Security Incidents mailing list archives
Re: Hybris Worm
From: gabriel rosenkoetter <gr () ECLIPSED NET>
Date: Sun, 4 Feb 2001 12:05:16 -0500
On Sun, Feb 04, 2001 at 12:18:19PM +1100, Gilbert Alaverdian wrote:
> notice the name of the guy's box that sent it....
If you mean this:
Received: from hacker (ppp-171-74.30-151.libero.it [151.30.74.171])
That's not a mailbox name, but a (faked, obviously) hostname, probably the one provided on the EHLO line to the SMTP server where he injected this mail. Which would appear to be running:
by xticket (2.5 Build 2640 (Berkeley 8.8.6)/8.8.4) with SMTP
The validity of that IP address is also questionable, but it might be worth getting in touch with the good folks at libero.it and seeing who was connected to that slot on their dial-up box at that time. (It's almost definitely a stolen account, of course.)
~ g r @ eclipsed.net
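The distinction drawn in the message above, between the name the client announced and what the receiving server recorded, shown as an added example that is not part of the original post. It assumes the sendmail-style `from NAME (RDNS [IP])` layout, and the sample joins the two header fragments quoted in the message into one folded header; the function and field names are hypothetical.

```python
import ipaddress
import re

# Sendmail-style clause: from <HELO name> (<reverse DNS> [<peer IP>])
FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+(?P<proto>[A-Za-z0-9]+)", re.IGNORECASE)

# Constructed sample: the two fragments quoted in the message, folded together.
SAMPLE = ("Received: from hacker (ppp-171-74.30-151.libero.it [151.30.74.171])\n"
          "\tby xticket (2.5 Build 2640 (Berkeley 8.8.6)/8.8.4) with SMTP")


def parse_received(header):
    """Separate what the client claimed from what the receiving MTA recorded."""
    text = " ".join(header.split())          # unfold continuation lines
    m = FROM_RE.search(text)
    if m is None:
        return None                          # no from-clause in this layout
    try:
        ip = str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        ip = None                            # bracketed value is not an address
    rest = text[m.end():]
    by = BY_RE.search(rest)
    proto = WITH_RE.search(rest)
    helo, rdns = m.group("helo"), m.group("rdns")
    return {
        "helo": helo,                        # client-supplied, trivially forged
        "rdns": rdns,                        # looked up by the receiving server
        "peer_ip": ip,                       # socket peer seen by that server
        "by": by.group("by") if by else None,
        "protocol": proto.group("proto") if proto else None,
        "helo_is_fqdn": "." in helo.strip("."),
        "helo_matches_rdns": bool(rdns) and helo.lower() == rdns.lower(),
    }


if __name__ == "__main__":
    for key, value in parse_received(SAMPLE).items():
        print(f"{key:18} {value}")
```

Only the bracketed address and the reverse-DNS name come from the receiving server, and they are only as reliable as that hop itself.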
Current thread:
- Hybris Worm Gilbert Alaverdian (Feb 03)
- Re: Hybris Worm Brett Glass (Feb 04)
- Re: Hybris Worm gabriel rosenkoetter (Feb 04)
- Re: Hybris Worm PRESSO-CERT (Feb 04)