Bugtraq mailing list archives
New worm?
From: Karousel <no.email () isp com>
Date: Sat, 27 Mar 2004 14:17:45 -0500
Hi,

I think it's a new worm spreading on Undernet. The worm PRIVMSGs users with an IP address and port like this (IP and port never change):

[07:53] <C96347981> http://69.157.174.169:2233/

If you telnet to this address, you'll get:

C:\telnet 69.157.174.169 2233
GET / HTTP/1.1

HTTP/1.1 200 OK
Server: My Bitchin' IE Infector
Date: Sat Mar 27 13:22:27 2004
Content-type: text/html
Accept-Encoding: identity
Accept-ranges: bytes

<<snip content>>

Connection to host lost.
C:\

It may not be related, but telnetting to port 80 will disconnect you with an "unknown" response as soon as you type a letter:

C:\telnet 69.157.174.169 80
GUNKNOWN
Connection to host lost.
C:\

Each user who sent me this address seems to have had (almost) the same pattern for nick and full name: 1 letter followed by a number. Some full names are followed by 11 numbers, others by 12 numbers. None of them was on any channels at all.

C14130657 is Guest18231 () Toronto-HSE-ppp3970074 sympatico ca * E63731312752
S66185921 is ~M93079924 () pcp01044550pcs villgs01 fl comcast net * O12647092342
C96347981 is ~O98407918 () host217-44-126-36 range217-44 btcentralplus com * Y710488319397
M84234958 is Guest92377 () AOrleans-103-1-33-71 w81-250 abo wanadoo fr * O58235883713
Z29553055 is Guest58875 () nwc102-194 nwconx net * E815603852272
O23413228 is Guest32361 () 062249161030 customer alfanett no * F729082226753
I65330976 is ~E89040321 () adsl-216-103-54-205 dsl lsan03 pacbell net * C527516603470

The ISP (sympatico.ca) was notified on March 27 at 10:00 am and this computer is still up.
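The nick and full-name pattern described in the message above, written as a check over /whois lines in the archive's format. This is an added example, not part of the original post. The function names are hypothetical, the 8-digit nick length and the uppercase letter are assumptions read off the samples in the post, and the last three sample lines are constructed.

```python
import re

# Archive-style /whois line: "NICK is IDENT () HOST * REALNAME".
# "()" is the archive's stand-in for "@"; host dots appear as spaces.
WHOIS_RE = re.compile(
    r"^(?P<nick>\S+) is (?P<ident>\S+) \(\) (?P<host>.+?) \* (?P<realname>.+)$"
)

# Pattern reported in the post: one letter followed by digits, with
# 11 or 12 digits in the full name. Assumption: 8 digits in the nick
# and an uppercase letter, as seen in every sample the post lists.
NICK_RE = re.compile(r"^[A-Z]\d{8}$")
REALNAME_RE = re.compile(r"^[A-Z]\d{11,12}$")


def parse_whois(line):
    """Split one whois line into its fields, or return None if it does not parse."""
    m = WHOIS_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspect(record, channels=()):
    """True when nick and full name both fit the pattern and the user is in no channels."""
    return bool(
        NICK_RE.match(record["nick"])
        and REALNAME_RE.match(record["realname"])
        and not channels
    )


def flag_senders(lines):
    """Return the nicks whose whois line matches the reported pattern."""
    records = (parse_whois(line) for line in lines)
    return [r["nick"] for r in records if r and is_suspect(r)]


SAMPLE = [
    # Two lines taken from the post.
    "C14130657 is Guest18231 () Toronto-HSE-ppp3970074 sympatico ca * E63731312752",
    "C96347981 is ~O98407918 () host217-44-126-36 range217-44 btcentralplus com * Y710488319397",
    # Constructed negatives: ordinary user, short nick, 10-digit full name.
    "alice is ~alice () host example net * Alice Example",
    "B1234 is ~b () host example net * B12345678901",
    "D12345678 is ~d () host example net * D1234567890",
]

if __name__ == "__main__":
    print(flag_senders(SAMPLE))
```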