bl4ck_fr1d4y

Mike Kercher mike at vesol.com
Mon Jul 24 05:03:19 IST 2006 

I downloaded the tarball and the contents match what's in your logs.
Perhaps someone emailed the tarball to one of your users.

Mike
 

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> Of Ugo Bellavance
> Sent: Sunday, July 23, 2006 9:15 PM
> To: mailscanner at lists.mailscanner.info
> Subject: bl4ck_fr1d4y
> 
> Hi,
> 
> 	I got those weird logs on one of my servers.  Why is 
> MailScanner logging this?  It is rather unusual to have only 
> a file name or directory logged, isn't it?
> 
> All I could find about this is
> 
> http://www.blacksecurity.org/alpha/news/Bl4ck_Fr1d4y/5.html
> 
> Jul 21 20:07:10 server MailScanner[5309]: 
> bl4ck_fr1d4y_2006-07-21/ Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/bl4ck_readme.txt
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/bl4ck_ms06_036.py
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/scapy.pyc
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/scapy.py
> Jul 21 20:07:10 server MailScanner[5309]:
> 
> [...]
> 
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_014/
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_014/bl4ck_ms06_014.py
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_014/bl4ck_readme.txt
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/rbl4ck_sendmail/
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/rbl4ck_sendmail/rbl4ck-sendmail.py
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/bl4ck_fr1d4y.txt
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/bl4ck_cyrus-imapd/
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/bl4ck_cyrus-imapd/cyrus-imapd-expl.rb
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/quickclient.c
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/shellcode.c
> Jul 21 20:07:10 server MailScanner[5309]:
> bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/sparcpoc.s
> 
> All I can think of is that the archive found an the website 
> (see above) transited through this server, but why the logs?
> 
> I didn't see other weird log entries.
> 
> Any ideas welcome,
> 
> Ugo
> 
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 
>

More information about the MailScanner mailing list