Blueyonder's Nimda/CodeRed infected users.



Postby kn0wledge » Mon Apr 19, 2004 12:38 am

For those of you who run servers of any kind that are connected online: have you been receiving a lot of attacks from Nimda/CodeRed infected users? Have a lot of them been from Blueyonder IP addresses? Mine have. I have been fucking plagued with attacks, and I am sick of emailing Blueyonder (who also happen to be my own ISP) and passing on details of infected users, only for them to do NOTHING.

The straw that broke the camel's back came tonight, when my logs showed over forty attacks from one IP address over a two-hour time span. So I have adopted a new strategy, and I encourage those of you (if there are any. I might be alone on this one) who have the same problem to do the same thing.

Copy and paste every attack entry into an email message and send it to [email protected]. I just did mine, and the message ran to over seven megabytes. A (heavily edited) copy can be found HERE.

I urge you, do the same. This is getting out of hand.
Last edited by kn0wledge on Tue Apr 20, 2004 12:56 am, edited 1 time in total.
Eat a ham for Jesus.
kn0wledge
Third Stripe
Posts: 936
Joined: Tue Feb 24, 2004 8:30 pm
Location: Bonkle (seriously)

Re: Blueyonder's Nimda/CodeRed infected users.

Postby duncan » Mon Apr 19, 2004 12:02 pm

kn0wledge wrote:For those of you who run servers of any kind that are connected online: have you been receiving a lot of attacks from Nimda/CodeRed infected users? Have a lot of them been from Blueyonder IP addresses? Mine have. I have been fucking plagued with attacks, and I am sick of emailing Blueyonder (who also happen to be my own ISP) and passing on details of infected users, only for them to do NOTHING.

The straw that broke the camel's back came tonight, when my logs showed over forty attacks from one IP address over a two-hour time span. So I have adopted a new strategy, and I encourage those of you (if there are any. I might be alone on this one) who have the same problem to do the same thing.

Copy and paste every attack entry into an email message and send it to [email protected]. I just did mine, and the message ran to over seven megabytes. A (heavily edited) copy can be found HERE.

I urge you, do the same. This is getting out of hand.


Nimda? yeah, that was a real problem for us.... in 2001!

I'd guess it's someone in the Uddingston area, judging by that hostname (cable.ubr09.uddi.blueyonder.co.uk).
duncan
Third Stripe
Posts: 1150
Joined: Tue Aug 27, 2002 9:54 am
Location: Glasgow

Postby kn0wledge » Mon Apr 19, 2004 2:22 pm

Pretty much every Blueyonder user in Lanarkshire and South Glasgow connects through Uddingston; it's the main node for this region. And yeah, you would think that people don't have 3-year-old viruses on their computers. Fucking idiots.
Eat a ham for Jesus.
kn0wledge
Third Stripe
Posts: 936
Joined: Tue Feb 24, 2004 8:30 pm
Location: Bonkle (seriously)

Here's what I did...

Postby gordonjcp » Mon Apr 19, 2004 7:00 pm

Right, spotted a Code Red attack scroll past in my webserver logs. So, I thought...
Ping it! Yes, it's up. OK...
Portscan it? Aha, it has NetBIOS ports open (Windows file sharing).
OK... smbmount it (command line tool for attaching Windows shared drives to Linux machines). Drive C was shared, and writable.

OK... let's change his desktop picture. Yup, and change that... and delete those, and change that, and...

you get the idea.
gordonjcp
First Stripe
Posts: 64
Joined: Thu Aug 14, 2003 2:40 pm
Location: Kirkintilloch
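As an added example (not code posted by anyone in this thread), here is the log-side part of what kn0wledge and gordonjcp describe: scan web-server log lines for the Code Red and Nimda request signatures, pick out source addresses that hit the "forty attacks from one IP in two hours" rate, and build the per-source report that goes in the abuse email. The log lines are constructed, the addresses are from the 192.0.2.0/24 documentation range rather than real Blueyonder customers, and the signature set is the well-known one (Code Red's `default.ida` probe, Nimda's `root.exe`/`cmd.exe` traversal probes); both are assumptions of this example, not facts from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Apache "combined" log lines (not real log data).
# 192.0.2.10 sends three Code Red probes inside two hours, 192.0.2.20 sends
# two Nimda probes, 192.0.2.30 is an ordinary visitor.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Apr/2004:21:02:11 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 295 "-" "-"
192.0.2.10 - - [19/Apr/2004:21:40:53 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 295 "-" "-"
192.0.2.10 - - [19/Apr/2004:22:55:07 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 295 "-" "-"
192.0.2.20 - - [19/Apr/2004:21:15:30 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
192.0.2.20 - - [19/Apr/2004:21:15:31 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
192.0.2.30 - - [19/Apr/2004:21:20:00 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Request-line signatures of the two worms (assumed set, see lead-in).
SIGNATURES = {
    "codered": re.compile(r"GET /default\.ida\?[NX]{20,}", re.I),
    "nimda": re.compile(
        r"(root\.exe\?/c\+dir|cmd\.exe\?/c\+dir"
        r"|/(scripts|_vti_bin|_mem_bin|msadc)/\.\.%255c"
        r"|%c1%1c\.\./winnt/system32/cmd\.exe|%c0%af\.\./winnt)", re.I),
}

# Apache combined log: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def classify(request):
    """Return the worm name whose signature matches the request line, else None."""
    for worm, pattern in SIGNATURES.items():
        if pattern.search(request):
            return worm
    return None


def parse_line(line):
    """Split one combined-log line into ip, time, request, status (or None)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, request, status = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"),
        "request": request,
        "status": int(status),
        "raw": line,
    }


def find_attacks(lines):
    """Keep only the log entries that carry a worm signature, tagged with the worm."""
    attacks = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        worm = classify(entry["request"])
        if worm:
            entry["worm"] = worm
            attacks.append(entry)
    return attacks


def bursty_sources(attacks, threshold=40, window=timedelta(hours=2)):
    """Return {ip: peak_hits} for sources whose hit count inside any span of
    length `window` reaches `threshold` (the post's forty in two hours).
    Uses a sliding window over each source's sorted timestamps."""
    by_ip = defaultdict(list)
    for a in attacks:
        by_ip[a["ip"]].append(a["time"])
    result = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            result[ip] = peak
    return result


def abuse_report(attacks, ip):
    """Body of an abuse report for one source: a summary plus every raw log
    line, so the ISP can match timestamps against its own session records."""
    hits = [a for a in attacks if a["ip"] == ip]
    worms = ", ".join(sorted({h["worm"] for h in hits}))
    lines = [f"Source: {ip}", f"Hits: {len(hits)} ({worms})",
             "Log lines (server local time):"]
    lines += [h["raw"] for h in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_attacks(SAMPLE_LOG.splitlines())
    # Threshold lowered to 3 so the constructed sample trips it.
    for src, peak in bursty_sources(found, threshold=3).items():
        print(f"{src}: {peak} hits in a two-hour window")
        print(abuse_report(found, src))
```

The report is what goes to the ISP's abuse address; nothing here touches the infected host. Pinging, port-scanning and mounting a stranger's writable share, as the post above describes, is unauthorised access to someone else's machine rather than incident handling, and this example deliberately stops at the log evidence.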
