
[f-cpu] Worm attack ! (was Re: End third level navigation)



Hello,

I forward this to the list because the situation is aggravating.

From what i read in other places, this list is not the only target,
it is spreading very fast.

Read carefully.

Michael Riepe wrote:
> On Fri, May 10, 2002 at 07:42:31PM +0200, Yann Guidon wrote:
> > hello
> >
> > michael wrote:
> > <nothing>
> >
> > i got two messages from your address.
> Unlikely. I didn't send anything for days.
> But I got spam from Altera that was sent to f-cpu-outgoing :(

I had remarked too. Read below for the explanation.

It looks like a targeted/"intelligent" attack, because i just got forged
addresses from <archiver@seul.org> and opencores.
a robot is doing this ! It has even posted to the request address,
so i just got a log message of the virus sending his HTML
to the mailsystem ! of course, *I* was mailbombed because
the mailer outputs one error message per line and i got 300KB
of error messages...

      ====================================

          I REPEAT : BE VERY CAREFUL !

      ====================================

The unprotected mail system seems to be in Russia,
as the headers indicate, and they coincide with the other offensive posts.

It looks like :

       Received: (All my server path)
       Received: from mx1.mail.ru (mx1.mail.ru [194.67.57.11]) by vhost.devcon.net (8.9.2/8.9.2) with ESMTP id
                 WAA15966 for <whygee@f-cpu.org>; Fri, 10 May 2002 22:04:28 +0200 (CEST)
       Received: from [212.118.94.130] (helo=Hcvspyah) by mx1.mail.ru with smtp (Exim SMTP.1) id 176Gci-00013I-00
                 for whygee@f-cpu.org; Sat, 11 May 2002 00:04:17 +0400
           From: archiver <archiver@seul.org>
             To: whygee@f-cpu.org
        Subject: Hi,introduction on ADSL
   MIME-Version: 1.0
   Content-Type: multipart/alternative; boundary=Mn8q66UG31k8YaZ05h5c3
     Message-ID: <E176Gci-00013I-00@mx1.mail.ru>

Remark 1 : look at the message-ID and the original IP !

Remark 2 : it is a very targeted attack because the headers are pretty short,
only 2 or 3 hops.

Hypothesis : it scans through online archives.

This is a good assumption because it explains why there is an autoreply from
Altera : The worm forged the list's name and the autoreplier answered to us.
Altera's mail was not spam, but a side-effect of robots talking to each other
and not understanding ... Just like when it talked to the mailing list administrator.

 * If you have posted, the attack seems to be direct
 * If you have not posted, there is still the other risk
   that the message goes through the list.
 * Do not trust the "from" field

> > either someone is forging your address or you have
> > been infected, but i doubt that because you make
> > your own OS and i doubt you use a russian server...
> That mail didn't come from my system.
obviously not.

> I never send HTML mails, nor .exe files (unless you ask me to do it).
>  And my Message-ID usually looks like the one above.
>
> [...]
> > It bounced because it is too large. fortunately.
> 
> Yep. Seems to be a virus.

Worse ! and i'm even more worried.

Be careful,

>  Michael "Tired" Riepe <Michael.Riepe@stud.uni-hannover.de>
>  "All I wanna do is have a little fun before I die"
WHYGEE
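The two remarks in the mail above (look at the Message-ID and the originating IP, and do not trust the From field) can be turned into a mechanical header check. The following script is an added example, not part of the original mail or the f-cpu project: it re-types the Received/From/Message-ID headers quoted above as a constructed sample (folded lines joined, the "(All my server path)" placeholder omitted), walks the Received chain from the bottom up to find the injecting host, and reports the mismatches between that path and what the From and Message-ID headers claim. The heuristics (Message-ID domain, whether any relay belongs to the From domain, unqualified HELO name) are my own choice, not a standard.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the forged message's headers as quoted in the mail above,
# with folded lines joined and the "(All my server path)" placeholder left out.
SAMPLE_HEADERS = """\
Received: from mx1.mail.ru (mx1.mail.ru [194.67.57.11]) by vhost.devcon.net (8.9.2/8.9.2) with ESMTP id WAA15966 for <whygee@f-cpu.org>; Fri, 10 May 2002 22:04:28 +0200 (CEST)
Received: from [212.118.94.130] (helo=Hcvspyah) by mx1.mail.ru with smtp (Exim SMTP.1) id 176Gci-00013I-00 for whygee@f-cpu.org; Sat, 11 May 2002 00:04:17 +0400
From: archiver <archiver@seul.org>
To: whygee@f-cpu.org
Subject: Hi,introduction on ADSL
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=Mn8q66UG31k8YaZ05h5c3
Message-ID: <E176Gci-00013I-00@mx1.mail.ru>

"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)"            # name the sending host announced (or its bare [IP])
    r"(?:\s+\((?P<paren>[^)]*)\))?"    # optional "(reverse-dns [ip])" or "(helo=...)"
    r".*?\bby\s+(?P<by>\S+)",          # the relay that wrote this header line
    re.S,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header into announced name (HELO), IP and receiving relay."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    name, paren, by = m.group("name"), m.group("paren") or "", m.group("by")
    ip = IP_RE.search(name + " " + paren)
    helo = re.search(r"helo=(\S+)", paren)          # Exim style: "(helo=Name)"
    return {
        "helo": helo.group(1) if helo else (None if name.startswith("[") else name),
        "ip": ip.group(1) if ip else None,
        "by": by.lower(),
    }


def domain_of(addr):
    """Domain part of a mailbox or Message-ID, lower-cased."""
    return addr.strip("<> ").rsplit("@", 1)[-1].lower()


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def analyse_headers(raw):
    """Walk the Received chain bottom-up and compare it with From: and Message-ID:."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    origin = hops[-1] if hops else {}    # last Received: header = first hop = injecting host
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    msgid_domain = domain_of(msg.get("Message-ID", ""))
    findings = []
    # Remark 1 of the mail: the Message-ID names the host that generated the message.
    if msgid_domain and not in_domain(msgid_domain, from_domain):
        findings.append(f"Message-ID generated at {msgid_domain}, not in From domain {from_domain}")
    # "Do not trust the From field": a genuine sender normally passes through its own relay.
    if not any(in_domain(h["by"], from_domain) for h in hops):
        findings.append(f"no relay in the path belongs to {from_domain}")
    # A bare, unqualified HELO name from the first hop is typical of a mass mailer.
    if origin.get("helo") and "." not in origin["helo"]:
        findings.append(f"injecting host {origin.get('ip')} announced unqualified HELO {origin['helo']!r}")
    return {
        "hop_count": len(hops),
        "origin_ip": origin.get("ip"),
        "origin_helo": origin.get("helo"),
        "from_domain": from_domain,
        "message_id_domain": msgid_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyse_headers(SAMPLE_HEADERS)["findings"]:
        print("-", line)
```

Run on the sample, it reports the Message-ID from mx1.mail.ru, the absence of any seul.org relay, and the bare HELO name from 212.118.94.130, which is exactly the picture the mail above draws by hand. The same function can be pointed at any raw message to decide whether a list post that claims to come from a known member actually travelled through that member's mail system.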
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe f-cpu       in the body. http://f-cpu.seul.org/