lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1056012576.5166.15.camel@slacker>
From: matthew at textbox.net (Matt)
Subject: is there a new virus?

I have noticed an increase in irc bots using spreader methods, I came
across one recently that was bombing my IP over and over:

Typical mIRC DDoS bot:
dosusal.exe (mIRC executable)
fasdal.exe
index.html (for web stats)
llpxy.exe
markmewd.exe (hide startup)
ox.ocx (main script file)
proxy.exe (starts proxies)
proxy.log
quale.dll (edited moo.dll)
sipal.exe
smqdate.exe (hidewindow)
sptr.exe
sqlme.exe
teaw.exe
wins.ini (mIRC.ini)
wire.exe
After checking it out it seems to have syn attacks, starting a proxy
server,e-mail spreading, sql spreading, iis spreading, netbios/local
network spreading, icq messaging.

The spread file is named trashmanx.exe ~ index.html links to
http://members.aol.com/furthermost/ira/osiris.jpg
-- 
Matt <matthew@...tbox.net>
Textbox Networks

On Thu, 2003-06-19 at 03:27, Philip Stortz wrote:
> is there a new virus out there or an old one spreading like wild fire?  i've been getting a huge number of attempts to initiate a "netbios" session, from ip's all over the place.  i'm on a slow dialup with a dynamic ip, and i got attempts from over 2 dozen ip #'s in just a few hours of use over several sessions with different ip's.  since i use a mac, they aren't too much of a problem, except that they greatly slow things down and sometimes do crash programs.  i've been putting all the offending machines in the stop list of my firewall, but the shear volume and ferocity of these attempts is amazing.  some of them try 3 or 6 times in rapid succession, and repeat every few minutes.  i've been seeing a lot more incursion attempts on other ports as well.  i'm very curious about what's going on, and i suspect that many machines out there are being infected and that the netbios session is just the beginning of a virus that will do something else once it's co-opted enough machines
 ,!
>   i.e. a DOS attack or something else nasty (or if it continues to grow, just a traffic jam on the back bone).  has any one heard of something new or old coming back?  sometimes they start when i've just dialed in and downloaded my email before surfing beyond my isp at all, so they must just be hunting for machines, aggressively.
> 
> along the same lines, there's a machine at 12.247.15.226 that's been randomly throwing packets at me (and likely many "random" addresses) several times a day.  i've complained and asked for an explanation (no one else out there seems to find it necessary to randomly talk all the time) of what's going on and why.  any information would be appreciated, if nothing else so i know why this is being done.  that domain belongs to at&t, so i guess it might be some kind of diagnostic scan, but it's certainly obnoxious, and i have blocked that ip as well.  i block any ip that tries to talk to me before i talk to them, there are no servers here obviously and all traffic slows down my connection and occasionally causes problems (doubtless some of the problems are with how my isp handles the traffic... and some may be stack overflows or other faults).  these communication attempts (unfortunately my current firewall doesn't save the packets so i can't really tell what's happening) often 
 o!
>  ccur several times in a few seconds, and happen several times a day (or even several times in an hour).  they are sometimes netbios sessions, but usually on port 1214, which apparently is used by some viruses/worms/trojans.  i'd really, really like to know what's going on, and as you'd expect att has been useless and failed to even respond.
> 
> any help/explanation of either of these problems would be greatly appreciated.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