[Dshield] SoBig question

Milo Milo145 at hotmail.com
Fri Aug 22 01:19:20 GMT 2003


John:

  Thanks for the response, I thought my post got lost in the traffic.  The
item that made me think that this host is infected is that in my SMTP logs I
noticed the nodes NetBIOS name, DEN-COMPUTER .  All 20 over a two day period
show the same results, same IP, Same NetBIOS name but of course different
sender addresses each time.  I did a port scan early this morning and later
this afternoon but the only thing open was 25 and 110, looks like they're
behind a firewall.  It was just a thought on my part to see if we could
start identifying infected hosts.

  Your comments on what's to come is very scary, but 100% true.  I guess
it's time to open the floor on a conversation about what we need to do to
lessen the blow and stop the spam sent to our domains, users and clients.
Could we come up with an SOP as to.

    1.  The steps in identifying an infected host.
    2.  Blocking them at our parameters.
    3.  Informing the infected host(s) NOC and then following up if the
problem continues.

Thanx, Paul


--Original Message----- 
From: John D. [mailto:lists at webcrunchers.com]
Sent: Thu 8/21/2003 5:21 PM
To: General DShield Discussion List
Cc:
Subject: Re: [Dshield] SoBig question


>I'll be the first to say it, luck is on my side.  My MTA has only received
20 SoBigs, I understand that it's almost impossible to track down the
infected host so maybe I'm way off with this but here goes.  I've checked my
SMTP logs and found  that each one of them has come from the following host.

That's not entirely true....   It IS possible to track down the infected
hosts,  but furst we have to wait for Phase 2 to start.   Eventually we are
going to be getting a HUGE increase is spam really soon.   The spam would be
coming from Infected machines.   The first Received header's IP address
would be the infected machine.

Ping this machine...   if no response,  then user has his/her machine turned
off.   When pings come back,  then portscan the machine and look for the
port numbers used by the WinGate proxy...   Telnet into the proxy and access
it to confirm it.

>Is it safe to say that cpe-66-75-70-192.socal.rr.com [66.75.70.192]is
infected?

Same as above...  Ping 66.75.70.192 ocassionally until you get a response.
Try during the times you think they might have their machines turned on.
Looks to be a cable modem user from the RDNS you mentioned above.

this may not always work,  depending on the lease time of the DHCP,  but if
they have a consumer router connected,  they MIGHT have it configured wrong.
Most routers block suspicious port numbers be default.

John




More information about the list mailing list