[Dshield] What is the fun of this? Daily 70 packets to 1026 and 1027

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Wed Mar 30 19:43:46 GMT 2005


list-bounces at lists.dshield.org <mailto:list-bounces at lists.dshield.org>
wrote on Wednesday, March 30, 2005 3:52 PM (EET) UTC+3 on behalf of
jayjwa

| On Mon, 28 Mar 2005, Freek de Kruijf wrote:
| 
| -> Since about a month and a half I get daily about 70 UDP packages to
| -> the ports 1026 and 1027 from one IP-address 61.172.244.159
| -> (Shanghai, China).
| 
| That one host appeared over 7 times in the short time I was monitoring
| this. It appeared to have a lone SSH port and one snmp port open,
| everything else filtered.
| 
| -> firewall in my Linux box. I examined the content once with tcpdump
| -> and ethereal and the content showed some advertisement of a website;
| -> forgot what it was about.
| 
| www.win-fix.com. The usual "your machine is infected with spyware, go
| now and download this" scam. It redirects around circles and chases
| its own tail, then lands finally to a download, "setup.exe". I peeked
| at the imports and what was easily visible in the binary and it does
| some pretty registry intensive operations. If you didn't have
| spyware, you will after running this little gem.
| 
| 
| -> Naturally I complained at the mail address associated with the
| -> IP-address, wanglin at shaidc.com, but this turned out to be a
| -> non-existing address, however abuse at shaidc.com seemed to exist,
| -> however no reaction.
| 
| 
| I wrote up a nice abuse report and sent it out to that address, the
| one of the super-spamming host, and all the contacts of the IPs
| involved, included all the proof, logs, packet dumps, etc. Not a one
| response; I couldn't believe it! (not)
| 
| What is the 'Net coming to when a confirmed/reported spammer/scammer
| can just fire away at will and be completely immune from consequences?


jayjwa, Freek et al.

Did you send the abuse report(s) to ip-admin at mail.online.sh.cn as well?

Found this address via SpamCop (please see further below for detailed
info).

- Pete


    "Only one passion could drive me away from my habits of study;
                              but was it not also study?"
               Honoré de Balzac (1799-1850), French author.



http://www.spamcop.net/sc?track=61.172.244.159
SpamCop v 1.418.2.2 (C) Ironport Systems Inc., 1998-2005 , All rights
reserved.
Parsing input: 61.172.244.159
host 61.172.244.159 (getting name) no name
Routing details for 61.172.244.159
Report routing for 61.172.244.159: ip-admin at mail.online.sh.cn
Statistics:
61.172.244.159 not listed in bl.spamcop.net
More Information..
61.172.244.159 not listed in dnsbl.njabl.org
61.172.244.159 not listed in cbl.abuseat.org
61.172.244.159 listed in dnsbl.sorbs.net ( 127.0.0.6 )
61.172.244.159 not listed in relays.ordb.org.
Reporting addresses:
ip-admin at mail.online.sh.cn 
http://www.spamcop.net/sc?action=showroute;ip=61.172.244.159;typecodes=21,16
Reports routes for 61.172.244.159:
routeid: 6375845 61.172.0.0 - 61.172.255.255 to:
ip-admin at mail.online.sh.cn
Administrator interested in all reports

    Friday, July 30, 2004 09:37:26 +0300
    Corrupt notes were found here - combined raw data below:
    [Note added by 24.78.154.2, 24.66.94.140 (no name)]
    I'm the admin who takes charge of the anti-spam work in my network. It
    appears that you send all the spam abuse to
    hostmaster at ns.chinanet.cn.net, which belongs to CHINANET (my
    headquarters), not CHINANET-SH. So I'd like to suggest you, please
    forward me all the spam abuse in the future, I need these mails, they
    are evidences. Any further information please feel free writing to me
    via this mail address.

    These IP ranges are under my control:

    61.172.0.0/16
    61.171.0.0/16
    61.173.0.0/16
    61.170.0.0/16
    218.78.0.0/16
    218.79.0.0/16
    218.80.0.0/16
    218.81.0.0/16

    best regards,

    ***********************************************
    CHINANET-ShangHai IP Administrator
    Anti-Spam TEAM, CHINANET-SH

    Shanghai Telecom Corporation, CHINA
    ip-admin
    ip-admin at mail.online.sh.cn
    2003-11-18
    *********************************************** 1069217531
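Added example, not part of the thread: Freek's observation ("daily about 70 UDP packets to the ports 1026 and 1027 from one IP-address") is exactly the kind of thing worth pulling out of a firewall log before writing an abuse report. The script below reads netfilter LOG-target lines (the `kernel: IN=... SRC=... DST=... PROTO=UDP SPT=... DPT=...` format iptables emits), counts per-source hits on UDP 1026/1027, and keeps the per-day counts and first/last-seen times that an abuse desk wants as evidence. The log lines are constructed for this example: the source 61.172.244.159 is the one named in the thread, while 192.0.2.10, 198.51.100.7 and 203.0.113.5 are documentation addresses, and the timestamps, packet lengths and the "two distinct days" threshold are assumptions, not data from anyone's real logs.

```python
"""Triage netfilter LOG lines for repeated UDP traffic to the same destination ports.

Added example for the Dshield thread: summarise which source addresses keep
hitting UDP 1026/1027 so the counts and first/last-seen times can go into an
abuse report. SAMPLE_LOG is constructed for this example; only the source
61.172.244.159 comes from the thread, the other addresses are documentation
ranges (RFC 5737) and every timestamp and packet size is made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the iptables LOG-target format (kernel: ... SRC= DST= PROTO= SPT= DPT=).
SAMPLE_LOG = """\
Mar 28 08:01:13 gw kernel: IN=ppp0 OUT= SRC=61.172.244.159 DST=192.0.2.10 LEN=542 TTL=109 ID=2112 PROTO=UDP SPT=1036 DPT=1026 LEN=522
Mar 28 08:01:14 gw kernel: IN=ppp0 OUT= SRC=61.172.244.159 DST=192.0.2.10 LEN=542 TTL=109 ID=2113 PROTO=UDP SPT=1036 DPT=1027 LEN=522
Mar 28 15:40:02 gw kernel: IN=ppp0 OUT= SRC=61.172.244.159 DST=192.0.2.10 LEN=542 TTL=109 ID=2200 PROTO=UDP SPT=1036 DPT=1026 LEN=522
Mar 28 16:12:45 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 ID=881 PROTO=TCP SPT=44132 DPT=22 WINDOW=5840 SYN
Mar 29 08:02:01 gw kernel: IN=ppp0 OUT= SRC=61.172.244.159 DST=192.0.2.10 LEN=542 TTL=109 ID=3001 PROTO=UDP SPT=1036 DPT=1026 LEN=522
Mar 29 08:02:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=120 TTL=48 ID=17 PROTO=UDP SPT=53 DPT=1026 LEN=100
"""

# syslog prefix (month, space-padded day, time, host) followed by the netfilter fields we need.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_lines(text, year=2005):
    """Yield (timestamp, src, dst, proto, spt, dpt) for every netfilter LOG line.

    syslog lines carry no year, so the caller supplies it (2005 here, the year of the thread).
    Lines that are not netfilter LOG output are skipped rather than treated as an error.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = f"{year} {m['mon']} {m['day'].strip()} {m['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["dst"], m["proto"], int(m["spt"]), int(m["dpt"])


def summarise(text, proto="UDP", ports=(1026, 1027)):
    """Per source IP: total hits on the watched ports, per-day counts, ports seen, first/last seen."""
    stats = defaultdict(lambda: {"total": 0, "per_day": defaultdict(int),
                                 "ports": set(), "first": None, "last": None})
    for ts, src, _dst, p, _spt, dpt in parse_lines(text):
        if p != proto or dpt not in ports:
            continue  # other traffic (e.g. the SSH probe from 198.51.100.7) is not our subject
        s = stats[src]
        s["total"] += 1
        s["per_day"][ts.date().isoformat()] += 1
        s["ports"].add(dpt)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)


def repeat_offenders(text, min_days=2, **kw):
    """Sources seen on at least `min_days` distinct days; one-off noise drops out (threshold is an assumption)."""
    return sorted(src for src, s in summarise(text, **kw).items() if len(s["per_day"]) >= min_days)


def report(text):
    """Plain-text evidence lines suitable for pasting into an abuse report."""
    stats = summarise(text)
    out = []
    for src in repeat_offenders(text):
        s = stats[src]
        out.append(
            f"{src}: {s['total']} UDP packets to ports {sorted(s['ports'])} on "
            f"{len(s['per_day'])} days, first {s['first']:%Y-%m-%d %H:%M:%S}, "
            f"last {s['last']:%Y-%m-%d %H:%M:%S}"
        )
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real `/var/log/messages` (or `journalctl -k`) instead of `SAMPLE_LOG`, adjusting `year` if the log spans New Year. The per-day breakdown matters for the report: a single burst and a month of daily hits read very differently to an abuse desk, and the first/last-seen times give the recipient something to match against their own NAT or DHCP records.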




