
Hey roadrunner ppl


Yoda

Jul 6, 2002, 1:50:10 PM
Don't you think it is about time that you make an attempt to clean up the
Nimda virus on the Road Runner network? Attempts are constantly made on
my machine to infect it.

Shut down servers that are infected now! There is no excuse for it.


H

Jul 6, 2002, 5:30:09 PM
In article <m5GV8.36762$CJ2.3...@twister.neo.rr.com>, m...@yoda.com
says...

http://security.rr.com/probing.htm

They do scan for the Nimda virus. Customers probably just aren't cleaning
themselves up.

-H


Yoda

Jul 6, 2002, 6:50:56 PM
What rr can do is shut off their connection until they do clean up their
server.

"H" <not....@verizon.net> wrote in message
news:MPG.17912b76f...@news.verizon.net...

Don Voorhees

Jul 6, 2002, 7:32:27 PM
Yoda dipped a quill in the inkwell and wrote...

Have you reported the RR IP addresses that you're logging to
ab...@rr.com? RR does scan for infected PCs, but with millions of users,
and the likelihood that many of the infected machines are not online full
time, the odds of a scan catching them all are slim. If RR were to scan
aggressively and continuously, the uproar from all the other users being
hit with the scans would be tremendous.

Don

Cablenetguy

Jul 6, 2002, 8:52:44 PM
Hey Yoda!
Send your logs to ab...@rr.com. For more information on security go to
http://security.rr.com
---
Mark

Otherwise known as
-------------
Cablenetguy

"Yoda" <m...@yoda.com> wrote in message
news:m5GV8.36762$CJ2.3...@twister.neo.rr.com...

Mad Fenian

Jul 6, 2002, 9:07:24 PM
On Sat, 06 Jul 2002 21:30:09 GMT, H <not....@verizon.net> scribbled:

>>They do scan for the Nimda virus. Customers probably just aren't cleaning
>>themselves up.
>>
>>-H

Then how do you explain at least 10 attempts to unleash that virus on
my computer? Each time I killfile an e-mail address a new one tries
to send me the virus, all through my rr e-mail addy.

Murray Watson

Jul 6, 2002, 9:28:42 PM
In article <gvMV8.45207$Wi.14...@twister.nyc.rr.com>,
now...@nohow.com says...

What's being discussed here, email viruses or worms? Can we pick one
or the other? It's awfully confusing in one thread.

--
The spammer should be deleted from your network after more than a
couple of complaints, or IMMEDIATELY if they are shown to be
using forged headers, foreign relays, and other spammer tricks.
Tsu Dho Nimh - Thu, 04 Jul 2002 04:43:43 -0700

Leythos

Jul 6, 2002, 10:51:25 PM
In article <whMV8.16564$Uv.3...@twister.rdc-kc.rr.com>,
Cable...@invalid.com says...

> Hey Yoda!
> Send your logs to ab...@rr.com . For more information on security go to
> http://security.rr.com
> ---
> Mark

Sending logs to Abuse is almost as good as posting here. I log every
inbound attempt to my SQL server - it logs every detail. I export this
list, keeping only the RR ones, and send it as a CSV to abuse@rr.com,
only to have them ask me to send it as text - the morons don't even know
that CSV is TEXT!

Even after speaking with one of the morons, they didn't seem to
understand - they want the destination IP (my IP) shown in each attempt.
I told them that it was redundant information and already included in
the email. Next they asked what GMT it was - I said all times are -5
GMT and are OHIO USA EST. They still didn't understand.

If you don't provide the LOGS in a specific format they won't read
them.


--
Leyth...@columbus.rr.com
(Remove 999 to reply to me)

Leythos

Jul 7, 2002, 3:34:58 PM
In article <pj3hiukobkfe5t6u3...@4ax.com>,
UseAddr...@pandora.orbl.org says...
> On Sun, 07 Jul 2002 02:51:25 GMT, in
> <MPG.179176b34...@news-server.columbus.rr.com>, Leythos
> They accept CSV evidence from me all the time - but I include the
> time zone and destination IP. If you want their help, knock off
> the pissing contest with them. You won't win it.
>
> The real problem (once you give them the data they need) is that
> after the central ab...@rr.com guys look at the data, they send
> it on to the local RR group (in your case the rdc-kc.rr.com guys)
> and that's almost surely where the ball is getting dropped.
>
> After some persistence on my own part in contacting someone
> higher up on my local level, my reports to ab...@rr.com are now
> acted upon. I suggest you do the same. Try for your local VP &
> General Manager and tell him you're paying for TOS enforcement
> and not getting it.
>
> Also - only one IP per report, and provide the full past history
> of probes from that IP. Any decent firewall log analysis program
> can extract such info. They aren't going to do anything about a
> single probe, so show a history of probes from troublesome IPs.
>
> This is how I do it and I'm seeing prompt action since the
> VP&GM "rejuvenated" the local security guys.

I hate to say it, but it's not a pissing contest - it's a matter of the
morons at the first contact level reading from a script and not
understanding anything but the script.

I send the logs sorted by IP, attack/probe type, first contact date,
last contact date, number of contacts.... This information follows what
they ask for, but contains a wee bit more.

The logs contain everything they ask for, with the exception that the
destination IP (which is mine) is not included since it's the same for
every entry - I include the destination IP in the report, just not on
every line.

I get great support at every level in the company, except this one.

I really don't care about winning - I send the logs, they can do what
they want with them. As I see trends I enter the IP, subnet, or entire
class A network in my BAN list and I don't see them again.
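The two posts above describe what the abuse desk actually wants in a report: one source IP per report, that IP's full probe history, the destination IP repeated on every line, and an explicit time zone. The block below is an added example, not code from anyone in this thread, that turns firewall log lines into reports of that shape. The log line format, the sample lines, the ISP address ranges (RFC 5737 documentation prefixes standing in for the ISP's real blocks) and the local UTC offset are all assumptions made for the example.

```python
"""
Added example (not from the thread): aggregate firewall probe logs into
one abuse report per source IP, with full history, destination IP on
every line and timestamps normalised to UTC with the offset stated.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the firewall logs local wall-clock time with no zone marker.
LOCAL_TZ = timezone(timedelta(hours=-4))  # US Eastern daylight time in July

# Constructed stand-in for the ISP's address space (documentation prefixes, not RR blocks).
ISP_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample log: "<date> <time> <source> <destination> <dport> <probe label>"
SAMPLE_LOG = """\
2002-07-06 13:02:11 192.0.2.45 203.0.113.9 80 GET /scripts/root.exe
2002-07-06 13:02:12 192.0.2.45 203.0.113.9 80 GET /MSADC/root.exe
2002-07-06 14:40:03 198.51.100.7 203.0.113.9 1433 SYN
2002-07-06 18:10:55 192.0.2.45 203.0.113.9 80 GET /c/winnt/system32/cmd.exe
2002-07-07 02:15:00 203.0.113.200 203.0.113.9 80 GET /scripts/root.exe
2002-07-07 09:30:42 198.51.100.7 203.0.113.9 1433 SYN
"""


def parse_log(text, local_tz=LOCAL_TZ):
    """Parse log lines into records whose timestamps are timezone-aware UTC."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst, dport, label = line.split(maxsplit=5)
        local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
        records.append({
            "when": local.astimezone(timezone.utc),
            "src": ipaddress.ip_address(src),
            "dst": dst,
            "dport": int(dport),
            "label": label,
        })
    return records


def summarize(records, isp_nets):
    """Keep only sources inside the ISP's ranges and build a per-IP history."""
    by_src = defaultdict(list)
    for rec in records:
        if any(rec["src"] in net for net in isp_nets):
            by_src[str(rec["src"])].append(rec)
    summary = {}
    for src, events in by_src.items():
        events.sort(key=lambda r: r["when"])
        summary[src] = {
            "count": len(events),
            "first": events[0]["when"],
            "last": events[-1]["when"],
            "labels": sorted({r["label"] for r in events}),
            "events": events,
        }
    return summary


def build_report(src, info, local_tz=LOCAL_TZ):
    """One report per source IP: a summary header, then every probe as a CSV
    row that repeats the destination IP, so no line needs outside context."""
    dsts = ", ".join(sorted({r["dst"] for r in info["events"]}))
    header = [
        f"Source IP: {src}",
        f"Destination IP (mine): {dsts}",
        f"First seen: {info['first'].isoformat()}",
        f"Last seen: {info['last'].isoformat()}",
        f"Probes: {info['count']} ({', '.join(info['labels'])})",
        f"All timestamps are UTC, converted from local time at {local_tz}",
        "",
    ]
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["timestamp_utc", "source_ip", "destination_ip", "destination_port", "probe"])
    for rec in info["events"]:
        writer.writerow([rec["when"].isoformat(), src, rec["dst"], rec["dport"], rec["label"]])
    return "\n".join(header) + "\n" + buf.getvalue()


def build_reports(summary):
    """Map each offending source IP to its own stand-alone report text."""
    return {src: build_report(src, info) for src, info in summary.items()}


if __name__ == "__main__":
    for text in build_reports(summarize(parse_log(SAMPLE_LOG), ISP_NETS)).values():
        print(text)
```

The source outside the ISP's ranges (203.0.113.200 in the sample) is dropped rather than reported, since the report goes to one provider; the conversion to UTC happens once at parse time so the stated offset and the timestamps cannot disagree.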

Wolf

Jul 7, 2002, 8:23:16 PM
I have all my email go to a server that double scans them; the PCs have
Norton too.

--
Da Wolf
----------------------------------------------------------------
Please post all responses to UseNet. All
email to me is routed to /dev/null
"Mad Fenian" <now...@nohow.com> wrote in message
news:gvMV8.45207$Wi.14...@twister.nyc.rr.com...

Captain America maybe

Jul 7, 2002, 9:14:50 PM
It is a very frustrating item: some customers are made aware they are
infected or compromised and fdisk and reload Windows. Good first step, but
they then never run Windows Update. So in a week, or twenty minutes, they are
once again infected.
Cycle starts over.
They are pointed to the MS site for the correct fixes usually, but most of
these people are using the PC like a TV set. Plug it in and use it. We just
aren't there yet for those folks.
Modems are turned off and customers are made aware of the issue.
It is ongoing and will not change until the OS does, most likely.
The mention of contacting your local VP might wake some people up. Remember
TW (the locals) is a cable company and they don't always understand the need
to constantly monitor and instruct customers on items like this.
Send the logs in the requested format and the offending PC owners will be
contacted.

Jon


"Yoda" <m...@yoda.com> wrote in message
news:m5GV8.36762$CJ2.3...@twister.neo.rr.com...

ShadowDragon

Jul 8, 2002, 8:50:20 AM
"Murray Watson" <JunkD...@carolina.rr.com> wrote in message
news:MPG.1791636cf...@news-server.carolina.rr.com...

> In article <gvMV8.45207$Wi.14...@twister.nyc.rr.com>,
> now...@nohow.com says...
> > On Sat, 06 Jul 2002 21:30:09 GMT, H <not....@verizon.net> scribbled:
> >
> > >>They do scan for the Nimda virus. Customers probably just aren't cleaning
> > >>themselves up.
> > >>
> > >>-H
> >
> > Then how do you explain at least 10 attempts to unleash that virus on
> > my computer? Each time I killfile an e-mail address a new one tries
> > to send me the virus, all through my rr e-mail addy.
>
> What's being discussed here, email viruses or worms? Can we pick one
> or the other? It's awfully confusing in one thread.

Nimda is both.

(from http://www.cert.org/advisories/CA-2001-26.html )

This worm propagates through email arriving as a MIME
"multipart/alternative" message consisting of two sections. The first
section is defined as MIME type "text/html", but it contains no text, so the
email appears to have no content. The second section is defined as MIME type
"audio/x-wav", but it contains a base64-encoded attachment named
"readme.exe", which is a binary executable.

Due to a vulnerability described in CA-2001-06 (Automatic Execution of
Embedded MIME Types), any mail software running on an x86 platform that uses
Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to
render the HTML mail automatically runs the enclosed attachment and, as
result, infects the machine with the worm. Thus, in vulnerable
configurations, the worm payload will automatically be triggered by simply
opening (or previewing) this mail message. As an executable binary, the
payload can also be triggered by simply running the attachment.

The email message delivering the Nimda worm appears to also have the
following characteristics:

The text in the subject line of the mail message appears to be variable.

There appear to be many slight variations in the attached binary file,
causing the MD5 checksum to be different when one compares different
attachments from different email messages. However, the file length of the
attachment appears to consistently be 57344 bytes.

The worm also contains code that will attempt to resend the infected email
messages every 10 days.
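The CERT excerpt above describes the delivery layout precisely: a multipart/alternative message whose text/html part carries no text and whose audio/x-wav part is really a base64-encoded readme.exe of 57344 bytes. The block below is an added example, not code from the thread or from CERT. It builds a harmless message with exactly that layout (the "attachment" is a Windows executable's two-byte MZ header followed by zero bytes, padded to the advisory's length, not worm code) and checks an arbitrary message for the same mismatch between declared MIME type and actual content. The addresses, subject, boundary string and the list of executable extensions are constructed for the example.

```python
"""
Added example (not from the thread or CA-2001-26): construct a message
with the Nimda delivery layout and detect that layout in parsed mail by
the mismatch between the declared media type and the real content.
"""
import base64
import os
from email import policy
from email.parser import BytesParser

EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}  # assumption: local policy list
ADVISORY_ATTACHMENT_LEN = 57344  # length CA-2001-26 reports for readme.exe; corroborating only
MEDIA_TYPES = ("audio/", "image/", "video/")
BOUNDARY = "----=_NextPart_000_0001"  # constructed


def build_sample(filename="readme.exe", payload=None, html_body=""):
    """Constructed message with the advisory's layout. The default payload is
    the PE/DOS 'MZ' magic followed by zero bytes; it contains no code."""
    if payload is None:
        payload = b"MZ" + b"\x00" * (ADVISORY_ATTACHMENT_LEN - 2)
    b64 = base64.encodebytes(payload).decode("ascii")
    raw = (
        "From: someone@example.net\n"
        "To: victim@example.com\n"
        "Subject: desktop\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/alternative; boundary="{BOUNDARY}"\n'
        "\n"
        f"--{BOUNDARY}\n"
        'Content-Type: text/html; charset="us-ascii"\n'
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        f"{html_body}\n"
        f"--{BOUNDARY}\n"
        f'Content-Type: audio/x-wav; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        f"{b64}"
        f"--{BOUNDARY}--\n"
    )
    return raw.encode("ascii")


def check_message(raw):
    """Return (verdict, findings). The verdict is True when a part declared
    as audio/image/video carries an executable filename or begins with the
    Windows executable 'MZ' magic; the other findings only corroborate."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings, verdict = [], False
    if msg.get_content_type() != "multipart/alternative":
        return verdict, findings
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""  # decoded bytes, base64 undone
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename.lower())[1]
        if ctype == "text/html" and not body.strip():
            findings.append("text/html part carries no text")
        if ctype.startswith(MEDIA_TYPES) and ext in EXECUTABLE_EXTS:
            findings.append(f"{ctype} part named {filename}: executable behind a media type")
            verdict = True
        if body[:2] == b"MZ":
            findings.append(f"{ctype} part begins with MZ (Windows executable header)")
            verdict = True
        if len(body) == ADVISORY_ATTACHMENT_LEN:
            findings.append(f"attachment length {len(body)} matches CA-2001-26")
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = check_message(build_sample())
    print("nimda-like:", verdict)
    for f in findings:
        print(" -", f)
```

The verdict rests on the structural mismatch (a media-typed part that carries an executable name or PE magic), which survives the per-message binary variation the advisory notes; the 57344-byte length and the empty HTML part are reported but do not decide the verdict, so a benign message with a real audio/x-wav attachment and normal HTML body produces no findings.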


Sean L. - funky

Jul 8, 2002, 3:27:23 PM
I run Norton AV 2k2. It has never failed me. May have you guys, but i'm
special alright? Not to mention my flawless RR service. wow. hahahaha


Murray Watson

Jul 8, 2002, 11:08:18 PM
In article <gUfW8.24108$Wb5.8...@twister.southeast.rr.com>,
dont...@causethisaddressis.invalid says...

You're right. Having long ago patched the IIS servers I'm in control
of, and not having any Solaris boxes, I've only thought about Nimda as
an email-borne virus.

But back to nowhere's complaint, if he's getting email virus attacks,
he needs to look for where the email comes from. I don't think RR is
scanning emails for nimda.

Not to say that my Apache doesn't get pounded by my neighbors' IIS
servers. I lose a few hundred, maybe a thousand packets worth of
bandwidth throughout the day, several hundred lines worth of bytes in
my logs.

RR could be more proactive in shutting them down, as a side benefit,
more people would become more aware of their own environment and
responsibilities to the 'Net.
