Some helpful person posted a comment on my blog to tell me that I had a phishing scam running from my machine, and sure enough with a little digging I can see that there was indeed some rather nasty stuff sitting in a hidden directory in my brother-in-law's user account.
It looks like there were two different scams running, one for PayPal and one for Chase Bank.
I’ve removed the user account and moved the directory and I’ll have a poke around a bit later.
One thing I will say is that I feel violated and embarrassed to think that my machine has been used to aid these thieving bastards.
Out of interest, here are the directory listings of the directories added to my machine.
.:
total 8
drwxrwxr-x 4 504 504 96 Apr 10 22:54 ./
drwxr-xr-x 7 504 504 4096 Apr 7 19:49 ../
drwxr-xr-x 3 504 504 16 Mar 21 06:46 .MembersLogIn/
drwxrwxrwx 5 504 504 24 Sep 22 2005 .update/
./.MembersLogIn:
total 4
drwxr-xr-x 3 504 504 16 Mar 21 06:46 ./
drwxrwxr-x 4 504 504 96 Apr 10 22:54 ../
-rw-r--r-- 1 504 504 0 Mar 21 06:46 si
drwxr-xr-x 2 504 504 88 Mar 21 06:43 .SignIn/
./.MembersLogIn/.SignIn:
total 460
drwxr-xr-x 2 504 504 88 Mar 21 06:43 ./
drwxr-xr-x 3 504 504 16 Mar 21 06:46 ../
-rw-r--r-- 1 504 504 446 Mar 21 06:42 .cvv.db
-rw-r--r-- 1 504 504 56784 Mar 11 07:17 final.html
-rw-r--r-- 1 504 504 463 Mar 21 06:43 .first.db
-rw-r--r-- 1 504 504 480 Mar 21 06:43 .last.db
-rwxr-xr-x 1 504 504 167964 Mar 17 2001 pico*
-rwxr-xr-x 1 504 504 84476 Jul 28 2005 pico.jpg*
-rw-r--r-- 1 504 504 73988 Mar 11 08:43 prospect.html
-rw-r--r-- 1 504 504 11759 Mar 21 07:51 prospect.php
-rw-r--r-- 1 504 504 27828 Mar 21 06:38 sso_logon.html
-rw-r--r-- 1 504 504 16384 Mar 21 06:20 .sso_logon.html.swp
-rw-r--r-- 1 504 504 176 Mar 21 06:40 .user.db
./.update:
total 12
drwxrwxrwx 5 504 504 24 Sep 22 2005 ./
drwxrwxr-x 4 504 504 96 Apr 10 22:54 ../
drwxr-xr-x 2 504 504 80 Nov 3 06:52 cgi-bin/
drwxr-xr-x 2 504 504 24 Sep 9 2005 css/
drwxr-xr-x 2 504 504 4096 Sep 9 2005 pic/
./.update/cgi-bin:
total 368
drwxr-xr-x 2 504 504 80 Nov 3 06:52 ./
drwxrwxrwx 5 504 504 24 Sep 22 2005 ../
-rwxrwxr-x 1 504 504 8693 Apr 10 01:53 check_card.php*
-rwxrwxr-x 1 504 504 0 Aug 3 2004 index.php*
-rwxrwxr-x 1 504 504 8938 Sep 10 2005 letter.php*
-rwxrwxr-x 1 504 504 176723 Mar 17 2001 pico*
-rwxrwxr-x 1 504 504 84476 Jul 28 2005 pico.jpg*
-rwxrwxr-x 1 504 504 2476 Sep 22 2005 webscrcmd_checkuser.php*
-rwxrwxr-x 1 504 504 9440 Apr 23 2005 webscrcmd_login.php*
-rwxrwxr-x 1 504 504 28005 Apr 7 19:53 webscrcmd_profile_credit_card.php*
-rwxrwxr-x 1 504 504 4117 Apr 23 2005 webscrcmd_redirect.php*
-rwxrwxr-x 1 504 504 28351 Apr 7 19:52 webscrcmd_thank_you.php*
./.update/css:
total 52
drwxr-xr-x 2 504 504 24 Sep 9 2005 ./
drwxrwxrwx 5 504 504 24 Sep 22 2005 ../
-rw-r--r-- 1 504 504 41904 Apr 22 2005 xpt.css
-rw-r--r-- 1 504 504 1081 Apr 22 2005 xptInvoice.css
-rw-r--r-- 1 504 504 69 Apr 22 2005 xptlive.css
./.update/pic:
total 432
drwxr-xr-x 2 504 504 4096 Sep 9 2005 ./
drwxrwxrwx 5 504 504 24 Sep 22 2005 ../
-rw-r--r-- 1 504 504 10951 Mar 8 2004 6qkUBHm48gr6isze5LqAc-t.s0AK2P019CxPBg.gif
-rw-r--r-- 1 504 504 250 Mar 1 2004 bg.gif
-rw-r--r-- 1 504 504 1864 Mar 8 2004 bnr_ppBuyerProtection_175x80.gif
-rw-r--r-- 1 504 504 21910 Mar 8 2004 bnr_providianClearChoicesV22_120x600.gif
-rw-r--r-- 1 504 504 7743 Mar 8 2004 bnr_providianPPVisaV22_135x132.gif
-rw-r--r-- 1 504 504 8332 Mar 1 2004 check_zoom_260.gif
-rw-r--r-- 1 504 504 3314 Mar 8 2004 DyU7qIySrousGoYNb9CiNrydF3cTQqpwIcXjbA.gif
-rw-r--r-- 1 504 504 490 Mar 8 2004 icon_auctionTools_35x35.gif
-rw-r--r-- 1 504 504 1720 Mar 8 2004 icon_community_logo.gif
-rw-r--r-- 1 504 504 576 Mar 10 2004 icon_error_40x40.gif
-rw-r--r-- 1 504 504 465 Mar 8 2004 icon_merchantTools_35x35.gif
-rw-r--r-- 1 504 504 432 Mar 8 2004 icon_shops_35x35.gif
-rw-r--r-- 1 504 504 879 Mar 8 2004 icon_shops_logo.gif
-rw-r--r-- 1 504 504 267 Mar 8 2004 logo_ccAmex.gif
-rw-r--r-- 1 504 504 403 Mar 8 2004 logo_ccDiscover.gif
-rw-r--r-- 1 504 504 408 Mar 8 2004 logo_ccEcheck.gif
-rw-r--r-- 1 504 504 815 Mar 8 2004 logo_ccMC.gif
-rw-r--r-- 1 504 504 338 Mar 8 2004 logo_ccVisa.gif
-rw-r--r-- 1 504 504 33 May 11 2005 logo.gif
-rw-r--r-- 1 504 504 545 Mar 8 2004 mini_cvv2.gif
-rw-r--r-- 1 504 504 902 Mar 1 2004 paypal_logo.gif
-rw-r--r-- 1 504 504 148 Mar 8 2004 period_ani.gif
-rw-r--r-- 1 504 504 43 Mar 1 2004 pixel.gif
-rw-r--r-- 1 504 504 267 Mar 1 2004 P_off_auction_tools.gif
-rw-r--r-- 1 504 504 293 Mar 1 2004 P_off_merchant_tools.gif
-rw-r--r-- 1 504 504 288 Mar 1 2004 P_off_request_money.gif
-rw-r--r-- 1 504 504 257 Mar 1 2004 P_off_send_money.gif
-rw-r--r-- 1 504 504 231 Mar 1 2004 P_off_welcome.gif
-rw-r--r-- 1 504 504 494 Mar 8 2004 P_on_my_account.gif
-rw-r--r-- 1 504 504 473 Mar 8 2004 P_on_welcome.gif
-rw-r--r-- 1 504 504 7568 Mar 1 2004 pp_main.js
-rw-r--r-- 1 504 504 16433 Mar 1 2004 pp_styles_111402.css
-rw-r--r-- 1 504 504 869 Mar 1 2004 pp_table_styles.css
-rw-r--r-- 1 504 504 10226 Mar 8 2004 Pz9p1YQ8ot6LD63QmOkuRQcmtrDJaXn8JtZpsw.gif
-rw-r--r-- 1 504 504 5880 Mar 8 2004 QyeQfcf-aVAv88Kd3fVhXFxKzIwr1hxUy1pycQ.gif
-rw-r--r-- 1 504 504 99 Mar 8 2004 SA_none.gif
-rw-r--r-- 1 504 504 183 Mar 8 2004 SA_off_add_funds.gif
-rw-r--r-- 1 504 504 190 Mar 8 2004 SA_off_history.gif
-rw-r--r-- 1 504 504 168 Mar 8 2004 SA_off_overview.gif
-rw-r--r-- 1 504 504 175 Mar 8 2004 SA_off_withdraw.gif
-rw-r--r-- 1 504 504 198 Mar 8 2004 SA_on_profile.gif
-rw-r--r-- 1 504 504 95 Mar 1 2004 secure_lock_2.gif
-rw-r--r-- 1 504 504 4362 Mar 8 2004 SOxUEOLlFrdzrT2t6fkgK29DGKVEKfHwdLBRA.gif
-rw-r--r-- 1 504 504 79 Mar 1 2004 symbol_account.gif
-rw-r--r-- 1 504 504 62 Mar 1 2004 symbol_account_small.gif
-rw-r--r-- 1 504 504 79 Mar 1 2004 symbol_route.gif
-rw-r--r-- 1 504 504 59 Mar 1 2004 symbol_route_small.gif
-rw-r--r-- 1 504 504 140800 Sep 9 2005 Thumbs.db
-rw-r--r-- 1 504 504 2489 Mar 8 2004 top_image_home.gif
-rw-r--r-- 1 504 504 1963 Mar 8 2004 vR.XVfEKfuwONsUNZTSCT5Y.ED0mHsIogNiAdA.gif
-rw-r--r-- 1 504 504 10228 Mar 8 2004 YA5wVvU5WOm0qTmpfAQoolDHkLZpFpU9y6CvgA.gif
You can see that it’s quite elaborate. Once the eBay page has collected the victim's info, it is emailed to the following address.
coaielepopii@gmail.com
I have reported the abuse to gmail but of course they can create a new account in seconds.
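As an added example (not code from the original post or from the kit itself), here is a small defender-side scan for the signatures visible in the listing above: PHP handlers sitting in hidden dot-directories, PHP files that call mail() to ship harvested form data onward, and dotfile .db capture logs such as .cvv.db and .user.db. The sample tree it builds is constructed for the demo and contains no working phishing code.

```python
import os
import re
import tempfile

# Indicators taken from the listing: hidden directories under a user account,
# PHP handlers that mail harvested data, and dotfile "databases" of captures.
MAIL_CALL = re.compile(r"\bmail\s*\(", re.IGNORECASE)
SUSPECT_DB = re.compile(r"^\.(?:cvv|first|last|user)\.db$")

def scan_tree(root):
    """Walk root and return a sorted list of (path, reason) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        # Any dot-named component between root and this directory counts as hidden.
        in_hidden = any(p.startswith(".") for p in rel.split(os.sep) if p not in (".", ""))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(".php"):
                if in_hidden:
                    findings.append((path, "php handler inside hidden directory"))
                try:
                    with open(path, "r", errors="replace") as fh:
                        if MAIL_CALL.search(fh.read()):
                            findings.append((path, "php file calls mail()"))
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
            elif SUSPECT_DB.match(name):
                findings.append((path, "dotfile capture database"))
    return sorted(findings)

def build_sample_kit():
    """Constructed mock of the layout above in a temp dir (harmless placeholder PHP)."""
    root = tempfile.mkdtemp()
    kit = os.path.join(root, ".update", "cgi-bin")
    os.makedirs(kit)
    with open(os.path.join(kit, "check_card.php"), "w") as fh:
        fh.write("<?php mail($to, $subject, $body); ?>\n")
    os.makedirs(os.path.join(root, ".MembersLogIn", ".SignIn"))
    open(os.path.join(root, ".MembersLogIn", ".SignIn", ".cvv.db"), "w").close()
    os.makedirs(os.path.join(root, "public_html"))  # legitimate site, should not flag
    with open(os.path.join(root, "public_html", "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return root

if __name__ == "__main__":
    for path, reason in scan_tree(build_sample_kit()):
        print(reason, "->", path)
```

Run it against a real web root or /home tree instead of the mock to triage a host; each finding is a starting point for review, not proof on its own.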
Dear Dr Dan,
This sounds very scary, & to computer illiterate mortals such as me, who also use eBay, the alarm bells are trilling away loudly!
Do I need to act on this & if I do, what do I do?
Your valued advice will be greatly appreciated as always.
Cheers
Nickie