"DirectAdmin Client Message" Email - Scam/Real?

pluk

Is this security notice spam???

From: DirectAdmin <[email protected]>
Subject: DirectAdmin Client Message

Dear --------,

Please note that currently there is a security vulnerability concerning the current
DirectAdmin version, in order to learn how to protect your server until we can issue
a patch please visit http://www.austinfosec.com.au/update.php


Thank you,
DirectAdmin.com
 
I just got the same exact email...

Return-Path: <[email protected]>
Received: from jbmc-software.com (jbmc-software.com [216.194.67.119])
by mx.google.com with ESMTPS id uz1si1076821icb.37.2011.05.25.13.50.13
(version=TLSv1/SSLv3 cipher=OTHER);
Wed, 25 May 2011 13:50:14 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 216.194.67.119 as permitted sender) client-ip=216.194.67.119;
Received: from apache by jbmc-software.com with local (Exim 4.76)
(envelope-from <[email protected]>)
id 1QPL32-0003rx-8x
 
I received this email too.

If this is spam, how can they get my name and my email address correctly?
 
Fraudulent email?

Just received this...

Dear Douglas B Haber,

Please note that currently there is a security vulnerability concerning the current DirectAdmin version, in order to learn how to protect your server until we can issue a patch please visit http://www.austinfosec.xxx.au/update.php


Thank you,
DirectAdmin.com

Clearly not authentic... but they have my email... DirectAdmin hax?
 
Yeah I had my name too. DA admins, can you please clarify?

Received: by 10.90.241.13 with SMTP id o13cs134960agh; Wed, 25 May 2011 13:49:20 -0700 (PDT)
Received: by 10.231.121.216 with SMTP id i24mr55002ibr.5.1306356559690; Wed, 25 May 2011 13:49:19 -0700 (PDT)
Received: from jbmc-software.com (jbmc-software.com [216.194.67.119]) by mx.google.com with ESMTPS id x9si157171ibh.99.2011.05.25.13.49.18 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 25 May 2011 13:49:18 -0700 (PDT)
Received: from apache by jbmc-software.com with local (Exim 4.76) (envelope-from <[email protected]>) id 1QPL29-0002q6-0L for [email protected]; Wed, 25 May 2011 14:50:25 -0600
Return-Path: <[email protected]>
Received-Spf: pass (google.com: domain of [email protected] designates 216.194.67.119 as permitted sender) client-ip=216.194.67.119;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 216.194.67.119 as permitted sender) [email protected]
Message-Id: <[email protected]>
 
Spam/Phishing? DirectAdmin Client Message

Just received this mail in my inbox (e-mail):

From: DirectAdmin [mailto:[email protected]]
Sent: woensdag 25 mei 2011 22:51
To: XXX
Subject: DirectAdmin Client Message

Dear XXX,

Please note that currently there is a security vulnerability concerning the current DirectAdmin version, in order to learn how to protect your server until we can issue a patch please visit http://www.austinfosec.com.au/update.php


Thank you,
DirectAdmin.com
Is this a valid message? Could not find anything about it on the forum yet.

Headers:
Received: from jbmc-software.com (216.194.67.119) by xxx.xxx.xx
(172.16.250.210) with Microsoft SMTP Server (TLS) id 8.1.436.0; Wed, 25 May
2011 22:49:44 +0200
Received: from apache by jbmc-software.com with local (Exim 4.76)
(envelope-from <[email protected]>) id 1QPL2W-0003Hu-Tx for
xxx@xxx; Wed, 25 May 2011 14:50:48 -0600
To: <xxx@xxx>
Subject: DirectAdmin Client Message
From: DirectAdmin <[email protected]>
Message-ID: <[email protected]>
Date: Wed, 25 May 2011 14:50:48 -0600
MIME-Version: 1.0
Content-Type: text/plain
Return-Path: [email protected]
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: jbmc-software.com
X-GFI-SMTP-RemoteIP: 216.194.67.119
 
Looks like a server is hacked...

Code:
	Van: 	DirectAdmin <[email protected]>
	Onderwerp: 	DirectAdmin Client Message
(...)
	Received: 	from server2.filtermail.eu ([85.17.205.251]) by adam.in1klik.nl with esmtps (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <[email protected]>) id 1QPL3A-0001N8-Lg for [email protected]; Wed, 25 May 2011 22:51:28 +0200
	Received: 	from jbmc-software.com ([216.194.67.119]) by server2.filtermail.eu with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <[email protected]>) id 1QPL3z-0003sa-Pc for [email protected]; Wed, 25 May 2011 22:52:28 +0200
	Received: 	from apache by jbmc-software.com with local (Exim 4.76) (envelope-from <[email protected]>) id 1QPL50-0005ls-90 for [email protected]; Wed, 25 May 2011 14:53:22 -0600
	Message-Id: 	<[email protected]>
	Received-Spf: 	Received-SPF: pass (server2.filtermail.eu: domain of directadmin.com designates 216.194.67.119 as permitted sender) client-ip=216.194.67.119; [email protected]; helo=jbmc-software.com;
	X-Spf-Result: 	server2.filtermail.eu: domain of directadmin.com designates 216.194.67.119 as permitted sender
	X-Spf: 	pass
	X-Ols-Boguswarn: 	No x-mailer header
	X-Ols-Boguswarn: 	Sent by robot (mfrom)
	X-Ols-Boguswarn: 	Sent by robot (From:)
	X-Fake-Warning: 	OK - 5000 points
	X-Filter-Id: 	XtLePq6GTMn8G68F0EmQve9sOybHbNjwoourtTCVrOvnyrNzTeFPWx66s/MLrrLAS7X5R1anTuIn Gq7k6TFebWQ5ZcPo2zavaIwIuwv2SqA4zRxQJj2DuZ1YYzNQ6Ok4NnDuFQ1kxqTeo7E2me9LrfI8 +gAvTzmvR9boBKdd/1zbnbZw5rlyjpgD1kEPC6KHvewR4GcrMXLS3kY6CAo4/rA7SwKBklAAzGDl H/yt1lHLf5qsjZkwKN1JVK2Kks799R/2gMGq0KWAzmMf+ibVDhO74WP7oig6AJKRgcUl6MZ4UsI+ aSVu1DgAomPoHRPa/b9N3TCpi26Qiqgg+uPHBMqtJwQ5BQh6LHvW/c5BBojIvfSw53BgNF/GB2yS +Ho/HM4PDUthpgkNh9t/fOdpSL64jneVZyLEKWp1aJ10Ql1yyqppsTYzYAtoaMJsxAfweoWeEoK4 kS3whDXu3JqLoPY4ocfmWv3Fe9Iziczdq+A=
	X-Filtermail-Class: 	ham;
	X-Filtermail-Score: 	0.34773902084
	X-Filtermail-Evidence: 	'ole': 0.50; 'crm114': 0.50; 'direct': 0.50; 'spambayes.global_tokens': 0.09; 'pyzor': 0.50; 'sa': 0.50; 'os': 0.42; 'dkim': 0.50; 'dnsbl': 0.75; 'sender': 0.50
	X-Filtermail-Thermostat: 	--
 
Just got another one...


by 10.90.241.13 with SMTP id o13cs135193agh; Wed, 25 May 2011 13:58:04 -0700 (PDT)
Received: by 10.231.82.197 with SMTP id c5mr28076ibl.131.1306357084388; Wed, 25 May 2011 13:58:04 -0700 (PDT)
Received: from jbmc-software.com (jbmc-software.com [216.194.67.119]) by mx.google.com with ESMTPS id c6si174258ibj.12.2011.05.25.13.58.04 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 25 May 2011 13:58:04 -0700 (PDT)
Received: from apache by jbmc-software.com with local (Exim 4.76) (envelope-from <[email protected]>) id 1QPLAc-0001AW-NM for [email protected]; Wed, 25 May 2011 14:59:10 -0600
Return-Path: <[email protected]>
Received-Spf: pass (google.com: domain of [email protected] designates 216.194.67.119 as permitted sender) client-ip=216.194.67.119;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 216.194.67.119 as permitted sender) [email protected]
Auto-Submitted: auto-generated
Message-Id: <[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
 
This is a phishing scam! My antivirus detected a backdoor embedded in the webpage.

Strange fact: the e-mail comes from the DirectAdmin server itself, plus it addresses me by the name I was known by at DirectAdmin...
 

I figured that to be the case. I'm concerned how much of my data has been exposed.
 
Spam?

Here's an interesting one. Just got a spam email from someone claiming to be DA. Message source is below:

Code:
Return-path: <[email protected]>
Envelope-to: [my email address]
Delivery-date: Wed, 25 May 2011 16:53:54 -0400
Received: from mail by illusion.bluespidernetwork.co.uk with spam-scanned (Exim 4.72)
	(envelope-from <[email protected]>)
	id 1QPL5U-0004Jk-GI
	for [my email address]; Wed, 25 May 2011 16:53:54 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	illusion.bluespidernetwork.co.uk
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS,
	SPF_PASS autolearn=ham version=3.3.1
Received: from jbmc-software.com ([216.194.67.119])
	by illusion.bluespidernetwork.co.uk with esmtps (TLSv1:AES256-SHA:256)
	(Exim 4.72)
	(envelope-from <[email protected]>)
	id 1QPL5U-0004Jg-Bt
	for [my email address]; Wed, 25 May 2011 16:53:52 -0400
Received: from apache by jbmc-software.com with local (Exim 4.76)
	(envelope-from <[email protected]>)
	id 1QPL6X-00076l-Sf
	for [my email address]; Wed, 25 May 2011 14:54:57 -0600
To: [my email address]
Subject: DirectAdmin Client Message
From: DirectAdmin <[email protected]>
Message-Id: <[email protected]>
Date: Wed, 25 May 2011 14:54:57 -0600
X-Antivirus-Scanner: Clean mail, though you should still use an Antivirus scanner

Dear [my real name],

Please note that currently there is a security vulnerability concerning the current
DirectAdmin version, in order to learn how to protect your server until we can issue
a patch please visit http www austinfosec com au update.php


Thank you,	
DirectAdmin.com

(URL manipulated to prevent search engine spiders picking it up).
The source code to that site has an iframe which directs somewhere else. The code to THAT site has some "encrypted" javascript that runs on load. I can only assume this attempts to do something malicious. Probably doesn't work in Firefox/Linux anyway.

Just making anyone at JBMC aware of this, and any other DA admins that come across this message. What's more interesting is that it has my full and correct name.
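Added example, not code from this thread or from DirectAdmin/JBMC: a small Python triage of headers like the ones posted above. It shows why an SPF "pass" together with the "from apache ... with local" hop points at mail handed in by the forum's own web server process (and a PHP mailer) rather than a spoofed sender, and it flags the link that does not sit under the sender's domain. The sample headers are constructed from the ones quoted in the thread; the addresses and the receiving MX (`mx.example.net`) are placeholders.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in this thread: relay host,
# IP, mailer and link are as posted; the addresses and receiving MX are placeholders.
SAMPLE = """\
Received: from jbmc-software.com (jbmc-software.com [216.194.67.119]) by mx.example.net with ESMTPS id x1; Wed, 25 May 2011 13:58:04 -0700 (PDT)
Received: from apache by jbmc-software.com with local (Exim 4.76) (envelope-from <placeholder@directadmin.com>) id 1QPLAc-0001AW-NM for victim@example.org; Wed, 25 May 2011 14:59:10 -0600
Authentication-Results: mx.example.net; spf=pass (domain of placeholder@directadmin.com designates 216.194.67.119 as permitted sender)
From: DirectAdmin <placeholder@directadmin.com>
Subject: DirectAdmin Client Message
X-Mailer: vBulletin Mail via PHP

Dear Victim, there is a security vulnerability in DirectAdmin, please visit http://www.austinfosec.com.au/update.php
"""

def addr_domain(value):
    """Domain part of an address-bearing header value, lower-cased."""
    m = re.search(r"@([\w.-]+)", value or "")
    return m.group(1).lower() if m else ""

def link_hosts(body):
    """Hostnames of all http(s) links in the body."""
    return {h.lower() for h in re.findall(r"https?://([\w.-]+)", body)}

def triage(raw):
    msg = message_from_string(raw)
    # Each relay prepends its own Received header, so reverse to get oldest first.
    chain = list(reversed(msg.get_all("Received", [])))
    first_hop = chain[0] if chain else ""
    origin = re.search(r"\bby (\S+)", first_hop)
    sender = addr_domain(msg.get("From"))
    offsite = sorted(h for h in link_hosts(msg.get_payload())
                     if h != sender and not h.endswith("." + sender))
    findings = {
        # SPF pass only says the relay IP may send for the envelope domain;
        # it says nothing about whether the domain owner intended the content.
        "spf_pass": "spf=pass" in msg.get("Authentication-Results", ""),
        # Exim "with local" means a local process (here the web server user
        # "apache") handed the mail in; it was not relayed from a mail client.
        "injected_by_webserver": bool(re.search(r"from apache .* with local", first_hop)),
        "origin_host": origin.group(1) if origin else "",
        "php_mailer": "php" in msg.get("X-Mailer", "").lower(),
        "offsite_links": offsite,
    }
    findings["suspicious"] = findings["injected_by_webserver"] and bool(offsite)
    return findings

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```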
 