A few days ago, I received a classic fraud mail pointing me to a phishing site impersonating AXIS Bank. The email read something like:
Dear Valued Customer,
During our regularly scheduled account maintenance and verification
procedures, we have
detected a slight error in your Account billing information. This
might be due to either of the following reasons:
1. A recent updates in our billing server ( Due to slightly problem )
2. A recent change in your personal information ( i.e. change of address).
3. An inability to accurately verify your selected option of payment due to an internal error within our processors.
UTI is now AXIS.
If you are an account holder of UTI, please follow the link below and enter correctly the information required of you.
Please re-confirm your Internet Banking by clicking the link below:
https://www.axisbank.co.in
Thanks for your advance help.
Axis Bank
Customer Service.
iConnect is best used with Microsoft Internet Explorer Version 4.0 ((c) Microsoft) and higher. If you are getting the a Security Alert Message please Click here.
Copyright(c) 2007 - Axis Bank. All rights reserved.
Richard Lyons
394 Notre Dame Ave
Apt 7
Manchester, New Hampshire 03102
United States
myergeau@gmail.com
Here is the output of an nmap scan of the box hosting the phishing site.
PORT STATE SERVICE
1/tcp open tcpmux
21/tcp open ftp
|_ Anonymous FTP: FTP: Anonymous login allowed
22/tcp open ssh
|_ SSH Protocol Version 1: Server supports SSHv1
25/tcp open smtp
| SMTP: Responded to EHLO command
| prague.dnstraffic.net Hello example.org [122.167.111.114]
| SIZE 52428800
| PIPELINING
| AUTH PLAIN LOGIN
| STARTTLS
| 250 HELP
| Responded to HELP command
| Commands supported:
|_ AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
53/tcp open domain
80/tcp open http
|_ HTML title: cPanel®
110/tcp open pop3
111/tcp open rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
631/tcp open ipp
993/tcp open imaps
995/tcp open pop3s
1022/tcp filtered unknown
1023/tcp filtered netvenuechat
1026/tcp filtered LSA-or-nterm
1080/tcp filtered socks
1485/tcp filtered lansource
1720/tcp filtered H.323/Q.931
3128/tcp filtered squid-http
3306/tcp open mysql
3456/tcp filtered vat
6588/tcp filtered analogx
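The scan above contains three findings a responder would want pulled out mechanically rather than read by eye: anonymous FTP, SSH protocol version 1, and an SMTP server that advertises AUTH PLAIN/LOGIN in its plaintext EHLO response. The script below is an added example, not code from the original post; it parses nmap's normal text output (an excerpt of the scan above is embedded as the sample input) and returns the open ports and the weak-service findings. The port regex and the finding rules are my own assumptions about what to flag, not anything the post states beyond the scan lines themselves.

```python
"""Parse nmap normal-format output and flag weak services.

Added example (not from the original post). The embedded report is an
excerpt transcribed from the scan shown above; the finding rules are
assumptions about what a takedown responder would want highlighted.
"""
import re

# Excerpt of the scan shown in the post (filtered ports mostly omitted).
NMAP_REPORT = """\
PORT STATE SERVICE
1/tcp open tcpmux
21/tcp open ftp
|_ Anonymous FTP: FTP: Anonymous login allowed
22/tcp open ssh
|_ SSH Protocol Version 1: Server supports SSHv1
25/tcp open smtp
| SMTP: Responded to EHLO command
| prague.dnstraffic.net Hello example.org [122.167.111.114]
| SIZE 52428800
| PIPELINING
| AUTH PLAIN LOGIN
| STARTTLS
| 250 HELP
|_ Commands supported: AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
53/tcp open domain
80/tcp open http
|_ HTML title: cPanel
135/tcp filtered msrpc
3306/tcp open mysql
"""

# "21/tcp open ftp" -> port, protocol, state, service name.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return a list of port records; NSE script lines ('|', '|_') are
    attached to the port record that precedes them."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "script": [],
            })
        elif line.startswith("|") and ports:
            # Strip the '|', '|_' and leading spaces nmap uses for script output.
            ports[-1]["script"].append(line.lstrip("|_ ").strip())
    return ports


def open_ports(ports):
    """Port numbers reported as open (filtered ports are not reachable)."""
    return [p["port"] for p in ports if p["state"] == "open"]


def find_weak_services(ports):
    """Return (port, description) tuples for services worth flagging."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        script = p["script"]
        blob = "\n".join(script)
        if p["service"] == "ftp" and "Anonymous login allowed" in blob:
            findings.append((p["port"], "anonymous FTP login allowed"))
        if p["service"] == "ssh" and "SSHv1" in blob:
            findings.append((p["port"], "SSH protocol version 1 supported"))
        if p["service"] == "smtp":
            # An 'AUTH ...' line in the EHLO banner means the mechanisms are
            # offered before STARTTLS, so a client can send its password in
            # cleartext even though TLS is available.
            mechs = [l.split()[1:] for l in script if l.startswith("AUTH ")]
            if mechs:
                findings.append((p["port"],
                                 "SMTP offers AUTH %s in plaintext EHLO response"
                                 % "/".join(mechs[0])))
    return findings


if __name__ == "__main__":
    parsed = parse_nmap(NMAP_REPORT)
    print("open ports:", open_ports(parsed))
    for port, desc in find_weak_services(parsed):
        print("%5d/tcp  %s" % (port, desc))
```

Feed it the full report by replacing NMAP_REPORT with the saved output of `nmap -sV -sC <host> -oN report.txt`; the parser only depends on the `port/proto state service` line shape and the `|`/`|_` script prefixes, which nmap's normal output has used for years.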
Update: The phishing site has been successfully disabled. Interestingly, the domain name now points to 74.54.176.34 instead of 206.221.179.205 as before. All the malicious services are gone as well, and the node is no longer part of the botnet. Yet another phishing site taken down !! :)