[AusNOG] ATTENTION: Ransom request!!!

Michael Baker lidder86 at gmail.com
Sun Jul 10 06:26:33 EST 2016


I came across something interesting a few weeks ago: a dev server of mine got
compromised.. teach me for not patching WordPress ;) The compromise then
ran a bot that was sending these emails out templated. I wonder how many
fake emails go out?

On Friday, July 8, 2016, A <clonemeagain at gmail.com> wrote:
> Cloudflare have an interesting article on it:
> https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/
>
> On 8 Jul 2016 11:15 pm, "Keith Anderson" <keitha at apcs.com.au> wrote:
>>
>> Hi All,
>> Glad we have DoS filtering in place, hope it works.
>> received this one yesterday.
>> Have a good weekend all,
>> ### HEADER
>>
>> Received: from removed [x.x.x.x])
>> by removed (Postfix) with ESMTP id E077333F9F
>> for <systemadmin at removed>; Thu,  7 Jul 2016 15:04:38 +1000 (PGT)
>> X-ASG-Debug-ID: 1467867840-06ff6519594ed72d0001-Vn5JKc
>> Received: from ks3293195.kimsufi.com (ks3293195.kimsufi.com [5.135.186.134])
>> by filter1-removed with ESMTP id zxmM3rWeIgLfLFeL for <Removed>; Thu, 07
>> Jul 2016 05:04:02 +0000 (GMT)
>> X-Barracuda-Envelope-From: armada.collective at gmail.com
>> X-Barracuda-Effective-Source-IP: ks3293195.kimsufi.com[5.135.186.134]
>> X-Barracuda-Apparent-Source-IP: 5.135.186.134
>> From: Armada Collective <armada.collective at gmail.com>
>> To: <sysadmin at removed>
>> Subject: ATTENTION: Ransom request!!!
>> X-Barracuda-Connect: ks3293195.kimsufi.com[5.135.186.134]
>> X-Barracuda-Start-Time: 1467867841
>> X-Barracuda-URL: XXX
>> X-ASG-Orig-Subj: ATTENTION: Ransom request!!!
>> X-Barracuda-Scan-Msg-Size: 1266
>> X-Virus-Scanned: by bsmtpd at XXXX
>> X-Barracuda-BRTS-Status: 1
>> X-Barracuda-Spam-Score: 2.00
>> X-Barracuda-Spam-Status: No, SCORE=2.00 using global scores of
>> TAG_LEVEL=4.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=5.0 tests=MISSING_DATE,
>> MISSING_MID, PLING_PLING
>> X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.31081
>> Rule breakdown below
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>> 0.14 MISSING_MID            Missing Message-Id: header
>> 1.40 MISSING_DATE           Missing Date: header
>> 0.46 PLING_PLING            Subject has lots of exclamation marks
>> Message-ID: <20160707050438.7DECC16CC0B3 at filter1-XXX>
>> Date: Thu, 7 Jul 2016 05:04:38 +0000
>> Return-Path: armada.collective at gmail.com
>> MIME-Version: 1.0
>> Content-Type: text/plain
>> X-MS-Exchange-Organization-Network-Message-Id:
>> 07157968-b5a4-4cfa-da65-08d3a624c308
>> X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
>> X-MS-Exchange-Organization-AuthSource: POM.local
>> X-MS-Exchange-Organization-AuthAs: Anonymous
>> ### END FULL HEADER
>>
>>
>> -----Original Message-----
>> From: Armada Collective [mailto:armada.collective at gmail.com]
>> Sent: Thursday, 7 July 2016 3:05 PM
>> To: Removed
>> Subject: ATTENTION: Ransom request!!!
>>
>> FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE
>> DECISION!
>>
>> We are Armada Collective.
>>
>> All your servers will be DDoS-ed starting Saturday (Jul 9 2016) if you
>> don't pay 5 Bitcoins @ 14T7TxDxhhpYtgNgrK1hpe4UsfULZDhFoC
>>
>> When we say all, we mean all - users will not be able to access sites
>> host with you at all.
>>
>> Right now we will start 15 minutes attack on your site's IP X.X.X.X It
>> will not be hard, we will not crash it at the moment to try to minimize
>> eventual damage, which we want to avoid at this moment. It's just to prove
>> that this is not a hoax. Check your logs!
>>
>> If you don't pay by Saturday, attack will start, price to stop will
>> increase by 5 BTC for every day of attack.
>>
>> If you report this to media and try to get some free publicity by using
>> our name, instead of paying, attack will start permanently and will last
>> for a long time.
>>
>> This is not a joke.
>>
>> Our attacks are extremely powerful - sometimes over 1 Tbps per second.
>> So, no cheap protection will help.
>>
>> Prevent it all with just 5 BTC @ 14T7TxDxhhpYtgNgrK1hpe4UsfULZDhFoC
>>
>> Do not reply, we will probably not read. Pay and we will know its you.
>> AND YOU WILL NEVER AGAIN HEAR FROM US!
>>
>> Bitcoin is anonymous, nobody will ever know you cooperated.
>> ———————————
>>
>>
>> apcs
>> Keith Anderson l Managing Director
>> AUS Mobile. +61 400 947 947
>> Fax.
>> 1300 7654 27
>> PNG Phone. +675 303 1236  Mobile. +675 76 947 947   Fax. +675 325 9066
>> Email. keitha at apcs.com.au l Web.
>> www.apcs.com.au
>>
>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>
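Added example, not code from the thread or from any of the posters: a small Python checker for the tells the quoted Barracuda report already scored. On arrival the message had no Message-ID and no Date (the ones visible in the quoted header were stamped on by the filter host, which is why the Message-ID ends in filter1-XXX), the From: claims gmail.com while the first Received: hop is a kimsufi.com host rather than a Google relay, and the subject carries a run of exclamation marks. The script also pulls the Bitcoin address out of the body; when a bot pastes the same address into every copy of a templated mail, the sender has no per-victim address to match a payment against, so "pay and we will know its you" cannot hold. Both sample messages are constructed here: the extortion one is built from the headers and body quoted above with a placeholder recipient, the benign one is an invented Gmail-originated reply used as a control. The relay-suffix table and the regular expressions are this example's own assumptions, not rules taken from the filter.

```python
"""Score a raw e-mail for the tells of a templated DDoS-extortion message.

Added example; not code from the thread. The flags mirror the rule names in
the quoted Barracuda/SpamAssassin report (MISSING_MID, MISSING_DATE,
PLING_PLING) plus a From-domain vs. first-hop relay check and Bitcoin-address
extraction. Regexes and the relay table are assumptions of this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the thread's headers as the edge filter saw
# them: no Message-ID or Date yet (the filter host added both later), origin
# host/IP and body text as quoted. The recipient is a placeholder.
EXTORTION = """\
Received: from ks3293195.kimsufi.com (ks3293195.kimsufi.com [5.135.186.134])
\tby filter1-removed with ESMTP id zxmM3rWeIgLfLFeL for <Removed>; Thu, 07 Jul 2016 05:04:02 +0000 (GMT)
Return-Path: armada.collective@gmail.com
From: Armada Collective <armada.collective@gmail.com>
To: <sysadmin@removed.invalid>
Subject: ATTENTION: Ransom request!!!
MIME-Version: 1.0
Content-Type: text/plain

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

All your servers will be DDoS-ed starting Saturday (Jul 9 2016) if you
don't pay 5 Bitcoins @ 14T7TxDxhhpYtgNgrK1hpe4UsfULZDhFoC

Prevent it all with just 5 BTC @ 14T7TxDxhhpYtgNgrK1hpe4UsfULZDhFoC
"""

# Constructed control: an invented Gmail-originated reply with the usual headers.
BENIGN = """\
Received: from mail-wm0-f54.google.com (mail-wm0-f54.google.com [74.125.82.54])
\tby filter1-removed with ESMTP id abc123 for <Removed>; Thu, 07 Jul 2016 05:10:00 +0000 (GMT)
Message-ID: <CAExample123@mail.gmail.com>
Date: Thu, 7 Jul 2016 05:09:58 +0000
From: Some Person <someone@gmail.com>
To: <sysadmin@removed.invalid>
Subject: Re: maintenance window
MIME-Version: 1.0
Content-Type: text/plain

Looks fine, go ahead on Saturday.
"""

# Legacy Base58 (P2PKH/P2SH) addresses only; bech32 (bc1...) would need another pattern.
BTC_ADDRESS = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Two or more exclamation marks in a row: an approximation of the PLING_PLING rule.
PLING = re.compile(r"(?:!\s*){2,}")
# Relay host suffixes expected when From: is a known freemail domain (assumed table).
EXPECTED_RELAYS = {"gmail.com": ("google.com",)}


def received_hops(msg):
    """(host, ip) per Received: header, in header order (newest hop first)."""
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(hdr.split())  # unfold continuation lines
        host = re.match(r"from\s+(\S+)", text, re.I)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return hops


def analyze(raw):
    """Return the individual flags, the origin hop, any Bitcoin addresses and a score."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_hops(msg)
    origin_host, origin_ip = hops[-1] if hops else (None, None)  # last header = first hop
    expected = EXPECTED_RELAYS.get(from_domain)
    relay_mismatch = bool(expected) and not (
        origin_host and origin_host.lower().endswith(tuple("." + s for s in expected)))
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = {
        "missing_message_id": "Message-ID" not in msg,  # MISSING_MID
        "missing_date": "Date" not in msg,              # MISSING_DATE
        "pling_pling": bool(PLING.search(subject)),     # PLING_PLING
        "from_relay_mismatch": relay_mismatch,
        "btc_address_in_body": bool(BTC_ADDRESS.search(body)),
    }
    return {
        **flags,
        "from_domain": from_domain,
        "origin_host": origin_host,
        "origin_ip": origin_ip,
        "btc_addresses": sorted(set(BTC_ADDRESS.findall(body))),
        "score": sum(flags.values()),
    }


if __name__ == "__main__":
    for name, raw in (("extortion", EXTORTION), ("benign", BENIGN)):
        r = analyze(raw)
        hits = [k for k, v in r.items() if v is True]
        print(f"{name}: score={r['score']} origin={r['origin_host']} ({r['origin_ip']}) "
              f"btc={r['btc_addresses']} flags={hits}")
```

Run the check on the headers as they arrive at the edge, before any internal hop has added its own Message-ID and Date; once the filter host stamps them on (as it did in the quoted header) the two MISSING_* tells disappear from the copy that reaches the mailbox.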