http://isc.sans.org/diary.html?storyid=2208
"There is a spam making the rounds that is targetting customers of ISPs. The template of the e-mail is attached below and the attackers are using some sort of method to specifically mention the proper ISP name being used by the victim. In short, it's trying to get you to upload scripts to your webserver and run them. So far, the reverse engineering is ongoing, but it is obfuscated PHP or ASP code that will run once you go that page.
...
"

----- Original Message -----
From: "J Porter" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, February 09, 2007 9:49 PM
Subject: [Declude.Virus] php attachments??


I've received some emails today designated as being from places like Verisign and Cox stating I should put an attached php file on our servers. The attachments are not being caught by F-Prot, so they're probably not viruses, but probably would be bad news if I added them to our web servers.

Declude identifies the sender as being ipowerweb.com and they don't fail enough tests to be caught by our system.

Anyone else seen these??

I guess I should block php attachments. Are they being caught by anything?
Anyone investigated these attachments to see what they really do?



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
