North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Operational impact of filtering SMB/NETBIOS traffic?

  • From: Jeremy T. Bouse
  • Date: Mon Nov 20 00:15:23 2000

David Avery was said to been seen saying:
> I would hope leased line/colo machines would be better set up, but I am probably
> dreaming.
	One would think this to be true but I have found it quite often to
be the opposite... I've had to deal with countless intrusion attempts against
our network only to find that the box attacking me had been owned by some
script kiddie on the net because the admin of the box had failed to secure
it before placing it online... I've found this to be true with school
districts (had one in Colorado a several weeks ago) and commercial companies
(had a company in Dallas, TX right after the school district incident)...
In fact in the case of the Colorado school district attempt I had the 
admin tell me he had only put the machine online on Thursday, however by
Sunday I had already recorded attempts from it... 

> Just for referance I an one of the net/security admins at
> and there are a number of win* worms running arounf in the wild carrying
> the client as part of their payload.
> So far in the past 3 months ( since the worms appeared) I have logged
> over 400,000 unique IP addresses returning data to 
> from installs created by the worms. We have spot checked a number of 
> these IPs and find win9x boxes with open C shares and signs on multiple
> infestation including QAZ and other DDoS payloads.
	This would not surprise me at all... I've noticed quite a few
QAZ style signature attempts coming from repeated Cable & Wireless IP blocks
recently... As I'm on a C&W backbone I'm routinely scan'd by other C&W
IPs which have been infect'd and some have even been from clients of my
own ISP...

	Jeremy T. Bouse
	UnderGrid Network Services, LLC

| Jeremy T. Bouse  -  UnderGrid Network Services, LLC  -  |
|       All messages from this address should be atleast PGP/GPG signed       |
|        Public PGP/GPG fingerprint and location in headers of message        |
|     If received unsigned (without requesting as such) DO NOT trust it!      |
| [email protected]  -  NIC Whois: JB5713  -  [email protected] |

Attachment: pgp00018.pgp
Description: PGP signature