[unisog] Distributed spam attack
jmorris at cac.washington.edu
Mon Dec 15 21:58:34 GMT 2003
I can get www.rx357.com to resolve to 18.104.22.168 (didn't try the
others), but connecting results in a Directory Listing Denied error.
Connecting to the IP results (with lynx) in a page that is almost entirely
what I think is Chinese. The few English readable strings are:
admin at ccol.com.cn
and a set of numbers: 0371-5908995
The numbers are probably a phone number. Googling them shows the number
relates in some way to www.ccol.com.cn and our friend admin at ccol.com.cn
above as well as some other webpages.
I haven't had a chance to wander through our logs to see if we've seen any
traffic from the IP or ccol.com.cn, but it doesn't ring any bells.
--James Morris-----------------------Systems Engineer----------------
University of Washington Computing & Communications
4545 15 AV NE, Seattle, WA 98105 Campus Box: 354841
E-mail: jmorris at cac.washington.edu voice (206) 221-3848
From: Joseph Brennan [mailto:brennan at columbia.edu]
Sent: Monday, December 15, 2003 07:58
To: unisog at sans.org
Subject: [unisog] Distributed spam attack
We have over 350 Spamcop reports this morning.
A spammer with URLs that may be in China staged a big distributed
spam run this weekend using a large network of compromised PCs.
URLs in text: www.rx357.com, www.2004hosting.org, www.2004hosting.net.
Can people at other places resolve those names and connect? I can't.
China has interfered with connections from Columbia U before.
The spam run was preceded by scans to port 65506/tcp of no known
significance at the time we saw them. About a dozen students'
Windows boxes that had been scanned were used this weekend in
the spam run. On Google I see many other examples sent from IPs
in many domains. Sample message below. All this for a penny-ante
cable descrambler product? Or is there more to it, if you can
open the web page?
Joseph Brennan Columbia University in the City of New York
Academic Technologies Group brennan at columbia.edu
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dwindows-12=
<META content=3D"MSHTML 6.00.2800.1141" name=3DGENERATOR>
<font color=3D"white">convolve delectable agamemnon cabinetry resume talen=
t pauline philosoph shopkeep horatio signet wiry gases brett=20</font><br>=
<p>Th</earthshaking>e ul</berry>timate d</feint>igital
<p>Th</betty>e fil</z's>ter wi</simpleminded>ll al</writ>low
yo</surveillant>u t</hobart>o rec</flux>eive a</toolkit>ll
t</draw>he ch</redbird>annels t</monic>hat y</niacin>ou
or</tote>der wi</actinolite>th y</aqua>our r</marque>emove
<p>pay</slice>perviews, adu</inspiration>lt mov</stephanotis>ies,s</brockl=
<img %RANDOM_TEXT border=3D"0"
<font color=3D"white">befogging denial ferromagnet neoconservative amman c=
himeric commission healthy baleen e lourdes angelo heard beryl buchwald cl=
---------- End Forwarded Message ----------
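A defender-side look at the evasion tricks visible in the sample above, as an added example that is not part of the thread: it decodes the quoted-printable body, lists the invisible white-on-white padding and the bogus closing tags spliced into words, and reconstructs the text a recipient actually sees. The fragment it analyses is constructed from the sample (shortened); KNOWN_TAGS and the suspicious-threshold are assumptions.

```python
import quopri
import re

# Constructed fragment modelled on the sample in the thread (shortened, not the
# full message): quoted-printable body, white-on-white word salad, and bogus
# closing tags spliced into the words of the real pitch.
SAMPLE_QP = b"""<font color=3D"white">convolve delectable agamemnon cabinetry=20</font><br>=
<p>Th</earthshaking>e ul</berry>timate d</feint>igital
<p>Th</betty>e fil</z's>ter wi</simpleminded>ll al</writ>low
yo</surveillant>u t</hobart>o rec</flux>eive a</toolkit>ll
"""

# Assumed set of elements a legitimate HTML mail is likely to use; any other
# closing tag is treated as filler that browsers silently ignore.
KNOWN_TAGS = {"html", "head", "body", "meta", "title", "p", "br", "font", "img",
              "a", "b", "i", "u", "div", "span", "table", "tr", "td", "center"}

TAG_RE = re.compile(r"<(/?)([A-Za-z][^\s<>]*)[^<>]*>")
HIDDEN_RE = re.compile(r'<font\s+color="white">(.*?)</font>', re.I | re.S)
# A letter, a closing tag, a letter: the tag is splitting a word.
SPLIT_RE = re.compile(r"[A-Za-z]</[^<>]+>[A-Za-z]")


def _strip_tag(m):
    # Bogus tags vanish without a gap so the split word re-joins; real tags become whitespace.
    return "" if m.group(2).lower() not in KNOWN_TAGS else " "


def analyze(raw_qp: bytes) -> dict:
    """Decode a quoted-printable HTML body and report the filter-evasion tricks it uses."""
    html = quopri.decodestring(raw_qp).decode("latin-1")
    hidden = [t.strip() for t in HIDDEN_RE.findall(html)]
    bogus = sorted({m.group(2) for m in TAG_RE.finditer(html)
                    if m.group(2).lower() not in KNOWN_TAGS})
    shown = HIDDEN_RE.sub(" ", html)          # drop text the reader never sees
    shown = TAG_RE.sub(_strip_tag, shown)     # re-join the split words
    return {
        "hidden_text": hidden,
        "bogus_tags": bogus,
        "split_words": len(SPLIT_RE.findall(html)),
        "visible_text": " ".join(shown.split()),
        # Assumed threshold: several split words plus invisible text is characteristic of this run.
        "suspicious": len(bogus) >= 3 and bool(hidden),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_QP).items():
        print(f"{key}: {value}")
```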