Analysis of the Site that Phished AXIS bank

Hey,

A few days ago, I received a classic fraud mail, pointing me to a phished site of AXIS bank. The email read something like

Dear Valued Customer,
During our regularly scheduled account maintenance and verification
procedures, we have
detected a slight error in your Account billing information. This
might be due to either of the following reasons:
1. A recent updates in our billing server ( Due to slightly problem )
2. A recent change in your personal information ( i.e. change of address).
3. An inability to accurately verify your selected option of payment due to an internal error within our processors.

UTI is now AXIS.
If you are an account holder of UTI, please follow the link below and enter correctly the information required of you.

Please re-confirm your Internet Banking by clicking the link below:
https://www.axisbank.co.in/BankAway/SignOn.aspx?RequestId=714870

Thanks for your advance help.

Axis Bank
Customer Service.

iConnect is best used with Microsoft Internet Explorer Version 4.0 ((c) Microsoft) and higher. If you are getting the a Security Alert Message please Click here.
Copyright(c) 2007 - Axis Bank. All rights reserved.

I got a little curious, and did a little analysis on the host that had the site running. Here are the findings. The windows box was registered at goDaddy.com for
Richard Lyons
394 Notre Dame Ave
Apt 7
Manchester, New Hampshire 03102
United States
[email protected][email protected]">com
A quick port scan revealed that the machine was most probably hosted on a non-professional network, mostly a home computer with services like anonymous FTP, windows RPC etc running. It seems to be a part of a wider botnet, possibly controlled using analogx. There was also SOCKS proxy running, that could be be nervous system communicating to this node.
Here is the output of nMaping the box.

Interesting ports on 206-221-179-205.fndns.net (206.221.179.205): Not shown: 1681 closed ports
PORT STATE SERVICE

1/tcp open tcpmux
21/tcp open ftp

|_ Anonymous FTP: FTP:
Anonymous login allowed

22/tcp open ssh

|_ SSH Protocol Version 1: Server supports SSHv1

25/tcp open smtp
| SMTP: Responded to EHLO command

| prague.dnstraffic.net Hello example.org [122.167.111.114]

| SIZE 52428800
| PIPELINING
| AUTH PLAIN LOGIN
| STARTTLS
| 250 HELP
| Responded to HELP command

| Commands supported:
|_ AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP 53/tcp open domain
80/tcp open http

|_ HTML title: cPanel®
110/tcp open pop3
111/tcp open rpcbind

135/tcp filtered msrpc

136/tcp filtered profile

137/tcp filtered netbios-ns

138/tcp filtered netbios-dgm

139/tcp filtered netbios-ssn

143/tcp open imap

443/tcp open https

445/tcp filtered microsoft-ds

465/tcp open smtps

631/tcp open ipp
993/tcp open imaps

995/tcp open pop3s

1022/tcp filtered unknown

1023/tcp filtered netvenuechat

1026/tcp filtered LSA-or-nterm

1080/tcp filtered socks

1485/tcp filtered lansource
1720/tcp filtered H.323/Q.931
3128/tcp filtered squid-http

3306/tcp open mysql

3456/tcp filtered vat
6588/tcp filtered analogx


Update : The phishing site has been successfully been disabled. Interestingly, the domain name now points to 74.54.176.34 as opposed to 206.221.179.205 earlier. All the malicious services are also gone now, and the node is no longer a part of the botnet. Yet another phishing site taken down !! :)