phpBB - update it now!

ZiaTioN
administrator
Posts: 460
Joined: Tue Apr 08, 2003 3:28 pm

Post by ZiaTioN » Fri Jan 14, 2005 2:04 pm

Yeah, I believe the two are one and the same. I think the infected machine sends out the exploit attempt and attempts to have the target machine download the code from itself. I tried to go to the site in your log example and get the worm code, but it has been removed. If you still have the source code of the worm, I can verify this if you want to send it to me. :-)

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Fri Jan 14, 2005 3:09 pm

No, they are two different sites. Do an nslookup on the download hostname and you will see it does not have the same IP address as the host running the worm. I have about 20 different variations of the code, as for a while I was downloading the code when I saw a new one pop in the logs.

Post by ZiaTioN » Fri Jan 14, 2005 3:21 pm

Yeah, I actually went back to your posted log and noticed that after I posted the last message. So since that was the case, and since you have already written an app to auto-block the IPs as they attempt, I figured added email traffic would just add to the unneeded network congestion, so I have somewhat abandoned that idea.

xeon3d
n00b
Posts: 1
Joined: Sat Feb 12, 2005 12:51 am
Location: Albufeira - Portugal

Post by xeon3d » Sat Feb 12, 2005 12:54 am

Hi.

If you still need Portuguese translating services (free of course ;) ) I'm able to help.

I've also been a victim (to a part) of those stupid Brazilian scriptkiddiez (they're not hackers).

You can reach me at my MSN addy.

Regards.
Marcos.
