bl4ck_fr1d4y
Ugo Bellavance
ugob at camo-route.com
Mon Jul 24 03:15:18 IST 2006
Hi,
I got those weird logs on one of my servers. Why is MailScanner
logging this? It is rather unusual to have only a file name or
directory logged, isn't it?
All I could find about this is
http://www.blacksecurity.org/alpha/news/Bl4ck_Fr1d4y/5.html
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/bl4ck_readme.txt
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/bl4ck_ms06_036.py
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/scapy.pyc
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/scapy.py
Jul 21 20:07:10 server MailScanner[5309]:
[...]
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_014/
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_014/bl4ck_ms06_014.py
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_014/bl4ck_readme.txt
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/rbl4ck_sendmail/
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/rbl4ck_sendmail/rbl4ck-sendmail.py
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/bl4ck_fr1d4y.txt
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/bl4ck_cyrus-imapd/
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/bl4ck_cyrus-imapd/cyrus-imapd-expl.rb
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/quickclient.c
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/shellcode.c
Jul 21 20:07:10 server MailScanner[5309]: bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/sparcpoc.s
All I can think of is that the archive found on the website (see above)
transited through this server, but why the logs?
I didn't see other weird log entries.
Any ideas welcome,
Ugo