May 13, 2004
Messages
223
Is this security a SPAM???

From: DirectAdmin <da-mailer@directadmin.com>
Subject: DirectAdmin Client Message

Dear --------,

Please note that currently there is a security vulnerability concerning the current
DirectAdmin version, in order to learn how to protect your server until we can issue
a patch please visit http://www.austinfosec.com.au/update.php


Thank you,
DirectAdmin.com
 
I just got the same exact email...

Return-Path: <directadmin@directadmin.com>
Received: from jbmc-software.com (jbmc-software.com [216.194.67.119])
by mx.google.com with ESMTPS id uz1si1076821icb.37.2011.05.25.13.50.13
(version=TLSv1/SSLv3 cipher=OTHER);
Wed, 25 May 2011 13:50:14 -0700 (PDT)
Received-SPF: pass (google.com: domain of directadmin@directadmin.com designates 216.194.67.119 as permitted sender) client-ip=216.194.67.119;
Received: from apache by jbmc-software.com with local (Exim 4.76)
(envelope-from <directadmin@directadmin.com>)
id 1QPL32-0003rx-8x
 
i recieved this email too.

If this is a spam, how they can get my name and my email address correctly?
 
Fradulent email?

Just received this..

Dear Douglas B Haber,

Please note that currently there is a security vulnerability concerning the current DirectAdmin version, in order to learn how to protect your server until we can issue a patch please visit http://www.austinfosec.xxx.au/update.php


Thank you,
DirectAdmin.com
Click to expand...

Clearly not authentic.. but they have my email.. DirectAdmin hax?
 
Yeah I had my name too. DA admins, can you please clarify?

Received: by 10.90.241.13 with SMTP id o13cs134960agh; Wed, 25 May 2011 13:49:20 -0700 (PDT)
Received: by 10.231.121.216 with SMTP id i24mr55002ibr.5.1306356559690; Wed, 25 May 2011 13:49:19 -0700 (PDT)
Received: from jbmc-software.com (jbmc-software.com [216.194.67.119]) by mx.google.com with ESMTPS id x9si157171ibh.99.2011.05.25.13.49.18 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 25 May 2011 13:49:18 -0700 (PDT)
Received: from apache by jbmc-software.com with local (Exim 4.76) (envelope-from <directadmin@directadmin.com>) id 1QPL29-0002q6-0L for pluk@impressio.ca; Wed, 25 May 2011 14:50:25 -0600
Return-Path: <directadmin@directadmin.com>
Received-Spf: pass (google.com: domain of directadmin@directadmin.com designates 216.194.67.119 as permitted sender) client-ip=216.194.67.119;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of directadmin@directadmin.com designates 216.194.67.119 as permitted sender) smtp.mail=directadmin@directadmin.com
Message-Id: <E1QPL29-0002q6-0L@jbmc-software.com>
 
Spam/Phishing? DirectAdmin Client Message

Just received this mail in my inbox (e-mail):

From: DirectAdmin [mailto:da-mailer@directadmin.com]
Sent: woensdag 25 mei 2011 22:51
To: XXX
Subject: DirectAdmin Client Message

Dear XXX,

Please note that currently there is a security vulnerability concerning the current DirectAdmin version, in order to learn how to protect your server until we can issue a patch please visit http://www.austinfosec.com.au/update.php


Thank you,
DirectAdmin.com
Click to expand...
Is this a valid message? Could not find anything about it on the forum yet.

Headers:
Received: from jbmc-software.com (216.194.67.119) by xxx.xxx.xx
(172.16.250.210) with Microsoft SMTP Server (TLS) id 8.1.436.0; Wed, 25 May
2011 22:49:44 +0200
Received: from apache by jbmc-software.com with local (Exim 4.76)
(envelope-from <directadmin@directadmin.com>) id 1QPL2W-0003Hu-Tx for
xxx@xxx; Wed, 25 May 2011 14:50:48 -0600
To: <xxx@xxx>
Subject: DirectAdmin Client Message
From: DirectAdmin <da-mailer@directadmin.com>
Message-ID: <E1QPL2W-0003Hu-Tx@jbmc-software.com>
Date: Wed, 25 May 2011 14:50:48 -0600
MIME-Version: 1.0
Content-Type: text/plain
Return-Path: directadmin@directadmin.com
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: jbmc-software.com
X-GFI-SMTP-RemoteIP: 216.194.67.119
Click to expand...
 
Looks like a server is hacked...

