New worm?
Mar 27 2004 07:17PM Karousel (no email isp com) (2 replies)
Hi,
I think it's a new worm spreading on Undernet. The worm PRIVMSGs users
with an IP address and port like this (the IP and port never change):
[07:53] <C96347981> http://69.157.174.169:2233/
If you telnet to this address, you'll get
C:\telnet 69.157.174.169 2233
GET / HTTP/1.1
HTTP/1.1 200 OK
Server: My Bitchin' IE Infector
Date: Sat Mar 27 13:22:27 2004
Content-type: text/html
Accept-Encoding: identity
Accept-ranges: bytes
<<snip content>>
Connection to host lost.
C:
It may not be related, but telnetting to port 80 will disconnect you with an
"unknown" response as soon as you type a letter:
C:\telnet 69.157.174.169 80
GUNKNOWN
Connection to host lost.
C:
Each user who sent me this address seems to have had (almost) the same pattern
for nick and fullname: 1 letter followed by numbers. Some fullnames are
followed by 11 numbers, others by 12 numbers. None of them was on any
channels at all.
C14130657 is Guest18231 (at) Toronto-HSE-ppp3970074.sympatico (dot) ca [email concealed] * E63731312752
S66185921 is ~M93079924 (at) pcp01044550pcs.villgs01.fl.comcast (dot) net [email concealed] * O12647092342
C96347981 is ~O98407918 (at) host217-44-126-36.range217-44.btcentralplus (dot) com [email concealed] * Y710488319397
M84234958 is Guest92377 (at) AOrleans-103-1-33-71.w81-250.abo.wanadoo (dot) fr [email concealed] * O58235883713
Z29553055 is Guest58875 (at) nwc102-194.nwconx (dot) net [email concealed] * E815603852272
O23413228 is Guest32361 (at) 062249161030.customer.alfanett (dot) no [email concealed] * F729082226753
I65330976 is ~E89040321 (at) adsl-216-103-54-205.dsl.lsan03.pacbell (dot) net [email concealed] * C527516603470
The ISP (sympatico.ca) was notified on March 27 at 10:00 am and this
computer is still up.
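The nick, full-name and message pattern reported in the post above, written as a detection heuristic over raw IRC server lines. This is an added example, not part of the original post: the sample traffic, the nick `me`, the function names and the three-signal threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Patterns from the post; digit counts match the seven listed users.
NICK_RE = re.compile(r"^[A-Z]\d{8}$")          # nick: 1 letter + 8 digits
REALNAME_RE = re.compile(r"^[A-Z]\d{11,12}$")  # full name: 1 letter + 11 or 12 digits
BARE_URL_RE = re.compile(r"^http://\d{1,3}(?:\.\d{1,3}){3}:\d+/?$")  # only an IP:port URL

def score_senders(raw_lines, me):
    """Map each nick to the set of signals it matched in raw IRC server lines."""
    signals = defaultdict(set)
    whois_seen, on_channels = set(), set()
    for line in raw_lines:
        prefix, _, rest = line.lstrip(":").partition(" ")
        head, _, trailing = rest.partition(" :")
        parts = head.split()
        if len(parts) < 2:
            continue
        if parts[0] == "PRIVMSG" and parts[1] == me:
            nick = prefix.split("!", 1)[0]
            if BARE_URL_RE.match(trailing.strip()):
                signals[nick].add("bare-ip-url")
            if NICK_RE.match(nick):
                signals[nick].add("nick-pattern")
        elif parts[0] == "311" and len(parts) > 2:   # RPL_WHOISUSER
            whois_seen.add(parts[2])
            if REALNAME_RE.match(trailing.strip()):
                signals[parts[2]].add("realname-pattern")
        elif parts[0] == "319" and len(parts) > 2:   # RPL_WHOISCHANNELS (absent if on none)
            on_channels.add(parts[2])
    for nick in (whois_seen - on_channels) & set(signals):
        signals[nick].add("no-channels")
    return dict(signals)

def flagged(raw_lines, me, min_signals=3):
    # Threshold is an assumption: any single signal alone is weak evidence.
    return sorted(n for n, s in score_senders(raw_lines, me).items() if len(s) >= min_signals)

# Constructed sample traffic (documentation addresses, invented nicks).
SAMPLE = [
    ":C00000001!~A00000002@host.example.com PRIVMSG me :http://192.0.2.10:2233/",
    ":irc.example.net 311 me C00000001 ~A00000002 host.example.com * :E12345678901",
    ":irc.example.net 318 me C00000001 :End of /WHOIS list.",
    ":alice!alice@user.example.org PRIVMSG me :see http://www.example.org/ for the faq",
    ":irc.example.net 311 me alice alice user.example.org * :Alice Example",
    ":irc.example.net 319 me alice :#help",
]
print(flagged(SAMPLE, "me"))
```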