On Thu, 2003-12-18 at 08:09, John Obi wrote:
> Folks,
>
> I have sent many emails to [EMAIL PROTECTED] and
> [EMAIL PROTECTED] reporting a security abuse by one
> of their users but nothing done up to now.
>
> If there is real person from nlayer.net please contact
> me offline.
>
> Thanks,
>
One suggestion is to use an e-mail account other than a Yahoo one.
That might be an issue with abuse/security folks.
Dee
> -J
>
>
> __
> From: John Obi <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Abuse and spamming trojans via www.darkhell.org
> Date: Mon, 15 Dec 2003 22:57:36 -0800
>
> Dear Sir/Madam,
>
> We have a known script kiddie who spreads
> Download.Trojan and BAT.Trojan.
>
> The script kiddie runs port scans and infects users
> who run WinNT, 2000 and XP via port 445 if Windows
> isn't updated.
>
> He is issuing commands to the infected PC to download
> this setup file which has these trojans.
>
> http://www.darkhell.org/sh1.exe
>
> This host is hosting the trojan files, which are in
> sh1.exe
>
> When you download this file and you have Norton
> Antivirus or McAfee with the latest virus IDs, your AV will
> detect it directly as below:
>
> Scan type: Realtime Protection Scan
> Event: Virus Found!
> Virus name: Download.Trojan
> File: C:\WINNT\system32\Haver\Backsa.exe
> Location: Quarantine
> Computer: RASHID-ALKUBAIS
> User: Administrator
> Action taken: Clean failed : Quarantine succeeded :
> Access denied
> Date found: Tue Dec 16 09:23:12 2003
>
> Scan type: Realtime Protection Scan
> Event: Virus Found!
> Virus name: BAT.Trojan
> File: C:\WINNT\system32\Haver\ceve.bat
> Location: Quarantine
> Computer: RASHID-ALKUBAIS
> User: Administrator
> Action taken: Clean failed : Quarantine succeeded :
> Access denied
> Date found: Tue Dec 16 09:23:12 2003
>
>
> When I got connected to his IRC server I saw this:
>
> * Dns resolved sh1.cellfiles.org to 81.134.89.149
>
> [07:01] * Connecting to 81.134.89.149 (6667)
> -
> [07:01] -irc.DarkHell.Org- *** Looking up your
> hostname...
>
> -
> There are 437 users and 0 invisible on 1 servers
> 2 channels formed
> I have 437 clients and 0 servers
> -
>
> [07:01] * Now talking in #sh1-
> [07:01] <[H0-3250]> !pfast stop
> [07:01] <[H0-3250]> !syn 66.90.92.202 6667 500
> [07:01] <[H0-3250]> !pfast 44 66.90.92.202 6667
> [07:02] <[H0-3250]> !syn 202.91.32.181 6667 500
> [07:02] <[H0-3250]> !pfast stop
> [07:02] <[H0-3250]> !pfast 44 202.91.32.181 6667
> [07:02] <[H0-3250]> !syn 69.65.31.3 6667 500
> [07:02] <[H0-3250]> !pfast stop
> [07:02] <[H0-3250]> !pfast 44 69.65.31.3 6667
> [07:02] <[H0-3250]> !ipscan
> [07:02] <[H0-3250]> !syn 66.151.29.193 6667 500
>
> -
> [H0-3250] is
> [EMAIL PROTECTED] * h3h3
> [H0-3250] on +#sh1-
> [H0-3250] using irc.DarkHell.Org DarkHell server
> [H0-3250] has been idle 18secs, signed on Mon Dec 15
> 14:53:28
> [H0-3250] End of /WHOIS list.
> -
>
> ==
>
> And he is issuing these DDoS attacks against IRC
> servers around the globe and against HTTP servers.
>
> The traceroute to www.darkhell.org shows that it's
> hosted in your network.
>
> Show Level 3 (Baltimore, MD) Traceroute to
> www.darkhell.org (69.22.169.27)
>
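As an added example (not part of this thread or of any tool mentioned in it), the following parser takes IRC bot-command lines of the kind quoted in the report and turns the `!syn`/`!pfast` flood commands into a per-target summary suitable for an abuse or takedown mail. The command syntax is inferred from the excerpt, and the sample log is constructed from it.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the IRC excerpt in the report (hypothetical, not the original log)
SAMPLE_LOG = """\
[07:01] * Now talking in #sh1-
[07:01] <[H0-3250]> !pfast stop
[07:01] <[H0-3250]> !syn 66.90.92.202 6667 500
[07:01] <[H0-3250]> !pfast 44 66.90.92.202 6667
[07:02] <[H0-3250]> !syn 202.91.32.181 6667 500
[07:02] <[H0-3250]> !pfast stop
[07:02] <[H0-3250]> !pfast 44 202.91.32.181 6667
[07:02] <[H0-3250]> !ipscan
"""
# "[HH:MM] <nick> !cmd args..."; status lines such as "* Now talking ..." do not match
MSG_RE = re.compile(r"^\[(\d{2}:\d{2})\]\s+<([^>]+)>\s+(!\S+)(?:\s+(.*))?$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def parse_commands(log):
    """Yield (time, nick, cmd, args) for every bot command line in the log."""
    for line in log.splitlines():
        m = MSG_RE.match(line.strip())
        if m:
            time, nick, cmd, args = m.groups()
            yield time, nick, cmd.lower(), (args or "").split()

def flood_targets(log):
    """Map 'ip:port' -> {commands, first_seen, operators} for flood commands.
    Assumed syntax, inferred from the excerpt: '!syn <ip> <port> <count>' and
    '!pfast <threads> <ip> <port>'; '!pfast stop' and '!ipscan' carry no target."""
    targets = defaultdict(lambda: {"commands": [], "first_seen": None, "operators": set()})
    for time, nick, cmd, args in parse_commands(log):
        if cmd == "!syn" and len(args) >= 2:
            ip, port = args[0], args[1]
        elif cmd == "!pfast" and len(args) >= 3:
            ip, port = args[1], args[2]
        else:
            continue  # stop/scan/unknown commands carry no flood target
        if not IPV4_RE.match(ip) or not port.isdigit():
            continue  # malformed argument: skip rather than guess
        rec = targets[f"{ip}:{port}"]
        rec["commands"].append(cmd)
        rec["operators"].add(nick)
        rec["first_seen"] = rec["first_seen"] or time
    return dict(targets)

def abuse_report_lines(log):
    """One line per target, ordered by first sighting, for an abuse/takedown mail."""
    rows = sorted(flood_targets(log).items(), key=lambda kv: kv[1]["first_seen"])
    return [f"{t}  first seen {r['first_seen']}  {len(r['commands'])} flood command(s) "
            f"from {', '.join(sorted(r['operators']))}" for t, r in rows]
```

Feeding a real channel capture to `abuse_report_lines` gives the list of flooded hosts, the operator nick and first sighting, which is what the upstream abuse desk needs to act on.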