North American Network Operators Group
Re: Port 139 scans
- From: Roland Dobbins
- Date: Thu Sep 28 14:04:59 2000
http://www.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
Ben Browning wrote:
>
> At 09:54 AM 9/28/00 -0700, vern@ee.lbl.gov wrote:
> >By the way, we identified a couple instances of the virus that Ken Lindahl
> >mentioned in his earlier post.
>
> Indeed, nearly all of my woes have disappeared with this information.
> Thanks Ken!
>
> Additionally, I set a trap for it yesterday. I opened a Windows box up to
> all internet traffic, made it nice and insecure (let me tell ya, that took
> a lot of work ;), and dialed it up. Then every half hour or so I checked
> for it. After an hour, I had a bug in a bottle.
>
> Busting out the handy hex editor, I scrolled down, and down, and down,
> until what should appear before my burning eyes, but Lo! An IP address...
>
> ...which points to an open mail relay somewhere in China (202.106.185.107)
> which then is used to send the info (likely the IP addy of the infected box)
> to the local user nongmin_cn. If anyone else goes through this process,
> I'd be interested in knowing about it.
>
> I already sent off abuse complaints to the upstreams for that IP. Hope they
> can read English :)
>
> ---
> Ben Browning <benb@oz.net>
> oz.net Network Operations
> Tel (206) 443-8000 Fax (206) 443-0500
> http://www.oz.net/
--
------------------------------------------------------------
Roland Dobbins <rdobbins@netmore.net> // 818.535.5024 voice