[Dshield] New signature?

Greg Broiles gbroiles at well.com
Sun Aug 12 07:13:28 GMT 2001

At 04:43 PM 8/11/2001 -0700, John Groseclose wrote:

>That's the eEye vulnerability scanner. Some twit is scanning your 
>machine/network to see if you're open to Code Red.
>Looks like it's coming from dsl092-004-240.sfo1.dsl.speakeasy.net - 
>there's been a LOT of this kind of thing from various Speakeasy hosts for 
>the last week.
>Repeated notes to abuse at speakeasy.net and suppoer at speakeasy.net have gone 

they were probably too busy with their own unannounced, un-consented-to 
scan of their subscribers using Eeye's scanner - I saw the scan, noticed 
the similarity to CR I/II but the different signature, and called their 
support people to ask why one of their webservers was being used to scan my 
hosts - they said they were doing it to check for infected machines, that 
they didn't see any reason to give a heads-up or ask permission first, and 
that they'd only be contacting subscribers who were apparently 
infected/vunlerable. That might have made sense post-CR I, but after CR II, 
I don't think it's reasonable to make any inferences or assumptions about 
what state a machine is in after it's been left rooted and vulnerable like 
that, especially where it's busily broadcasting its existence and 
vulnerability to other machines on the net.


I have also seen a significant increase in TCP/UDP scans from within 
Speakeasy's IP block on port 139 in the past few days - I did some grepping 
to look for matches between my logs of infected CR II hosts and the hosts 
doing the 139 probes - didn't find any correlation, but am not sure that 
means much, given the random nature of CR II propagation and the apparently 
linear port 139 scans. (I've got 4 IP's, so it's easy to watch the scans 
walk up my block of addresses). It seems reasonable to think some of those 
hosts poking around on 139 were rooted with CR II and are now being used to 
look in a more methodical fashion for more interesting victims.

On the other hand, the only machines I've got exposed to the world are 
locked-down *BSD's, and I'm getting bored with playing worm whack-a-mole 
with logfiles, and have stopped watching this stuff carefully. It's 
interesting to watch the worm spread, but nothing I've seen has risen 
beyond the level of annoyance, and I don't think there's anything I can do 
to make unmotivated (or unwitting) Windows NT/2K sysadmins bring their 
systems up to a reasonable level of security such that they're not 
endangering (or annoying) their network neighbors.

Greg Broiles
gbroiles at well.com
"We have found and closed the thing you watch us with." -- New Delhi street kids

More information about the list mailing list