[Dshield] Two questions.

Paul Marsh pmarsh at nmefdn.org
Wed Aug 15 20:34:37 GMT 2001


First Question:

	How do you get it through an ISP's head that they have a machine
that is infected?  I've called twice, emailed detailed IIS and firewall logs
to them and this machine is still up and running.  The IP address is
209.213.135.1, it belongs to quik.com aka quik international of Costa Mesa
CA.  If you decide to hit this human's site please be careful there is a
Backdoor.Sadmin.Dr trojan that launches if you dig around too much.

Second Question:

	Server A running IIS serving up my web site has not been hit with
the CR2 signature in almost a week, cool :)
	Server B running OWA is still being hit every day just about the same
time every day with 40 or so signatures.  Both machines are connected to the
same firewall, same T1 and so on but why is one being hit and not the
other?  Is there something I'm missing?

Thanx, Paul





