dbr — 2010-02-09T19:05:28-05:00 — #1
I received an email supposedly from my websites technical support stating:
We are informing you that because of the security upgrade of the mailing service your mailbox (my email address was here) settings were changed. In order to apply the new set of settings click on the following link:
The link to click was from my site with a query string similar to this:
I checked and the bogus directories don't exist. I also talked to my host's tech support and didn't get much useful info.
It was from an email account called firstname.lastname@example.org which doesn't exist to an email account I use regularly.
Has anyone seen anything like this happen on any sites they manage? I didn't click the link. Anything else to be aware of? It seems like it won't be easy to get to the bottom of the matter.
sk89q — 2010-02-10T00:06:02-05:00 — #2
Try looking at the headers of the email to find the path that the email traveled.
dbr — 2010-02-10T01:07:45-05:00 — #3
Interesting. Looks like: email@example.com. Don't know that I can do anything with that though. Thanks for the response.
Received: (qmail 22148 invoked by uid 78);
Received: from unknown (HELO cloudmark1) (10.49.16.78) by 0 with SMTP;
Received: from [22.214.171.124] ([126.96.36.199:11841] helo=mail1.smhosp.on.ca) by cm-mr4 (envelope-from <firstname.lastname@example.org>) (ecelerity 188.8.131.52 r(31179/31189)) with ESMTP id 97/A9-00355-3C8474B4; Fri, 08 Jan 2010 10:01:24 -0500
Content-Type: multipart/alternative; boundary="----=NextPart000_0007_01CA9073.7B59EC50"
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
system — 2010-02-10T02:08:17-05:00 — #4
Does the IP address 184.108.40.206 has any relation to your sites? (I suppose not, but just in case).
I'd click (ith some safe browser) or rather check with telnet this link anyway - there can be some rewrite rules.
But luuks like some unfinished code injection.
I'd check running processes, web logs, mail logs anyway