LinuxQuestions.org > Forums > Linux - Security
Old 01-29-2004, 03:11 PM   #1
graffitici
Member
 
Registered: Jun 2003
Location: Istanbul - Turkey
Distribution: Fedora, Gentoo
Posts: 150

Rep: Reputation: 15
security breach: send mail to unknown address?


Hi!

A recent event scared me to death. I do not know whether this is a serious issue, or a well done hoax (in that case, it certainly works). I have received a mail from my default mail server a few hours ago that said a mail I sent to some address in yahoo couldn't be delivered. I didn't attach any importance to it. But I received a second one just a few minutes ago. I append the mail to the end of my post (I have replaced my e-mail with my@mail.com).

What do you suppose this is? mailer-daemon@yahoo.com seems to be a legitimate e-mail. I am sure that I haven't sent anything to this claudia@yahoo.com. Could this be a kind of linux virus that sends some files somehow? Because apparently I sent a file called:
file.pif
I do not know what this is, nor what it is used for. It has probably been renamed anyway. Another thing that concerns me is that claudia@yahoo.com is over the limit, which may happen if this guy receives a lot of files like this one from, perhaps, other infected people?
All in all, this can as well be a minor error, but I am really curious as to how such a thing can be happening, although I am using linux.
I would appreciate any help and advice.
Thanks!
Bibby


failure delivery
Date: Today 04:41:25
From: MAILER-DAEMON@yahoo.com
To: my@mail.com

Message from yahoo.com.
Unable to deliver message to the following address(es).

<claudia@yahoo.com>:
size saved = 8912
Sorry, your message to claudia@yahoo.com cannot be delivered. This account is over quota.

--- Original message follows.

Return-Path: <me@mail.com>

The original message is over 5k. Message truncated to 1K.

X-Rocket-Spam: 81.215.109.54
X-YahooFilteredBulk: 81.215.109.54
X-Rocket-Track: 1323744: 20 ; SERVER=66.163.174.38
Return-Path: <my@mail.com>
X-RocketNR: 1
X-RocketRT: 1075321251-mta132.mail.sc5.yahoo.com
Received: from 81.215.109.54 (EHLO superonline.com) (81.215.109.54)
  by mta132.mail.sc5.yahoo.com with SMTP; Wed, 28 Jan 2004 12:20:51 -0800
From: my@mail.com
To: claudia@yahoo.com
Subject: Server Report
Date: Wed, 28 Jan 2004 22:19:21 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0008_45F14F9E.CA31F981"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_0008_45F14F9E.CA31F981
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit




------=_NextPart_000_0008_45F14F9E.CA31F981
Content-Type: application/octet-stream;
        name="file.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="file.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA
*** MESSAGE TRUNCATED ***
 
Old 01-29-2004, 03:20 PM   #2
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 66
That is a MyDoom virus message.
 
Old 01-29-2004, 03:26 PM   #3
graffitici
Member
 
Registered: Jun 2003
Location: Istanbul - Turkey
Distribution: Fedora, Gentoo
Posts: 150

Original Poster
Rep: Reputation: 15
I checked the security response at Symantec. Apparently this doesn't affect linux. The stupid winxp should have gotten it somehow then. I have to run the removal tool as soon as possible.
I shouldn't have any concerns under linux then?

Last edited by graffitici; 01-29-2004 at 03:29 PM.
 
Old 01-29-2004, 03:30 PM   #4
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 66
It is yet another Outlook virus. I have been getting the bounces all week on my mail server, but I can see in the IP stamp they aren't actually originating from my machine; they are double bounces. I.e., my mail server tried to bounce them and the bounce bounced, so I get notified.

It can't affect linux boxes. The key factor is the claudia@whatever address: the virus tries to send mail to common names at whatever domains it can find.
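The two checks made by hand in this thread (reading the IP stamp in the Received header to see whether the bounced mail really left your own host, and recognising the attachment as a Windows executable) can be automated. The script below is an added example for this thread, not code posted by any participant. It reuses the bounced "original message" quoted in the first post as a constructed sample, with the attachment body shortened to its first bytes: the base64 text "TVqQAAMAAAAEAAAA" decodes to "MZ\x90\x00..." which is the DOS/PE executable header, so file.pif is a program regardless of its name. The set of outbound MTA addresses (OWN_MTA_IPS) is an assumption using a documentation IP range; replace it with the addresses your own server relays from.

```python
import email
import re
from email.message import Message

# Constructed sample: the undelivered "original message" quoted in the thread,
# with the poster's placeholder addresses kept and the attachment body shortened
# to its first 48 bytes (the bounce itself was truncated after about 1K).
SAMPLE_ORIGINAL = """\
Received: from 81.215.109.54 (EHLO superonline.com) (81.215.109.54)
  by mta132.mail.sc5.yahoo.com with SMTP; Wed, 28 Jan 2004 12:20:51 -0800
From: my@mail.com
To: claudia@yahoo.com
Subject: Server Report
Date: Wed, 28 Jan 2004 22:19:21 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0008_45F14F9E.CA31F981"

This is a multi-part message in MIME format.

------=_NextPart_000_0008_45F14F9E.CA31F981
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit


------=_NextPart_000_0008_45F14F9E.CA31F981
Content-Type: application/octet-stream;
        name="file.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="file.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
------=_NextPart_000_0008_45F14F9E.CA31F981--
"""

# Assumption for this example: the addresses your own MTA actually relays from.
# 203.0.113.0/24 is a documentation range; substitute your real outbound IPs.
OWN_MTA_IPS = {"203.0.113.10"}

# Windows extensions that run as programs when opened; .pif is one of them.
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def originating_ip(msg: Message):
    """Return the client IP recorded in the earliest Received header.

    Each MTA prepends its own Received line, so the last one in the message
    is the first hop: the host that actually handed the message in.
    """
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    first_hop = re.sub(r"\s+", " ", str(hops[-1]))
    # Only the "from ..." clause describes the sending client; drop "by ..." onward.
    from_clause = first_hop.split(" by ", 1)[0]
    match = IPV4.search(from_clause)
    return match.group(1) if match else None


def suspicious_attachments(msg: Message):
    """List (filename, reason) for attachments that are executables in disguise."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        reasons = []
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension {ext}")
        if data[:2] == b"MZ":
            reasons.append("DOS/PE executable header (MZ)")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


def triage(raw_message: str, own_mta_ips=OWN_MTA_IPS):
    """Decide whether a bounced message really left our host and what it carried."""
    msg = email.message_from_string(raw_message)
    ip = originating_ip(msg)
    return {
        "originating_ip": ip,
        "sent_from_own_mta": ip in own_mta_ips,
        "from_header": msg.get("From"),
        "attachments": suspicious_attachments(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ORIGINAL).items():
        print(f"{key}: {value}")
```

Run against the sample, the originating IP is 81.215.109.54, which is not one of the assumed MTA addresses, so the message was injected from elsewhere with a forged From header, exactly the double-bounce pattern described above; and file.pif is flagged both by extension and by its MZ header. The same two checks applied to a real bounce tell a Linux mail admin whether to look at their own host at all or simply at the Windows machines whose address books contained their address.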
 
Old 01-29-2004, 06:27 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Modern e-mail worms randomly choose their "from" address as an addressbook entry from their victim. They're all spoofed.