[32355] in North American Network Operators' Group
Re: Operational impact of filtering SMB/NETBIOS traffic?
daemon@ATHENA.MIT.EDU (Jeremy T. Bouse)
Mon Nov 20 00:14:29 2000
Date: Mon, 20 Nov 2000 00:12:34 -0500
From: "Jeremy T. Bouse" <undrgrid@toons.UnderGrid.net>
To: nanog@merit.edu
Message-ID: <20001120001234.A14022@UnderGrid.net>
In-Reply-To: <20001119212339.A22670@daa.dyndns.org>; from daa@rmi.net on Sun, Nov 19, 2000 at 09:23:40PM -0700
David Avery was said to have been seen saying:

> I would hope leased line/colo machines would be better set up, but I am probably
> dreaming.

One would think this to be true but I have found it quite often to
be the opposite... I've had to deal with countless intrusion attempts against
our network only to find that the box attacking me had been owned by some
script kiddie on the net because the admin of the box had failed to secure
it before placing it online... I've found this to be true with school
districts (had one in Colorado several weeks ago) and commercial companies
(had a company in Dallas, TX right after the school district incident)...
In fact, in the case of the Colorado school district attempt I had the
admin tell me he had only put the machine online on Thursday, however by
Sunday I had already recorded attempts from it...

> Just for reference I am one of the net/security admins at distributed.net
> and there are a number of win* worms running around in the wild carrying
> the distributed.net client as part of their payload.
>
> So far in the past 3 months (since the worms appeared) I have logged
> over 400,000 unique IP addresses returning data to distributed.net
> from installs created by the worms. We have spot checked a number of
> these IPs and find win9x boxes with open C shares and signs of multiple
> infestation including QAZ and other DDoS payloads.

This would not surprise me at all... I've noticed quite a few
QAZ style signature attempts coming from repeated Cable & Wireless IP blocks
recently... As I'm on a C&W backbone I'm routinely scanned by other C&W
IPs which have been infected, and some have even been from clients of my
own ISP...

Respectfully,
Jeremy T. Bouse
UnderGrid Network Services, LLC