[Dshield] What is the fun of this? Daily 70 packets to 1026 and 1027
jayjwa at atr2.ath.cx
Wed Mar 30 12:52:10 GMT 2005
On Mon, 28 Mar 2005, Freek de Kruijf wrote:
-> Since about a month and a half I get daily
-> about 70 UDP packages to the ports 1026 and 1027 from one IP-address
-> 126.96.36.199 (Shanghai, China).
That one host appeared over 7 times in the short time I was monitoring
this. It appeared to have a lone SSH port and one SNMP port open,
everything else filtered.
-> firewall in my Linux box. I examined the content once with tcpdump and
-> ethereal and the content showed some advertisement of a website; forgot
-> what it was about.
www.win-fix.com. The usual "your machine is infected with spyware, go now
and download this" scam. It redirects around circles and chases its own
tail, then finally lands on a download, "setup.exe". I peeked at the
imports and what was easily visible in the binary and it does some pretty
registry intensive operations. If you didn't have spyware, you will after
running this little gem.
-> Naturally I complained at the mail address
-> associated with the IP-address, wanglin at shaidc.com, but this turned out
-> to be a non-existing address, however abuse at shaidc.com seemed to exist,
-> however no reaction.
I wrote up a nice abuse report and sent it out to that address, the one of
the super-spamming host, and all the contacts of the IPs involved,
included all the proof, logs, packet dumps, etc. Not a one response; I
couldn't believe it! (not)
What is the 'Net coming to when a confirmed/reported spammer/scammer can
just fire away at will and be completely immune from consequences?
checking for broken Samba configure files ...
head: `-1' option is obsolete; use `-n 1'
Try `head --help' for more information.
result: ... Yes
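A defender-side check for the pattern discussed in this thread, added here as an example and not part of the original post: it parses constructed netfilter LOG lines (the kind of Linux firewall logging mentioned above), counts UDP datagrams to the Messenger Service ports 1026/1027 per source per day, flags sources over a threshold, and emits a drop rule for them. The sample log lines, the 192.0.2.x addresses and the threshold value are assumptions; only 126.96.36.199 comes from the thread.

```python
import re
from collections import Counter

# Messenger Service pop-up spam arrives as UDP datagrams to ports 1026/1027;
# a netfilter LOG rule on the Linux firewall records each one.
MESSENGER_PORTS = {1026, 1027}

LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) \d\d:\d\d:\d\d .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_netfilter_log(line):
    """Return the fields as a dict, or None for lines without SPT/DPT (ICMP, noise)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec

def messenger_spam_sources(lines, threshold=20):
    """{(day, src): count} of UDP hits to the Messenger ports at or above threshold."""
    hits = Counter()
    for line in lines:
        rec = parse_netfilter_log(line)
        if rec and rec["proto"] == "UDP" and rec["dpt"] in MESSENGER_PORTS:
            hits[(f"{rec['mon']} {rec['day']}", rec["src"])] += 1
    # a single stray datagram (e.g. a DNS reply to ephemeral port 1026) stays below threshold
    return {k: n for k, n in hits.items() if n >= threshold}

def drop_rule(src):
    """iptables rule that drops further Messenger-port UDP from src."""
    return f"iptables -I INPUT -s {src} -p udp -m multiport --dports 1026,1027 -j DROP"

# Constructed sample: 70 spam datagrams from the host named in the thread, alternating
# ports 1026/1027, plus one DNS reply to port 1026 that must not be flagged.
SAMPLE_LOG = [
    f"Mar 28 03:{i // 60:02d}:{i % 60:02d} gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:"
    f"66:77:88:99:aa:bb:08:00 SRC=126.96.36.199 DST=192.0.2.10 LEN=1456 TOS=0x00 PREC=0x00 "
    f"TTL=112 ID={4000 + i} PROTO=UDP SPT={1026 + i % 2} DPT={1026 + i % 2} LEN=1436"
    for i in range(70)
] + [
    "Mar 28 03:05:12 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.53 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=53 DPT=1026 LEN=64",
]
```

Running `messenger_spam_sources(SAMPLE_LOG)` flags only the 126.96.36.199 source with 70 hits on Mar 28, and `drop_rule` turns each flagged source into a firewall rule.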