[Dshield] SoBig question

John D. lists at webcrunchers.com
Thu Aug 21 21:21:36 GMT 2003


>I'll be the first to say it, luck is on my side.  My MTA has only received 20 SoBigs, I understand that it's almost impossible to track down the infected host so maybe I'm way off with this but here goes.  I've checked my SMTP logs and found that each one of them has come from the following host.

That's not entirely true....   It IS possible to track down the infected hosts,  but first we have to wait for Phase 2 to start.   Eventually we are going to be getting a HUGE increase in spam really soon.   The spam would be coming from infected machines.   The first Received header's IP address would be the infected machine.

Ping this machine...   if no response,  then the user has his/her machine turned off.   When pings come back,  then portscan the machine and look for the port numbers used by the WinGate proxy...   Telnet into the proxy and access it to confirm it.

>Is it safe to say that cpe-66-75-70-192.socal.rr.com [66.75.70.192] is infected?

Same as above...  Ping 66.75.70.192 occasionally until you get a response.  Try during the times you think they might have their machines turned on.   Looks to be a cable modem user from the RDNS you mentioned above.

This may not always work,  depending on the lease time of the DHCP,  but if they have a consumer router connected,  they MIGHT have it configured wrong.  Most routers block suspicious port numbers by default.

John
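Pulling the originating address out of the Received: chain, as John describes, is the part of this that a mail admin can do entirely from the message itself. The following is an added example, not code from the thread or from DShield: it parses the Received: headers of a message, walks them from the earliest hop upward past loopback/private addresses, and returns the first public IP, which is the value you would put in an abuse report or a temporary block. It assumes the common Sendmail/Postfix header form `from <helo> (<rdns> [<ip>]) by <host>`, and the sample message, its hostnames, queue IDs and RFC 5737 documentation addresses are all constructed for the example. It also checks that each hop's `from` host matches the `by` host of the hop beneath it, since only the header your own MTA added is trustworthy and a break in that chain is a sign of a forged or rewritten line.

```python
"""Find the originating host of a message from its Received: headers.

Added example (not from the original thread). The sample below is constructed
with RFC 5737 documentation addresses; nothing here touches the network.
"""
import email
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample message (not a real SoBig message). Headers read top-down:
# the topmost Received: line was added last, by our own MTA; the bottom-most was
# added first, by the host that originated the mail.
SAMPLE_MESSAGE = (
    "Received: from mx1.example.net (mx1.example.net [198.51.100.10])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 0A1B2C3D\n"
    "\tfor <postmaster@example.org>; Thu, 21 Aug 2003 14:02:11 -0700\n"
    "Received: from cpe-host.example-isp.net (cpe-host.example-isp.net [192.0.2.77])\n"
    "\tby mx1.example.net with SMTP id 4E5F6A7B; Thu, 21 Aug 2003 14:01:58 -0700\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby cpe-host.example-isp.net with SMTP; Thu, 21 Aug 2003 14:01:40 -0700\n"
    "From: someone@example.com\n"
    "To: postmaster@example.org\n"
    "Subject: Re: Details\n"
    "\n"
    "(body omitted)\n"
)

# "from <helo> (<rdns> [<ip>]) by <host> ..." as written by Sendmail/Postfix-style MTAs.
# The rdns part may be empty when the sending address has no reverse record.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

_PRIVATE_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def received_hops(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per Received: header, in header order (newest hop first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.match(flat)
        if not m:
            continue  # unparseable hop: leave it out rather than guess
        hops.append({"helo": m["helo"], "rdns": m["rdns"] or None,
                     "ip": m["ip"], "by": m["by"]})
    return hops


def _is_internal(ip_text: str) -> bool:
    """Loopback, link-local or RFC 1918 space: cannot be the sender's public address."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError if not an IP literal
    return ip.is_loopback or ip.is_link_local or any(ip in net for net in _PRIVATE_NETS)


def originating_ip(hops: List[Dict[str, Optional[str]]]) -> Optional[str]:
    """Walk from the earliest hop upward and return the first usable public IP."""
    for hop in reversed(hops):
        try:
            if not _is_internal(hop["ip"]):
                return hop["ip"]
        except ValueError:
            continue  # not an IP literal; skip it
    return None


def chain_is_consistent(hops: List[Dict[str, Optional[str]]]) -> bool:
    """Each hop's 'from' host should be the 'by' host of the hop beneath it.

    A break in the chain means a lower Received: line was forged or rewritten,
    so the IP it names should not be trusted without the MTA's own log.
    """
    for upper, lower in zip(hops, hops[1:]):
        from_host = (upper["rdns"] or upper["helo"]).lower()
        if from_host != lower["by"].lower():
            return False
    return True


if __name__ == "__main__":
    hops = received_hops(SAMPLE_MESSAGE)
    for h in hops:
        print(f"{h['ip']:>15}  from {h['rdns'] or h['helo']}  by {h['by']}")
    print("chain consistent:", chain_is_consistent(hops))
    print("originating IP:", originating_ip(hops))
```

The result is only as good as the header your own MTA wrote: the topmost hop's IP comes from the TCP connection and matches your SMTP log, while every lower line was supplied by the remote side. For a worm that mails directly from the infected PC there is usually just that one meaningful hop; the chain check earns its keep when the mail was relayed through an ISP smarthost or a proxy and you need to decide whether the lower line is believable before reporting it.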