Williams/UUNET/Sprint
Jeff Kell
jeff-kell at utc.edu
Tue Jul 22 00:02:02 UTC 2003
Richard A Steenbergen wrote:
> On Mon, Jul 21, 2003 at 02:37:34PM -0400, Deepak Jain wrote:
>
>>Has anyone had to deal with this in their BGP filter tables?
>>
>>5 washdc5lce1-oc48.wcg.net (64.200.95.118) 4 ms 11 ms 4 ms
>>6 GigabitEthernet5-0.GW4.IAD8.ALTER.NET (157.130.30.245) 4 ms 4 ms 4 ms
>>7 0.so-1-2-0.XR2.IAD8.ALTER.NET (152.63.41.34) 3 ms 4 ms 6 ms
>>8 0.so-0-0-0.CL2.IAD5.ALTER.NET (152.63.38.142) 4 ms 5 ms 5 ms
>>9 201.at-2-0-0.XR2.DCA6.ALTER.NET (152.63.35.49) 6 ms 6 ms 6 ms
>>10 0.so-1-3-0.XL2.DCA6.ALTER.NET (152.63.35.118) 6 ms 6 ms 6 ms
>>11 POS7-0.BR4.DCA6.ALTER.NET (152.63.41.233) 8 ms 6 ms 7 ms
>>12 POS5-3.sl-bb22-rly.sprint.net (204.255.169.130) 8 ms 8 ms 8 ms
>>
>>Is Williams getting transit to Sprint via UUNET or vice versa? Sorry if I
>>have been out of the loop on this.
Regarding Williams, here is an excerpt of an abuse complaint I sent to
them (and Edge 1 - theoretically one of their customers):
> As the end result of chasing down spam originating from one of our
> hosts, we discovered the host was infected with the Jeem backdoor
> trojan. This was found "in the wild" Thursday, July 17, and
> examination of our PIX logs showed that the proxy source was various
> IPs in the 69.44.28.x netblock, registered to Edge 1 Networks, but
> yielding reverse DNS names in WCG.NET. The machine was removed from
> the network, but the proxy attempts from 69.44.28.x (and a few other
> addresses) continued for quite some time (logs are included below).
> It is quite clear from the logs that for each incoming proxy, the
> machine responded with an SMTP connection to the spammer's next
> recipient.
>
> In the process of finding the trojan and identifying the traffic
> source, we placed the machine on a sniffer and reconnected to the
> network today (Friday, July 18). Within five minutes, the machine
> was again swarmed by hosts in the 69.44.28.x netblock. If you want
> the ethereal trace file, I can supply it, but the results are the
> same. It was quickly removed from the network, and the proxy
> attempts continued.
Jeff
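The complaint above rests on one correlation in the firewall logs: an inbound connection to the compromised host's proxy port is followed, a second or two later, by an outbound SMTP connection from that same host. The script below is an example added by the editor, not code from Jeff Kell's post or from NANOG, of how to pull that pattern out of PIX syslog automatically. It assumes the PIX 6.x message 302001 ("Built inbound/outbound TCP connection ... faddr ... gaddr ... laddr ...") layout with no NAT, so gaddr and laddr are the same; the log lines are constructed, the internal host 10.0.0.50 and proxy port 1080 are hypothetical, and the non-69.44.28.x addresses are documentation ranges.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed PIX 6.x 302001 layout; field order is an assumption, adjust if yours differs.
PIX_302001 = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ %PIX-6-302001: Built "
    r"(?P<direction>inbound|outbound) TCP connection \d+ for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)$"
)

LOG_YEAR = 2003  # syslog timestamps carry no year; assumed for the sample below

# CONSTRUCTED sample: three proxy-in / SMTP-out pairs from 69.44.28.x against the
# hypothetical host 10.0.0.50, one unrelated web hit, one inbound with no SMTP follow-up.
SAMPLE_LOG = """\
Jul 18 10:01:02 pix %PIX-6-302001: Built inbound TCP connection 1001 for faddr 69.44.28.17/3344 gaddr 10.0.0.50/1080 laddr 10.0.0.50/1080
Jul 18 10:01:03 pix %PIX-6-302001: Built outbound TCP connection 1002 for faddr 198.51.100.25/25 gaddr 10.0.0.50/1101 laddr 10.0.0.50/1101
Jul 18 10:01:05 pix %PIX-6-302001: Built inbound TCP connection 1003 for faddr 69.44.28.42/3350 gaddr 10.0.0.50/1080 laddr 10.0.0.50/1080
Jul 18 10:01:06 pix %PIX-6-302001: Built outbound TCP connection 1004 for faddr 198.51.100.77/25 gaddr 10.0.0.50/1102 laddr 10.0.0.50/1102
Jul 18 10:01:40 pix %PIX-6-302001: Built inbound TCP connection 1005 for faddr 69.44.28.9/4010 gaddr 10.0.0.50/1080 laddr 10.0.0.50/1080
Jul 18 10:01:41 pix %PIX-6-302001: Built outbound TCP connection 1006 for faddr 203.0.113.5/25 gaddr 10.0.0.50/1103 laddr 10.0.0.50/1103
Jul 18 10:02:00 pix %PIX-6-302001: Built inbound TCP connection 1007 for faddr 192.0.2.10/51000 gaddr 10.0.0.51/80 laddr 10.0.0.51/80
Jul 18 10:02:30 pix %PIX-6-302001: Built inbound TCP connection 1008 for faddr 69.44.28.17/3360 gaddr 10.0.0.50/1080 laddr 10.0.0.50/1080
"""


def parse_pix(text):
    """Parse 302001 lines into dicts sorted by time; lines in other formats are skipped."""
    records = []
    for line in text.splitlines():
        m = PIX_302001.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        records.append({
            "ts": ts,
            "direction": m.group("direction"),
            "faddr": m.group("faddr"),
            "fport": int(m.group("fport")),
            "laddr": m.group("laddr"),
            "lport": int(m.group("lport")),
        })
    records.sort(key=lambda r: r["ts"])
    return records


def find_relay_pairs(records, window=timedelta(seconds=30)):
    """Pair each inbound connection with the first outbound port-25 connection
    from the same local host within `window` afterwards. Each outbound
    connection is consumed once, so three inbounds need three SMTP sessions."""
    outbound_smtp = [r for r in records
                     if r["direction"] == "outbound" and r["fport"] == 25]
    used = set()
    pairs = []
    for inb in (r for r in records if r["direction"] == "inbound"):
        for i, out in enumerate(outbound_smtp):
            if i in used or out["laddr"] != inb["laddr"]:
                continue
            if inb["ts"] <= out["ts"] <= inb["ts"] + window:
                used.add(i)
                pairs.append((inb, out))
                break
    return pairs


def sources_by_slash24(pairs):
    """Count paired inbound sources per /24: the view that singles out a netblock."""
    counts = Counter()
    for inb, _ in pairs:
        a, b, c, _ = inb["faddr"].split(".")
        counts[f"{a}.{b}.{c}.0/24"] += 1
    return dict(counts)


def relaying_hosts(records, window=timedelta(seconds=30), min_pairs=2):
    """Internal hosts showing the proxy-in / SMTP-out pattern at least min_pairs times."""
    counts = Counter(inb["laddr"] for inb, _ in find_relay_pairs(records, window))
    return sorted(h for h, n in counts.items() if n >= min_pairs)


if __name__ == "__main__":
    recs = parse_pix(SAMPLE_LOG)
    pairs = find_relay_pairs(recs)
    for inb, out in pairs:
        print(f"{inb['ts']:%H:%M:%S} {inb['faddr']} -> {inb['laddr']}:{inb['lport']}"
              f"  then {out['ts']:%H:%M:%S} {out['laddr']} -> {out['faddr']}:25")
    print("sources:", sources_by_slash24(pairs))
    print("relaying hosts:", relaying_hosts(recs))
```

The one-outbound-per-inbound rule matters: a legitimate mail server also makes port-25 connections, but it does not make one for each inbound hit on an unrelated port, so requiring the SMTP session to fall inside a short window after a distinct inbound connection keeps an ordinary MTA from being flagged. Tune `window` to the latency of the proxy in question and raise `min_pairs` before acting on the output.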