Blaster worm at Paradise

Discussion in 'NZ Computing' started by Col^, Sep 17, 2003.

  1. Col^

    Col^ Guest

    I did a survey on hits at my firewall over a period of about 3 days.

    Whilst using a 202.0.xxx.xxx DNS number I was getting probes on port 135 from
    Paradise users in that DNS range totalling 12 per cent of all probes.

    Whilst using a 203.79.xxx.xxx DNS number I was getting probes on port 135 from
    Paradise users in the DNS range totalling 14.7 percent of all probes.

    I am still getting pings from Paradise users at the rate of 30 - 100 per
    hour depending on the time.

    ******
    Paradise reply to an email I sent

    Hi There

    Thank you for your e-mail. It is normal to receive ICMP data for various
    reasons. This should not be of any concern unless it occurs repeatedly in a
    very short period of time. Hacking activities would normally involve TCP or
    UDP port scans rather than ICMP.

    Regards,

    Paradise Net Abuse Team




    --

    Col

    Phone answering machine message - "...If you want
    to buy marijuana, press the hash key..."
     
    Col^, Sep 17, 2003
    #1

  2. Col^

    Mark Remfrey Guest

    My firewall log has at least 90% of Port 135 scans emanating from Xtra
    dialup accounts.

    I emailed the abuse team my logfile and suggested they get proactive about
    it, and email these accounts telling them to sort their shit out as it was
    impedeing (sp?) my enjoyment of service. I was even kind enough to filter
    out only the Xtra stuff (because they only handle Xtra stuff). That was
    several days ago, and all I got was an automated return email say thanks,
    we'll look into it.

    It also makes you wonder about the still infected comps around the place
    that keep constantly crashing. Actually, it makes you wonder more about the
    people using them.

    Regards,
    Mark

    "Col^" <> wrote in message
    news:...
    > I did a survey on hits at my firewall over a period of about 3 days.
    >
    > Whilst using a 202.0.xxx.xxx DNS number I was getting probes on port 135 from
    > Paradise users in that DNS range totalling 12 per cent of all probes.
    >
    > Whilst using a 203.79.xxx.xxx DNS number I was getting probes on port 135 from
    > paradise users in the DNS range totalling 14.7 percent of all probes.
    >
    > I am still getting pings from paradise users at the rate of 30 - 100 per
    > hour depending on the time.
    >
    > ******
    > Paradise reply to an email I sent
    >
    > Hi There
    >
    > Thank you for your e-mail. It is normal to receive ICMP data for various
    > reasons. This should not be of any concern unless it occurs repeatedly in a
    > very short period of time. Hacking activities would normally involve TCP or
    > UDP port scans rather than ICMP.
    >
    > Regards,
    >
    > Paradise Net Abuse Team
    > --
    >
    > Col
    >
    > Phone answering machine message - "...If you want
    > to buy marijuana, press the hash key..."
     
    Mark Remfrey, Sep 17, 2003
    #2

  3. Col^

    steve Guest

    Mark Remfrey wrote:

    > It aslo makes you wonder about the still infected comps around the place
    > that keep constantly crashing. Actually, it makes you wonder more about the
    > people using them.
    >
    > Regards,
    > Mark


    Don't wonder.

    They don't know what's wrong and have no idea how to fix it.

    As long as the PC works - sorta - they will limp along and keep their
    heads firmly planted in the ground.

    I've seen this so many times I now regard it as the default behaviour
    for a huge chunk of the human population.

    Denial.

    Not everyone. Not even most. But a large minority.
     
    steve, Sep 18, 2003
    #3
  4. Col^

    Mark Remfrey Guest

    "steve" <> wrote in message
    news:9w8ab.1960$...
    > Mark Remfrey wrote:
    >
    > > It also makes you wonder about the still infected comps around the place
    > > that keep constantly crashing. Actually, it makes you wonder more about the
    > > people using them.
    > >
    > Don't wonder.
    >
    > They don't know what's wrong and have no idea how to fix it.


    That was the basis for telling Xtra they should be proactive and not keeping
    their customers guessing as to whether they have a problem or not.

    > As long as the PC works - sorta - they will limp along and keep their
    > heads firmly planted in the ground.


    People should have more of a vested interest in what they probably paid very
    good money for. It's like a car, it needs regular tune-ups and maintenance.

    > I've seem this so many times I now regard it as the default behaviour
    > for a huge chunk of the human population.
    > Denial.


    Out of sight, out of mind.

    > Not everyone. Not even most. But a large minority.


    I had to read that twice... :) (was getting the majors and minors mixed up)

    Regards,
    Mark
     
    Mark Remfrey, Sep 18, 2003
    #4
  5. Col^

    T.N.O. Guest

    "steve" wrote
    > .....and yet...we have old dungers on the road.... :)
    > They can only be that way for lack of maintenance. Probably the same
    > people.
    > ........


    Actually, I disagree... the reason for having "old dungers" on the road is
    more likely to be good maintenance than a lack of it.
     
    T.N.O., Sep 18, 2003
    #5
  6. Hi there,

    Col^ wrote:
    > I did a survey on hits at my firewall over a period of about 3 days .
    >
    > Whilst using a 202.0.xxx.xxx DNS number I was getting probes on port 135 from
    > Paradise users in that DNS range totalling 12 per cent of all probes.
    >
    > Whilst using a 203.79.xxx.xxx DNS number I was getting probes on port 135 from
    > paradise users in the DNS range totalling 14.7 percent of all probes .


    I guessed that port 135 hacks would constitute more % than that, but
    total firewall blocks have more than halved on my system in the last
    week....maybe people are getting the message and are installing
    firewalls to keep gremlins out...

    > I am still getting pings from paradise users at the rate of 30 - 100 per
    > hour depending on the time


    I get a lot from Paradise too. Xtra surprisingly rates quite low down
    the list in terms of my firewall volume, despite their big market share.

    > Paradise reply to an email I sent
    >
    > Hi There
    >
    > Thank you for your e-mail. It is normal to receive ICMP data for various
    > reasons. This should not be of any concern unless it occurs repeatedly in a
    > very short period of time. Hacking activities would normally involve TCP or
    > UDP port scans rather than ICMP.


    I don't agree entirely with them. Usually hackers ICMP 'ping' a string
    of IP addresses until one replies, then start scanning ports with TCP
    and/or UDP on that IP address.

    I also believe (techies feel free to refute this!) that hackers are
    phreaking IP addresses from packets routed through servers they may
    be connected to. I confirmed this by doing a traceroute to a website
    somewhere in Europe, then watched firewall activity for a few minutes.
    Surprisingly many of the blocked port hacks my firewall logged during
    the time directly after doing the traceroute came from IP addresses
    located on several of the servers the traceroute had resolved...

    Kind regards,

    Chris Wilkinson, Christchurch.
     
    Chris Wilkinson, Sep 18, 2003
    #6
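    One way to run the kind of firewall-log survey Col^ describes in the first post, and to flag the ping-then-port-scan sequence Chris describes just above, as an added example that is not code from anyone in this thread: it works over constructed log lines in an assumed format, and the prefix-to-ISP mapping (built from the address ranges the first post names) is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample firewall log lines (not from the thread); the line format is assumed.
SAMPLE_LOG = """\
2003-09-15 10:02:11 DROP ICMP 202.0.45.12 -> 203.79.10.5 echo-request
2003-09-15 10:02:40 DROP TCP 202.0.45.12:3145 -> 203.79.10.5:135
2003-09-15 10:05:17 DROP TCP 210.55.1.7:1771 -> 203.79.10.5:135
2003-09-15 11:10:02 DROP ICMP 203.79.200.1 -> 203.79.10.5 echo-request
2003-09-15 11:15:44 DROP TCP 210.55.9.9:2222 -> 203.79.10.5:445
2003-09-15 11:20:30 DROP TCP 203.79.200.1:3333 -> 203.79.10.5:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DROP (?P<proto>TCP|UDP|ICMP) (?P<src>[\d.]+)(?::\d+)? -> "
    r"[\d.]+(?::(?P<dport>\d+))?"
)

# Assumed prefix-to-ISP mapping, built from the address ranges the first post names.
ISP_PREFIXES = {"202.0.": "Paradise", "203.79.": "Paradise", "210.55.": "Other"}

def isp_for(ip):
    return next((n for p, n in ISP_PREFIXES.items() if ip.startswith(p)), "Unknown")

def parse(log_text):
    """Turn log lines into dicts with a datetime, protocol, source IP and dest port."""
    rows = []
    for m in (LINE_RE.match(line) for line in log_text.splitlines()):
        if m:
            r = m.groupdict()
            r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")
            rows.append(r)
    return rows

def port135_share(rows):
    """Percentage of all blocked events that are TCP/135 probes, per source ISP."""
    hits = Counter(isp_for(r["src"]) for r in rows
                   if r["proto"] == "TCP" and r["dport"] == "135")
    return {isp: round(100.0 * n / len(rows), 1) for isp, n in hits.items()}

def ping_then_scan(rows, window_s=600):
    """Sources whose ICMP echo was followed by a TCP/UDP probe within window_s seconds."""
    found = set()
    for p in (r for r in rows if r["proto"] == "ICMP"):
        for r in rows:
            dt = (r["ts"] - p["ts"]).total_seconds()
            if r["src"] == p["src"] and r["proto"] != "ICMP" and 0 < dt <= window_s:
                found.add(p["src"])
    return sorted(found)
```

    Widening `window_s` shows how sensitive the ping-then-scan count is to the chosen window; Blaster-era hosts also probed port 135 without any preceding echo, so the share figure and the sequence check answer different questions.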
  7. Col^

    Howard Guest

    Chris Wilkinson wrote:

    > I also believe (techies feel free to refute this!) that hackers are
    > phreaking IP addresses from packets routed through servers they may
    > be connected to. I confirmed this by doing a traceroute to a website
    > somewhere in Europe, then watched firewall activity for a few minutes.
    > Surprisingly many of the blocked port hacks my firewall logged during
    > the time directly after doing the traceroute came from IP addresses
    > located on several of the servers the traceroute had resolved...


    Now that's interesting.

    How does one get to own (legitimately) one of the servers along the route? I
    thought it would be only ISPs who would be routing ICMP traffic.

    The reason I ask is I once said to my father that he should think about
    encrypting his email. He invited me to prove the risk by reproducing one of
    his private emails grabbed off the web. I was stumped - my thinking went I'd
    have to own a router along the route. Means that we trust ISP staff, but
    other than that the risk is small.

    Or am I wrong and it really is easy to grab email off the web?
     
    Howard, Sep 18, 2003
    #7
  8. Col^

    steve Guest

    T.N.O. wrote:
    > "steve" wrote
    >
    >>.....and yet...we have old dungers on the road.... :)
    >>They can only be that way for lack of maintenance. Probably the same
    >>people.
    >>........

    >
    > Actually, I disagree... the reason for having "old dungers" on the road is
    > more likely to be good maintainence than a lack of it.


    I had in mind rusted out and blowing oily smoke.

    Your picture may well have differed.
     
    steve, Sep 18, 2003
    #8
  9. Col^

    AD. Guest

    On Thu, 18 Sep 2003 19:44:19 +1200, Howard wrote:

    > How does one get to own (legitimately) one of the servers along the route?
    > I thought it would be only ISPs who would be routing ICMP traffic.
    >
    > The reason I ask is I once said to my father that he should think about
    > encrypting his email. He invited me to prove the risk by reproducing one
    > of his private emails grabbed off the web. I was stumped - my thinking
    > went I'd have to own a router along the route. Means that we trust ISP
    > staff, but other than that the risk is small.
    >
    > Or am I wrong and it really is easy to grab email off the web?


    Depends on the network, ie cable modem connections used to be (maybe still
    are?) on a shared segment and you could watch the neighbourhood's traffic
    go past.

    Or someone could take over his ISP's mail server, or if they control
    another machine on the same network as the mail server they could try some
    layer 2 ARP tricks to confuse switches etc.

    But you're right, most of that stuff wouldn't be easy to pull off without
    a pretty lax ISP.

    Cheers
    Anton
     
    AD., Sep 18, 2003
    #9
  10. On Thu, 18 Sep 2003 14:12:14 +1200, steve wrote:

    > As long as the PC works - sorta - they will limp along and keep their
    > heads firmly planted in the ground.
    >
    > I've seem this so many times I now regard it as the default behaviour
    > for a huge chunk of the human population.
    >
    > Denial.
    >
    > Not everyone. Not even most. But a large minority.



    TV servicemen will tell you that they routinely see people putting up with
    incredibly shitty pictures - snowstorms, ghosts, colour/geometry screwups,
    etc.

    The usual comment is that they're used to it. They never realise how BAD
    things are until they see Joe Bloggs' perfect setup next door.


    Kinda like the guy at $orkplace whose computer just got replaced with a
    dual 2.4GHz p4/Xeon. It's at _least_ 8 times faster than the problematic
    dual AMD2100+ it replaced.

    And there I am, sitting with a p2/400... :)
     
    Uncle StoatWarbler, Sep 18, 2003
    #10
  11. On Thu, 18 Sep 2003 12:19:36 -0700, Roger Ramjet wrote:

    > I can't see the ISP's leaving port 135 off as some
    > people do use this port.


    Yeah, to send winpopup spam.

    No one should be using netbios/Samba/winrpc across a public network.
     
    Uncle StoatWarbler, Sep 18, 2003
    #11