Inventor of the Internet Technology / Father of Modern Day Networking
My apologies for this non-op note. I was hoping to tap the wisdom of the collective.

http://www.lk.cs.ucla.edu/
http://www.lk.cs.ucla.edu/LK/Inet/keys.html

Is there a person who invented the Internet, and is this person him?

Cheers,
Ehud
On Wed, 27 Sep 2000 09:28:21 PDT, Ehud Gavron said:
Is there a person who invented the Internet, and is this person him?
Well, he may have invented the idea of packet switching, but note that he was NOT one of the inventors of TCP/IP. As with most other major advances, there was no one person who did ALL the work. Calculus was a joint effort, television was a joint effort, computers were a joint effort. And the Internet was a joint effort. Look at the list of RFCs, and ask yourself whether Kleinrock would have gotten anyplace without Vint Cerf, Jon Postel, Steve Crocker, or all the OTHER people who did stuff early on....

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
On Wed, Sep 27, 2000 at 12:51:37PM -0400, Valdis.Kletnieks@vt.edu wrote:
Well, he may have invented the idea of packet switching, but note that he was NOT one of the inventors of TCP/IP.
To be fair, the site does include a link to http://www.isoc.org/internet-history/brief.html and also points out the difference between packet-switching and IP. --msa
Actually, it was I who invented the internet. Back in 1973 it sort of sprang into my mind one day as I gazed at ripples on a pond and snacked on a bag of peyote buttons. But then the wind introduced a randomness into the ripples which was ugly and offended my sensibilities. I decided right then to drop the whole idea. In retrospect I'd have to say it was the right decision.

Speaking of the internet and the way it operates, is anyone else seeing a large number of random hosts scanning through their address space using TCP on port 139?

Bill

On Wed, 27 Sep 2000, Ehud Gavron wrote:
My apologies for this non-op note. I was hoping to tap the wisdom of the collective.
http://www.lk.cs.ucla.edu/ http://www.lk.cs.ucla.edu/LK/Inet/keys.html
Is there a person who invented the Internet, and is this person him?
Cheers,
Ehud
On Wed, 27 Sep 2000, Bill Becker wrote:
Speaking of the internet and the way it operates, is anyone else seeing a large number of random hosts scanning through their address space using TCP on port 139?
Bill
We have been seeing this for about 3 weeks now.

---
John Fraizer
EnterZone, Inc
Yes, but in the past few days activity has stepped up tremendously. Where my webserver, which uses Samba to communicate with my local desktop Win98 machine (the latter is client, no shares exported), used to get an attempt on port 139 once in a couple of months, now I have 45/day. Furthermore, they're overwhelmingly from customers of my upstream, Concentric. A handful from @home and others. I reported this to Concentric with the log.smb file in the message. No response 3 days later.

----- Original Message -----
From: "Randy Bush" <randy@psg.com>
To: "John Fraizer" <nanog@EnterZone.Net>
Cc: <nanog@merit.edu>
Sent: Thursday, September 28, 2000 1:40 AM
Subject: Re: Port 139 scans
Speaking of the internet and the way it operates, is anyone else seeing a large number of random hosts scanning through their address space using TCP on port 139? We have been seeing this for about 3 weeks now.
s/weeks/years/
randy
I am particularly concerned over this issue of these broadcasts originating from Concentric.net, since I, too, a Concentric.net user, have been getting an increase of port 139 scans, then a dialup port saturation and disconnect, even though CFW stops the packet at the port. Let's direct all traffic concerning this issue to Jim Tobias at concentric.net, jtobia@concentric.net, for a concerted effort to resolve the issue if it originates from a Concentric.net or Concentric.com network node.

2000/09/27 6:47:28 AM GMT -0700: Dial-Up Adapter [0000][Ref# 5] Blocking incoming TCP: src=206.173.248.146, dst=206.173.232.156, sport=2596, dport=139.
2000/09/27 9:33:26 PM GMT -0700: Dial-Up Adapter [0000][Ref# 5] Blocking incoming TCP: src=206.173.232.118, dst=206.173.232.204, sport=1638, dport=139.

Dana Hudes wrote:
Yes, but in the past few days activity has stepped up tremendously. Where my webserver, which uses Samba to communicate with my local desktop Win98 machine (the latter is client, no shares exported), used to get an attempt on port 139 once in a couple of months, now I have 45/day. Furthermore, they're overwhelmingly from customers of my upstream, Concentric. A handful from @home and others. I reported this to Concentric with the log.smb file in the message. No response 3 days later.

----- Original Message -----
From: "Randy Bush" <randy@psg.com>
To: "John Fraizer" <nanog@EnterZone.Net>
Cc: <nanog@merit.edu>
Sent: Thursday, September 28, 2000 1:40 AM
Subject: Re: Port 139 scans
Speaking of the internet and the way it operates, is anyone else seeing a large number of random hosts scanning through their address space using TCP on port 139? We have been seeing this for about 3 weeks now.
s/weeks/years/
randy
--
Thank you;
|--------------------------------|
| Thinking is a learned process. |
| ICANN member @large            |
| Gigabit over IP, ieee 802.17   |
|--------------------------------|
Henry R. Linneweh
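An added example, not code from the thread: a parser for the CFW-style "Blocking incoming TCP" lines Henry quotes above, run over constructed sample lines (RFC 5737 test addresses, not the addresses in the thread). It counts port 137-139 hits per source, flags sources that probed several hosts or hammered one host repeatedly, and groups the suspects by /24 so one report can go to each originating netblock's contact. The thresholds and the /24 grouping are assumptions for the example.

```python
"""Pick port 137-139 scanners out of personal-firewall block logs.

Added example (not code from the thread). Parses the CFW-style lines
quoted above, counts hits per source and groups suspects by /24.
SAMPLE_LOG is constructed input using RFC 5737 test addresses.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

NETBIOS_PORTS = {137, 138, 139}

# Field layout of the log lines quoted in the thread. The interface/ref
# part ("Dial-Up Adapter [0000][Ref# 5]") varies, so it is matched loosely.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) GMT [+-]\d{4}: "
    r".*?Blocking incoming (?P<proto>TCP|UDP): "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+), dst=(?P<dst>\d+\.\d+\.\d+\.\d+), "
    r"sport=(?P<sport>\d+), dport=(?P<dport>\d+)\.?$"
)

SAMPLE_LOG = [  # constructed sample input, same layout as the quoted lines
    "2000/09/27 6:47:28 AM GMT -0700: Dial-Up Adapter [0000][Ref# 5] Blocking incoming TCP: src=192.0.2.17, dst=198.51.100.10, sport=2596, dport=139.",
    "2000/09/27 6:47:31 AM GMT -0700: Dial-Up Adapter [0000][Ref# 5] Blocking incoming TCP: src=192.0.2.17, dst=198.51.100.11, sport=2597, dport=139.",
    "2000/09/27 6:47:35 AM GMT -0700: Dial-Up Adapter [0000][Ref# 5] Blocking incoming TCP: src=192.0.2.17, dst=198.51.100.12, sport=2598, dport=139.",
    "2000/09/27 9:33:26 PM GMT -0700: Dial-Up Adapter [0000][Ref# 5] Blocking incoming TCP: src=192.0.2.118, dst=198.51.100.10, sport=1638, dport=139.",
    "2000/09/27 9:40:02 PM GMT -0700: Dial-Up Adapter [0000][Ref# 5] Blocking incoming TCP: src=203.0.113.5, dst=198.51.100.10, sport=1045, dport=139.",
    "2000/09/27 9:40:05 PM GMT -0700: Dial-Up Adapter [0000][Ref# 5] Blocking incoming TCP: src=203.0.113.5, dst=198.51.100.10, sport=1046, dport=139.",
    "2000/09/27 9:40:09 PM GMT -0700: Dial-Up Adapter [0000][Ref# 5] Blocking incoming TCP: src=203.0.113.5, dst=198.51.100.10, sport=1047, dport=139.",
    "2000/09/27 9:41:00 PM GMT -0700: Dial-Up Adapter [0000][Ref# 5] Blocking incoming TCP: src=203.0.113.9, dst=198.51.100.10, sport=3001, dport=80.",
    "2000/09/27 9:42:00 PM GMT -0700: Dial-Up Adapter [0000][Ref# 5] Connection established",
]


def parse_line(line):
    """Return the fields of one block record, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %I:%M:%S %p"),
        "proto": m["proto"],
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "sport": int(m["sport"]),
        "dport": int(m["dport"]),
    }


def summarize(lines, ports=NETBIOS_PORTS):
    """Per source: hit count, distinct targets, first and last time seen."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] not in ports:
            continue
        s = stats.setdefault(rec["src"], {"hits": 0, "targets": set(),
                                          "first": rec["ts"], "last": rec["ts"]})
        s["hits"] += 1
        s["targets"].add(rec["dst"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return stats


def suspects(stats, min_hits=3, min_targets=2):
    """A source that touched several hosts, or one host repeatedly, is a
    scanner; a lone hit may be a mis-set SMB client and is left alone."""
    return sorted(src for src, s in stats.items()
                  if s["hits"] >= min_hits or len(s["targets"]) >= min_targets)


def by_netblock(srcs, prefixlen=24):
    """Group sources by /prefixlen so one report goes per netblock contact."""
    groups = defaultdict(list)
    for src in srcs:
        groups[ip_network(f"{src}/{prefixlen}", strict=False)].append(src)
    return {net: sorted(hosts) for net, hosts in groups.items()}


def report(lines=SAMPLE_LOG):
    """Plain-text report, one section per netblock."""
    stats = summarize(lines)
    out = []
    for net, hosts in sorted(by_netblock(suspects(stats)).items()):
        out.append(f"{net}:")
        for h in hosts:
            s = stats[h]
            out.append(f"  {h}  hits={s['hits']}  targets={len(s['targets'])}"
                       f"  {s['first']:%Y-%m-%d %H:%M} .. {s['last']:%H:%M}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report())
```

Feed it the whole log rather than a day's slice: a single blocked hit is noise, but the same source walking consecutive destination addresses, or returning dozens of times to one host as Dana describes, is what is worth sending to the netblock's abuse contact.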
Dana Hudes wrote:
Yes, but in the past few days activity has stepped up tremendously. Where my webserver, which uses Samba to communicate with my local desktop Win98 machine (the latter is client, no shares exported), used to get an attempt on port 139 once in a couple of months, now I have 45/day.
I also use Concentric. I have seen a huge upsurge in 139 scans, and whenever I connect to the magic port (7597) for curiosity's sake, I get the prompt that shows it's infected. It isn't your imagination. Before someone comments on the fact that these are natural, I will state that I log everything, all the time, and the upswing has been recent, and dramatic. From a natural 2 or 3 an hour, I have seen it surge to
Furthermore, they're overwhelmingly from customers of my upstream -- Concentric. A handful from @home and others. I reported this to Concentric with the log.smb file in the message. No response 3 days later.
I am wondering which address you mailed this to. I am aware that there is at least one person from concentric (or nextlink) that reads this list, so that may help. I've engaged portsentry, specifically looking for those machines that I see that are infected with a variant of the notepad trojan (and thanks to Ken Lindahl for posting that link to NAI, so that I didn't have to go guessing for which port was the magic one). I will be emailing concentric later this evening, with a list of machines that I have verified as containing the trojan. I usually have good response from them, but haven't really tried an email since they combined with Nextlink.

.shrdlu

--
Modems connected to LANs are your friend. -kmart
OK. This thing must be spreading like mad! We're taking several attempts per second.

It might be a good idea to implement filtering on the borders for TCP SYN from 0/0 to 0/0 port 7597. That way, at least it can't be used once it's installed.

I realize it is unrealistic to block 0/0 to 0/0 port 139 on the borders without breaking tons of winblows customers. It sure would be nice though. Especially considering the scope of things and how fast it's spreading.

I believe we've seen this thing on a "test run" in the past few weeks. It took out a fairly good sized regional provider four days in a row. I'm talking DOWN HARD, border to border. All indications are that the controlling party turned the infected machines into kamikazes and had them ping smurf amps. Since the resulting flood of ICMP echo-reply traffic was targeted at machines all over this provider's network on customer pipes ranging from 64K to 155M, it was nearly impossible to diagnose. One minute, everything was fine. Next minute, nothing. It was just dead.

Anyone else have any thoughts on damage control here?

---
John Fraizer
EnterZone, Inc
On Fri, 29 Sep 2000, John Fraizer wrote:
It might be a good idea to implement filtering on the borders for TCP SYN from 0/0 to 0/0 port 7597. That way, at least it can't be used once it's installed.
I realize it is unrealistic to block 0/0 to 0/0 port 139 on the borders without breaking tons of winblows customers. It sure would be nice though. Especially considering the scope of things and how fast it's spreading.
We're also seeing a number of scans at a time. I wonder if anyone else is bothering to pass on reports to the originating netblock contacts. I don't know why we shouldn't block port 139. I blocked 137-139 for years when I was running our previous ISP and no complaints. As they say, let them use FTP! Good thought though, I'll have to add 7597 to our filters.

Chuck Scott
It might be a good idea to implement filtering on the borders for TCP SYN from 0/0 to 0/0 port 7597. That way, at least it can't be used once it's installed.
<snip>
Anyone else have any thoughts on damage control here?
Ok, guess it's time to get on nanog-post....

You can disable the clients, at least until next reboot. This won't work with telnet, you have to use netcat:

$ nc qaz_infected_ip 7597
:qazwsx.hsq
quit
"exit" will close the connection but not the QAZ server, while "quit" does appear to shut it down. You can also "run x". Once QAZ has been shutdown, it's also possible to connect to the share and manually delete the infected notepad.exe, although I haven't yet figured out if there's a way to unshare someone's drives remotely via command line (if I did this, I wouldn't be able to get back in to clean the infection). I've also been playing with that chinese MTA. I've been trying to capture the actual contents of the e-mail that gets sent. Not sure if they've been recently imparted with a clue, but it seems like the SMTP transactions aren't completing now. Something is definitely funny over there... two days ago I could do the following by hand, just like strings on QAZ suggests that it does: 220 smtp.yeah.net ESMTP mail from:nongmin_cn 250 Ok rcpt to:nongmin_cn 250 Ok data 354 End data with <CR><LF>.<CR><LF> . 250 Ok: queued as 9D8021C25A939 Today it disconnects upon receving the "rcpt to:nongmin_cn" line (no 5xx error, just disconnects). I just have a funny feeling about this, it's a very weird MTA that accepts broken syntax (not that that is so uncommon), and it will terminate connections very quickly if it doesn't get data right away. My feeling is that the attackers are probably just watching the SMTP logs to glean IPs from, and that they don't care if the virus gets to send the e-mail or not. I believe that this SMTP isn't actually responsible for _any_ legitimate mail, a check on MX records for yeah.net shows that it's not listed there. Perhaps the attackers have modified the MTA itself now to hide their tracks, making it look like that address has been disabled (the virus doesn't know this, and will keep trying to send at every reboot, btw). Mike P.S. The QAZ server only allows one connection at a time. If you think someone is infected but not answering on that port, it may be in use....
On Fri, 29 Sep 2000, Mike Lewinski wrote:
"exit" will close the connection but not the QAZ server, while "quit" does appear to shut it down. You can also "run x". Once QAZ has been shutdown, it's also possible to connect to the share and manually delete the infected notepad.exe, although I haven't yet figured out if there's a way to unshare someone's drives remotely via command line (if I did this, I wouldn't be able to get back in to clean the infection).
It would be cool if someone would make a tool that would auto-disinfect users... -Dan
On Fri, 29 Sep 2000, Dan Hollis wrote:
On Fri, 29 Sep 2000, Mike Lewinski wrote:
"exit" will close the connection but not the QAZ server, while "quit" does appear to shut it down. You can also "run x". Once QAZ has been shutdown, it's also possible to connect to the share and manually delete the infected notepad.exe, although I haven't yet figured out if there's a way to unshare someone's drives remotely via command line (if I did this, I wouldn't be able to get back in to clean the infection).
It would be cool if someone would make a tool that would auto-disinfect users...
-Dan
Yep. The problem with that is that current laws on the books (in the US at least) make this an illegal solution. If memory serves me correctly, the one I'm thinking about is worded something like:

"...any person who without authorization, accesses, modifies, deletes or destroys..."

The penalties are pretty stiff too. The best of intentions don't negate the fact that it's illegal.

---
John Fraizer
EnterZone, Inc
ISPs must shut off service to infected clients until they repair the damage. A user in such a situation can telnet to their own port 7597 and type the commands. If they want service back, that's what they have to do. If they can't handle it or can't be bothered, then they can't have service, because it is an AUP violation. It doesn't matter how big or small the provider; you are helping your own uninfected customers, because the behavior seems to be to scan local netblocks. Aggressive action is required because things are going to get worse if it is not taken.

----- Original Message -----
From: "John Fraizer" <nanog@EnterZone.Net>
To: "Dan Hollis" <goemon@sasami.anime.net>
Cc: "Mike Lewinski" <mike@rockynet.com>; <nanog@merit.edu>
Sent: Friday, September 29, 2000 4:29 PM
Subject: Re: Disabling QAZ (was Re: Port 139 scans)
On Fri, 29 Sep 2000, Dan Hollis wrote:
On Fri, 29 Sep 2000, Mike Lewinski wrote:
"exit" will close the connection but not the QAZ server, while "quit" does appear to shut it down. You can also "run x". Once QAZ has been shutdown, it's also possible to connect to the share and manually delete the infected notepad.exe, although I haven't yet figured out if there's a way to unshare someone's drives remotely via command line (if I did this, I wouldn't be able to get back in to clean the infection).
It would be cool if someone would make a tool that would auto-disinfect users...
-Dan
Yep. The problem with that is that current laws on the books (in the US at least) make this an illegal solution. If memory serves me correctly, the one I'm thinking about is worded something like:
"...any person who without authorization, accesses, modifies, deletes or destroys..."
The penalties are pretty stiff too. The best of intentions don't negate the fact that it's illegal.
--- John Fraizer EnterZone, Inc
Yep. The problem with that is that current laws on the books (in the US at least) make this an illegal solution. If memory serves me correctly, the one I'm thinking about is worded something like:
"...any person who without authorization, accesses, modifies, deletes or destroys..."
The penalties are pretty stiff too. The best of intentions don't negate the fact that it's illegal.
In some jurisdictions, the "necessity defense" _may_ allow for this type of conduct (especially if the normal channels of redress have failed).

This is about the worst mangling of English I've seen in a while, but you'll see the point I hope:

"The defendant's need to avoid the harm to [himself] [herself] or to the person or property of another clearly outweighed, according to ordinary standards of reasonableness, the harm sought to be prevented by the law which the defendant is accused of violating."

Mike

--
Opinions expressed are mine and mine alone.
What about saying that the port 7597 connection is an attempt to authorize a user connecting to your port 139?

Jason

---
Jason Slagle - CCNA - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GE d-- s:+ a-- C++ UL+++ P--- L+++ E- W- N+ o-- K- w--- O M- V PS+ PE+++ Y+ PGP t+ 5 X+ R tv+ b+ DI+ D G e+ h! r++ y+
------END GEEK CODE BLOCK------

On Fri, 29 Sep 2000, Mike Lewinski wrote:
Yep. The problem with that is that current laws on the books (in the US at least) make this an illegal solution. If memory serves me correctly, the one I'm thinking about is worded something like:
"...any person who without authorization, accesses, modifies, deletes or destroys..."
The penalties are pretty stiff too. The best of intentions don't negate the fact that it's illegal.
In some jurisdictions, the "necessity defense" _may_ allow for this type of conduct (especially if the normal channels of redress have failed).
This is about the worst mangling of English I've seen in a while, but you'll see the point I hope:
"The defendant's need to avoid the harm to [himself] [herself] or to the person or property of another clearly outweighed, according to ordinary standards of reasonableness, the harm sought to be prevented by the law which the defendant is accused of violating."
Mike

--
Opinions expressed are mine and mine alone.
I think hosting a DDoS tool or disruptive trojan is a violation of my AUP. I've only found one copy on a customer network, but they seem to respond well to the "run this .reg file and remove this file to clean your box or we'll pull the plug" email ... it really doesn't seem to be the ISP's job to clean our customers' machines, but it is our job to enforce acceptable use policies. Why not use that, and leave it up to the customer to comply or not (with the documented penalties for noncompliance).

-travis

On Sat, 30 Sep 2000, Jason Slagle wrote:
What about saying that the port 7597 connection is an attempt to authorize a user connecting to your port 139?
Jason
---
Jason Slagle - CCNA - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GE d-- s:+ a-- C++ UL+++ P--- L+++ E- W- N+ o-- K- w--- O M- V PS+ PE+++ Y+ PGP t+ 5 X+ R tv+ b+ DI+ D G e+ h! r++ y+
------END GEEK CODE BLOCK------
Get me specs on how it's done and I will give it a shot. We already have automated sub7 cleaners on DALnet that we use to clean infected hosts. I could likely whip a daemon up pretty easily to monitor port 139 and auto-disinfect.

Jason

---
Jason Slagle - CCNA - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GE d-- s:+ a-- C++ UL+++ P--- L+++ E- W- N+ o-- K- w--- O M- V PS+ PE+++ Y+ PGP t+ 5 X+ R tv+ b+ DI+ D G e+ h! r++ y+
------END GEEK CODE BLOCK------

On Fri, 29 Sep 2000, Dan Hollis wrote:
On Fri, 29 Sep 2000, Mike Lewinski wrote:
"exit" will close the connection but not the QAZ server, while "quit" does appear to shut it down. You can also "run x". Once QAZ has been shutdown, it's also possible to connect to the share and manually delete the infected notepad.exe, although I haven't yet figured out if there's a way to unshare someone's drives remotely via command line (if I did this, I wouldn't be able to get back in to clean the infection).
It would be cool if someone would make a tool that would auto-disinfect users...
-Dan
On Fri, 29 Sep 2000, Mike Lewinski wrote:
It might be a good idea to implement filtering on the borders for TCP SYN from 0/0 to 0/0 port 7597. That way, at least it can't be used once it's installed.
<snip>
Anyone else have any thoughts on damage control here?
Ok, guess it's time to get on nanog-post....
You can disable the clients, at least until next reboot. This won't work with telnet, you have to use netcat:
$ nc qaz_infected_ip 7597 :qazwsx.hsq
quit
Well, since I'm hardheaded, and I don't have netcat installed, I tried with telnet and it seems to have worked.

$ telnet 216.30.78.100 7597
Trying 216.30.78.100...
Connected to 216.30.78.100.
Escape character is '^]'.
:qazwsx.hsq
help die quit
Connection closed by foreign host.

$ telnet 216.30.78.100 7597
Trying 216.30.78.100...
telnet: Unable to connect to remote host: Connection refused

---
John Fraizer
EnterZone, Inc
You can disable the clients, at least until next reboot. This won't work with telnet, you have to use netcat:
Well, since I'm hardheaded, and I don't have netcat installed, I tried with telnet and it seems to have worked.
Err, make that "doesn't work with the Windows 9x/NT telnet client" (actually, I found limited success if I paste the input instead of typing it).

Mike
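An added example, not code from the thread: it scripts the two-line exchange Mike and John show above (the password line, then "quit") and re-checks the port afterwards, so a user can run it against their own machine as Dana suggests instead of fighting the Windows telnet client. Each line is sent as one write, on the assumption that the character-at-a-time telnet client fails because the listener wants a whole line at once (which is also what pasting gives it); CRLF line endings are an assumption too. FakeQazListener is a constructed stand-in for offline testing: it mimics only what the thread reports (one connection at a time, "exit" drops the connection, "quit" after the password ends the listener) and reproduces no prompt or reply of the real trojan. As with the thread's method, this lasts until the next reboot; notepad.exe still has to be cleaned. Point it only at hosts you are authorized to touch; John's point about the law applies to anyone else's.

```python
"""Shut down a QAZ listener on port 7597 with the exchange the thread gives.

Added example, not code from the thread. Run only against your own host.
FakeQazListener is a constructed stand-in for the offline demo, NOT the
trojan; it mimics only the behaviour reported in the thread.
"""
import socket
import threading

QAZ_PORT = 7597
QAZ_PASSWORD = ":qazwsx.hsq"   # password line as given in the thread
LINE_END = b"\r\n"             # assumption: CRLF, as a Windows client sends


def send_lines(host, port, lines, timeout=5.0):
    """Open one connection, send each line as a single write, return the reply.

    One write per line is what nc (or pasting into telnet) does; the
    character-at-a-time Windows telnet client is what the thread reports
    as failing, so the whole line is sent at once here (assumption)."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for line in lines:
            sock.sendall(line.encode() + LINE_END)
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:          # peer hung up
                    break
                reply += chunk
        except socket.timeout:
            pass
    return reply


def port_is_open(host, port, timeout=2.0):
    """TCP connect check. A refusal can also mean the one-connection-at-a-time
    limit mentioned in the thread, so 'closed' means 'not now', not 'clean'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def shutdown_qaz(host="127.0.0.1", port=QAZ_PORT):
    """Send the password, then 'quit'; report whether the listener went away."""
    if not port_is_open(host, port):
        return "not_listening"
    send_lines(host, port, [QAZ_PASSWORD, "quit"])
    return "shut_down" if not port_is_open(host, port) else "still_listening"


class FakeQazListener(threading.Thread):
    """Constructed stand-in for the demo; NOT the trojan and not its protocol.
    One connection at a time; 'exit' ends the connection; 'quit' after the
    password closes the listening socket, as the thread describes."""

    def __init__(self, host="127.0.0.1", port=0):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind((host, port))      # port 0: pick a free port for the demo
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.received = []

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                conn.settimeout(2.0)
                lines, buf = [], b""
                try:
                    while not lines or lines[-1] not in ("quit", "exit"):
                        chunk = conn.recv(1024)
                        if not chunk:
                            break
                        buf += chunk
                        *done, buf = buf.split(b"\n")
                        lines += [l.strip().decode(errors="replace") for l in done]
                except socket.timeout:
                    pass
                self.received += lines
                if QAZ_PASSWORD in lines and "quit" in lines:
                    self.sock.close()  # listener gone before the client is hung up on
                    return


def demo():
    """Run the shutdown against the stand-in; returns (status, lines it saw)."""
    fake = FakeQazListener()
    fake.start()
    status = shutdown_qaz("127.0.0.1", fake.port)
    fake.join(timeout=5)
    return status, fake.received


if __name__ == "__main__":
    print(demo())
```

For the real case, call shutdown_qaz() with no arguments on the infected machine itself; "still_listening" means the listener did not go away (wrong line ending, or the single connection slot was taken), and "not_listening" before you have sent anything is not proof the box is clean.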
participants (14): Bill Becker, Charles Scott, Dan Hollis, Dana Hudes, Ehud Gavron, Etaoin Shrdlu, Henry R. Linneweh, Jason Slagle, John Fraizer, Majdi S. Abbas, Mike Lewinski, Randy Bush, Travis Pugh, Valdis.Kletnieks@vt.edu