Re: Speaking of viruses...
Sorry - my mailer did something stupid. Here's what was sent, and more comments at the bottom:

To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Attn: Bob - Dust.exe

CC'd to [EMAIL PROTECTED] - UCLA, your option "2" for your abuse desk rings to an invalid number.

On Monday morning a bunch of our Win2k PCs got infected with a virus. We are seeing the infected machines attempting to make FTP connections to various IPs - the ones I've seen so far are in UCLA and MIT address space. The client connects to the FTP server (all have been Serv-U running under Windows), logs in with username "1", password "1", and retrieves Dust.exe.

Some of the IPs I've seen connections to:
18.242.5.42 (MIT)
18.241.5.89 (MIT)
169.232.117.223 (UCLA)

The Dust.exe process attempts to install infected files named Jah.exe and Gamma.exe. Jah is detected by Trend as WORM_RBOT.alo; Gamma is detected as "possible virus". Starting this morning Trend started detecting Dust as TROJ_SCNDTHOT.ab. When the machine tried to download it from MIT, Trend caught it as above. When it tried UCLA, Trend did not catch it, and the download succeeded.

When this hit on Monday, we saw infected PCs trying to infect other machines over tcp/445. They were trying random IPs in the address space that the infected computer was configured in. We did not see any FTP connections Monday morning like these, however we weren't really looking for them.

-- END --

After this was sent, I've found some more details. The Dust.exe file is also being served by IPs at ThePlanet and ncsd.edu. The file from UCLA is about 5K bigger than the files served by the other sites. This explains why Trend was catching it when served by MIT but not by UCLA.

After some more investigation, it looks like an infected machine uses a tcp/445 vulnerability to infect others. Once the others are hit on 445, they are instructed to download the payload from these FTP sites. I've made copies of the files available to CERT.

I'm waiting on Trend to react to our support request from this morning.
Speaking of viruses...
I sent this to CERT this morning. They apparently were unaware of it, and as far as I can tell there's nothing on any of the A/V sites about it. As of 14:00 CST, these sites are still serving up the virus executable. I haven't heard anything back from CERT or UCLA. Am I the only one seeing this?!

From [EMAIL PROTECTED] Thu Feb 10 10:24:16 2005
Date: Thu, 10 Feb 2005 10:24:15 -0600 (CST)
From: Adam Maloney <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Attn: Bob - Dust.exe

CC'd to [EMAIL PROTECTED] - UCLA, your option "2" for your abuse desk rings to an invalid number.

On Monday morning a bunch of our Win2k PCs got infected with a virus. We are seeing the infected machines attempting to make FTP connections to various IPs - the ones I've seen so far are in UCLA and MIT address space. The client connects to the FTP server (all have been Serv-U running under Windows), logs in with username "1", password "1", and retrieves Dust.exe.

Some of the IPs I've seen connections to:
18.242.5.42 (MIT)
18.241.5.89 (MIT)
169.232.117.223 (UCLA)

The Dust.exe process attempts to install infected files named Jah.exe and Gamma.exe. Jah is detected by Trend as WORM_RBOT.alo; Gamma is detected as "possible virus". Starting this morning Trend started detecting Dust as TROJ_SCNDTHOT.ab. When the machine tried to download it from MIT, Trend caught it as above. When it tried UCLA, Trend did not catch it, and the download succeeded.

When this hit on Monday, we saw infected PCs trying to infect other machines over tcp/445. They were trying random IPs in the address space that the infected computer was configured in. We did not see any FTP connections Monday morning like these, however we weren't really looking for them.

-- END --

After this was sent, I've found some more details. The Dust.exe file is also being served by IPs at ThePlanet and ncsd.edu. The file from UCLA is about 5K bigger than the files served by the other sites. This explains why Trend was catching it when served by MIT but not by UCLA.

After some more investigation, it looks like an infected machine uses a tcp/445 vulnerability to infect others. Once the others are hit on 445, they are instructed to download the payload from these FTP sites. I've made copies of the files available to CERT.

I'm waiting on Trend to react to our support request from this morning.
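The two behaviours reported in the posts above (outbound FTP to the Dust.exe distribution hosts, and one machine sweeping tcp/445 across many addresses) are both visible in plain connection logs. The script below is an added example, not part of the original posts: it parses constructed firewall-style log lines and flags both patterns. The three server IPs come from the post; the log line format, the sample lines, and the fan-out threshold are assumptions made for the example.

```python
"""Flag hosts showing the behaviours described in the Dust.exe posts:
outbound tcp/21 to the listed FTP servers, and tcp/445 fan-out scanning.
Added example; the log format and threshold are assumptions, not from the post."""
import re
from collections import defaultdict

# IoCs taken from the post: FTP servers seen handing out Dust.exe.
DUST_FTP_SERVERS = {"18.242.5.42", "18.241.5.89", "169.232.117.223"}

# Assumed threshold: more than this many distinct tcp/445 targets from one
# source within the log window is treated as scanning, not normal file sharing.
SMB_FANOUT_THRESHOLD = 20

# Assumed log line format (key=value, one connection attempt per line).
LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict with src, dst, proto, dport, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(lines, smb_threshold=SMB_FANOUT_THRESHOLD):
    """Return (ftp_hits, smb_scanners).

    ftp_hits:     list of (src, dst) for tcp/21 connections to a known Dust.exe server.
    smb_scanners: dict src -> count of distinct tcp/445 targets, for sources above
                  the threshold.
    """
    ftp_hits = []
    smb_targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] == 21 and rec["dst"] in DUST_FTP_SERVERS:
            ftp_hits.append((rec["src"], rec["dst"]))
        elif rec["dport"] == 445:
            smb_targets[rec["src"]].add(rec["dst"])
    smb_scanners = {src: len(t) for src, t in smb_targets.items() if len(t) > smb_threshold}
    return ftp_hits, smb_scanners


def build_sample_log():
    """Constructed sample log: one host fetching from UCLA and MIT, one host sweeping
    a /24 on 445, and a normal host talking to a single file server."""
    lines = [
        "2005-02-10 10:24:15 src=10.1.1.7 dst=169.232.117.223 proto=tcp dport=21",
        "2005-02-10 10:24:19 src=10.1.1.7 dst=18.242.5.42 proto=tcp dport=21",
        "2005-02-10 10:25:00 src=10.1.1.9 dst=10.1.1.50 proto=tcp dport=445",
        "2005-02-10 10:25:01 src=10.1.1.9 dst=10.1.1.50 proto=tcp dport=445",
    ]
    for host in range(1, 41):  # 40 distinct targets: well above the threshold
        lines.append(
            f"2005-02-10 10:26:{host % 60:02d} src=10.1.1.12 dst=10.1.3.{host} proto=tcp dport=445"
        )
    return lines


if __name__ == "__main__":
    hits, scanners = analyse(build_sample_log())
    for src, dst in hits:
        print(f"FTP to Dust.exe server: {src} -> {dst}")
    for src, count in scanners.items():
        print(f"tcp/445 fan-out: {src} hit {count} distinct hosts")
```

The FTP check is an exact IoC match and will miss the ThePlanet and ncsd.edu hosts the post mentions but does not enumerate; the 445 fan-out check is behavioural and catches a spreading host regardless of where it fetches the payload from.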
Re: OT: Avi Freeman at the WSOP
Does anyone know if this "episode" will contain an interview or anything with Avi? IIRC, it's typical of WSOP to show a brief interview with the players that make it to the final table. I want to see the glazed-over look from the WSOP announcers when they read his bio. ("ache-a-me - it sounds like some sort of pain relief medication...")

Congrats on your win Avi! I know a lot of Tivos will be busy on 8/17. Maybe when he has some free time he can grace us (or inet-access) with some stories.

God I hope he didn't lose to Phil Helmuth (sp?) :)

On Mon, 2004-05-24 at 06:34, John Payne wrote:
>
> --On Friday, May 21, 2004 6:50 PM -0700 Rodney Joffe <[EMAIL PROTECTED]> wrote:
>
> > I guess he's done slightly better than that ;-).
> > Place Name Prize
> > 5 Avi Freeman(sic) (Philadelphia, PA) $90,000
> >
> August 17th, 10PM on ESPN. Having watched most of the final table until
> Avi busted out, I'm really looking forward to seeing the hole cards :)
>
Access in Steamboat Springs CO
Anyone providing access in Steamboat Springs care to give me dial-up access for a few days? I'd just need an hour or so a day through April 2nd. I also detected a wireless provider here called Springloose - if you guys are on-list, I wouldn't mind wireless access either :)

I will be happy to return the favor if you're ever in the Twin Cities area.

Adam Maloney
Systems Administrator
Sihope Communications
nanog@merit.edu
On Wed, 2004-01-28 at 00:12, Jay Hennigan wrote:
> I have an AT&T T-1 taking errors. Their trouble reporting number dumps
> me into the IVR from hell. It even has machines calling me back at
> intervals with status. The status says "A test was run..." No hint as to
> the results of the test.
>
> One of the choices is to say or hit "2" if you need further assistance.
>
> Doing so gets a response telling you to call their maintenance center which
> is the same machine that I used to generate the ticket in the first place.
>
> Furrfu! The telephone company doesn't have anyone to answer the telephone.
>
> Even "Floyd"[1] is looking pretty good at this point.
>
> Anyone have a secret number or touchtone sequence to share? Swearing at
> it doesn't work. This is a point-to-point circuit, not an Internet T-1.
>
> [1]
> http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2003/02/21/BU227355.DTL

The ATT TickeTron loves you! It will open your ticket, work your ticket, and then close your ticket for no reason. Then you can call back into it and open a new ticket, which will again be closed. You can yell and scream at TickeTron all you want, and it will still give you the same friendly, useless service as it did the first 10 times you opened your ticket!

"Open the fscking Ticket, TickeTron"
"I'm sorry Jay, I'm afraid I can't do that, your ticket has been closed."

I have a number for "Richmond Maintenance Center", e-mailed to you off-list. It may not be the right group for PtP, but at least you'll get a real person to vent at. They will probably be able to open your ticket and get it to a warm body without getting "HAL" involved.

Make sure you ask the engineer you speak with what the ATT techs call that system internally. They have their own name for it (and it's not TickeTron), and it's absolutely hilarious...and appropriate. For the life of me, I can't remember what it was. At least the engineers know how frustrating it is.

Really though, the worst part is that yelling at it is just no fun. And threatening to DEADBEEF its space in memory won't earn you any points either :)

Adam Maloney
Systems Administrator
Sihope Communications
Re: Alternative Satellite news feed needed
> Only complaints I had about their service before I left were they
> wouldn't offer a filter before transmission service. It would have cut
> down on the transmit load and saved some time for my news server if they
> were filtering before it got to me.

I think they couldn't do this because it was a broadcast transmission, and not point to point. Any pre-transmission filter would be applied to everyone.

> It was extremely nice to take the NNTP load off of our upstream links when
> we first set it up. As I understood it, they were not doing well on binary
> feeds towards the end there though.

I think they ended up filtering posts over a certain length over a year ago (?). They were approaching 45-50MBit/s, and when they implemented that filter they cut it back to about 30. Not exactly a full feed, but how much porn do you actually need? :)

We ended up supplementing their feed with a text-only feed from one of our upstreams, just to make sure we weren't missing anything that someone might actually care about (i.e. non-porn).

Adam Maloney
Systems Administrator
Sihope Communications
Re: Sobigf + BGP
And my wife said 2 days at fortuneteller camp was a waste of money - Hah!

This is neat, maybe I can make some more stuff happen.

"Tomorrow I will win the lottery."
"My next Qwest bill will be correct."

Incidentally, I'd dump that stock you just bought - the CEO of that company is going to be involved in a little "incident" next week involving 2 goats, a papier-mâché reconstruction of the Eiffel tower, and a well known youth organization.

The oracle has spoken :)

> When Blaster hit back on Aug 11, I remembered an earlier NANOG post that I
> saw:
>
> Subject: Re: Microsoft.com attack?
> On Fri, 1 Aug 2003, Adam Maloney <[EMAIL PROTECTED]> wrote:
> > I was just thinking the other day, wouldn't it be funny if there was a
> > worm that had infected machines attack windowsupdate.microsoft.com so
> > you couldn't patch? :)
>
> Despite the windowsupdate.microsoft.com vs windowsupdate.com difference, the
> paranoid side of me thinks that this was more than coincidental...
>
> -Sounil
>

Adam Maloney
Systems Administrator
Sihope Communications
Re: Brace yourselves.. W32/Sobig-F about to mutate...
The [EMAIL PROTECTED] address may fool them, but I would be very suspicious of a Microsoft patch that was only 9.6KB :)

> Parts/Attachments:
> 1 Shown 3 lines Text
> 2 9.6 KB Application
> 3 Shown 0 lines Text
> --------

Adam Maloney
Systems Administrator
Sihope Communications
Re: Microsoft.com attack?
Yeah, seeing the same here - it's been flaky for us for the last 30 minutes while we've been trying it. I wonder if it's related to this messages.zip / admin@ thing that's all over the place today.

I was just thinking the other day, wouldn't it be funny if there was a worm that had infected machines attack windowsupdate.microsoft.com so you couldn't patch? :)

I haven't confirmed that this is the problem, but it seems likely.

Adam Maloney
Systems Administrator
Sihope Communications

On Fri, 1 Aug 2003, Jason Frisvold wrote:
> Anyone aware of an attack on www.microsoft.com? I had a customer
> machine that was attacking it, looks like either a bug in Microsoft's
> SP4 (coincidentally this started the day after this was installed) or
> there's some new(?) worm of some sort causing this ??
>
> Thanks!
>
> --
> ---
> Jason H. Frisvold
> Backbone Engineering Supervisor
> Penteledata Engineering
> [EMAIL PROTECTED]
> RedHat Engineer - RHCE # 807302349405893
> Cisco Certified - CCNA # CSCO10151622
> MySQL Core Certified - ID# 205982910
> ---
> "Imagination is more important than knowledge.
> Knowledge is limited. Imagination encircles
> the world."
> -- Albert Einstein [1879-1955]
>
Cisco vulnerability and dangerous filtering techniques
I had a passing thought over the weekend regarding Thursday's cisco vulnerability and the recent Microsoft holes.

The next worm taking advantage of the latest Windows vulnerabilities is more or less inevitable. Someone somewhere has to be writing it. So why not include the cisco exploit in the worm payload? Based on past history, there will be plenty of vulnerable Windows hosts to infect with the worm. I would also guess that there are lots of organizations and end-users that have cisco devices that haven't patched their IOS.

Furthermore, I wonder how many people have applied filtering only at their border? Packets from an infected host inside the network wouldn't be stopped by filtering applied only to the external side.

Basically, if you're filtering access to your interface IPs rather than upgrading IOS, remember that the internet isn't the only source of danger to your network.

Adam Maloney
Systems Administrator
Sihope Communications
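The gap the post describes (an interface-protection ACL applied inbound on the upstream interface only, leaving every LAN-facing interface open to an infected host inside) is easy to audit from a saved running-config. The script below is an added example, not from the post or from Cisco: it parses `interface` blocks out of a constructed IOS-style configuration and lists the interfaces on which the named ACL is not applied inbound. The configuration text, the ACL name PROTECT-INFRA, and the choice to skip Loopback and Null interfaces (they receive no packets from a wire) are assumptions made for the example; as the post says, the ACL is a stopgap and upgrading IOS is the fix.

```python
"""Audit an IOS-style running-config for interfaces that lack an inbound
interface-protection ACL. Added example; the config below is constructed."""
import re

# Constructed sample config: the ACL protects the router's own addresses but
# is applied inbound only on the upstream link and one of two LAN interfaces.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
ip access-list extended PROTECT-INFRA
 deny   ip any host 203.0.113.2
 deny   ip any host 192.0.2.1
 deny   ip any host 192.0.2.129
 permit ip any any
!
interface Serial0/0
 description Upstream
 ip address 203.0.113.2 255.255.255.252
 ip access-group PROTECT-INFRA in
!
interface FastEthernet0/0
 description Office LAN
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1
 description Servers
 ip address 192.0.2.129 255.255.255.128
 ip access-group PROTECT-INFRA in
!
interface Loopback0
 ip address 192.0.2.254 255.255.255.255
!
"""

ACL_IN_RE = re.compile(r"ip access-group (\S+) in$")


def parse_interfaces(config_text):
    """Return a list of {name, description, acl_in} dicts, one per interface block.
    A block ends at '!' or at the next top-level (unindented) line."""
    interfaces = []
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = {"name": line.split(None, 1)[1], "description": "", "acl_in": None}
            interfaces.append(current)
        elif not line.startswith(" "):
            current = None  # '!' or any other top-level line closes the block
        elif current is not None:
            stripped = line.strip()
            if stripped.startswith("description "):
                current["description"] = stripped[len("description "):]
            m = ACL_IN_RE.match(stripped)
            if m:
                current["acl_in"] = m.group(1)
    return interfaces


def uncovered_interfaces(config_text, acl_name, skip_prefixes=("Loopback", "Null")):
    """Names of interfaces on which acl_name is not applied inbound.
    Internal interfaces matter as much as the border: an infected host on the
    LAN reaches the router's addresses through them, never through the WAN ACL."""
    return [
        i["name"]
        for i in parse_interfaces(config_text)
        if not i["name"].startswith(skip_prefixes) and i["acl_in"] != acl_name
    ]


if __name__ == "__main__":
    for name in uncovered_interfaces(SAMPLE_CONFIG, "PROTECT-INFRA"):
        print(f"{name}: PROTECT-INFRA not applied inbound")
```

Run against the sample it reports FastEthernet0/0, the office LAN: exactly the interface through which a worm-infected desktop would reach the router. Point it at a real `show running-config` dump to get the same list for your own devices.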