If a pro cannot clean it out safely, then I cannot imagine our typical
home user would be able to... and with some luck he installs a firewall
and antivirus next time, after reinstalling his system for the 4th or
5th time.
You may want to check out some AT (Anti-Trojan) software such as The
Cle
Did you actually read the article? This was about drones sending out via
its ISP mailserver. Blocking outbound 25 doesn't help a bit here. In
general sure, good idea, and also start using submission for example. But
in this context it's silly.
No, it is relevant or I wouldn't have mentioned it.
Al
[EMAIL PROTECTED] wrote:
CNET reports
http://news.com.com/Zombie+trick+expected+to+send+spam+sky-high/2100-7349_3-5560664.html?tag=cd.top
that botnets are now routing their mail traffic through the local
ISP's mail servers rather than trying their own port 25
connections.
Both on ASRG and here on
<[EMAIL PROTECTED]>
Gadi Evron (as specified below)
--
Gadi Evron,
Information Security Manager, Project Tehila -
Israeli Government Internet Security.
Ministry of Finance, Israel.
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Office: +972-2-5317890
Fax: +972-2-5317801
http://www.tehila.gov.il
The opinions, v
All Inktomi/Yahoo crawling is done from 68.142.248.0/22; the whois
entry for that block says to report issues to [EMAIL PROTECTED]
Have you tried alerting them to the problems yet?
If yes, and if you didn't receive a response, please forward me the mail
that you sent, and I'll see to it that the r
over there? I can't seem to be able to reach them and
this is becoming a real annoyance.
Anyone else observing this?
FYI if you haven't seen this yet.
Gadi.
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Vulnerability in Cisco IOS Embedded Call
Processing Solutions
Revision 1.0
For Public Release 2005 January 19 1500 UTC
+-
http://www.lurhq.com/baba.html
Thanks go to Joe Stewart from lurhq.
Further, please note this is the older variant. According to Joe the B
variant was released Jan/12.
Gadi.
Nils Ketelsen wrote:
I still have no clue what is causing this, but I am pretty clueless when
it comes to Windows PCs anyway, and as you might have guessed: The PCs
making these connections are windows machines.
http://www.lurhq.com/baba.html
Thanks go to Joe Stewart from lurhq.
--
Gadi Evron
http://www.theregister.co.uk/2005/01/17/panix_domain_hijack/
Gadi.
Nevertheless the total number of accessed addresses was still
1000 (over all hosts). So I think we might have in fact 1000 Addresses
that are contacted/attacked. The complete list of contacted addresses can
be found here:
http://steering-group.net/~nils/ips.txt
More to the point - how about the I
I still have no clue what is causing this, but I am pretty clueless when
it comes to Windows PCs anyway, and as you might have guessed: The PCs
making these connections are windows machines.
Continuing our off-list discussion for this on-list comment...
Without a reboot, try to connect the outgoin
Nils Ketelsen wrote:
We see a lot of requests of the following format in our proxy logs:
1105979310.010 240001 10.3.12.211 TCP_MISS/504
1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
1105979314.020 240009 10.3.12.211 TCP_MISS/504
1458 GET http://67.171.84.104:25238/2005/
MAN") at lurhq always comes
up with the answers.
http://www.theage.com.au/articles/2005/01/17/1105810810053.html
&&
http://www.smh.com.au/articles/2005/01/17/1105810810053.html
Gadi.
Until today, I considered this to be a real and relevant threat,
although rather low in my matrix.
As someone I know said today, now that kiddies saw how much "fun" this
is, I am sure they will attempt this again.
The question that comes to mind is - what do you do to be prepared?
I suppose tha
Cheung, Rick wrote:
Hi. Anyone notice an increase of TCP Syns to port 11768, and 445
across random internet IPs? I googled the port, and found a similar posting
here:
http://www.trustedmatrix.org/portal/forum_viewtopic.php?7.954
We located the source on our network, updated DATs, an
Hi.
We are in the process of forming a new drone army research and
mitigation mailing list.
Unlike other resources (which we don't come to compete with), this list
will bring together anti virus researchers/reverse engineers, network
admins and others who may be able to contribute.
