From: tim at night-shade.org.uk (Tim Fletcher)
Subject: Anybody know what Sobig.F has downloaded?

On Sat, 2003-08-23 at 18:55, Tim Fletcher wrote:
> On Fri, 2003-08-22 at 21:33, Compton, Rich wrote:
> > As many of you know, the latest Sobig.F virus was scheduled to begin
> > downloading unknown code from various IPs at 3:00 EST today on UDP port
> > 8998.  Does anybody have any idea what this code is?  Are the infected boxes
> > actually downloading code?  Does anybody have an infected Windoze box with
> > Sobig that can see what code was downloaded?
> 
> While this is 2nd hand I have now heard about the same effect on 2
> different unrelated machines via friends on quakenet (irc)
> 
> <Mikeh> email from a m8
> <Mikeh> got a bit of a prob
> <Mikeh> with me pc, when i go online, after about a minute i get a
> message saying
> <Mikeh> "system is shutting down please save all work inj progress and
> log off,
> <Mikeh> system shut down was initiated by NT Authority/system.
> 
> This could be something totally unrelated but the fact I have now heard
> about it from 2 people since last night of whom 1 was definitely
> infected with Sobig.F I think there is code out there.
> 
> Putting this together with the comments made on the list about traffic
> on udp port 8998 to a different set of ips from some of the Sobig.F
> infected hosts leads me to suggest that there is "something" going on
> but as to what I have very little idea as my only windows machine is for
> playing games on and so sees no email or direct net traffic.

I appear to be putting 2 and 2 together and getting 5 1/2; it's now less
clear (at least to me) if this is MSBlaster or Sobig.F.

Sorry for the additional noise

-- 
   Tim Fletcher 

                                     .~.
       tim@...ht-shade.org.uk        /V\      L   I   N   U   X   
                                    // \\  >Don't fear the penguin<
   irc: Night-Shade on Quakenet    /(   )\
                                    ^^-^^

Justice is incidental to law and order.
                -- J. Edgar Hoover

