[31561] in North American Network Operators' Group
Re: Port 139 scans
daemon@ATHENA.MIT.EDU (Roland Dobbins)
Thu Sep 28 14:03:31 2000
Message-ID: <39D38670.A421EC27@netmore.net>
Date: Thu, 28 Sep 2000 10:57:04 -0700
From: Roland Dobbins <rdobbins@netmore.net>
Reply-To: rdobbins@netmore.net
MIME-Version: 1.0
To: Ben Browning <benb@oz.net>
Cc: nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
http://www.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
Ben Browning wrote:
>
> At 09:54 AM 9/28/00 -0700, vern@ee.lbl.gov wrote:
> >By the way, we identified a couple instances of the virus that Ken Lindahl
> >mentioned in his earlier post.
>
> Indeed, nearly all of my woes have disappeared with this information.
> Thanks Ken!
>
> Additionally, I set a trap for it yesterday. I opened a Windows box up to
> all internet traffic, made it nice and insecure (let me tell ya, that took
> a lot of work ;), and dialed it up. Then every half hour or so I checked
> for it. After an hour, I had a bug in a bottle.
>
> Busting out the handy hex editor, I scrolled down, and down, and down,
> until what should appear before my burning eyes, but Lo! An IP address...
>
> ...which points to an open mail relay somewhere in China (202.106.185.107)
> which then is used to send the info (likely the IP addy of the infected box)
> to the local user nongmin_cn. If anyone else goes through this process,
> I'd be interested in knowing about it.
>
> I already sent off abuse complaints to the upstreams for that IP. Hope they
> can read English :)
>
> ---
> Ben Browning <benb@oz.net>
> oz.net Network Operations
> Tel (206) 443-8000 Fax (206) 443-0500
> http://www.oz.net/
--
------------------------------------------------------------
Roland Dobbins <rdobbins@netmore.net> // 818.535.5024 voice