Hi,

Well, actually the 218-machine has an open SMTP port, and accepts whatever you can imagine. I already sent a message to "all" there about these findings... And the domain where this IP is, is somewhere in the Far East, at least from what I can tell from the bird-feet chars that come up there...

Jaska.

Tobias Weisserth wrote in his message (sent Tuesday, 13 January 2004 18:52):
Hello Mark,
On Tue, 13.01.2004, Retallack, Mark (Siemens) wrote at 17:27:
As far as I can tell there are 2 IP addresses that we have:
218.234.171.84 - From where the files are downloaded
163.17.51.8 - Where the application connects to when it is run on the compromised machine.
Ah. I didn't notice there are two machines involved here. Is there a way to find out who is running those machines and send along a message to shut down one of them so that this scriptkiddy has to look for another victim?