sid :2003054: rings on mail sent by [130.217.241.36] ail.scms.waikato.ac.nz -- probably because the machine thinks of itself as "zombie.scms.waikato.ac.nz".

Perhaps content:"EHLO zombie\r\n" is the signature of the zombie mailer?

And a similar one this morning:
[10:05am dominic] grep 'Suspicious SMTP EHLO' /var/log/snort/alert
07/27-08:19:32.292694 [**] [1:2003050:2] BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Intbound [billy] [**] [Classification: A Network Trojan was detected] [Priority: 1] 64.191.75.140:57215 -> 129.97.128.232:25
[10:10am dominic] getent hosts 64.191.75.140
64.191.75.140 64-191-75-140.hostnoc.net
[10:10am dominic] telnet 64.191.75.140 25
Trying 64.191.75.140...
Connected to 64.191.75.140.
Escape character is '^]'.
220 billy.bcpub.com ESMTP Postfix (2.0.18)
quit
221 Bye
Connection closed by foreign host.
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
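Added example (not from the post or the Bleeding-sigs project): a small Python helper that parses Snort "fast" alert lines of the shape quoted above into structured records, filters them the way the grep in the post does, and emulates a Snort content:"..." match against an SMTP EHLO line. The SAMPLE_ALERT constant is a constructed copy of the alert shown in the post, joined onto one line; the alert format and the exact-substring semantics of content: are assumed from Snort's documented behaviour. It shows that the proposed content:"EHLO zombie\r\n" only fires on a bare "EHLO zombie" and not on "EHLO zombie.scms.waikato.ac.nz", which matters when deciding whether the signature covers the host discussed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the alert quoted in the post, joined onto one line as
# Snort writes it to /var/log/snort/alert in "fast" output mode.
SAMPLE_ALERT = (
    '07/27-08:19:32.292694 [**] [1:2003050:2] BLEEDING-EDGE VIRUS Suspicious '
    'SMTP EHLO Intbound [billy] [**] [Classification: A Network Trojan was '
    'detected] [Priority: 1] 64.191.75.140:57215 -> 129.97.128.232:25'
)

# Fields of a Snort fast-alert line: timestamp, [gid:sid:rev], message,
# optional classification, priority, then src:port -> dst:port.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] '
    r'(?P<msg>.*?) \[\*\*\] '
    r'(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$'
)


@dataclass
class Alert:
    timestamp: str
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-alert line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        timestamp=m['ts'], sid=int(m['sid']), rev=int(m['rev']), msg=m['msg'],
        classification=m['cls'], priority=int(m['prio']),
        src=m['src'], sport=int(m['sport']), dst=m['dst'], dport=int(m['dport']),
    )


def grep_alerts(lines, needle: str):
    """Equivalent of `grep 'needle' /var/log/snort/alert`, but structured."""
    return [a for a in map(parse_alert, lines) if a is not None and needle in a.msg]


def ehlo_hostname(command: bytes) -> Optional[bytes]:
    """Return the hostname argument of an EHLO/HELO command, or None."""
    m = re.match(rb'^(?:EHLO|HELO)[ \t]+(\S+)\r?\n?$', command, re.IGNORECASE)
    return m.group(1) if m else None


def content_matches(payload: bytes, content: bytes) -> bool:
    """Emulate a Snort content:"..." option: case-sensitive byte substring.
    (In a rule the CRLF would be written as |0d 0a|.)"""
    return content in payload


if __name__ == '__main__':
    for a in grep_alerts([SAMPLE_ALERT, 'not an alert line'], 'Suspicious SMTP EHLO'):
        print(a.sid, a.src, '->', a.dst, a.dport)
    sig = b'EHLO zombie\r\n'
    for line in (b'EHLO zombie\r\n', b'EHLO zombie.scms.waikato.ac.nz\r\n'):
        print(ehlo_hostname(line), content_matches(line, sig))
```

Feeding the real alert file through grep_alerts (one line per entry) gives the same hits as the grep in the post, plus the source address ready for a getent/whois lookup; the last two lines of output show which EHLO strings the proposed content would actually catch.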