Klez-E

Kham Vue kvue at WADSNET.COM
Thu May 16 12:08:28 IST 2002


I'm new so excuse me.

Where can I find the syslog in REDHAT 5.0?

--------------------------------------------------------------
Kham Vue
Internet Admin
The City of Wadsworth
WADSNET.COM High Speed Internet Service
kvue at wadsnet.com
 "Believe that life is worth living, and your belief will help create the fact."
      --William James

----- Original Message -----
From: "Jeff A. Earickson" <jaearick at COLBY.EDU>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Wednesday, May 15, 2002 4:46 PM
Subject: Re: Klez-E


> Hi,
> I would study the full mail headers of the email (turn this on in
> mailscanner if you don't have them), or search your syslogs for message
> id g4FEfKR17219 and see what IP number the message originated from.
> Then go looking to see who might own the machine attached to that
> IP number.  At my site, I search the syslogs to see who has been
> making POP connections from that IP number.  If there are any POP
> connections associated with the machine, then I know who the owner
> is.  Once I know that then I drag out the boiling oil and thumbscrews.
> The user's account gets locked out, their machine blacklisted in my
> sendmail settings -- they are dead until the machine is cleaned up.
>
> ** Jeff A. Earickson, Ph.D                         PHONE: 207-872-3659
> ** Senior UNIX Sysadmin, Information Technology    EMAIL: jaearick at colby.edu
> ** Colby College, 4214 Mayflower Hill,               FAX: 207-872-3076
> ** Waterville ME, 04901-8842
> ----------------------------------------------------------------------------
>
> On Wed, 15 May 2002, Mike Walker wrote:
>
> > Date: Wed, 15 May 2002 20:57:15 +0100
> > From: Mike Walker <mike at 4frontmedia.net>
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Klez-E
> >
> > Over the last two days we have seen several virus warnings notifications
> > from one of our mailscanner users, we cannot quite determine
> > whether they are infected or is it Klez-E up to tricks.
> > Before we alarm the user and tell him that our scanner missed this one
> > has anybody any thoughts or similar experiences?
> >
> > When we check the quarantined message it is implying that our user was
> > the sender but......with Klez-E who knows?
> > The message we as the provider get from MailScanner is as follows:
> > ***************************************************************************
> > The following e-mail messages were found to have viruses in them:
> >
> > Sender: <>
> > Recipient: < Our users e-mail address appears here > (I've removed to
> > protect identity)
> >
> > Subject: Mail delivery failed: returning message to sender
> >
> > MessageID: g4FEfKR17219
> >
> > Report: /var/spool/MailScanner/incoming/g4FEfKR17219/msg-1060-281.txt/[From
> > emmanuel < Our users e-mail address appears here >][Date Wed, 15 May 2002
> > 15:40:50 +0100]/snoopy.exe infected: I-Worm.Klez.e
> >
> > --
> >
> > MailScanner
> >
> > Email Virus Scanner
> >
> >
> > ____________________________________________________________
> > This message has been scanned for viruses by "VITANIUM" the
> > multi-scan E-mail Virus Protection Service from 4FrontMedia.
> > To safeguard your business call 01233-850906.
> >
> >
>
>
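The quoted reply above describes a manual attribution procedure: take the MailScanner message ID, find the sendmail syslog line that records which relay handed the message in, then look for POP logins from that same address to learn whose machine it is. The following script is an added example, not part of the original thread or of MailScanner; it runs that procedure over a few constructed syslog lines. The log formats (sendmail `from=` lines with a `relay=` field, and `ipop3d` `Login user=... host=... [ip]` lines) are approximations of the daemons of that era, and every hostname, address and timestamp in the sample is constructed. Only the queue ID `g4FEfKR17219` and the user name come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt (not from the original thread). The sendmail
# and ipop3d line layouts are approximations of the real daemons' formats.
SAMPLE_SYSLOG = """\
May 15 15:38:10 mailhost ipop3d[17201]: Login user=emmanuel host=pc45.example.net [192.0.2.45] nmsgs=3/3
May 15 15:39:02 mailhost ipop3d[17205]: Login user=alice host=pc12.example.net [192.0.2.12] nmsgs=0/0
May 15 15:40:52 mailhost sendmail[17219]: g4FEfKR17219: from=<>, size=1024, class=0, nrcpts=1, msgid=<200205151440.g4FEfKR17219@mailhost>, proto=ESMTP, daemon=MTA, relay=pc45.example.net [192.0.2.45]
May 15 15:40:53 mailhost sendmail[17220]: g4FEfKR17219: to=<emmanuel@example.net>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=31024, stat=Sent
May 15 15:41:30 mailhost ipop3d[17230]: Login user=emmanuel host=pc45.example.net [192.0.2.45] nmsgs=4/4
"""

# The "from=" line of a queue ID carries the relay that delivered the message to
# sendmail; the bracketed IP is what we trust, not the (spoofable) header From.
RELAY_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=.*relay=\S* ?\[(?P<ip>[\d.]+)\]"
)

# A POP login ties an IP address to a mailbox owner.
POP_RE = re.compile(
    r"ipop3d\[\d+\]: Login user=(?P<user>\S+) host=\S+ \[(?P<ip>[\d.]+)\]"
)


def find_origin_ip(log_text, queue_id):
    """Return the relay IP that handed queue_id to sendmail, or None if absent."""
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m and m.group("qid") == queue_id:
            return m.group("ip")
    return None


def pop_logins_from(log_text, ip):
    """Return {user: login_count} for POP logins made from the given IP."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = POP_RE.search(line)
        if m and m.group("ip") == ip:
            counts[m.group("user")] += 1
    return dict(counts)


def attribute_message(log_text, queue_id):
    """Combine both steps: queue ID -> originating IP -> POP users seen from it."""
    ip = find_origin_ip(log_text, queue_id)
    if ip is None:
        return None
    return {"ip": ip, "pop_users": pop_logins_from(log_text, ip)}


if __name__ == "__main__":
    result = attribute_message(SAMPLE_SYSLOG, "g4FEfKR17219")
    if result is None:
        print("queue ID not found in log")
    else:
        print(f"origin relay: {result['ip']}")
        for user, n in result["pop_users"].items():
            print(f"  POP logins from that address: {user} ({n})")
```

On a real host the log text would come from the file the syslog configuration points `mail.*` at rather than an inline string, and several days of rotated logs may need to be concatenated. The empty envelope sender (`Sender: <>` in the MailScanner report) is the usual mark of a bounce; since Klez forges header addresses, the relay IP recorded by the MTA is the evidence worth acting on, not the name in the From line.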


