RE: nlayer.net Abuse and Security contact

2003-12-18 Thread Henry Linneweh
There are many IRC networks; you might say which one these are on.
On EFnet there is a channel #dmsetup that will handle infected users
and clean them if you point them in that direction...
 
-Henry

Mike Damm <[EMAIL PROTECTED]> wrote:

> Some folks might want to jump on the IRC server in question and issue a
> /who. There appear to be some infected machines members of this list may be
> interested in cleaning.
> 
> Aside from the usual spew of cable/dsl I noticed:
> *.nyu.edu
> *.bu.edu
> *.northwestern.edu
> *.corp.yahoo.com
> *.tufts.edu
> *.uncwil.edu
> 
>   -Mike
> 
> -Original Message-
> From: John Obi [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 9:10 AM
> To: [EMAIL PROTECTED]
> Subject: nlayer.net Abuse and Security contact
> 
> Folks,
> 
> I have sent many emails to [EMAIL PROTECTED] and
> [EMAIL PROTECTED] reporting a security abuse by one
> of their users but nothing done up to now.
> 
> If there is a real person from nlayer.net please contact
> me offline.
> 
> Thanks,
> 
> -J
> 
> __
> Do you Yahoo!?
> New Yahoo! Photos - easier uploading and sharing.
> http://photos.yahoo.com/

Re: nlayer.net Abuse and Security contact

2003-12-18 Thread Richard A Steenbergen

On Thu, Dec 18, 2003 at 09:09:40AM -0800, John Obi wrote:
> Folks,
> 
> I have sent many emails to [EMAIL PROTECTED] and
> [EMAIL PROTECTED] reporting a security abuse by one
> of their users but nothing done up to now.
> 
> If there is a real person from nlayer.net please contact
> me offline.

Just because you don't receive a personalized response within 24 hours
does not mean that issues are not being actively worked or that you need 
to post to nanog about it. :)

-- 
Richard A Steenbergen <[EMAIL PROTECTED]>   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


RE: nlayer.net Abuse and Security contact

2003-12-18 Thread Mike Damm

Some folks might want to jump on the IRC server in question and issue a
/who. There appear to be some infected machines members of this list may be
interested in cleaning.

Aside from the usual spew of cable/dsl I noticed:
*.nyu.edu
*.bu.edu
*.northwestern.edu
*.corp.yahoo.com
*.tufts.edu
*.uncwil.edu

  -Mike

-Original Message-
From: John Obi [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 9:10 AM
To: [EMAIL PROTECTED]
Subject: nlayer.net Abuse and Security contact

Folks,

I have sent many emails to [EMAIL PROTECTED] and
[EMAIL PROTECTED] reporting a security abuse by one
of their users but nothing done up to now.

If there is a real person from nlayer.net please contact
me offline.

Thanks,

-J

__
Do you Yahoo!?
New Yahoo! Photos - easier uploading and sharing.
http://photos.yahoo.com/
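
Mike's suggestion above (issue a /who on the bot's channel and pick the non-residential hosts out of the cable/DSL noise) can be done mechanically. The following is an added example for this archive, not code posted by anyone in the thread: it parses RPL_WHOREPLY (numeric 352) lines as an IRC client logs them, keeps only clients whose nick matches the [H0-NNNN] pattern seen in the quoted channel log, groups them by domain, separates out channel operators (the people driving the channel rather than the bots), and drops domains whose hosts all look like residential pools. The sample lines, every hostname in them, and the residential-naming heuristic are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of RPL_WHOREPLY (numeric 352) lines, as an IRC client would
# log them after "/who #sh1-". Hostnames are invented; the channel name and the
# "[H0-NNNN]" nick pattern follow the log quoted in this thread.
SAMPLE_WHO = """\
:irc.example.org 352 observer #sh1- ~sh1 cpe-10-1-2-3.dsl.example-isp.net irc.example.org [H0-1121] H :0 h3h3
:irc.example.org 352 observer #sh1- ~sh1 c-10-1-2-4.hsd1.example-cable.net irc.example.org [H0-1122] H :0 h3h3
:irc.example.org 352 observer #sh1- ~sh1 lab-17.cs.nyu.edu irc.example.org [H0-3250] H :0 h3h3
:irc.example.org 352 observer #sh1- ~sh1 ws-204.law.nyu.edu irc.example.org [H0-0417] H :0 h3h3
:irc.example.org 352 observer #sh1- ~sh1 dhcp-88.bu.edu irc.example.org [H0-2009] H :0 h3h3
:irc.example.org 352 observer #sh1- ~sh1 10.9.8.7 irc.example.org [H0-0007] H :0 h3h3
:irc.example.org 352 observer #sh1- ~ops h3h3.dyn.example-isp.net irc.example.org h3h3 H@ :0 owner
:irc.example.org 352 observer #sh1- ~me shell.example.com irc.example.org observer H :0 me
:irc.example.org 315 observer #sh1- :End of /WHO list.
"""

# RFC 1459 RPL_WHOREPLY: <channel> <user> <host> <server> <nick> <flags> :<hops> <realname>
WHO_RE = re.compile(
    r'^:\S+ 352 \S+ (?P<chan>\S+) (?P<user>\S+) (?P<host>\S+) \S+ '
    r'(?P<nick>\S+) (?P<flags>\S+) :\d+ (?P<real>.*)$')
BOT_NICK_RE = re.compile(r'^\[H0-\d+\]$')          # bot naming seen in the quoted log
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')  # unresolved client, no rDNS
# Assumption: tokens typical of dynamic/residential address pools. Tune per ISP.
RESIDENTIAL_RE = re.compile(r'cable|dsl|dyn|dhcp|hsd\d|pool|cpe-', re.I)
INSTITUTIONAL_TLDS = ('.edu', '.gov', '.mil')       # always worth a report


def parse_who(text):
    """Return (nick, host, flags) for every 352 reply; 315 and other numerics are ignored."""
    out = []
    for line in text.splitlines():
        m = WHO_RE.match(line)
        if m:
            out.append((m['nick'], m['host'], m['flags']))
    return out


def domain_of(host):
    """Grouping key: the last two labels, or one bucket for bare IPs."""
    if IPV4_RE.match(host):
        return '(bare IP)'
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def is_residential(host):
    """Heuristic: dynamic-pool naming on a non-institutional domain."""
    if domain_of(host) == '(bare IP)' or host.lower().endswith(INSTITUTIONAL_TLDS):
        return False
    return RESIDENTIAL_RE.search(host) is not None


def triage(text):
    """Group bot-named clients by domain and drop all-residential domains.

    Returns (report, operators): report maps domain -> sorted hosts worth a
    notification; operators lists (nick, host) of clients with channel-op status.
    """
    groups = defaultdict(set)
    operators = []
    for nick, host, flags in parse_who(text):
        if '@' in flags:                 # channel operator, not a drone
            operators.append((nick, host))
        if not BOT_NICK_RE.match(nick):
            continue
        groups[domain_of(host)].add(host)
    report = {dom: sorted(hosts) for dom, hosts in groups.items()
              if not all(is_residential(h) for h in hosts)}
    return report, operators


def format_report(report):
    """One line per domain, ready to paste into an abuse notification."""
    return [f"{dom}: {len(hosts)} host(s): {', '.join(hosts)}"
            for dom, hosts in sorted(report.items())]


if __name__ == '__main__':
    rep, ops = triage(SAMPLE_WHO)
    print('\n'.join(format_report(rep)))
    print('operators:', ops)
```

Two caveats when running this for real: a channel set +s or +p returns nothing to outsiders, and many servers rate-limit or truncate /who on large channels, so repeat it a few times and merge; and a bot family that randomizes nicks needs a different selector than the nick regex (for instance the shared realname or ident, which the 352 reply also carries).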


Re: nlayer.net Abuse and Security contact

2003-12-18 Thread W.D.McKinney

On Thu, 2003-12-18 at 08:09, John Obi wrote:
> Folks,
> 
> I have sent many emails to [EMAIL PROTECTED] and
> [EMAIL PROTECTED] reporting a security abuse by one
> of their users but nothing done up to now.
> 
> If there is a real person from nlayer.net please contact
> me offline.
> 
> Thanks,
> 

One suggestion is to use an e-mail account other than a Yahoo one.
That might be an issue with abuse/security folks.

Dee



> -J
> 
> __
> Do you Yahoo!?
> New Yahoo! Photos - easier uploading and sharing.
> http://photos.yahoo.com/
> 
> __
> From: John Obi <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Abuse and spamming trojans via www.darkhell.org
> Date: Mon, 15 Dec 2003 22:57:36 -0800
> 
> Dear Sir/Madam,
> 
> We have a known script kiddie who spreads
> Download.Trojan and BAT.Trojan.
> 
> The script kiddie runs port scans and infects users
> who run WinNT, 2000 and XP via port 445 if Windows
> isn't updated.
> 
> He is issuing commands to the infected PCs to download
> this setup file, which contains these trojans:
> 
> http://www.darkhell.org/sh1.exe
> 
> This host is hosting the trojan files, which are in
> sh1.exe.
> 
> When you download this file and you have Norton
> Antivirus or McAfee with the latest virus IDs, your AV
> will detect it directly as below:
> 
> Scan type:  Realtime Protection Scan
> Event:  Virus Found!
> Virus name: Download.Trojan
> File:  C:\WINNT\system32\Haver\Backsa.exe
> Location:  Quarantine
> Computer:  RASHID-ALKUBAIS
> User:  Administrator
> Action taken:  Clean failed : Quarantine succeeded :
> Access denied
> Date found: Tue Dec 16 09:23:12 2003
> 
> Scan type:  Realtime Protection Scan
> Event:  Virus Found!
> Virus name: BAT.Trojan
> File:  C:\WINNT\system32\Haver\ceve.bat
> Location:  Quarantine
> Computer:  RASHID-ALKUBAIS
> User:  Administrator
> Action taken:  Clean failed : Quarantine succeeded :
> Access denied
> Date found: Tue Dec 16 09:23:12 2003
> 
> 
> When I got connected to his IRC server I saw this:
> 
> * Dns resolved sh1.cellfiles.org to 81.134.89.149
> 
> [07:01] * Connecting to 81.134.89.149 (6667)
> -
> [07:01] -irc.DarkHell.Org- *** Looking up your
> hostname...
> 
> -
> There are 437 users and 0 invisible on 1 servers
> 2 channels formed
> I have 437 clients and 0 servers
> -
> 
> 
> 
> [07:01] * Now talking in #sh1-
> [07:01] <[H0-3250]> !pfast stop
> [07:01] <[H0-3250]> !syn 66.90.92.202 6667 500
> [07:01] <[H0-3250]> !pfast 44 66.90.92.202 6667
> [07:02] <[H0-3250]> !syn 202.91.32.181 6667 500
> [07:02] <[H0-3250]> !pfast stop
> [07:02] <[H0-3250]> !pfast 44 202.91.32.181 6667
> [07:02] <[H0-3250]> !syn 69.65.31.3 6667 500
> [07:02] <[H0-3250]> !pfast stop
> [07:02] <[H0-3250]> !pfast 44 69.65.31.3 6667
> [07:02] <[H0-3250]> !ipscan
> [07:02] <[H0-3250]> !syn 66.151.29.193 6667 500
> 
> 
> 
> -
> [H0-3250] is
> [EMAIL PROTECTED] * h3h3
> [H0-3250] on +#sh1- 
> [H0-3250] using irc.DarkHell.Org DarkHell server
> [H0-3250] has been idle 18secs, signed on Mon Dec 15
> 14:53:28
> [H0-3250] End of /WHOIS list.
> -
> 
> ==
> 
> And he is issuing these DDoS attacks against IRC
> servers around the globe and against HTTP servers.
> 
> The traceroute to www.darkhell.org shows that it's
> hosted in your network.
> 
> Level 3 (Baltimore, MD) traceroute to
> www.darkhell.org (69.22.169.27):
> 
>   1 so-11-0.hsa2.Baltimore1.Level3.net (4.68.112.70) 0 msec
>     so-6-1-0.mp1.Baltimore1.Level3.net (4.68.112.65) 0 msec
>     so-11-0.hsa2.Baltimore1.Level3.net (4.68.112.70) 0 msec
>   2 so-0-1-0.bbr2.Washington1.Level3.net (64.159.0.230) 0 msec
>     so-6-1-0.mp2.Baltimore1.Level3.net (4.68.112.73) 0 msec
>     so-0-1-0.bbr2.Washington1.Level3.net (64.159.0.230) 0 msec
>   3 so-6-1-0.bbr1.Washington1.Level3.net (64.159.0.106) 4 msec
>     so-7-0-0.edge1.Washington1.Level3.net (209.244.11.14) 0 msec
>     so-6-1-0.bbr1.Washington1.Level3.net (64.159.0.106) 4 msec
>   4 209.0.227.118 4 msec
>     so-6-0-0.edge1.Washington1.Level3.net (209.244.11.10) 0 msec
>     209.0.227.118 4 msec
>   5 209.0.227.118 4 msec
>     pos3-1-2488M.cr2.WDC2.gblx.net (67.17.67.58) [AS3549 {GBLX}] 4 msec
>     209.0.227.118 0 msec
>   6 so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec
>     pos3-1-2488M.cr1.WDC2.gblx.net (67.17.67.54) [AS3549 {GBLX}] 4 msec
>     so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec
>   7 so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec
>     so2-0-0-2488M.ar3.PAO2.gblx.net (67.17.67.238) [AS3549 {GBLX}] 80 msec
>     so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec
>   8 gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 80 msec
>     so2-0-0-2488M.ar3.PAO2.gblx.net
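
The channel log quoted in the report shows the controller steering the drones with !syn and !pfast commands that carry a target address and port. An added example for this archive, not code from the original poster or from anyone in the thread, that turns such a log into a per-target list suitable for notifying the victims' networks. The command grammar is inferred from the quoted lines only: !syn <ip> <port> <count>, !pfast <n> <ip> <port>, !pfast stop, and !ipscan; the meaning of the numeric argument to !pfast is not stated in the post and is ignored here, and !ipscan is counted rather than interpreted. The sample log is constructed in mIRC-style "[HH:MM] <nick> text" form using TEST-NET addresses, and includes a malformed command and a non-bot line to show how they are skipped.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed sample of a logged bot control channel. Nick and command verbs
# follow the log quoted in this thread; addresses are from RFC 5737 TEST-NET.
SAMPLE_LOG = """\
[07:01] * Now talking in #sh1-
[07:01] <[H0-3250]> !pfast stop
[07:01] <[H0-3250]> !syn 198.51.100.202 6667 500
[07:01] <[H0-3250]> !pfast 44 198.51.100.202 6667
[07:02] <[H0-3250]> !syn 203.0.113.181 6667 500
[07:02] <[H0-3250]> !pfast stop
[07:02] <[H0-3250]> !pfast 44 203.0.113.181 6667
[07:02] <[H0-3250]> !ipscan
[07:02] <[H0-3250]> !syn 192.0.2.3 80 500
[07:02] <helper> lol
[07:03] <[H0-3250]> !syn not-an-ip 6667 500
"""

LINE_RE = re.compile(r'^\[(?P<time>\d\d:\d\d)\] <(?P<nick>[^>]+)> (?P<text>.*)$')
OCTET = r'(?:25[0-5]|2[0-4]\d|1?\d?\d)'
IPV4_RE = re.compile(rf'^{OCTET}(?:\.{OCTET}){{3}}$')


@dataclass
class Target:
    ip: str
    port: int
    commands: list = field(default_factory=list)   # (time, nick, raw command)


def parse_command(text):
    """Classify one channel line.

    Returns (verb, ip, port) for an attack command with a valid target,
    ('pfast-stop', None, None) or ('ipscan', None, None) for the control
    commands, and None for anything else (chatter, malformed targets).
    """
    parts = text.split()
    if not parts or not parts[0].startswith('!'):
        return None
    verb = parts[0][1:].lower()
    if verb == 'syn' and len(parts) >= 3:
        ip, port = parts[1], parts[2]
    elif verb == 'pfast' and len(parts) >= 4:
        ip, port = parts[2], parts[3]          # parts[1] is the unexplained numeric argument
    elif verb == 'pfast' and len(parts) == 2 and parts[1].lower() == 'stop':
        return ('pfast-stop', None, None)
    elif verb == 'ipscan':
        return ('ipscan', None, None)
    else:
        return None
    if not IPV4_RE.match(ip) or not port.isdigit() or not 0 < int(port) < 65536:
        return None                             # refuse to report a garbage target
    return (verb, ip, int(port))


def extract_targets(log):
    """Walk the log in order; return ([Target, ...] in first-seen order, ipscan_count)."""
    targets = OrderedDict()
    scans = 0
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cmd = parse_command(m['text'])
        if cmd is None:
            continue
        verb, ip, port = cmd
        if verb == 'ipscan':
            scans += 1
            continue
        if ip is None:                          # pfast-stop carries no target
            continue
        t = targets.setdefault((ip, port), Target(ip, port))
        t.commands.append((m['time'], m['nick'], m['text']))
    return list(targets.values()), scans


def abuse_summary(targets):
    """One line per victim, with first-seen time and the controlling nick."""
    return [f"{t.ip}:{t.port} hit by {len(t.commands)} command(s), "
            f"first at {t.commands[0][0]} from {t.commands[0][1]}" for t in targets]


if __name__ == '__main__':
    found, scan_count = extract_targets(SAMPLE_LOG)
    print('\n'.join(abuse_summary(found)))
    print('scan commands seen:', scan_count)
```

The log timestamps only carry the client's local clock and no date, so when this output goes into an abuse report, add the date and timezone of the capture and the server you were connected to; the victims' operators will be matching it against their own flow records.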