Re: W32.Badtrans.B@mm storming my mailservers...

From: Ryan Tucker (rtucker@netacc.net)
Date: 11/26/01

• Previous message: Magni@HammerofGod.com: "Malicious use of grc.com"
• In reply to: Raistlin: "W32.Badtrans.B@mm storming my mailservers..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Mon, 26 Nov 2001 14:55:45 -0500
Subject: Re: W32.Badtrans.B@mm storming my mailservers...
To: "Raistlin" <raistlin@gioco.net>
From: Ryan Tucker <rtucker@netacc.net>
Message-Id: <94438BA8-E2A7-11D5-876E-000393062A52@netacc.net>

We're seeing a lot of it...

Our possible-email-attack alarms have looked like this over the last
week...

2001-11-20 4
2001-11-21 7
2001-11-22 4
2001-11-23 2
2001-11-24 1
2001-11-25 5
2001-11-26 11 (up to 14:30 EST)

We started noticing this worm at 16:44 EST yesterday (11/25)...

Fortunately, html-trap.procmail seems to work well for catching
this. :-) -rt

On Monday, November 26, 2001, at 02:30 , Raistlin wrote:

> I have personally received about 8 copies of this worm today, and my
> mailserver is busy with incoming and outgoing requests of the same
> kind.
>
> Is this a trend out there or it's just my problem ?
>
> Stefano "Raistlin" Zanero
> System Administrator Gioco.Net
> public PGP key block at http://gioco.net/pgpkeys
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>

--
Ryan Tucker <rtucker@netacc.net>
Network Operations Manager, NetAccess, Inc.
http://www.netacc.net/ • (585)419-8252
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

---

• Previous message: Magni@HammerofGod.com: "Malicious use of grc.com"
• In reply to: Raistlin: "W32.Badtrans.B@mm storming my mailservers..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages RE: Malicious web sites ... > This list is provided by the SecurityFocus ARIS analyzer service. ... > For more information on this free incident handling, management ... > and tracking system please see: http://aris.securityfocus.com ... (Incidents) Re: [incident] IIS defacement through FTP, possible DoS ... > This list is provided by the SecurityFocus ARIS analyzer service. ... > For more information on this free incident handling, management ... > and tracking system please see: http://aris.securityfocus.com ... (Incidents) RE: Distributed ICMP/UDP scan or attack? ... This list is provided by the SecurityFocus ARIS analyzer service. ... and tracking system please see: http://aris.securityfocus.com ... For more information on this free incident handling, management ... (Incidents) Re: strange attacks - flood udp packets from 1030 to msql ... > This list is provided by the SecurityFocus ARIS analyzer service. ... For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ... (Incidents) RE: Can anyone identify this backdoor? ... > and tracking system please see: http://aris.securityfocus.com ... This list is provided by the SecurityFocus ARIS analyzer service. ... For more information on this free incident handling, management ... (Incidents)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > incidents  > 2001-11