[Dshield] MyDoom-A/B

John Sage jsage at finchhaven.com
Sun Feb 1 23:33:33 GMT 2004


Johannes:

On Sun, Feb 01, 2004 at 09:34:19AM -0500, Johannes B. Ullrich wrote:
> From: "Johannes B. Ullrich" <jullrich at sans.org>
> To: list at dshield.org
> Date: Sun, 01 Feb 2004 09:34:19 -0500
> Subject: [Dshield] MyDoom-A/B
> 
> 
> Well, mydoom a & b are now in full swing DDoS'ing sco.com and
> microsoft.com respectively.
> 
> At this point, it looks like 'www.sco.com' is down, but Microsoft.com
> doesn't show an impact so far.
> 
> At least Rogers appears to have changed the sco.com DNS record to
> 127.0.0.1. I haven't heard reports from other ISPs, but if you could
> check please and let me know if your ISP is using this to reduce the
> damage on its own infrastructure.


comcast.net's DNS servers (at least the ones I should be using, if I weren't
running my own nameservice), at Sun Feb 1 15:20:50 PST 2004, are
seeing this:


[jsage at sparky /storage/virii] $ dig @204.127.198.4 any sco.com

; <<>> DiG 9.2.1 <<>> @204.127.198.4 any sco.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36817
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4
 
;; QUESTION SECTION:
;sco.com.                       IN      ANY
 
;; ANSWER SECTION:
sco.com.                56335   IN      NS      c7ns1.center7.com.
sco.com.                56335   IN      NS      ns.calderasystems.com.
sco.com.                56335   IN      NS      ns2.calderasystems.com.
sco.com.                56335   IN      NS      nsca.sco.com.
sco.com.                1483    IN      SOA     ns.calderasystems.com. hostmaster.caldera.com. 2004020103 3600 900 604800 1800
 
;; AUTHORITY SECTION:
sco.com.                56335   IN      NS      c7ns1.center7.com.
sco.com.                56335   IN      NS      ns.calderasystems.com.
sco.com.                56335   IN      NS      ns2.calderasystems.com.
sco.com.                56335   IN      NS      nsca.sco.com.
 
;; ADDITIONAL SECTION:
c7ns1.center7.com.      16205   IN      A       216.250.142.20
ns.calderasystems.com.  23503   IN      A       216.250.130.1
ns2.calderasystems.com. 1280    IN      A       216.250.130.5
nsca.sco.com.           9628    IN      A       132.147.210.253
 
;; Query time: 331 msec
;; SERVER: 204.127.198.4#53(204.127.198.4)
;; WHEN: Sun Feb  1 15:21:16 2004
;; MSG SIZE  rcvd: 297



[jsage at sparky /storage/virii] $ dig @63.240.76.4 any sco.com

; <<>> DiG 9.2.1 <<>> @63.240.76.4 any sco.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64708
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4
 
;; QUESTION SECTION:
;sco.com.                       IN      ANY
 
;; ANSWER SECTION:
sco.com.                126692  IN      NS      c7ns1.center7.com.
sco.com.                126692  IN      NS      ns.calderasystems.com.
sco.com.                126692  IN      NS      ns2.calderasystems.com.
sco.com.                126692  IN      NS      nsca.sco.com.
sco.com.                581     IN      SOA     ns.calderasystems.com. hostmaster.caldera.com. 2004020103 3600 900 604800 1800
 
;; AUTHORITY SECTION:
sco.com.                126692  IN      NS      c7ns1.center7.com.
sco.com.                126692  IN      NS      ns.calderasystems.com.
sco.com.                126692  IN      NS      ns2.calderasystems.com.
sco.com.                126692  IN      NS      nsca.sco.com.
 
;; ADDITIONAL SECTION:
c7ns1.center7.com.      14688   IN      A       216.250.142.20
ns.calderasystems.com.  117062  IN      A       216.250.130.1
ns2.calderasystems.com. 124494  IN      A       216.250.130.5
nsca.sco.com.           18054   IN      A       132.147.210.253
 
;; Query time: 178 msec
;; SERVER: 63.240.76.4#53(63.240.76.4)
;; WHEN: Sun Feb  1 15:22:23 2004
;; MSG SIZE  rcvd: 297



However, traceroutes seem to be dropped before being handed off
from att.net to xo.net:

[jsage at sparky /storage/virii] $ traceroute sco.com

traceroute to sco.com (216.250.128.12), 30 hops max, 38 byte packets

 1  greatwall (192.168.1.2)  0.479 ms  0.323 ms  0.229 ms
 2  10.130.176.1 (10.130.176.1)  8.228 ms  11.146 ms  6.988 ms
 3  12.244.82.65 (12.244.82.65)  9.150 ms  9.791 ms  16.694 ms
 4  12.244.64.1 (12.244.64.1)  12.397 ms  8.487 ms  10.204 ms
 5  12.244.72.18 (12.244.72.18)  10.915 ms  9.171 ms  13.131 ms
 6  tbr1-p012402.st6wa.ip.att.net (12.122.5.174)  13.201 ms  11.471 ms  19.591 ms
 7  tbr2-cl1.sffca.ip.att.net (12.122.12.113)  119.140 ms  26.411 ms  24.891 ms
 8  ggr1-p370.sffca.ip.att.net (12.123.13.69)  129.919 ms  25.032 ms  26.181 ms
 9  * * *
10  * * *
11  * *


Whereas at about 6:25am this morning (Sunday) and earlier, traceroutes
were going all the way through to xo.net in Salt Lake City, UT:

 1  greatwall (192.168.1.2)  2.041 ms  61.784 ms  2.190 ms
 2  10.130.176.1 (10.130.176.1)  8.086 ms  8.595 ms  8.065 ms
 3  12.244.82.65 (12.244.82.65)  9.043 ms  9.467 ms  8.428 ms
 4  12.244.64.1 (12.244.64.1)  9.063 ms  8.991 ms  10.623 ms
 5  12.244.72.18 (12.244.72.18)  9.943 ms  12.037 ms  10.291 ms
 6  tbr1-p012402.st6wa.ip.att.net (12.122.5.174)  11.081 ms  11.161 ms  10.339 ms
 7  tbr2-cl1.sffca.ip.att.net (12.122.12.113)  28.016 ms  46.656 ms  28.884 ms
 8  ggr1-p370.sffca.ip.att.net (12.123.13.69)  25.046 ms  27.466 ms  25.466 ms

 9  p14-0.IR1.PaloAlto-CA.us.xo.net (206.111.12.145)  26.974 ms  30.998 ms  28.736 ms
10  p5-2-0.RAR2.SanJose-CA.us.xo.net (65.106.5.177)  26.996 ms  28.649 ms  28.470 ms
11  p6-0-0.RAR1.LA-CA.us.xo.net (65.106.0.17)  38.364 ms  34.032 ms  38.312 ms
12  p0-0-0-0.RAR2.LA-CA.us.xo.net (65.106.1.50)  35.427 ms  34.222 ms  34.347 ms
13  p4-0-0.MAR2.SaltLake-UT.us.xo.net (65.106.5.74)  70.366 ms  69.310 ms  69.114 ms
14  p15-0.CHR1.SaltLake-UT.us.xo.net (207.88.83.46)  67.889 ms  67.118 ms  69.014 ms
15  205.158.14.114.ptr.us.xo.net (205.158.14.114)  70.079 ms  72.594 ms  69.164 ms
16  * * *
17  * * *




- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."
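Added example, not part of John's post or of any DShield tool: a small stdlib-only checker for the question Johannes asked, i.e. whether a given resolver is handing back a sinkholed (127.0.0.1 or 0.0.0.0) answer for a name, the way Rogers was reported to do for sco.com. It builds an A query in RFC 1035 wire format, parses the answer section (including compression pointers), and classifies the result. The resolver address in the usage comment is taken from the dig output above; build_sample_response() constructs a fake response by hand so the parser can be exercised offline, and is not real resolver traffic.

```python
import ipaddress
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a recursive (RD=1) A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses of every A record in the ANSWER section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0:  # RCODE other than NOERROR: nothing usable
        return []
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return addrs


def is_sinkholed(addrs: list) -> bool:
    """True when every answer is loopback or 0.0.0.0, i.e. the name is blackholed."""
    if not addrs:
        return False
    return all(ipaddress.IPv4Address(a).is_loopback or
               ipaddress.IPv4Address(a).is_unspecified for a in addrs)


def build_sample_response(name: str, ip: str, ttl: int = 60) -> bytes:
    """Construct a NOERROR response with one A record (offline test data only)."""
    query = build_query(name)
    header = query[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0)  # QR, RD, RA
    answer = (b"\xc0\x0c"  # pointer to the name at offset 12 (the question)
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(ip).packed)
    return header + query[12:] + answer


def query_resolver(resolver_ip: str, name: str, timeout: float = 3.0) -> list:
    """Live check: send the query over UDP/53 and return the A records."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch; ignoring response")
    return parse_a_records(data)


if __name__ == "__main__":
    import sys
    resolver, name = sys.argv[1], sys.argv[2]  # e.g. 204.127.198.4 sco.com
    answers = query_resolver(resolver, name)
    verdict = "SINKHOLED" if is_sinkholed(answers) else "normal"
    print(f"{name} via {resolver}: {answers or 'no A records'} -> {verdict}")
```

Run it against each of your ISP's resolvers in turn; a loopback answer means the resolver is pointing infected hosts back at themselves, while an empty or NXDOMAIN result is reported separately so it is not mistaken for a sinkhole.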