Klez-E

Julian Field jkf at ecs.soton.ac.uk
Thu May 16 15:32:01 IST 2002


At 12:08 16/05/2002, you wrote:
>I'm new so excuse me.
>
>Where can I find the syslog in REDHAT 5.0?

Look in /etc/syslogd.conf or /etc/syslog.conf.
That file will tell you what logs go where.

Type "man syslogd" and things will become clearer.


>--------------------------------------------------------------
>Kham Vue
>Internet Admin
>The City of Wadsworth
>WADSNET.COM High Speed Internet Service
>kvue at wadsnet.com
>  "Believe that life is worth living, and your belief will help create the
> fact."
>       --William James
>
>----- Original Message -----
>From: "Jeff A. Earickson" <jaearick at COLBY.EDU>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Wednesday, May 15, 2002 4:46 PM
>Subject: Re: Klez-E
>
>
> > Hi,
> > I would study the full mail headers of the email (turn this on in
> > mailscanner if you don't have them), or search your syslogs for message
> > id g4FEfKR17219 and see what IP number the message originated from.
> > Then go looking to see who might own the machine attached to that
> > IP number.  At my site, I search the syslogs to see who has been
> > making POP connections from that IP number.  If there are any POP
> > connections associated with the machine, then I know who the owner
> > is.  Once I know that then I drag out the boiling oil and thumbscrews.
> > The user's account gets locked out, their machine blacklisted in my
> > sendmail settings -- they are dead until the machine is cleaned up.
> >
> > ** Jeff A. Earickson, Ph.D                         PHONE: 207-872-3659
> > ** Senior UNIX Sysadmin, Information Technology    EMAIL: jaearick at colby.edu
> > ** Colby College, 4214 Mayflower Hill,               FAX: 207-872-3076
> > ** Waterville ME, 04901-8842
> >
> > ----------------------------------------------------------------------------
> >
> > On Wed, 15 May 2002, Mike Walker wrote:
> >
> > > Date: Wed, 15 May 2002 20:57:15 +0100
> > > From: Mike Walker <mike at 4frontmedia.net>
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Klez-E
> > >
> > > Over the last two days we have seen several virus warning notifications
> > > from one of our mailscanner users; we cannot quite determine
> > > whether they are infected or whether it is Klez-E up to tricks.
> > > Before we alarm the user and tell him that our scanner missed this one,
> > > has anybody any thoughts or similar experiences?
> > >
> > > When we check the quarantined message it is implying that our user was
> > > the sender but......with Klez-E who knows?
> > > The message we as the provider get from MailScanner is as follows:
> > >
> > > ***************************************************************************
> > > The following e-mail messages were found to have viruses in them:
> > >
> > > Sender: <>
> > > Recipient: < Our users e-mail address appears here > (I've removed to
> > > protect identity)
> > >
> > > Subject: Mail delivery failed: returning message to sender
> > >
> > > MessageID: g4FEfKR17219
> > >
> > > Report:
> > > /var/spool/MailScanner/incoming/g4FEfKR17219/msg-1060-281.txt/[From
> > > emmanuel < Our users e-mail address appears here >][Date Wed, 15 May 2002
> > > 15:40:50 +0100]/snoopy.exe infected: I-Worm.Klez.e
> > >
> > > --
> > >
> > > MailScanner
> > >
> > > Email Virus Scanner
> > >
> > >
> > > ____________________________________________________________
> > > This message has been scanned for viruses by "VITANIUM" the
> > > multi-scan E-mail Virus Protection Service from 4FrontMedia.
> > > To safeguard your business call 01233-850906.
> > >
> > >
> >
> >

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
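The tracing procedure Jeff describes above (find the syslog entry for the MailScanner message id, read the originating IP from sendmail's relay= field, then look for POP logins from that IP) as an added example; this is not code from the thread or from MailScanner. The syslog lines are constructed, and the sendmail and ipop3d line formats are assumptions about the logging of the time, so adjust the regexes to your own log format. Note that the envelope From names "emmanuel" while the POP logins from the relay IP belong to a different user, which is exactly the Klez spoofing Mike asked about.

```python
import re
from collections import Counter

# Constructed sample syslog lines (assumed sendmail/ipop3d formats; not from the list post).
SAMPLE_SYSLOG = """\
May 15 15:31:02 mailhost ipop3d[17180]: Login user=alice host=pc12.example.net [192.0.2.45]
May 15 15:38:10 mailhost ipop3d[17201]: Login user=bob host=lab7.example.net [198.51.100.9]
May 15 15:40:52 mailhost sendmail[17219]: g4FEfKR17219: from=<emmanuel@example.net>, size=48213, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=pc12.example.net [192.0.2.45]
May 15 15:40:53 mailhost sendmail[17222]: g4FEfKR17219: to=<victim@example.org>, delay=00:00:01, mailer=esmtp, relay=mx.example.org. [203.0.113.7], stat=Sent
May 15 15:45:30 mailhost ipop3d[17240]: Login user=alice host=pc12.example.net [192.0.2.45]
"""

# Only the envelope "from=" line carries the relay that handed the message to us;
# the "to=" line's relay is the next hop outbound, so it must not be matched.
RELAY_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=.*?relay=(?:[\w.-]+ )?\[(?P<ip>[\d.]+)\]"
)
POP_RE = re.compile(r"ipop3d\[\d+\]: Login user=(?P<user>\S+) host=\S+ \[(?P<ip>[\d.]+)\]")


def origin_ip(log_text, queue_id):
    """Return the IP of the host that submitted the message with this sendmail queue id."""
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m and m.group("qid") == queue_id:
            return m.group("ip")
    return None  # no envelope-from line with a relay address (e.g. locally submitted)


def pop_users_from(log_text, ip):
    """Count POP logins per username coming from the given IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = POP_RE.search(line)
        if m and m.group("ip") == ip:
            counts[m.group("user")] += 1
    return counts


def trace_sender(log_text, queue_id):
    """Tie a quarantined message back to the machine, and likely user, that sent it."""
    ip = origin_ip(log_text, queue_id)
    if ip is None:
        return None
    return ip, dict(pop_users_from(log_text, ip))


if __name__ == "__main__":
    print(trace_sender(SAMPLE_SYSLOG, "g4FEfKR17219"))
```

The header From is what Klez forges; the relay IP and the POP logins are what it cannot forge, which is why the syslog, not the quarantined message, answers the question.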
