[55272] in North American Network Operators' Group

Re: Tracing where it started

daemon@ATHENA.MIT.EDU (Johannes Ullrich)
Sun Jan 26 11:56:38 2003

Date: Sun, 26 Jan 2003 11:55:48 -0500
From: "Johannes Ullrich" <jullrich@euclidian.com>
To: "Alex Rubenstein" <alex@nac.net>
Cc: tdp@discombobulated.net, nanog@merit.edu
X-Qmail-Scanner-Mail-From: jullrich@euclidian.com via server.euclidian.com
In-Reply-To: <Pine.WNT.4.43.0301260008290.2284-100000@TEMPEST.hq.nac.net>
Errors-To: owner-nanog-outgoing@merit.edu



> > +-----------------+
> > | 216.069.032.086 |  Kentucky Community and Technical College System
> > | 066.223.041.231 |  Interland
> > | 216.066.011.120 |  Hurricane Electric
> > | 216.098.178.081 |  V-Span, Inc.
> > +-----------------+
> 
> HE.net seems to be a reoccurring theme. (I speak to evil of them --
> actually, there are some good people over there).

First of all: This worm started so fast, to find its source we have to
look into the past, not at the 'flash point'. HE.net is a very large
colo provider, so I am in no way surprised that they show up. Same
for Interland. 

-- 
--------------------------------------------------------------------
jullrich@euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org