[Dshield] RE: Dshield digest, Vol 1 #744 - 8 msgs

James C. Slora, Jr. Jim.Slora at phra.com
Mon Aug 12 20:00:57 GMT 2002

"ALEPH0" wrote Sun, 11 Aug 2002 13:04:08 -0700

> Well, attacking infected systems seems like the responsible advice for an
> ISP to give to its customers.  LOL.  If I am interpreting this right, the
> ISP was running their DNS on Windows IIS servers.

Actually, I lean toward the explanation that the tech flat out lied to me.
Host names, IPs, OS fingerprints did not match at all between the attacking
servers and the ISP's DNS servers. I have a bad habit of not checking every
attacking system to see if it is secretly my own provider's DNS server
(shame on me!), but I did do a little snooping after I got off the phone
with the tech. I only did a passive check, but I'm pretty confident that
there was no connection between the attacks and the DNS servers. If the
tech's words had turned out to be true, I'd have pulled the plug on that ISP
immediately and forever.

> > "During a DOS caused by a Nimda infection on a net-neighboring
> > server farm that also used my ISP, a support rep at the ISP's contract
> > center in Newfoundland told me that I should download "WinKiller" and
> > attack the infected systems. When I declined this option, he told me
> > that it was actually the ISP's DNS servers attacking me and that he
> > needed to get off the phone to resolve the issue."

