North American Network Operators Group


Re: Port 139 scans

  • From: Roland Dobbins
  • Date: Thu Sep 28 14:04:59 2000

http://www.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html

Ben Browning wrote:
> 
> At 09:54 AM 9/28/00 -0700, [email protected] wrote:
> >By the way, we identified a couple instances of the virus that Ken Lindahl
> >mentioned in his earlier post.
> 
> Indeed, nearly all of my woes have disappeared with this information.
> Thanks Ken!
> 
> Additionally, I set a trap for it yesterday. I opened a Windows box up to
> all internet traffic, made it nice and insecure (let me tell ya, that took
> a lot of work ;), and dialed it up. Then every half hour or so I checked
> for it. After an hour, I had a bug in a bottle.
> 
> Busting out the handy hex editor, I scrolled down, and down, and down,
> until what should appear before my burning eyes, but Lo! An IP address...
> 
> ...which points to an open mail relay somewhere in China (202.106.185.107)
> which then is used to send the info (likely the IP addy of the infected box)
> to the local user nongmin_cn. If anyone else goes through this process,
> I'd be interested in knowing about it.
> 
> I already sent off abuse complaints to the upstreams for that IP. Hope they
> can read English :)
> 
> ---
> Ben Browning <[email protected]>
> oz.net Network Operations
> Tel (206) 443-8000 Fax (206) 443-0500
> http://www.oz.net/

-- 
------------------------------------------------------------
 Roland Dobbins <[email protected]> // 818.535.5024 voice
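Ben's hex-editor walk through the captured sample (scrolling until an IP address and a user name turn up) is the manual form of a standard triage step: pull printable strings out of a suspect binary, pick out anything that parses as an IPv4 literal, and separate routable addresses from private ones so the abuse report goes to the right place. The script below is an added example and is not code from either poster; the address 202.106.185.107 and the user name nongmin_cn are taken from Ben's message, but the surrounding byte layout of `SAMPLE_BLOB` is constructed for the demonstration and does not reproduce the real sample.

```python
import ipaddress
import re
import sys

# Constructed stand-in for the bytes Ben scrolled through: some header junk,
# an embedded IPv4 literal, a local user name, an SMTP fragment, one bogus
# dotted quad that must be rejected, and one private-range address.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00" + b"\xff" * 16
    + b"202.106.185.107\x00"     # relay address from the post
    + b"\x00" * 8
    + b"nongmin_cn\x00"          # local user name from the post
    + b"RCPT TO:\x00"
    + b"999.1.1.1\x00"           # looks like an address, is not one
    + b"10.0.0.1\x00"            # RFC 1918, not worth an abuse complaint
)

# Runs of 4+ printable ASCII bytes, the same thing `strings` would show.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Dotted quads with no digit or dot immediately around them, so that a longer
# numeric run is not chopped into a false address.
IPV4_RE = re.compile(rb"(?<![0-9.])((?:[0-9]{1,3}\.){3}[0-9]{1,3})(?![0-9.])")


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(blob)]


def extract_ipv4(blob: bytes) -> list[str]:
    """Return candidate dotted quads that actually parse as IPv4 addresses.

    The regex alone accepts octets up to 999; ipaddress does the real check.
    """
    found: list[str] = []
    for m in IPV4_RE.finditer(blob):
        text = m.group(1).decode("ascii")
        try:
            ipaddress.IPv4Address(text)
        except ValueError:
            continue  # e.g. 999.1.1.1: matched the shape, not a valid address
        if text not in found:
            found.append(text)
    return found


def classify(blob: bytes) -> dict[str, str]:
    """Map each valid embedded address to 'public' or 'private'.

    Only public addresses are candidates for an upstream abuse report;
    private, loopback and similar ranges are noise from the sample's own code.
    """
    result: dict[str, str] = {}
    for text in extract_ipv4(blob):
        addr = ipaddress.IPv4Address(text)
        result[text] = "public" if addr.is_global else "private"
    return result


def triage(blob: bytes) -> None:
    """Print the strings and address classification for a blob."""
    print("printable strings:")
    for s in extract_strings(blob):
        print("  ", s)
    print("embedded IPv4 addresses:")
    for text, kind in classify(blob).items():
        print(f"   {text:<16} {kind}")


if __name__ == "__main__":
    # With a path argument, triage that file; otherwise use the constructed blob.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            triage(fh.read())
    else:
        triage(SAMPLE_BLOB)
```

Run it with a path to a quarantined sample to get the `strings`-style listing plus the address table; the `ipaddress` validation is what keeps a stray version number or offset like 999.1.1.1 out of the report, and the public/private split is the check to do before sending the kind of abuse complaint Ben mentions.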