Security Incidents mailing list archives
IRC -> smtp worm?
From: Joao Gouveia <tharbad () kaotik org>
Date: 18 Dec 2002 02:37:08 +0000
Hello list,

Is anyone aware of some kind of IRC worm that uses SMTP servers to act as a spy client or something like that?

While taking a look at an IDS log of a client, I saw several alerts that were triggered and classified as "IRC traffic" directed to an SMTP server on port 25. Nothing odd about that at first glance, as it could be just a simple copy/paste of an IRC log sent via mail. But in this particular situation (that is causing hundreds of alerts/day), the format of the mail is anything but "normal".

Here is a sample (IRC user data changed):

<quote>
HELO x4i8x4
RSET
MAIL FROM: <>
RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>
</quote>

Obviously the server is responding with a "501 5.5.4 Invalid Address".

Not that I consider this a serious issue (from the server side of course), but I'm curious about what's causing this behaviour.

Sorry if this is a well known issue, but I've done a somewhat limited search and came up with nothing that applies.

Regards,
Joao Gouveia

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
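A detection sketch for the pattern in the sample above, added here as an example and not part of the original post: it flags SMTP envelope commands whose address path is really an IRC message (a `nick!user@host` prefix followed by an IRC verb). The function name, the verb list and the second sample session are assumptions made for illustration.

```python
import re

# IRC verbs (RFC 1459) that would show up if IRC lines end up inside SMTP commands.
IRC_VERBS = ("PRIVMSG", "NOTICE", "JOIN", "PART", "QUIT", "NICK", "MODE", "KICK")

# SMTP envelope command: "MAIL FROM:<path>" or "RCPT TO:<path>".
ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<(.*)>\s*$", re.IGNORECASE)
# IRC message prefix "nick!user@host" followed by a verb and its arguments.
IRC_IN_PATH_RE = re.compile(
    r"^(?P<nick>[^\s!@]+)!(?P<user>[^\s@]+)@(?P<host>\S+)\s+"
    r"(?P<verb>%s)\b(?P<rest>.*)$" % "|".join(IRC_VERBS)
)

def find_irc_in_envelope(session_lines):
    """Return one finding per envelope command whose path is an IRC message."""
    findings = []
    for lineno, raw in enumerate(session_lines, start=1):
        m = ENVELOPE_RE.match(raw.strip())
        if not m:
            continue  # HELO, RSET, DATA, ... are not envelope commands
        irc = IRC_IN_PATH_RE.match(m.group(2).strip())
        if irc:
            findings.append({
                "line": lineno,
                "smtp_command": m.group(1).upper(),
                "nick": irc.group("nick"),
                "host": irc.group("host"),
                "irc_verb": irc.group("verb"),
                "irc_args": irc.group("rest").strip(),
            })
    return findings

# Session quoted in the post (the poster had already changed the IRC user data).
POSTED_SESSION = [
    "HELO x4i8x4",
    "RSET",
    "MAIL FROM: <>",
    "RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>",
]
# Constructed ordinary session, for contrast: no findings expected.
NORMAL_SESSION = [
    "HELO mail.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
]

if __name__ == "__main__":
    for finding in find_irc_in_envelope(POSTED_SESSION):
        print(finding)
```

Grouping the findings by source address and by the `host` field separates a single misbehaving client from many clients relaying the same IRC user's lines.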