[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[f-cpu] Worm attack ! (was Re: End third level navigation)


I forward this to the list because the situation is aggravating.

From what i read in other places, this list is not the only target,
it is spreading very fast.

Read carefully.

Michael Riepe wrote:
> On Fri, May 10, 2002 at 07:42:31PM +0200, Yann Guidon wrote:
> > hello
> >
> > michael wrote:
> > <nothing>
> >
> > i got two messages from your address.
> Unlikely. I didn't send anything for days.
> But I got spam from Altera that was sent to f-cpu-outgoing :(

I had remarked too. Read below for the explanation.

It looks like a targetted/"intelligent" attack, because i just got forged
addresses from <archiver@seul.org> and opencores.
a robot is doing this ! It has even posted to the request address,
so i just got a log message of the virus sending his HTML
to the mailsystem ! of course, *I* was mailbombed because
the mailer outputs one error message per line and i got 300KB
of error messages...




The unprotected mail system seems to be in Russia,
as the headers indicates, and they coincide with the other offensive posts.

It looks like :

       Received: (All my server path)
       Received: from mx1.mail.ru (mx1.mail.ru []) by vhost.devcon.net (8.9.2/8.9.2) with ESMTP id
                 WAA15966 for <whygee@f-cpu.org>; Fri, 10 May 2002 22:04:28 +0200 (CEST)
       Received: from [] (helo=Hcvspyah) by mx1.mail.ru with smtp (Exim SMTP.1) id 176Gci-00013I-00
                 for whygee@f-cpu.org; Sat, 11 May 2002 00:04:17 +0400
           From: archiver <archiver@seul.org>
             To: whygee@f-cpu.org
        Subject: Hi,introduction on ADSL
   MIME-Version: 1.0
   Content-Type: multipart/alternative; boundary=Mn8q66UG31k8YaZ05h5c3
     Message-ID: <E176Gci-00013I-00@mx1.mail.ru>

Remark 1 : look at the message-ID and the original IP !

Remark 2 : it is a very targetted attack because the headers are pretty short,
only 2 or 3 hops.

Hypothesis : it scans through online archives.

This is a good assumption because it explains why there is an autoreply from
Altera : The worm forged the list's name and the autoreplier answered to us.
Altera's mail was not spam, but a side-effect of robots talking to each others
and not understanding ... Just like when it talked to the mailing list administrator.

 * If you have posted, the attack seems to be direct
 * If you have not posted, there is still the other risk
   that the message goes through the list.
 * Do not trust the "from" field

> > either someone is forging your address or you have
> > been infected, but i doubt that because you make
> > your own OS and i doubt you use a russian server...
> That mail didn't come from my system.
obviously not.

> I never send HTML mails, nor .exe files (unless you ask me to do it).
>  And my Message-ID usually looks like the one above.
> [...]
> > It bounced because it is too large. fortunately.
> Yep. Seems to be a virus.

Worse ! and i'm even more worried.

Be careful,

>  Michael "Tired" Riepe <Michael.Riepe@stud.uni-hannover.de>
>  "All I wanna do is have a little fun before I die"
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe f-cpu       in the body. http://f-cpu.seul.org/