[Dshield] RE: Reporting Virus, Trojan and Port Scan Activity

Jim rodgersj at charter.net
Sun Mar 3 02:34:48 GMT 2002


Well, 

I guess I might as well throw my $0.02 into the ring and quit lurking 
on the list. As a best-practices point, when I report port scans, both at 
home and at work, I cc my ISP's abuse department, cert at cert.org and 
fedcirc at fedcirc.gov. I don't know that it really adds any weight, but it 
does help keep ISPs informed and more active at investigating these types 
of reports.

Did you know that there are current Federal laws against spam mail?
(1) "The transmission of unsolicited bulk e-mail, including the transmission of 
counterfeit e-mail, may result in civil and criminal penalties against the sender, 
including those provided by the Computer Fraud and Abuse Act (18 U.S.C. § 1030 et seq.)."
http://www4.law.cornell.edu/uscode/18/1030.html

(2) Any e-mail containing forged or spoofed RFC 822 header information is illegal - Electronic Mailbox Protection Act of 1997 - Section 3 (a) (1) - (9).
http://www.jmls.edu/cyber/statutes/email/empa1.html

Regards,

Jim 

"A well written, socially engineered speaks volumes ..."

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
list-request at dshield.org
Sent: Tuesday, February 26, 2002 12:02 PM
To: list at dshield.org
Subject: Dshield digest, Vol 1 #483 - 13 msgs


Send Dshield mailing list submissions to
	list at dshield.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://www1.dshield.org/mailman/listinfo/list
or, via email, send a message with subject or body 'help' to
	list-request at dshield.org

You can reach the person managing the list at
	list-admin at dshield.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dshield digest..."


Today's Topics:

   1. Re: Kornet.Net (BarkerJr)
   2. Re: Cheap relay-spammer trap (John Hardin)
   3. Re: Cheap relay-spammer trap (John Hardin)
   4. Re: Kornet.Net (Erik J. Varney)
   5. Re: Kornet.Net (John Hardin)
   6. Blocking ISP`s (Keith.Gainford at btinternet.com)
   7. Re: Blocking ISP`s (Jens Knoell)
   8. Re: Blocking ISP`s (Johannes B. Ullrich)
   9. RE: Blocking ISP`s (Malcolm Joosse)
  10. Re: Blocking ISPs (*Hobbit*)
  11. Re: Re: Blocking ISPs (Andrew Sanderson)
  12. Re: KAZAA (Mrcorp)
  13. Re: Re: Blocking ISPs (Jens Knoell)

--__--__--

Message: 1
From: "BarkerJr" <BarkerJr at ClanCdG.com>
To: <list at dshield.org>
Subject: Re: [Dshield] Kornet.Net
Date: Mon, 25 Feb 2002 11:24:09 -0500
Reply-To: list at dshield.org

That's what they do on usenet to abusing networks.

----- Original Message -----
From: "Grant Thurman" <Grant at Netprecision.Net>
To: <list at dshield.org>
Cc: <domain at NS.KORNET.NET>; <gspark at kornet.net>; "Net Abuse at Kornet."
<abuse at kornet.net>; "Net Postmaster at Kornet." <postmaster at kornet.net>;
<support at kornet.net>; <domain at NS.KORNET.NET>; <abuse at above.net>
Sent: Monday, February 25, 2002 9:46 AM
Subject: [Dshield] Kornet.Net


> Just an F.Y.I., I have blocked most IP addresses from Kornet.Net on one of
> our servers and guess what, the hacking has dropped by about 40% - 50%.
> Maybe all USA based networks should just block known hacker havens like Korea,
> Russia etc... then when the legit customers of those ISPs can't get
> anywhere on the Net the Network Admins will pay attention to our abuse
> complaints and cut off their hackers' accounts??? I have sent hundreds of
> hacker complaints to Kornet, NEVER have they even acknowledged one of
> them, that $10 a month per hacker must be very important to them...
>
> Just a thought.


--__--__--

Message: 2
Subject: Re: [Dshield] Cheap relay-spammer trap
From: John Hardin <johnh at aproposretail.com>
To: DShield mailing list <list at dshield.org>
Date: 25 Feb 2002 09:31:53 -0800
Reply-To: list at dshield.org

On Sat, 2002-02-23 at 15:28, Peter Feltham wrote:
> One wrinkle is to set a "three-strikes and you're out" rule in the
> firewall too: that way you block any IP used for these attempts
> for any purposes thereafter.

I do that for the Vast Tracts of our class-C that are unused. Wonderful
scan traps. Abacus Portsentry is wonderful...

-- 
John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 "Perpetual motion is impossible. This is a self-sustaining unit
 which at the same time provides surplus electrical energy."
                                 -- the inventor of the Jasker engine,
                                    Reuters, 01/22/2002
-----------------------------------------------------------------------
 79 days until Star Wars episode II: Attack of the Clones
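The "three strikes and you're out" rule Peter Feltham describes, applied the way John Hardin applies it to unused address space, worked through as a log replay. This is an added example, not code from either poster and not PortSentry or LaBrea: the log format, the RFC 5737 test addresses, the choice of 192.0.2.128/25 as the unused half of a /24 and the never-block list are all constructed for the example.

```python
"""Three-strikes scan trap over firewall log lines.

Added example, not code from the list posts, PortSentry or LaBrea. Everything
here is constructed: the log format, the addresses (RFC 5737 test networks)
and the choice of which part of the /24 counts as unused.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical: the upper half of our /24 has no hosts, so any packet to it is a probe.
DARK_SPACE = [ipaddress.ip_network("192.0.2.128/25")]
# Hypothetical: addresses that must never be banned even if they appear to probe
# us. A spoofed source could otherwise use the trap to cut us off from our own
# resolver or upstream gateway.
NEVER_BLOCK = {"192.0.2.1", "198.51.100.53"}
STRIKES = 3

# Constructed log lines: "<timestamp> <src> <dst> <dport> <proto>".
SAMPLE_LOG = """\
2002-02-25T09:31:01 203.0.113.7 192.0.2.10 25 tcp
2002-02-25T09:31:02 203.0.113.7 192.0.2.130 80 tcp
2002-02-25T09:31:02 203.0.113.7 192.0.2.130 80 tcp
2002-02-25T09:31:03 203.0.113.7 192.0.2.131 80 tcp
2002-02-25T09:31:03 203.0.113.7 192.0.2.132 80 tcp
2002-02-25T09:31:04 203.0.113.7 192.0.2.133 80 tcp
2002-02-25T09:31:05 203.0.113.7 192.0.2.10 25 tcp
2002-02-25T09:32:00 198.51.100.9 192.0.2.10 25 tcp
2002-02-25T09:32:05 198.51.100.9 192.0.2.200 139 tcp
2002-02-25T09:33:00 198.51.100.53 192.0.2.140 53 udp
2002-02-25T09:33:00 198.51.100.53 192.0.2.141 53 udp
2002-02-25T09:33:00 198.51.100.53 192.0.2.142 53 udp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (tcp|udp|icmp)$")


def is_dark(dst: str) -> bool:
    """True when the destination lies in address space nobody legitimately uses."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in DARK_SPACE)


def run_trap(log_text: str, strikes: int = STRIKES):
    """Replay log lines and return (blocked, probes, dropped).

    blocked: sources banned, in the order their third strike arrived
    probes:  src -> set of distinct dark addresses it touched
    dropped: number of later lines from an already-banned source
    """
    probes = defaultdict(set)
    blocked = []
    dropped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        _ts, src, dst, _dport, _proto = m.groups()
        if src in blocked:
            dropped += 1  # "for any purposes thereafter": even the SMTP retry is dropped
            continue
        if not is_dark(dst):
            continue
        # Count distinct targets, not packets: a retransmission to one dark
        # address is one strike, a sweep across three addresses is three.
        probes[src].add(dst)
        if len(probes[src]) >= strikes and src not in NEVER_BLOCK:
            blocked.append(src)
    return blocked, dict(probes), dropped


def block_rules(blocked):
    """Render the ban list as Linux iptables commands. The syntax is real;
    inserting at the head of INPUT is a choice made for this example."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in blocked]


if __name__ == "__main__":
    banned, seen, n_dropped = run_trap(SAMPLE_LOG)
    print("banned:", banned)
    print("dropped after ban:", n_dropped)
    for cmd in block_rules(banned):
        print(cmd)
```

In the sample, 203.0.113.7 sweeps four dark addresses and is banned on the third, so its later mail delivery attempt is dropped too; 198.51.100.9 touches one dark address and stays on probation; 198.51.100.53 sweeps three but is on the never-block list. That list is the caveat a trap like this needs, since the source address of a probe is under the prober's control.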


--__--__--

Message: 3
Subject: Re: [Dshield] Cheap relay-spammer trap
From: John Hardin <johnh at aproposretail.com>
To: DShield mailing list <list at dshield.org>
Date: 25 Feb 2002 09:35:11 -0800
Reply-To: list at dshield.org

On Sun, 2002-02-24 at 08:21, Tom Liston wrote:
> LaBrea is the program that you're talking about.  I'm the author.  It 
> can be found at http://www.hackbusters.net
> 
> It works on ALL ports... not just port 80. :-)  Fire it up, and you're 
> ready to go...
> 
> -TL

Hey, Tom! Have you taken a look at tying it to PortSentry like I
suggested to you a few months back?



--__--__--

Message: 4
From: "Erik J. Varney" <erik at centralsecurity.net>
To: <list at dshield.org>
Subject: Re: [Dshield] Kornet.Net
Date: Mon, 25 Feb 2002 13:59:09 -0500
Reply-To: list at dshield.org

Just a quick note on Kornet.net.  A lot of American military personnel
stationed in Korea use Kornet as an ISP.

Erik


--__--__--

Message: 5
Subject: Re: [Dshield] Kornet.Net
From: John Hardin <johnh at aproposretail.com>
To: DShield mailing list <list at dshield.org>
Date: 25 Feb 2002 12:41:59 -0800
Reply-To: list at dshield.org

On Mon, 2002-02-25 at 10:59, Erik J. Varney wrote:
> Just a quick note on Kornet.net.  A lot of American military personnel
> stationed in Korea use Kornet as an ISP.
> 
> Erik

I bet Kornet would start listening if *those* customers got cut off...



--__--__--

Message: 6
From: "Keith.Gainford at btinternet.com" <keith.gainford at btinternet.com>
To: "Dshield" <list at dshield.org>
Date: Mon, 25 Feb 2002 21:58:33 -0000
Subject: [Dshield] Blocking ISP`s
Reply-To: list at dshield.org

Hi All,

Please bear with me, I am a home user only and quite ignorant of technical
issues. I use ZA Pro. The vast majority of scans, probes etc. I receive
emanate from within my own ISP. Is it feasible to block these, or would I
block my own access to the net?

Again, I apologise for what must be a nerdish type question.

Keith G


--__--__--

Message: 7
From: "Jens Knoell" <jens at ing.twinwave.net>
To: <list at dshield.org>
Subject: Re: [Dshield] Blocking ISP`s
Date: Mon, 25 Feb 2002 18:22:06 -0700
Reply-To: list at dshield.org

From: "Keith.Gainford at btinternet.com" <keith.gainford at btinternet.com>
> Hi All,
>
> Please bear with me, I am a home user only and quite ignorant of technical
> issues. I use ZA Pro. The vast majority of scans, probes etc. I receive
> emanate from within my own ISP. Is it feasible to block these, or would I
> block my own access to the net?
>
> Again, I apologise for what must be a nerdish type question.
>
> Keith G

You'd most likely block your own access, unless you at least exclude your
DNS and mail servers, if you get these from your ISP.

Jens


--__--__--

Message: 8
Date: Mon, 25 Feb 2002 20:27:49 -0500 (EST)
From: "Johannes B. Ullrich" <jullrich at sans.org>
To: Dshield <list at dshield.org>
Subject: Re: [Dshield] Blocking ISP`s
Reply-To: list at dshield.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> Please bear with me, I am a home user only and quite ignorant of technical
> issues. I use ZA Pro. The vast majority of scans, probes etc. I receive
> emanate from within my own ISP. Is it feasible to block these, or would I
> block my own access to the net?

No need to apologize. This is actually a valid (and not a very
easy) question. In particular Nimda prefers to scan the local
network. So you can eliminate a lot of the 'noise' by blocking
your ISP's IP ranges. 

However, you have to be selective. There are a few things you do 
not want to block. Mostly, these are servers your ISP provides like
the mail server, DNS server, maybe DHCP server (if your ISP uses that)
and things like that. For most of these, it will work if you just
block everything and see what services stop working. DHCP is a bit
more tricky, as you will just lose your connection at some point.

Blocking your gateway should actually not cut you off (if you block it
by IP), as you should not see any traffic that has a source or
destination address of your ISP's gateway.

Anyway, I would recommend trial and error on a home machine with
ZoneAlarm.


- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8euSWwWQP+4im9DYRApzKAJ0TMrFef/xV5LOetN03vPZtn7l2rQCgtya7
g11l1yhMuSBjXx0bszEj2/0=
=HyHj
-----END PGP SIGNATURE-----


--__--__--

Message: 9
Subject: RE: [Dshield] Blocking ISP`s
Date: Tue, 26 Feb 2002 13:19:50 +1100
From: "Malcolm Joosse" <malcolm at hotlinesupport.com>
To: <list at dshield.org>
Reply-To: list at dshield.org

You might find that "scans" from your internal ISP network are normal network chatter that ZA picks up.  I see this all the time on my cable @home and accept the fact.  If you do not have a good understanding about the ramifications of blocking IP addresses, I suggest that you keep an eye on activity and let ZA do its job protecting your PC.  It is not worthwhile over complicating your PC setup as it may only end in tears.  Report any attacks to the Admin of your ISP as this is proactive and makes you a better net citizen.
just my 2c worth
Mal



--__--__--

Message: 10
To: list at dshield.org
Date: Mon, 25 Feb 2002 23:04:05 +0000 (GMT)
From: hobbit at avian.org (*Hobbit*)
Subject: [Dshield] Re: Blocking ISPs
Reply-To: list at dshield.org

You will find on cable clouds that certain administrative machines owned
by the cable provider scan customer blocks fairly routinely, looking for
things like webservers that they then go harass customers about.

You may be best off dumping everything from your own network, the provider's
admin network, and a few other select things unnoticed, and set yourself
up to use some well-known DNS servers out at other provider sites.
Perhaps you want to just block 24.0.0.0/8 and be done with it.  You
might need a pinhole rule to get to the cable provider's POP server or
something.  But otherwise, remaining invisible to both your neighbors and
those chumps up at the headend is prudent.

_H*
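Johannes Ullrich's advice above (block the ISP's ranges, but leave the resolver, mail and DHCP servers reachable, and note that DHCP is the awkward one) and Hobbit's "block 24.0.0.0/8 with a pinhole for the POP server", worked through as a first-match rule list with a paper dry run of "block everything and see what stops working". This is an added example, not code from either poster and not a ZoneAlarm or Sygate ruleset. 24.0.0.0/8 is the block Hobbit names; the resolver 24.0.0.53, mail server 24.0.0.25, DHCP source 24.0.0.1, the home address 24.9.8.7 and the sample packets are hypothetical.

```python
"""Selective block of the provider's address block, with pinholes for the
services the provider runs for you.

Added example, not code from the list posts and not a personal-firewall
configuration. 24.0.0.0/8 comes from the post above; every other address
and the sample packets are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" | "udp" | "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    # "allow", "drop", or "pass" (hand the packet to the firewall's normal rules)
    action: str
    src: ipaddress.IPv4Network
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def build_policy(provider_net: str, resolvers, mail_servers):
    """First-match rule list: pinholes first, then drop the rest of the cloud.

    Each pinhole is keyed on address AND port, so a neighbour sending from
    source port 53 does not ride in on the resolver's exemption, and the
    resolver's address does not get a free pass for non-DNS traffic.
    """
    net = ipaddress.ip_network(provider_net)
    rules = []
    for ip in resolvers:
        rules.append(Rule("allow", ipaddress.ip_network(ip), "udp",
                          sport=53, note="provider resolver"))
    for ip in mail_servers:
        for port in (25, 110):   # SMTP submission replies and POP3
            rules.append(Rule("allow", ipaddress.ip_network(ip), "tcp",
                              sport=port, note="provider mail"))
    # DHCP: the lease reply may come from a server or relay whose address you
    # do not know in advance, so this pinhole is by port only, for the whole
    # provider block. Without it the lease expires and the link goes away.
    rules.append(Rule("allow", net, "udp", sport=67, dport=68,
                      note="DHCP from provider"))
    rules.append(Rule("drop", net, note="everything else from the provider cloud"))
    rules.append(Rule("pass", ipaddress.ip_network("0.0.0.0/0"),
                      note="not the provider; normal firewall rules apply"))
    return rules


def decide(rules, pkt: Packet):
    """Return (action, note) of the first matching rule."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.note
    return "pass", "no rule"   # unreachable with build_policy's catch-all


def dry_run(rules, packets):
    """'Block everything and see what stops working', done on paper."""
    return {pkt: decide(rules, pkt)[0] for pkt in packets}


# Constructed sample traffic seen by the home machine 24.9.8.7 (hypothetical).
SAMPLE_PACKETS = [
    Packet("24.0.0.53", "24.9.8.7", "udp", 53, 1025),        # resolver reply
    Packet("24.0.0.25", "24.9.8.7", "tcp", 110, 1026),       # POP3 from provider mail
    Packet("24.0.0.1", "255.255.255.255", "udp", 67, 68),    # DHCP offer/ack
    Packet("24.1.2.3", "24.9.8.7", "tcp", 1044, 139),        # neighbour SMB probe
    Packet("24.1.2.4", "24.9.8.7", "udp", 53, 1025),         # neighbour using sport 53
    Packet("24.0.0.53", "24.9.8.7", "tcp", 4321, 139),       # resolver's address, not DNS
    Packet("198.51.100.9", "24.9.8.7", "tcp", 3344, 80),     # outside the cloud
]

if __name__ == "__main__":
    policy = build_policy("24.0.0.0/8", ["24.0.0.53"], ["24.0.0.25"])
    for pkt, action in dry_run(policy, SAMPLE_PACKETS).items():
        print(f"{action:5s} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
```

The dry run answers Keith's question directly: the resolver reply, the POP3 session and the DHCP lease survive, the neighbour's NetBIOS probe and the two impostor packets are dropped, and traffic from outside the provider's block is untouched by this policy and falls through to whatever the personal firewall normally does. The DHCP pinhole is the one that cannot be pinned to an address, which is why Ullrich calls it the tricky case.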


--__--__--

Message: 11
From: "Andrew Sanderson" <andrew at bw.uu.net>
To: <list at dshield.org>
Subject: Re: [Dshield] Re: Blocking ISPs
Date: Tue, 26 Feb 2002 08:29:21 +0200
Organization: UUNet Botswana
Reply-To: list at dshield.org

I agree with most of what you have said, as I work for an ISP, OK albeit a big one, and I'm not really in the dial-up side. I agree, hide yourself; one good program is Sygate Personal Firewall, that will also let you know what your computer is sending out, and thus you block your unwanted/unknown traffic.

Too many ISPs have a non-segmented way of distributing their IPs to their customers, mostly because of cost. One really good way to operate, if you are using cable, would be to put a router in front of your side. Now I know they are expensive, but if you look around there are SOHO products out there; one good cheap one is the SMC Barricade, it has one WAN port then 4 inbound ports, it also has a limited firewall built in, and it's cheap, under 100 dollars.

In support of ISPs, we have tried to filter traffic, but every time we start to filter, there is always someone who, and it is their right, brings up the point that "you do not have the right to filter my traffic" and we then get a letter from someone's attorney saying, .... are you messing with our client's IP traffic..

Anyway, like Hobbit said, the more invisible you are the better you are.

As a note I sit behind a PIX IOS 6.01a Cisco firewall, and my router is a Cisco 3620. Now in my case I can justify the cost as I took them out of stock from the company (not stolen), just inventory off premises ...

Cheers

Andrew



Systems Team

UUNET Botswana (PTY) Ltd , http://www.uunet.co.bw/
A WorldCom Company, http://www.uu.net/
Tel: +267 588967 ext: 203, Fax: +267 588970,
Customer Service centre:+267 588967
e-mail: andrew at bw.uu.net, andrews at za.uu.net




--__--__--

Message: 12
Date: Tue, 26 Feb 2002 04:26:10 -0800 (PST)
From: Mrcorp <mrcorp at yahoo.com>
Subject: Re: [Dshield] KAZAA
To: list at dshield.org
Reply-To: list at dshield.org

I stand corrected.  Thanks!

Charles

--- Josh Ballard <Josh at oofle.com> wrote:
> Charles,
> 	You are right that KaZaA is not Morpheus.  You are also right that
> Gnutella has had some viruses and backdoors written for it.  But there
> is one problem here.  Morpheus is not KaZaA, yes, but neither of these
> are Gnutella clients.  They are both FastTrack clients, thus the
> comparison.  I'm not sticking up for the security of either of these
> programs though.  Any file sharing app in your network is a potential
> information leak as well as bandwidth hog.  Grokster is another
> FastTrack client, so anything you see on port 1214 could be any of these
> three applications, and all 3 can interconnect, but likely not a
> Gnutella app, unless someone changed their Gnutella client to that port
> (why?).  Anyway, I figured I would clear that up just to be safe and try
> to make sure people don't get confused.  
> 
> Josh Ballard
> oofle.com Firewall Center
> http://www.oofle.com/
> Josh at oofle.com
> 
> 




--__--__--

Message: 13
From: "Jens Knoell" <jens at ing.twinwave.net>
To: <list at dshield.org>
Subject: Re: [Dshield] Re: Blocking ISPs
Date: Tue, 26 Feb 2002 05:44:36 -0700
Reply-To: list at dshield.org

From: "Andrew Sanderson" <andrew at bw.uu.net>
> [...]
> In support of ISPs, we have tried to filter traffic, but every time we
> start to filter, there is always someone who, and it is their right, brings up
> the point that "you do not have the right to filter my traffic" and we
> then get a letter from someone's attorney saying, .... are you messing with
> our client's IP traffic..

They might rant, but their "right" is zilch. It's your network, you pay for
its infrastructure - and no one can tell you what you have to allow in your
segment (unless it's written in some contract of course).

I'm filtering traffic to our own servers routinely, in some cases blocking
more than half the world (Asia, Russia, South America usually). It helps a
lot to cut down on unwanted traffic, unwanted probes, and in general makes
me sleep a lot better at night - fewer attempted DoS attacks, less work in
the morning to go through the logs.

Which, of course, follows the general chant: if you're invisible, you're off
nicely. Simple packet filters or full-fledged stateful firewalls - that's
more or less a personal choice there.

Jens



--__--__--

_______________________________________________
Dshield mailing list
Dshield at dshield.org
http://www1.dshield.org/mailman/listinfo/list


End of Dshield Digest



