People on adsl getting infected with viruses and worms

N/A

People on adsl getting infected with viruses and worms

I've noticed that there seems to be a bit of a problem for people coming onto ADSL recently ... and that's viruses like the Code Red worm. I seem to get scanned daily by infected computers (example below). I thought that it might be a good idea if plus.net would send some info about patching etc. to people
in an email. Maybe something along these lines: http://scram.on.to/secure_system.html - a tutorial I wrote some time ago.


06/13/2002 16:21:53 Denial of Service Major Incoming TCP 212.202.72.81 212.56.105.180 1 06/13/2002 16:21:48 06/13/2002 16:21:48
(Code Red worm attack in the logs ... hope you know what that does ... and please note the time!)

Trace and what IP do I get?
195.166.128.6

Then whois this IP:
Results:
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 195.166.128.0 - 195.166.129.255
netname: PLUSNET-CORE
descr: Core Loopback Addresses
descr: Core Point-to-Point links
descr: PlusNet Technologies Ltd
country: GB
admin-c: PLUS1-RIPE
tech-c: PNET2-RIPE
status: ASSIGNED PA
notify: ripe-admin@plus.net
mnt-by: MAINT-AS6871
changed: alang@plus.net 20030216
source: RIPE

route: 195.166.128.0/19
descr: FORCE9-NET
origin: AS6871
mnt-by: MAINT-AS6871
changed: nick@force9.net 19970513
source: RIPE

role: Plusnet Hostmaster
address: PlusNet Technologies Ltd
address: Technology Building
address: Terry Street
address: Sheffield
address: S9 2BU
address: UK
phone: +44 114 2200084
e-mail: hostmaster@plus.net
trouble: ------------------------------------------------
trouble: Please do NOT e-mail abuse to the contacts given
trouble: here, e-mail them to abuse@plus.net instead.
trouble: ------------------------------------------------
trouble: Network Status and Information Page:
trouble: http://portal.plus.net/supportpages.html
trouble: ------------------------------------------------
trouble: Support 24*7 Phone: (UK) 0845 140 0200
trouble: ------------------------------------------------
admin-c: AW570-RIPE
tech-c: RB156-RIPE
tech-c: BO184-RIPE
tech-c: SB195-RIPE
tech-c: ML146-RIPE
nic-hdl: PNET2-RIPE
notify: ripe-admin@plus.net
mnt-by: MAINT-AS6871
changed: alang@plus.net 20030117
changed: bohara@plus.net 20030514
source: RIPE

person: PlusNet Ripe Admin
address: Plusnet Technologies Ltd
address: Technology Building
address: Terry Street
address: Sheffield
address: S9 2BU
address: GB
phone: +44 114 22 00000
fax-no: +44 114 22 00088
e-mail: ripe-admin@plus.net
nic-hdl: PLUS1-RIPE
notify: ripe-admin@plus.net
changed: bohara@plus.net 20030514
source: RIPE



Results brought to you by the GeekTools WHOIS Proxy
9 REPLIES
N/A

People on adsl getting infected with viruses and worms

Quote

06/13/2002 16:21:53 Denial of Service Major Incoming TCP 212.202.72.81 212.56.105.180 1 06/13/2002 16:21:48 06/13/2002 16:21:48


As noted in a previous thread (regarding port scanning), you seem to be tracing the IP to the wrong system.

Can you please post how from the above quote, you get the IP 195.166.128.6?

This IP is not mentioned anywhere.

However, if you are performing a traceroute on the IP 212.202.72.81, then you are misreading the result.

Quote

traceroute to 212.202.72.81 (212.202.72.81), 30 hops max, 38 byte packets
1 192.168.1.1 (192.168.1.1) 0.911 ms
2 pth-ag1.plus.net (195.166.128.11) 16.731 ms
3 gi1-1.pth-gw4.telehouse.core.plus.net (212.159.1.3) 25.689 ms
4 lon1-10.nildram.net (213.208.106.89) 18.090 ms
5 lon1-11.nildram.net (195.149.20.137) 19.077 ms
6 peergw-decix.fra.qsc.de (80.81.192.41) 40.386 ms
7 core1.muc.qsc.de (213.148.139.245) 42.107 ms
8 bsn1.muc.qsc.de (213.148.139.211) 44.501 ms
9 port-212-202-72-81.reverse.qsc.de (212.202.72.81) 57.122 ms


The IP you talk of is the second hop along the route. Each line is a device that your data has to travel through. These are not the offending hosts.

The offending host is the IP you are tracing.
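An added illustration of the point made in the reply above (example code, not from the thread or any poster): it parses the firewall log line and the traceroute quoted in this thread, extracts the remote address from the log entry, and labels each traceroute hop as the local gateway, a transit device, or the traced destination, so that hop 2 (195.166.128.11, a plus.net router) is never mistaken for the host that sent the packets. The field order assumed for the firewall export (event, severity, direction, protocol, remote address, local address, count) is an assumption about this log format, not something the thread states.

```python
import ipaddress
import re

# Log line and traceroute copied from the posts above.
FIREWALL_LINE = (
    "06/13/2002 16:21:53 Denial of Service Major Incoming TCP "
    "212.202.72.81 212.56.105.180 1 06/13/2002 16:21:48 06/13/2002 16:21:48"
)
TRACEROUTE = """\
traceroute to 212.202.72.81 (212.202.72.81), 30 hops max, 38 byte packets
1 192.168.1.1 (192.168.1.1) 0.911 ms
2 pth-ag1.plus.net (195.166.128.11) 16.731 ms
3 gi1-1.pth-gw4.telehouse.core.plus.net (212.159.1.3) 25.689 ms
4 lon1-10.nildram.net (213.208.106.89) 18.090 ms
5 lon1-11.nildram.net (195.149.20.137) 19.077 ms
6 peergw-decix.fra.qsc.de (80.81.192.41) 40.386 ms
7 core1.muc.qsc.de (213.148.139.245) 42.107 ms
8 bsn1.muc.qsc.de (213.148.139.211) 44.501 ms
9 port-212-202-72-81.reverse.qsc.de (212.202.72.81) 57.122 ms
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Assumed field order of the personal-firewall export: after the direction and
# protocol come the remote address, then the local address, then a hit count.
LOG_RE = re.compile(
    rf"^(?P<date>\S+) (?P<time>\S+) (?P<event>.+?) (?P<severity>\S+) "
    rf"(?P<direction>Incoming|Outgoing) (?P<proto>\S+) "
    rf"(?P<remote>{IPV4}) (?P<local>{IPV4}) (?P<count>\d+)"
)
HEADER_RE = re.compile(rf"^traceroute to \S+ \((?P<target>{IPV4})\)")
HOP_RE = re.compile(rf"^\s*(?P<hop>\d+)\s+(?P<name>\S+)\s+\((?P<ip>{IPV4})\)")


def parse_firewall_line(line):
    """Split one firewall event into its fields; raises on an unknown layout."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised firewall log line")
    d = m.groupdict()
    d["count"] = int(d["count"])
    return d


def attacking_host(record):
    """For an incoming event, the remote address is the one to report to its ISP's abuse desk."""
    if record["direction"] != "Incoming":
        return None
    return record["remote"]


def parse_traceroute(text):
    """Return (traced target, [(hop number, name, ip), ...])."""
    target, hops = None, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            target = h["target"]
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m["hop"]), m["name"], m["ip"]))
    return target, hops


def classify_hops(target, hops):
    """Label each hop: the LAN gateway, a transit router, or the destination itself."""
    labelled = []
    for n, name, ip in hops:
        if ip == target:
            role = "destination"
        elif ipaddress.ip_address(ip).is_private:
            role = "local gateway"
        else:
            role = "transit"
        labelled.append((n, name, ip, role))
    return labelled


if __name__ == "__main__":
    rec = parse_firewall_line(FIREWALL_LINE)
    print("host to report:", attacking_host(rec))
    for n, name, ip, role in classify_hops(*parse_traceroute(TRACEROUTE)):
        print(f"{n:2d} {ip:16s} {role:14s} {name}")
```

Only the hop labelled "destination" matches the remote address from the log; every earlier hop, plus.net's included, is just a router the probe packets passed through on their way back.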
N/A

People on adsl getting infected with viruses and worms

I'll send you the raw log ... then you can tell me! I'm not trying to be trouble ... just wondering why ... anyway ... I posted something on the other thread ... and the stuff at the top still stands.
N/A

People on adsl getting infected with viruses and worms

All I'm trying to do here is stop those people being infected. I'm not the techie here, by no means. Maybe someone @ plus.net can inform us if that plus.net IP address is one of their personal boxes ... or a user.
thanks
marc
jberry
Grafter
Posts: 1,886
Registered: 08-06-2007

People on adsl getting infected with viruses and worms

Hi there,

195.166.128.6 reverses to pth-ag2.plus.net.

This is one of the servers in telehouse that your ADSL connection terminates on. The reason that the traceroute goes to this IP address is probably just because the trace is blocked after this hop for some reason.

212.202.72.81, where the attack is coming from, is actually a German company called QSE. If you forward your firewall logs to abuse@qsc.de then they will be able to contact the person in question.

At the moment, we do actually monitor for things like this as we get e-mails to our abuse department when people pick this up, and we then contact the person in question to ask them to virus scan their machine(s).

Regards,
N/A

People on adsl getting infected with viruses and worms

Okay then ... thanks ... um ... so you don't think it's worth sending mails to Microsoft users telling them to patch their systems etc.?
jberry
Grafter
Posts: 1,886
Registered: 08-06-2007

People on adsl getting infected with viruses and worms

Hi again,

To be honest the overheads at our end would make this unworkable and we get enough complaints about us "spamming" customers about stuff that doesn't apply to them.

The onus is on the customer to make sure their system is fully patched and not infected by a virus and even if we sent e-mails to everybody then there would still be people who would either not read the mail or have a "it won't happen to me" attitude.

Hope that explains a bit better why we don't do this.

Regards,
N/A

People on adsl getting infected with viruses and worms

sure .... understand!
N/A

People on adsl getting infected with viruses and worms

It is seriously irresponsible and a lack of regard for other people if people don't virus scan their system once in a while (at least once a month). Hackers & viruses suck. I'm lucky to say I have never had an evil virus (I think),
but I regularly scan my computer and NEVER download a suspicious file from anywhere. I don't have a good firewall, just ZoneAlarm, but I keep my Ad-Aware & Norton 2003 up to date.
N/A

Automate it!

As others have mentioned, there's not a lot that an ISP can do about it. However, there are still things that you can do!

I downloaded Apache::CodeRed from http://cpan.perl.com. Every time my server gets hit by CodeRed it sends an email to the sysadmin telling them to patch their server (in fact it's a bit more sophisticated than that I think).

Took a little patching to get it working on Apache2, but it's fine now. I still get hit a few times a day, even though my web server isn't "published" anywhere and CodeRed is a couple of years old.

--> Stephen
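An added example of the kind of automation Stephen describes, written here independently (it is not the Apache::CodeRed module and makes no claim about how that module works): it scans Apache combined-format access log lines for the Code Red probe, a request for /default.ida? followed by a long run of N (or X for the later variant), groups hits by source address and composes the notification text an operator would pass to the address's abuse contact. The log lines are constructed for this example; the addresses, timestamps and the `build_notification` wording are all made up, and the abuse contact is left as a placeholder to be filled in from whois, as the thread does.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (not taken from the thread).
# Two addresses send the worm's characteristic request; one sends a normal page hit.
SAMPLE_LOG = "\n".join([
    '10.0.0.7 - - [13/Jun/2002:16:21:48 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.55 - - [13/Jun/2002:16:21:53 +0100] "GET /default.ida?'
    + "N" * 64 + ' HTTP/1.0" 404 278',
    '198.51.100.9 - - [13/Jun/2002:16:40:02 +0100] "GET /default.ida?'
    + "X" * 64 + ' HTTP/1.0" 404 278',
    '192.0.2.55 - - [13/Jun/2002:17:02:11 +0100] "GET /default.ida?'
    + "N" * 64 + ' HTTP/1.0" 404 278',
])

# Apache "combined"/"common" log layout: client, ident, user, [timestamp], "request", status, size.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Code Red's probe: the .ida ISAPI filter path followed by a long filler run of N or X.
CODE_RED_RE = re.compile(r"^/default\.ida\?(?:N{20,}|X{20,})")


def parse_access_line(line):
    """Return the fields of one access-log line, or None if it is not in combined format."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(path):
    """True when the request path has the Code Red / Code Red II shape."""
    return CODE_RED_RE.match(path) is not None


def find_probes(log_text):
    """Map each source address that sent a Code Red probe to the timestamps of its hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and rec["method"] == "GET" and is_code_red_probe(rec["path"]):
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)


def build_notification(ip, timestamps, abuse_contact="ABUSE-CONTACT-FROM-WHOIS"):
    """Compose the report text for one infected host; sending it is left to the operator."""
    lines = [
        f"To: {abuse_contact}",
        f"Subject: Code Red probes from {ip} ({len(timestamps)} hits)",
        "",
        f"The host {ip} sent {len(timestamps)} Code Red style requests for /default.ida",
        "to our web server, which indicates it is infected and needs patching and cleaning.",
        "Times of the hits (server local time):",
    ]
    lines.extend(f"  {ts}" for ts in timestamps)
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, stamps in find_probes(SAMPLE_LOG).items():
        print(build_notification(ip, stamps))
        print("-" * 40)
```

Matching on the request shape rather than on the 404 status keeps the check independent of whether the server actually has an .ida handler; running it from a log-rotation hook or cron gives the same "notify the owner" loop the post describes, without needing Apache module hooks.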