nanog mailing list archives

RE: Spam from weird IP 118.189.136.119


From: "Lars Higham" <lhigham () yahoo com>
Date: Tue, 17 Jun 2003 10:17:38 +0530


Okay, but what's the trojan signature look like?

How should people be checking to see if they're compromised?

-----Original Message-----
From: John Brown [mailto:jmbrown () chagresventures com] 
Sent: Tuesday, June 17, 2003 10:12 AM
To: Lars Higham
Cc: nanog () nanog org
Subject: Re: Spam from weird IP 118.189.136.119


I name this 

Weird-118rr


On Tue, Jun 17, 2003 at 09:48:07AM +0530, Lars Higham wrote:



It would be useful if this exploit could be named and documented at 
least for one known instance -


Regards,
Lars Higham

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf 
Of Richard D G Cox
Sent: Monday, June 16, 2003 9:32 PM
To: nanog () nanog org
Subject: Re: Spam from weird IP 118.189.136.119



On Mon, 16 Jun 2003 17:33:11 +0200, "Pascal Gloor" 
<pascal.gloor () spale com> wrote:

| Getting SPAM from 118.189.136.119 relayed by rr.com ?
|
| this network is not allocated, nor announced. I have been looking
| everywhere to find if it has been announced (historical bgp update 
| databases, like RIS RIPE / CIDR REPORT / etc..)... I didn't find 
| anything.... this probably means rr.com is routing that network 
| internally.

This is very likely to be a known exploit I have been tracking.  In 
all the cases which we have so far confirmed, the spam was not 
relayed, but proxied by a trojan executable which is able to mimic a 
"previous" header with such a degree of accuracy that it is 
indistinguishable from the genuine article!

| If there is any rr.com guy around. Could you please check this?

Our advice would be that the server-that-connected-to-you needs to be 
taken offline by the security people at its site (which you say is
RoadRunner) and they should have ALL its disk(s) imaged for forensic 
analysis purposes.

Our experience is that sites hit by this exploit will do basic checks 
on the server and claim it is uncompromised and "cannot possibly be 
sending that spam".  Such a claim would be entirely incorrect.  You 
would need to persuade them that something is wrong, which is 
difficult at the best of times.  RoadRunner being involved in this 
case suggests this may *not* be the "best of times".

--
Richard Cox
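The thread makes two checks concrete for a receiving site: Pascal Gloor's observation that the apparent source sits in a block that is neither allocated nor announced, and Richard Cox's point that every Received: line below the one your own MX wrote is a claim made by the connecting host, which a proxying trojan can forge. The script below is an added example, not code from the thread or any NANOG participant, and is not the trojan signature Lars asks for; it shows the defensive analysis a recipient can run on a message. The sample message, the hostnames and the prefix list are constructed for the example (118.0.0.0/8 is listed because the thread, in June 2003, treats it as unallocated; allocations change, so a real deployment loads a current bogon feed).

```python
import ipaddress
import re
from email import message_from_string

# Constructed prefix list for this example: special-use/private ranges plus
# 118.0.0.0/8, which the thread (June 2003) describes as unallocated and
# unannounced. Load a current bogon feed in practice; allocations change.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "118.0.0.0/8",
)]

# Bracketed IPv4 literal as MTAs write it in Received: headers.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample shaped like the report in the thread: our MX recorded a
# connection from a cable-network host, and that host's own Received: line
# claims the message came from 118.189.136.119.
SAMPLE = """\
Received: from host.cable-isp.example ([192.0.2.45])
    by mx.example.net (Postfix) with ESMTP id 7A1B2C;
    Mon, 16 Jun 2003 17:30:02 +0200
Received: from [118.189.136.119] by host.cable-isp.example with SMTP;
    Mon, 16 Jun 2003 17:29:55 +0200
From: someone@example.org
To: victim@example.net
Subject: test

body
"""


def is_bogon(ip: str) -> bool:
    """True if ip falls inside one of the unallocated/special-use prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_PREFIXES)


def received_ips(raw_message: str) -> list:
    """Source IP of each Received: header, most recent hop first (header
    order); None for a header with no bracketed IPv4 literal."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP.search(hdr)
        ips.append(m.group(1) if m else None)
    return ips


def analyse(raw_message: str, trusted_hops: int = 1) -> dict:
    """Classify the hops. Only the first `trusted_hops` Received: lines were
    written by our own MTA(s) and can be believed; each deeper line is a
    claim made by the connecting host, which a proxying trojan can forge.
    When an untrusted hop claims a bogon source, the host to investigate is
    the one that really connected to us, recorded in the last trusted hop."""
    ips = received_ips(raw_message)
    hops = [{"ip": ip,
             "trusted": i < trusted_hops,
             "bogon": bool(ip) and is_bogon(ip)}
            for i, ip in enumerate(ips)]
    forged_claim = any(h["bogon"] and not h["trusted"] for h in hops)
    connecting = ips[trusted_hops - 1] if len(ips) >= trusted_hops else None
    return {"hops": hops,
            "forged_claim": forged_claim,
            "investigate": connecting if forged_claim else None}


if __name__ == "__main__":
    report = analyse(SAMPLE)
    for h in report["hops"]:
        print(f"{h['ip']:>16}  trusted={h['trusted']!s:5}  bogon={h['bogon']}")
    if report["forged_claim"]:
        print("untrusted hop claims an unallocated source;"
              f" examine the connecting host {report['investigate']}")
```

Set `trusted_hops` to the number of Received: lines your own inbound MTA chain adds (one per internal relay); counting too many hands trust to headers the sender wrote, counting too few hides your own relays as suspects. The output points at the machine that opened the SMTP connection, which matches the advice in the thread to take that server offline and image its disks rather than chase the address it claims to have relayed from.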


