[Dshield] Re: Dshield digest, Vol 1 #677 - 4 msgs

Support Services support at maedata.net
Thu Jun 27 17:38:53 GMT 2002


Try Merak Mail Server from http://www.icewarp.com; it supports multiple
scanners and can be used with third-party AV products like F-Prot, McAfee, etc.



----- Original Message -----
From: <list-request at dshield.org>
To: <list at dshield.org>
Sent: Thursday, June 27, 2002 12:00 PM
Subject: Dshield digest, Vol 1 #677 - 4 msgs


> Send Dshield mailing list submissions to
> list at dshield.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://www.dshield.org/mailman/listinfo/list
> or, via email, send a message with subject or body 'help' to
> list-request at dshield.org
>
> You can reach the person managing the list at
> list-admin at dshield.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Dshield digest..."
>
>
> Today's Topics:
>
>    1. Re: Klez (Dave Goodrich)
>    2. Analyzing DShield data for indications of possible problems? (Ed Truitt)
>    3. Klez (Paul Marsh)
>    4. RE: Should I be concerned about this? (Tony Carothers)
>
> --__--__--
>
> Message: 1
> Date: Wed, 26 Jun 2002 09:30:54 -0500
> From: Dave Goodrich <dave at pixelhammer.com>
> To: list at dshield.org
> Subject: Re: [Dshield] Klez
> Reply-To: list at dshield.org
>
> 30 a day? My postmaster address is getting over a thousand a week in Klez
> bounces. We are a small ISP with only 3500 accounts and 200 domains. We
> are currently experiencing overwhelming traffic due to Klez, with some
> users having to ask us to delete their email boxes due to maxed quotas in
> Klez attachments.
>
> My new priority is to finish a new mail server with Spam and Virus
> scanners installed.
>
> Am I seeing more Klez? Oh yeah baby, it's growing day by day in Indiana. We
> have a lot of rural customers who either don't have virus protection or do
> not keep it up to date. My tech support is spending a lot of time just
> shutting off infected accounts when we can find them.
>
> DAve
>
>
> On Wed, Jun 26, 2002 at 09:53:24AM +0100, Divagaran wrote:
> > I am also still receiving 10 to 20 a day
> > -----Original Message-----
> > From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
> > Paul Marsh
> > Sent: 25 June 2002 20:00
> > To: 'Dshield (E-mail)
> > Subject: [Dshield] Klez
> >
> >
> > I just want to take a quick poll, is everyone/anyone else still seeing Klez
> > attachments?  Some days I see a few, maybe 5 or so, but today I've received
> > about 30 of them.  It's just getting annoying, is there any way to truly
> > locate the infected machine?   I just love it when an attachment comes in
> > saying it's from one of my users to another one of my users and the
> > attachment is infected.
> >
> > Thanx, Paul
> >
>
>
> --
> My other computer is your Windows machine...
>
>
>
> --__--__--
>
> Message: 2
> From: "Ed Truitt" <ed.truitt at etee2k.net>
> To: <list at dshield.org>
> Date: Thu, 27 Jun 2002 09:14:18 -0500
> Subject: [Dshield] Analyzing DShield data for indications of possible problems?
> Reply-To: list at dshield.org
>
>
> Yesterday, my team lead (who is also a DShield.org list subscriber)
> and I were talking about something I thought I would pass along to
> serve as a discussion starter.  We both have read numerous instances
> of people asking if they have seen an increase in probing / scanning
> activity on this port or that, or from a certain netblock, country,
> or region, etc.
>
> We talked about the similarities between network scanning / probing
> and other process controls (like a chemical plant or a refinery).
> Specifically, if we could establish a baseline which represents the
> "normal" level of scanning activities, then we could let the
> computers analyze data as it was gathered, and look for
> "statistically significant" events - those which deviate from the
> norm enough that they indicate that something has changed.  After
> all, we know that Port 80 scanning activity will drop off around the
> 20th of the month, then pick back up around the first, as this is the
> default behavior for CR/Nimda.  So, a change in activity that matches
> that pattern is not something to worry about - unless the level of
> change is significantly different.  However, a brief burst of
> scanning on a previously quiet port (SNMP, anyone?) might indicate a
> recon, prior to unleashing a new worm (I remember seeing this pattern
> before SQLsnake showed up.)  Also, a change in the amount of activity
> from a specific geographical region/netblock might indicate
> preparations for a cyber-attack.  Such information might help ISS
> alert sysadmins to batten down the hatches, and might allow us the
> time to mitigate, if not eliminate, the damage such an attack could
> do.
>
> DShield.org has the data.  Does anyone else see value in approaching
> scans/probes/hacktivity from this perspective (process control)?  It
> seems to me to be a better approach than people asking "have you
> noticed...?".
>
> Cheers,
> Ed Truitt
> PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
> http://www.etee2k.net
> http://www.bsatroop148.org
>
> "Note to spammers:  my 'delete' key is connected to YOUR ISP.
>  Also, if you send me UCE, I reserve the right to post your spew
> on my Web site, with the appropriate color commentary, so that
> others may have a good laugh at your expense."
>
>
>
> --__--__--
>
> Message: 3
> From: Paul Marsh <pmarsh at nmefdn.org>
> To: "'Dshield (E-mail)" <list at dshield.org>
> Date: Thu, 27 Jun 2002 10:52:56 -0400
> Subject: [Dshield] Klez
> Reply-To: list at dshield.org
>
>
> Thank you all very much for your input.  I just wanted to make sure I was
> not the only one still getting this annoying thing.  I've been reading
> through the reply-posts to my question and have come to the conclusion
> that I need to educate myself more on reading headers; does anyone know
> where I can find some quick and dirty info on headers?  I stripped the
> headers off of a few that came through yesterday and found they were all
> from the same place minus the BS virus-inserted stuff.  I've posted it
> here so I can get some feedback on what it really says.  The way I
> interpret it is that it's from an AOL netblock/modem pool,
> 172.167.179.170. I also noticed the following "X-Apparently-From:
> RealtyVis2 at aol.com", so would that mean this is the infected
> system/user?
>
> Thanx, Paul
>
> Received: from rly-ip02.mx.aol.com ([152.163.225.160]) by
> exchange.nmfdn.org with SMTP (Microsoft Exchange Internet Mail Service
> Version 5.5.2653.13)
> id N4K44L1D; Wed, 26 Jun 2002 19:10:06 -0400
> Received: from  logs-mtc-ta.proxy.aol.com (logs-mtc-ta.proxy.aol.com
> [64.12.105.5]) by rly-ip02.mx.aol.com (v83.35) with ESMTP id
> RELAYIN2-0626190953; Wed, 26 Jun 2002 19:09:53 -0400
> Received: from Pltqfsb (ACA7B3AA.ipt.aol.com [172.167.179.170])
> by logs-mtc-ta.proxy.aol.com (8.10.0/8.10.0) with SMTP id
> g5QMpCq501899
> for <user at nmefdn.org>; Wed, 26 Jun 2002 18:51:12 -0400 (EDT)
> Date: Wed, 26 Jun 2002 18:51:12 -0400 (EDT)
> Message-Id: <200206262251.g5QMpCq501899 at logs-mtc-ta.proxy.aol.com>
> From: <user at nmefdn.org>
> To: user at nmefdn.org
> Subject: Returned mail--"(InString2.toLowerCase().substring(0,4) "
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary=SA4vV0tB0836aCI01446DF39R6
> X-Apparently-From: RealtyVis2 at aol.com
>
> --SA4vV0tB0836aCI01446DF39R6
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
>
> <HTML><HEAD></HEAD><BODY>
>
> <FONT>The following mail can't be sent to infolex at otenet.gr:<br>
> <br>
> From: user at nmefdn.org<br>
> To: infolex at otenet.gr<br>
> Subject: (InString2.toLowerCase().substring(0,4) <br>
> The attachment is the original mail</FONT></BODY></HTML>
>
> --SA4vV0tB0836aCI01446DF39R6
> Content-Type: application/octet-stream;
> name=2.00.exe
> Content-Transfer-Encoding: base64
> Content-ID: <QX85o1h7T9>
>
>
>
> --__--__--
>
> Message: 4
> From: Tony Carothers <tony.carothers at lifestreamtech.com>
> To: "'list at dshield.org'" <list at dshield.org>
> Subject: RE: [Dshield] Should I be concerned about this?
> Date: Thu, 27 Jun 2002 09:29:19 -0700
> Reply-To: list at dshield.org
>
> Check for an application called "Chaincast"; it is a virtual multicast
> router that relays multicast from your box to other users.  When you listen
> to some radio stations or broadcasts, they require you to install it.  The
> fine print says other users can use YOUR pipe to receive the multicast.
>
> -----Original Message-----
> From: Mercy [mailto:Mercymail at mindspring.com]
> Sent: Wednesday, June 26, 2002 4:58 PM
> To: list at dshield.org
> Subject: Re: [Dshield] Should I be concerned about this?
>
>
> Hi & Thanks...
>
> I don't think I'm using any multicast-aware software.  Not sure though.
>
> My husband's computer is networked to my DSL router.  We're not networked
> computer to computer... just through the DSL.
>
> Could I be picking up things from him?  But, he doesn't use it very often.
> (I'm the internet addict in the family lol)
>
> Mercy
> ----- Original Message -----
> From: "E.B. Dreger" <eddy+public+spam at noc.everquick.net>
> To: "DS mailing list" <list at dshield.org>
> Sent: Wednesday, June 26, 2002 12:36 AM
> Subject: Re: [Dshield] Should I be concerned about this?
>
>
> > M> Date: Tue, 25 Jun 2002 20:34:33 -0400
> > M> From: Mercy
> >
> > (snipped throughout)
> >
> >
> > M> "The firewall has blocked routed traffic from 68.71.167.143 to
> > M> 222.174.130.106 (IP Protocol 117).
> >
> > IP protocol 117 == interactive agent transfer protocol
> >
> > I don't offhand know of anything using it.  Note that 222.... is
> > a class D multicast address.  Do you know if you're running any
> > multicast-aware software?
> >
> >
> > M> "ZoneAlarm blocked an incoming data packet that was addressed
> > M> to port 0 on another computer. The packet was either
> >
> > Same warning?  I don't know that protocol 117 even has ports. :-)
> > But, then, I don't know anything about IP/117.
> >
> >
> > M> This alert generally occurs either as a result of random
> > M> routing problems on the Internet or a configuration issue on a
> >
> > Random routing problems are rare.  There'd need to be some funky
> > ARP trouble to cause a "configuration issue", too.
> >
> > Mercy, does your provider support multicast?  Have you any other
> > computers connected to the same network?  What software do you
> > have running?
> >
> >
> > M>      traceroute 68.71.167.143
> > M>
> > M>       3    206.117.161.1    8.015 ms   DNS error [AS226] .....
> >
> > BGP-aware traceroute.... mmmm....
> >
> >
> > Eddy
> > --
> > Brotsman & Dreger, Inc. - EverQuick Internet Division
> > Bandwidth, consulting, e-commerce, hosting, and network building
> > Phone: +1 (785) 865-5885 Lawrence and [inter]national
> > Phone: +1 (316) 794-8922 Wichita
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
> > From: A Trap <blacklist at brics.com>
> > To: blacklist at brics.com
> > Subject: Please ignore this portion of my mail signature.
> >
> > These last few lines are a trap for address-harvesting spambots.
> > Do NOT send mail to <blacklist at brics.com>, or you are likely to
> > be blocked.
> >
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
>
>
>
>
> --__--__--
>
>
>
> End of Dshield Digest
>
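Ed's baseline idea from message 2, as an added example that is not part of the digest or of DShield's own tooling: constructed daily per-port probe counts, a robust median/MAD baseline per port, and a deviation score that stays quiet about the usual wobble on port 80 but flags a burst on a previously quiet port such as the SNMP case he mentions. The counts, the 2.0 floor and the 3.0 threshold are assumptions chosen for illustration.

```python
import statistics

# Constructed daily probe counts per destination port over 14 days, in the
# spirit of the DShield data the post describes (not real DShield numbers).
HISTORY = {
    80:   [910, 880, 930, 905, 870, 920, 940, 890, 900, 915, 885, 925, 895, 910],
    22:   [40, 45, 38, 42, 44, 41, 39, 43, 40, 42, 44, 41, 40, 43],
    1433: [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4, 3, 4],   # MS-SQL: low but steady
    161:  [0, 1, 0, 0, 2, 0, 1, 0, 0, 0, 1, 0, 0, 1],   # SNMP: previously quiet
}
TODAY = {80: 960, 22: 44, 1433: 31, 161: 57}   # constructed "today" counts


def baseline(counts):
    """Median and MAD (median absolute deviation) of a port's history.
    Both are robust: one earlier burst does not inflate the baseline the
    way it would inflate a mean and standard deviation."""
    med = statistics.median(counts)
    mad = statistics.median(abs(c - med) for c in counts)
    return med, mad


def z_score(value, counts, floor=2.0):
    """Today's count expressed in 'typical deviations' above the baseline.
    The floor stops a quiet port (MAD 0) from dividing by zero and from
    flagging a count of 1 after a run of zeros."""
    med, mad = baseline(counts)
    scale = max(1.4826 * mad, floor)   # 1.4826 * MAD ~ stddev for normal data
    return (value - med) / scale


def significant_events(history, today, threshold=3.0):
    """Ports whose count today sits more than `threshold` scaled deviations
    above their own baseline, most anomalous first. Each port is judged
    against its own history, so a busy port like 80 with its usual wobble
    is not reported while a burst on a quiet port is."""
    events = []
    for port, counts in history.items():
        value = today.get(port, 0)
        z = z_score(value, counts)
        if z > threshold:
            events.append((port, value, baseline(counts)[0], round(z, 1)))
    return sorted(events, key=lambda e: e[3], reverse=True)


if __name__ == "__main__":
    for port, value, expected, z in significant_events(HISTORY, TODAY):
        print(f"port {port}: {value} probes today vs baseline {expected} (z={z})")
```

A known calendar effect like the CR/Nimda drop-off Ed describes would need the baseline drawn from the same days of earlier months rather than from the trailing fortnight, otherwise the monthly rebound itself gets flagged.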


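For Paul's question in message 3 about reading headers, an added example that is not from his post or from DShield: a small Python script that walks the Received: chain he posted from the bottom up, reports the earliest recorded hop, checks that each relay's "by" name matches the "from" name the next relay logged, and confirms that the hex-encoded AOL reverse name agrees with the bracketed address. The sample message is reconstructed from his headers with the body and attachment left out; the HOP_RE pattern is an assumption about the common sendmail/Exchange header layout.

```python
import email
import re

# Message reconstructed from the Received: headers Paul posted (body and the
# Klez attachment omitted; hostnames, addresses and ids are from his post).
SAMPLE = """\
Received: from rly-ip02.mx.aol.com ([152.163.225.160]) by
\texchange.nmfdn.org with SMTP (Microsoft Exchange Internet Mail Service
\tVersion 5.5.2653.13)
\tid N4K44L1D; Wed, 26 Jun 2002 19:10:06 -0400
Received: from  logs-mtc-ta.proxy.aol.com (logs-mtc-ta.proxy.aol.com
\t[64.12.105.5]) by rly-ip02.mx.aol.com (v83.35) with ESMTP id
\tRELAYIN2-0626190953; Wed, 26 Jun 2002 19:09:53 -0400
Received: from Pltqfsb (ACA7B3AA.ipt.aol.com [172.167.179.170])
\tby logs-mtc-ta.proxy.aol.com (8.10.0/8.10.0) with SMTP id
\tg5QMpCq501899
\tfor <user@nmefdn.org>; Wed, 26 Jun 2002 18:51:12 -0400 (EDT)
From: <user@nmefdn.org>
To: user@nmefdn.org
Subject: Returned mail
X-Apparently-From: RealtyVis2@aol.com

(body omitted)
"""

# "from <HELO> (<reverse DNS> [<ip>]) by <host>"; the reverse DNS part is optional.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>\S+)")

def parse_hops(raw):
    """Received: hops oldest-first. Each relay prepends its own line, so the
    last Received: header in the message is the first hop (the origin)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))   # unfold the header
        if m:
            hops.append(m.groupdict())
    return hops

def chain_is_consistent(hops):
    """Each relay's 'by' name should be the 'from' name the next relay saw;
    below a break the lines may have been written by the sender, not a relay."""
    return all(a["by"] == b["helo"] for a, b in zip(hops, hops[1:]))

def hex_name_matches_ip(rdns, ip):
    """Dial-up reverse names like ACA7B3AA.ipt.aol.com encode the address as
    eight hex digits; check that the name and the bracketed IP agree."""
    m = re.match(r"([0-9A-Fa-f]{8})\.", rdns or "")
    if not m:
        return False
    octets = [str(int(m.group(1)[i:i + 2], 16)) for i in range(0, 8, 2)]
    return ".".join(octets) == ip
```

Only the topmost line, written by your own server, is fully trustworthy; the further down the chain a line sits, the more it depends on relays you do not control having recorded it honestly.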
