Velocity Reviews - Computer Hardware Reviews
Blaster worm at Paradise

 
 
Col^
09-17-2003
I did a survey on hits at my firewall over a period of about 3 days.

Whilst using a 202.0.xxx.xxx DNS number I was getting probes on port 135 from
Paradise users in that DNS range totalling 12 per cent of all probes.

Whilst using a 203.79.xxx.xxx DNS number I was getting probes on port 135 from
Paradise users in the DNS range totalling 14.7 per cent of all probes.

I am still getting pings from Paradise users at the rate of 30 - 100 per
hour depending on the time.

******
Paradise reply to an email I sent

Hi There

Thank you for your e-mail. It is normal to receive ICMP data for various
reasons. This should not be of any concern unless it occurs repeatedly in a
very short period of time. Hacking activities would normally involve TCP or
UDP port scans rather than ICMP.

Regards,

Paradise Net Abuse Team

--
Col

Phone answering machine message - "...If you want
to buy marijuana, press the hash key..."
 
Mark Remfrey
09-17-2003
My firewall log has at least 90% of Port 135 scans emanating from Xtra
dialup accounts.

I emailed the abuse team my logfile and suggested they get proactive about
it, and email these accounts telling them to sort their **** out as it was
impeding my enjoyment of service. I was even kind enough to filter
out only the Xtra stuff (because they only handle Xtra stuff). That was
several days ago, and all I got was an automated return email saying thanks,
we'll look into it.

It also makes you wonder about the still infected comps around the place
that keep constantly crashing. Actually, it makes you wonder more about the
people using them.

Regards,
Mark

Col^ wrote:
> I did a survey on hits at my firewall over a period of about 3 days.
>
> Whilst using a 202.0.xxx.xxx DNS number I was getting probes on port 135 from
> Paradise users in that DNS range totalling 12 per cent of all probes.
>
> Whilst using a 203.79.xxx.xxx DNS number I was getting probes on port 135 from
> Paradise users in the DNS range totalling 14.7 per cent of all probes.
>
> I am still getting pings from Paradise users at the rate of 30 - 100 per
> hour depending on the time.
>
> ******
> Paradise reply to an email I sent
>
> Hi There
>
> Thank you for your e-mail. It is normal to receive ICMP data for various
> reasons. This should not be of any concern unless it occurs repeatedly in a
> very short period of time. Hacking activities would normally involve TCP or
> UDP port scans rather than ICMP.
>
> Regards,
>
> Paradise Net Abuse Team
 
steve
09-18-2003
Mark Remfrey wrote:

> It aslo makes you wonder about the still infected comps around the place
> that keep constantly crashing. Actually, it makes you wonder more about the
> people using them.
>
> Regards,
> Mark


Don't wonder.

They don't know what's wrong and have no idea how to fix it.

As long as the PC works - sorta - they will limp along and keep their
heads firmly planted in the ground.

I've seen this so many times I now regard it as the default behaviour
for a huge chunk of the human population.

Denial.

Not everyone. Not even most. But a large minority.

 
Mark Remfrey
09-18-2003

steve wrote:
> Mark Remfrey wrote:
>
> > It also makes you wonder about the still infected comps around the place
> > that keep constantly crashing. Actually, it makes you wonder more about the
> > people using them.
>
> Don't wonder.
>
> They don't know what's wrong and have no idea how to fix it.

That was the basis for telling Xtra they should be proactive and not keep
their customers guessing as to whether they have a problem or not.

> As long as the PC works - sorta - they will limp along and keep their
> heads firmly planted in the ground.

People should have more of a vested interest in what they probably paid very
good money for. It's like a car, it needs regular tune-ups and maintenance.

> I've seen this so many times I now regard it as the default behaviour
> for a huge chunk of the human population.
> Denial.

Out of sight, out of mind.

> Not everyone. Not even most. But a large minority.

I had to read that twice... (was getting the majors and minors mixed up)

Regards,
Mark

 
T.N.O.
09-18-2003

"steve" wrote
> .....and yet...we have old dungers on the road....
> They can only be that way for lack of maintenance. Probably the same
> people.
> ........

Actually, I disagree... the reason for having "old dungers" on the road is
more likely to be good maintenance than a lack of it.

 
Chris Wilkinson
09-18-2003
Hi there,

Col^ wrote:
> I did a survey on hits at my firewall over a period of about 3 days .
>
> Whilst using a 202.0.xxx.xxx DNS number I was getting probes on port 135 from
> Paradise users in that DNS range totalling 12 per cent of all probes.
>
> Whilst using a 203.79.xxx.xxx DNS number I was getting probes on port 135 from
> paradise users in the DNS range totalling 14.7 percent of all probes .


I guessed that port 135 hacks would make up a larger percentage than that, but
total firewall blocks have more than halved on my system in the last
week... maybe people are getting the message and are installing
firewalls to keep gremlins out...

> I am still getting pings from paradise users at the rate of 30 - 100 per
> hour depending on the time


I get a lot from Paradise too. Xtra surprisingly rates quite low down
the list in terms of my firewall volume, despite their big market share.

> Paradise reply to an email I sent
>
> Hi There
>
> Thank you for your e-mail. It is normal to receive ICMP data for various
> reasons. This should not be of any concern unless it occurs repeatedly in a
> very short period of time. Hacking activities would normally involve TCP or
> UDP port scans rather than ICMP.


I don't agree entirely with them. Usually hackers ICMP 'ping' a string
of IP addresses until one replies, then start scanning ports with TCP
and/or UDP on that IP address.

I also believe (techies feel free to refute this!) that hackers are
phreaking IP addresses from packets routed through servers they may
be connected to. I confirmed this by doing a traceroute to a website
somewhere in Europe, then watched firewall activity for a few minutes.
Surprisingly many of the blocked port hacks my firewall logged during
the time directly after doing the traceroute came from IP addresses
located on several of the servers the traceroute had resolved...

Kind regards,

Chris Wilkinson, Christchurch.

 
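
Col^'s tally of port 135 probes per address range, Mark's filtering of his log down to one ISP's addresses before sending it to the abuse desk, and the "ping first, then scan" sequence Chris describes are all things a short script can pull out of a firewall log instead of counting by hand. The Python below is an added example, not code from anyone in this thread. The log lines are constructed in a netfilter/syslog style; the /16 prefixes are an assumed stand-in for the masked "202.0.xxx.xxx" and "203.79.xxx.xxx" ranges (the ISPs' actual allocations are not given here), and the year is assumed to be 2003 because syslog timestamps do not carry one.

```python
# Added example: counting TCP/135 probes and ICMP echo requests per ISP range
# in a firewall log, the way the posters above did by hand.
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log in a netfilter/syslog style (not any poster's real log).
# 202.0.0.0/16 stands in for the masked "202.0.xxx.xxx" range; this is an
# assumption, the ISPs' actual allocations are not given in the thread.
SAMPLE_LOG = """\
Sep 17 10:02:11 gw kernel: IN=ppp0 SRC=202.0.45.7 DST=202.0.99.12 PROTO=ICMP TYPE=8 CODE=0
Sep 17 10:02:13 gw kernel: IN=ppp0 SRC=202.0.45.7 DST=202.0.99.12 PROTO=TCP SPT=1234 DPT=135
Sep 17 10:05:40 gw kernel: IN=ppp0 SRC=210.55.8.3 DST=202.0.99.12 PROTO=TCP SPT=4001 DPT=135
Sep 17 10:07:02 gw kernel: IN=ppp0 SRC=219.88.1.9 DST=202.0.99.12 PROTO=TCP SPT=3120 DPT=135
Sep 17 10:09:55 gw kernel: IN=ppp0 SRC=202.0.200.4 DST=202.0.99.12 PROTO=ICMP TYPE=8 CODE=0
Sep 17 10:30:00 gw kernel: IN=ppp0 SRC=202.0.200.4 DST=202.0.99.12 PROTO=ICMP TYPE=8 CODE=0
Sep 17 10:31:17 gw kernel: IN=ppp0 SRC=210.55.8.3 DST=202.0.99.12 PROTO=TCP SPT=4002 DPT=445
Sep 17 10:45:20 gw kernel: IN=ppp0 SRC=202.0.45.7 DST=202.0.99.12 PROTO=TCP SPT=1240 DPT=135
Sep 17 11:01:03 gw kernel: IN=ppp0 SRC=219.88.1.9 DST=202.0.99.12 PROTO=TCP SPT=3200 DPT=135
Sep 17 11:02:30 gw kernel: IN=ppp0 SRC=202.0.200.4 DST=202.0.99.12 PROTO=TCP SPT=1100 DPT=135
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<kv>.*)$")

def parse_line(line, year=2003):
    """Parse one line into a record; None if it is not a netfilter log line.
    syslog timestamps carry no year, so the caller supplies it (assumed 2003 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    if "SRC" not in fields:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        "src": ipaddress.ip_address(fields["SRC"]),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "icmp_type": int(fields["TYPE"]) if "TYPE" in fields else None,
        "raw": line,
    }

def parse_log(text, year=2003):
    return [r for r in (parse_line(ln, year) for ln in text.splitlines()) if r]

def is_port135_probe(r):
    # Blaster spread over TCP/135, the RPC endpoint mapper.
    return r["proto"] == "TCP" and r["dpt"] == 135

def is_ping(r):
    # ICMP type 8 is an echo request.
    return r["proto"] == "ICMP" and r["icmp_type"] == 8

def port135_share(records, prefix):
    """Percentage of all TCP/135 probes whose source lies inside `prefix`."""
    net = ipaddress.ip_network(prefix)
    probes = [r for r in records if is_port135_probe(r)]
    if not probes:
        return 0.0
    return round(100.0 * sum(r["src"] in net for r in probes) / len(probes), 1)

def pings_per_hour(records, prefix):
    """Echo requests from `prefix`, bucketed by clock hour."""
    net = ipaddress.ip_network(prefix)
    return dict(Counter(r["ts"].strftime("%Y-%m-%d %H:00")
                        for r in records if is_ping(r) and r["src"] in net))

def ping_then_scan(records, window=timedelta(minutes=5)):
    """Sources whose echo request was followed by a TCP/135 hit within `window`."""
    last_ping, flagged = {}, []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if is_ping(r):
            last_ping[r["src"]] = r["ts"]
        elif is_port135_probe(r) and r["src"] in last_ping:
            if r["ts"] - last_ping[r["src"]] <= window and str(r["src"]) not in flagged:
                flagged.append(str(r["src"]))
    return flagged

def lines_for_abuse_report(records, prefix):
    """Only the raw lines from one ISP's range: what its abuse desk can act on."""
    net = ipaddress.ip_network(prefix)
    return [r["raw"] for r in records if r["src"] in net]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for prefix in ("202.0.0.0/16", "203.79.0.0/16"):
        print(prefix, "share of TCP/135 probes:", port135_share(recs, prefix), "%")
    print("pings per hour from 202.0.0.0/16:", pings_per_hour(recs, "202.0.0.0/16"))
    print("ping then TCP/135 within 5 min:", ping_then_scan(recs))
    print(len(lines_for_abuse_report(recs, "202.0.0.0/16")), "lines for the abuse report")
```

On the constructed log, half of the TCP/135 probes come from the 202.0.0.0/16 range, the three pings from that range all fall in the 10:00 hour, and exactly one source (202.0.45.7) pings and then hits port 135 within the five-minute window; the other 202.0 host pings twice but only probes port 135 half an hour later, so a ping alone says little, which is roughly what the Paradise abuse desk replied and also why Chris's correlation is worth checking in your own log rather than assuming either way. The abuse-report filter is the same trick Mark describes: hand an ISP only the lines it can act on.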
 
Howard
09-18-2003
Chris Wilkinson wrote:

> I also believe (techies feel free to refute this!) that hackers are
> phreaking IP addresses from packets routed through servers they may
> be connected to. I confirmed this by doing a traceroute to a website
> somewhere in Europe, then watched firewall activity for a few minutes.
> Surprisingly many of the blocked port hacks my firewall logged during
> the time directly after doing the traceroute came from IP addresses
> located on several of the servers the traceroute had resolved...


Now that's interesting.

How does one get to own (legitimately) one of the servers along the route? I
thought it would be only ISPs who would be routing ICMP traffic.

The reason I ask is I once said to my father that he should think about
encrypting his email. He invited me to prove the risk by reproducing one of
his private emails grabbed off the web. I was stumped - my thinking went I'd
have to own a router along the route. Means that we trust ISP staff, but
other than that the risk is small.

Or am I wrong and it really is easy to grab email off the web?


 
steve
09-18-2003
T.N.O. wrote:
> "steve" wrote
>
>>.....and yet...we have old dungers on the road....
>>They can only be that way for lack of maintenance. Probably the same
>>people.
>>........
>
> Actually, I disagree... the reason for having "old dungers" on the road is
> more likely to be good maintenance than a lack of it.

I had in mind rusted out and blowing oily smoke.

Your picture may well have differed.
 
AD.
09-18-2003
On Thu, 18 Sep 2003 19:44:19 +1200, Howard wrote:

> How does one get to own (legitimately) one of the servers along the route?
> I thought it would be only ISPs who would be routing ICMP traffic.
>
> The reason I ask is I once said to my father that he should think about
> encrypting his email. He invited me to prove the risk by reproducing one
> of his private emails grabbed off the web. I was stumped - my thinking
> went I'd have to own a router along the route. Means that we trust ISP
> staff, but other than that the risk is small.
>
> Or am I wrong and it really is easy to grab email off the web?


Depends on the network, ie cable modem connections used to be (maybe still
are?) on a shared segment and you could watch the neighbourhood's traffic
go past.

Or someone could take over his ISP's mail server, or if they control
another machine on the same network as the mail server they could try some
layer 2 ARP tricks to confuse switches etc.

But you're right, most of that stuff wouldn't be easy to pull off without
a pretty lax ISP.

Cheers
Anton
 
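
The best-known of the "layer 2 ARP tricks" AD. alludes to is ARP cache poisoning: unsolicited ARP replies that bind the gateway's (or the mail server's) IP address to the attacker's MAC, so that other hosts on the switched segment hand their frames to the attacker, who forwards them on and reads them in passing. The same ARP traffic that carries the attack also betrays it, and the Python below shows the detection side as an added example that is not from anyone in this thread. The ARP replies are constructed, and the addresses and the "gateway" role are assumptions.

```python
# Added example: spotting ARP cache poisoning, one of the "layer 2 ARP tricks"
# mentioned above, from the ARP replies seen on a switched segment.
from collections import Counter

# Constructed ARP replies as (seconds since start, sender IP, sender MAC).
# Not a real capture; the addresses and the "gateway" role are assumptions.
ARP_REPLIES = [
    (0.0,  "10.0.0.1",  "00:11:22:33:44:01"),  # legitimate gateway
    (1.0,  "10.0.0.25", "00:11:22:33:44:25"),  # an ordinary host
    (2.0,  "10.0.0.50", "00:11:22:33:44:50"),  # the attacker's own address
    (30.0, "10.0.0.1",  "00:11:22:33:44:50"),  # attacker claims the gateway's IP
    (31.0, "10.0.0.25", "00:11:22:33:44:50"),  # ...and the host's IP: both sides poisoned
    (32.0, "10.0.0.1",  "00:11:22:33:44:01"),  # real gateway answers again (flip-flop)
]

def detect_arp_poisoning(replies):
    """Return (alerts, suspect_mac).

    An alert is raised each time the MAC advertised for an IP changes, the
    flip-flop pattern arpwatch-style tools key on. The MAC that displaces
    others most often is reported as the likely poisoner: the real gateway
    also "displaces" the attacker once when it answers again, so a count is
    used rather than trusting whichever MAC was seen first or last.
    """
    bindings = {}          # ip -> MAC currently advertised for it
    takeovers = Counter()  # MAC -> number of times it replaced another MAC
    alerts = []
    for ts, ip, mac in sorted(replies):
        old = bindings.get(ip)
        if old is not None and old != mac:
            alerts.append({"ts": ts, "ip": ip, "old_mac": old, "new_mac": mac})
            takeovers[mac] += 1
        bindings[ip] = mac
    suspect = takeovers.most_common(1)[0][0] if takeovers else None
    return alerts, suspect

def ips_claimed_by(replies, mac):
    """Every IP a MAC has ever advertised; several is odd for a single-homed host."""
    return {ip for _, ip, m in replies if m == mac}

if __name__ == "__main__":
    alerts, suspect = detect_arp_poisoning(ARP_REPLIES)
    for a in alerts:
        print(f"t={a['ts']:>5}: {a['ip']} moved {a['old_mac']} -> {a['new_mac']}")
    print("likely poisoner:", suspect, "claiming", sorted(ips_claimed_by(ARP_REPLIES, suspect)))
```

In practice the reply list would come from a sniffer on the segment (tcpdump's `arp` filter, or arpwatch, which keeps exactly this IP-to-MAC table and mails on changes). Routers and hosts with several addresses legitimately answer for more than one IP, so the MAC-claims-many-IPs signal needs a whitelist; the gateway's MAC suddenly changing, and changing back, is the signal to act on. On the shared-segment cable networks AD. mentions none of this is needed, since every frame is already visible to every neighbour; static ARP entries for the gateway and mail server, or dynamic ARP inspection on the switch, are the usual countermeasures on the switched case.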
 
Uncle StoatWarbler
09-18-2003
On Thu, 18 Sep 2003 14:12:14 +1200, steve wrote:

> As long as the PC works - sorta - they will limp along and keep their
> heads firmly planted in the ground.
>
> I've seem this so many times I now regard it as the default behaviour
> for a huge chunk of the human population.
>
> Denial.
>
> Not everyone. Not even most. But a large minority.

TV servicemen will tell you that they routinely see people putting up with
incredibly shitty pictures - snowstorms, ghosts, colour/geometry screwups,
etc.

The usual comment is that they're used to it. They never realise how BAD
things are until they see Joe Bloggs' perfect setup next door.


Kinda like the guy at $orkplace whose computer just got replaced with a
dual 2.4GHz p4/Xeon. It's at _least_ 8 times faster than the problematic
dual AMD2100+ it replaced.

And there I am, sitting with a p2/400...


 