[61106] in North American Network Operators' Group
RE: Sobig.f surprise attack today
daemon@ATHENA.MIT.EDU (Mark Segal)
Fri Aug 22 17:07:30 2003
From: Mark Segal <MSegal@Corporate.FCIBroadband.com>
To: 'netadm' <netadm@infolink.com>,
"'nanog@merit.edu'" <nanog@merit.edu>
Date: Fri, 22 Aug 2003 17:04:32 -0400
Errors-To: owner-nanog-outgoing@merit.edu
My question is: what were those servers.. Was the purpose to denial-of-service
attack them? If so, we just assisted that.. :)
mark
--
Mark Segal
Director, Network Planning
FCI Broadband
Tel: 905-284-4070
Fax: 416-987-4701
http://www.fcibroadband.com
Futureway Communications Inc. is now FCI Broadband
-----Original Message-----
From: netadm [mailto:netadm@infolink.com]
Sent: August 22, 2003 3:50 PM
To: nanog@merit.edu
Subject: RE: Sobig.f surprise attack today
From http://www.f-secure.com/v-descs/sobig_f.shtml
-----------------------------------------------------------------
Update on 19:00 UTC
When the deadline for the attack had passed, one machine was still
(somewhat) up. However, immediately after the deadline, this machine (located
in the USA) was totally swamped under network traffic.
We've tried connecting to it, just like the virus does. We do this from
three different sensors from three different machines in three different
countries. We haven't been able to connect to it once. If we can't connect,
neither can the viruses.
So the attack failed. Whoa.
We'll keep monitoring until 22:00 UTC. If we're not able to connect once, we
can safely say that the attack was prevented.
-----Original Message-----
From: Andrew Kerr [mailto:andrew_kerr@iamnos.ca]
Sent: Friday, August 22, 2003 3:43 PM
To: Jay Hennigan
Cc: nanog@merit.edu
Subject: Re: Sobig.f surprise attack today
Jay Hennigan wrote:
> On Fri, 22 Aug 2003, Andrew Kerr wrote:
>
>
>>It's been posted here, and f-secure has it, but I wrote a quick script
>>to keep an eye on the 20 servers and dump the output to a simple page:
>>
>>http://207.195.54.37/sobig.html
>>
>>(Updates about every 5 mins)
>
>
> You're probing the list of NTP servers the worm uses to get the date,
> not the list of hosts to which it "phones home".
>
A few people pointed that out. By the time this message hits the list,
it should be corrected.