[tanya-jawab] What is this attack called? - pls help
Hi all,

Today I received a huge number of emails (about 10,000), counting from Friday night (30 June 2006) until this morning (3 July 2006). The content of the emails is like what I have attached below. Does anyone know what kind of attack this is?
Yesterday I already followed Mas Rony's advice to block it on the ssh side, and then Mas Fajar's with the Denyhosts utility.
Is this a virus attack?
That is all, and thank you for your suggestions.

-dodo-

Note:
- The user generated by these emails keeps changing, and does not exist in the maildir user list.

---

Hi. This is the qmail-send program at ..co.id.
I tried to deliver a bounce message to this address, but the bounce bounced!

[EMAIL PROTECTED]:
user does not exist, but will deliver to /home/vpopmail/domains/.co.id/erna-i/Maildir/
can not open new email file errno=2
file=/home/vpopmail/domains/.co.id/erna-i/Maildir/tmp/1151659930.3123...co.id,S=9202
system error

--- Below this line is the original bounce.

Return-Path:
Received: (qmail 3120 invoked for bounce); 30 Jun 2006 16:32:10 +0700
Date: 30 Jun 2006 16:32:10 +0700
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: failure notice

Hi. This is the qmail-send program at ..co.id.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

[EMAIL PROTECTED]:
user does not exist, but will deliver to /home/vpopmail/domains/.co.id/erna-i/Maildir/
can not open new email file errno=2
file=/home/vpopmail/domains/.co.id/erna-i/Maildir/tmp/1151659930.3119...co.id,S=8474
system error

--- Below this line is a copy of the message.

Return-Path: [EMAIL PROTECTED]
Received: (qmail 3117 invoked from network); 30 Jun 2006 16:32:10 +0700
Received: from unknown (HELO mercury1) (10.62.220.11)
  by ..co.id with SMTP; 30 Jun 2006 16:32:10 +0700
Return-path: [EMAIL PROTECTED]
Received: from [16.113.144.21] (port=1896 helo=16.113.144.21)
  by .co.id with esmtp
  id ZHFBoI-osP687-61
  for [EMAIL PROTECTED]; Fri, 30 Jun 2006 04:18:46 +0100
Content-class: urn:content-classes:message
Subject: NEvEr bEttEr cant bE fOund.
MIME-Version: 1.0
Content-Type: multipart/related;
  boundary=_=_NextPart_001_01C69139.68151542;
Date: Fri, 30 Jun 2006 04:18:46 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Message-ID: [EMAIL PROTECTED]
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: NEvEr bEttEr cant bE fOund.
Thread-Index: eL3wCbEEsTeBvWREGUVaePrfkniI8U==
From: Tamika [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Return-Path: [EMAIL PROTECTED]
X-MDaemon-Deliver-To: [EMAIL PROTECTED]
X-MDAV-Processed: .co.id, Fri, 30 Jun 2006 04:18:46 +0100
X-Spam: Not detected

--_=_NextPart_001_01C69139.68151542
Content-Type: multipart/alternative;
  boundary=_=_NextPart_002_01C69139.68151542

--_=_NextPart_002_01C69139.68151542
Content-Type: text/plain;
  charset=us-ascii
Content-Transfer-Encoding: quoted-printable

http://gjghts.sevenlegend.com/?35042652=20

--_=_NextPart_002_01C69139.68151542
Content-Type: text/html;
  charset=us-ascii
Content-Transfer-Encoding: quoted-printable

html xmlns:v=3Durn:schemas-microsoft-com:vml =
xmlns:o=3Durn:schemas-microsoft-com:office:office =
xmlns:w=3Durn:schemas-microsoft-com:office:word =
xmlns=3Dhttp://www.w3.org/TR/REC-html40;

head
META HTTP-EQUIV=3DContent-Type CONTENT=3Dtext/html; =
charset=3Dus-ascii meta name=3DGenerator content=3DMicrosoft Word
11 (filtered medium) !--[if !mso] style
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
/style ![endif]-- style !--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0cm; margin-bottom:.0001pt; font-size:12.0pt; font-family:Times New Roman;}
a:link, span.MsoHyperlink {color:blue; text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed {color:purple; text-decoration:underline;}
span.EmailStyle17 {mso-style-type:personal-compose;

Re: [tanya-jawab] What is this attack called? - pls help
I have experienced something like that.

1. Try checking each client PC (trojans, viruses).
2. For now, block port 25 specifically for the computers that have been detected sending those emails.
3. Pay attention to your mail log; check it from time to time.

Hope this helps.

- Original Message -
From: dodo [EMAIL PROTECTED]
To: tanya-jawab@linux.or.id
Sent: Monday, July 03, 2006 11:49 AM
Subject: [tanya-jawab] What is this attack called? - pls help

| Hi all,
|
| Today I received a huge number of emails (about 10,000), counting
| from Friday night (30 June 2006) until this morning (3 July 2006).
| The content of the emails is like what I have attached below. Does anyone
| know what kind of attack this is?
| Yesterday I already followed Mas Rony's advice to block it on the ssh side,
| and then Mas Fajar's with the Denyhosts utility.
| Is this a virus attack?
| That is all, and thank you for your suggestions.
|
| -dodo-
|
| Note:
| - The user generated by these emails keeps changing, and does not
| exist in the maildir user list.
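
The reply's advice to find which computer is sending and to keep watching the mail log can be applied to the bounces themselves, because each double bounce still carries the Received line qmail wrote when it accepted the message. The following is an added example, not part of any post in this thread: it unwraps bounces shaped like the one quoted above and counts them per handing host; the host name mail.example.co.id, the sender address and the second client (pc-07, 10.62.220.27) are constructed sample values.

```python
import re
from collections import Counter
from email import message_from_string

# Marker lines qmail-send puts before each nested message in a bounce.
MARKERS = ("--- Below this line is the original bounce.",
           "--- Below this line is a copy of the message.")
# Received line written on SMTP acceptance: from <name> (HELO <helo>) (<ip>)
QMAIL_RECEIVED = re.compile(
    r"from\s+\S+\s+\(HELO\s+([^)]+)\)\s+\((?:[^@)\s]+@)?(\d{1,3}(?:\.\d{1,3}){3})\)")

def innermost_message(bounce_text):
    """Strip the bounce and double-bounce wrappers, leaving the original message."""
    text = bounce_text
    for marker in MARKERS:
        _, found, tail = text.partition(marker)
        if found:
            text = tail.lstrip("\r\n")
    return text

def handing_host(bounce_text):
    """Return (ip, helo) of the client that handed the message to qmail, or None."""
    msg = message_from_string(innermost_message(bounce_text))
    for received in msg.get_all("Received", []):
        match = QMAIL_RECEIVED.search(received)
        if match:
            return match.group(2), match.group(1)
    return None

def tally(bounces):
    """Count bounces per handing host, busiest first."""
    return Counter(h for h in map(handing_host, bounces) if h).most_common()

def make_bounce(helo, ip):
    """Constructed sample shaped like the double bounce quoted in the thread."""
    return ("Hi. This is the qmail-send program at mail.example.co.id.\n"
            "I tried to deliver a bounce message to this address, but the bounce bounced!\n\n"
            "--- Below this line is the original bounce.\n\n"
            "Return-Path: <>\nSubject: failure notice\n\n"
            "--- Below this line is a copy of the message.\n\n"
            "Return-Path: <sender@example.net>\n"
            "Received: (qmail 3117 invoked from network); 30 Jun 2006 16:32:10 +0700\n"
            f"Received: from unknown (HELO {helo}) ({ip})\n"
            "  by mail.example.co.id with SMTP; 30 Jun 2006 16:32:10 +0700\n\n"
            "constructed body\n")

if __name__ == "__main__":
    for (ip, helo), n in tally([make_bounce("mercury1", "10.62.220.11")] * 3):
        print(n, ip, helo)
```

A host that dominates the tally is the one to inspect first and, if needed, to block on port 25 as the reply suggests.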