Nimda virus and whois search...

[Franck Martin]

While I was implementing a perl script to catch nimda virus on Apache (www.digitalcon.ca/nimda/) and send an e-mail to the owner of the IP, I realised it is rather difficult to automatise whois searches.

First of all there are 3 repositories of IP networks: ARIN, APNIC and RIPE. There is no whois repository above them to specify which one is in charge of which range of IP (There is only a text file on the www.iana.org web site). None of these repositories implement the same database structure, so a whois query must be adapted to each repository.

Lastly, most IPs are delegated to ISP who could also implement whois database to specify to which company they have lent their IP addresses.

Basically, it seems there is no heirarchy structure to find the owner of a certain IP Block.

If there was some kind of standard, it would help fighting worms by informing IP owners that some machines have been infected. It would also help all Intrusion detection System to inform system administrator of potential attacks with a detailed report...

The DNS is well implemented the reverse DNS is not so well done as only major hosts have a record, and IP whois database are not that specific...

Just a thought...

Cheers
[EMAIL PROTECTED]

Re: Nimda virus and whois search...

[Pekka Savola]

On 30 Sep 2001, Franck Martin wrote:
> If there was some kind of standard, it would help fighting worms by
> informing IP owners that some machines have been infected. It would also
> help all Intrusion detection System to inform system administrator of
> potential attacks with a detailed report...

There are some more advanced whois clients which have more knowledge on
where to query and how, e.g. http://freshmeat.net/projects/whois/.

That doesn't say, of course, that there wouldn't be any benefits from
"standardization"...

On the IDS front, I would not like to make the reporting too easy.  I'm
completely fed up with "Top Notch IDS Products" returning "alarms" on e.g.
the following:

 - users running traceroute, on incomoing icmp time exceeded messages
triggering an icmp flood "detection"
 - using a public ftp server, thus generating an ident query
 - using an smtp server, -""-
 - etc.

Most of times, these reports are sent by people who have no idea what is
going on at all.  Spamming operators with these kind of alarms shouldn't
be encouraged.

(b.t.w: is there a web page somewhere which lists and gives
reasons/pointers to usual "false alarms" like listed above?  It might be
useful as a pointer).

-- 
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

Re: this was passed on in the IETF email

[Henning G. Schulzrinne]

See
  
See http://home.rica.net/alphae/419coal/,
http://home.pacbell.net/jpaladin or
http://travel.state.gov/tips_nigeria.html

for relevant background.
-- 
Henning Schulzrinne   http://www.cs.columbia.edu/~hgs

W3C Fee based Patent Policy - RAND

[Shirley Tseng]

Hi,

Was this discussed by the IETF or via the IETF/W3C liaison committee?  I
didn't see it in the archive.  The review period ends today!

A summary at http://www.openphd.net/W3C_Patent_Policy/
W3C Patent Policy
W3C and the Promotion of Fee-based Standards for the Web

last call review period closes on 30 September 2001

Comment archives are at
http://lists.w3.org/Archives/Public/www-patentpolicy-comment/

The Working Draft (http://www.w3.org/TR/patent-policy/) (reproduced in the
Patent Policy Frequently Asked Questions,
http://www.w3.org/2001/08/16-PP-FAQ) also states that RAND allows for
licensing audits (RAND "may include reasonable, customary terms relating to
operation or maintenance of the license relationship such as the following:
audit (when relevant to fees), choice of law, and dispute resolution.")


Shirley Tseng
Infinite Global Infrastructures
www.igillc.com
[EMAIL PROTECTED]

RE: this was passed on in the IETF email

[Pradeep Kumar]

I received the *same email* some 6 months back. This is not a scam, but a
POOR JOKE now:-).
Can you as the list owner block the sender.

Thanks
-Pradeep


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, September 29, 2001 10:39 PM
To: Linda A. Brown
Cc: IETF
Subject: Re: this was passed on in the IETF email


On Sat, 29 Sep 2001 23:56:37 EDT, "Linda A. Brown" <[EMAIL PROTECTED]>
said:
> I am forwarding this back to the list to be checked out...

Umm... the guy asks *ON A PUBLIC MAILING LIST* for help laundering $152M
and you *need* to check it out?  Either (a) it's a scam (probably) to get
your account number so they can clear it out, or (b) they're so incompetent
that you don't want to be involved with them.

