bl4ck_fr1d4y

Julian Field MailScanner at ecs.soton.ac.uk
Mon Jul 24 16:48:54 IST 2006


On 24 Jul 2006, at 13:19, Ugo Bellavance wrote:

> Mike Kercher wrote:
>> I downloaded the tarball and the contents match what's in your logs.
>> Perhaps someone emailed the tarball to one of your users.
>
> Yeah, I did extract it as well...  But does MailScanner does normally
> every file when it extracts a tarball?

Yes, it opens up tar, zip and rar files to do filename/filetype  
checking on the contents.


>
>>
>> Mike
>>
>>
>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info
>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf
>>> Of Ugo Bellavance
>>> Sent: Sunday, July 23, 2006 9:15 PM
>>> To: mailscanner at lists.mailscanner.info
>>> Subject: bl4ck_fr1d4y
>>>
>>> Hi,
>>>
>>> 	I got those weird logs on one of my servers.  Why is
>>> MailScanner logging this?  It is rather unusual to have only
>>> a file name or directory logged, isn't it?
>>>
>>> All I could find about this is
>>>
>>> http://www.blacksecurity.org/alpha/news/Bl4ck_Fr1d4y/5.html
>>>
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/ Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/bl4ck_readme.txt
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/bl4ck_ms06_036.py
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/scapy.pyc
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_036/scapy.py
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>>
>>> [...]
>>>
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_014/
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_014/bl4ck_ms06_014.py
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/bl4ck_ms06_014/bl4ck_readme.txt
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/rbl4ck_sendmail/
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/rbl4ck_sendmail/rbl4ck-sendmail.py
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/bl4ck_fr1d4y.txt
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/bl4ck_cyrus-imapd/
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/bl4ck_cyrus-imapd/cyrus-imapd-expl.rb
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/quickclient.c
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/shellcode.c
>>> Jul 21 20:07:10 server MailScanner[5309]:
>>> bl4ck_fr1d4y_2006-07-21/black_RXenc-con-back-SOLARIS/sparcpoc.s
>>>
>>> All I can think of is that the archive found an the website
>>> (see above) transited through this server, but why the logs?
>>>
>>> I didn't see other weird log entries.
>>>
>>> Any ideas welcome,
>>>
>>> Ugo
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

-- 
Julian Field
MailScanner at ecs.soton.ac.uk



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.



More information about the MailScanner mailing list