RE: IRC -> smtp worm?

From: Scott Phelps (scottpat_private)
Date: Thu Jan 09 2003 - 11:43:49 PST


    Several email viruses try to locate email addresses within text files on
    the victim's computer; the viruses are usually not too bright when it comes
    to determining what is a valid email address. The @ sign followed by
    something with a dot in it was probably enough for this particular virus to
    identify that string as an email, and to attempt to send a copy of itself
    there.
    
    Scott Phelps
    Dreamwright Studios
    
    
    -----Original Message-----
    From: Joao Gouveia [mailto:tharbadat_private]
    Sent: Tuesday, December 17, 2002 9:37 PM
    To: incidentsat_private
    Subject: IRC -> smtp worm?
    
    
    Hello list,
    
    Is anyone aware of some kind of IRC worm that uses SMTP servers to act
    as a spy client or something like that?
    While taking a look at an IDS log of a client, I saw several alerts that
    were triggered and classified as "IRC traffic" directed to an SMTP server
    on port 25. Nothing odd about that at first glance, as it could be
    just a simple copy/paste of an IRC log sent via mail. But in this
    particular situation ( that is causing hundreds of alerts/day ), the
    format of the mail is everything but "normal".
    Here is a sample (IRC user data changed):
    <quote>
    HELO x4i8x4
    RSET
    MAIL FROM: <>
    RCPT TO: <mask!__at_private PRIVMSG #channel :LOL>
    </quote>
    
    Obviously the server is responding with a "501 5.5.4 Invalid Address".
    Not that I consider this a serious issue ( from the server side of
    course ), but I'm curious about what's causing this behaviour.
    
    Sorry if this is a well known issue, but I've done a somewhat limited
    search and came up with nothing that applies.
    
    Regards,
    
    Joao Gouveia
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
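The harvesting behaviour Scott describes leaves a recognisable trace in SMTP server logs: RCPT TO paths that are really fragments of IRC traffic, as in Joao's sample. The following added example (not code from either poster) scans a constructed SMTP command log and separates ordinary recipients from these scraped-IRC-line addresses; the log lines, the IRC keyword list and the simplified RFC 5321 path pattern are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample of an SMTP server's command log, modelled on the
# exchange quoted in the thread: the RCPT TO argument is an IRC log line
# (nick!user@host PRIVMSG ...) that a naive "@ followed by a dot" harvester
# mistook for an email address. Names and hosts are made up.
SAMPLE_LOG = """\
HELO x4i8x4
RSET
MAIL FROM: <>
RCPT TO: <mask!nick@irc.example.net PRIVMSG #channel :LOL>
RSET
MAIL FROM: <alice@example.org>
RCPT TO: <bob@example.com>
"""

# Simplified RFC 5321 forward-path: <local-part@domain.tld> with no
# whitespace and a dotted domain. Good enough to separate real recipients
# from harvester noise; not a full address validator.
VALID_PATH = re.compile(r"^<([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})>$")

# Assumed IRC protocol keywords that never belong inside an email address.
IRC_TOKENS = ("PRIVMSG", "NOTICE", "JOIN", "#")


def classify_rcpt(arg: str) -> str:
    """Return 'ok', 'irc-harvest' or 'malformed' for one RCPT TO argument."""
    arg = arg.strip()
    if VALID_PATH.match(arg):
        return "ok"
    # An IRC keyword, or a nick!user@host prefix combined with embedded
    # whitespace, marks a scraped IRC line rather than a typo'd recipient.
    if any(tok in arg for tok in IRC_TOKENS) or ("!" in arg and " " in arg):
        return "irc-harvest"
    return "malformed"


def scan_smtp_log(text: str) -> List[Tuple[str, str]]:
    """Return (rcpt_argument, verdict) for every RCPT TO command in the log."""
    results = []
    for line in text.splitlines():
        m = re.match(r"RCPT TO:\s*(.*)$", line, re.IGNORECASE)
        if m:
            arg = m.group(1)
            results.append((arg, classify_rcpt(arg)))
    return results


if __name__ == "__main__":
    for arg, verdict in scan_smtp_log(SAMPLE_LOG):
        print(f"{verdict:12s} {arg}")
```

Counting 'irc-harvest' verdicts per source IP over a day gives a cleaner signal than the generic "IRC traffic" IDS rule, since only the harvester produces addresses in this shape.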
    
    



    This archive was generated by hypermail 2b30 : Tue Jan 21 2003 - 15:33:37 PST