/Valdis

Gain with no pain

[Perfumes2u.com]

Hello

I've just seen your site and wondered if you would be interested in joining
our affiliate scheme, placing one of our banners on your site and
earning 10% on all sales as a result of click thru's coming from your site.
If your site receives a large number of hits, contact us directly to receive
a higher commission rate.
Visitors will have to leave your site at some time so why not have the
opportunity of earning income when they do.
Perhaps you could put it on your order confirmation page and earn extra
revenue after customers have placed an order.

At the moment our average sale is in excess of £32.00 so you could expect to 

earn approx in excess of £3.20 per sale.

All the commissions are handled and paid out through our partner YourCheque
who is totally independent.

You can sign up on our site ( www.perfumes2u.com ) or directly at:-

http://www.yourcheque.com/yc-perfumes2u.htm

--
Best regards,

John Ledgermailto:[EMAIL PROTECTED]

www.perfumes2u.com

P.S. You have nothing to lose - you could even use it as a way of saving 10%
on all your own or your staff purchases.

RE: W3C Fee based Patent Policy - RAND

[Franck Martin]

This is outrageous as it will stop the development of opensource software.

If the W3C needs money, then they should look from their sponsors. I hope
this won't affect IETF, and that Internet Standard won't become closed, open
only to the RICH countries and RICH people (talk about digital divide!). If
W3C goes in this move, then I suggest that IETF bring back the HTML
standards back into the IETF.

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]  
Web site: http://www.sopac.org/
 Support FMaps: http://fmaps.sourceforge.net/
 

This e-mail is intended for its addresses only. Do not forward this e-mail
without approval. The views expressed in this e-mail may not be necessarily
the views of SOPAC.



-Original Message-
From: Shirley Tseng [mailto:[EMAIL PROTECTED]]
Sent: Monday, 1 October 2001 5:37 
To: [EMAIL PROTECTED]
Subject: W3C Fee based Patent Policy - RAND


Hi,

Was this discussed by the IETF or via the IETF/W3C liaison committee?  I
didn't see it in the archive.  The review period ends today!

A summary at http://www.openphd.net/W3C_Patent_Policy/
W3C Patent Policy
W3C and the Promotion of Fee-based Standards for the Web

last call review period closes on 30 September 2001

Comment archives are at
http://lists.w3.org/Archives/Public/www-patentpolicy-comment/

The Working Draft (http://www.w3.org/TR/patent-policy/) (reproduced in the
Patent Policy Frequently Asked Questions,
http://www.w3.org/2001/08/16-PP-FAQ) also states that RAND allows for
licensing audits (RAND "may include reasonable, customary terms relating to
operation or maintenance of the license relationship such as the following:
audit (when relevant to fees), choice of law, and dispute resolution.")


Shirley Tseng
Infinite Global Infrastructures
www.igillc.com
[EMAIL PROTECTED]

RE: Nimda virus and whois search...

[Franck Martin]

I'm not considering it, unless it is REALLY justified. In my case I have a
small bandwidth that I pay a lot (64kbps USD4500/month). People not patching
their servers cost me a lot of money.

In other hand, I think IDS software should report not only the problem, but
also information to the human on how to tackle the problem. When you see a
problem with an IP reported by IDS, then you have to investigate yourself
(host, network,...). If it was done automatically for you then you would
have information to take a decision: who to e-mail, what to e-mail, should I
e-mail or call the FBI or do nothing,...

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]  
Web site: http://www.sopac.org/
 Support FMaps: http://fmaps.sourceforge.net/
 

This e-mail is intended for its addresses only. Do not forward this e-mail
without approval. The views expressed in this e-mail may not be necessarily
the views of SOPAC.



-Original Message-
From: stanislav shalunov [mailto:[EMAIL PROTECTED]]
Sent: Monday, 1 October 2001 3:55 
To: Franck Martin
Subject: Re: Nimda virus and whois search...


Please seriously consider not sending automated email in this way.
You're not making matters better by creating a storm of email messages
in addition to an already existing storm of HTTP queries.  Your
response might be worse than the original problem.

-- 
Stanislav Shalunov  http://www.internet2.edu/~shalunov/

"You wake me up early in the morning to tell me I am right?  Please
wait until I am wrong." -- John von Neumann, on being phoned at 10 a.m.

