[unisog] Distributed spam attack

James Morris jmorris at cac.washington.edu
Mon Dec 15 21:58:34 GMT 2003


I can get www.rx357.com to resolve to 202.102.249.103 (didn't try the
others), but connecting results in a Directory Listing Denied error.
Connecting to the IP results (with lynx) in a page that is almost entirely
what I think is Chinese.  The few English readable strings are:
	admin at ccol.com.cn
	mailfaq1.gif
	POP3: mail.yourname.com
	SMTP: mail.yourname.com
and a set of numbers: 0371-5908995
The numbers are probably a phone number.  Googling them shows the number
relates in some way to www.ccol.com.cn and our friend admin at ccol.com.cn
above as well as some other webpages.

I haven't had a chance to wander through our logs to see if we've seen any
traffic from the IP or ccol.com.cn, but it doesn't ring any bells.

-James

--James Morris-----------------------Systems Engineer----------------
University of Washington             Computing & Communications
4545 15 AV NE, Seattle, WA 98105     Campus Box: 354841
E-mail: jmorris at cac.washington.edu               voice (206) 221-3848
---------------------------------------------------------------------
 
-----Original Message-----
From: Joseph Brennan [mailto:brennan at columbia.edu] 
Sent: Monday, December 15, 2003 07:58
To: unisog at sans.org
Subject: [unisog] Distributed spam attack

We have over 350 Spamcop reports this morning.

A spammer with URLs that may be in China staged a big distributed
spam run this weekend using a large network of compromised PCs.
URLs in text: www.rx357.com, www.2004hosting.org, www.2004hosting.net.
Can people at other places resolve those names and connect?  I can't.
China has interfered with connections from Columbia U before.

The spam run was preceded by scans to port 65506/tcp of no known
significance at the time we saw them.  About a dozen students'
Windows boxes that had been scanned were used this weekend in
the spam run.  On Google I see many other examples sent from IPs
in many domains.  Sample message below.  All this for a penny-ante
cable descrambler product?  Or is there more to it, if you can
open the web page?

Joseph Brennan         Columbia University in the City of New York
Academic Technologies Group                   brennan at columbia.edu




Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dwindows-12=
51">
<META content=3D"MSHTML 6.00.2800.1141" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<font color=3D"white">convolve delectable agamemnon cabinetry resume talen=
t pauline philosoph shopkeep horatio signet wiry gases brett=20</font><br>=

<body>

<p>Th</earthshaking>e ul</berry>timate d</feint>igital
ca</derbyshire>ble f</nocturnal>ilter</p>
<p>Th</betty>e fil</z's>ter wi</simpleminded>ll al</writ>low
yo</surveillant>u t</hobart>o rec</flux>eive a</toolkit>ll
t</draw>he ch</redbird>annels t</monic>hat y</niacin>ou
or</tote>der wi</actinolite>th y</aqua>our r</marque>emove
cont</washbasin>rol!</p>
<p>pay</slice>perviews, adu</inspiration>lt mov</stephanotis>ies,s</brockl=
e>port
even</voss>ts,s</embattle>pecial ev</nolo>ents!
<a href=3D"http://www.2004hosting.net/cable/">
se</indigo>e n</cairn>ow!</a></p><p>
<a href=3D"http://www.2004hosting.net/cable/">
<img %RANDOM_TEXT border=3D"0"
src=3D"http://www.2004hosting.net/fiter.jpg"></a></p>

<br>
<font color=3D"white">befogging denial ferromagnet neoconservative amman c=
himeric commission healthy baleen e lourdes angelo heard beryl buchwald cl=
ark=20</font>
</BODY>
</HTML>

---------- End Forwarded Message ----------
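The sample above hides its pitch two ways: white-on-white filler words and nonsense closing tags spliced into every word (`Th</earthshaking>e`), so a naive keyword filter never sees "cable filter". The following is an added example, not code from either poster, showing how a mail filter can normalise such a message before scoring it: decode the quoted-printable body, drop text inside `font color="white"`, join the fragments split by unmatched closers, and count those tricks as signals. `SAMPLE_QP` is a constructed, shortened excerpt modelled on the quoted sample.

```python
import quopri
from html.parser import HTMLParser

# Constructed excerpt modelled on the quoted-printable sample in the post
# (shortened; the structure and the obfuscation tricks are the same).
SAMPLE_QP = b"""<BODY bgColor=3D#ffffff>
<font color=3D"white">convolve delectable agamemnon cabinetry resume talen=
t pauline=20</font><br>
<p>Th</earthshaking>e ul</berry>timate d</feint>igital
ca</derbyshire>ble f</nocturnal>ilter</p>
<a href=3D"http://www.2004hosting.net/cable/">se</indigo>e n</cairn>ow!</a>
</BODY>"""


class SpamNormalizer(HTMLParser):
    """Separates reader-visible text from hidden text and counts bogus closers."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hidden?) for tags that were actually opened
        self.visible, self.hidden = [], []
        self.bogus_end_tags = 0  # closers such as </earthshaking> with no opener
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = tag == "font" and (a.get("color") or "").lower() == "white"
        self.stack.append((tag, hidden))
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:   # unwind to the matching opener
                pass
        else:
            self.bogus_end_tags += 1            # word-splitting junk tag

    def handle_data(self, data):
        (self.hidden if any(h for _, h in self.stack) else self.visible).append(data)


def normalize(qp_bytes, charset="windows-1251"):
    """Decode QP, parse, and return what a recipient would actually see plus signals."""
    p = SpamNormalizer()
    p.feed(quopri.decodestring(qp_bytes).decode(charset, "replace"))
    p.close()
    return {
        "text": " ".join("".join(p.visible).split()),
        "hidden_words": len("".join(p.hidden).split()),
        "bogus_end_tags": p.bogus_end_tags,
        "links": p.links,
    }
```

On the excerpt, `normalize` recovers "The ultimate digital cable filter see now!" and reports 7 hidden filler words and 7 bogus closing tags, which are themselves strong spam indicators independent of the wording.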