Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Bruce Ediger
On Tue, 27 May 2008, Anders B Jansson wrote:

> Limiting the continued propagation of sql-slammer is both a worthy and
> commendable deed.
>
> But I'm afraid that it's totally futile.

How so?  Code Red II and Nimda appear to have disappeared, albeit after many
years.

I suspect that somebody let loose the Crclean anti-worm on Code Red II, but
nobody appears to want to confess to it.  I bet that SQL-Slammer would be
vulnerable to the same sort of anti-worm (i.e. responding only to SQL-slammer
scans, rather than doing scanning on its own).

--NSA--CIA--FBI--NRO--TSA--JENKEM--DHS--BUTTHASH--TIARA--GHCQ--ECHELON--
   As for you government types intercepting this,
   thanks for keeping us safe from our freedoms.
   Warrantless wiretapping is un-American and unpatriotic.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Simon Smith
Indeed, that is the IP address.

That IP address appears to be bound to some sort of a VPN system for 
ford. Perhaps it's infected VPN users?

Michael Holstein wrote:
> 
>> In response to them still being infected with sql slammer and it 
>> probing my networks regularly.
>>   
> Let me guess .. it's 136.1.7.55 ?
> 
> Here's what I get (from ford) every time that IP pops up in our 
> automated abuse report ..
> 
> --snip--
> 
> Our investigation into this matter has determined that the recent onset
> of attacks from this IP is the result of the IP being forged by an
> external party.  External parties will commonly use IP addresses that
> belong to large organizations to mask network traffic.
> 
> --snip--
> 
> Cheers,
> 
> Michael Holstein
> Cleveland State University
> 
> 

-- 

- simon

--
http://www.snosoft.com



Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Ray P

When that stuff first showed up last year I emailed their ARIN contact and got 
a real person. They got back to me within a day and said the same thing. SQL 
Slammer is a single packet UDP attack so their response is 100% plausible.

Ray

> 
> > In response to them still being infected with sql slammer and it probing 
> > my networks regularly.
> >   
> Let me guess .. it's 136.1.7.55 ?
> 
> Here's what I get (from ford) every time that IP pops up in our 
> automated abuse report ..
> 
> --snip--
> 
> Our investigation into this matter has determined that the recent onset
> of attacks from this IP is the result of the IP being forged by an
> external party.  External parties will commonly use IP addresses that
> belong to large organizations to mask network traffic.
> 
> --snip--
> 
> Cheers,
> 
> Michael Holstein
> Cleveland State University
> 
> 

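Ray's point that a single-datagram UDP attack lets the sender put any source address on the packet, together with Michael's automated abuse reports, suggests a triage step before a source gets reported. The following is an added example, not code from anyone in this thread: it assumes iptables-style LOG lines (constructed here), that UDP/1434 is the Slammer port, and that a completed TCP handshake (ssh brute force, as in Anders's logs) corroborates the source address while a lone UDP datagram does not.

```python
import re
from collections import defaultdict

# Constructed iptables-style LOG lines standing in for an abuse-report feed.
# 192.0.2.10 sends single datagrams to UDP/1434 (the port SQL Slammer hits);
# 203.0.113.7 completes TCP handshakes to ssh. Not real traffic.
LOG_LINES = [
    "IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=1434 DPT=1434",
    "IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.6 PROTO=UDP SPT=1434 DPT=1434",
    "IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=1434 DPT=1434",
    "IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51022 DPT=22 SYN",
    "IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51022 DPT=22 ACK",
    "IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51023 DPT=22 SYN",
    "IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51023 DPT=22 ACK",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse(line):
    """Split a KEY=VALUE log line into a dict; TCP flag tokens go under FLAGS."""
    fields = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def triage(lines):
    """Per source IP: count stateless UDP probes and completed TCP handshakes,
    then say how far the claimed source address can be trusted."""
    by_src = defaultdict(lambda: {"udp": 0, "tcp": 0, "dports": set()})
    for f in map(parse, lines):
        rec = by_src[f["SRC"]]
        rec["dports"].add(int(f["DPT"]))
        if f["PROTO"] == "UDP":
            rec["udp"] += 1   # one datagram, no reply needed: the source is only a claim
        elif f["PROTO"] == "TCP" and "ACK" in f["FLAGS"] and "SYN" not in f["FLAGS"]:
            rec["tcp"] += 1   # third handshake step: the sender received our SYN-ACK
    verdicts = {}
    for src, rec in by_src.items():
        if rec["tcp"]:
            v = "corroborated"    # that address really talked to us; worth reporting
        elif rec["udp"]:
            v = "unverifiable"    # single-packet UDP: may be forged, corroborate first
        else:
            v = "insufficient"
        verdicts[src] = (v, rec["udp"], rec["tcp"], sorted(rec["dports"]))
    return verdicts

if __name__ == "__main__":
    print(triage(LOG_LINES))
```

The "unverifiable" verdict is exactly the situation Ford's reply describes: the report can be right about the traffic and still wrong about who sent it.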

Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Michael Holstein

> In response to them still being infected with sql slammer and it probing 
> my networks regularly.
>   
Let me guess .. it's 136.1.7.55 ?

Here's what I get (from ford) every time that IP pops up in our 
automated abuse report ..

--snip--

Our investigation into this matter has determined that the recent onset
of attacks from this IP is the result of the IP being forged by an
external party.  External parties will commonly use IP addresses that
belong to large organizations to mask network traffic.

--snip--

Cheers,

Michael Holstein
Cleveland State University




Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Anders B Jansson
Simon Smith wrote:
> In response to them still being infected with sql slammer and it probing 
> my networks regularly.

Ah, them and a gazillion of others.

I ran a little experiment some time ago.

I had an unused IP address (bog standard dynamic home issue cable feed) and just 
for fun I installed nepenthes (and Nessus) on an old PC and logged how, when 
and with what it was attacked.

After a week I dropped generic portscans from the log because it was too much 
to process.

After a month I dropped sql-slammer from the log because it was also too much to 
process.

After six months I cancelled the entire project because it was too depressing.

Now I only detect, log and drop ssh brute force attempts (avg 3-4 per day, 
mainly from mainland China and some from Korea).

Limiting the continued propagation of sql-slammer is both a worthy and 
commendable deed.

But I'm afraid that it's totally futile.

Even if you _do_ manage to get someone to react and investigate they will just 
tell you that the source is a server managed by some external entity that 
management has forced them to accept on their network (see last week's 
discussion on that subject).
-- 
// hdw



Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Simon Smith
In response to them still being infected with sql slammer and it probing 
my networks regularly.

Nate McFeters wrote:
> Is this in response to a vulnerability to report, or in response to some 
> other form of abuse, like spam?
>  
> -Nate
> 
>  
> On 5/27/08, *Gary Wilson* <[EMAIL PROTECTED]> wrote:
> 
> 
> On Tue, May 27, 2008 16:46, Simon Smith wrote:
>  > Does anyone here have a contact for Ford Motors IT Department,
>  > Specifically for abuse?
>  > --
>  >
> 
> Europe, or US?  And in relation to their online activities or other?
> 
> When I was on my placement year, I did all of Ford Europe's website and I
> was employed by the Marketing company Winderman Cato Johnson - so I guess
> contacting them if it's Europe and to do with their online presence.
> 
> Things may have changed, but a quick google suggests Wunderman are still
> heavily involved with Ford, Europe.
> 
> HTH
> 
> GW
> 
> 
> 


-- 

- simon

--
http://www.snosoft.com



Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Nate McFeters
Is this in response to a vulnerability to report, or in response to some
other form of abuse, like spam?

-Nate


On 5/27/08, Gary Wilson <[EMAIL PROTECTED]> wrote:
>
>
> On Tue, May 27, 2008 16:46, Simon Smith wrote:
> > Does anyone here have a contact for Ford Motors IT Department,
> > Specifically for abuse?
> > --
> >
>
> Europe, or US?  And in relation to their online activities or other?
>
> When I was on my placement year, I did all of Ford Europe's website and I
> was employed by the Marketing company Winderman Cato Johnson - so I guess
> contacting them if it's Europe and to do with their online presence.
>
> Things may have changed, but a quick google suggests Wunderman are still
> heavily involved with Ford, Europe.
>
> HTH
>
> GW
>
>
>

Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Gary Wilson

On Tue, May 27, 2008 16:46, Simon Smith wrote:
> Does anyone here have a contact for Ford Motors IT Department,
> Specifically for abuse?
> --
>

Europe, or US?  And in relation to their online activities or other?

When I was on my placement year, I did all of Ford Europe's website and I
was employed by the Marketing company Winderman Cato Johnson - so I guess
contacting them if it's Europe and to do with their online presence.

Things may have changed, but a quick google suggests Wunderman are still
heavily involved with Ford, Europe.

HTH

GW



-- 
   /   Gary Wilson, aka dragon/dragonlord/dragonv480\
 .'(_.--.  e: [EMAIL PROTECTED] MSN: dragonv480   .--._)`.
<   _   |  Skype:dragonv480 ICQ:342070475 AIM:dragonv480   |   _   >
 `.( `--' w: http://volvo480.northernscum.org.uk   `--' ).'
   \w: http://www.northernscum.org.uk   /




Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Valdis Kletnieks
On Tue, 27 May 2008 12:50:38 EDT, Stack Smasher said:

> "If you see me laughing, you better have backups"

Even funnier if the contractor is the one tasked with doing backups. :)

