On Thu, 2003-12-18 at 08:09, John Obi wrote:
Folks,
I have sent many emails to abuse@nlayer.net and security@nlayer.net reporting security abuse by one of their users, but nothing has been done up to now.
If there is a real person from nlayer.net, please contact me offline.
Thanks,
-J
__________________________________ Do you Yahoo!? New Yahoo! Photos - easier uploading and sharing. http://photos.yahoo.com/

One suggestion is to use an e-mail account other than a Yahoo one. That might be an issue with the abuse/security folks. Dee
______________________________________________________________________
From: John Obi <dalnetuzer@yahoo.com>
To: abuse@hostany.com, DNSLISTS.NETTFcK49@privacypost.com
Cc: abuse@nlayer.net
Subject: Abuse and spamming trojans via www.darkhell.org
Date: Mon, 15 Dec 2003 22:57:36 -0800
Dear Sir/Madam,
We have a known script kiddie who spreads Download.Trojan and BAT.Trojan.
The script kiddie runs port scans and infects users who run WinNT, 2000 and XP via port 445 if Windows isn't updated.
He is issuing commands to the infected PCs to download this setup file, which contains these trojans:
http://www.darkhell.org/sh1.exe
This host is hosting the trojan files, which are in sh1.exe.
When you download this file and have Norton AntiVirus or McAfee with the latest virus IDs, your AV will detect it directly, as below:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Download.Trojan
File: C:\WINNT\system32\Haver\Backsa.exe
Location: Quarantine
Computer: RASHID-ALKUBAIS
User: Administrator
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Tue Dec 16 09:23:12 2003

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: BAT.Trojan
File: C:\WINNT\system32\Haver\ceve.bat
Location: Quarantine
Computer: RASHID-ALKUBAIS
User: Administrator
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Tue Dec 16 09:23:12 2003
When I connected to his IRC server I saw this:
* Dns resolved sh1.cellfiles.org to 81.134.89.149
[07:01] * Connecting to 81.134.89.149 (6667)
- [07:01] -irc.DarkHell.Org- *** Looking up your hostname...
- There are 437 users and 0 invisible on 1 servers
- 2 channels formed
- I have 437 clients and 0 servers
========================
[07:01] * Now talking in #sh1-
[07:01] <[H0-3250]> !pfast stop
[07:01] <[H0-3250]> !syn 66.90.92.202 6667 500
[07:01] <[H0-3250]> !pfast 444444 66.90.92.202 6667
[07:02] <[H0-3250]> !syn 202.91.32.181 6667 500
[07:02] <[H0-3250]> !pfast stop
[07:02] <[H0-3250]> !pfast 444444 202.91.32.181 6667
[07:02] <[H0-3250]> !syn 69.65.31.3 6667 500
[07:02] <[H0-3250]> !pfast stop
[07:02] <[H0-3250]> !pfast 444444 69.65.31.3 6667
[07:02] <[H0-3250]> !ipscan
[07:02] <[H0-3250]> !syn 66.151.29.193 6667 500
========================================
- [H0-3250] is Have@devilz-E8805F6.in-addr.btopenworld.com * h3h3
- [H0-3250] on +#sh1-
- [H0-3250] using irc.DarkHell.Org DarkHell server
- [H0-3250] has been idle 18secs, signed on Mon Dec 15 14:53:28
- [H0-3250] End of /WHOIS list.
==================================================
And he is issuing these DDoS attacks against IRC servers around the globe and against HTTP servers.
The traceroute to www.darkhell.org shows that it's hosted in your network.
Show Level 3 (Baltimore, MD) Traceroute to www.darkhell.org (69.22.169.27)
1 so-11-0.hsa2.Baltimore1.Level3.net (4.68.112.70) 0 msec so-6-1-0.mp1.Baltimore1.Level3.net (4.68.112.65) 0 msec so-11-0.hsa2.Baltimore1.Level3.net (4.68.112.70) 0 msec
2 so-0-1-0.bbr2.Washington1.Level3.net (64.159.0.230) 0 msec so-6-1-0.mp2.Baltimore1.Level3.net (4.68.112.73) 0 msec so-0-1-0.bbr2.Washington1.Level3.net (64.159.0.230) 0 msec
3 so-6-1-0.bbr1.Washington1.Level3.net (64.159.0.106) 4 msec so-7-0-0.edge1.Washington1.Level3.net (209.244.11.14) 0 msec so-6-1-0.bbr1.Washington1.Level3.net (64.159.0.106) 4 msec
4 209.0.227.118 4 msec so-6-0-0.edge1.Washington1.Level3.net (209.244.11.10) 0 msec 209.0.227.118 4 msec
5 209.0.227.118 4 msec pos3-1-2488M.cr2.WDC2.gblx.net (67.17.67.58) [AS3549 {GBLX}] 4 msec 209.0.227.118 0 msec
6 so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec pos3-1-2488M.cr1.WDC2.gblx.net (67.17.67.54) [AS3549 {GBLX}] 4 msec so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec
7 so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec so2-0-0-2488M.ar3.PAO2.gblx.net (67.17.67.238) [AS3549 {GBLX}] 80 msec so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec
8 gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 80 msec so2-0-0-2488M.ar3.PAO2.gblx.net (67.17.67.238) [AS3549 {GBLX}] 80 msec gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 76 msec
9 gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 80 msec ge-1-1-0.cr1.sfo1.nlayer.net (69.22.143.178) [AS4474 {GVIL1}] 76 msec gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 80 msec
10 ge4-4.hr1.sfo1.nlayer.net (69.22.143.10) [AS4474 {GVIL1}] 108 msec ge-1-1-0.cr1.sfo1.nlayer.net (69.22.143.178) [AS4474 {GVIL1}] 76 msec ge4-4.hr1.sfo1.nlayer.net (69.22.143.10) [AS4474 {GVIL1}] 80 msec
11 ge1-1.hr1.sfo1.nlayer.net (69.22.143.2) [AS4474 {GVIL1}] 80 msec customer.ge1-5.hr1.sfo1.nlayer.net (69.22.128.230) [AS4474 {GVIL1}] 80 msec ge1-1.hr1.sfo1.nlayer.net (69.22.143.2) [AS4474 {GVIL1}] 76 msec
12 SV4.DNSLISTS.NET (69.22.169.27) [AS27638 {HOSTANY-ASN}] 80 msec customer.ge1-5.hr1.sfo1.nlayer.net (69.22.128.230) [AS4474 {GVIL1}] 76 msec SV4.DNSLISTS.NET (69.22.169.27) [AS27638 {HOSTANY-ASN}] 80 msec
I'm kindly asking you to stop this abuse ASAP.
Thanks,
-J
-- Alaska Wireless Systems http://www.akwireless.net -=- "Take Control of Your E-Mail!" (907)349-4308 Office - AIM = awswired
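The two pieces of evidence in the forwarded report are pasted as flattened text: the Norton "Realtime Protection" events with all fields run onto one line, and a Cisco-style traceroute that prints three probes per hop with an [ASnnnn {NAME}] tag. The Python below is an added example, not code from the thread or from any party named in it. It turns each AV event into a labelled record so the detection name and dropped file path can be listed as indicators, and walks the traceroute to separate the AS that answers from the target address (the hosting network, the primary abuse contact) from the ASes that only carry the path (upstreams worth a Cc). The sample input is constructed from the quoted lines: both Norton events, and hops 1, 5, 7, 8, 11 and 12 of the quoted trace, so hostnames, addresses and AS tags are the report's own. Function names and the hosting/upstream split are this example's. On that input the final hop answers from AS27638 (HOSTANY-ASN) while AS4474 (nlayer) and AS3549 (GBLX) appear only on intermediate hops, which matches how the report was addressed (To: abuse@hostany.com, Cc: abuse@nlayer.net).

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not code from the thread. Sample input below is constructed from
# the Norton events and traceroute hops quoted in the abuse report.

AV_EVENTS = """\
Scan type: Realtime Protection Scan Event: Virus Found! Virus name: Download.Trojan File: C:\\WINNT\\system32\\Haver\\Backsa.exe Location: Quarantine Computer: RASHID-ALKUBAIS User: Administrator Action taken: Clean failed : Quarantine succeeded : Access denied Date found: Tue Dec 16 09:23:12 2003
Scan type: Realtime Protection Scan Event: Virus Found! Virus name: BAT.Trojan File: C:\\WINNT\\system32\\Haver\\ceve.bat Location: Quarantine Computer: RASHID-ALKUBAIS User: Administrator Action taken: Clean failed : Quarantine succeeded : Access denied Date found: Tue Dec 16 09:23:12 2003
"""

# Field labels exactly as Norton prints them; each value runs up to the next label.
AV_LABELS = ["Scan type", "Event", "Virus name", "File", "Location",
             "Computer", "User", "Action taken", "Date found"]
AV_LABEL_RE = re.compile(r"(" + "|".join(re.escape(k) for k in AV_LABELS) + r"): ")


def parse_av_event(line: str) -> Dict[str, str]:
    """Split one flattened Norton event into a {label: value} record."""
    parts = AV_LABEL_RE.split(line.strip())
    # re.split with a capturing group yields ['', label, value, label, value, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def parse_av_log(text: str) -> List[Dict[str, str]]:
    return [parse_av_event(ln) for ln in text.splitlines() if ln.strip()]


def file_iocs(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(detection name, dropped file path) pairs from confirmed detections."""
    return [(e["Virus name"], e["File"]) for e in events if e.get("Event") == "Virus Found!"]


TRACEROUTE = """\
Traceroute to www.darkhell.org (69.22.169.27)
 1 so-11-0.hsa2.Baltimore1.Level3.net (4.68.112.70) 0 msec so-6-1-0.mp1.Baltimore1.Level3.net (4.68.112.65) 0 msec so-11-0.hsa2.Baltimore1.Level3.net (4.68.112.70) 0 msec
 5 209.0.227.118 4 msec pos3-1-2488M.cr2.WDC2.gblx.net (67.17.67.58) [AS3549 {GBLX}] 4 msec 209.0.227.118 0 msec
 7 so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec so2-0-0-2488M.ar3.PAO2.gblx.net (67.17.67.238) [AS3549 {GBLX}] 80 msec so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec
 8 gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 80 msec so2-0-0-2488M.ar3.PAO2.gblx.net (67.17.67.238) [AS3549 {GBLX}] 80 msec gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 76 msec
11 ge1-1.hr1.sfo1.nlayer.net (69.22.143.2) [AS4474 {GVIL1}] 80 msec customer.ge1-5.hr1.sfo1.nlayer.net (69.22.128.230) [AS4474 {GVIL1}] 80 msec ge1-1.hr1.sfo1.nlayer.net (69.22.143.2) [AS4474 {GVIL1}] 76 msec
12 SV4.DNSLISTS.NET (69.22.169.27) [AS27638 {HOSTANY-ASN}] 80 msec customer.ge1-5.hr1.sfo1.nlayer.net (69.22.128.230) [AS4474 {GVIL1}] 76 msec SV4.DNSLISTS.NET (69.22.169.27) [AS27638 {HOSTANY-ASN}] 80 msec
"""

IP = r"\d+(?:\.\d+){3}"
# One probe: "host (ip)" or a bare ip, an optional "[ASnnnn {NAME}]" tag, then the RTT.
PROBE_RE = re.compile(
    rf"(?:(?P<host>\S+) \((?P<ip>{IP})\)|(?P<bare>{IP}))"
    rf"(?: \[AS(?P<asn>\d+) \{{(?P<name>[^}}]*)\}}\])? (?P<rtt>\d+) msec")
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*)$")
TARGET_RE = re.compile(rf"Traceroute to (?P<host>\S+) \((?P<ip>{IP})\)")


def parse_traceroute(text: str) -> Tuple[Optional[str], Dict[int, List[dict]]]:
    """Return (target ip, {hop number: [probe, probe, probe]})."""
    target_ip = None
    hops: Dict[int, List[dict]] = {}
    for line in text.splitlines():
        t = TARGET_RE.search(line)
        if t:
            target_ip = t.group("ip")
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        probes = []
        for p in PROBE_RE.finditer(m.group("rest")):
            probes.append({"host": p.group("host") or p.group("bare"),
                           "ip": p.group("ip") or p.group("bare"),
                           "asn": p.group("asn"), "name": p.group("name"),
                           "rtt": int(p.group("rtt"))})
        hops[int(m.group("hop"))] = probes
    return target_ip, hops


def destination_asns(target_ip: Optional[str], hops: Dict[int, List[dict]]) -> List[str]:
    """ASNs tagged on probes that answered from the target address itself."""
    return sorted({p["asn"] for probes in hops.values() for p in probes
                   if p["ip"] == target_ip and p["asn"]})


def transit_asns(target_ip: Optional[str], hops: Dict[int, List[dict]]) -> List[str]:
    """ASNs seen along the path, in first-seen order, excluding the destination's own."""
    dest = set(destination_asns(target_ip, hops))
    seen: List[str] = []
    for hop in sorted(hops):
        for p in hops[hop]:
            if p["asn"] and p["asn"] not in dest and p["asn"] not in seen:
                seen.append(p["asn"])
    return seen


def abuse_report_targets(text: str) -> Dict[str, List[str]]:
    """Hosting AS (primary abuse contact) versus upstream ASes (candidates for a Cc)."""
    target_ip, hops = parse_traceroute(text)
    return {"hosting": destination_asns(target_ip, hops),
            "upstream": transit_asns(target_ip, hops)}


if __name__ == "__main__":
    for name, path in file_iocs(parse_av_log(AV_EVENTS)):
        print(f"{name}: {path}")
    print(abuse_report_targets(TRACEROUTE))
```

Load-balanced paths are why the hop-12 line still shows an nlayer probe next to the two that answered from SV4.DNSLISTS.NET; keying the hosting decision on the probes whose address equals the target, rather than on "whatever appears on the last hop", keeps the transit network from being misread as the host.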