Code: 
	Van: 	DirectAdmin <da-mailer@directadmin.com>
	Onderwerp: 	DirectAdmin Client Message
(...)
	Received: 	from server2.filtermail.eu ([85.17.205.251]) by adam.in1klik.nl with esmtps (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <directadmin@directadmin.com>) id 1QPL3A-0001N8-Lg for randy@aklmedia.nl; Wed, 25 May 2011 22:51:28 +0200
	Received: 	from jbmc-software.com ([216.194.67.119]) by server2.filtermail.eu with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <directadmin@directadmin.com>) id 1QPL3z-0003sa-Pc for randy@aklmedia.nl; Wed, 25 May 2011 22:52:28 +0200
	Received: 	from apache by jbmc-software.com with local (Exim 4.76) (envelope-from <directadmin@directadmin.com>) id 1QPL50-0005ls-90 for randy@aklmedia.nl; Wed, 25 May 2011 14:53:22 -0600
	Message-Id: 	<E1QPL50-0005ls-90@jbmc-software.com>
	Received-Spf: 	Received-SPF: pass (server2.filtermail.eu: domain of directadmin.com designates 216.194.67.119 as permitted sender) client-ip=216.194.67.119; envelope-from=directadmin@directadmin.com; helo=jbmc-software.com;
	X-Spf-Result: 	server2.filtermail.eu: domain of directadmin.com designates 216.194.67.119 as permitted sender
	X-Spf: 	pass
	X-Ols-Boguswarn: 	No x-mailer header
	X-Ols-Boguswarn: 	Sent by robot (mfrom)
	X-Ols-Boguswarn: 	Sent by robot (From:)
	X-Fake-Warning: 	OK - 5000 points
	X-Filter-Id: 	XtLePq6GTMn8G68F0EmQve9sOybHbNjwoourtTCVrOvnyrNzTeFPWx66s/MLrrLAS7X5R1anTuIn Gq7k6TFebWQ5ZcPo2zavaIwIuwv2SqA4zRxQJj2DuZ1YYzNQ6Ok4NnDuFQ1kxqTeo7E2me9LrfI8 +gAvTzmvR9boBKdd/1zbnbZw5rlyjpgD1kEPC6KHvewR4GcrMXLS3kY6CAo4/rA7SwKBklAAzGDl H/yt1lHLf5qsjZkwKN1JVK2Kks799R/2gMGq0KWAzmMf+ibVDhO74WP7oig6AJKRgcUl6MZ4UsI+ aSVu1DgAomPoHRPa/b9N3TCpi26Qiqgg+uPHBMqtJwQ5BQh6LHvW/c5BBojIvfSw53BgNF/GB2yS +Ho/HM4PDUthpgkNh9t/fOdpSL64jneVZyLEKWp1aJ10Ql1yyqppsTYzYAtoaMJsxAfweoWeEoK4 kS3whDXu3JqLoPY4ocfmWv3Fe9Iziczdq+A=
	X-Filtermail-Class: 	ham;
	X-Filtermail-Score: 	0.34773902084
	X-Filtermail-Evidence: 	'ole': 0.50; 'crm114': 0.50; 'direct': 0.50; 'spambayes.global_tokens': 0.09; 'pyzor': 0.50; 'sa': 0.50; 'os': 0.42; 'dkim': 0.50; 'dnsbl': 0.75; 'sender': 0.50
	X-Filtermail-Thermostat: 	--
 
Just got another one...


by 10.90.241.13 with SMTP id o13cs135193agh; Wed, 25 May 2011 13:58:04 -0700 (PDT)
Received: by 10.231.82.197 with SMTP id c5mr28076ibl.131.1306357084388; Wed, 25 May 2011 13:58:04 -0700 (PDT)
Received: from jbmc-software.com (jbmc-software.com [216.194.67.119]) by mx.google.com with ESMTPS id c6si174258ibj.12.2011.05.25.13.58.04 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 25 May 2011 13:58:04 -0700 (PDT)
Received: from apache by jbmc-software.com with local (Exim 4.76) (envelope-from <directadmin@directadmin.com>) id 1QPLAc-0001AW-NM for pluk@impressio.ca; Wed, 25 May 2011 14:59:10 -0600
Return-Path: <directadmin@directadmin.com>
Received-Spf: pass (google.com: domain of directadmin@directadmin.com designates 216.194.67.119 as permitted sender) client-ip=216.194.67.119;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of directadmin@directadmin.com designates 216.194.67.119 as permitted sender) smtp.mail=directadmin@directadmin.com
Auto-Submitted: auto-generated
Message-Id: <20110525205910.1eb9cf780d9e@www.directadmin.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
 
This is a phising scam! My antivirus detected an backdoor embedded in the webpage.

Strange fact; The e-mail comes from the DirectAdmin server itsself, plus it addreses me by the name i was known with DirectAdmin..
 
Randy said:
Looks like a server is hacked...

