Attempts to compromise TOR servers running windows?
Eugen Leitl
eugen at leitl.org
Tue Nov 29 21:14:19 UTC 2005
On Tue, Nov 29, 2005 at 01:06:21PM -0800, jed c wrote:
> When I set up tor I gave this yahoo address as a contact address. Just before the Thanksgiving holiday I noticed a lot of spam with a zipped file containing the sober worm as an attachment. I have since received about three thousand messages and I've begun to notice a pattern. It seems that these are addresses that come from tor contact addresses. I have also received error messages (from Yahoo?) that indicate that mail that I never sent from my yahoo account could not be sent. Any ideas?
I'm seeing these as well. I don't see any reason to suspect
anything other than normal worm activity.
>
> Date: 27 Nov 2005 01:45:20 -0000 From:MAILER-DAEMON at yahoo.com To:n_o_t_here at yahoo.com Subject: failure delivery
> Message from yahoo.com.
> Unable to deliver message to the following address(es).
>
> <root at yahoo.com>:
> This address no longer accepts mail.
>
> --- Original message follows.
>
> Return-Path: <n_o_t_here at yahoo.com>
>
> The original message is over 5k. Message truncated to 1K.
>
> X-Rocket-Spam: 12.220.68.209
> X-YahooFilteredBulk: 12.220.68.209
> X-Rocket-Track: cat=BK;
> info=ip:BK<ip=12.220.68.209,policy=g-w0,n0,g100>;sv:UK<ip=66.218.86.247>
> X-Originating-IP: [12.220.68.209]
> Return-Path: <n_o_t_here at yahoo.com>
> Authentication-Results: mta274.mail.scd.yahoo.com
> from=yahoo.com; domainkeys=neutral (no sig)
> Received: from 12.220.68.209 (HELO bitty.com) (12.220.68.209)
> by mta274.mail.scd.yahoo.com with SMTP; Sat, 26 Nov 2005 17:45:15
> -0800
> From: n_o_t_here at yahoo.com
> Date: Sun, 27 Nov 2005 01:43:46 UTC
> Subject: hi,_ive_a_new_mail_address
> Importance: Normal
> X-Mailer: SpeedMail_V8.87
> X-Priority: 3 (Normal)
> Message-ID: <bb097cf2d5056d34759c at yahoo.com>
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="====206ac3.b394c9d3bcab5"
> Content-Transfer-Encoding: 7bit
> This is a multi-part message in MIME format.
>
> --====206ac3.b394c9d3bcab5
>
> hey its me, my old address dont work at time. i dont know why?!
> in the last days ive got some mails. i' think thaz your mails but im
> not sure!
>
> plz read and check ...
> cyaaaaaaa
> --====206ac3.b394c9d3bcab5
> Content-Type: application/octet-stream; name=mailtext.zip
> Content-Transfer-Encodi
> *** MESSAGE TRUNCATED ***
>
> ---------------------------------
> Yahoo! Music Unlimited - Access over 1 million songs. Try it free.
-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20051129/db2b117c/attachment.pgp>
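As an added example (not part of the list thread or anyone's posted code), a small Python check run over a constructed copy of the bounce headers quoted above. It flags the signs that the "original message" was submitted by some third-party host forging the contact address rather than by the Yahoo account itself: the HELO name is not a yahoo.com host, DomainKeys could not verify the sender domain, and the body carries a zip attachment. The threshold of two indicators is an assumption for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the headers from the bounce quoted in this thread,
# reassembled into one parseable message (not a verbatim capture).
SAMPLE_BOUNCE = """\
Return-Path: <n_o_t_here@yahoo.com>
Authentication-Results: mta274.mail.scd.yahoo.com from=yahoo.com; domainkeys=neutral (no sig)
Received: from 12.220.68.209 (HELO bitty.com) (12.220.68.209)
 by mta274.mail.scd.yahoo.com with SMTP; Sat, 26 Nov 2005 17:45:15 -0800
From: n_o_t_here@yahoo.com
Subject: hi,_ive_a_new_mail_address
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====206ac3.b394c9d3bcab5"

--====206ac3.b394c9d3bcab5
Content-Type: text/plain

hey its me, my old address dont work at time.
--====206ac3.b394c9d3bcab5
Content-Type: application/octet-stream; name=mailtext.zip
Content-Transfer-Encoding: base64

UEsDBAo=
--====206ac3.b394c9d3bcab5--
"""

HELO_RE = re.compile(r"from\s+\S+\s+\(HELO\s+([^)\s]+)\)", re.I)

def sender_domain(msg):
    """Domain part of the From: header, lower-cased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def backscatter_indicators(raw):
    """Return human-readable reasons why this bounce looks like backscatter
    from a forged sender, based only on headers and attachment names."""
    msg = message_from_string(raw)
    dom = sender_domain(msg)
    findings = []
    # 1. The host that handed the mail to Yahoo's MTA identified itself with
    #    a HELO name unrelated to the claimed sender domain.
    for rcvd in msg.get_all("Received", []):
        m = HELO_RE.search(rcvd)
        if m and not m.group(1).lower().endswith(dom):
            findings.append(f"HELO {m.group(1)} does not match sender domain {dom}")
    # 2. DomainKeys did not verify the sender domain (neutral / no signature).
    m = re.search(r"domainkeys=(\w+)", msg.get("Authentication-Results", ""))
    if m and m.group(1).lower() != "pass":
        findings.append(f"domainkeys={m.group(1)}: sender domain not verified")
    # 3. An archive or executable attachment, the worm's delivery vehicle.
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith((".zip", ".exe", ".scr", ".pif")):
            findings.append(f"archive/executable attachment {name}")
    return findings

def is_backscatter_from_forged_sender(raw, threshold=2):
    return len(backscatter_indicators(raw)) >= threshold
```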