[Dshield] Unauthorised program access

Laurie Kennedy cblmaint at cblptyltd.com.au
Wed Feb 11 22:52:56 GMT 2004


This is the text I sent to the Telstra Australia 'Abuse' contact on their website.

>I administer the IT for Competency Based Learning Pty Ltd (CBL) at 62 Siganto Drive OXENFORD QLD 4212.
>
>I am unable to access the FTP service provided by Bigpond, and paid for in good faith by CBL, unless I unblock a series of firewall ports and allow an Unauthorised program to access 144.140.8.32.
>
>inetnum:      144.140.0.0 - 144.140.255.255
>netname:      TELSTRAINTERNET33-AU
>descr:        Telstra Internet
>descr:        Locked Bag 5744
>descr:        Canberra
>descr:        ACT 2601
>country:      AU
>admin-c:      TIAR-AP
>tech-c:       TIAR-AP
>mnt-by:       MAINT-AU-TIAR-AP
>remarks:      -----
>remarks:      All reports regarding SPAM or security breaches
>remarks:      should be addressed to abuse at telstra.net
>remarks:      ------
>changed:      hostmaster at arin.net 20011126
>changed:      hm-changed at apnic.net 20031215
>status:       UNSPECIFIED
>changed:      hm-changed at apnic.net 20031224
>source:       APNIC
>
>Please tell 'them' they can come and talk to us at CBL whenever they like. I will even allow them to inspect the CBL network (if they get approval from the CBL CEO).

I always had a suspicion that MSBLASTER could actually be called the MSAUDIT worm, with 80 million PCs connecting to the MS site prior to the attack. Why would any competent programmer create a sophisticated program that could be defeated so easily? My firewall logs show that the IPv4 address space for EU worldwide tried to enter our network at 9:19 Australian EST yesterday, 11th Feb, and again at 10:18 on a different IP. If anybody was scanning for this they would have to cover over a million addresses per second to hit it, and infect it again, in 59 mins.

The MYDOOM attack on the CBL firewall started yesterday after applying the latest 'critical' MS security patch. Here's a summary of the log.

8:51 Turk Telecom 81.212.12.37
8:57 Liberty Surf France 213.36.59.52
9:19 IPv4 EU worldwide 67.87.22.226
9:24 AOL VA 172.194.75.42
9:41 Optimum Online NY 68.198.147.130
10:18 IPv4 EU worldwide 218.16.131.47

I then turned off the broadband.

It looks like this is an inside 'boondoggle' on the global IT industry. Is anybody else seeing this sort of attack on the MYDOOM port? When you think about it, the people who haven't introduced any legislation to cover the internet around the globe do this so their own hackers can operate with immunity.

Laurence N. Kennedy
Competency Based Learning.
