Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
Hello John Doe, I welcome any further comments you have. We have to get past people such as yourself, and your blasphemous and false statements. This is the same issue with the recent media and self-proclaimed "Security Researchers". Fly-by-night mind you. To help you out in your claims: Yes, we did house a client whom had quite a run with their client's from various locations, such as Russia. That Client is no longer hosted on our network. I myself spent all of monday afternoon, night, and tuesday morning shutting off EVERY machine they had leased in our Billing System. I'm currently working to scan further and see if there's anything I may have missed. Yes, Russia is very well known for Virus and Malware writer's. Yes, we have had issues with malware distribution from our network. This was directly and near singularly related to the former client of ours. We did have another client, Hostfresh, whom had their share of malware issues. Both have been completely and effectively removed. The server's leased to both of them have been canceled, and their machines have been shutoff. Let me know if there's anything else you'd like me to state to the public. We're on a rocky road right now. But it IS starting to smooth out. Thank you for your time. Have a great day. --- Russell Mitchell InterCage, Inc. ----- Original Message ---- From: Mark Foo <mark.foo.dog@gmail.com> To: Bruce Williams <williams.bruce@gmail.com> Cc: Christopher Morrow <christopher.morrow@gmail.com>; nanog@nanog.org; Joe Greco <jgreco@ns.sol.net> Sent: Tuesday, September 23, 2008 11:08:21 PM Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer NANOG: Look, the people posting here who are trashing Intercage are pure security analysts -- they know and understand the evil that is Intercage. STOP TRYING TO ASSIST INTERCAGE -- you are effectively aiding and abetting the enemy. Intercage/Atrivo hosts the malware c&c botnets that DDoS your systems and networks. Intercage/Atrivo hosts the spyware that compromises your users' passwords. Intercage/Atrivo hosts the adware that slows your customers' machines. Don't take my word for it, DO YOUR OWN RESEARCH: http://www.google.com/search?hl=en&q=intercage+malware You don't get called the ***American RBN*** for hosting a couple bad machines. They have and will continue to host much of the malware pumped out of America. THEY ARE NOT YOUR COMRADES.. These people represent the most HIGHLY ORGANZIED CRIME you will ever come across. Most people were afraid to speak out against them until this recent ground swell. This is the MALWARE CARTEL. GET THE PICTURE? Many links have been posted here that prove this already -- instead of asking what customers they cut off, let them show WHAT CUSTOMERS ARE LEGIT-- because there are NONE.
I would suggest a different Step 1. Instead of killing power, simply isolate the affected machine. This might be as simple as putting up a firewall rule or two, if it is simply sending outgoing SMTP spam, or it's probably easiest (depending on the network gear of course) to just put the lan port into an isolated VLAN. It's not the 100% solution (some badness rm's itself once it loses connectivity to the internets) but it'd make things simpler for the client/LEA when they need to figure out what happened.
-chris
Russell: Ferg was just being coy -- what you don't understand is there are about 3 other security mailing lists plotting to TAKE YOUR SERVICE DOWN. You FAIL. Law Enforcement might not take action against you (but appear to be interested now), but the community can. GET OFF THE NET WITH YOUR MALWARE! You mistake me for someone who believes you pack of lies! Don't you understand each time you post to this list gives those of us who know the opportunity to post MORE EVIDENCE of your MALWARE? You disconnected Hostfresh and think that's the extent of your cimes? Gimme a break. Only those who are easily socially engineered would believe your pathetic claims of innocence. You've BEEN HOSTING MALWARE since 2003 -- SEE Nanog post: Re: The in-your-face hijacking example http://www.irbs.net/internet/nanog/0305/0038.html
Let me know if there's anything else you'd like me to state to the public.
Answer Ferg's question -- Why are you moving to CERNAL? Do you think this is going to work? That's just another of Emil's networks.
We're on a rocky road right now. But it IS starting to smooth out.
That's just the calm before the storm. Go ahead and post a response to each of these allegations: Cybercrime's US Hosts http://www.spamhaus.org/news.lasso?article=636 Report Slams U.S. Host as Major Source of Badware http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as... A Superlative Scam and Spam Site Registrar http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html?nav=rss... ICANN cast as online scam enabler http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/ 'Malware-friendly' Intercage back with the living http://www.theregister.co.uk/2008/09/24/intercage_back_online/ On Tue, Sep 23, 2008 at 11:50 PM, Russell Mitchell <russm2k8@yahoo.com> wrote:
Hello John Doe,
I welcome any further comments you have. We have to get past people such as yourself, and your blasphemous and false statements.
This is the same issue with the recent media and self-proclaimed "Security Researchers". Fly-by-night mind you.
To help you out in your claims: Yes, we did house a client whom had quite a run with their client's from various locations, such as Russia. That Client is no longer hosted on our network. I myself spent all of monday afternoon, night, and tuesday morning shutting off EVERY machine they had leased in our Billing System. I'm currently working to scan further and see if there's anything I may have missed.
Yes, Russia is very well known for Virus and Malware writer's.
Yes, we have had issues with malware distribution from our network. This was directly and near singularly related to the former client of ours. We did have another client, Hostfresh, whom had their share of malware issues.
