Security Incidents mailing list archives

RE: Source of Windows PopUp SPAM


From: "Brenna Primrose" <primrose () creighton edu>
Date: Tue, 15 Oct 2002 17:06:51 -0500

Before one of my servers received the popup, BlackICE alerted me to the
following on my personal (non-server) machine:

Intruder information:

 IP:  207.44.141.140
 Name:  WEBPOPUP06
 DNS:  WEBPOPUP06
 Node:  WEBPOPUP06
 Workgroup:  WORKGROUP
 NetBIOS:  WEBPOPUP06     
 MAC:  005056630372


Hack attempts by this intruder:

  Date & Time: 2002-10-14 16:00:34 (-5:00 GMT)
  Time Zone: Central Daylight Time
  MSRPC UDP port probe (port=135)
  Victim IP: 147.134.47.171
  Attempts: 2

  Date & Time: 2002-10-15 02:41:15 (-5:00 GMT)
  Time Zone: Central Daylight Time
  MSRPC UDP port probe (port=135)
  Victim IP: 147.134.47.171
  Attempts: 2

4 intrusions detected from this intruder.


BlackICE Defender personal firewall log entries:

Severity,Timestamp,IssueID,IssueName,IntruderIP,IntruderName,VictimIP,VictimName,Parameters,Count,ResponseLevel,IntruderPort,VictimPort,PacketFlags
1,2002-10-14 16:00:34,2003405,MSRPC UDP port probe,207.44.141.140,WEBPOPUP06,147.134.47.171,,port=135&reason=Firewalled,2,,1803,135,00006911
1,2002-10-15 02:41:15,2003405,MSRPC UDP port probe,207.44.141.140,WEBPOPUP06,147.134.47.171,,port=135&reason=Firewalled,2,,1302,135,00006911


(This report was generated by VisualICE Report Utility 4.7)

The computer at 207.44.141.140 (annoyingly named "WEBPOPUP06") is the
culprit in our case.  The ISP has been notified.

These spammers are freakin' annoying!

Brenna



http://profiles.yahoo.com/absolut_contagion 
http://gsa.creighton.edu
AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t () creighton edu 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+ 
O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+ 
G e* h- r++ x+ 
------END GEEK CODE BLOCK------
-----Original Message-----
From: Lawrence Baldwin [mailto:pckboy () bellsouth net] 
Sent: Sunday, October 13, 2002 12:27 PM
To: incidents () securityfocus com
Subject: Source of Windows PopUp SPAM



I believe I have figured out the hosts that were used to send the recent
rash of PopUP SPAM:

http://www.mynetwatchman.com/kb/security/articles/popupspam/

Lawrence Baldwin
myNetWatchman.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
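
Added example (not part of the original post and not BlackICE's own tooling): a small Python parser for the BlackICE CSV export quoted above. It rejoins lines folded by mail wrapping and totals probe counts per source. The 72-column wrap width and the function names are assumptions made for this example.

```python
import csv
import re
from collections import defaultdict
from urllib.parse import parse_qs

WRAP = 72  # assumption: column at which the mail client hard-wrapped long lines
RECORD_START = re.compile(r"^(Severity,|\d+,\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},)")

# Log lines copied from the post above, still folded as they arrived by mail.
SAMPLE = """\
Severity,Timestamp,IssueID,IssueName,IntruderIP,IntruderName,VictimIP,Vi
ctimName,Parameters,Count,ResponseLevel,IntruderPort,VictimPort,PacketFl
ags
1,2002-10-14 16:00:34,2003405,MSRPC UDP port
probe,207.44.141.140,WEBPOPUP06,147.134.47.171,,port=135&reason=Firewall
ed,2,,1803,135,00006911
1,2002-10-15 02:41:15,2003405,MSRPC UDP port
probe,207.44.141.140,WEBPOPUP06,147.134.47.171,,port=135&reason=Firewall
ed,2,,1302,135,00006911
"""

def unfold(text):
    """Rejoin folded lines: no separator after a full-width line (token cut
    mid-word), a single space after a shorter one (wrapped at a space)."""
    records, prev_len = [], 0
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += ("" if prev_len == WRAP else " ") + line
        prev_len = len(line)
    return records

def parse(text):
    """Return one dict per log record, with Parameters decoded and Count as int."""
    rows = list(csv.DictReader(unfold(text)))
    for row in rows:
        row["Parameters"] = {k: v[0] for k, v in parse_qs(row["Parameters"]).items()}
        row["Count"] = int(row["Count"])
    return rows

def probes_by_source(rows):
    """Sum the Count column per (source IP, issue name, victim port)."""
    totals = defaultdict(int)
    for r in rows:
        totals[(r["IntruderIP"], r["IssueName"], r["VictimPort"])] += r["Count"]
    return dict(totals)
```

Calling `probes_by_source(parse(SAMPLE))` yields one key for 207.44.141.140 with a total of 4, matching the "4 intrusions detected" line in the report.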



