[Dshield] Unauthorised program access

Laurie Kennedy cblmaint at cblptyltd.com.au
Wed Feb 11 22:52:56 GMT 2004

This is the text I sent to the Telstra Australia 'Abuse' contact on their website.

>I administer the IT for Competency Based Learning Pty Ltd (CBL) at 62 Siganto Drive OXENFORD QLD 4212.
>I am unable to access the FTP service provided by Bigpond, and paid for in good faith by CBL, unless I unblock a series of firewall ports and allow an Unauthorised program to access
>inetnum: -
>netname:      TELSTRAINTERNET33-AU
>descr:        Telstra Internet
>descr:        Locked Bag 5744
>descr:        Canberra
>descr:        ACT 2601
>country:      AU
>admin-c:      TIAR-AP
>tech-c:       TIAR-AP
>mnt-by:       MAINT-AU-TIAR-AP
>remarks:      -----
>remarks:      All reports regarding SPAM or security breaches
>remarks:      should be addressed to abuse at telstra.net
>remarks:      ------
>changed:      hostmaster at arin.net 20011126
>changed:      hm-changed at apnic.net 20031215
>status:       UNSPECIFIED
>changed:      hm-changed at apnic.net 20031224
>source:       APNIC
>Please tell 'them' they can come and talk to us at CBL whenever they like. I will even allow them to inspect the CBL network (if they get approval from the CBL CEO).

I always had a suspicion that MSBLASTER could actually be called the MSAUDIT worm, with 80 million PCs connecting to the MS site prior to the attack. Why would any competent programmer create a sophisticated program that could be defeated so easily? My firewall logs show that the IPv4 address space for EU worldwide tried to enter our network at 9:19 Australian EST yesterday, 11th Feb, and again at 10:18 on a different IP. If anybody was scanning for this they would have to cover over a million addresses per second to hit it, and infect it again, in 59 mins.

The MYDOOM attack on the CBL firewall started yesterday after applying the latest 'critical' MS security patch. Here's a summary of the log.

8:51 Turk Telecom
8:57 Liberty Surf France
9:19 IPv4 EU worldwide
9:24 AOL VA
9:41 Optimum Online NY
10:18 IPv4 EU worldwide

I then turned off the broadband.

It looks like this is an inside 'boondoggle' on the global IT industry. Is anybody else seeing this sort of attack on the MYDOOM port? When you think about it, the people who haven't introduced any legislation to cover the internet around the globe do this so their own hackers can operate with immunity.

Laurence N. Kennedy
Competency Based Learning.