Security Incidents mailing list archives
Re: IRC -> smtp worm?
From: Þórhallur Hálfdánarson <tolli () tol li>
Date: Wed, 18 Dec 2002 16:45:51 +0000
-*- Joao Gouveia <tharbad () kaotik org> [ 2002-12-18 15:51 ]:
> Hello list,
>
> Is anyone aware of some kind of IRC worm that uses SMTP servers to act as a spy client or something like that?
>
> While taking a look at an IDS log of a client, I saw several alerts that were triggered and classified as "IRC traffic" directed to an SMTP server on port 25. Nothing odd about that at first glance, as it could be just a simple copy/paste of an IRC log sent via mail. But in this particular situation (that is causing hundreds of alerts/day), the format of the mail is anything but "normal".
>
> Here is a sample (IRC user data changed):
>
> <quote>
> HELO x4i8x4
> RSET
> MAIL FROM: <>
> RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>
> </quote>
>
> Obviously the server is responding with a "501 5.5.4 Invalid Address". Not that I consider this a serious issue (from the server side of course), but I'm curious about what's causing this behaviour.
>
> Sorry if this is a well known issue, but I've done a somewhat limited search and came up with nothing that applies.

IIRC, this was very common when Hybris was at its best. It captures snippets from IRC traffic on a client computer, interprets it as an email address and tries to send mail to that "address".

--
Regards,
Tolli
tolli () tol li
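
Added example, not part of the original thread: a triage filter a mail administrator could run over logged SMTP commands to find clients that send IRC protocol lines as envelope addresses, as in the sample quoted above. The `(client_ip, line)` input shape and the 192.0.2.x client addresses are constructed assumptions; only the SMTP commands of the first session come from the post.

```python
import re

# Envelope commands whose argument should be an address path.
ENVELOPE = re.compile(r'^(MAIL FROM|RCPT TO):\s*<?(.*?)>?\s*$', re.IGNORECASE)

# IRC message prefix followed by a command: nick!user@host COMMAND [target] [:text]
IRC_IN_PATH = re.compile(
    r'^:?(?P<nick>[^\s!@]+)!(?P<user>[^\s!@]+)@(?P<host>\S+)\s+'
    r'(?P<command>PRIVMSG|NOTICE|JOIN|PART|QUIT|MODE|NICK|TOPIC|KICK)\b'
    r'(?:\s+(?P<target>[^\s:]\S*))?(?:\s+:(?P<text>.*))?$'
)

def find_irc_in_envelope(session_lines):
    """Return one finding per MAIL FROM / RCPT TO whose path is an IRC line.

    session_lines: iterable of (client_ip, smtp_command_line) tuples, a
    hypothetical shape for whatever the MTA or IDS log provides.
    """
    findings = []
    for client_ip, line in session_lines:
        m = ENVELOPE.match(line.strip())
        if not m:
            continue  # HELO, RSET, DATA, ... carry no envelope address
        irc = IRC_IN_PATH.match(m.group(2))
        if irc:
            findings.append({"client": client_ip,
                             "smtp": m.group(1).upper(),
                             **irc.groupdict()})
    return findings

# Constructed sample: the session from the post plus one ordinary delivery.
SAMPLE = [
    ("192.0.2.10", "HELO x4i8x4"),
    ("192.0.2.10", "RSET"),
    ("192.0.2.10", "MAIL FROM: <>"),
    ("192.0.2.10", "RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>"),
    ("192.0.2.20", "HELO mail.example.org"),
    ("192.0.2.20", "MAIL FROM: <alice@example.org>"),
    ("192.0.2.20", "RCPT TO: <bob@example.com>"),
]

if __name__ == "__main__":
    for finding in find_irc_in_envelope(SAMPLE):
        print(finding)
```

Grouping the findings by `client` gives the list of hosts to check for infection; the server-side 501 rejections alone do not identify them.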