[Dshield] Sobig IP list site.

Richard Roy RoyR at justicetrax.com
Fri Aug 22 21:25:33 GMT 2003


First of all, thanks go out to John Sage for providing the link below for
the site that has a script keeping an eye on the 20 IP addys with
sobig.f

http://207.195.54.37/sobig.html

I contacted the maintainer of the site and asked him (about 1:30 pm AZ
time) to add the DNS hostname info to the page, providing it was not too
much of an interruption to him.  Well he did so, and I'm curious as to
something.  The majority of these hostnames resolve to ppp connection
hosts or dial ups which are usually a dhcp pool of addys.  Given
that...and the writer launching phase II a week later, how would you
know any of them would be the same system after a week?  My experience
with dialups (a bit dated I might add) is that once you cut the
connection, the address goes back into the pool as immediately expired
so that it can be given to another caller dialing in.

Am I off base here?  I guess I don't follow the logic of targeting an
attack to happen after the worm reaches an estimated peak, using dial
ups that may or may not be there aside from the fact that the IP might
be there but in a dial up pool it might not be the same computer. 

Just my $.02

Richard Roy
Network Administrator
JusticeTrax Inc
602-938-0059 x102
royr at justicetrax.com



