JS/Zerolin.gen increase ...?
Results 1 to 5 of 5

Thread: JS/Zerolin.gen increase ...?

  1. #1
    Senior Member
    Join Date
    Mar 2004
    Posts
    171

    Question JS/Zerolin.gen increase ...?

    Hey everyone,

    Has anyone else noticed a huge increase of email with the JS/Zerolin exploit in them? We use GFI Mail Security for AV on our Exchange server, and over the last week or so, the number of messages inbound with Zerolin has increased about 400%.

    JS/Zerolin has been around for a while, so it is getting nailed, but it is starting to really clog up the works. Anyone else seeing this?

    Thanks!
    MrCoffee
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Somepeople are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  2. #2
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    We run a pretty small operation (30 employees or so) and I have also noticed a hugh increase in JS/Zerolin. It went from non existant to doubling every week and a half. Our number of portscans has also increased significantly. Stupid bad traffic.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Yup, we are in the same boat. Less the 50 Users here, and the portscans have also increased, thou I never connected the two together until you mentioned it. Hmmm time to comb thru the log files me thinks

    Thank you for your reply!

    Cheers!
    MrC
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Somepeople are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  4. #4
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Something else you may want to check, who kinows maybe they are related...

    We have been having someone (multiple ips) trying to ssh and guess passwords to accounts like "test", "admin", "nobody" we get about 20 of those every 3 days. I figure it must be a worm. As the ip's are coming from all different places, and it seems like a pretty lowball attack if it was someone actuallly spoofing his ip.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    I will take a look. I found when this started, at least on my network, I was getting a couple hundred "ip spoof" hits in my Firewall log, per day. The IP was one upstream at my ISP, but the MAC was always the same. It suddently stopped about the time school started.... :O

    Cheers!
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Somepeople are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •