[31560] in North American Network Operators' Group
Re: Port 139 scans
daemon@ATHENA.MIT.EDU (Ben Browning)
Thu Sep 28 13:54:42 2000
Message-Id: <5.0.0.25.2.20000928104430.00a31af0@mail.oz.net>
Date: Thu, 28 Sep 2000 10:52:46 -0700
To: nanog@merit.edu
From: Ben Browning <benb@oz.net>
In-Reply-To: <200009281654.e8SGsrd25514@daffy.ee.lbl.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu
At 09:54 AM 9/28/00 -0700, vern@ee.lbl.gov wrote:
>By the way, we identified a couple instances of the virus that Ken Lindahl
>mentioned in his earlier post.
Indeed, nearly all of my woes have disappeared with this information.
Thanks Ken!
Additionally, I set a trap for it yesterday. I opened a Windows box up to
all internet traffic, made it nice and insecure (let me tell ya, that took
a lot of work ;), and dialed it up. Then every half hour or so I checked
for it. After an hour, I had a bug in a bottle.
Busting out the handy hex editor, I scrolled down, and down, and down,
until what should appear before my burning eyes, but Lo! An IP address...
...which points to an open mail relay somewhere in China (202.106.185.107)
which then is used to send the info(likely the IP addy of the infected box)
to the local user nongmin_cn . If anyone else goes through this process,
I'd be interested in knowing about it.
I already sent off abuse complaints to the upstreams for that IP. Hope they
can read English :)
---
Ben Browning <benb@oz.net>
oz.net Network Operations
Tel (206) 443-8000 Fax (206) 443-0500
http://www.oz.net/
