[unisog] phishing attack against email credentials at auckland.ac.nz

Russell Fulton r.fulton at auckland.ac.nz
Tue Jun 7 07:25:29 GMT 2005


On Tue, 2005-06-07 at 00:38 -0400, Russell Kaiser wrote:

> Looking at Symantec's website, I see a W32/Mytob.DJ that now matches
> the emails people are seeing and also mentions the 209.67 addresses
> people are seeing:
> 
> http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.dj@mm.html

Yes, we got updates from Symantec about 2 hours after the event.

> Note that the virus description also mentions an IRC controller
> (irc.blackcarder.net port 7000).
> 

We had machines trying to connect to two different IRC servers. From my
Snort logs:

213.251.160.15 ns32200.ovh.net Possible sdbot floodnet detected  attempting to IRC	29
84.244.5.163 serv-2-5-163.lycos-vds.com Possible sdbot floodnet detected attempting to IRC 55

Russell