bl4ck_fr1d4y

Ugo Bellavance ugob at camo-route.com
Mon Jul 24 13:19:49 IST 2006


Mike Kercher wrote:
> I downloaded the tarball and the contents match what's in your logs.
> Perhaps someone emailed the tarball to one of your users.

Yeah, I did extract it as well...  But does MailScanner normally log
every file when it extracts a tarball?

> 
> Mike
>  
> 
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info 
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
>> Of Ugo Bellavance
>> Sent: Sunday, July 23, 2006 9:15 PM
>> To: mailscanner at lists.mailscanner.info
>> Subject: bl4ck_fr1d4y
>>
>> Hi,
>>
>> 	I got those weird logs on one of my servers.  Why is 
>> MailScanner logging this?  It is rather unusual to have only 
>> a file name or directory logged, isn't it?
>>
>> All I could find about this is
>>
>> http://www.blacksecurity.org/alpha/news/Bl4ck_Fr1d4y/5.html
>>
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/bl4ck_readme.txt
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/bl4ck_ms06_036.py
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/scapy.pyc
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/scapy.py
>> Jul 21 20:07:10 server MailScanner[5309]:
>>
>> [...]
>>
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_014/
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_014/bl4ck_ms06_014.py
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_014/bl4ck_readme.txt
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/rbl4ck_sendmail/
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/rbl4ck_sendmail/rbl4ck-sendmail.py
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/bl4ck_fr1d4y.txt
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/bl4ck_cyrus-imapd/
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/bl4ck_cyrus-imapd/cyrus-imapd-expl.rb
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/quickclient.c
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/shellcode.c
>> Jul 21 20:07:10 server MailScanner[5309]:
>> bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/sparcpoc.s
>>
>> All I can think of is that the archive found on the website 
>> (see above) transited through this server, but why the logs?
>>
>> I didn't see other weird log entries.
>>
>> Any ideas welcome,
>>
>> Ugo
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website! 
>>


