|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: Spam from weird IP 118.189.136.119
Okay, but what's the trojan signature look like? How should people be checking to see if they're compromised? -----Original Message----- From: John Brown [mailto:[email protected]] Sent: Tuesday, June 17, 2003 10:12 AM To: Lars Higham Cc: [email protected] Subject: Re: Spam from weird IP 118.189.136.119 I name this Weird-118rr On Tue, Jun 17, 2003 at 09:48:07AM +0530, Lars Higham wrote: > > > > It would be useful if this exploit could be named and documented at > least for one known instance - > > > Regards, > Lars Higham > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf > Of Richard D G Cox > Sent: Monday, June 16, 2003 9:32 PM > To: [email protected] > Subject: Re: Spam from weird IP 118.189.136.119 > > > > On Mon, 16 Jun 2003 17:33:11 +0200, "Pascal Gloor" > <[email protected]> wrote: > > | Getting SPAM from 118.189.136.119 relayed by rr.com ? > | > | this network is not allocated, nor announced. I have been looking > | everywhere to find if it has been announced (historical bgp update > | databases, like RIS RIPE / CIDR REPORT / etc..)... I didnt found > | anything.... this probably mean rr.com is routing that network > | internaly. > > This is very likely to be a known exploit I have been tracking. In > all the cases which we have so far confirmed, the spam was not > relayed, but proxied by a trojan executable which is able to mimic a > "previous" header with such a degree of accuracy that it is > indistinguishable from the genuine article! > > | If there is any rr.com guy around. Could you please check this? > > Our advice would be that the server-that-connected-to-you needs to be > taken offline by the security people at its site (which you say is > RoadRunner) and they should have ALL its disk(s) imaged for forensic > analysis purposes. > > Our experience is that sites hit by this exploit will do basic checks > on the server and claim it is uncompromised and "cannot possibly be > sending that spam". Such a claim would be entirely incorrect. You > would need to persuade them that something is wrong, which is > difficult at the best of times. RoadRunner being involved in this > case suggests this may > *not* be the "best of times". > > -- > Richard Cox >
|