Code: 
	Van: 	DirectAdmin <da-mailer@directadmin.com>
	Onderwerp: 	DirectAdmin Client Message
(...)
	Received: 	from server2.filtermail.eu ([85.17.205.251]) by adam.in1klik.nl with esmtps (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <directadmin@directadmin.com>) id 1QPL3A-0001N8-Lg for randy@aklmedia.nl; Wed, 25 May 2011 22:51:28 +0200
	Received: 	from jbmc-software.com ([216.194.67.119]) by server2.filtermail.eu with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <directadmin@directadmin.com>) id 1QPL3z-0003sa-Pc for randy@aklmedia.nl; Wed, 25 May 2011 22:52:28 +0200
	Received: 	from apache by jbmc-software.com with local (Exim 4.76) (envelope-from <directadmin@directadmin.com>) id 1QPL50-0005ls-90 for randy@aklmedia.nl; Wed, 25 May 2011 14:53:22 -0600
	Message-Id: 	<E1QPL50-0005ls-90@jbmc-software.com>
	Received-Spf: 	Received-SPF: pass (server2.filtermail.eu: domain of directadmin.com designates 216.194.67.119 as permitted sender) client-ip=216.194.67.119; envelope-from=directadmin@directadmin.com; helo=jbmc-software.com;
	X-Spf-Result: 	server2.filtermail.eu: domain of directadmin.com designates 216.194.67.119 as permitted sender
	X-Spf: 	pass
	X-Ols-Boguswarn: 	No x-mailer header
	X-Ols-Boguswarn: 	Sent by robot (mfrom)
	X-Ols-Boguswarn: 	Sent by robot (From:)
	X-Fake-Warning: 	OK - 5000 points
	X-Filter-Id: 	XtLePq6GTMn8G68F0EmQve9sOybHbNjwoourtTCVrOvnyrNzTeFPWx66s/MLrrLAS7X5R1anTuIn Gq7k6TFebWQ5ZcPo2zavaIwIuwv2SqA4zRxQJj2DuZ1YYzNQ6Ok4NnDuFQ1kxqTeo7E2me9LrfI8 +gAvTzmvR9boBKdd/1zbnbZw5rlyjpgD1kEPC6KHvewR4GcrMXLS3kY6CAo4/rA7SwKBklAAzGDl H/yt1lHLf5qsjZkwKN1JVK2Kks799R/2gMGq0KWAzmMf+ibVDhO74WP7oig6AJKRgcUl6MZ4UsI+ aSVu1DgAomPoHRPa/b9N3TCpi26Qiqgg+uPHBMqtJwQ5BQh6LHvW/c5BBojIvfSw53BgNF/GB2yS +Ho/HM4PDUthpgkNh9t/fOdpSL64jneVZyLEKWp1aJ10Ql1yyqppsTYzYAtoaMJsxAfweoWeEoK4 kS3whDXu3JqLoPY4ocfmWv3Fe9Iziczdq+A=
	X-Filtermail-Class: 	ham;
	X-Filtermail-Score: 	0.34773902084
	X-Filtermail-Evidence: 	'ole': 0.50; 'crm114': 0.50; 'direct': 0.50; 'spambayes.global_tokens': 0.09; 'pyzor': 0.50; 'sa': 0.50; 'os': 0.42; 'dkim': 0.50; 'dnsbl': 0.75; 'sender': 0.50
	X-Filtermail-Thermostat: 	--
Click to expand...

I figured that to be the case. I'm concerned how much of my data has been exposed.
 
Spam?

Here's an interesting one. Just got a spam email from someone claiming to be DA. Message source is below:

Code: 
Return-path: <directadmin@directadmin.com>
Envelope-to: [my email address]
Delivery-date: Wed, 25 May 2011 16:53:54 -0400
Received: from mail by illusion.bluespidernetwork.co.uk with spam-scanned (Exim 4.72)
	(envelope-from <directadmin@directadmin.com>)
	id 1QPL5U-0004Jk-GI
	for [my email address]; Wed, 25 May 2011 16:53:54 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	illusion.bluespidernetwork.co.uk
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS,
	SPF_PASS autolearn=ham version=3.3.1
Received: from jbmc-software.com ([216.194.67.119])
	by illusion.bluespidernetwork.co.uk with esmtps (TLSv1:AES256-SHA:256)
	(Exim 4.72)
	(envelope-from <directadmin@directadmin.com>)
	id 1QPL5U-0004Jg-Bt
	for [my email address]; Wed, 25 May 2011 16:53:52 -0400
Received: from apache by jbmc-software.com with local (Exim 4.76)
	(envelope-from <directadmin@directadmin.com>)
	id 1QPL6X-00076l-Sf
	for [my email address]; Wed, 25 May 2011 14:54:57 -0600
To: [my email address]
Subject: DirectAdmin Client Message
From: DirectAdmin <da-mailer@directadmin.com>
Message-Id: <E1QPL6X-00076l-Sf@jbmc-software.com>
Date: Wed, 25 May 2011 14:54:57 -0600
X-Antivirus-Scanner: Clean mail, though you should still use an Antivirus scanner

Dear [my real name],

Please note that currently there is a security vulnerability concerning the current
DirectAdmin version, in order to learn how to protect your server until we can issue
a patch please visit http www austinfosec com au update.php


Thank you,	
DirectAdmin.com

(URL manipulated to prevent search engine spiders picking it up).
The source code to that site has an iframe which directs somewhere else. The code to THAT site has some "encrypted" javascript that runs on load. I can only assume this attempts to do something malicious. Probably doesn't work in Firefox/Linux anyway.

Just making anyone at JBMC aware of this, and any other DA admins that come across this message. What's more interesting is that it has my full and correct name.
 
Last edited:
You must log in or register to reply here.
Back
Top