Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Spam from weird IP 118.189.136.119

  • From: Lars Higham
  • Date: Tue Jun 17 00:51:55 2003

Okay, but what's the trojan signature look like?

How should people be checking to see if they're compromised?

-----Original Message-----
From: John Brown [mailto:jmbrown@chagresventures.com] 
Sent: Tuesday, June 17, 2003 10:12 AM
To: Lars Higham
Cc: nanog@nanog.org
Subject: Re: Spam from weird IP 118.189.136.119


I name this 

Weird-118rr


On Tue, Jun 17, 2003 at 09:48:07AM +0530, Lars Higham wrote:
> 
> 
> 
> It would be useful if this exploit could be named and documented at 
> least for one known instance -
> 
> 
> Regards,
> Lars Higham
> 
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf 
> Of Richard D G Cox
> Sent: Monday, June 16, 2003 9:32 PM
> To: nanog@nanog.org
> Subject: Re: Spam from weird IP 118.189.136.119
> 
> 
> 
> On Mon, 16 Jun 2003 17:33:11 +0200, "Pascal Gloor" 
> <pascal.gloor@spale.com> wrote:
> 
> | Getting SPAM from 118.189.136.119 relayed by rr.com ?
> |
> | this network is not allocated, nor announced. I have been looking
> | everywhere to find if it has been announced (historical bgp update 
> | databases, like RIS RIPE / CIDR REPORT / etc..)... I didnt found 
> | anything.... this probably mean rr.com is routing that network 
> | internaly.
> 
> This is very likely to be a known exploit I have been tracking.  In 
> all the cases which we have so far confirmed, the spam was not 
> relayed, but proxied by a trojan executable which is able to mimic a 
> "previous" header with such a degree of accuracy that it is 
> indistinguishable from the genuine article!
> 
> | If there is any rr.com guy around. Could you please check this?
> 
> Our advice would be that the server-that-connected-to-you needs to be 
> taken offline by the security people at its site (which you say is
> RoadRunner) and they should have ALL its disk(s) imaged for forensic 
> analysis purposes.
> 
> Our experience is that sites hit by this exploit will do basic checks 
> on the server and claim it is uncompromised and "cannot possibly be 
> sending that spam".  Such a claim would be entirely incorrect.  You 
> would need to persuade them that something is wrong, which is 
> difficult at the best of times.  RoadRunner being involved in this 
> case suggests this may
> *not* be the "best of times".
> 
> --
> Richard Cox
> 





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.