1. Forum
  2. FidoNet
  3. INTERNET

  • .pls?

    From August Abolins@1:153/757.2 to All on Tue Mar 2 08:48:27 2021
    A new one. I've never seen a .PLS used as bait.

    https://photos.kolico.ca/tmp/dhl.jpg
    https://photos.kolico.ca/tmp/dhl-1.jpg
    --- SBBSecho 3.13-Linux
    * Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757.2)
  • From Jay Harris@1:229/664 to August Abolins on Tue Mar 2 12:45:15 2021
    *** Quoting August Abolins from a message to All ***

    A new one. I've never seen a .PLS used as bait.

    Interesting, a .pls file was a playlist file used in Winamp. Not sure if any other media players used it.

    Jay

    ... In the long run, we are all dead.

    --- Telegard v3.09.g2-sp4/mL
    * Origin: Northern Realms | 289-424-5180 | bbs.nrbbs.net (1:229/664)
  • From August Abolins@1:153/757.2 to All on Tue Mar 2 09:53:11 2021
    A new one. I've never seen a .PLS used as bait.

    https://photos.kolico.ca/tmp/dhl.jpg
    https://photos.kolico.ca/tmp/dhl-1.jpg


    Another interesting thing about that one. Although the .pls file registers as 59B in the mail header, the actual file is 0B.

    Looking at the raw message:

    X-EN-OrigIP: 192.163.245.86
    Received: from crystalnet by host.anmoul.net.in with local (Exim 4.93)
    (envelope-from <crystalnet@host.anmoul.net.in>)
    id 1lH1yz-00038T-AP
    for books@ashlies.ca; Tue, 02 Mar 2021 10:10:25 +0000
    To: books@ashlies.ca
    Subject: =?UTF-8?B?UmVtaW5kZXIsIERITCBpbmZvcm1zIHlvdSB0aGF0IHlvdXIgc2hpcG1lbnQg TsKwIDk0MzAyNDU5Njg1IGlzIHN0aWxsIHBlbmRpbmcgIQ==?=
    X-PHP-Script: crystal.net.in/mat/metoo.php for 20.52.179.36
    ^^^^^^^^^

    From: =?UTF-8?B?REhMIEVYUFJFU1M=?= <no-reply@certideal.com>
    Message-Id: <E1lH1yz-00038T-AP@host.anmoul.net.in>

    Looks like this is sneaky attempt to launch a remote .php file.

    I also did not realize that the header contents could be obfuscated with UTF-8 prefixes:

    Subject: =?UTF-8?B?UmVtaW5kZXIsIERITCBpbmZ...

    Buggers.
    --- SBBSecho 3.13-Linux
    * Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757.2)
  • From August Abolins@1:153/757.2 to Jay Harris on Tue Mar 2 10:00:18 2021
    A new one. I've never seen a .PLS used as bait.

    Interesting, a .pls file was a playlist file used in Winamp. Not sure if any other media players used it.

    Yes.. now I remember those.

    Meanwhile, while the header in my email program indicated that the .pls was 59B, it was actually 0B when I saved it.

    The email standard has really gone down the tubes as far as allowing crap like that.
    --- SBBSecho 3.13-Linux
    * Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757.2)
  • From Daniel Path@2:371/52 to August Abolins on Tue Mar 2 18:44:31 2021
    Hello August.

    02 Mar 21 08:48, you wrote to All:

    A new one. I've never seen a .PLS used as bait.

    i'm wondering what's inside the pls...

    Daniel

    --- GoldED+/EMX 1.1.4.7
    * Origin: Roon's BBS - Budapest, HUNGARY (2:371/52)
  • From August Abolins@2:221/1.58 to Daniel Path on Tue Mar 2 17:49:00 2021
    Hello Daniel Path!

    i'm wondering what's inside the pls...

    It turns out to be nothing. The "trick" was to make it look
    like there was a 59Byte attachment, when indeed there was
    nothing!

    The real vector to deliver the payload was this line:

    X-PHP-Script: crystal.net.in/mat/metoo.php for 20.52.179.36
    ^^^^^^^^^


    --
    ../|ug

    --- OpenXP 5.0.49
    * Origin: (2:221/1.58)