Re: The Confiker Virus.
you need to add python-crypto with whatever package manager your OS uses, yast line in suse:

│python-crypto │2.0.1 │2.0.1 │Collection of cryptographic algorithms and protocols, implemented for use from Python

JoeSox joe...@gmail.com 31/03/09 8:46 am:

> Has anyone tried the Python scs Network Scanner script?
> http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
>
> I have installed the Impacket-0.9.6.0 library but it throws the following warning:
>
> WARNING: Crypto package not found. Some features will fail.
>
> Does anyone know if this affects the reliability of the scs script? I have it scanning but I don't like that warning. What other library is Impacket looking for to correct that warning?
>
> --
> Thanks, Joe
>
> On Mon, Mar 30, 2009 at 10:27 AM, Paul Ferguson fergdawgs...@gmail.com wrote:
>
>> Something folks might be interested in -- a way to detect Conficker-infected hosts in your network:
>>
>> https://www.honeynet.org/node/389
>>
>> FYI,
>>
>> - ferg
>>
>> --
>> Fergie, a.k.a. Paul Ferguson
>> Engineering Architecture for the Internet
>> fergdawgster(at)gmail.com
>> ferg's tech blog: http://fergdawg.blogspot.com/
Cacti Graphing
Hi All,

Has anyone on this list graphed Alcatel-Lucent service routers successfully using Cacti, and if yes, would you be kind enough to provide the base template or the how-to?

--
Kind Regards
Joseph Nzioka,
Cell:+254 735 452050
Cell:+254 711 968429
RE: The Confiker Virus.
Joe,

Here's the link for the Python Crypto toolkit:
http://www.amk.ca/python/code/crypto.html

I scanned our internal network and didn't find anything, so I can't really vouch for its reliability though.

-----Original Message-----
From: David Tebbutt [mailto:da...@sunshadeseyewear.com.au]
Sent: Tuesday, March 31, 2009 2:10 AM
To: Paul Ferguson; JoeSox
Cc: nanog@nanog.org
Subject: Re: The Confiker Virus.
Re: The Confiker Virus.
Anyone try the new nmap beta that includes the ability to detect it? nmap-4.85BETA5?

I am looking for output from a scan on a known infected machine vs what I believe is a clean machine I have.

Thanks,

On Tue, Mar 31, 2009 at 7:48 AM, Eric Tykwinski eric-l...@truenet.com wrote:

--
Jason Biel
Re: The Confiker Virus.
Here is a pretty good recap of all options, including some useful comments:
http://it.slashdot.org/article.pl?sid=09/03/30/090224

including the specific one addressing the py script:
http://it.slashdot.org/comments.pl?sid=1180397&cid=27387085

Stefan

On Tue, Mar 31, 2009 at 7:48 AM, Eric Tykwinski eric-l...@truenet.com wrote:

--
***Stefan
http://twitter.com/netfortius
Re: The Confiker Virus.
Also see http://arstechnica.com/security/news/2009/03/new-method-for-detecting-conficker-discovered-debuted.ars
Re: The Confiker Virus.
I forgot to mention that I have had python-crypto already installed before I posted. I was still getting the WARNING.

--
Joe

On Mon, Mar 30, 2009 at 11:10 PM, David Tebbutt da...@sunshadeseyewear.com.au wrote:
Re: The Confiker Virus.
On Tue, Mar 31, 2009 at 09:22:32AM -0400, Steven M. Bellovin wrote:

> Honeynet Project has released Know Your Enemy: Containing Conficker:
>
> Our Know Your Enemy: Containing Conficker whitepaper was released on March 30th as a PDF only. You can download the full paper from the link below.
>
> Paper Abstract
>
> The Conficker worm has infected several million computers since it first started spreading in late 2008, but attempts to mitigate Conficker have not yet proved very successful. In this paper we present several potential methods to contain Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally, and a potential vaccination tool is presented. Finally, the domain name generation mechanism for all three Conficker variants is discussed in detail and an overview of the potential for upcoming domain collisions in version .C is provided. Tools for all the ideas presented here are freely available for download, including source code.
>
> In addition, as a result of this paper and the hard work of Dan Kaminsky, most vulnerability scanning tools (including Nmap) should now have a plugin or signatures that allow you to remotely detect infected Conficker systems on your networks.
>
> Finally, we would like to recognize and thank the tremendous help and input of the Conficker Working Group.
>
> Paper last updated March 30th 2009, 23:00 GMT (rev1)
> http://www.honeynet.org/files/KYE-Conficker.pdf

-aW
Re: The Confiker Virus.
From what I can find with the nmap way, you don't want to see *Conficker: LIKELY INFECTED* or *Conficker: VULNERABLE*.

2009/3/31 JoeSox joe...@gmail.com:

--
Jason Biel
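A small triage script for the nmap verdicts Jason describes, added here as an example (it is not code from the thread or from nmap). The scan text is constructed to resemble nmap's normal (-oN) output; the hosts, the exact verdict wording and the line layout are assumptions, so adjust VERDICT_RE if your nmap build prints the script results differently.

```python
"""Triage nmap smb-check-vulns output: who is infected, unpatched, clean?

Added example, not from the NANOG thread or from nmap. SAMPLE_SCAN is
constructed; host addresses, verdict wording and layout are assumptions.
"""
import re

# Constructed sample: three hosts scanned with --script=smb-check-vulns.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|_ Conficker: Likely INFECTED (by Conficker.C or lower)

Nmap scan report for 192.0.2.11
Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|_ Conficker: Likely CLEAN

Nmap scan report for 192.0.2.12
Host script results:
|  smb-check-vulns:
|  MS08-067: VULNERABLE
|_ Conficker: UNKNOWN; not Windows, or firewalled browser service
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
VERDICT_RE = re.compile(r"^\|[ _]\s*(Conficker|MS08-067):\s*(.+?)\s*$")


def parse_smb_check_vulns(text):
    """Return {host: {'Conficker': verdict, 'MS08-067': verdict}}."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = VERDICT_RE.match(line)
        if m and current is not None:
            hosts[current][m.group(1)] = m.group(2)
    return hosts


def triage(hosts):
    """Map each host to INFECTED, UNPATCHED, CLEAN or UNKNOWN.

    An INFECTED verdict outranks everything; a missing MS08-067 patch
    outranks a CLEAN Conficker verdict; UNKNOWN needs a second method.
    """
    result = {}
    for host, verdicts in hosts.items():
        conf = verdicts.get("Conficker", "").upper()
        ms = verdicts.get("MS08-067", "").upper()
        if "INFECTED" in conf:
            result[host] = "INFECTED"    # isolate, then clean or rebuild
        elif "VULNERABLE" in ms or "VULNERABLE" in conf:
            result[host] = "UNPATCHED"   # MS08-067 missing: patch first
        elif conf.startswith("UNKNOWN") or not conf:
            result[host] = "UNKNOWN"     # firewalled or non-Windows
        elif "CLEAN" in conf:
            result[host] = "CLEAN"
        else:
            result[host] = "UNKNOWN"
    return result
```

Run `triage(parse_smb_check_vulns(open("scan.txt").read()))` on a real -oN file to get a per-host list you can hand to the desktop team.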
Re: The Confiker Virus.
I am uncertain also. I scan a subnet on my network with Axence NetTools looking for port 445 and I receive some hits. I perform a netstat -a on some of those results but don't really see any 445 activity. The SCS script doesn't find anything either. The PCs are patched and VirusScan updated.

One PC, when I connected to it, did not navigate to the Windows Update website. I scheduled a full McAfee scan as their documentation suggests (http://download.nai.com/products/mcafee-avert/documents/combating_w32_conficker_worm.pdf), and sometime through the scan I was able to reach Windows Update. I don't know if it was a coincidence or not that I was not able to reach the website.

I haven't looked into the registry and any other places for evidence of Conficker. I will probably today, but I am afraid it may be a waste of time since they are already patched and updated.

--
Joe

On Tue, Mar 31, 2009 at 5:48 AM, Eric Tykwinski eric-l...@truenet.com wrote:
TWC outage
Seems to be an outage with Time Warner Cable in the upstate New York area ... As far as I can tell, it's on AS7843. I'm awaiting callback from an engineer for details.

Adam
--
Webjogger
(845) 757-4000
ASN 20208

==

C:\>tracert www.authorize.net

Tracing route to www.authorize.net [64.94.118.77]
over a maximum of 30 hops:

  1    38 ms     1 ms     2 ms  10049.webjogger.net [204.8.80.49]
  2     6 ms     6 ms     7 ms  cpe-24-29-112-25.nyc.res.rr.com [24.29.112.25]
  3     8 ms     7 ms     6 ms  gig-12-2-nycmnyrdc-rtr1.nyc.rr.com [24.29.104.97]
  4     7 ms     7 ms     8 ms  gig1-0-0-nwrknjmd-rtr1.nyc.rr.com [24.29.130.182]
  5     7 ms     7 ms     6 ms  ae-4-0.cr0.nyc30.tbone.rr.com [66.109.6.78]
  6     9 ms     8 ms     8 ms  ae-1-0.pr0.nyc20.tbone.rr.com [66.109.6.163]
  7     8 ms     9 ms     8 ms  66.109.9.210
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.
Spoofer project update
Hi,

as many of you are acutely aware, IP source spoofing is still a common attack vector. The ANA spoofer project:

http://spoofer.csail.mit.edu

first began quantifying the extent of source verification in 2005. We've amassed several years' worth of data -- data that has become particularly interesting in light of recent attacks. However, our data raised as many questions as it answered. Hence, we have developed a new version of the tester designed to answer these questions and improve our Internet-wide inferences.

What's New:

In addition to new tests, we've hooked into CAIDA's Ark infrastructure, which allows us to perform multiple path-based measurements. This information is presented to the client now in visual form; see the screenshots for an example report:

http://spoofer.csail.mit.edu/example/example.php

How you can help:

Simple -- take a few minutes to download and run the tester. The more points you can run the tester from, the better.

Comments/Flames:

Welcome, and we appreciate all feedback. Be sure to read the FAQ:

http://spoofer.csail.mit.edu/faq.php

Many thanks,
rob
Re: Cacti Graphing
Hi Nzioka,

the appropriate place for your request is http://forums.cacti.net/. Or you can also check http://sourceforge.net/mailarchive/forum.php?forum_name=cacti-user

Regards
Raymond Macharia

On Tue, Mar 31, 2009 at 1:05 PM, Joseph Nzioka jnzi...@gmail.com wrote:
RE: Earthlink help needed
Hey,

I'm also having an issue with mail delivery to Earthlink. It seems some of the messages to Earthlink are not reaching the inbox post the initial acceptance. Can an Earthlink administrator confirm off-list if this is something the client can control? The few that I have examples of swear they never receive the message, but our logs show it was accepted for delivery.

Thanks,

Raymond Corbin
443.866.6048

-----Original Message-----
From: Mike Lewinski [mailto:m...@rockynet.com]
Sent: Monday, March 30, 2009 8:16 PM
To: nanog@nanog.org
Subject: Re: Earthlink help needed

> Within an hour of making this post I received a call from a very helpful engineer at Earthlink. The problem has been identified and a resolution is in the works.
>
> Mike
>
> Mike Lewinski wrote:
>
>> One of our mail servers can't talk to any of the Earthlink MX servers and after two weeks of trying I've got a queue full of undeliverable mail to their subs. Previous attempts at getting help via postmas...@earthlink.net are unanswered. INOC-DBA has no directory entry for them. This old NANOG post (http://www.merit.edu/mail.archives/nanog/msg01582.html) has a valid phone number but invalid extension. So I hit 0 and got a tech anyway. That tech instructed me to forward on my concerns to blockedbyearthl...@abuse.earthlink.net, which I did, but nothing more than an auto-response has come back a week later now (and yes, I followed the instructions in the auto-responder and re-submitted in the requested format).
>>
>> Everything I've read indicates that if we are being blocked deliberately I should be getting a 550 SMTP error back. We do not even get a SYN/ACK back (nor ICMP unreachable/prohibited, nor RST), so no SMTP errors are generated from their servers. The MX are all pingable and traceable, so it's not a routing problem AFAICT.
>>
>> The mailman server here has paranoid rDNS setup, does not appear on any blacklists, and has never been the subject of any spam complaints. It runs a listserv for a professional legal association which charges members a fee before they are allowed to join the list, so the possibility of unwanted third parties being subscribed is very near zero.
>>
>> TIA and sorry for the noise.
>>
>> We tried having an Earthlink subscriber work this from the other angle. All she got was "Earthlink has been blocking port 25 for years, you should know this by now!"
>>
>> Mike Lewinski
>> --
>> m...@rockynet.com
>> POTS: 303-629-2860
>> INOC-DBA: 13345*mjl
Re: Cacti Graphing
Hi Joe,

I sent you some links offline as well, but make sure the polling host can talk to the target: IIRC, the Alcatel/Lucent device(s) default to SNMP v2. IIRC, Cacti is defaulted to v1. At the CLI of the [hopefully] nix device:

snmpwalk -v 2c $community ip_addr 1.3.6

That should prove that you can talk to and walk the device. If that works and the poller doesn't, investigate host poller settings or options for v2. That and ACLs have been typical root causes of problems whenever I have had issues with polling a target device.

Best,
Martin

On Tue, Mar 31, 2009 at 6:05 AM, Joseph Nzioka jnzi...@gmail.com wrote:

--
Martin Hannigan
mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters
Re: The Confiker Virus.
See http://honeynet.org/node/388 for snort signatures for .a and .b variants.

- d.

On Tue, 31 Mar 2009, Steven Fischer wrote:

> Is anyone aware of any network-based signatures that could be used to identify and tag IP traffic, for dropping at the ingress/egress points?
>
> On Tue, Mar 31, 2009 at 9:41 AM, JoeSox joe...@gmail.com wrote:

--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
http://www.dominiceidson.com/
Re: TWC outage
Thanks for various replies off-list which helped to troubleshoot this issue and possibly accelerate resolution.

Time Warner attributed the issue to a routing loop on the Level 3 network caused by some work last night. Based on a traceroute from a Webjogger customer, the loop was in Chicago.

As of about 4:45pm EDT things seem back to normal.

Thanks!

Adam
--
Webjogger
(845) 757-4000
ASN 20208

----- Original Message -----
From: Adam Greene
To: outa...@outages.org ; nanog@nanog.org
Sent: Tuesday, March 31, 2009 11:18 AM
Subject: [outages] TWC outage

___
outages mailing list
outa...@outages.org
https://puck.nether.net/mailman/listinfo/outages
Re: TWC outage
are you just a little early for April Fools? :-)

On 2009Mar31, at 5:43 PM, Adam Greene wrote:

> Based on a traceroute from a Webjogger customer, the loop was in Chicago.
Hotmail/MSN/Live help?
My mail server is currently being blocked by Windows/Live/Hotmail even though I am (and have been for years) a member of Microsoft's JMRP and SNDS services. Not sure what changed after years of peaceful co-existence.

Could someone from Windows Live Hotmail please contact me off list?

TIA

--
Paul
Senior System Administrator
Internet Broadcasting
p...@ibsys.com
Visit us at: www.ibsys.com
Re: Google Over IPV6
Nick Hilliard wrote:

> On 27/03/2009 15:26, Leo Bicknell wrote:
>
>> AFAIK you have to have native peering with them to be part of the pilot. At least, you did when we signed up. They may have relaxed that since.
>
> According to a Google IPv6 talk I attended yesterday, they don't intend to relax that rule. Tunneling ipv6 connectivity over ipv4 is trash quality engineering and to be honest, it's not a credible substitute for adequate ipv6 infrastructure.

<facetious>
Tunneling ipv4 over mpls is trash quality engineering and it's not a credible substitute for adequate ipv4 infrastructure.
</facetious>

Everything is a tunnel...

Nick
Re: Google Over IPV6
> Everything is a tunnel...

Tube man. Everything is a tube... and Al Gore invented tubes.

MMC

> Nick

--
Matthew Moyle-Croft
Internode/Agile
Peering and Core Networks
Can you see these AS links:)
Hello folks,

As part of a research project here at Northwestern, we have found quite a few unexpected AS-level links that do not appear in publicly available BGP tables. We really need your help in validating them; for anyone who knows links associated with any AS, if you can assist us with this please contact us off list.

Thanks!

- Kai