nanog mailing list archives

Re: Port 139 scans

From: Roland Dobbins <rdobbins () netmore net>
Date: Thu, 28 Sep 2000 10:57:04 -0700


http://www.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html

Ben Browning wrote:


At 09:54 AM 9/28/00 -0700, vern () ee lbl gov wrote:

By the way, we identified a couple instances of the virus that Ken Lindahl
mentioned in his earlier post.


Indeed, nearly all of my woes have disappeared with this information.
Thanks Ken!

Additionally, I set a trap for it yesterday. I opened a Windows box up to
all internet traffic, made it nice and insecure (let me tell ya, that took
a lot of work ;), and dialed it up. Then every half hour or so I checked
for it. After an hour, I had a bug in a bottle.

Busting out the handy hex editor, I scrolled down, and down, and down,
until what should appear before my burning eyes, but Lo! An IP address...

...which points to an open mail relay somewhere in China (202.106.185.107)
which then is used to send the info(likely the IP addy of the infected box)
to the local user nongmin_cn . If anyone else goes through this process,
I'd be interested in knowing about it.

I already sent off abuse complaints to the upstreams for that IP. Hope they
can read English  :)

---
Ben Browning <benb () oz net>
oz.net Network Operations
Tel (206) 443-8000 Fax (206) 443-0500
http://www.oz.net/


-- 
------------------------------------------------------------
 Roland Dobbins <rdobbins () netmore net> // 818.535.5024 voice

Current thread:

Re: Port 139 scans ken lindahl (Sep 27)
- <Possible follow-ups>
- RE: Port 139 scans Roeland M.J. Meyer (Sep 27)
  - Re: Port 139 scans Roland Dobbins (Sep 27)
- RE: Port 139 scans Roeland M.J. Meyer (Sep 27)
- Re: Port 139 scans vern (Sep 28)
  - Re: Port 139 scans Ben Browning (Sep 28)
    - Re: Port 139 scans Roland Dobbins (Sep 28)