Wouldn't it be fun if it contained the WMF exploit in some form? So, I'm planning on using swatch to monitor DNS requests for the known affected domains. What is everyone else planning to do? -Wil
Wil Schultz wrote:
Wouldn't it be fun if it contained the WMF exploit in some form? So, I'm planning on using swatch to monitor DNS requests for the known affected domains. What is everyone else planning to do?
-Wil
All the popular domains known we have pushed out a global rule to our customers to block those domains and we are blocking those domains on the aggregate circuits/routers as a secondary precaution. I plan to check a few times tomorrow to see if any of those domains that aren't registered yet actually show up and possibly use netflow also.
--
http://www.digitalrage.org/ The Information Technology News Center
I'm shutting PCs down and going on vacation for a while. Seriously. :-) TIA to those of you working to protect your customers and therefore other systems as well.
-Jim P.
----- Original Message ----
From: Wil Schultz <wschultz@wilcomm.net>
To: nanog@merit.edu
Sent: Thursday, January 05, 2006 1:53:09 PM
Subject: sober.z to hit tomorrow
Wouldn't it be fun if it contained the WMF exploit in some form? So, I'm planning on using swatch to monitor DNS requests for the known affected domains. What is everyone else planning to do?
-Wil
FYI: I've set some traps on our DNS servers, dunno exactly what this means but I thought that I should share:
Jan 5 18:41:09 myServer named[24490]: client X.X.X.X#1192: query: arcor.de IN MX
Jan 5 18:45:48 myServer named[24490]: client X.X.X.X#1034: query: freenet.de IN MX
These are the only two logs I have at this point. And I don't recall any other Sober searching for an email server.
-Wil
Wil Schultz wrote:
Wouldn't it be fun if it contained the WMF exploit in some form? So, I'm planning on using swatch to monitor DNS requests for the known affected domains. What is everyone else planning to do?
-Wil
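A small script, added here as an illustration and not part of the thread, that does in Python what Wil describes doing with swatch: it parses BIND query-log lines in the format quoted above and lists the clients that issued MX lookups for the domains named in the thread. The sample log lines and client addresses are constructed, and the regex assumes the older `client A.B.C.D#port: query:` layout shown in Wil's message.

```python
import re
from collections import defaultdict

# Constructed sample lines in the BIND query-log format quoted in the thread
# (the client addresses are documentation-range placeholders, not real hosts).
SAMPLE_LOG = """\
Jan 5 18:41:09 myServer named[24490]: client 192.0.2.10#1192: query: arcor.de IN MX
Jan 5 18:42:13 myServer named[24490]: client 192.0.2.10#1193: query: www.example.org IN A
Jan 5 18:45:48 myServer named[24490]: client 192.0.2.10#1034: query: freenet.de IN MX
Jan 5 18:46:02 myServer named[24490]: client 192.0.2.77#2001: query: freenet.de IN A
Jan 5 18:47:30 myServer named[24490]: client 192.0.2.77#2002: query: gmx.de IN MX
"""

# Domains the thread reports seeing MX lookups for; a site would extend this
# with the rest of its own watch list.
WATCHED_DOMAINS = {"arcor.de", "freenet.de"}

# Matches the older BIND query-log layout shown in the thread.
QUERY_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_query_log(text):
    """Yield (client, name, qtype) for every line that parses as a query-log entry."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("name").rstrip(".").lower(), m.group("qtype")


def suspicious_clients(text, watched=WATCHED_DOMAINS, min_hits=1):
    """Map each client that issued MX queries for watched domains to the sorted
    list of those domains, keeping only clients with at least min_hits domains."""
    hits = defaultdict(set)
    for client, name, qtype in parse_query_log(text):
        if qtype == "MX" and name in watched:
            hits[client].add(name)
    return {c: sorted(d) for c, d in hits.items() if len(d) >= min_hits}


if __name__ == "__main__":
    for client, domains in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: MX lookups for {', '.join(domains)}")
```

Only MX queries count, so a client that resolves one of these domains for ordinary web or mail use (an A lookup) is not flagged; raising min_hits trades a few missed hosts for fewer false positives.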
Here is some more interesting information. I'm not positive this is Sober.Z related but it's walking like and talking like a duck. First I see the below DNS requests, shortly after I see many SMTP packets hitting Hotmail, AOL, Yahoo.com, Yahoo.co.uk, Prodigy, etc.... Looks like it's... Sending SPAM?!?! This I didn't expect at all, here is a trace from one of the known infected users:
########################################################
220 mta272.mail.mud.yahoo.com ESMTP YSmtp service ready
HELO mx1.mail.yahoo.com
250 mta272.mail.mud.yahoo.com
MAIL FROM: <wrkdtdnqskz@hotmail.com>
250 sender <wrkdtdnqskz@hotmail.com> ok
RCPT TO: <klay900@yahoo.com>
250 recipient <klay900@yahoo.com> ok
data
354 go ahead
From: "oesh" <wrkdtdnqskz@hotmail.com>
To: klay900@yahoo.com
Content-type: text/html
Subject: You are tempter-lover, for sure!

Soft Cialis. Order <acy></acy>all your prescription medication online<BR>
Have a holiday in your <acm></acm>life with Viagra Pro<BR>
<A href="http://ikbghlmj.milliontime.info/?acdefjxwnsoyikzcvbghlm">http://achibejkf.victoriaroadmaps.info/?dglmfxwnsoyachizcvbejk</A><BR>
Your <acj></acj>wife <acl></acl>will be charmed by your stamina and enduranceGenerik Viagra.<BR>
Your wife will be amazed by you. Generik Viagra.<BR>
Cheapest Viagra <acx></acx>Pro online<BR>
.
250 ok dirdel
quit
221 mta272.mail.mud.yahoo.com
########################################################
Wil Schultz wrote:
FYI: I've set some traps on our DNS servers, dunno exactly what this means but I thought that I should share:
Jan 5 18:41:09 myServer named[24490]: client X.X.X.X#1192: query: arcor.de IN MX
Jan 5 18:45:48 myServer named[24490]: client X.X.X.X#1034: query: freenet.de IN MX
These are the only two logs I have at this point. And I don't recall any other Sober searching for an email server.
-Wil
Wil Schultz wrote:
Wouldn't it be fun if it contained the WMF exploit in some form? So, I'm planning on using swatch to monitor DNS requests for the known affected domains. What is everyone else planning to do?
-Wil
participants (3)
- Elijah Savage
- Jim Popovitch
- Wil Schultz