Williams/UUNET/Sprint

Jeff Kell jeff-kell at utc.edu
Tue Jul 22 00:02:02 UTC 2003


Richard A Steenbergen wrote:
> On Mon, Jul 21, 2003 at 02:37:34PM -0400, Deepak Jain wrote:
> 
>>Has anyone had to deal with this in their BGP filter tables?
>>
>>5  washdc5lce1-oc48.wcg.net (64.200.95.118)  4 ms  11 ms  4 ms
>>6  GigabitEthernet5-0.GW4.IAD8.ALTER.NET (157.130.30.245)  4 ms  4 ms  4 ms
>>7  0.so-1-2-0.XR2.IAD8.ALTER.NET (152.63.41.34)  3 ms  4 ms  6 ms
>>8  0.so-0-0-0.CL2.IAD5.ALTER.NET (152.63.38.142)  4 ms  5 ms  5 ms
>>9  201.at-2-0-0.XR2.DCA6.ALTER.NET (152.63.35.49)  6 ms  6 ms  6 ms
>>0  0.so-1-3-0.XL2.DCA6.ALTER.NET (152.63.35.118)  6 ms  6 ms  6 ms
>>1  POS7-0.BR4.DCA6.ALTER.NET (152.63.41.233)  8 ms  6 ms  7 ms
>>2  POS5-3.sl-bb22-rly.sprint.net (204.255.169.130)  8 ms  8 ms  8 ms
>>
>>Is Williams getting transit to Sprint via UUNET or vice versa? Sorry if I
>>have been out of the loop on this.

Regarding Williams, here is an excerpt of an abuse complaint I sent to 
them (and Edge 1 - theoretically one of their customers):

> As the end result of chasing down spam originating from one of our
> hosts, we discovered the host was infected with the Jeem backdoor
> trojan.  This was found "in the wild" Thursday, July 17, and
> examination of our PIX logs showed that the proxy source was various
> IPs in the 69.44.28.x netblock, registered to Edge 1 Networks, but
> yielding reverse DNS names in WCG.NET.  The machine was removed from
> the network, but the proxy attempts from 69.44.28.x (and a few other
> addresses) continued for quite some time (logs are included below).
> It is quite clear from the logs that for each incoming proxy, the
> machine responded with an SMTP connection to the spammer's next
> recipient.
> 
> In the process of finding the trojan and identifying the traffic
> source, we placed the machine on a sniffer and reconnected to the
> network today (Friday, July 18).  Within five minutes, the machine
> was again swarmed by hosts in the 69.44.28.x netblock.  If you want
> the ethereal trace file, I can supply it, but the results are the
> same.  It was quickly removed from the network, and the proxy
> attempts continued.

Jeff
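
As an added example, not part of the original post or of the poster's logs: a small script that correlates firewall connection records to surface the pattern described above, an inbound connection accepted by an internal host followed within seconds by that host opening an outbound SMTP connection. The sample lines are constructed in the style of Cisco PIX "Built ... TCP connection" messages; the field layout, addresses and port numbers are assumptions, not values from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not the original poster's logs); PIX-style field layout is assumed.
SAMPLE_LOGS = """\
Jul 17 10:00:01 fw %PIX-6-302013: Built inbound TCP connection 1001 for outside:69.44.28.10/3355 (69.44.28.10/3355) to inside:10.1.2.3/1080 (10.1.2.3/1080)
Jul 17 10:00:03 fw %PIX-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.25/25 (198.51.100.25/25) to inside:10.1.2.3/2044 (10.1.2.3/2044)
Jul 17 10:00:09 fw %PIX-6-302013: Built inbound TCP connection 1003 for outside:69.44.28.17/4120 (69.44.28.17/4120) to inside:10.1.2.3/1080 (10.1.2.3/1080)
Jul 17 10:00:10 fw %PIX-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.9/25 (203.0.113.9/25) to inside:10.1.2.3/2045 (10.1.2.3/2045)
Jul 17 10:30:00 fw %PIX-6-302013: Built inbound TCP connection 1006 for outside:192.0.2.5/5555 (192.0.2.5/5555) to inside:10.1.2.9/1080 (10.1.2.9/1080)
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*Built (inbound|outbound) TCP connection \d+ "
    r"for (\w+):([\d.]+)/(\d+) \S+ to (\w+):([\d.]+)/(\d+)")

def parse(line, year=2003):
    """Return (time, direction, {interface: (ip, port)}) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    ends = {m.group(3): (m.group(4), int(m.group(5))),
            m.group(6): (m.group(7), int(m.group(8)))}
    return ts, m.group(2), ends

def find_relay_pairs(lines, window=30, smtp_port=25):
    """Pair each outbound SMTP connection from an inside host with the most recent inbound
    connection that host accepted within `window` seconds: [(host, peer, smtp_dest, secs)]."""
    recent_inbound, hits = defaultdict(deque), []   # host -> deque of (time, peer ip)
    for line in lines:
        parsed = parse(line)
        if not parsed or "inside" not in parsed[2] or "outside" not in parsed[2]:
            continue
        ts, direction, ends = parsed
        host, outside_ip, outside_port = ends["inside"][0], *ends["outside"]
        if direction == "inbound":
            recent_inbound[host].append((ts, outside_ip))
        elif outside_port == smtp_port:
            q = recent_inbound[host]
            while q and ts - q[0][0] > timedelta(seconds=window):
                q.popleft()                          # discard inbound events older than the window
            if q:
                hits.append((host, q[-1][1], outside_ip, (ts - q[-1][0]).total_seconds()))
    return hits

def relay_suspects(hits, min_hits=2):
    """Inside hosts that show the proxy-in / SMTP-out pattern at least min_hits times."""
    counts = defaultdict(int)
    for host, *_ in hits:
        counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= min_hits)
```

Run over a real export, the host list from `relay_suspects` is the set of machines to pull from the network and examine, and the peer column shows which external ranges to report to the upstream.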
