IRC -> smtp worm?

From: Joao Gouveia (tharbadat_private)
Date: Tue Dec 17 2002 - 18:37:08 PST


    Hello list,
    
    Is anyone aware of some kind of IRC worm that uses SMTP servers to act
    as a spy client or something like that?
    While taking a look at an IDS log of a client, I saw several alerts that
    were triggered and classified as "IRC traffic" directed to an SMTP server
    on port 25. Nothing odd about that at first glance, as it could be
    just a simple copy/paste of an IRC log sent via mail. But in this
    particular situation (that is causing hundreds of alerts/day), the
    format of the mail is anything but "normal".
    Here is a sample (IRC user data changed):
    <quote>
    HELO x4i8x4
    RSET
    MAIL FROM: <>
    RCPT TO: <mask!__at_private PRIVMSG #channel :LOL>
    </quote>
    
    Obviously the server is responding with a "501 5.5.4 Invalid Address".
    Not that I consider this a serious issue (from the server side of
    course), but I'm curious about what's causing this behaviour.
    
    Sorry if this is a well-known issue, but I've done a somewhat limited
    search and came up with nothing that applies.
    
    Regards,
    
    Joao Gouveia
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
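
Added example, not part of the original post: a small Python triage filter that separates the case described above (IRC protocol text inside an SMTP envelope command) from the benign case of an IRC log pasted into a mail body. The function name, verb list and sample session are constructed for illustration; the input is assumed to be client-side SMTP lines only, with DATA assumed accepted by the server.

```python
import re

# IRC verb as its own whitespace-delimited token followed by an argument,
# so an ordinary mailbox such as <join@example.org> does not match.
IRC_VERB = re.compile(
    r"(?:^|\s)(PRIVMSG|NOTICE|JOIN|PART|NICK|MODE|KICK|TOPIC)\s+\S", re.IGNORECASE)
# "#channel :text" pattern used by IRC messages sent to a channel.
IRC_CHANNEL_MSG = re.compile(r"#\S+\s+:")
ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*(.*)$", re.IGNORECASE)

def scan_smtp_session(lines):
    """Return (line_no, command, reasons) for each MAIL FROM / RCPT TO whose
    argument looks like IRC traffic. Lines between DATA and the closing "."
    are message body and are skipped, so a pasted IRC log does not alert."""
    findings, in_data = [], False
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if in_data:
            in_data = line != "."
            continue
        if line.upper() == "DATA":   # assumption: server answered 354
            in_data = True
            continue
        m = ENVELOPE.match(line)
        if not m or not IRC_VERB.search(m.group(2)):
            continue
        reasons = ["irc-verb"]
        if IRC_CHANNEL_MSG.search(m.group(2)):
            reasons.append("channel-target")
        findings.append((no, m.group(1).upper(), ",".join(reasons)))
    return findings

# Constructed sample: first transaction mirrors the shape quoted in the post,
# second is a normal mail whose body happens to contain the same text.
SAMPLE_SESSION = [
    "HELO x4i8x4", "RSET", "MAIL FROM: <>",
    "RCPT TO: <nick!user@host.example PRIVMSG #channel :LOL>",
    "MAIL FROM: <alice@example.org>", "RCPT TO: <join@example.org>",
    "DATA", "Subject: log", "",
    "RCPT TO: <nick!user@host.example PRIVMSG #channel :pasted>",
    ".", "QUIT",
]

if __name__ == "__main__":
    for finding in scan_smtp_session(SAMPLE_SESSION):
        print(finding)
```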
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 11:33:35 PST