"Wo Ka Ming!"

[Helmut Guckenberger]

Note: forwarded message attached.


__
Do You Yahoo!?
Listen to your Yahoo! Mail messages from any phone.
http://phone.yahoo.com
--- Begin Message ---

John, just got this off of PBS's "America's Defence
Monitor," apparently we are in for hostilities soon.

Hope all is well with you; remember to keep writing!

__
Do You Yahoo!?
Listen to your Yahoo! Mail messages from any phone.
http://phone.yahoo.com

--- End Message ---

Re: Nimda virus and whois search...

[Valdis . Kletnieks]

On Sun, 30 Sep 2001 13:35:14 +0300, Pekka Savola said:
>  - users running traceroute, on incomoing icmp time exceeded messages
> triggering an icmp flood "detection"
>  - using a public ftp server, thus generating an ident query
>  - using an smtp server, -""-
>  - etc.

My personal pet peeve - getting complaints that one of my machines is scanning
some user's machine with source port 123.  Odd that the machine in question
was the target of the CNAME 'ntp-2.vt.edu' ;)

/Valdis

Re: Nimda virus and whois search...

[Bob Braden]

  *> 
  *> While I was implementing a perl script to catch nimda virus on Apache
  *> (www.digitalcon.ca/nimda/) and send an e-mail to the owner of the IP, I

It will come as a great surprise to many people to learn that someone
owns IP.  At one point, some eager beavers in the US government thought
they owned it, since they paid for its development.  But cooler heads
prevailed..

Bob Braden

RE: Nimda virus and whois search...

[Franck Martin]

I know that nobody Owns an IP, it is like Owning water and oxygen. Althought
we have water taxes but not yet oxygen taxes. It will come soon at the rate
the World pollutes (nobody talk about the Toxic Texan anymore)

Seriously, what is the appropriate term: owner, rentee, leaser ?

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]  
Web site: http://www.sopac.org/
 Support FMaps: http://fmaps.sourceforge.net/
 

This e-mail is intended for its addresses only. Do not forward this e-mail
without approval. The views expressed in this e-mail may not be necessarily
the views of SOPAC.



-Original Message-
From: Bob Braden [mailto:[EMAIL PROTECTED]]
Sent: Monday, 1 October 2001 3:33 
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Nimda virus and whois search...



  *> 
  *> While I was implementing a perl script to catch nimda virus on Apache
  *> (www.digitalcon.ca/nimda/) and send an e-mail to the owner of the IP, I

It will come as a great surprise to many people to learn that someone
owns IP.  At one point, some eager beavers in the US government thought
they owned it, since they paid for its development.  But cooler heads
prevailed..

Bob Braden

RE: Nimda virus and whois search...

[Joel Jaeggli]

On Mon, 1 Oct 2001, Franck Martin wrote:

> I know that nobody Owns an IP, it is like Owning water and oxygen. Althought
> we have water taxes but not yet oxygen taxes. It will come soon at the rate
> the World pollutes (nobody talk about the Toxic Texan anymore)
>
> Seriously, what is the appropriate term: owner, rentee, leaser ?

steward

Main Entry: stew·ard·ship
Pronunciation:  'stü-&rd-"ship, 'styü-; 'st(y)u(-&)rd-
Function:   noun
Date:   15th century
1 : the office, duties, and obligations of a steward
2 : the conducting, supervising, or managing of something; especially :
the careful and responsible management of something entrusted to one's
care  

> Franck Martin
> Network and Database Development Officer
> SOPAC South Pacific Applied Geoscience Commission
> Fiji
> E-mail: [EMAIL PROTECTED] 
> Web site: http://www.sopac.org/
>  Support FMaps: http://fmaps.sourceforge.net/
> 
>
> This e-mail is intended for its addresses only. Do not forward this e-mail
> without approval. The views expressed in this e-mail may not be necessarily
> the views of SOPAC.
>
>
>
> -Original Message-
> From: Bob Braden [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 1 October 2001 3:33
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Nimda virus and whois search...
>
>
>
>   *>
>   *> While I was implementing a perl script to catch nimda virus on Apache
>   *> (www.digitalcon.ca/nimda/) and send an e-mail to the owner of the IP, I
>
> It will come as a great surprise to many people to learn that someone
> owns IP.  At one point, some eager beavers in the US government thought
> they owned it, since they paid for its development.  But cooler heads
> prevailed..
>
> Bob Braden
>

-- 
--
Joel Jaeggli   [EMAIL PROTECTED]
Academic User Services   [EMAIL PROTECTED]
 PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E
--
It is clear that the arm of criticism cannot replace the criticism of
arms.  Karl Marx -- Introduction to the critique of Hegel's Philosophy of
the right, 1843.

