Re: [Full-Disclosure] Re: SQL injection worm ?
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Re: SQL injection worm ?
- From: Willem Koenings <infsec@xxxxxxxxx>
- Date: Thu, 6 Jan 2005 13:16:26 +0200
On Wed, 5 Jan 2005 18:27:25 -0500 (EST), bugtraq@xxxxxxxxxxxxxxx
<bugtraq@xxxxxxxxxxxxxxx> wrote:
> Here is some additional information.
> │ ircname : [UNC]69402
> | channels : #!processor
> │ server : shellcodewarez.info (ScW Network)
> : idle : 4 hours 57 mins 9 secs (signon: Tue Jan 4 23:40:01 2005)
> ┌─────---─--──-──────---─--──-─────────--- -- -
> | [UNC]73047 (vjfud@xxxxxxxxxxxxxxxxxxxxxxxxxxx) (unknown)
> │ ircname : [UNC]73047
> | channels : +#!processor
> │ server : shellcodewarez.info (ScW Network)
> : idle : 4 hours 57 mins 26 secs (signon: Wed Jan 5 07:48:45 2005)
>
> As you can see they are masking the ip addresses.
That depends. When a new victim arrives on the channel, you can see his IP:
[13:06] * [UNC]08801 (ngnvje@xxxxxxxxxxxxxx) has joined #!processor
but on inquiry it's really masked, yes:
[13:07] [UNC]08801 is ngnvje@xxxxxxxxxxxxxxxxxxxxxxxxxxxx * [UNC]08801
[13:07] [UNC]08801 is on #!processor
[13:07] [UNC]08801 using shellcodewarez.info ScW Network
[13:07] [UNC]08801 has been idle 49 secs, signed on thursday jan 06 01:18 pm
all the best,
W.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html