Has there been another major windows worm attack?

 
 
RMK
08-31-2006, 10:07 PM
I was doing some casual 'Net reading about TK programming tonight - no TV,
music or noise of any kind other than my typing. I suddenly realised that
I was hearing my hard drive going berserk, which was strange since I had
been reading the same page for several minutes. I assumed that Firefox
or Thunderbird was doing an update or something like that.

Then I realised that the noise was from the drive in my firewall. I
brought up the log and I was being hit multiple times a second (on a 26k
dialup line, no less) with stuff from random addresses and trying random
ports. Never seen the log fill so fast.

Doing a lookup on several incoming addresses, they seem to be legit,
although I will wager that while Joe Noob's WinPC in Pennsylvania may be
trying to hit me, Joe doesn't know it.

I assume that some WinWorm has hit again. Not a big deal, just curious.
Although with my very limited bandwidth, I can't afford to lose any to
this stuff.

Anybody?

RMK


 
Grant
09-01-2006, 04:02 AM
On Thu, 31 Aug 2006 22:07:10 +0000, RMK <(E-Mail Removed)> wrote:

>Then I realised that the noise was from the drive in my firewall.

...
>Anybody?


Timestamp filter: 12 hours from Sep 01 01:03:19 to Sep 01 13:03:19 (+1000)
Reading /var/log/messages
Checked 13819 records plus 0 repeats to find 453 from deltree.
Protocol summary: 374 UDP, 79 TCP

25/tcp 2 | . . . . 0.4
80/tcp 10 |(( . . . . 2.2
135/tcp 7 |( . . . . 1.5
137/udp 2 | . . . . 0.4
139/tcp 2 | . . . . 0.4
445/tcp 27 |((((( . . . . 6.0
1026/udp 208 |(((((((((((((((((((((((((((((((((((((( . 45.9
1027/udp 160 |(((((((((((((((((((((((((((((. . 35.3
1433/tcp 7 |( . . . . 1.5
2100/tcp 3 |( . . . . 0.7
3306/tcp 3 |( . . . . 0.7
4899/tcp 7 |( . . . . 1.5
8080/tcp 1 | . . . . 0.2
12879/tcp 2 | . . . . 0.4
40568/tcp 2 | . . . . 0.4
62559/tcp 3 |( . . . . 0.7
others 7 |( . . . . 1.5
total 453 + - - - - + - - - - + - - - - + - - - - + - - -
0 12.0% 24.0% 36.0% 48.0%

Classify junk:
371 drop msft messenger spam
30 drop adaptive deny, msft tcp
20 reject msft common ports, tcp
10 drop web crawler calming
10 reject junk, tcp
9 drop request from low port
2 drop msft common ports, udp
1 drop junk, other (policy)

Just the usual here 81% messenger spam...

Grant.
--
http://bugsplatter.mine.nu/
 
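Grant's figures above come from his own log summariser; the Python below is an added example for this thread, not his tool and not anything posted in the newsgroup. It parses iptables LOG records as they appear in /var/log/messages, counts hits per destination port and protocol, and buckets them under the category names used in his report. The sample lines, the hostname "fw", the addresses and the bucketing rules are constructed assumptions.

```python
import re
from collections import Counter
# Constructed iptables LOG records in /var/log/messages format (hostname, addresses and ports made up).
SAMPLE_LOG = """\
Sep  1 01:03:19 fw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=1214 TTL=112 ID=4021 PROTO=UDP SPT=2245 DPT=1026 LEN=1194
Sep  1 01:03:21 fw kernel: IN=ppp0 OUT= SRC=192.0.2.11 DST=198.51.100.7 LEN=1214 TTL=109 ID=4022 PROTO=UDP SPT=1050 DPT=1027 LEN=1194
Sep  1 01:03:25 fw kernel: IN=ppp0 OUT= SRC=192.0.2.12 DST=198.51.100.7 LEN=48 TTL=118 ID=9981 PROTO=TCP SPT=3501 DPT=445 WINDOW=16384 SYN URGP=0
Sep  1 01:03:27 fw kernel: IN=ppp0 OUT= SRC=192.0.2.13 DST=198.51.100.7 LEN=48 TTL=120 ID=9982 PROTO=TCP SPT=4411 DPT=135 WINDOW=65535 SYN URGP=0
Sep  1 01:03:31 fw kernel: IN=ppp0 OUT= SRC=192.0.2.14 DST=198.51.100.7 LEN=1214 TTL=110 ID=4023 PROTO=UDP SPT=1025 DPT=1026 LEN=1194
Sep  1 01:03:40 fw kernel: IN=ppp0 OUT= SRC=192.0.2.15 DST=198.51.100.7 LEN=84 TTL=52 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Sep  1 01:03:44 fw kernel: IN=ppp0 OUT= SRC=192.0.2.16 DST=198.51.100.7 LEN=48 TTL=115 ID=9983 PROTO=TCP SPT=80 DPT=3128 WINDOW=8192 SYN URGP=0
Sep  1 01:03:50 fw dhclient: bound to 198.51.100.7 -- renewal in 43200 seconds.
"""
FIELD = re.compile(r"\b(PROTO|SPT|DPT)=(\w+)")
MSFT_PORTS = {135, 137, 138, 139, 445}  # RPC/NetBIOS/SMB, the usual worm targets

def parse_line(line):
    """Return {'proto','spt','dpt'} for a kernel LOG line, None for anything else."""
    if " kernel: " not in line or "PROTO=" not in line:
        return None
    f = dict(FIELD.findall(line))
    return {"proto": f["PROTO"].lower(), "spt": int(f.get("SPT", 0)), "dpt": int(f.get("DPT", 0))}

def classify(rec):
    """Bucket one record; names follow Grant's report, the rules are assumed."""
    if rec["proto"] == "udp" and 1025 <= rec["dpt"] <= 1035:
        return "msft messenger spam"      # Windows Messenger popup spam
    if rec["dpt"] in MSFT_PORTS:
        return "msft common ports, %s" % rec["proto"]
    if rec["proto"] == "icmp":
        return "junk, other"
    if rec["spt"] < 1024:
        return "request from low port"    # real clients use ephemeral source ports
    return "junk, %s" % rec["proto"]

def report(text):
    """Counts per destination port, protocol and class, plus the messenger-spam share."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    total = len(recs)
    by_class = Counter(classify(r) for r in recs)
    by_port = Counter("%d/%s" % (r["dpt"], r["proto"]) if r["dpt"] else r["proto"]
                      for r in recs)
    return {"total": total, "by_proto": Counter(r["proto"] for r in recs),
            "by_port": by_port, "by_class": by_class,
            "spam_pct": round(100.0 * by_class["msft messenger spam"] / total, 1)
                        if total else 0.0}

def histogram(rep, width=40):
    """One text bar per destination port, in the style of Grant's summary."""
    out = []
    for port, n in rep["by_port"].most_common():
        bar = "(" * int(width * n / rep["total"])
        out.append("%-10s %4d |%-*s %4.1f" % (port, n, width, bar, 100.0 * n / rep["total"]))
    return out
```

Running report() over a real /var/log/messages (read as text) gives the same per-port and per-class breakdown Grant's summary shows; anything the kernel did not log as a packet record is skipped.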
RMK
09-01-2006, 05:04 PM
Damn. When I set up my new Debian Shuttle, I didn't import my Pan
settings and just now realised that I have had this Alan idiot blocked for
years but don't now.

I never assumed that this self ordained vigilante with the large mouth is
still, uh - well, actually I am not sure what he is trying to pass himself
off as, but I am surprised that he is still polluting the groups. Anyway,
he is back in the kill list, but alas, there goes some more of my very
limited bandwidth.

Sorry, guys. I didn't really post well the first time. I was only
commenting on a particular situation and wasn't really asking for a fix,
since there really isn't one as long as the laws against violent and
terminal actions against 'Net pests remain in effect.

The barrage of hits stopped sometime during the night and there is no
indication of anything now. A few ICMP pings but that is all. Actually,
if I was lucky enough to have broadband of some kind out here, I probably
wouldn't even notice such activity, but any degradation is immediately
apparent when the phone company has your line split/filtered/clamped to a
max rate of 26k.

Thanks
RMK

*** Sorry again about triggering that AC whingding.


 
buck
09-01-2006, 06:04 PM
On Thu, 31 Aug 2006 22:07:10 +0000, RMK <(E-Mail Removed)> wrote:

>I was doing some casual 'Net reading about TK programming tonight - no TV,
>music or noise of any kind other than my typing. I suddenly realised that
>I was hearing my hard drive going berserk, which was strange since I had
>been reading the same page for several minutes. I assumed that Firefox
>or Thunderbird was doing an update or something like that.
>
>Then I realised that the noise was from the drive in my firewall. I
>brought up the log and I was being hit multiple times a second (on a 26k
>dialup line, no less) with stuff from random addresses and trying random
>ports. Never seen the log fill so fast.
>
>Doing a lookup on several incoming addresses, they seem to be legit,
>although I will wager that while Joe Noob's WinPC in Pennsylvania may be
>trying to hit me, Joe doesn't know it.
>
>I assume that some WinWorm has hit again. Not a big deal, just curious.
>Although with my very limited bandwidth, I can't afford to lose any to
>this stuff.
>
>Anybody?
>
>RMK


There is no unusual noise here. Why did you not post some of the
output? There is no way we can guess.
--
buck


 
Bit Twister
09-01-2006, 06:43 PM
On Thu, 31 Aug 2006 22:07:10 +0000, RMK wrote:
>
> I assume that some WinWorm has hit again. Not a big deal, just curious.


http://news.zdnet.com/2100-1009_22-6111583.html

> Although with my very limited bandwidth, I can't afford to lose any to
> this stuff.


Nothing you can do about external systems wasting your limited
bandwidth when they are hunting for this week's exploits.

 
Moe Trin
09-01-2006, 07:20 PM
On Thu, 31 Aug 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed)>, RMK wrote:

>Then I realised that the noise was from the drive in my firewall. I
>brought up the log and I was being hit multiple times a second (on a 26k
>dialup line, no less) with stuff from random addresses and trying random
>ports. Never seen the log fill so fast.


What protocol? If UDP, there really isn't that much you can do, other
than perhaps talk to your ISP and ask about them blocking 1025-1035/udp
at their perimeter. Last time I looked, I was seeing about a Megabyte
of trash per day per IP address. Pointing out that waste of the ISP's
bandwidth might get some results (though not from the phone-droid at
the help desk - they can't even _spell_ UDP, never mind know what it is).
Note that DNS uses UDP, and such a filter _could_ have a very minor impact
on DNS replies.

One of the ISPs I use is fairly small, and I'm able to talk to the
technical types. I was able to convince them to install such a filter.
A month or so later, I detected more messenger spam, and asked WTF. The
filter was still in place. A little more testing by the ISP revealed
that another customer was infected, and running a messenger spam daemon.
Remember that UDP is connectionless, and the IP address can be (and with
messenger spam, often is) spoofed. Oh, and I should mention that the other
two ISPs I have access to could care less about the bandwidth waste.

>Although with my very limited bandwidth, I can't afford to lose any to
>this stuff.


With UDP, you don't have a choice. The packet was delivered before you
have any chance to filter/drop it. With TCP, as long as they are not
hitting a port where you have some server, the bandwidth wastage is
comparatively light. They send a SYN packet - "I want to talk". Your
network stack (don't even need a firewall for this) sends back a RST
packet - "Nobody home, FOAD". That's less than 100 bytes each way.
You can probably save the wear and tear on your disk by not bothering
to log this crap. It was blocked - there's nothing further you can do -
ignore it.

Old guy
 
Alan Connor
09-01-2006, 07:37 PM
On comp.os.linux.networking, in <(E-Mail Removed)>, "buck" wrote:
> Path: text.usenetserver.com!atl-c01.usenetserver.com!news.usenetserver.com!pc02.usenetserver.com!fe24.usenetserver.com.POSTED!2c623e1d!not-for-mail
> From: buck <(E-Mail Removed)>
> Newsgroups: comp.os.linux.networking
> Subject: Re: Has there been another major windows worm attack?
> Message-ID: <(E-Mail Removed)>
> References: <(E-Mail Removed)>
> X-Newsreader: Forte Agent 1.91/32.564


A windoze-wanker. Whatta surprise.

Too busy running his punk mouth on hundreds of newsgroups to even
remember to change the 'user-agent' header for this sockpuppet.

> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> X-Original-NNTP-Posting-Host: john.chsoft.com
> X-Original-Trace: 1 Sep 2006 11:04:43 -0700, john.chsoft.com
> Lines: 30


Lot of good that will do anyone:

$ host john.chsoft.com
john.chsoft.com CNAME premium.geo.yahoo.akadns.net
premium.geo.yahoo.akadns.net A 66.94.237.68
premium.geo.yahoo.akadns.net A 66.94.237.69
premium.geo.yahoo.akadns.net A 66.94.237.70
premium.geo.yahoo.akadns.net A 66.94.237.73
premium.geo.yahoo.akadns.net A 66.94.237.74
premium.geo.yahoo.akadns.net A 66.94.237.76
premium.geo.yahoo.akadns.net A 66.94.237.78
premium.geo.yahoo.akadns.net A 66.94.237.80
premium.geo.yahoo.akadns.net A 66.94.237.85

> X-Complaints-To: (E-Mail Removed)
> X-Abuse-Info: Please be sure to forward a copy of ALL headers
> X-Abuse-Info: Otherwise we will be unable to process your complaint properly.
> NNTP-Posting-Date: Fri, 01 Sep 2006 14:04:46 EDT
> Date: Fri, 01 Sep 2006 11:04:43 -0700
> Xref: usenetserver.com comp.os.linux.networking:457311
> X-Received-Date: Fri, 01 Sep 2006 14:04:46 EDT (text.usenetserver.com)
>
>
>
> On Thu, 31 Aug 2006 22:07:10 +0000, RMK <(E-Mail Removed)> wrote:


<article not downloaded:
http://slrn.sourceforge.net/docs/README.offline>

I do believe that the weenie troll is talking to himself.

He does that a lot on the Linux groups, but his head is so far up
his fat ass that he doesn't even notice.

Alan

--
If you replied to an article of mine and are wondering
why I didn't respond to you, the fact is that I didn't
even download your article. For an explanation, see:
http://home.earthlink.net/~alanconnor/newsfilter.html
 
Alan Connor
09-01-2006, 07:37 PM
On comp.os.linux.networking, in <(E-Mail Removed)>, "RMK" wrote:
> Path: text.usenetserver.com!atl-c01.usenetserver.com!news.usenetserver.com!news2.euro.net!213.132.189.2.MISMATCH!multikabel.net!feed20.multikabel.net!sn-xt-ams-06!sn-xt-ams-04!sn-post-ams-01!sn-post-sjc-01!supernews.com!corp.supernews.com!not-for-mail
> From: RMK <(E-Mail Removed)>
> Newsgroups: comp.os.linux.networking
> Subject: Has there been another major windows worm attack?
> Date: Thu, 31 Aug 2006 22:07:10 +0000
> Organization: Posted via Supernews, http://www.supernews.com
> Message-Id: <(E-Mail Removed)>
> User-Agent: Pan/0.14.2.91 (As She Crawled Across the Table (Debian GNU/Linux))


Bullschitt. This is a windoze-wanker.

Only an ignorant windows-wanker script kitty would think that a
windows worm attack would have any significance to linux/unix
runners.

Hell, M$ ran for the cover of unix servers the last time there
was a windows worm attack.

> MIME-Version: 1.0
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: 8bit
> X-Complaints-To: (E-Mail Removed)
> Lines: 24
> Xref: usenetserver.com comp.os.linux.networking:457297
> X-Received-Date: Thu, 31 Aug 2006 23:05:28 EDT (text.usenetserver.com)


<article not downloaded:
http://slrn.sourceforge.net/docs/README.offline>

There isn't any attack, anyway. This feeb just got bored with
playing with his Spiderman Action Figures and decided to
play childish games (again) with people that are completely
out of his league.

Listen, Junior: Any rotten child with their mommy's computer
and credit card can post under various aliases and through
various newsservers.

That's who you are impressing.

Alan

--
If you replied to an article of mine and are wondering
why I didn't respond to you, the fact is that I didn't
even download your article. For an explanation, see:
http://home.earthlink.net/~alanconnor/newsfilter.html
 
Alan Connor FGA
09-01-2006, 07:38 PM

Alan doesn't believe in anyone else's existence ...

Alan accuses practically everyone of being sock puppets.
Apparently, Alan is the only real person in the newsgroups in which he posts.
(Even Roosta and his towel aren't real.) Recently, Alan has told everyone that
we are all Morely Dotes' sock puppets. In earlier cycles,
we were all apparently sock puppets of Ben Finney.
The choice appears to be arbitrary.

http://www.pearlgates.net/nanae/kooks/ac/fga.shtml


Who is Alan Connor?

Alan "The Usenet Beavis" Connor is a good friend of Bigfoot:
http://tinyurl.com/23r3f

A couple of years ago he was kidnapped and raped by Xena,
the Warrior Princess: http://tinyurl.com/2gjcy

Beavis believes that the MSBlast virus of yesteryear was explicitly
targeting him, for some inexplicable reason: http://tinyurl.com/ifrt

Beavis belongs to a UFO cult: http://tinyurl.com/2hhdx
Beavis's life in a UFO cult: http://tinyurl.com/24jqm
He is a skilled dental surgeon: http://tinyurl.com/3h6a5
Beavis knows all about network security: http://tinyurl.com/5qqb6
And he's also a search engine expert: http://tinyurl.com/9pjnt


So what is he raving about?

In reality, Alan's system is known as a challenge-response or C/R system;
it auto-answers incoming email with a challenge and only lets the email
through if it receives a valid response. There are several problems with
this concept, but Alan doesn't want to hear them. In addition,
Alan's system isn't even a very good implementation of the C/R concept,
as it fails to address the chicken-egg problem that is inherent to C/R:
What if your C/R system sends a challenge to an email address that is
also protected by a C/R system? Because of this, Alan and Timo Salmi,
another C/R advocate, are unable to email each other. So basically Alan's
system is a broken implementation of a flawed concept.

http://groups.google.com/groups/prof...-MEqh3HQ&hl=en
http://www.pearlgates.net/nanae/kooks/ac/
http://linuxmafia.com/faq/Mail/challenge-response.html
http://www.spamcop.net/fom-serve/cache/329.html#CR
http://www.gatago.com/authors_pgs/13650.html
http://blog.bananasplit.info/?p=84
http://tinyurl.com/23r3f
http://tinyurl.com/ifrt
http://tinyurl.com/2hhdx
http://tinyurl.com/24jqm
http://tinyurl.com/3h6a5
http://tinyurl.com/ys6z4
http://tinyurl.com/5qqb6
http://tinyurl.com/9pjnt

(1) news.admin.net-abuse.email

Also in the headers for "Allan" to read.
 