From: jheidtke at fmlh.edu (Jerry Heidtke)
Subject: Sobig has a surprise...

I've been unable to find, anywhere, the list of servers that Sobig.e tries to contact. I did find one reference that stated Sobig.e had a list of 22 servers that it tried to contact, not five.

I was able to confirm from several AV sites that while Sobig.e stopped trying to spread several weeks ago, the update feature is still active and launches itself every Monday and Friday. If you, or anyone, can confirm that this is the list from Sobig.e (even by saying something like "Yes, I saw this traffic to these addresses in our firewall logs, checked the system, and it was infected with Sobig.e"), we can all rest a little easier, and I apologize for raising any unnecessary concern.

I didn't pay any attention to Sobig.e when it came out (not my area of responsibility), and wasn't aware that it had the same update capabilities as Sobig.f. I guess I assumed from all the uproar in the press and various lists about Sobig.f that this was some new nastiness only recently discovered. Was this all just more self-serving fear-mongering by the AV companies? Did I fall for it? yewww

I have to go wash my hands now...

Jerry

-----Original Message-----
From: Peter Ferrie [mailto:pferrie@...antec.com]
Sent: Saturday, August 23, 2003 3:58 PM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Sobig has a surprise...

>Ron was asking if anyone had more details about the OTHER addresses
>that Sobig tried to contact:
>
>67.164.250.26/8998
>129.244.36.194/8998
>67.73.60.121/8998
>218.146.139.246/8998
>66.169.84.77/8998
>
>Other people have seen the same thing. The exact circumstances are
>still unknown (at least to me).

This is the IP list for Sobig.E.

8^) p.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information.  Any unauthorized review, use,
disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.
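
The firewall-log check asked for in the message above, as an added example that is not part of the original thread: it matches log lines against the five quoted addresses on port 8998 and notes whether each hit falls on a Monday or Friday. The log format, field names, internal source addresses and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Addresses and port exactly as quoted in the thread above.
LISTED_HOSTS = {
    "67.164.250.26", "129.244.36.194", "67.73.60.121",
    "218.146.139.246", "66.169.84.77",
}
LISTED_PORT = 8998

# Constructed sample log (assumed key=value firewall format, not real traffic).
SAMPLE_LOG = """\
2003-08-25T19:00:02 action=allow src=10.1.4.22 dst=67.164.250.26 dport=8998
2003-08-25T19:00:05 action=allow src=10.1.4.22 dst=129.244.36.194 dport=8998
2003-08-26T09:12:40 action=allow src=10.1.7.9 dst=66.169.84.77 dport=80
2003-08-27T11:30:00 action=deny src=10.1.9.3 dst=203.0.113.10 dport=8998
2003-08-29T19:00:01 action=deny src=10.1.5.80 dst=218.146.139.246 dport=8998
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(\S+)\s+action=(\w+)\s+src=(\S+)\s+dst=(\S+)\s+dport=(\d+)$")

def find_listed_contacts(log_text):
    """Return {internal_src: [hit, ...]} for traffic to a listed host:port."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse instead of failing
        ts, action, src, dst, dport = m.groups()
        # Both the address and the port must match; either alone is noise.
        if dst not in LISTED_HOSTS or int(dport) != LISTED_PORT:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        hits[src].append({
            "time": when, "dst": dst, "action": action,
            # weekday(): Monday is 0, Friday is 4 (the schedule in the thread)
            "on_update_day": when.weekday() in (0, 4),
        })
    return dict(hits)

if __name__ == "__main__":
    for src, found in sorted(find_listed_contacts(SAMPLE_LOG).items()):
        for h in found:
            print(src, "->", h["dst"], h["action"], h["time"].isoformat(),
                  "Mon/Fri" if h["on_update_day"] else "other day")
```

A denied connection is still a hit: the firewall blocked the traffic, but the internal source that generated it is the machine to examine.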