AV research
Fergie (Paul Ferguson) wrote:
These people don't waste much time when a new exploit
found, do they? Geez.
http://isc.sans.org/diary.php?date=2004-12-21
As a friend of mine just said.. good times!
http://www.google.com/search?q=NeverEverNoSanity
Gadi.
I received several notices today from fellow ISPs, originally from an
Israeli ISP's security information sharing mailing list, that several
large Israeli ISPs experience an outbreak that causes tech support lines
to overflow.
Basically, this malware appears to change dialer configuration for
Dan Hollis wrote:
On Tue, 21 Dec 2004, Fergie (Paul Ferguson) wrote:
These people don't waste much time when a new exploit
found, do they? Geez.
http://isc.sans.org/diary.php?date=2004-12-21
It's exploiting a bug in old versions of phpbb, it's not using the recent
php exploit.
-Dan
It isn't very
cw wrote:
Does anyone have any more detail on exactly what this thing does after
it gets into a system?
Check *any* AV web site.
The cgi platform for a company I use has been hit and the effect is
not just limited to phpBB, it seems to get into the server and then go
through everything it can wr
"bot": derivative of "robot". An application on an infected computer
used for orchestrated attacks or for distributed generation of spam,
often distributed in or with viruses or other malware. Similar to
"zombie", which is an older usage specific to distributed denial of
service attacks.
I bel
william(at)elan.net wrote:
Can somebody also share a good definition of "BOT" and "BOTNET" for the glossary
and description of 2-4 lines? Should I also list it as synonymous with
Zombie (bot being more hacker-oriented use and zombie being more toward
spammer-oriented use)?
I'd let others define a "bot
Botnets aren't new. They've been prototyped on various IRC networks for
years. It started with hordes of linked eggdrop bots for Death Star
style privmsg/notice flood attacks on single users (1998? 1999?). When
For history's sake, most people name BO and netbus as the "original"
remote control
Botnets are a new phenomenon. [ Gadi!?]
hehe, I won't take the bait on that one Martin. :)
I suppose that back in the days when it was "new" they weren't really
called "armies", and _hackers_ would actually set up "real" bots on
pwned boxes. Today we see less and less actual eggdrops/energymechs
there are some million-bot drone armies out there. with enough attackers
I've heard that claim before, but I've yet to be convinced that those
making it were doing more than speculating. It is not unreasonable to
believe there are millions of bot drones, but that is not the same as
an army unde
Hank Nussbacher wrote:
http://www.cnn.com/2004/LAW/12/18/spam.lawsuit.ap/index.html
What a nice present for the holiday season :-)
-Hank
Indeed! If it will hold after the appeal.
Thing is, the spammers are not there to be found for paying, so they
might not exist for appealing. Meaning this might
It appears like many of us will be very busy this month, on the network
front.
The linux kernel has two published vulnerabilities (one for IGMP -
http://isec.pl/vulnerabilities/isec-0018-igmp.txt).
MS released one for DHCP (http://go.microsoft.com/fwlink/?LinkId=36664)
and last but not least -
Hi guys. I figured I might as well ping, as I do once a year on
different forums since `96, and send some information here asking for help.
The following drone army seems to be on the move, switching binary and
relay server, which is why I allow myself to post it openly.
Anyone seeing any conne
--- Begin Message ---
Hello all,
while doing some experiments with dig using a .fm domain I made a small
typo. Much to my surprise the whole fm zone was transferable by anyone.
It's obvious this is a fabulous source for dictionary spammers who just
mail to generic addresses at as many domains as
Fergie (Paul Ferguson) wrote:
"Lycos Europe appeared to have pulled a controversial
anti-spam screensaver program from its site on Friday,
after coming under fire from both security experts and
the spammers themselves."
http://www.infoworld.com/article/04/12/03/HNlycospullsscreensaver_1.html
Okay.
Sorry your experience has been different, this is definitely one of
those YMMV kinds of deals. That is a significant attack by most
anyone's standards. Getting to the right security team usually ends
up being the challenge. Once there however we have found many
providers do a great job of deali
Rich Kulawiec wrote:
On Thu, Dec 02, 2004 at 04:18:52PM -0500, Hannigan, Martin wrote:
Can you direct me toward a singular entity of 1MM bots controlled by
a single master?
