nlayer.net Abuse and Security contact

[John Obi <dalnetuzer () yahoo com>]

Folks,

I have sent many emails to abuse () nlayer net and
security () nlayer net reporting a security abuse by one
of their users but nothing done up to now.

If there is real person from nlayer.net please contact
me offline.

Thanks,

-J

__________________________________
Do you Yahoo!?
New Yahoo! Photos - easier uploading and sharing.
http://photos.yahoo.com/
> --- Begin Message ---
>
>
> From: John Obi <dalnetuzer () yahoo com>
>
> Date: Mon, 15 Dec 2003 22:57:36 -0800 (PST)
>
> Dear Sir/Madam,
>
> We have known script kiddie who spreads
> Download.Trojan and BAT.Trojan.
>
> The script kiddi runs port scan and infect the users
> who use WinNT, 2000 and XP via port 445 if the windows
> isn't updated.
>
> He is issuing commands to the infected PC to download
> this setup file which has these trojans.
>
> http://www.darkhell.org/sh1.exe
>
> This host is hosting the trojan files which is in
> sh1.exe
>
> When you download this file and you have Norton
> Antivirus or Mcafee with latest virus ID, your AV will
> detect it directly as below:
>
> can type:  Realtime Protection Scan
> Event:  Virus Found!
> Virus name: Download.Trojan
> File:  C:\WINNT\system32\Haver\Backsa.exe
> Location:  Quarantine
> Computer:  RASHID-ALKUBAIS
> User:  Administrator
> Action taken:  Clean failed : Quarantine succeeded :
> Access denied
> Date found: Tue Dec 16 09:23:12 2003
>
> Scan type:  Realtime Protection Scan
> Event:  Virus Found!
> Virus name: BAT.Trojan
> File:  C:\WINNT\system32\Haver\ceve.bat
> Location:  Quarantine
> Computer:  RASHID-ALKUBAIS
> User:  Administrator
> Action taken:  Clean failed : Quarantine succeeded :
> Access denied
> Date found: Tue Dec 16 09:23:12 2003
>
>
> When I got connected to his IRC server I saw this:
>
> * Dns resolved sh1.cellfiles.org to 81.134.89.149
>
> [07:01] * Connecting to 81.134.89.149 (6667)
> -
> [07:01] -irc.DarkHell.Org- *** Looking up your
> hostname...
>
> -
> There are 437 users and 0 invisible on 1 servers
> 2 channels formed
> I have 437 clients and 0 servers
> -
>
> ========================
>
> [07:01] * Now talking in #sh1-
> [07:01] <[H0-3250]> !pfast stop
> [07:01] <[H0-3250]> !syn 66.90.92.202 6667 500
> [07:01] <[H0-3250]> !pfast 444444 66.90.92.202 6667
> [07:02] <[H0-3250]> !syn 202.91.32.181 6667 500
> [07:02] <[H0-3250]> !pfast stop
> [07:02] <[H0-3250]> !pfast 444444 202.91.32.181 6667
> [07:02] <[H0-3250]> !syn 69.65.31.3 6667 500
> [07:02] <[H0-3250]> !pfast stop
> [07:02] <[H0-3250]> !pfast 444444 69.65.31.3 6667
> [07:02] <[H0-3250]> !ipscan
> [07:02] <[H0-3250]> !syn 66.151.29.193 6667 500
>
> ========================================
>
> -
> [H0-3250] is
> Have () devilz-E8805F6 in-addr btopenworld com * h3h3
> [H0-3250] on +#sh1- 
> [H0-3250] using irc.DarkHell.Org DarkHell server
> [H0-3250] has been idle 18secs, signed on Mon Dec 15
> 14:53:28
> [H0-3250] End of /WHOIS list.
> -
>
> ==================================================
>
> And he issuing these DDoS attacks against the IRC
