[Dshield] Re:What is your isp doing

Joseph Stahley 3rd jestahley3 at cox.net
Sat Apr 10 02:08:14 GMT 2004


Hah.. you have it easy.. Try being on Cox.net, I'm getting probed close to 250
times an hour from their infected machines. I just had a chat with them as
well. Their technicians do not check to see if the machines they are about to
connect to the net are up to date patch and AV wise. They do shut down
service on problematic machines on a local level but only after someone
complains loud and long enough. I have sent many emails to abuse at cox.net, so
many that I have been warned by them that I am abusing the system... Wait, it
gets better... They just implemented spam filters for email on their servers
as of Monday of this week and they also warn of fake virus notification
emails that are sent from people claiming to be from their "AV Department",
which contain the virus Netsky.P (which I have had at least 6 or 7 of this
week on 3 different accounts, which my virus software did pick up, and of which I
just received another within the past hour). Oh, did I mention that the
so-called tech I spoke to did not know that port 3127 was MyDoom, or that
6129 was DameWare.

Anyway forgive the rant, have to vent then work on 2 infected machines..

Joseph


----- Original Message ----- 
From: "Glenn Jarvis" <gaj at sympatico.ca>
To: <list at lists.dshield.org>
Sent: Friday, April 09, 2004 5:56 AM
Subject: [Dshield] Re:What is your isp doing


> >
> >
> >I recently have been receiving certain incoming probes from my ISP, or what
> >I think is my ISP, RoadRunner.
> >
> >Can anyone help me understand this?
> >
> >Thanks.
> >
> >
> >Steve
> >
> >
> >Here is a sample in case the .txt file doesn’t go through.
> >
> >
> >
> >Date       Time     Dir Rem IP Addr     Remote Name                     R Port  Lcl IP Addr  L Port
> >2004/04/09 00:28:13  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1863    24.161.228.  80
> >2004/04/09 00:28:13  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1852    24.161.228.  1025
> >2004/04/09 00:28:13  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1857    24.161.228.  3127
> >2004/04/09 00:28:13  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1858    24.161.228.  6129
> >2004/04/09 00:28:13  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1850    24.161.228.  2745
> >2004/04/09 00:28:07  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1863    24.161.228.  80
> >2004/04/09 00:28:07  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1852    24.161.228.  1025
> >2004/04/09 00:28:07  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1857    24.161.228.  3127
> >2004/04/09 00:28:07  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1858    24.161.228.  6129
> >2004/04/09 00:28:07  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1850    24.161.228.  2745
> >2004/04/09 00:28:04  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1863    24.161.228.  80
> >2004/04/09 00:28:04  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1858    24.161.228.  6129
> >2004/04/09 00:28:04  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1857    24.161.228.  3127
> >2004/04/09 00:28:04  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1852    24.161.228.  1025
> >2004/04/09 00:28:04  I  24.210.214.179  dhcp024-210-214-179.woh.rr.com  1850    24.161.228.  2745
> >
>
> I'm no expert, but I have dealt with this quite a bit lately. I receive
> the same thing from various addresses within my ISP's block and once I
> asked them about it, I understood (if they were being accurate and I
> can't see why not)...
>  From what I have been told, they are other rr.com customers who are
> infected. All I do now is see if I get over a certain amount from the
> same address, then forward the log information to them. They then check
> their end, find out who the customer is, and then notify the customer to
> clean up their system. So far, my ISP has been grateful for the reports I
> have sent them (I usually send it off to them if the originator reaches
> over 50 entries or so, that way I'm not flooding them with reports).
> Anyway, that is my understanding of it, although I'm sure the experts in
> here will probably be much more detailed than I am.
>
> HTH
> Glenn
> (excuse the typos, I'm still on my 1st morning cup of wakeup)
>
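Glenn's triage rule above (forward the log once one originator passes about 50 entries), sketched as an added example that is not part of either post: it parses the firewall-log layout quoted in the thread, including records wrapped over two lines, and counts inbound entries per remote address. The sample log, its addresses and host names are constructed; the two port labels are the ones named in Joseph's message.

```python
import re
from collections import Counter, defaultdict

# Port labels as named in the thread; other ports are left unlabeled.
PORT_NOTES = {3127: "MyDoom", 6129: "DameWare"}

# Field order from the quoted header: date, time, dir, remote IP, remote name,
# remote port, local IP (may be truncated, e.g. "24.161.228."), local port.
RECORD = re.compile(
    r"(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<dir>[IO])\s+"
    r"(?P<rip>\d+\.\d+\.\d+\.\d+)\s+(?P<rname>\S+)\s+(?P<rport>\d+)\s+"
    r"(?P<lip>[\d.]+)\s+(?P<lport>\d+)"
)

def parse(text):
    """Yield one dict per record; strips '>' quoting and rejoins wrapped records."""
    joined = " ".join(re.sub(r"^[> \t]+", "", text, flags=re.M).split())
    for m in RECORD.finditer(joined):
        yield m.groupdict()

def reportable(text, threshold=50):
    """Return {remote_ip: {"count": n, "ports": {local_port: hits}}} for sources over threshold."""
    counts, ports = Counter(), defaultdict(Counter)
    for r in parse(text):
        if r["dir"] != "I":          # only inbound entries count as probes
            continue
        counts[r["rip"]] += 1
        ports[r["rip"]][int(r["lport"])] += 1
    return {ip: {"count": n, "ports": dict(ports[ip])}
            for ip, n in counts.items() if n > threshold}

def constructed_sample():
    """Constructed log (documentation addresses), quoted and wrapped like the post."""
    lines = ["> >Date      Time       Dir Rem IP Addr    Remote Name",
             "> >R Port Lcl IP Addr    L Port"]
    for i in range(11):                       # 11 rounds x 5 ports = 55 entries
        for lport in (80, 1025, 3127, 6129, 2745):
            lines.append(f"> >2004/04/09 00:28:{i:02d}   I  198.51.100.23")
            lines.append(f"> >host23.example.net     18{i:02d}  192.0.2.10  {lport}")
    for lport in (80, 3127, 6129):            # a quiet source, below the threshold
        lines.append(f"2004/04/09 00:30:00   I  198.51.100.77 host77.example.net 1900 192.0.2.10 {lport}")
    return "\n".join(lines)

if __name__ == "__main__":
    for ip, info in reportable(constructed_sample()).items():
        noted = {p: PORT_NOTES[p] for p in info["ports"] if p in PORT_NOTES}
        print(f"{ip}: {info['count']} inbound entries, ports {sorted(info['ports'])}, noted {noted}")
```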




