Re: Google DNS problems?!?

2005-05-07 Thread Matthew S. Hallacy

On Sun, May 08, 2005 at 02:18:19AM +, Fergie (Paul Ferguson) wrote:
 
 
 Does anyone else think that its a bit odd that if it were simply
 DNS problems that a redirect for www.google.com would end up
 at a location which provided this:

All of the hack evidence is from people looking at a whois
query and fretting over:

  Server Name: GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
  IP Address: 80.190.192.24
  Registrar: KEY-SYSTEMS GMBH
  Whois Server: whois.rrpproxy.net
  Referral URL: http://www.key-systems.net

  Server Name: GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM
  IP Address: 209.187.114.130
  Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM
  Whois Server: whois.itsyourdomain.com
  Referral URL: http://www.itsyourdomain.com


We've been over this before, whois queries also return nameservers,
which people take advantage of.


  http://img179.echo.cx/img179/7959/googlehacked7to.jpg
 
 [or]
 
  http://img241.echo.cx/img241/6208/googlemsn3lp.png
 
 Seems more than simple DNS problems to me.
 
 I hate being played like an idiot
 
 - ferg

Wow, one person being redirected to a competitors site, ever heard of
spyware? (Yes, even on a Mac)


-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                         GPG public key 0x01938203
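The check behind the reply above, written out as an added example (not code from the original post): split a .com whois reply into records and separate the registry's nameserver host objects, which are returned merely because their names begin with the queried string, from the domain record and its real delegation. The sample reply is constructed; its two "Server Name" records copy the ones quoted in the thread, while the GOOGLE.COM domain record is a stand-in with abbreviated, made-up fields.

```python
import re
from typing import Dict, List, Optional

# Constructed whois reply. The two "Server Name" host records copy the ones
# quoted in the thread; the "Domain Name" record is a stand-in with
# abbreviated fields (its registrar line is made up).
SAMPLE_WHOIS = """\
   Server Name: GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
   IP Address: 80.190.192.24
   Registrar: KEY-SYSTEMS GMBH
   Whois Server: whois.rrpproxy.net
   Referral URL: http://www.key-systems.net

   Server Name: GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM
   IP Address: 209.187.114.130
   Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM
   Whois Server: whois.itsyourdomain.com
   Referral URL: http://www.itsyourdomain.com

   Domain Name: GOOGLE.COM
   Registrar: EXAMPLE REGISTRAR (constructed)
   Name Server: NS1.GOOGLE.COM
   Name Server: NS2.GOOGLE.COM
"""

Record = Dict[str, List[str]]


def parse_records(text: str) -> List[Record]:
    """Split a whois reply into blank-line separated records of key -> values.
    Repeated keys (several "Name Server" lines) accumulate in order."""
    records: List[Record] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if not sep:
                continue  # not a "Key: value" field line
            rec.setdefault(key.strip(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records


def record_kind(rec: Record) -> str:
    """'domain' for a registered domain, 'host' for a nameserver host object."""
    if "Domain Name" in rec:
        return "domain"
    if "Server Name" in rec:
        return "host"
    return "other"


def domain_record(query: str, text: str) -> Optional[Record]:
    """The domain record whose name is exactly the query, or None."""
    wanted = query.strip().rstrip(".").upper()
    for rec in parse_records(text):
        if record_kind(rec) == "domain" and rec["Domain Name"][0].upper() == wanted:
            return rec
    return None


def prefix_host_records(query: str, text: str) -> List[str]:
    """Host objects the registry returned only because their name starts
    with the query; they say nothing about who controls the queried domain."""
    prefix = query.strip().rstrip(".").upper()
    return [
        rec["Server Name"][0]
        for rec in parse_records(text)
        if record_kind(rec) == "host" and rec["Server Name"][0].upper().startswith(prefix)
    ]


def delegation(query: str, text: str) -> List[str]:
    """Nameservers actually listed for the domain (empty if no domain record)."""
    rec = domain_record(query, text)
    return rec.get("Name Server", []) if rec else []
```

The only lines that describe google.com's delegation are the "Name Server" lines of the "Domain Name: GOOGLE.COM" record; the host objects are somebody else's registrations that happen to share the prefix.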


Re: Google DNS problems?!?

2005-05-07 Thread Matthew S. Hallacy

On Sun, May 08, 2005 at 03:09:40AM +, Fergie (Paul Ferguson) wrote:
 
 Well, Matthew, my boy, it appears to have been more than a
 simple spyware incident on a Mac or two.
 
 If you're not part of the solution

Precisely. Please review the data before posting 'omg google was hacked!'
to public mailing lists. 


Re: Port 25 - Blacklash

2005-04-27 Thread Matthew S. Hallacy

On Tue, Apr 26, 2005 at 05:50:11PM -0400, Daniel Golding wrote:
 
 
 Do all of Comcast's markets block port 25?

Not yet.


Re: Dear Linksys: Your broken WET54GS5 makes me sad.

2005-04-11 Thread Matthew S. Hallacy

On Mon, Apr 11, 2005 at 11:13:31AM -0700, just me wrote:
 
 It seems that it's pretty dim there. After acknowledging that the 
 product was broken by design, they offered to replace them under 
 warranty. Great.
 
 I wonder how Cisco feels about these jack-holes using their brand.
 
 matto

What does your inability to get a $49 consumer device working have to do
with NANOG?  



Re: New Computer? Six Steps to Safer Surfing

2004-12-21 Thread Matthew S. Hallacy

On Tue, Dec 21, 2004 at 06:17:42AM +, Christopher L. Morrow wrote:

 and Sean will/maybe-has-already pointed out that unix (in all its
 glorious variations) is no more secure than anything else... as much as
 it saddens me to say all that it sure seems to be the truth. :(

Only if you turn on all the services (running as the root user), then fire
up XF86, a web browser, and email client (also running as root).


(Yes, I am well aware that you can run software on Windows as restricted
user IDs. We're talking about the typical desktop though)



Re: New Computer? Six Steps to Safer Surfing

2004-12-21 Thread Matthew S. Hallacy

On Tue, Dec 21, 2004 at 09:40:10AM +, Adrian Chadd wrote:

 No, wrong. Modern botnet type software can run as a non privileged user
 on most Unixes. It still has enough privilege to cause great harm.
 Spyware may require a little more privilege to be a bother.
 

It's not snarfing passwords, it's not using raw sockets, it's not hiding
itself on the filesystem, it's not infecting or replacing binaries, it 
has limited functionality for restarting itself (cron, bash_login?), it's
trivial to clean up. 

Nobody said *nix wasn't vulnerable, it's simply less vulnerable and the
level of penetration can be severely limited.

In response to the post by Christopher Morrow, the typical *nix desktop
(should|is) not running apache, sshd, portmapper, etc. And sendmail is
installed listening only on the loopback interface from RedHat 9 onward.

The point being, you don't need a firewall. You need to turn off/remove/fix
the services that are causing the problem.



Re: New Computer? Six Steps to Safer Surfing

2004-12-19 Thread Matthew S. Hallacy

On Sat, Dec 18, 2004 at 09:14:30PM -0500, Sean Donelan wrote:
 
 I wouldn't rely on software firewalls.  At the same store you buy your
 computer, also buy a hardware firewall.  Hopefully soon the motherboard
 and NIC manufacturers will start including built-in hardware firewalls.
 But sometimes, such as dialup modems, software firewalls are the only
 alternative.

Hopefully soon people will start running operating systems, web browsers,
and email clients where they have no need for a personal firewall. 

(Or, with luck, certain vendors will fix their buggy software)



Re: BitTorrent is 35% of traffic ?

2004-11-04 Thread Matthew S. Hallacy

On Fri, Nov 05, 2004 at 08:59:42AM +0900, Tony Li wrote:
 
 
 For those not familiar, BitTorrent is a file sharing app that is 
 commonly
 used for exchanging full movies.  As such, folks are moving gigabyte
 files regularly and it's not surprising that this is detectable.
 Shuffling .mp3's around would be trivial by comparison.
 
 Tony

It's also used for distributing large patches (XP SP2), the latest
ISOs of various (free) operating systems, and pretty much anything else
that would create a flash crowd load on a system that it could not handle
without distributing the traffic among the people downloading. 

This isn't a made-for-pirating-software/audio program, don't treat it as
such. 



Re: whois.arin.net dead again

2004-06-23 Thread Matthew S. Hallacy

Probably went overbudget with the vacations to caribbean islands, and 
had to shut down a few servers to save on the power bill. 


On Tue, Jun 22, 2004 at 11:30:51PM -0400, Jon Lewis wrote:
 
 What's going on?  whois.arin.net is not accepting connections and the
 whois search via www.arin.net is dead again.
 
 --
  Jon Lewis   |  I route
  Senior Network Engineer |  therefore you are
  Atlantic Net|
 _ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Packet Kiddies Invade NANOG

2004-03-14 Thread Matthew S. Hallacy

On Sun, Mar 14, 2004 at 10:43:29PM -0600, Gregory Taylor wrote:
 
 Matthew (yes I know it is you), The personal information you 
 have posted regarding my phone number is me.  However, the 
 slanderous material and obvious hate/flame statements you made 
 against me are absolutely false. 

For the record, I've been in-transit between the cold state of Minnesota
to the semi-warm state of Texas for the past two days via car, without
internet access. If I wanted to post the urls in this thread I would
have no issues doing it without hiding behind an anonymous email
account.

As for the accusations made being false, I know nothing about them. I do
recall the 2 or 3 times you've attacked me by the direct, or indirect request
of Andrew Kirch (trelane). 



Re: Steadfast Networks

2004-03-10 Thread Matthew S. Hallacy

On Wed, Mar 10, 2004 at 05:53:35PM -0500, Andrew D Kirch wrote:

 for irc channel == group of nonrelated self-serving script kiddies?

He was banned from #nanog, not #trelane



Re: Need a cox.net mail server contact

2004-03-10 Thread Matthew S. Hallacy

On Thu, Mar 11, 2004 at 12:34:29AM -0500, Brian Bruns wrote:
 
 Hello all,
 
 If a cox.net mail admin, or someone who knows a cox.net mail admin could
 contact me offlist about them blocking 2mbit.com in their mail servers, that
 would be great.  I've tried contacting their [EMAIL PROTECTED] with UNBLOCK
 in the subject, but it just bounces the mail back at me with the same error as
 if I was trying to contact one of their users.   Sooo, you kinda see the
 issue.

Get used to it, a lot of mail servers are rejecting mail that comes from
DSL and Cable modem lines, you're hosting 2mbit.com on roadrunner (despite
calling it an 'RF T1' (??)) and thus, it will be blocked.

 Open Solutions For A Closed World / Anti-Spam Resources
 http://www.sosdg.org
 
 The Abusive Hosts Blocking List
 http://www.ahbl.org

The irony..



Re: ATT carrying rfc1918 on the as7018 backbone?

2004-01-22 Thread Matthew S. Hallacy

On Thu, Jan 22, 2004 at 03:21:01PM -0700, Brett Watson wrote:
 
 First, yes I know I should call ATT but I want to know if anyone else sees
 this problem:

[snip]

[random destinations chosen, first few hops removed on purpose]

traceroute to 10.150.5.1 (10.150.5.1), 30 hops max, 38 byte packets

 4  bic04-p2-0.rosehe1.mn.attbb.net (24.31.2.46)  9.621 ms  12.405 ms  8.635 ms
 5  12.118.239.77 (12.118.239.77)  21.055 ms  22.684 ms  17.674 ms
 6  tbr1-p012301.cgcil.ip.att.net (12.123.6.9)  21.249 ms  18.653 ms  32.055 ms
 7  tbr1-cl1.sffca.ip.att.net (12.122.10.6)  60.504 ms  65.109 ms  63.290 ms
 8  gbr1-p10.sffca.ip.att.net (12.122.11.66)  60.401 ms  62.929 ms  59.776 ms
 9  gar1-p360.sffca.ip.att.net (12.123.13.57)  60.556 ms  60.769 ms  63.278 ms
10  12.126.195.122 (12.126.195.122)  62.064 ms  60.966 ms  64.617 ms
11  12.244.67.25 (12.244.67.25)  75.027 ms  68.277 ms  66.029 ms
12  12.244.67.21 (12.244.67.21)  66.410 ms  67.539 ms  67.902 ms
13  12.244.98.215 (12.244.98.215)  68.285 ms  69.883 ms  83.187 ms
14  10.150.5.1 (10.150.5.1)  72.288 ms  72.797 ms  70.952 ms

traceroute to 10.240.0.1 (10.240.0.1), 30 hops max, 38 byte packets

 4  bic04-p2-0.rosehe1.mn.attbb.net (24.31.2.46)  12.024 ms  9.476 ms  9.918 ms
 5  12.118.239.77 (12.118.239.77)  30.056 ms  20.397 ms  17.087 ms
 6  tbr2-p012301.cgcil.ip.att.net (12.123.6.13)  19.700 ms  36.509 ms  20.223 ms
 7  tbr2-cl7.sl9mo.ip.att.net (12.122.10.46)  27.903 ms  37.704 ms  24.727 ms
 8  tbr2-cl6.dlstx.ip.att.net (12.122.10.90)  39.469 ms  39.656 ms  39.857 ms
 9  tbr1-p013601.dlstx.ip.att.net (12.122.9.161)  39.150 ms  41.235 ms  38.007 ms
10  tbr2-cl1.attga.ip.att.net (12.122.2.90)  59.744 ms  58.258 ms  58.824 ms
11  gbr2-p20.attga.ip.att.net (12.122.12.38)  56.180 ms  62.450 ms  55.442 ms
12  gar1-p370.attga.ip.att.net (12.123.21.5)  74.746 ms  59.692 ms  57.531 ms
13  12.244.72.90 (12.244.72.90)  60.589 ms  62.514 ms  60.926 ms
14  c-66-56-66-73.atl.client2.attbi.com (66.56.66.73)  57.664 ms

ATTBB (Now Comcast) uses ATT.net for connectivity, Comcast has to reach 
all their cable modems across the USA from their outsourced tech support
centers, thus, att.net routes 10/8 across their network.



Re: New IPv4 Allocation to ARIN

2004-01-16 Thread Matthew S. Hallacy

On Fri, Jan 16, 2004 at 10:56:24AM -0500, [EMAIL PROTECTED] wrote:

 All you early adopters of 69/8 now have somebody to share your pain with

I wouldn't be surprised if more people are filtering 69/8 now than before,
roughly 40% of the spam hitting my servers is from there.



Re: NSI gives away a years reg and free transfer of the domain name...

2003-10-21 Thread Matthew S. Hallacy

On Tue, Oct 21, 2003 at 04:01:22PM -0700, todd glassey wrote:
 Hey all  - 
 I got this advertising email blurb today from NSI saying that I could move all my 
 domains to NSI and get an additional free years subscription. And there is NO 
 movement cost.
 
 Interesting marketing ploy - how many others got one of these...

Sounds like long distance carriers all over again, people will be transferring
their domain back and forth when it nears expiration =)


 
 Todd


Re: abuse from a user of this list

2003-10-13 Thread Matthew S. Hallacy

This is not a list issue, nor does anyone on the list care. 

Please take your blathering back to IRC.


http://dictionary.reference.com/search?q=denigrate



Re: abuse from a user of this list

2003-10-13 Thread Matthew S. Hallacy

On Mon, Oct 13, 2003 at 12:15:02PM -0400, William Allen Simpson wrote:

 Put me down as caring.  Moreover, as a long-time participant in this 
 forum, I'm particularly concerned about even anecdotal evidence that 
 one of our posters is mounting an attack on another. 

For clarification, no, I had nothing to do with the attacks on his network,
from what I've gathered they were the result of Andrew taunting the wrong
group of people with something like haha, i've got you now, i'm calling
the FBI, not very intelligent.

http://www.poptix.net/trelane.mp3

The voicemail that was left on my phone, the voice and words of person
who needs to get a grip.

I made no threats against him, I expressed my lack of sympathy for the
playground bully who is now receiving what he's dished out so many times
before.

 It saddens me that ostensible college students have grammar problems, 
 but that stoops to an ad hominem attack.  Please cease.

I felt it was the only thing even nearly relevant to the list.

 Based on the web pages at http://2mbit.com/ and http://www.sosdg.org/, 
 I see an effort to improve the community not found at either 
 http://www.poptix.net nor http://techmonkeys.org/.

I create and host documents with information that is scarce, and useful,
if it's not useful to you, there is a link to Google in there somewhere.

http://techmonkeys.org is not mine, nor do I control the content therein.

 Mayhap all persons involved are young.  Never-the-less, I'd like to 
 encourage security awareness.  I remember a decade ago, I was an 
 immortal on a local MUD, and helped a promising fellow there who 
 eventually went to work for rediris.es.

Security awareness is one thing, complaining to nanog because your DSL
is under attack is not going to benefit anyone, it had no impact on
anyone beyond the end user, afaik. If everyone reported every attack on
their home DSL/Cable/dialup to nanog, the S/N ratio would drop like a rock.
(if that's still possible)

 I'd say you need to contact your FBI office.

Personally, I'd start by evaluating if there was something I could do to
not incur further attacks.

The FBI is not going to care, nor have they ever when it was an incident
like this.



Re: Extreme BlackDiamond

2003-10-13 Thread Matthew S. Hallacy

On Mon, Oct 13, 2003 at 05:52:59PM +0100, Shazad - eServers wrote:
 
 If you are so smart, GO and CHECK the HEADERS of that POST. Was it me? NO IT
 WASN'T.

No offense, but:

Received: by segue.merit.edu (Postfix)
    id 2B7F25DE96; Mon, 13 Oct 2003 10:59:19 -0400 (EDT)
Delivered-To: [EMAIL PROTECTED]
Received: from velocity.eservers.biz (velocity.eservers.biz [209.51.159.226])
    by segue.merit.edu (Postfix) with SMTP id 0EB485DE89
    for [EMAIL PROTECTED]; Mon, 13 Oct 2003 10:59:18 -0400 (EDT)
Received: (qmail 32650 invoked from network); 13 Oct 2003 14:21:29 -
Received: from london.eservers.biz (HELO eserverspbnb) (62.3.241.102)
    by velocity.eservers.biz with SMTP; 13 Oct 2003 14:21:29 -
Reply-To: [EMAIL PROTECTED]
From: Shazad - eServers [EMAIL PROTECTED]
To: 'Fisher, Shawn' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Extreme BlackDiamond
Date: Mon, 13 Oct 2003 15:58:55 +0100


Received: by segue.merit.edu (Postfix)
    id 5CE615DE0F; Mon, 13 Oct 2003 11:04:23 -0400 (EDT)
Delivered-To: [EMAIL PROTECTED]
Received: from velocity.eservers.biz (velocity.eservers.biz [209.51.159.226])
    by segue.merit.edu (Postfix) with SMTP id CBA335DE1D
    for [EMAIL PROTECTED]; Mon, 13 Oct 2003 11:04:22 -0400 (EDT)
Received: (qmail 32752 invoked from network); 13 Oct 2003 14:26:34 -
Received: from london.eservers.biz (HELO eserverspbnb) (62.3.241.102)
    by velocity.eservers.biz with SMTP; 13 Oct 2003 14:26:34 -
Reply-To: [EMAIL PROTECTED]
From: Shazad - eServers [EMAIL PROTECTED]
To: 'Randy Bush' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Extreme BlackDiamond
Date: Mon, 13 Oct 2003 16:04:00 +0100


Looks like the exact same path to me.

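The comparison made above, as an added example that is not part of the original post: parse the Received: chain of each message into relay hops and compare the paths. Only the hops stamped by an MTA you trust (here segue.merit.edu, the list server) are evidence; everything below them is text the sender could have written. The two messages are constructed to mirror the header sets quoted above, with the hosts, addresses and timestamps shown there; recipient addresses are omitted because the archive redacts them.

```python
import re
from email import message_from_string
from typing import List, Optional, Tuple

# Constructed messages modelled on the two header sets quoted above. Hosts,
# addresses and timestamps are the ones shown in the post; recipients and
# bodies are omitted.
MSG_TO_FISHER = """\
Received: by segue.merit.edu (Postfix) id 2B7F25DE96; Mon, 13 Oct 2003 10:59:19 -0400 (EDT)
Received: from velocity.eservers.biz (velocity.eservers.biz [209.51.159.226])
\tby segue.merit.edu (Postfix) with SMTP id 0EB485DE89; Mon, 13 Oct 2003 10:59:18 -0400 (EDT)
Received: (qmail 32650 invoked from network); 13 Oct 2003 14:21:29
Received: from london.eservers.biz (HELO eserverspbnb) (62.3.241.102)
\tby velocity.eservers.biz with SMTP; 13 Oct 2003 14:21:29
Subject: RE: Extreme BlackDiamond
Date: Mon, 13 Oct 2003 15:58:55 +0100

(body omitted)
"""

MSG_TO_RANDY = """\
Received: by segue.merit.edu (Postfix) id 5CE615DE0F; Mon, 13 Oct 2003 11:04:23 -0400 (EDT)
Received: from velocity.eservers.biz (velocity.eservers.biz [209.51.159.226])
\tby segue.merit.edu (Postfix) with SMTP id CBA335DE1D; Mon, 13 Oct 2003 11:04:22 -0400 (EDT)
Received: (qmail 32752 invoked from network); 13 Oct 2003 14:26:34
Received: from london.eservers.biz (HELO eserverspbnb) (62.3.241.102)
\tby velocity.eservers.biz with SMTP; 13 Oct 2003 14:26:34
Subject: RE: Extreme BlackDiamond
Date: Mon, 13 Oct 2003 16:04:00 +0100

(body omitted)
"""

Hop = Tuple[str, str]  # (from host, by host); "" when that clause is absent


def _strip_comments(s: str) -> str:
    """Remove (possibly nested) RFC 5322 comments such as "(Postfix)"."""
    while True:
        t = re.sub(r"\([^()]*\)", "", s)
        if t == s:
            return s
        s = t


def relay_path(raw: str) -> List[Hop]:
    """Relay hops in transit order (origin first). Each hop is what the
    receiving MTA wrote about who handed it the message; only hops added
    by servers you trust count, the sender controls everything below them."""
    hops: List[Hop] = []
    for value in message_from_string(raw).get_all("Received", []):
        clause = _strip_comments(re.sub(r"\s+", " ", value))
        m_from = re.search(r"\bfrom ([\w.-]+)", clause)
        m_by = re.search(r"\bby ([\w.-]+)", clause)
        if not (m_from or m_by):
            continue  # e.g. "(qmail ... invoked from network)" names no hosts
        hops.append((m_from.group(1) if m_from else "", m_by.group(1) if m_by else ""))
    hops.reverse()  # Received: headers are prepended, so the last one is the first hop
    return hops


def ingress_host(raw: str, trusted_mta: str) -> Optional[str]:
    """Host that handed the message to trusted_mta, per trusted_mta's own stamp."""
    for from_host, by_host in relay_path(raw):
        if by_host == trusted_mta and from_host:
            return from_host
    return None


def same_path(raw_a: str, raw_b: str) -> bool:
    return relay_path(raw_a) == relay_path(raw_b)
```

For both messages the hop stamped by segue.merit.edu names velocity.eservers.biz [209.51.159.226] as the submitting host, which is the part of the chain the poster could not have forged.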


Re: Abuse Departments

2003-10-12 Thread Matthew S. Hallacy

On Sat, Oct 11, 2003 at 08:22:25PM -0500, Andrew D Kirch wrote:
 
[snip]

Maybe you should avoid pissing the kiddies off on IRC, or get something
other than Ameritech DSL if you want your upstream to give a damn.
 


Re: Abuse Departments

2003-10-12 Thread Matthew S. Hallacy

On Sun, Oct 12, 2003 at 01:54:28AM -0500, Matt wrote:
 
 I think he does make a fair observation about the state of many abuse 
 departments today.  How many posts do we see on here requesting someone 
 with a clue in abuse from some domain in the average month?

And how many of them are taken care of by pointing them to Jared's NOC
list?

I recently had an issue with an open proxy/relay within berkeley.edu's resnet,
I shot off an email at around 2:30am CST, got a reply within 20 minutes,
and the box was off the net within an hour.

Most places will take care of abuse issues if they get to the right person,
but some places simply won't wake up their network admin at 11:00 on a Saturday
night because some script kiddie's DSL is getting attacked by another
script kiddie on IRC. 



Re: VeriSign SMTP reject server updated

2003-09-21 Thread Matthew S. Hallacy

On Sat, Sep 20, 2003 at 08:31:27PM -0400, Joe Provo wrote:
 
 Wrong protocol.  There should be *NO* SMTP transactions for 
 non-existent domains.  

After being bit by this over the weekend I would have to agree, due to
a screwup at netSOL a company's domain I manage was resolving to their
sitefinder service, and all mail just went *poof*.



Looking for clue at NetSOL/Verisign

2003-09-20 Thread Matthew S. Hallacy

Is there anyone with a clue at verisign who's able to actually repair
a broken entry in their database? I've got a company's domain name that
seems to be stuck with nameservers listed in whois, but none in the .com
zone.

This means that everything for this company's domain is hitting the sitefinder
crap, mail is being rejected, etc.

A call to netsol got me a rather clueless person who claimed that sitefinder
was created by ICANN, and that it's normal for a domain to have no nameservers
for up to 3 days when changing name server entries. (instead of an immediate
transition)

I had this problem before with the exact same set of nameservers, it required
a week's worth of calls to verisign and a threat of legal action before someone
manually touched something in their database to fix it. Unfortunately they
claimed at the time that it was normal, and the changes had been processed
normally (after a week!), so I have no contact information for the clued
person who fixed it.



Re: Worst design decisions?

2003-09-18 Thread Matthew S. Hallacy

On Thu, Sep 18, 2003 at 03:53:44PM -0700, Ben Browning wrote:
 
 Procurve switch management interface. Archaic, arcane, insane, unusable.

I'm actually quite happy with the HP ProCurve switch interface, the web
interface is the first thing to be disabled though.



Re: What *are* they smoking?

2003-09-15 Thread Matthew S. Hallacy
On Tue, Sep 16, 2003 at 01:18:26AM +0200, Jeroen Massar wrote:
 
 Even worse of this is that you can't verify domain names under .net
 any more for 'existence' as every .net domain suddenly has an A record
 and then can be used for spamming...
 
 From: Spammer [EMAIL PROTECTED]
 To: You [EMAIL PROTECTED]
 
 Thank you Verisign! Now we need to check for existence of an MX
 and then just break a couple of RFC's in the process :(

Checking for NS or SOA record(s) is sufficient, neither are being returned,
only A records.

Of course, you could just block anything that resolves to netsol.



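The existence check suggested above (NS or SOA rather than A), plus the "block anything that resolves to the wildcard host" fallback, as an added example that is none of the posters' code. It also covers the earlier "Looking for clue" case, where whois lists nameservers but the .com zone carries no delegation. The lookup is injected so the block runs offline against a constructed answer table; 192.0.2.10 is a documentation-range stand-in for the registry's wildcard address, not the real Sitefinder host. For live use, substitute a real resolver (dnspython or similar) with the same (name, type) -> rdata list signature.

```python
from typing import Callable, Dict, List, Tuple

# Stand-in for the registry wildcard address (RFC 5737 documentation range,
# not the real Sitefinder host).
WILDCARD_IP = "192.0.2.10"

# Constructed answers keyed by (owner name, type). Models the thread: the
# registry wildcard answers A queries for anything unregistered under the
# TLD, but returns no NS or SOA for such names.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.net.", "NS"): ["ns1.example.net.", "ns2.example.net."],
    ("example.net.", "SOA"): ["ns1.example.net. hostmaster.example.net. 2003092001 ..."],
    ("example.net.", "MX"): ["10 mail.example.net."],
    ("example.net.", "A"): ["198.51.100.5"],
    # never registered: only the wildcard A answer exists
    ("no-such-name-q7z.net.", "A"): [WILDCARD_IP],
    # the "Looking for clue" case: registered, whois lists nameservers, but
    # the .com zone carries no delegation, so it falls into the wildcard too
    ("brokendelegation.com.", "A"): [WILDCARD_IP],
}

Resolver = Callable[[str, str], List[str]]


def _fqdn(name: str) -> str:
    return name.strip().lower().rstrip(".") + "."


def fake_resolve(qname: str, rtype: str) -> List[str]:
    """Offline stand-in for a DNS lookup; returns rdata strings, [] if none."""
    return ZONE.get((_fqdn(qname), rtype), [])


def domain_is_delegated(name: str, resolve: Resolver = fake_resolve) -> bool:
    """A registered, delegated domain answers NS or SOA at its apex. A bare A
    record proves nothing once the registry publishes a wildcard."""
    return bool(resolve(name, "NS")) or bool(resolve(name, "SOA"))


def resolves_only_to_wildcard(name: str, wildcard_ip: str,
                              resolve: Resolver = fake_resolve) -> bool:
    """The cruder alternative from the thread: every A answer is the wildcard host."""
    addrs = resolve(name, "A")
    return bool(addrs) and all(ip == wildcard_ip for ip in addrs)


def check_sender_domain(name: str, wildcard_ip: str = WILDCARD_IP,
                        resolve: Resolver = fake_resolve) -> Tuple[bool, str]:
    """Decision for an SMTP MAIL FROM domain: (accept?, reason)."""
    if not domain_is_delegated(name, resolve):
        return False, "no NS/SOA: domain not delegated"
    if resolves_only_to_wildcard(name, wildcard_ip, resolve):
        return False, "resolves only to the registry wildcard host"
    if not (resolve(name, "MX") or resolve(name, "A")):
        return False, "no MX or A: nowhere to bounce to"
    return True, "ok"
```

Two caveats for live use: the NS/SOA test is only meaningful at a zone apex (for a sender domain below the apex a real resolver returns the SOA in the authority section, which this interface does not expose, so walk up to the enclosing zone first), and the wildcard-address check breaks silently the day the registry renumbers that host, so the delegation check should be the primary one.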


Re: Automatic shutdown of infected network connections

2003-09-03 Thread Matthew S. Hallacy

On Tue, Sep 02, 2003 at 09:59:51AM -0500, Jonathan Crockett wrote:
 I work for a cable modem provider.  What we came up with is a modem config
 that allows http, pop, and smtp while cutting the allowed bandwidth to 56k
 upstream and 56k downstream.  This way they can still get the needed updates,
 but are not able to blast our network.  Secondary effect is that customer
 will call in and complain about slow speeds, then our techs can tell them why
 they are slow and inform them how to fix the problem.

Why in the world would you do that? the DOCSIS specification allows for
filtering rules at the CPE, which means you could simply block icmp echo
and ports 135-139+445 directly at their home network, causing no load 
whatsoever on your network, _and_ no more infected boxes (even at 56k).

Besides, have you ever tried updating an XP system at 56k? It could 
literally take days.



Re: Automatic shutdown of infected network connections

2003-09-03 Thread Matthew S. Hallacy

On Wed, Sep 03, 2003 at 07:20:28AM -0500, Nathan E Norman wrote:
 On Wed, Sep 03, 2003 at 07:39:17AM -0500, Matthew S. Hallacy wrote:
  Why in the world would you do that? the DOCSIS specification allows for
  filtering rules at the CPE, which means you could simply block icmp echo
  and ports 135-139+445 directly at their home network, causing no load 
  whatsoever on your network, _and_ no more infected boxes (even at 56k).
 
 The modem _is_ the CPE.  There's no load on the network; just CPU on
 the modem.  modem config != CMTS config.

I think that's exactly what I said, perhaps you misread my comment.

My point was that you're rate limiting and filtering customers for no 
reason when you have the ability to filter the attack vectors in a very
effective and 'clean' way. You should consider leaving those ports filtered
seeing how they're the #1 way for windows systems to be infected/hijacked.



Re: Automatic shutdown of infected network connections

2003-09-03 Thread Matthew S. Hallacy

On Wed, Sep 03, 2003 at 10:12:16AM -0500, Nathan E Norman wrote:

 What you said is highlighted above.  I don't think I misread it ... I
 may have misunderstood what you meant.  Did you intend to take issue
 _only_ with rate limiting, as opposed to filtering, or are you taking
 issue with the broad filtering described, or both?  i'm trying to
 parse Why in the world ... :-)

I was taking issue with the deny all, allow pop3, smtp, http, .. + rate
limit approach, I did see the 'filtering at the modem' part, perhaps restating
the ability of DOCSIS compliant CPEs was confusing.



Re: What do you want your ISP to block today?

2003-08-31 Thread Matthew S. Hallacy

On Sat, Aug 30, 2003 at 12:08:51PM -0400, Eric Kagan wrote:

 How long do we give after the friendly notice as you are still infecting
 other people before it is okay to shut you off ?

Assuming a situation like the blaster worm, I'd expect a call to one of
the emergency contacts listed. Response time should be less than an hour.
(even if it is just a 'thanks, we're working on it')



Re: What do you want your ISP to block today?

2003-08-31 Thread Matthew S. Hallacy
On Sat, Aug 30, 2003 at 02:53:46PM -0400, [EMAIL PROTECTED] wrote:

 This, in fact, is the single biggest thorn in our side at the moment. It's hard
 to adopt a pious patch your broken box attitude when the user can't get it
 patched without getting 0wned first...
 

This is where you start forcing users through a captive portal to the update
site of their vendor, I think they'll get the idea when every site they try to
bring up turns out to be windowsupdate.microsoft.com

[snip]

 Given the Lion worm that hit Linux boxes, and the fact there's apparently a
 known remote-root (since fixed) for Apple's OSX, what operating systems would
 you consider acceptable?

Anything that's not currently infected, and is patched to the current 'safe'
level.





Re: What do you want your ISP to block today?

2003-08-30 Thread Matthew S. Hallacy

On Fri, Aug 29, 2003 at 11:42:16PM -0400, Sean Donelan wrote:

 North Texas charges students $30 if their computer is infected, and needs
 to be cleaned.

Excellent, perhaps they'll learn early that they have to patch often.

 . don't want to
 pay McAfee, Symantec, etc for anti-virus software; 

Please show me an anti-virus product for the desktop that protects against
such things, I've disinfected at least 30 machines this week that have
McAfee VirusShield or Norton Antivirus installed with automatic updates
enabled (and yes, I verified they all had the latest virus definitions),
they'll happily sit there spewing shit to the world until they're rebooted
(a few weeks later, now that windows will happily kludge along but not 
completely crash) then you get a wonderful dialog that says:

'Warning $anti-virus-program has found an infected file $FOO but could 
not delete it'

Why couldn't it delete it? Because the file was set read only, and the
software is too dumb to attrib -r $file

And no, $upstream should not be filtering my connection, if you see activity
from my network and I don't respond to a friendly notice, turn off my
circuit.



Re: Is there a technical solution to SPAM?

2003-07-30 Thread Matthew S. Hallacy

On Tue, Jul 29, 2003 at 02:24:29PM +0100, [EMAIL PROTECTED] wrote:
 
 Anyone who believes that SPAM can be solved by technical means should try 
 googling one of the following:
 
 sms spam
 i-mode spam
 IM spam
 

[snip]

AOL Instant Messenger has a 'warn' function, I wrote a nifty little plugin
for GAIM (A multi-IM-client available for various platforms) that simply
drops messages from unknown people with a warning level 10%.

If only everything else had a 'warn' function. (Although, to a degree razor
serves this purpose along with a whitelist in spamassassin)



Re: Abuse.cc ???

2003-04-05 Thread Matthew S. Hallacy

On Fri, Apr 04, 2003 at 10:51:27PM -0500, McBurnett, Jim wrote:
 
 I tell ya, what really gets me in a bad mood is when my PIX logs 
 show the same IP address hitting port 80 on 25 different IP's
 and the time line is 2 seconds start to finish.
 And then you report it, and it continues after a week every single day.
 Substitute port 80 here with 1433, 139,135, and on and on..
 When a Syslog trap with a NTP sync time base and the entire log is not good
 enough, I don't know what is
 Yesterday, I got word from a network operator that 50 entries was not sufficient.
 So I parsed 4 days' worth and sent them over 1200 messages from their block..
 have not heard back yet..
 

How was this traffic causing harm to your network? I'd rather have them
dealing with people actively breaking into systems, DoS'ing, etc than
terminating some customer who's probably infected with the latest 
microsoft worm.

 Later,
 J



Re: State Super-DMCA Too True

2003-03-31 Thread Matthew S. Hallacy

On Sun, Mar 30, 2003 at 01:50:22AM -0800, Mike Lyon wrote:
 
 Ahh! But you see it ain't all you can eat or rather, use as much 
 bandwidth as you want as we don't throttle you at all. I recently signed 
 up for Comcast and had it installed. I get some really nice download 
 speeds, would be surprised if the download has a cap on it. However, 
 upload is definitely throttled, stops at about 250 kbps.

It is, Comcast has a rate limit of 1.8mbit/.3mbit pretty much across
the board. As for the NAT argument, ATT (now Comcast) has been advertising
the Linksys WAP's for all your wireless+NAT needs, they'll even sell it to
you, and install it for you. ATT/Comcast doesn't sell business accounts
(at least not here) but they will now sell you a more expensive package,
3.5Mbit/384kbit, for $95/mo, including 'modem rental fee', it includes
5 IP addresses VPN Capability(?) as well.

Of course, you can get that down to $85/mo if you have cable or phone
service through them.

 -Mike



Re: Locating rogue APs

2003-02-11 Thread Matthew S. Hallacy

On Tue, Feb 11, 2003 at 11:27:28AM -0600, John Kristoff wrote:
 
 Apologies if this ends up on the list multiple times.  I seem to
 have trouble getting this posted in a timely fashion.
 
 In general, MAC OUI designations may indicate a particular AP.  IP
 multicast group participation may also be used by some APs. Some
 APs have a few unique ports open.  Lastly, APs may be found with
 a radio on a particular default channel.  All of these potentially
 identifying characteristics may be used to help audit the network
 for rogue IPs.  Below is information on locating particular APs:
 

Why are you posting this here? The information is somewhat incomplete/incorrect
as well. Persons interested in finding rogue APs would be much better
off with a tool such as kismet that already identifies model/make of
access points based on various datapoints (including the types you posted), 
as well as the ability to determine where the AP is (physically) with 
the use of a GPS unit.

As a side benefit, it can make pretty maps.

http://www.poptix.net/thehills.jpg

 John




Re: How to secure the Internet in three easy steps

2002-10-27 Thread Matthew S. Hallacy

On Sun, Oct 27, 2002 at 02:35:23PM -0500, Eric M. Carroll wrote:
 
 Sean,
 
 At Home's policy was that servers were administratively forbidden. It
 ran proactive port scans to detect them (which of course were subject to
 firewall ACLs) and actioned them under a complex and changing rule set.
 It frequently left enforcement to the local partner depending on
 contractual arrangements. It did not block ports. Non-transparent
 proxying was used for http - you could opt out if you knew how. 
 
 While many DSL providers have taken up filtering port 25, the cable
 industry practice is mostly to leave ports alone. I know of one large

Untrue, AT&T filters the following *on* the CPE:

Ports             Direction  Protocol

137-139 -> any    Both       UDP
any -> 137-139    Both       UDP
137-139 -> any    Both       TCP
any -> 137-139    Both       TCP
any -> 1080       Inbound    TCP
any -> 1080       Inbound    UDP
68 -> 67          Inbound    UDP
67 -> 68          Inbound    UDP
any -> 5000       Inbound    TCP
any -> 1243       Inbound    UDP

And they block port 80 inbound TCP further out in their network. Overall,
cable providers more heavily than cable providers.

I'd say that AT&T represents a fair amount of the people served via cable
internet.

 
 Regards,
 
 Eric Carroll

-- 
Matthew S. Hallacy    FUBAR, LART, BOFH Certified
http://www.poptix.net   GPG public key 0x01938203



Re: How to secure the Internet in three easy steps

2002-10-27 Thread Matthew S. Hallacy

On Sun, Oct 27, 2002 at 07:42:10PM -0600, Matthew S. Hallacy wrote:
 
 And they block port 80 inbound TCP further out in their network. Overall,
 cable providers more heavily than cable providers.
^-- s/cable/DSL/;
-- 
Matthew S. Hallacy    FUBAR, LART, BOFH Certified
http://www.poptix.net   GPG public key 0x01938203



Re: Readiness for IPV6

2002-07-09 Thread Matthew S. Hallacy


On Tue, Jul 09, 2002 at 05:32:02PM +0200, fingers wrote:

 i still find some of the stuff extremely user-unfriendly (winxp) for
 manual native configuration, and i'm sure other users do too. also, the
 amount of support for it is still sketchy (whether in the transport or
 from the applications themselves).

Yes, after trying to help a friend get IPv6 running on his Windows XP
system (you have to drop into a DOS box.. (but they did away with DOS,
right?)), he decided it wasn't worth it if he had to do it that way.

At some point M$ might make it user friendly for the windows users but
at this point it's /not/ something that joe blow customer will be doing.

 
 Regards
 
 --Rob

-- 
Matthew S. Hallacy    FUBAR, LART, BOFH Certified
http://www.poptix.net   GPG public key 0x01938203



Re: Readiness for IPV6

2002-07-09 Thread Matthew S. Hallacy


On Tue, Jul 09, 2002 at 12:31:54PM -0700, Christian Nielsen wrote:
 start run cmd ipv6install

That's not what the KB article I read said, besides the fact that actually
adding addresses/routes is a DOS prompt routine.

 Windows .NET Server and beyond  The next version of Windows will include
 the first fully-supported release of the Microsoft IPv6 stack. This stack
 has been designed for full production use, suitable for live commercial
 deployments

Depends on how you define 'suitable'; I'm expecting a whole new breed of
exploits.

-- 
Matthew S. Hallacy    FUBAR, LART, BOFH Certified
http://www.poptix.net   GPG public key 0x01938203



[OT] Re: Readiness for IPV6

2002-07-09 Thread Matthew S. Hallacy


On Wed, Jul 10, 2002 at 02:01:35AM +0200, Jeroen Massar wrote:
 <flame>
 Ah.. so everywhere you see 'text' and have to input 'text' is DOS?
 Cool bash == DOS, shells are DOS.
 
 A thing like this:
 8<-
 Microsoft Windows 2000 [Version 5.00.2195]
 (C) Copyright 1985-2000 Microsoft Corp.
 
 C:\>
 ->8
 is called a Command Prompt and has nothing to do with DOS.
 Why doesn't anybody complain when it's on *ix boxes ?
 It's shell everywhere then :)
 

Pardon me:

Microsoft Windows XP [Version 5.1.2600]

C:\>command /?
Starts a new instance of the MS-DOS command interpreter.

COMMAND [[drive:]path] [device] [/E:n] [/P] [/C string] [/MSG]

[snip rest of output]

Looks like it still claims to be the MS-DOS command interpreter to me;
using the 'user friendly' name of 'Command Prompt' doesn't change
what it is.


[snip]

 They didn't 'exploit' me yet in the last 3 years I am using the
 development versions of the stack :)
 And everything has bugs

As soon as it's in use enough for an exploit to be useful, it will be.

 </Flame>

[snip links]

Don't forget
http://www.microsoft.com/windowsxp/pro/techinfo/administration/ipv6/default.asp

Which instructs you to go to a command prompt, like I said =)

 
 And as for your it's difficult':
 http://www.ipng.nl/index.php3?page=setup.html&forcepage=windows.html
 Or the single line: ipv6 adu 3/fec0::1
 
 Interface 3 (site 1): Local Area Connection
   uses Neighbor Discovery
   link-level address: 00-d0-b7-8f-5d-42
 preferred address fec0::1, infinite/infinite
 preferred address 3ffe:8114:2000:240:2d0:b7ff:fe8f:5d42,
 2591593s/604393s (addrconf)
 
 Tada ;)
 

Yes, this is too difficult for 'joe blow user', as I said.

 I think the problem is reading the docs is difficult.
 IPv6 will be/is autoconfig all the way fortunately so those
 'native config' tools aren't going to be used by a lot of people.

Users do not read documentation.

 
 Maybe also a nice tool for people saying but IPv4 has a GUI on windows
 you might like to type 'netsh' once in your DOS prompt ;)

If a user can't point, click, and go, they're unlikely to do something.
I've dealt with people that went over a month without their internet access
simply because they were afraid they would have to troubleshoot their internet
connection over the phone.

 btw.. DOS == command.com, NT = cmd.exe, there *is* a difference.

Yes, one is named command.com, one is named cmd.exe; it was easier
than typing start cmd from the DOS command prompt.

 Greets,
  Jeroen

-- 
Matthew S. Hallacy    FUBAR, LART, BOFH Certified
http://www.poptix.net   GPG public key 0x01938203