Re: Speaking of viruses...

2005-02-10 Thread Adam Maloney
Sorry - my mailer did something stupid.  Here's what was sent, and more 
comments at the bottom:

To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Attn: Bob - Dust.exe
CC'd to [EMAIL PROTECTED] - UCLA, your option "2" for your abuse desk rings to an
invalid number.
On Monday morning a bunch of our Win2k PC's got infected with a virus. We are
seeing the infected machines attempting to make FTP connections to various IP's
- the ones I've seen so far are in UCLA and MIT address space.  The client
connects to the FTP server (all have been Serv-U running under Windows), logs
in with username "1", password "1", and retrieves Dust.exe.
Some of the IP's I've seen connections to:
18.242.5.42 (MIT)
18.241.5.89 (MIT)
169.232.117.223 (UCLA)
The Dust.exe process attempts to install infected files named Jah.exe and
Gamma.exe.  Jah is detected by Trend as WORM_RBOT.alo; Gamma is detected as
"possible virus".
Starting this morning Trend started detecting Dust as TROJ_SCNDTHOT.ab.
When the machine tried to download it from MIT, Trend caught it as above. When
it tried to UCLA, Trend did not catch it, and the download succeeded.
When this hit on Monday, we saw infected PC's trying to infect other
machines over tcp/445.  They were trying random IP's in the address space
that the infected computer was configured in.  We did not see any FTP
connections Monday morning like these, however we weren't really looking
for them.
-- END --
After this was sent, I've found some more details.  The Dust.exe file is
also being served by IP's at ThePlanet and ncsd.edu.  The file from UCLA
is about 5K bigger than the files served by the other sites.  This
explains why Trend was catching it when served by MIT but not by UCLA.
After some more investigation, it looks like an infected machine uses a
tcp/445 vulnerability to infect others.  Once the others are hit on 445,
they are instructed to download the payload from these FTP sites.
I've made copies of the files available to CERT.  I'm waiting on Trend to
react to our support request from this morning.


Speaking of viruses...

2005-02-10 Thread Adam Maloney
I sent this to CERT this morning.  They apparently were unaware of it, and 
as far as I can tell there's nothing on any of the A/V sites about it.  As 
of 14:00 CST, these sites are still serving up the virus executable.  I 
haven't heard anything back from CERT or UCLA.  Am I the only one seeing 
this?!

From [EMAIL PROTECTED] Thu Feb 10 10:24:16 2005
Date: Thu, 10 Feb 2005 10:24:15 -0600 (CST)
From: Adam Maloney <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Attn: Bob - Dust.exe
CC'd to [EMAIL PROTECTED] - UCLA, your option "2" for your abuse desk rings to an 
invalid number.

On Monday morning a bunch of our Win2k PC's got infected with a virus. We are 
seeing the infected machines attempting to make FTP connections to various IP's 
- the ones I've seen so far are in UCLA and MIT address space.  The client 
connects to the FTP server (all have been Serv-U running under Windows), logs 
in with username "1", password "1", and retrieves Dust.exe.

Some of the IP's I've seen connections to:
18.242.5.42 (MIT)
18.241.5.89 (MIT)
169.232.117.223 (UCLA)
The Dust.exe process attempts to install infected files named Jah.exe and 
Gamma.exe.  Jah is detected by Trend as WORM_RBOT.alo; Gamma is detected as 
"possible virus".

Starting this morning Trend started detecting Dust as TROJ_SCNDTHOT.ab.
When the machine tried to download it from MIT, Trend caught it as above. When 
it tried to UCLA, Trend did not catch it, and the download succeeded.

When this hit on Monday, we saw infected PC's trying to infect other 
machines over tcp/445.  They were trying random IP's in the address space 
that the infected computer was configured in.  We did not see any FTP 
connections Monday morning like these, however we weren't really looking 
for them.

-- END --
After this was sent, I've found some more details.  The Dust.exe file is 
also being served by IP's at ThePlanet and ncsd.edu.  The file from UCLA 
is about 5K bigger than the files served by the other sites.  This 
explains why Trend was catching it when served by MIT but not by UCLA.

After some more investigation, it looks like an infected machine uses a 
tcp/445 vulnerability to infect others.  Once the others are hit on 445, 
they are instructed to download the payload from these FTP sites.

I've made copies of the files available to CERT.  I'm waiting on Trend to 
react to our support request from this morning.
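The two posts above describe the same two observable behaviours: an infected host sweeping tcp/445 across its own address space, and the same host then connecting by FTP to one of the listed servers to fetch Dust.exe. As an added example (not code from the thread or from any of the parties named in it), the Python script below runs that logic over constructed firewall/netflow-style records. The record format ("timestamp src dst proto dport"), the internal range 10.20.0.0/16 and the 20-target threshold are assumptions chosen for illustration; the three FTP server addresses are the ones the post lists.

```python
# Added example: detect the two behaviours described in the thread from
# connection records. Not code from the original posts; the log format, the
# internal range and the threshold are assumptions for illustration.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Serving hosts named in the post. Everything else in this file is constructed.
KNOWN_FTP_SERVERS = {"18.242.5.42", "18.241.5.89", "169.232.117.223"}
INTERNAL_NET = ip_network("10.20.0.0/16")  # assumption: the site's own address space
SCAN_THRESHOLD = 20  # distinct tcp/445 targets from one host before calling it a sweep


def build_sample_log():
    """Constructed firewall/netflow-style records: 'timestamp src dst proto dport'."""
    lines = []
    # Infected host 10.20.1.15: sweeps tcp/445 across its own /16, then
    # fetches the payload from the UCLA address listed in the post.
    for i in range(1, 26):
        lines.append(f"2005-02-07T08:{i:02d}:00 10.20.1.15 10.20.{i}.{(i * 7) % 250 + 1} tcp 445")
    lines.append("2005-02-10T09:15:02 10.20.1.15 169.232.117.223 tcp 21")
    # Clean host: one legitimate file-server connection and some web traffic.
    lines.append("2005-02-07T08:05:00 10.20.1.40 10.20.0.5 tcp 445")
    lines.append("2005-02-07T08:06:00 10.20.1.40 198.51.100.9 tcp 80")
    # Inbound from outside: not one of our hosts acting, so the analyser ignores it.
    lines.append("2005-02-07T08:07:00 203.0.113.7 10.20.1.40 tcp 445")
    return lines


def parse_record(line):
    """Split one record into (timestamp, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return ts, src, dst, proto.lower(), int(dport)


def analyse(lines):
    """Return {internal_host: [finding, ...]} for hosts that look infected."""
    targets_445 = defaultdict(set)   # src -> distinct tcp/445 destinations
    ftp_fetches = defaultdict(set)   # src -> known payload servers contacted
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, proto, dport = parse_record(line)
        if proto != "tcp" or ip_address(src) not in INTERNAL_NET:
            continue  # only outbound / lateral activity from our own hosts
        if dport == 445:
            targets_445[src].add(dst)
        elif dport == 21 and dst in KNOWN_FTP_SERVERS:
            ftp_fetches[src].add(dst)

    findings = defaultdict(list)
    for src, dsts in targets_445.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[src].append(f"tcp/445 fan-out to {len(dsts)} distinct hosts")
    for src, dsts in ftp_fetches.items():
        findings[src].append("ftp to known Dust.exe server(s): " + ", ".join(sorted(dsts)))
    return dict(findings)


if __name__ == "__main__":
    for host, notes in sorted(analyse(build_sample_log()).items()):
        print(host)
        for note in notes:
            print("  -", note)
```

Flow records cannot show the "1"/"1" FTP login the post mentions; that only appears in a packet capture or in the FTP server's own log, so the fan-out count and the destination match are what a perimeter device can actually alert on. Either finding on its own is a reason to look at the host; both together match the sequence the post describes.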


Re: OT: Avi Freeman at the WSOP

2004-05-24 Thread Adam Maloney

Does anyone know if this "episode" will contain an interview or anything
with Avi?  IIRC, it's typical of WSOP to show a brief interview with the
players that make it to the final table.  I want to see the glazed-over
look from the WSOP announcers when they read his bio.  ("ache-a-me - it
sounds like some sort of pain relief medication...")

Congrats on your win Avi!  I know a lot of Tivo's will be busy on 8/17.

Maybe when he has some free time he can grace us (or inet-access) with
some stories.  God I hope he didn't lose to Phil Helmuth (sp?) :)

On Mon, 2004-05-24 at 06:34, John Payne wrote:
> 
> --On Friday, May 21, 2004 6:50 PM -0700 Rodney Joffe 
> <[EMAIL PROTECTED]> wrote:
> 
> > I guess he's done slightly better than that ;-).
> > Place  Name Prize
> > 5  Avi Freeman(sic) (Philadelphia, PA)  $90,000
> 
> 
> August 17th, 10PM on ESPN.  Having watched most of the final table until 
> Avi busted out, I'm really looking forward to seeing the hole cards :)
> 
> 
> 



Access in Steamboat Springs CO

2004-03-29 Thread Adam Maloney

Anyone providing access in Steamboat Springs care to give me dial-up
access for a few days?  I'd just need an hour or so a day through April
2nd.

I also detected a wireless provider here called Springloose - if you guys
are on-list, I wouldn't mind wireless access either :)

I will be happy to return the favor if you're ever in the Twin Cities
area.

Adam Maloney
Systems Administrator
Sihope Communications


nanog@merit.edu

2004-01-28 Thread Adam Maloney

On Wed, 2004-01-28 at 00:12, Jay Hennigan wrote:
> I have an AT&T T-1 taking errors.  Their trouble reporting number dumps
> me into the IVR from hell.  It even has machines calling me back at
> intervals with status.  The status says "A test was run..."  No hint as to
> the results of the test.
> 
> One of the choices is to say or hit "2" if you need further assistance.
> 
> Doing so gets a response telling you to call their maintenance center which
> is the same machine that I used to generate the ticket in the first place.
> 
> Furrfu!  The telephone company doesn't have anyone to answer the telephone.
> 
> Even "Floyd"[1] is looking pretty good at this point.
> 
> Anyone have a secret number or touchtone sequence to share?  Swearing at
> it doesn't work.  This is a point-to-point circuit, not an Internet T-1.
> 
> [1] 
> http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2003/02/21/BU227355.DTL

The ATT TickeTron loves you!  It will open your ticket, work your
ticket, and then close your ticket for no reason.  Then you can call
back into it and open a new ticket, which will again be closed.  You can
yell and scream at TickeTron all you want, and it will still give you
the same friendly, useless service as it did the first 10 times you
opened your ticket!  

"Open the fscking Ticket, TickeTron"  
"I'm sorry Jay, I'm afraid I can't do that, your ticket has been
closed."

I have a number for "Richmond Maintenance Center", e-mailed to you
off-list.  It may not be the right group for PtP, but at least you'll
get a real person to vent at.  They will probably be able to open your
ticket and get it to a warm body without getting "HAL" involved.

Make sure you ask the engineer you speak with what the ATT techs call
that system internally.  They have their own name for it (and it's not
TickeTron), and it's absolutely hilarious...and appropriate.  For the
life of me, I can't remember what it was.  At least the engineers know
how frustrating it is.  Really though, the worst part is that yelling at
it is just no fun.  And threatening to DEADBEEF its space in memory
won't earn you any points either :)

Adam Maloney
Systems Administrator
Sihope Communications



Re: Alternative Satellite news feed needed

2003-10-02 Thread Adam Maloney

> Only complaints I had about their service before I left were they
> wouldn't offer a filter before transmission service. It would have cut
> down on the transmit load and saved some time for my news server if they
> were filtering before it got to me.

I think they couldn't do this because it was a broadcast transmission, and
not point to point.  Any pre-transmission filter would be applied to
everyone.

> It was extremely nice to take the NNTP load off of our upstream links when
> we first set it up. As I understood it, they were not doing well on binary
> feeds towards the end there though.

I think they ended up filtering posts over a certain length over a year
ago (?).  They were approaching 45-50MBit/s, and when they implemented
that filter they cut it back to about 30.  Not exactly a full feed, but
how much porn do you actually need? :)

We ended up supplementing their feed with a text-only feed from one of our
upstreams, just to make sure we weren't missing anything that someone
might actually care about (i.e. non-porn).

Adam Maloney
Systems Administrator
Sihope Communications



Re: Sobigf + BGP

2003-08-25 Thread Adam Maloney

And my wife said 2 days at fortuneteller camp was a waste of money - Hah!

This is neat, maybe I can make some more stuff happen.  "Tomorrow I will
win the lottery."  "My next Qwest bill will be correct."

Incidentally, I'd dump that stock you just bought - the CEO of that
company is going to be involved in a little "incident" next week involving
2 goats, a papier-mâché reconstruction of the Eiffel Tower, and a well
known youth organization.

The oracle has spoken :)

> When Blaster hit back on Aug 11, I remembered an earlier NANOG post that I
> saw:
> 
> Subject: Re: Microsoft.com attack?
> On Fri, 1 Aug 2003, Adam Maloney <[EMAIL PROTECTED]> wrote:
> > I was just thinking the other day, wouldn't it be funny if there was a
> > worm that had infected machines attack windowsupdate.microsoft.com so
> > you couldn't patch? :)
> 
> Despite the windowsupdate.microsoft.com vs windowsupdate.com difference, the
> paranoid side of me thinks that this was more than coincidental...
> 
> -Sounil
> 

Adam Maloney
Systems Administrator
Sihope Communications



Re: Brace yourselves.. W32/Sobig-F about to mutate...

2003-08-22 Thread Adam Maloney

The [EMAIL PROTECTED] address may fool them, but I would be very
suspicious of a Microsoft patch that was only 9.6KB :)

> Parts/Attachments:
>1 Shown  3 lines  Text
>2  9.6 KB Application
>3 Shown  0 lines  Text
> --------

Adam Maloney
Systems Administrator
Sihope Communications



Re: Microsoft.com attack?

2003-08-01 Thread Adam Maloney

Yeah, seeing the same here - it's been flaky for us for the last 30
minutes while we've been trying it.

I wonder if it's related to this messages.zip / admin@ thing that's all
over the place today.

I was just thinking the other day, wouldn't it be funny if there was a
worm that had infected machines attack windowsupdate.microsoft.com so you
couldn't patch? :)  I haven't confirmed that this is the problem, but it
seems likely.

Adam Maloney
Systems Administrator
Sihope Communications

On Fri, 1 Aug 2003, Jason Frisvold wrote:

> Anyone aware of an attack on www.microsoft.com?  I had a customer
> machine that was attacking it, looks like either a bug in Microsoft's
> SP4 (coincidentally this started the day after this was installed) or
> there's some new(?) worm of some sort causing this ??
> 
> Thanks!
> 
> -- 
> ---
> Jason H. Frisvold
> Backbone Engineering Supervisor
> Penteledata Engineering
> [EMAIL PROTECTED]
> RedHat Engineer - RHCE # 807302349405893
> Cisco Certified - CCNA # CSCO10151622
> MySQL Core Certified - ID# 205982910
> ---
> "Imagination is more important than knowledge.
> Knowledge is limited. Imagination encircles
> the world."
>   -- Albert Einstein [1879-1955]
> 




Cisco vulnerability and dangerous filtering techniques

2003-07-22 Thread Adam Maloney

I had a passing thought over the weekend regarding Thursday's cisco
vulnerability and the recent Microsoft holes.

The next worm taking advantage of the latest Windows vulnerabilities is
more or less inevitable.  Someone somewhere has to be writing it.  So why
not include the cisco exploit in the worm payload?

Based on past history, there will be plenty of vulnerable Windows hosts to
infect with the worm.  I would also guess that there are lots of
organizations and end-users that have cisco devices that haven't patched
their IOS.  Furthermore, I wonder how many people have applied filtering
only at their border?  But packets from an infected host inside the
network wouldn't be stopped by filtering applied only to the external
side.

Basically, if you're filtering access to your interface IP's rather than
upgrading IOS, remember that the internet isn't the only source of danger
to your network.

Adam Maloney
Systems Administrator
Sihope Communications
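The post's point is that an access-list protecting the router's interface addresses only helps on the interfaces where it is actually applied, and a filter on the upstream link alone does nothing against an infected host on an inside LAN. As an added example (not code from the post or from Cisco), the Python script below audits a constructed IOS-style configuration for exactly that gap: it lists interfaces that carry an address but have no inbound access-group, and interface addresses that the border ACL never mentions. The configuration text, hostnames and addresses are constructed; the parser is a minimal one written for this example and understands only "interface", "ip address", "ip access-group ... in" and "access-list N deny ip any host X" lines.

```python
# Added example: audit an IOS-style config for interfaces left without an
# inbound ACL and for interface addresses the ACL does not cover.
# Not code from the post; the config below is constructed for illustration.
import re

SAMPLE_CONFIG = """\
hostname edge-router
!
access-list 110 deny ip any host 192.0.2.1
access-list 110 deny ip any host 192.0.2.2
access-list 110 permit ip any any
!
interface Serial0/0
 description upstream
 ip address 192.0.2.2 255.255.255.252
 ip access-group 110 in
!
interface FastEthernet0/0
 description customer LAN
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1
 description office LAN
 ip address 10.20.0.1 255.255.0.0
!
interface Loopback0
 ip address 192.0.2.9 255.255.255.255
!
"""


def parse_interfaces(config_text):
    """Return {interface: {"address": str|None, "acl_in": str|None}}.

    IOS indents the lines of an interface block by one space; any
    unindented line (including the '!' separator) ends the block.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.startswith(" "):
            m = re.match(r"interface (\S+)", raw)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = {"address": None, "acl_in": None}
            continue
        if current is None:
            continue
        line = raw.strip()
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m:
            interfaces[current]["address"] = m.group(1)
        m = re.match(r"ip access-group (\S+) in", line)
        if m:
            interfaces[current]["acl_in"] = m.group(1)
    return interfaces


def unfiltered_interfaces(config_text):
    """Addressed interfaces with no inbound ACL. Loopbacks are skipped: packets
    never arrive on them from the wire, so an access-group there has no effect."""
    return sorted(
        name for name, info in parse_interfaces(config_text).items()
        if info["address"] and info["acl_in"] is None
        and not name.lower().startswith("loopback")
    )


def acl_denied_hosts(config_text, acl_name):
    """Host addresses the named ACL explicitly denies (deny ip any host X)."""
    pattern = re.compile(rf"^access-list {re.escape(acl_name)} deny ip any host (\S+)")
    denied = set()
    for line in config_text.splitlines():
        m = pattern.match(line)
        if m:
            denied.add(m.group(1))
    return denied


def unprotected_addresses(config_text, acl_name):
    """Interface addresses that the ACL does not deny access to at all."""
    denied = acl_denied_hosts(config_text, acl_name)
    return sorted(
        info["address"] for info in parse_interfaces(config_text).values()
        if info["address"] and info["address"] not in denied
    )


if __name__ == "__main__":
    print("interfaces with no inbound ACL:", unfiltered_interfaces(SAMPLE_CONFIG))
    print("interface addresses missing from ACL 110:",
          unprotected_addresses(SAMPLE_CONFIG, "110"))
```

On the constructed config the first check reports both LAN interfaces, which is the "border only" mistake the post warns about, and the second check shows that the office-LAN and loopback addresses are not in the filter even where it is applied. A host inside the office LAN could therefore reach every interface address of the router unfiltered; as the post says, the filter is a stopgap and the real fix is the IOS upgrade.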