[65914] in North American Network Operators' Group
nlayer.net Abuse and Security contact
daemon@ATHENA.MIT.EDU (John Obi)
Thu Dec 18 12:10:25 2003
Date: Thu, 18 Dec 2003 09:09:40 -0800 (PST)
From: John Obi <dalnetuzer@yahoo.com>
To: nanog@merit.edu
Folks,
I have sent many emails to abuse@nlayer.net and
security@nlayer.net reporting security abuse by one
of their users, but nothing has been done up to now.
If there is a real person from nlayer.net, please contact
me offline.
Thanks,
-J
__________________________________
Do you Yahoo!?
New Yahoo! Photos - easier uploading and sharing.
http://photos.yahoo.com/
Date: Mon, 15 Dec 2003 22:57:36 -0800 (PST)
From: John Obi <dalnetuzer@yahoo.com>
Subject: Abuse and spamming trojans via www.darkhell.org
To: abuse@hostany.com, DNSLISTS.NETTFcK49@privacypost.com
Cc: abuse@nlayer.net
Dear Sir/Madam,
We have a known script kiddie who spreads
Download.Trojan and BAT.Trojan.
The script kiddie runs port scans and infects users
who run WinNT, 2000 and XP via port 445 if Windows
isn't updated.
He is issuing commands to the infected PCs to download
this setup file, which contains these trojans:
http://www.darkhell.org/sh1.exe
This host is hosting the trojan files, which are in
sh1.exe.
When you download this file and you have Norton
Antivirus or McAfee with the latest virus IDs, your AV will
detect it directly, as below:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Download.Trojan
File: C:\WINNT\system32\Haver\Backsa.exe
Location: Quarantine
Computer: RASHID-ALKUBAIS
User: Administrator
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Tue Dec 16 09:23:12 2003

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: BAT.Trojan
File: C:\WINNT\system32\Haver\ceve.bat
Location: Quarantine
Computer: RASHID-ALKUBAIS
User: Administrator
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Tue Dec 16 09:23:12 2003
When I connected to his IRC server I saw this:
* Dns resolved sh1.cellfiles.org to 81.134.89.149
[07:01] * Connecting to 81.134.89.149 (6667)
-
[07:01] -irc.DarkHell.Org- *** Looking up your hostname...
-
There are 437 users and 0 invisible on 1 servers
2 channels formed
I have 437 clients and 0 servers
-
========================
[07:01] * Now talking in #sh1-
[07:01] <[H0-3250]> !pfast stop
[07:01] <[H0-3250]> !syn 66.90.92.202 6667 500
[07:01] <[H0-3250]> !pfast 444444 66.90.92.202 6667
[07:02] <[H0-3250]> !syn 202.91.32.181 6667 500
[07:02] <[H0-3250]> !pfast stop
[07:02] <[H0-3250]> !pfast 444444 202.91.32.181 6667
[07:02] <[H0-3250]> !syn 69.65.31.3 6667 500
[07:02] <[H0-3250]> !pfast stop
[07:02] <[H0-3250]> !pfast 444444 69.65.31.3 6667
[07:02] <[H0-3250]> !ipscan
[07:02] <[H0-3250]> !syn 66.151.29.193 6667 500
========================================
-
[H0-3250] is Have@devilz-E8805F6.in-addr.btopenworld.com * h3h3
[H0-3250] on +#sh1-
[H0-3250] using irc.DarkHell.Org DarkHell server
[H0-3250] has been idle 18secs, signed on Mon Dec 15 14:53:28
[H0-3250] End of /WHOIS list.
-
==================================================
And he is issuing these DDoS attacks against IRC
servers around the globe and against HTTP servers.
The traceroute to www.darkhell.org shows that it's
hosted in your network.
Show Level 3 (Baltimore, MD) Traceroute to www.darkhell.org (69.22.169.27)
 1 so-11-0.hsa2.Baltimore1.Level3.net (4.68.112.70) 0 msec
   so-6-1-0.mp1.Baltimore1.Level3.net (4.68.112.65) 0 msec
   so-11-0.hsa2.Baltimore1.Level3.net (4.68.112.70) 0 msec
 2 so-0-1-0.bbr2.Washington1.Level3.net (64.159.0.230) 0 msec
   so-6-1-0.mp2.Baltimore1.Level3.net (4.68.112.73) 0 msec
   so-0-1-0.bbr2.Washington1.Level3.net (64.159.0.230) 0 msec
 3 so-6-1-0.bbr1.Washington1.Level3.net (64.159.0.106) 4 msec
   so-7-0-0.edge1.Washington1.Level3.net (209.244.11.14) 0 msec
   so-6-1-0.bbr1.Washington1.Level3.net (64.159.0.106) 4 msec
 4 209.0.227.118 4 msec
   so-6-0-0.edge1.Washington1.Level3.net (209.244.11.10) 0 msec
   209.0.227.118 4 msec
 5 209.0.227.118 4 msec
   pos3-1-2488M.cr2.WDC2.gblx.net (67.17.67.58) [AS3549 {GBLX}] 4 msec
   209.0.227.118 0 msec
 6 so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec
   pos3-1-2488M.cr1.WDC2.gblx.net (67.17.67.54) [AS3549 {GBLX}] 4 msec
   so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec
 7 so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec
   so2-0-0-2488M.ar3.PAO2.gblx.net (67.17.67.238) [AS3549 {GBLX}] 80 msec
   so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec
 8 gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 80 msec
   so2-0-0-2488M.ar3.PAO2.gblx.net (67.17.67.238) [AS3549 {GBLX}] 80 msec
   gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 76 msec
 9 gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 80 msec
   ge-1-1-0.cr1.sfo1.nlayer.net (69.22.143.178) [AS4474 {GVIL1}] 76 msec
   gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 80 msec
10 ge4-4.hr1.sfo1.nlayer.net (69.22.143.10) [AS4474 {GVIL1}] 108 msec
   ge-1-1-0.cr1.sfo1.nlayer.net (69.22.143.178) [AS4474 {GVIL1}] 76 msec
   ge4-4.hr1.sfo1.nlayer.net (69.22.143.10) [AS4474 {GVIL1}] 80 msec
11 ge1-1.hr1.sfo1.nlayer.net (69.22.143.2) [AS4474 {GVIL1}] 80 msec
   customer.ge1-5.hr1.sfo1.nlayer.net (69.22.128.230) [AS4474 {GVIL1}] 80 msec
   ge1-1.hr1.sfo1.nlayer.net (69.22.143.2) [AS4474 {GVIL1}] 76 msec
12 SV4.DNSLISTS.NET (69.22.169.27) [AS27638 {HOSTANY-ASN}] 80 msec
   customer.ge1-5.hr1.sfo1.nlayer.net (69.22.128.230) [AS4474 {GVIL1}] 76 msec
   SV4.DNSLISTS.NET (69.22.169.27) [AS27638 {HOSTANY-ASN}] 80 msec
I'm kindly asking you to stop this abuse ASAP.
Thanks,
-J
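The channel log quoted in the forwarded report is the kind of evidence an abuse desk has to turn into a target list. The following is an added example, not code from the original post: it parses the mIRC-style lines above, classifies the bot-herder commands, and tallies flood targets per (IP, port). The argument order for !syn and !pfast is inferred from the quoted log and is an assumption; the sample log is constructed from the report.

```python
import re
from collections import Counter
# Constructed sample: the bot-herder command lines quoted in the
# forwarded report (channel #sh1- on the reported IRC server).
SAMPLE_LOG = """\
[07:01] <[H0-3250]> !pfast stop
[07:01] <[H0-3250]> !syn 66.90.92.202 6667 500
[07:01] <[H0-3250]> !pfast 444444 66.90.92.202 6667
[07:02] <[H0-3250]> !syn 202.91.32.181 6667 500
[07:02] <[H0-3250]> !pfast stop
[07:02] <[H0-3250]> !pfast 444444 202.91.32.181 6667
[07:02] <[H0-3250]> !syn 69.65.31.3 6667 500
[07:02] <[H0-3250]> !pfast stop
[07:02] <[H0-3250]> !pfast 444444 69.65.31.3 6667
[07:02] <[H0-3250]> !ipscan
[07:02] <[H0-3250]> !syn 66.151.29.193 6667 500
"""
# "[HH:MM] <nick> !command args..." as in the quoted mIRC-style log.
MSG_RE = re.compile(r"^\[(\d\d:\d\d)\] <([^>]+)> (!\S+)\s*(.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_line(line):
    """Classify one log line; None for non-command lines. Assumed argument
    order (from the quoted log): !syn <ip> <port> <count>, !pfast <count> <ip> <port>."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    time, nick, cmd, rest = m.groups()
    args = rest.split()
    ev = {"time": time, "nick": nick, "cmd": cmd.lower(), "target": None, "port": None}
    if ev["cmd"] == "!syn" and len(args) >= 2 and IPV4_RE.match(args[0]) and args[1].isdigit():
        ev["target"], ev["port"] = args[0], int(args[1])
    elif ev["cmd"] == "!pfast":
        if args and args[0].lower() == "stop":
            ev["cmd"] = "!pfast stop"
        elif len(args) >= 3 and IPV4_RE.match(args[1]) and args[2].isdigit():
            ev["target"], ev["port"] = args[1], int(args[2])
    return ev

def summarize(log_text):
    """Count flood commands per (target, port) and tally the remaining
    commands (scan, stop), the table an abuse desk wants next to the raw log."""
    floods, other = Counter(), Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["target"]:
            floods[(ev["target"], ev["port"])] += 1
        else:
            other[ev["cmd"]] += 1
    return floods, other
```

Each flood target in the sample log appears twice (one !syn and one !pfast) except the last, which only received a !syn before the capture ends.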