Security Incidents mailing list archives
Re: lifestages on IRC
From: vinceh () TECHDREAMS COM (Vincent Hillier)
Date: Mon, 10 Jul 2000 07:39:23 -0400
On Sun, 9 Jul 2000, Omicron N wrote:
> Hi, I was on IRC (on Win 2000) when I received a message window asking for permission to transfer the file LIFE_STAGES.TXT. I naturally said no. But when I saw the message in the Server connection window, the name was LIFE_STAGES.SHS. Now the threat from a virus/worm remains remote if the user is alert. But what I want to know is if it is possible to fool the user into clicking the wrong button and making him execute the file.
Yes, it is. Users who are not very computer inclined would probably say YES and accept the file; this is common, very common. You will see people sending mypicture.bmp.vbs and the like via IRC. However, the user must then go to the client download directory and click on the file. Some ircds are now filtering files; they will not allow certain filetypes to be sent via DCC.
> Is it possible to spoof the IP address given by the IRC client to the IRC server?
Most commonly, people use a "vhost", which is a virtual host via a BNC (IRC Bouncer), basically an IRC proxy server. So the given IP may not really be that of the user sitting behind a terminal, but of the server running the BNC.
> Actually, I'm new to IRC and don't know anything about this. This "offer" of a file happened twice, so I've started using IRC on Linux only.
> Also, what can I do to track the guy who was doing me this "favor"?
More often than not, the users sending you these files really do not know they are sending them. Most worms nowadays embed themselves into the client's remotes (most commonly the mIRC client), and these files get sent to anyone that joins the channel, without the user at the terminal even knowing. As for tracking, /dns nickname will return the user's IP, but as stated above, this may not be accurate.
Vincent Hillier
vince () lansystems com
Network Administrator
http://www.lansystems.com
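The DCC filetype filtering mentioned in the reply above, sketched as an added example (not part of the original message and not any ircd's own code): it parses a CTCP DCC SEND offer and flags double extensions such as mypicture.bmp.vbs. The extension lists, function names and sample offers are assumptions constructed for the illustration.

```python
import ipaddress
import re

# Assumed lists for this example: .vbs and .shs come from the thread,
# the rest are other Windows-executable types and common decoy types.
RISKY_EXT = {"vbs", "shs", "exe", "scr", "pif", "bat", "com", "js"}
DECOY_EXT = {"txt", "bmp", "jpg", "gif", "doc"}

# CTCP payload: \x01DCC SEND <file> <ipv4-as-decimal-int> <port> [size]\x01
# File names containing spaces are sent in double quotes.
DCC_RE = re.compile(
    r'^\x01DCC SEND (?:"([^"]+)"|(\S+)) (\d+) (\d+)(?: (\d+))?\x01$')

# Constructed sample offers (not captured traffic).
SAMPLE_BARE = "\x01DCC SEND mypicture.bmp.vbs 3232235777 1024 4096\x01"
SAMPLE_QUOTED = '\x01DCC SEND "holiday photo.bmp.vbs" 167772161 2000\x01'

def parse_dcc_send(ctcp):
    """Return the offer as a dict, or None if it is not a valid DCC SEND."""
    m = DCC_RE.match(ctcp)
    if not m or int(m.group(3)) > 0xFFFFFFFF:
        return None
    quoted, bare, ip_int, port, size = m.groups()
    return {"filename": quoted or bare,
            "ip": str(ipaddress.IPv4Address(int(ip_int))),
            "port": int(port),
            "size": int(size) if size else None}

def classify(filename):
    """'masquerade' for decoy+risky double extension, else 'risky' or 'ok'."""
    # Windows drops trailing dots and spaces, so strip them before splitting.
    parts = filename.lower().rstrip(". ").split(".")
    if len(parts) < 2 or parts[-1] not in RISKY_EXT:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        return "masquerade"
    return "risky"

def review_offer(ctcp):
    """Parse an offer and attach a verdict and a block decision."""
    offer = parse_dcc_send(ctcp)
    if offer is None:
        return None
    offer["verdict"] = classify(offer["filename"])
    offer["block"] = offer["verdict"] != "ok"
    return offer

if __name__ == "__main__":
    for raw in (SAMPLE_BARE, SAMPLE_QUOTED):
        print(review_offer(raw))
```

The address in the offer is whatever the sending client advertises, so it carries the same caveat as the /dns lookup described in the reply.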