Re: Re: SQL injection worm ?

[Willem Koenings <infsec () gmail com>]

On Wed, 5 Jan 2005 18:27:25 -0500 (EST), bugtraq () cgisecurity net
<bugtraq () cgisecurity net> wrote:
> Here is some additional information.

> ³ ircname  : [UNC]69402
> | channels : #!processor
> ³ server   : shellcodewarez.info (ScW Network)
> : idle     : 4 hours 57 mins 9 secs (signon: Tue Jan  4 23:40:01 2005)
> ÚÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ--- --  -
> | [UNC]73047 (vjfud () BFE013F 3F070E03 2BA09B8 IP) (unknown)
> ³ ircname  : [UNC]73047
> | channels : +#!processor
> ³ server   : shellcodewarez.info (ScW Network)
> : idle     : 4 hours 57 mins 26 secs (signon: Wed Jan  5 07:48:45 2005)
>
> As you can see they are masking the ip addresses.

That depends. When new victim arrives on the channel, you can see his IP:

[13:06] * [UNC]08801 (ngnvje@210.93.182.253) has joined #!processor

but on inquery it's really masked, yes:

[13:07] [UNC]08801 is ngnvje () 9665494 1E6027D8 277B9277 IP * [UNC]08801 
[13:07] [UNC]08801 is on #!processor  
[13:07] [UNC]08801 using shellcodewarez.info ScW Network 
[13:07] [UNC]08801 has been idle 49 secs, signed on thursday jan 06 01:18 pm

all the best,

W.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html