Both have been completely and effectively removed. The server's leased to both of them have been canceled, and their machines have been shutoff.
Let me know if there's anything else you'd like me to state to the public. We're on a rocky road right now. But it IS starting to smooth out.
Thank you for your time. Have a great day. --- Russell Mitchell
InterCage, Inc.
----- Original Message ---- From: Mark Foo <mark.foo.dog@gmail.com> To: Bruce Williams <williams.bruce@gmail.com> Cc: Christopher Morrow <christopher.morrow@gmail.com>; nanog@nanog.org; Joe Greco <jgreco@ns.sol.net> Sent: Tuesday, September 23, 2008 11:08:21 PM Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
NANOG:
Look, the people posting here who are trashing Intercage are pure security analysts -- they know and understand the evil that is Intercage. STOP TRYING TO ASSIST INTERCAGE -- you are effectively aiding and abetting the enemy.
Intercage/Atrivo hosts the malware c&c botnets that DDoS your systems and networks.
Intercage/Atrivo hosts the spyware that compromises your users' passwords.
Intercage/Atrivo hosts the adware that slows your customers' machines.
Don't take my word for it, DO YOUR OWN RESEARCH: http://www.google.com/search?hl=en&q=intercage+malware
You don't get called the ***American RBN*** for hosting a couple bad machines. They have and will continue to host much of the malware pumped out of America. THEY ARE NOT YOUR COMRADES..
These people represent the most HIGHLY ORGANZIED CRIME you will ever come across. Most people were afraid to speak out against them until this recent ground swell.
This is the MALWARE CARTEL. GET THE PICTURE?
Many links have been posted here that prove this already -- instead of asking what customers they cut off, let them show WHAT CUSTOMERS ARE LEGIT-- because there are NONE.
I would suggest a different Step 1. Instead of killing power, simply isolate the affected machine. This might be as simple as putting up a firewall rule or two, if it is simply sending outgoing SMTP spam, or it's probably easiest (depending on the network gear of course) to just put the lan port into an isolated VLAN. It's not the 100% solution (some badness rm's itself once it loses connectivity to the internets) but it'd make things simpler for the client/LEA when they need to figure out what happened.
-chris
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Sep 24, 2008 at 12:27 AM, Mark Foo <mark.foo.dog@gmail.com> wrote:
Answer Ferg's question -- Why are you moving to CERNAL? Do you think this is going to work? That's just another of Emil's networks.
Actually, I was not being coy. Okay, maybe I was. With regards to the "prefix shuffle" to Cernel, I think that speaks for itself. With regards to "...another of Emil's networks...", I don't believe that to be true. In fact, I think Emil is just a pawn in this entire mess. It is clear to me -- at least -- that this entire criminal operation is being operated out of Eastern Europe, and their foothold in the U.S. is the major issue here. This is the major heartburn -- ISPs and network operators in the U.S. seem not to care about these issues, and it becomes an 'unpopular' effort to purge these activities in this audience. $.02, - - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) wj8DBQFI2e5Wq1pz9mNUZTMRAsf6AJ47BKaCBckIkllV2XN/CJhvIGUqowCgrOSQ kBmKYLTVEipzNwXGxIZa6Zo= =zs8t -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
It is clear to me -- at least -- that this entire criminal operation is being operated out of Eastern Europe, and their foothold in the U.S. is the major issue here.
If you believe that this is a criminal operation then you should keep this discussion OFF THE LIST and discourage anyone from taking any action against the bad guys that might disrupt evidence gathering. If this is a criminal matter, then it is best to keep quiet, collect good evidence, and go to court. Better to get a court injunction ordering them to stop sending malware, and then collect evidence showing that they violated the injunction. To do this, they need to have functioning upstream connections to your network. NANOG is not the place to discuss these things. None of this is network operational. The whole discussion amounts to a shouting match between vigilantes and their victims. Some of those victims might also be bad guys, but a shouting match on NANOG does not prove this one way or the other. --Michael Dillon
Very well said. James -----Original Message----- From: michael.dillon@bt.com [mailto:michael.dillon@bt.com] Sent: Wednesday, September 24, 2008 5:23 AM To: nanog@nanog.org Subject: RE: YAY! Re: Atrivo/Intercage: NO Upstream depeer
It is clear to me -- at least -- that this entire criminal operation is being operated out of Eastern Europe, and their foothold in the U.S. is the major issue here.
If you believe that this is a criminal operation then you should keep this discussion OFF THE LIST and discourage anyone from taking any action against the bad guys that might disrupt evidence gathering. If this is a criminal matter, then it is best to keep quiet, collect good evidence, and go to court. Better to get a court injunction ordering them to stop sending malware, and then collect evidence showing that they violated the injunction. To do this, they need to have functioning upstream connections to your network. NANOG is not the place to discuss these things. None of this is network operational. The whole discussion amounts to a shouting match between vigilantes and their victims. Some of those victims might also be bad guys, but a shouting match on NANOG does not prove this one way or the other. --Michael Dillon
participants (5)
-
James Thomas
-
Mark Foo
-
michael.dillon@bt.com
-
Paul Ferguson
-
Russell Mitchell