[ale] Virus from "debian-it"

Transam transam at cavu.com
Mon May 13 18:15:36 EDT 2002


I received email this weekend from "debian-it" with the subject
"Questionnaire".

Hmmm.  Debian in Italy?  Why do the headers show as the top level domain with
the country code of .kr in the former Soviet Union?  Why does the initial
"Received:" header (the "from" system is not mentioned otherwise in any header)
show as

     Received: from Nfglpawh ([210.107.205.123])

Why does a "dig -x" on this IP not reverse resolve but instead shows
an authority of

;; AUTHORITY SECTION:
107.210.in-addr.arpa.	12H IN SOA	ns.krnic.net. domain.krnic.net

where I assume krnic.net is the NIC for the top level domain of .kr?

Why especially is a questionnaire over 1800 lines long?  I've been getting
lots of viruses in the past few weeks with a length of about 1800 lines.
While the name of the file shows as ".HTM", the actual file name in
this case showed as "DOC017~1.exe".  Yet another Windows virus had arrived.

Don't open any attachment that you are not *expecting* from someone you know.
It is not enough to know that the account is used by someone you trust
because a virus infecting that machine also will use that account.

Use a virus resistant platform such as Linux or Unix and/or use a virus
filter that we and many other companies offer.

Best regards,

Bob Toxen, President
Fly-By-Day Consulting, Inc.           "Experts in Linux & Network Security"
bob at verysecurelinux.com
http://www.verysecurelinux.com       [Linux/Unix & Network Security Consulting]
http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
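The header and attachment checks the post walks through, as an added example that is not part of the original message: a Python script that pulls the origin IP out of the earliest "Received:" header, can try a reverse lookup on it (the "dig -x" step), and flags an attachment whose displayed name and declared name disagree or end in an executable extension. The sample message is constructed; only the IP, the HELO token "Nfglpawh" and the two file names are taken from the post, and the relay name mail.example.invalid is made up.

```python
"""Triage a suspicious inbound message the way the post does: find the
origin IP in the earliest Received: header, try to reverse-resolve it, and
flag attachments whose displayed name hides an executable.

Added example, not code from the original message.  SAMPLE_RAW is a
constructed message; only the IP, the HELO token and the file names come
from the post.  The relay mail.example.invalid is made up."""
import email
import os
import re
import socket
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly when the attachment is opened.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# IPv4 literal in square brackets, as MTAs write it in Received: headers.
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message (base64 payload is meaningless filler).
SAMPLE_RAW = b"""\
Received: from Nfglpawh ([210.107.205.123])
\tby mail.example.invalid with SMTP; Mon, 13 May 2002 10:00:00 -0400
From: debian-it <debian-it@example.invalid>
To: user@example.invalid
Subject: Questionnaire
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please fill in the attached questionnaire.
--BOUNDARY
Content-Type: application/octet-stream; name="DOC017~1.exe"
Content-Disposition: attachment; filename="DOC017~1.HTM"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--BOUNDARY--
"""


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def first_hop_ip(msg: EmailMessage):
    """IP literal from the earliest Received: header, or None.

    Each relay prepends its own Received: line, so the last one in the
    header block is the one nearest the sender.  Only the line written by
    your own MTA is trustworthy; everything below it could be forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = _BRACKETED_IP.search(str(received[-1]))
    return match.group(1) if match else None


def reverse_lookup(ip: str):
    """PTR name for ip, or None when nothing reverse-resolves (the dig -x case)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None


def attachment_findings(msg: EmailMessage):
    """Reasons to distrust each non-multipart part's file name."""
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        shown = part.get_filename()  # Content-Disposition filename: what the client displays
        ctype = part["Content-Type"]
        declared = ctype.params.get("name") if ctype is not None else None
        for label, name in (("displayed", shown), ("declared", declared)):
            if name and os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
                findings.append(f"{label} name {name!r} has an executable extension")
        if shown and declared and shown.lower() != declared.lower():
            findings.append(f"displayed name {shown!r} differs from declared name {declared!r}")
    return findings


def triage(raw: bytes) -> dict:
    msg = parse(raw)
    return {
        "subject": msg["Subject"],
        "first_hop_ip": first_hop_ip(msg),
        "attachment_findings": attachment_findings(msg),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_RAW)
    ip = report["first_hop_ip"]
    print(f"subject: {report['subject']}")
    print(f"first hop: {ip}  ptr: {reverse_lookup(ip) if ip else 'n/a'}")
    for line in report["attachment_findings"]:
        print("  -", line)
```

Everything except reverse_lookup works offline; that function makes a real PTR query, so call it only where DNS access is acceptable. The mismatch between the Content-Disposition filename and the Content-Type name parameter is the piece worth alerting on, since a mail client may display one while a file-association lookup uses the other.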
