I am particularly concerned over this issue of these broadcasts originating from Concentric.net
I don't think they particularly are. Here at lbl.gov (128.3/16), we're getting scanned from cmu.edu (128.2/16). nersc.gov (128.55/16) is getting scanned from ucsd.edu (128.54/16). So it could well be that the ones being scanned from concentric.net are simply those with nearby address blocks, and it's just one small part of rampant scanning from all over the place.

By the way, we identified a couple instances of the virus that Ken Lindahl mentioned in his earlier post.

Vern
At 09:54 AM 9/28/00 -0700, vern@ee.lbl.gov wrote:
By the way, we identified a couple instances of the virus that Ken Lindahl mentioned in his earlier post.
Indeed, nearly all of my woes have disappeared with this information. Thanks Ken!

Additionally, I set a trap for it yesterday. I opened a Windows box up to all internet traffic, made it nice and insecure (let me tell ya, that took a lot of work ;), and dialed it up. Then every half hour or so I checked for it. After an hour, I had a bug in a bottle.

Busting out the handy hex editor, I scrolled down, and down, and down, until what should appear before my burning eyes, but Lo! An IP address...

...which points to an open mail relay somewhere in China (202.106.185.107) which then is used to send the info (likely the IP addy of the infected box) to the local user nongmin_cn. If anyone else goes through this process, I'd be interested in knowing about it.

I already sent off abuse complaints to the upstreams for that IP. Hope they can read English :)

---
Ben Browning <benb@oz.net>
oz.net Network Operations
Tel (206) 443-8000  Fax (206) 443-0500
http://www.oz.net/
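The "scroll through the hex editor until an address appears" step in Ben's write-up is the part of the triage that is easiest to automate. The following is an added example, not code from this thread, that scans a captured binary for dotted-quad IPv4 strings in both plain ASCII and UTF-16LE (Windows binaries often store wide strings), rejects out-of-range octets and five-part version numbers, and prints a hex-editor style context line for each hit. The sample blob and the addresses in it are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# ASCII dotted quad: four 1-3 digit groups, not glued to other digits or dots.
_ASCII_QUAD = re.compile(
    rb"(?<![0-9.])([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})(?![0-9.])"
)
# Same shape in UTF-16LE, where every ASCII character is followed by a NUL byte.
_WIDE_QUAD = re.compile(
    rb"(?<![0-9.]\x00)(?:[0-9]\x00){1,3}\.\x00(?:[0-9]\x00){1,3}\.\x00"
    rb"(?:[0-9]\x00){1,3}\.\x00(?:[0-9]\x00){1,3}(?![0-9.]\x00)"
)


def _octets_ok(text: str) -> bool:
    """True when every dotted component is in 0..255 (the regex only bounds digits)."""
    return all(0 <= int(part) <= 255 for part in text.split("."))


def find_ipv4_strings(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (byte_offset, address, encoding) for every valid dotted-quad
    IPv4 string embedded in blob, sorted by offset."""
    hits = []
    for m in _ASCII_QUAD.finditer(blob):
        text = m.group(0).decode("ascii")
        if _octets_ok(text):
            hits.append((m.start(), text, "ascii"))
    for m in _WIDE_QUAD.finditer(blob):
        text = m.group(0).decode("utf-16-le")
        if _octets_ok(text):
            hits.append((m.start(), text, "utf-16-le"))
    return sorted(hits)


def context(blob: bytes, offset: int, width: int = 16) -> str:
    """One hex-editor style line around a hit, handy for an abuse report or triage note."""
    start = max(0, offset - width)
    chunk = blob[start:offset + width]
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{start:08x}  {chunk.hex(' ')}  |{printable}|"


# Constructed sample: a fake header, one hard-coded relay address in ASCII,
# two decoys that must be rejected, and one address stored as a wide string.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"relay=192.0.2.10\x00"                # constructed relay address (documentation range)
    + b"ver 999.1.1.1\x00"                   # out-of-range octet: must be rejected
    + b"build 1.2.3.4.5\x00"                 # five components: must be rejected
    + "to=198.51.100.7".encode("utf-16-le")  # constructed wide-string address
    + b"\x00\x00"
)

if __name__ == "__main__":
    for off, addr, enc in find_ipv4_strings(SAMPLE_BLOB):
        print(f"{off:#08x} {enc:<9} {addr}")
        print("  " + context(SAMPLE_BLOB, off))
```

This only finds addresses stored in the clear; a packed or obfuscated sample has to be unpacked (or run in a sandbox and watched on the wire) before a string scan says anything. Every hit still needs a human look at the surrounding bytes, which is what the context line is for.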
http://www.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html

Ben Browning wrote:
--
------------------------------------------------------------
Roland Dobbins <rdobbins@netmore.net> // 818.535.5024 voice