[Dshield] Port 135

keithtarrant@spamcop.net keithtarrant at spamcop.net
Sun Oct 20 02:57:30 GMT 2002


KickerRick -

I'm trying to figure out the effectiveness of what you are doing.

So Rick, do you send the messages to any IP that sends you a port 80 probe
on a day when you have time to do so, or do you have some other selection
criterion?

For the percentages below, I'm trying to get an idea if this is 20%, 50%
or 80% effective.  I realize you can't give me answers + or - 1%, but how
about + or - 20%?

For the port 80 probes where you send the first message, do you get an
additional probe after sending the first message less than say 20% of the
time?  (In other words, is it 80% effective?)

For the cases where you get an additional port 80 probe after sending the
second (shutdown) message, do you get a third probe less than 20% of the
time?  (In other words, after 2 messages are .2 * .2 = .04 sites still
sending port 80 probes -- that is 96% effective.)

(My personal opinion remains that this messaging should only be done by
experts like DShield, MyNetWatchman and ISPs, because of the danger of the
messaging tool being used to send abusive or incorrect or advertising
messages in the hands of the general population.

However, as a programmer/analyst/project leader not depending on security
threats for my income, who has had some but limited academic and work
exposure to the law, reading over the discussions, any doubts I have as to
the legality of sending messages to existing common services where no
effort has been made to restrict their use (with either software "fences"
or software "no trespassing signs") are gone -- let alone fear of
prosecution or ethical doubts.

I mean, a person can question anything and that is fine.  But people are
distributing Sub 7 openly on the internet -- you can do a search in Google
with different spellings of Sub 7, and go through the results looking for
sites that either have it, or have links to download sites.  And Sub 7 has
functions that can only be used for malicious purposes.  And I haven't
seen IT security professionals falling all over themselves to shut down
these Sub 7 distribution sites; the Google results aren't filled with dead
links.  And the FBI isn't acting either, on Sub 7 distribution or its use
on the public.)

- Keith


----- Original Message -----
From: "KickerRick" <kickerrick at kickerrick.servebeer.com>
To: <list at dshield.org>
Sent: Saturday, October 19, 2002 1:19 AM
Subject: Re: [Dshield] Port 135


>     I've been doing this since Code Red came out. A program called
> SendAMess 2.0 sits in the tray with a text message giving links to
> removing Nimda and Code Red infections. I go through my IDS autoblock
> and firewall logs, unblock and message the infected computer. Rarely do
> the infected computers return, but occasionally when they do it's
> usually because someone either is impatiently hitting OK to get rid of
> the pop up, or they just don't care I figure.
>     Now I get "unethical", and send the infected computer a shutdown
> message, which pops a message up which gets the point across that
> their computer is infected and needs maintenance; "VIRUS/TROJAN
> INFECTION ALERT-SHUTTING DOWN!". Their computer then initiates a normal
> shut down, including asking them if they want to save any open text
> files.
>     I know the latter will rankle a few, but nothing else seems to
> work. This does. There are a few instances where neither a net send nor
> shutdown will work, and I'm not sure, but I believe this is because
> the IP of the infected computer has changed, which also brings up the
> point that a few computers will erroneously receive the message
> because I usually send the messages out at the end of the day, so some
> earlier IPs may have changed. These I send notices to the ISP telling
> them that the possibly infected computer didn't respond to net send
> warnings, and would they please forward the warning to the user. Of
> course these are auto-acked and ignored I'm sure. Maybe not.
>
>
> ----- Original Message -----
> From: "Jon R. Kibler" <Jon.Kibler at aset.com>
> To: <list at dshield.org>
> Sent: Wednesday, October 16, 2002 7:38 AM
> Subject: Re: [Dshield] Port 135
>
>
> > You know, a public domain version of this tool, used to send
> > text-only messages, could be quite useful!
> >
> > Q: What is the biggest problem we have dealing with infected systems?
> > A: Contacting the actual admin of the system.
> >
> > Thus, my idea:
> > Almost any system insecure enough to be infected by Nimda, SQLSnake,
> > etc. is probably insecure enough to have Port 135 open. Therefore, we
> > could take a public domain version of the spam tool described in this
> > article, integrate it into our IDSes, and when we get hit by an
> > infected system, blast back to the system console a Pop-Up Message
> > along the lines of "Hey dummy, your system is infected by [insert
> > parasite name]. How about doing a better job of securing your
> > systems?". At least we would then know that someone knows about the
> > infected system!
> >
> > Just a thought... a little perverse thought maybe, but a thought just
> > the same.
> >
> > Jon Kibler
> > A.S.E.T., Inc.
> > Charleston, SC  USA
> >
> > Roger wrote:
> > >
> > > Getting suspicious hits on port 135?  This may explain it.  A new
> > > breed of spam slam.
> > >
> > > http://www.wired.com/news/technology/0,1282,55795,00.html
> > >
> >
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> >
>
>
>
>
>
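Keith's questions above are about measuring whether notified sources come back, and Rick's reply notes that dynamic IPs make late attributions unreliable. The script below is an added example (not code from the list, from Rick or from DShield) that computes those return rates from a firewall/IDS event log. It assumes a constructed log format of "date time source-ip event", where "probe" is an inbound port 80 probe and "notify" is a message sent to that source, and it only counts a probe as a return if it arrives within an attribution window (7 days by default) after the notification, so that probes from a reassigned address are not charged against the message.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, event.
# "probe"  = inbound port 80 probe recorded by the firewall/IDS
# "notify" = a notification message was sent to that source
SAMPLE_LOG = """\
2002-10-14 03:12:41 10.0.0.1 probe
2002-10-14 18:00:02 10.0.0.1 notify
2002-10-15 09:30:10 10.0.0.1 probe
2002-10-15 18:00:05 10.0.0.1 notify
2002-10-16 11:02:33 10.0.0.1 probe
2002-10-14 04:05:06 10.0.0.2 probe
2002-10-14 18:00:07 10.0.0.2 notify
2002-10-14 07:07:07 10.0.0.3 probe
2002-10-14 18:00:09 10.0.0.3 notify
2002-10-15 02:00:00 10.0.0.3 probe
2002-10-15 18:00:11 10.0.0.3 notify
2002-10-14 09:09:09 10.0.0.4 probe
2002-10-14 18:00:12 10.0.0.4 notify
2002-10-25 10:00:00 10.0.0.4 probe
"""


def parse_log(text):
    """Group events by source IP, sorted by time (assumed log format)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ip, kind = line.split()
        events[ip].append((datetime.fromisoformat(f"{date} {time}"), kind))
    for ip in events:
        events[ip].sort()
    return events


def returned_after(evts, notify_index, window):
    """True if a probe arrives within `window` after the Nth notification.

    Returns None when this source never received that many messages.
    Probes outside the window are ignored: with dynamic addressing the
    address may belong to a different host by then.
    """
    notifies = [t for t, k in evts if k == "notify"]
    if len(notifies) <= notify_index:
        return None
    t0 = notifies[notify_index]
    return any(k == "probe" and t0 < t <= t0 + window for t, k in evts)


def effectiveness(text, max_messages=2, window=timedelta(days=7)):
    """Per message number: how many sources got it and how many probed again."""
    events = parse_log(text)
    stats = []
    for i in range(max_messages):
        notified = returned = 0
        for evts in events.values():
            r = returned_after(evts, i, window)
            if r is None:
                continue
            notified += 1
            returned += int(r)
        stats.append({
            "message": i + 1,
            "notified": notified,
            "returned": returned,
            "return_rate": returned / notified if notified else None,
        })
    return stats


def still_probing_fraction(text, window=timedelta(days=7)):
    """Direct count: fraction of notified sources that probed again after
    the last message they received (the quantity Keith estimates as
    .2 * .2, without assuming the two rates are independent)."""
    events = parse_log(text)
    notified = [e for e in events.values() if any(k == "notify" for _, k in e)]
    still = 0
    for e in notified:
        last = sum(1 for _, k in e if k == "notify") - 1
        if returned_after(e, last, window):
            still += 1
    return still / len(notified) if notified else None


if __name__ == "__main__":
    for row in effectiveness(SAMPLE_LOG):
        print(row)
    print("still probing after last message:", still_probing_fraction(SAMPLE_LOG))
```

On the constructed log, two of four sources probe again after the first message and one of two after the second, so both per-message return rates are 0.5; the direct count of sources still probing after their last message is 1 of 4 (0.25). The product of the per-message rates only equals the direct count when a source's response to the second message is independent of its response to the first, which is why the script reports both.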
