PostPosted: Fri Jan 14, 2005 2:04 pm
by ZiaTioN
Yeah, I believe the two are one and the same. I think the infected machine sends out the exploit attempt and attempts to have the target machine download the code from itself. I tried to go to the site in your log example and get the worm code, but it has been removed. If you still have the source code of the worm, I can verify this if you want to send it to me. :-)

PostPosted: Fri Jan 14, 2005 3:09 pm
by Void Main
No, they are two different sites. Do an nslookup on the download hostname and you will see it does not have the same IP address as the host running the worm. I have about 20 different variations of the code, as for a while I was downloading the code whenever I saw a new one pop up in the logs.

PostPosted: Fri Jan 14, 2005 3:21 pm
by ZiaTioN
Yeah, I actually went back to your posted log and noticed that after I posted the last message. Since that was the case, and since you have already written an app to auto-block the IPs as they attempt it, I figured added email traffic would just add to the unneeded network congestion, so I have somewhat abandoned that idea.

PostPosted: Sat Feb 12, 2005 12:54 am
by xeon3d
Hi.

If you still need Portuguese translating services (free of course ;) ), I'm able to help.

I've also been a victim (in part) of those stupid Brazilian scriptkiddiez (they're not hackers).

You can reach me at my MSN addy.

Regards.
Marcos.