> servers around the globe and the http servers.
>
> The traceroute to www.darkhell.org  shows that it's
> hosted in your network.
>
> Show Level 3 (Baltimore, MD) Traceroute to
> www.darkhell.org (69.22.169.27) 
>
>   1 so-11-0.hsa2.Baltimore1.Level3.net (4.68.112.70) 0
> msec
>     so-6-1-0.mp1.Baltimore1.Level3.net (4.68.112.65) 0
> msec
>     so-11-0.hsa2.Baltimore1.Level3.net (4.68.112.70) 0
> msec
>   2 so-0-1-0.bbr2.Washington1.Level3.net
> (64.159.0.230) 0 msec
>     so-6-1-0.mp2.Baltimore1.Level3.net (4.68.112.73) 0
> msec
>     so-0-1-0.bbr2.Washington1.Level3.net
> (64.159.0.230) 0 msec
>   3 so-6-1-0.bbr1.Washington1.Level3.net
> (64.159.0.106) 4 msec
>     so-7-0-0.edge1.Washington1.Level3.net
> (209.244.11.14) 0 msec
>     so-6-1-0.bbr1.Washington1.Level3.net
> (64.159.0.106) 4 msec
>   4 209.0.227.118 4 msec
>     so-6-0-0.edge1.Washington1.Level3.net
> (209.244.11.10) 0 msec
>     209.0.227.118 4 msec
>   5 209.0.227.118 4 msec
>     pos3-1-2488M.cr2.WDC2.gblx.net (67.17.67.58)
> [AS3549 {GBLX}] 4 msec
>     209.0.227.118 0 msec
>   6 so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241)
> [AS3549 {GBLX}] 76 msec
>     pos3-1-2488M.cr1.WDC2.gblx.net (67.17.67.54)
> [AS3549 {GBLX}] 4 msec
>     so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241)
> [AS3549 {GBLX}] 76 msec
>   7 so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241)
> [AS3549 {GBLX}] 76 msec
>     so2-0-0-2488M.ar3.PAO2.gblx.net (67.17.67.238)
> [AS3549 {GBLX}] 80 msec
>     so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241)
> [AS3549 {GBLX}] 76 msec
>   8 gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193)
> [AS4474 {GVIL1}] 80 msec
>     so2-0-0-2488M.ar3.PAO2.gblx.net (67.17.67.238)
> [AS3549 {GBLX}] 80 msec
>     gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193)
> [AS4474 {GVIL1}] 76 msec
>   9 gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193)
> [AS4474 {GVIL1}] 80 msec
>     ge-1-1-0.cr1.sfo1.nlayer.net (69.22.143.178)
> [AS4474 {GVIL1}] 76 msec
>     gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193)
> [AS4474 {GVIL1}] 80 msec
>  10 ge4-4.hr1.sfo1.nlayer.net (69.22.143.10) [AS4474
> {GVIL1}] 108 msec
>     ge-1-1-0.cr1.sfo1.nlayer.net (69.22.143.178)
> [AS4474 {GVIL1}] 76 msec
>     ge4-4.hr1.sfo1.nlayer.net (69.22.143.10) [AS4474
> {GVIL1}] 80 msec
>  11 ge1-1.hr1.sfo1.nlayer.net (69.22.143.2) [AS4474
> {GVIL1}] 80 msec
>     customer.ge1-5.hr1.sfo1.nlayer.net (69.22.128.230)
> [AS4474 {GVIL1}] 80 msec
>     ge1-1.hr1.sfo1.nlayer.net (69.22.143.2) [AS4474
> {GVIL1}] 76 msec
>  12 SV4.DNSLISTS.NET (69.22.169.27) [AS27638
> {HOSTANY-ASN}] 80 msec
>     customer.ge1-5.hr1.sfo1.nlayer.net (69.22.128.230)
> [AS4474 {GVIL1}] 76 msec
>     SV4.DNSLISTS.NET (69.22.169.27) [AS27638
> {HOSTANY-ASN}] 80 msec
>
> I'm asking you to stop this abuse kindly ASAP.
>
> Thanks,
>
> -J
>
>
>
> __________________________________
> Do you Yahoo!?
> New Yahoo! Photos - easier uploading and sharing.
> http://photos.yahoo.com/
>
> --- End Message ---