[87723] in North American Network Operators' Group


[Fwd: Re: sober.z to hit tomorrow]

daemon@ATHENA.MIT.EDU (Wil Schultz)
Fri Jan 6 02:29:55 2006

Date: Thu, 05 Jan 2006 23:29:27 -0800
From: Wil Schultz <wschultz@wilcomm.net>
To: nanog@merit.edu
Errors-To: owner-nanog@merit.edu


Here is some more interesting information. I'm not positive this is 
Sober.Z related but it's walking like and talking like a duck.

First I see the below DNS requests, shortly after I see many SMTP 
packets hitting Hotmail, AOL, Yahoo.com, Yahoo.co.uk, Prodigy, etc. 
Looks like it's... Sending SPAM?!?!
This I didn't expect at all; here is a trace from one of the known 
infected users:

###############################################################
<snip, due to the postmaster's request since it looks like SPAM>
###############################################################

Wil Schultz wrote:

> FYI: I've set some traps on our DNS servers, dunno exactly what this 
> means but I thought that I should share:
>
> Jan  5 18:41:09 myServer named[24490]: client X.X.X.X#1192: query: 
> arcor.de IN MX
> Jan  5 18:45:48 myServer named[24490]: client X.X.X.X#1034: query: 
> freenet.de IN MX
>
> These are the only two logs I have at this point. And I don't recall 
> any other Sober searching for an email server.
>
> -Wil
>
> Wil Schultz wrote:
>
>> Wouldn't it be fun if it contained the WMF exploit in some form?
>> So, I'm planning on using swatch to monitor DNS requests for the 
>> known affected domains. What is everyone else planning to do?
>>
>> -Wil
>>
>>
>
>
>
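As an added example, not part of the thread, here is a small Python detector in the spirit of the swatch idea above: it parses BIND query-log lines in the format quoted in the message and flags clients that issue MX lookups for watch-listed domains (a host that suddenly asks for MX records of several consumer mail providers is behaving like a spam engine rather than a mail client). The watch list reuses the two domains seen in the thread, and the log lines and client addresses are constructed.

```python
import re
from collections import defaultdict

# Matches the BIND query-log format quoted in the thread, e.g.
#   Jan  5 18:41:09 myServer named[24490]: client X.X.X.X#1192: query: arcor.de IN MX
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<client>[^#\s]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Domains the thread saw infected hosts looking up; an assumed watch list.
WATCHLIST = {"arcor.de", "freenet.de"}


def parse_query_line(line):
    """Return (timestamp, client, qname, qtype) or None for non-query lines."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    qname = m.group("qname").lower().rstrip(".")
    return m.group("ts"), m.group("client"), qname, m.group("qtype").upper()


def flag_mx_lookups(lines, watchlist=WATCHLIST, threshold=2):
    """Return {client: [domains]} for clients that sent MX queries for at least
    `threshold` distinct watch-listed domains; other query types are ignored."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        _ts, client, qname, qtype = parsed
        if qtype == "MX" and qname in watchlist:
            hits[client].add(qname)
    return {c: sorted(d) for c, d in hits.items() if len(d) >= threshold}


# Constructed sample log: one host probing MX for both domains, one host doing a
# single MX lookup, one host doing an ordinary A lookup, plus a non-query line.
SAMPLE_LOG = [
    "Jan  5 18:41:09 myServer named[24490]: client 10.0.0.5#1192: query: arcor.de IN MX",
    "Jan  5 18:45:48 myServer named[24490]: client 10.0.0.5#1034: query: freenet.de IN MX",
    "Jan  5 18:46:02 myServer named[24490]: client 10.0.0.9#2201: query: freenet.de IN MX",
    "Jan  5 18:46:10 myServer named[24490]: client 10.0.0.7#3300: query: arcor.de IN A",
    "Jan  5 18:46:11 myServer named[24490]: zone example.net/IN: loaded serial 2006010501",
]

if __name__ == "__main__":
    for client, domains in flag_mx_lookups(SAMPLE_LOG).items():
        print(f"suspect {client}: MX lookups for {', '.join(domains)}")
```

Lower the threshold to 1 to alert on any single watch-listed MX query, as the original swatch plan would.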