[Dshield] Increased activity

John Dalton dubuque_1 at msn.com
Sun Aug 17 15:59:28 GMT 2003

This was of interest to me, as a friend who worked at a small business (dialup
56k, NO Antivirus, No firewall) with a W2K box, unpatched, had odd things
happening with Office products. He thought the boss had done something again,
but found he had not been in town.
After receiving an email from his local ISP that his connections showed some
signs of being infected, he went to Microsoft and Symantec to grab tools and
indeed found the machine had been infected. He followed steps and did what
he could to clean the mess up. Once done, the Office products quit acting up
(problems with inserting an Excel sheet into a Word document went away).
Interesting scenario, as I can't see what the Office products problems could
have to do with Blaster, but actions were too coincidental.

What was funniest was the boss saying why did this happen, and the friend
reminded him of constant reminders he had made to the boss about antivirus
needs at the minimum. Maybe now he will loosen up his wallet, or wait for
the next big problem to occur. This is a work computer that produces goods
for the business and has internet connectivity. As well I believe it is used
as their United Parcel Service machine as well, so they would not be able to
do some shipping if it goes down.

Why I post to this thread is the same friend told me that with the advent of
the Blaster worm warnings, he noticed a significant drop in popup ads, but
ALSO in spam type email, which he was at a loss to explain, unless the ISP
instituted two fixes at the same time.

Thanks for the excellent mailing list, which has helped so many times in
being an Early Warning System.
----- Original Message ----- 
From: "Johannes B. Ullrich" <jullrich at sans.org>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Sunday, August 17, 2003 9:47 AM
Subject: Re: [Dshield] Increased activity

> There is a pronounced increase in port 1026 traffic.
> It is expected that popup spammers moved to this port
> to bypass port 135 blocks.
> On Sun, 2003-08-17 at 09:49, Synergy wrote:
> > Hullo - I'm seeing somewhat increased activity here (cox.net, in RI)
> > starting last night, and to a lesser extent on Comcast systems in
> > ME and Seattle WA.  There are three patterns -- one is scanning from
> > the local class-B space, but not to port 135, rather a number of ports in
> > the 1000-2000 range.  Here at least these seem to come from remote port
> > 1025.  Second is bursts of scans from port 80 to ports in the 1145-1150
> > range, from IPs that Smartwhois says belong to Akamai.  Third is scans
> > alleging to come from, from port 80 to a number of ports in
> > 1000-2000 range.  There are also a couple of French IPs banging on port
> > 1026...total altogether (here in RI) is maybe 150 or so starting last
> >
> > regds,
> > david
> >
> > --
> > Synergy <synergx at attglobal.net> - 96 Bolton Ave Suite 2, Providence RI
> > 02908 USA
> > 401 274-5827, cell: 401 225-5004, fax: 401 274-4944
> >
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> -- 
> SANS - Internet Storm Center
> http://isc.sans.org
> PGP Key: http://isc.sans.org/jullrich.txt