RE: URGENT AND CONFIDENTIAL

[Emmanuel Leigh]

I hope no-one is foolish enough to send their details to this gentleman
cause it will only lead to grief .

-Original Message-
From:   Micheal Igwe [SMTP:[EMAIL PROTECTED]]
Sent:   30 September 2001 1:16 AM
To: [EMAIL PROTECTED]
Subject:URGENT  AND CONFIDENTIAL

3/5   RIDER HAGGARD
CLOSE, JO, BORG
SOUTH AFRICA.

Email [EMAIL PROTECTED]

 (URGENT  AND CONFIDENTIAL)

   (RE:  TRANSFER OF ($ 152,000.000.00 USD  
ONE HUNDRED AND FIFTY TWO MILLION DOLLARS   

Dear sir,

We want to transfer to overseas ($ 152,000.000.00 USD)
One hundred and
Fifty two million United States Dollars) from a Prime
Bank in Africa, I want to ask you to  quietly  look
for a reliable and honest person who will be
capable  and fit to provide either an existing bank
account  or  to set up a new  Bank a/c  immediately to
receive this money, even an empty a/c can serve to 
receive this money, as long as you will remain honest
to me till the end for this important business
trusting in  you and believing  in God that you  will
never let me down either now or in future.

I am Micheal Igwe,the Auditor General of prime banks
in
Africa, during the course of our auditing  I
discovered a floating fund  in an account opened in
the bank in 1990 and since 1993 nobody has operated 
on this account again, after going through some old 
files in the records I discovered that the owner of
the account  died without a [heir]  hence  the money
is floating and  if I do not
remit this money out urgently it will be forfeited for
nothing. the owner of this account is  Mr.  Allan P.
Seaman, a foreigner, and an industrialist, and  he
died,  since 1993. and  no
other person knows about this account or any thing
concerning it, the account has no other beneficiary
and my investigation proved to me as well that Allan
P. Seaman   until his death was the manager  Diamond
Safari  [pty]. SA.  
 
We will start the  first transfer with fifty two
million [$52,000.000] upon successful transaction
without any disappoint from your side, we shall
re-apply for the payment of the remaining  rest amount
to your account, 
The amount involved is (USD 152M) One hundred and
Fifty two million United States Dollars, only I want
to first transfer $52,000.000 [fifty two million
United States Dollar from this money into a
safe foreigners account abroad before the rest, but I
don't know any foreigner, I am only contacting you as
a foreigner because this money can not be approved to
a local person here, without valid international
foreign passport, but can only be approved to any
foreigner with valid international passport or drivers
license and foreign a/c  because the money is in us
dollars and
the former owner of the  a/c  Mr. Allan P. Seaman is 
a foreigner too, [and the money can only be approved
into a foreign a/c 

However, we will sign a binding agreement,  to bind us
together   I got your contact address  from the Girl
who operates computer,  I am revealing this to you
with believe in God that you will never let me down in
this business,  you are the first and the only person
that I am contacting for this business, so please
reply urgently so that I will inform you the next step
to take
urgently. Send also your private telephone and fax
number including the full details of the account to be
used for the deposit.

I want us to meet face to face to build confidence and
to sign a binding
agreement that will  bind us together  before
transferring the money to any account of  your choice
where the fund will be safe. Before we fly to your
country for withdrawal, sharing and  investments.

I need your full co-operation to make
this work fine. because the management is ready to
approve this payment to any foreigner who has correct
information of this account, which I will give to you,
upon your positive response and once I am convinced
that you  are  capable  and will meet up with
instruction of  a key bank official who is deeply
involved with me in this business.
I need your strong assurance that you will never, 
never let me down.

With my influence and the position of the bank
official we can transfer this
money to any foreigner's reliable account which