[ALUG] Fwd: facebook hack attack

Andreas Tauscher ta at geuka.net
Mon Jun 10 22:42:31 EAT 2013


First Microsoft and Skype, and now Facebook has been caught reading private
messages.

-------- Original Message --------
Subject: facebook hack attack
Date: Mon, 10 Jun 2013 16:35:08 +0200
From: Ulli Horlacher <framstag at fex.rus.uni-stuttgart.de>
To: fex at listserv.uni-stuttgart.de

I have detected a hack attack by facebook!

(I have substituted private data with XXXXXX)

First, there was an access by a regular user from XXXXXXXXX.de.
Look at the Referer line! He was coming from facebook!
In the (base64-)encoded URL there is the whole login data!

Immediately after that, there were the same requests from 173.252.100.115 and
later 173.252.100.117, which belong to facebook:

NetRange:       173.252.64.0 - 173.252.127.255
CIDR:           173.252.64.0/18
OriginAS:       AS32934
NetName:        FACEBOOK-INC

Because fexsrv does not allow byte-ranges, facebook retried it with an
all-lowercase URL.

facebook scans the messages of its users and collects secret authentication
data!


CONNECT:80 2013-06-10 15:38:58 XXXXXXXXX.de 147.142.000.000 [1590_0]
GET /fup/ZnJvbT1rYXRqYS5yYWtvd0BXXXXXXXXXXXXXXXX HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Referer: http://www.facebook.com/l.php?u=http%3A%2F%2Ffex.belwue.de%2Ffup%2FZnJvbT1rYXRqYS5yYWtvd0BXXXXXXXXXXXXXXXXXX
Cookie: akey=XXXXXXXXXXXXXXXXXX
EXEC /home/fex/cgi-bin/fup

CONNECT:80 2013-06-10 15:38:58 - 173.252.100.115 [1591_0]
GET /fup/ZnJvbT1rYXRqYS5yYWtvd0BXXXXXXXXXXXXXXXX HTTP/1.1
User-Agent: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
Range: bytes=0-524287
DISCONNECT: Range a-b

CONNECT:80 2013-06-10 15:39:09 - 173.252.100.117 [1619_0]
GET /fup/znjvbt1ryxrqys5yywtvd0bXXXXXXXXXXXXXXXX HTTP/1.1
User-Agent: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
Range: bytes=0-524287
DISCONNECT: Range a-b



-- 
Ullrich Horlacher              Informationssysteme und Serverbetrieb
Rechenzentrum IZUS/TIK         E-Mail: horlacher at tik.uni-stuttgart.de
Universitaet Stuttgart         Tel:    ++49-711-68565868
Allmandring 30a                Fax:    ++49-711-682357
70550 Stuttgart (Germany)      WWW:    http://www.tik.uni-stuttgart.de/
REF: <20130610140254.GW9241 at rus.uni-stuttgart.de>
REF: <20130610143508.GA18690 at rus.uni-stuttgart.de>
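A defender-side check for the pattern in the log above, added here as an example and not part of the original mail or of fexsrv: it parses fexsrv-style CONNECT blocks and flags a capability URL that is fetched by a second client (here a crawler user agent) shortly after its first use, matching the lowercased retry as well. The log, the base64 token, the hostnames and the addresses are constructed.

```python
import base64, re
from datetime import datetime, timedelta

# Constructed fexsrv-style log modelled on the entries in the post; the token, hosts and
# addresses are made up (documentation ranges), not data from the original mail.
TOKEN = base64.b64encode(b"from=alice@example.org&id=12345").decode().rstrip("=")
LOG = f"""CONNECT:80 2013-06-10 15:38:58 client.example.de 192.0.2.10 [1590_0]
GET /fup/{TOKEN} HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Referer: http://www.facebook.com/l.php?u=http%3A%2F%2Ffex.example.org%2Ffup%2F{TOKEN}

CONNECT:80 2013-06-10 15:38:58 - 198.51.100.5 [1591_0]
GET /fup/{TOKEN} HTTP/1.1
User-Agent: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)

CONNECT:80 2013-06-10 15:39:09 - 198.51.100.6 [1619_0]
GET /fup/{TOKEN.lower()} HTTP/1.1
User-Agent: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
"""
CONNECT_RE = re.compile(r"^CONNECT:\d+ (\S+ \S+) \S+ (\S+) \[")

def parse_requests(log):
    """One dict per connection block: time, client ip, request path, user agent."""
    reqs = []
    for block in re.split(r"\n\s*\n", log.strip()):
        lines = block.splitlines()
        m = CONNECT_RE.match(lines[0])
        if not m:
            continue
        req = {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
               "ip": m.group(2), "path": "", "ua": ""}
        for line in lines[1:]:
            if line.startswith("GET "):
                req["path"] = line.split()[1]
            elif line.startswith("User-Agent: "):
                req["ua"] = line[len("User-Agent: "):]
        if req["path"]:
            reqs.append(req)
    return reqs

def find_replays(reqs, window=timedelta(minutes=5)):
    """Flag a URL fetched by a client other than its first user; paths compared case-insensitively."""
    first_seen, alerts = {}, []
    for r in sorted(reqs, key=lambda r: r["time"]):
        origin = first_seen.setdefault(r["path"].lower(), r)
        if r is origin or r["ip"] == origin["ip"] or r["time"] - origin["time"] > window:
            continue
        alerts.append({"ip": r["ip"], "seconds_after": int((r["time"] - origin["time"]).total_seconds()),
                       "case_folded": r["path"] != origin["path"], "crawler": "externalhit" in r["ua"].lower()})
    return alerts
```

The case-insensitive match matters because the crawler's second attempt in the post uses the lowercased path, which a plain string comparison would miss.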