KyferEz
Trooper

 Joined: May 08, 2006 Posts: 34
Posted: Fri Aug 31, 2007 8:53 pm
Thanks for the heads up on the nameservers. I have corrected that problem!
brewt
SIRT Handler Premium Member
 Joined: May 29, 2007 Posts: 792 Location: USA
Posted: Fri Aug 31, 2007 8:57 pm
KyferEz wrote:
> Yes, please don't report my domain!
The irony that would create.
tembow
Blue Angel Premium Member
 Joined: Oct 10, 2005 Posts: 2931
Posted: Fri Aug 31, 2007 10:01 pm
Ah, that's better:
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1526
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;thecarpcstore.com. IN A
;; ANSWER SECTION:
thecarpcstore.com. 3600 IN A 127.0.0.1
Nothing quite like letting the DoS source shoot at its foot which is in its mouth. It might even prompt the innocent to wonder why his/her machine seems to be tying itself up in knots.
spamislame
SIRT Handler
 Joined: Apr 19, 2006 Posts: 202
efa
Lieutenant

 Joined: Aug 31, 2007 Posts: 163 Location: Italy
Posted: Sat Sep 01, 2007 9:06 am
It is funny that DNS report, also with cache=off, reports the old one.
A direct Whois query reports the updated value.
Tromso
Corporal
 Premium Member
 Joined: May 25, 2007 Posts: 59
tembow
Blue Angel Premium Member
 Joined: Oct 10, 2005 Posts: 2931
Posted: Sat Sep 01, 2007 12:42 pm
Now that the IP = 127.0.0.1 it should be possible to see if the attack is via DNS resolution (i.e. directed at thecarpcstore.com) or is via the IP address that the site was previously on.
I see that the Storm virus only has IP-level attack capability . . . so a check with your service provider is in order.
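One way to run the check tembow describes above, as an added example that is not from the thread: it verifies from dig-style output that the name now answers 127.0.0.1, then counts hits on the old address before and after the change, so any source still hitting the old IP afterwards is one that carries the IP itself rather than resolving the name. The old IP, the cutover time and the firewall log format are all assumed placeholders.

```python
import re
from datetime import datetime

# Constructed dig ANSWER SECTION, laid out like the one quoted in the thread.
DIG_ANSWER = """\
;; ANSWER SECTION:
thecarpcstore.com. 3600 IN A 127.0.0.1
"""

# Placeholder: the thread never names the address the site was on before.
OLD_IP = "192.0.2.10"
# Assumed cutover time, i.e. when the A record was changed to 127.0.0.1.
CUTOVER = datetime(2007, 8, 31, 22, 0)
# Constructed firewall log in a hypothetical "<time> SRC=<ip> DST=<ip> DPT=<port>" format.
FW_LOG = """\
2007-08-31T20:00:01 SRC=198.51.100.5 DST=192.0.2.10 DPT=80
2007-08-31T20:00:02 SRC=198.51.100.6 DST=192.0.2.10 DPT=80
2007-08-31T20:00:03 SRC=198.51.100.7 DST=192.0.2.10 DPT=80
2007-09-01T01:00:01 SRC=198.51.100.5 DST=192.0.2.10 DPT=80
2007-09-01T01:00:02 SRC=203.0.113.9 DST=192.0.2.10 DPT=80
"""

ANSWER_RE = re.compile(r"^(\S+?)\.?\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")
LOG_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=\d+$")

def a_records(dig_output):
    """Parse (name, ttl, address) from a dig ANSWER SECTION; ';;' comment lines are skipped."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in (ANSWER_RE.match(l.strip()) for l in dig_output.splitlines()) if m]

def points_to_loopback(dig_output, name):
    """True when every A record for `name` is 127.0.0.1, so DNS-following bots hit themselves."""
    addrs = [addr for n, _, addr in a_records(dig_output) if n == name]
    return bool(addrs) and all(addr == "127.0.0.1" for addr in addrs)

def old_ip_traffic(log, old_ip, cutover):
    """Count hits on the old IP before and after the cutover. Sources that keep hitting it
    afterwards are not resolving the name: they carry the IP itself (tembow's second case)."""
    before, after, persistent = 0, 0, set()
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(3) != old_ip:
            continue
        if datetime.fromisoformat(m.group(1)) < cutover:
            before += 1
        else:
            after += 1
            persistent.add(m.group(2))
    return {"before": before, "after": after, "ip_level_sources": sorted(persistent)}
```

Calling `points_to_loopback(DIG_ANSWER, "thecarpcstore.com")` and `old_ip_traffic(FW_LOG, OLD_IP, CUTOVER)` on the constructed input shows two sources still aiming at the old address after the change.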
KyferEz
Trooper

 Joined: May 08, 2006 Posts: 34
Posted: Sun Sep 02, 2007 4:11 am
According to my host the attack has decreased significantly due to the new IP. It hasn't fully ceased however, but that is likely due to recent name server issues... We will know shortly.
KyferEz
Paul
CastleCops Founder
 Joined: Feb 22, 2002 Posts: 27351
Benzyl
Cadet

 Joined: Jun 13, 2007 Posts: 7 Location: Uk
Posted: Wed Sep 05, 2007 10:07 pm
It seems possible, then, that all that IP address spam with various .exe payloads may have been to gather up enough of a botnet force that various sites can continually be attacked at an intermediate level to keep them off the air for good rather than purely for spamming. Or are they just trying to clear the decks for a back-to-school surge of activity in the next month?
AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2858
Posted: Wed Sep 05, 2007 10:34 pm
Benzyl wrote:
> It seems possible, then, that all that IP address spam with various .exe payloads may have been to gather up enough of a botnet force that various sites can continually be attacked at an intermediate level to keep them off the air for good rather than purely for spamming.
I should think that sort of development would be the push necessary to get someone (besides us) serious about taking infected machines off the internet immediately.
Even the relatively stationary targets that distribute ecard.exe etc. seem to stay up for about 48 hours after I send a report to the ISP; at least I can recheck them and see if there has been a response. I have no way of knowing when or if any action is taken at all regarding infected machines on dynamic IP addresses that are sending spam or participating in DDoS attacks. And 48 hours is way too long when you are talking about 48 hours of attack x many thousands of machines.
There is plenty of spam to go around, and the ISPs really shouldn't need us to harvest their own IP addresses from it -- they should be collecting it automatically from spamtrap addresses so there can be immediate action. And I do think they need to disconnect their subscribers, not just throttle them. Each bot probably is only contributing a modest amount of bandwidth, but there are just so many of them. As far as losing customers, a large percentage of the victims are using ISPs that are local monopolies and probably wouldn't know how to shop around for another service anyway.
Randy67
Corporal

 Joined: May 18, 2006 Posts: 61 Location: USA
Posted: Wed Sep 05, 2007 10:36 pm
Quote:
> It seems possible, then, that all that IP address spam with various .exe payloads may have been to gather up enough of a botnet force that various sites can continually be attacked at an intermediate level to keep them off the air for good rather than purely for spamming.
Benzyl,
That's what I've been thinking for the past month. I'm not getting near the ecard junk this week. I guess the spammers' forces are built up enough with Comcast and Road Runner PCs.
Paul
CastleCops Founder
 Joined: Feb 22, 2002 Posts: 27351
Posted: Wed Sep 05, 2007 10:38 pm
"Even the relatively stationary targets that distribute ecard.exe etc. seem to stay up for about 48 hours after I send a report to the ISP"
As an aside, I've seen ISPs respond to us inside 30 minutes for eCards. So looks like we need you too.
_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
GHeather_UK
Sergeant
 Premium Member
 Joined: Feb 08, 2007 Posts: 134 Location: UK
Posted: Wed Sep 05, 2007 11:56 pm
AlphaCentauri wrote:
> And I do think they need to disconnect their subscribers, not just throttle them. Each bot probably is only contributing a modest amount of bandwidth, but there are just so many of them.
Agreed - most AUPs forbid spamming, so if your IP is found to be doing this, then surely the ISP has a right to close access. If the user at that address is found to be a "victim", then the ISP should be able to graciously restore service once the PC is clean. But if it happens again, boot them off permanently for spamming. Sounds fair to me.
The problem is "victim" here can also be read as being "gullible", "stupid", "careless" and other such words. Education should be dispensed with the letter the customer should receive explaining why their connection has been terminated and in some cases, that may mean additional expense to the user (e.g. buying anti-virus software and maybe even a legitimate copy of Windows, although preferably not from some OEM store they heard of by e-mail, of course!).
Any number of bots removed from a botnet or other such compromised system has got to be a good thing; sadly, I think the ISPs need to take some responsibility for dealing with the problem even though it is not of their making. If a company earns themselves a reputation for zero tolerance, I would imagine they would not be knowingly targeted by spammers who by default, already seem to have embraced certain Far East networks to register their bogus domains, who don't care who they grant a name to so long as the money comes in.
spamislame
SIRT Handler
 Joined: Apr 19, 2006 Posts: 202
Posted: Thu Sep 06, 2007 12:03 am
Paul wrote:
> aa419.org is now under heavy attack and is offline.
Really showing their stripes, these botnet owners, aren't they?
This is only going to make it that much more of a direct connection between pharmacy spam, stock spam, and now outright criminal fraud.
Sure it may take a while, but as this year's arrests and convictions can attest: it works, and the result is always the same.
SiL