North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Williams/UUNET/Sprint

  • From: Jeff Kell
  • Date: Mon Jul 21 20:05:48 2003

Richard A Steenbergen wrote:
On Mon, Jul 21, 2003 at 02:37:34PM -0400, Deepak Jain wrote:

Has anyone had to deal with this in their BGP filter tables?

5 (  4 ms  11 ms  4 ms
6  GigabitEthernet5-0.GW4.IAD8.ALTER.NET (  4 ms  4 ms  4 ms
7 (  3 ms  4 ms  6 ms
8 (  4 ms  5 ms  5 ms
9 (  6 ms  6 ms  6 ms
0 (  6 ms  6 ms  6 ms
1  POS7-0.BR4.DCA6.ALTER.NET (  8 ms  6 ms  7 ms
2 (  8 ms  8 ms  8 ms

Is Williams getting transit to Sprint via UUNET or vice versa? Sorry if I
have been out of the loop on this.
Regarding Williams, here is an excerpt of an abuse complaint I sent to them (and Edge 1 - theoretically one of their customers):

As the end result of chasing down spam originating from one of our
hosts, we discovered the host was infected with the Jeem backdoor
trojan.  This was found "in the wild" Thursday, July 17, and
examination of our PIX logs showed that the proxy source was various
IPs in the 69.44.28.x netblock, registered to Edge 1 Networks, but
yielding reverse DNS names in WCG.NET.  The machine was removed from
the network, but the proxy attempts from 69.44.28.x (and a few other
addresses) continued for quite some time (logs are included below).
It is quite clear from the logs that for each incoming proxy, the
machine responded with an SMTP connection to the spammer's next

In the process of finding the trojan and identifying the traffic
source, we placed the machine on a sniffer and reconnected to the
network today (Friday, July 18).  Within five minutes, the machine
was again swarmed by hosts in the 69.44.28.x netblock.  If you want
the ethereal trace file, I can supply it, but the results are the
same.  It was quickly removed from the network, and the proxy
attempts continued.