[Dshield] What is the fun of this? Daily 70 packets to 1026 and 1027

jayjwa jayjwa at atr2.ath.cx
Wed Mar 30 12:52:10 GMT 2005

On Mon, 28 Mar 2005, Freek de Kruijf wrote:

-> Since about a month and a half I get daily 
-> about 70 UDP packages to the ports 1026 and 1027 from one IP-address 
-> (Shanghai, China).

That one host appeared over 7 times in the short time I was monitoring 
this. It appeared to have a lone SSH port and one snmp port open, 
everything else filtered.

-> firewall in my Linux box. I examened the content once with tcpdump and 
-> ethereal and the content showed some advertisement of a website; forgot 
-> what it was about.

www.win-fix.com. The usual "your machine is infected with spyware, go now 
and download this" scam. It redirects around circles and chases its own 
tail, then lands finally to a download, "setup.exe". I peeked at the 
imports and what was easily visible in the binary and it does some pretty 
registry intensive operations. If you didn't have spyware, you will after 
running this little gem.

  Naturally I complained at the mail address 
-> associated with the IP-address, wanglin at shaidc.com, but this turned out 
-> to be a non-existing address, however abuse at shaidc.com seemed to exist, 
-> however no reaction.

I wrote up a nice abuse report and sent it out to that address, the one of 
the super-spamming host, and all the contacts of the IPs involved, 
included all the proof, logs, packet dumps, etc. Not a one response; I 
couldn't belive it! (not)

What is the 'Net coming to when a confirmed/reported spammer/scammer can 
just fire away at will and be completely immune from consequeces?

checking for broken Samba configure files ...
head: `-1' option is obsolete; use `-n 1'
Try `head --help' for more information.
result: ... Yes

More information about the list mailing list