North American Network Operators Group

Re: nlayer.net Abuse and Security contact
On Thu, 2003-12-18 at 08:09, John Obi wrote:
> Folks,
>
> I have sent many emails to [email protected] and [email protected] reporting
> a security abuse by one of their users but nothing has been done up to now.
>
> If there is a real person from nlayer.net please contact me offline.
>
> Thanks,
>
One suggestion is to use an e-mail account other than Yahoo. That might be an
issue with abuse/security folks.

Dee

> -J
>
> __________________________________
> Do you Yahoo!?
> New Yahoo! Photos - easier uploading and sharing.
> http://photos.yahoo.com/
>
> ______________________________________________________________________
> From: John Obi <[email protected]>
> To: [email protected], [email protected]
> Cc: [email protected]
> Subject: Abuse and spamming trojans via www.darkhell.org
> Date: Mon, 15 Dec 2003 22:57:36 -0800
>
> Dear Sir/Madam,
>
> We have a known script kiddie who spreads Download.Trojan and BAT.Trojan.
>
> The script kiddie runs port scans and infects the users who use WinNT, 2000
> and XP via port 445 if Windows isn't updated.
>
> He is issuing commands to the infected PCs to download this setup file,
> which has these trojans:
>
> http://www.darkhell.org/sh1.exe
>
> This host is hosting the trojan files, which are in sh1.exe.
>
> When you download this file and you have Norton Antivirus or McAfee with the
> latest virus IDs, your AV will detect it directly as below:
>
> Scan type: Realtime Protection Scan
> Event: Virus Found!
> Virus name: Download.Trojan
> File: C:\WINNT\system32\Haver\Backsa.exe
> Location: Quarantine
> Computer: RASHID-ALKUBAIS
> User: Administrator
> Action taken: Clean failed : Quarantine succeeded : Access denied
> Date found: Tue Dec 16 09:23:12 2003
>
> Scan type: Realtime Protection Scan
> Event: Virus Found!
> Virus name: BAT.Trojan
> File: C:\WINNT\system32\Haver\ceve.bat
> Location: Quarantine
> Computer: RASHID-ALKUBAIS
> User: Administrator
> Action taken: Clean failed : Quarantine succeeded : Access denied
> Date found: Tue Dec 16 09:23:12 2003
>
> When I got connected to his IRC server I saw this:
>
> * Dns resolved sh1.cellfiles.org to 81.134.89.149
>
> [07:01] * Connecting to 81.134.89.149 (6667)
> -
> [07:01] -irc.DarkHell.Org- *** Looking up your hostname...
> -
> There are 437 users and 0 invisible on 1 servers
> 2 channels formed
> I have 437 clients and 0 servers
> -
>
> ========================
>
> [07:01] * Now talking in #sh1-
> [07:01] <[H0-3250]> !pfast stop
> [07:01] <[H0-3250]> !syn 66.90.92.202 6667 500
> [07:01] <[H0-3250]> !pfast 444444 66.90.92.202 6667
> [07:02] <[H0-3250]> !syn 202.91.32.181 6667 500
> [07:02] <[H0-3250]> !pfast stop
> [07:02] <[H0-3250]> !pfast 444444 202.91.32.181 6667
> [07:02] <[H0-3250]> !syn 69.65.31.3 6667 500
> [07:02] <[H0-3250]> !pfast stop
> [07:02] <[H0-3250]> !pfast 444444 69.65.31.3 6667
> [07:02] <[H0-3250]> !ipscan
> [07:02] <[H0-3250]> !syn 66.151.29.193 6667 500
>
> ========================================
>
> -
> [H0-3250] is [email protected] * h3h3
> [H0-3250] on +#sh1-
> [H0-3250] using irc.DarkHell.Org DarkHell server
> [H0-3250] has been idle 18secs, signed on Mon Dec 15 14:53:28
> [H0-3250] End of /WHOIS list.
> -
>
> ==================================================
>
> And he is issuing these DDoS attacks against the IRC servers around the
> globe and the HTTP servers.
>
> The traceroute to www.darkhell.org shows that it's hosted in your network.
>
> I'm asking you to stop this abuse kindly ASAP.
>
> Thanks,
>
> -J

-- 
Alaska Wireless Systems
http://www.akwireless.net
-=- "Take Control of Your E-Mail!"
(907)349-4308 Office - AIM = awswired