Nobody can, except the single master who's in control of same, and
whoever that is -- if there is -- is unlikely to voluntari
se past few
years.
One of the strains started with sdbot.. then ircbot.. then agobot.. then
phatbot, rbot, whatever bot, korgobots (argh!) etc.
Thousands of different samples, all related - and for most you can find
quite a few versions of their sources online.
It never ends.. I am just glad this is getting some attention now.
Gadi Evron.
er they like.. but with the huge amounts of them out
there - I don't see it (port 25 blocking) solving the problem as a
whole. It would kill off the current strain of malware, though.
Gadi Evron.
ciate your help,
Gadi Evron.
This works:
http://search.yahoo.com/search?p=yahoo+abuse
This works:
http://search.yahoo.com/search?p=report+yahoo+abuse
This works:
http://www.google.com/search?&q=yahoo+abuse
This works:
http://www.google.com/search?&q=report+yahoo+abuse
I guess you didn't search hard enough.
Give the guy a brea
Gadi Evron wrote:
Thanks for your help, sorry for the OT post.
Gadi Evron.
As a very nice guy pointed out to me:
The University of California San Diego (ucsd.edu) is 139.239.0.0/16,
while 138.23.0.0/16 is University of California at Riverside (ucr.edu).
Sorry for the mistake. Make that
Thanks for your help, sorry for the OT post.
Gadi Evron.
From a recent email I gather this is very off-topic, so I will try to
be brief in my reply.
(Geneva.CH.EU.*) since 3+ years. I can say from my experiences I couldn't
make any kind of connection between botnets and spam. Most Trojan codes I
have looked into don't have any command/action to ma
there are many ways of sending spam that don't use port 25..
True, but reducing spam from millions to thousands seems like something
good, no?
individual rules are costly to implement and users won't use a service where you
have to pay more for basic services
Several big ISPs are blocking port
Next you'll block SIP if we start getting "spam calls"? Or any other
application that pops up and is used by the same people sending spam today?
There is the issue of usability. Why does a Cable user on a dynamic
range need SMTP open?
You're fixing the symptom, not curing the cause. The immedia
Blocking ports one by one and filling the Internet by application level
proxies (SMTP gateways for port 25) is not a road worth travelling.
Pete
Blocking port 25 for dynamic ranges means they can't send email, so those
drones are pretty useless for spammers on that account. Trojan horses
would h
Yea, verily. This is not an impossible problem for this community; it is
only an impossible problem for any one of us acting totally independently.
And while the solution isn't instant, the tide CAN be turned.
Problem is, we are fighting a war we already lost. It's put out a fire
here and ther
But compared to the success rate of the bot writers, the anti-bot tools
fall far behind. Some people estimate between 10 million and 30 million
Actually, there are some fine Anti Trojan (AT) tools out there. Try out
The Cleaner and BOClean.
new bots have been created this year. That number is
Most ISPs wouldn't have to deal with this problem if corporations took
the time to release better products. I was faced with the question of
"What do you do for infected clients?" What can an ISP do? Most of the
An ISP doesn't really have to do anything, either. As long as it is not
in their fin
Only when they do something about it.
Trouble? When they have 40K extra users to pay for bandwidth (easily
eats up a T1 or two), it's damage enough. Besides, would you like
someone to launch "cyber A-Bombs" (phaa) from your network?
1. Worrying about personal privacy of their users, not wanting
I didn't mean to put IRC in a bad light, just pointing out that as usual,
any good tool can be abused.
Those drone armies that lurk on actual real networks are a major problem
for the networks themselves, but I doubt anyone can blame them for:
1. Worrying about personal privacy of their users, n
acro level. Besides, with so many
drones around and infected machines - who needs a proxy to be anonymous?
Gadi Evron.
aps, maybe, make runners have to use
different media to control their botnets - none as efficient or easy as
IRC to date.
Maintaining the list you suggest is difficult, but I am more than
interested in how you planned on doing it?
Gadi Evron.