eBay security issue — eBay Trust and Safety Department

The following is an email I received on the 10th of March 2005. As you can see, it includes an address in .nl which has nothing to do with eBay. And I won't mention that I'm not a member, so it couldn't really affect me, could it?!

Since the machine was still connected at the time I checked the email, I ran a traceroute:

traceroute to 209.174.122.21 (209.174.122.21), 30 hops max, 38 byte packets
 1  cayman (192.168.1.254)  0.468 ms  0.391 ms  0.369 ms
 2  adsl-64-166-38-37.dsl.scrm01.pacbell.net (64.166.38.37)  8.089 ms  7.153 ms  7.408 ms
 3  dist1-vlan60.scrm01.pbi.net (64.171.152.130)  7.859 ms  7.243 ms  7.524 ms
 4  bb2-g8-3-0.scrm01.pbi.net (64.171.152.248)  7.611 ms  7.446 ms  7.913 ms
 5  bb1-p12-0.scrm01.sbcglobal.net (151.164.188.125)  8.057 ms  7.909 ms  7.598 ms
 6  bb1-p10-3.crscca.sbcglobal.net (151.164.188.121)  11.649 ms  13.327 ms  11.301 ms
 7  ex2-p14-0.eqsjca.sbcglobal.net (151.164.242.230)  12.494 ms  13.526 ms  12.377 ms
 8  ex1-p10-0.eqsjca.sbcglobal.net (151.164.191.66)  215.758 ms  139.392 ms  213.456 ms
 9  sl-st20-sj-0-0.sprintlink.net (144.223.242.81)  12.069 ms  12.942 ms  12.657 ms
10  sl-bb21-sj-9-0.sprintlink.net (144.232.9.59)  104.169 ms  14.369 ms  30.610 ms
11  sl-bb24-chi-3-0.sprintlink.net (144.232.20.160)  59.922 ms  60.763 ms  60.629 ms
12  sl-bb23-chi-14-0.sprintlink.net (144.232.26.102)  60.435 ms  60.982 ms  60.320 ms
13  sl-gw36-chi-15-0.sprintlink.net (144.232.26.66)  60.543 ms  59.331 ms  59.183 ms
14  sl-nufx-6-0.sprintlink.net (144.223.21.18)  59.826 ms  60.902 ms  60.124 ms
15  pos-6-0-nap-sob2-nap-sob1.chicago.lincon.net (206.166.9.121)  65.105 ms  65.320 ms  65.295 ms
16  POS-1-0-6-PeoriaCore-PEO-P1-1-NapSOB1-CHI-P1.lincon.net (206.166.5.66)  65.824 ms  65.371 ms  65.298 ms
17  POS-4-0-6-NewPeoCore-PEO-P2-6-PeoriaCore-PEO-P1.lincon.net (206.166.9.134)  64.562 ms  65.615 ms  64.873 ms
18  atm2-0-sub03-peoria-core-wiu-core.macomb.lincon.net (206.166.9.198)  65.011 ms  65.816 ms  66.240 ms
19  atm-1-0-0-4-wiu-core-wiu-dist.macomb.lincon.net (206.166.9.130)  65.279 ms  123.672 ms  79.265 ms
20  s1-wiu-ii-union.macomb.lincon.net (206.166.85.46)  75.213 ms  68.839 ms  79.473 ms
21  linuxuhs.union.115.k12.il.us (209.174.122.21)  81.830 ms  68.362 ms  68.297 ms


The "home" page at 209.174.122.21 was the default Fedora Core test page.

Directory listing wasn't turned off, so the location of the PHP scripts impersonating eBay's regular scripts was visible:

Index of /.signin.ebay.com/ws

Icon  Name                              Last modified      Size  Description
[DIR] Parent Directory                                     -
[PHP] eBayISAPIdllPlaceCCInfo.php       30-Nov-2004 13:21  44K
[PHP] eBayISAPIdllPlaceCCInfoError.php  30-Nov-2004 13:21  18K
[PHP] eBayISAPIdllSignIn.php            30-Nov-2004 13:21  22K
[PHP] eBayISAPIdllSignInError.php       30-Nov-2004 13:21  22K
[PHP] eBayISAPIdllThankYou.php          10-Mar-2005 04:01  19K
[DIR] pic/                              06-Jul-2004 03:23  -

Apache/2.0.52 (Fedora) Server at 209.174.122.21 Port 80

Most of these "scripts" are actually plain HTML pages.

At least the script "eBayISAPIdllThankYou.php" includes a virus which attacks MS-Windows using a buffer overrun in Visual Basic.

I made a package that you can download here: ebay-trust.zip (use wget if your browser wants to load this file as an HTML page). My package doesn't include the images.

Of course, all of this is illegal, and it looks like someone in the US has been hacked (hackers rarely do this sort of thing on their own computers).

The table below includes style sheets from Yahoo! which may change over time, so it may not look right after a while. Sorry!

X-Apparently-To: alexis_wilke@yahoo.com via 206.190.38.194; Thu, 10 Mar 2005 19:29:57 -0800
Authentication-Results: mta226.mail.scd.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
X-Originating-IP: [66.35.250.206]
Return-Path: <root@weidenaar.com>
Received: from 66.35.250.206 (EHLO sc8-sf-mx1.sourceforge.net) (66.35.250.206) by mta226.mail.scd.yahoo.com with SMTP; Thu, 10 Mar 2005 19:29:57 -0800
Received: from amsfep18-int.chello.nl ([213.46.243.13]) by sc8-sf-mx1.sourceforge.net with esmtp (Exim 4.41) id 1D9aqZ-0004hU-Js for alexis_wilke@users.sourceforge.net; Thu, 10 Mar 2005 19:29:57 -0800
Received: from weidenaar.com ([213.93.126.186]) by amsfep18-int.chello.nl (InterMail vM.6.01.04.01 201-2131-118-101-20041129) with SMTP id <20050311032948.QBUK4045.amsfep18-int.chello.nl@weidenaar.com> for <alexis_wilke@users.sourceforge.net>; Fri, 11 Mar 2005 04:29:48 +0100
Received: (qmail 18356 invoked by uid 0); 11 Mar 2005 01:40:04 -0000
Date: 11 Mar 2005 01:40:03 -0000
Message-ID: <20050311014003.18355.qmail@weidenaar.com>
To: alexis_wilke@users.sourceforge.net
Subject: IMPORTANT:Security Issues [Incident: 040921]
From: security@ebay.com
Content-Type: text/html
X-Spam-Score: 2.0 (++)
X-Spam-Report: Spam Filtering performed by sourceforge.net. See http://spamassassin.org/tag/ for more details. Report problems to http://sf.net/tracker/?func=add&group_id=1&atid=200001 0.1 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL 0.0 HTML_60_70 BODY: Message is 60% to 70% HTML 0.0 HTML_MESSAGE BODY: HTML included in message 1.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 0.3 HTML_TITLE_UNTITLED BODY: HTML title contains "Untitled" 0.5 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
Content-Length: 1977


Update Your Account Information Within 24 Hours

Valued eBay Member,

According to our site policy you will have to confirm that you are the real owner of the eBay account by completing the following form or else your account will be suspended within 24 hours for investigations.

Never share your eBay password to anyone!

Establish your proof of identity with ID Verify (free of charge) - an easy way to help others trust you as their trading partner. The process takes about 5 minutes to complete and involves updating your eBay information. When you're successfully verified, you will receive an ID Verify icon in your feedback profile. Currently, the service is only available to residents of the United States and U.S. territories (Puerto Rico, US Virgin Islands and Guam.)

eBay logo

To update your eBay records >> Click here <<

We appreciate your support and understanding, as we work together to keep eBay a safe place to trade.
Thank you for your patience in this matter.

 

Trust and Safety Department
eBay Inc.

Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

Note : Ignoring this message will cause the Suspension of your account . To reactivate it you will have to pay a fee of 350 $ .


Copyright 1995-2004 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy. Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are trademarks of eBay Inc. eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125.
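As an added example (not part of the original post), the following Python walks the Received: chain of the message quoted above, oldest relay first, and checks whether the envelope sender and the first relay belong to the claimed From: domain, which is the mismatch the post points out. The sample link URL is assembled from the IP and directory path shown on the page and is an assumption; the email's actual link is not quoted.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Headers of the phishing message quoted above (transcribed from the page; body omitted).
RAW_HEADERS = """\
Return-Path: <root@weidenaar.com>
Received: from 66.35.250.206 (EHLO sc8-sf-mx1.sourceforge.net) (66.35.250.206) by mta226.mail.scd.yahoo.com with SMTP; Thu, 10 Mar 2005 19:29:57 -0800
Received: from amsfep18-int.chello.nl ([213.46.243.13]) by sc8-sf-mx1.sourceforge.net with esmtp (Exim 4.41) id 1D9aqZ-0004hU-Js for alexis_wilke@users.sourceforge.net; Thu, 10 Mar 2005 19:29:57 -0800
Received: from weidenaar.com ([213.93.126.186]) by amsfep18-int.chello.nl (InterMail vM.6.01.04.01 201-2131-118-101-20041129) with SMTP id <20050311032948.QBUK4045.amsfep18-int.chello.nl@weidenaar.com> for <alexis_wilke@users.sourceforge.net>; Fri, 11 Mar 2005 04:29:48 +0100
Received: (qmail 18356 invoked by uid 0); 11 Mar 2005 01:40:04 -0000
From: security@ebay.com
Subject: IMPORTANT:Security Issues [Incident: 040921]
"""

# "from <host> (...comments...) by <host>": the relay hop each MTA records.
HOP_RE = re.compile(r"\bfrom\s+(\S+)\s+(?:\([^)]*\)\s*)*by\s+(\S+)", re.I)

def received_hops(raw):
    """Return (sending_host, receiving_host) pairs, oldest hop first.
    MTAs prepend Received: headers, so the top header is the newest."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(hdr)
        if m:  # the local "(qmail ... invoked by uid 0)" line has no from/by pair
            hops.append((m.group(1).lower(), m.group(2).lower()))
    hops.reverse()
    return hops

def domain_of(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def sender_mismatches(raw):
    """Phishing signal: envelope sender or first relay is not under the From: domain."""
    msg = message_from_string(raw)
    claimed = domain_of(msg["From"])
    envelope = domain_of(msg["Return-Path"])
    origin = received_hops(raw)[0][0]
    same = lambda host: host == claimed or host.endswith("." + claimed)
    return {"from": claimed, "return_path": envelope, "origin": origin,
            "suspicious": not (same(envelope) and same(origin))}

def ip_host_with_brand_path(url, brand="ebay.com"):
    """Flag links whose host is a bare IP while the path pretends to be the brand's site
    (the SpamAssassin NORMAL_HTTP_TO_IP hit in the headers, plus the /.signin.ebay.com path)."""
    u = urlparse(url)
    ip_host = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", u.hostname or "") is not None
    return ip_host and brand in u.path.lower()
```

Running `sender_mismatches(RAW_HEADERS)` reports From: ebay.com but Return-Path and first relay weidenaar.com, and the constructed URL `http://209.174.122.21/.signin.ebay.com/ws/eBayISAPIdllSignIn.php` is flagged while `https://signin.ebay.com/ws/eBayISAPIdllSignIn.php` is not.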