[nsp-sec] Bracing For Impact... MS08-067 -- ACK 12179

Mike Palladino mpalladino at internap.com
Thu Oct 23 17:47:59 EDT 2008


Hi Nick,

Ack for 12179, we'll take care of it.

Thank you!
-Mike

--------------------------------------------------------------------------
Mike Palladino, CCDP, CCNP              Internap Network Operations Center
Manager, Network Operations Center
                                         NOC: 1.877.THE.INOC
Email: mpalladino at internap.com          Email: noc at internap.com

    *The contents of this email message are confidential and proprietary*
--------------------------------------------------------------------------


On Thu, 23 Oct 2008, Nicholas Ianelli wrote:

> ----------- nsp-security Confidential --------
>
> Ugh, hit send too soon, there is also the following:
>
> perlbody.t35.com.         14400   IN      A       66.45.237.219
> summertime.1gokurimu.com. 3600    IN      A       59.106.116.229
> doradora.atzend.com.      14400   IN      A       69.162.76.42
>
>
> Bulk mode; whois.cymru.com [2008-10-23 21:11:52 +0000]
> 9370    | 59.106.116.229   | SAKURA-B SAKURA Internet Inc.
> 19318   | 66.45.237.219    | NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
> 30008   | 69.162.76.42     | COLOGUYS - ColoGuys
>
>
> Bulk mode; peer-whois.cymru.com [2008-10-23 21:11:52 +0000]
> 2497    | 59.106.116.229   | IIJ Internet Initiative Japan Inc.
> 2516    | 59.106.116.229   | KDDI KDDI CORPORATION
> 2828    | 66.45.237.219    | XO-AS15 - XO Communications
> 3356    | 69.162.76.42     | LEVEL3 Level 3 Communications
> 7473    | 59.106.116.229   | SINGTEL-AS-AP Singapore Telecom
> 7473    | 66.45.237.219    | SINGTEL-AS-AP Singapore Telecom
> 12179   | 69.162.76.42     | INTERNAP-2BLK - Internap Network Services Corporation
> 19080   | 66.45.237.219    | ASN-WBS-01 - WBS Connect, LLC
>
> Nick
>
> Nicholas Ianelli wrote:
>> ----------- nsp-security Confidential --------
>>
>> - From malware analysis:
>>
>> HTTP check in:
>> 59.106.145.58
>>
>>
>> The following three IPs are pinged with the payload:
>>
>> abcde12345fghij6789
>>
>> 212.227.93.146
>> 64.233.189.147
>> 202.108.22.44
>>
>>
>> Bulk mode; whois.cymru.com [2008-10-23 21:06:14 +0000]
>> 4808    | 202.108.22.44    | CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
>> 8560    | 212.227.93.146   | ONEANDONE-AS 1&1 Internet AG
>> 9370    | 59.106.145.58    | SAKURA-B SAKURA Internet Inc.
>> 15169   | 64.233.189.147   | GOOGLE - Google Inc.
>>
>>
>>
>> Bulk mode; peer-whois.cymru.com [2008-10-23 21:06:14 +0000]
>>
>>
>> Nick
>>
>> Nicholas Ianelli wrote:
>>> There was a miscreant chatting about this last month, basically stating
>>> that they found a way to "re-infect" people via ports 135/445. Unclear
>>> if they had the code to do so, but it would be interesting to see if
>>> this was already being exploited.
>>
>>> I'll see what I can dig up.
>>
>>> Ok, found it, logs dated from 2008.09.02
>>
>>> falesco found a way of exploiting dcom and lsass again
>>> so hes put them on a fud bot hes had for month
>>> selling source for 250 euros
>>> 249k bots
>>> for 3500 euros
>>
>>> If this is true, may be worthwhile getting LE involvement.
>>
>>> Nick
>>
>>> White, Gerard wrote:
>>>> ----------- nsp-security Confidential --------
>>>> Greetings.
>>
>>
>>>> As you are all aware (hopefully), Microsoft has recently released a
>>>> patch outside of their normal cycle.
>>
>>
>>>> In my opinion, this was probably touched off as a result of a painful
>>>> decision between releasing a patch that, if reverse-engineered, would touch
>>>> off heavy miscreant activity - vs. not releasing the patch, and playing the
>>>> waiting game.
>>
>>
>>>> So, also in my opinion, it probably won't be long (days?) before
>>>> miscreants attempt to take advantage of this opportunity...  I would like
>>>> to ask the community to watch their darknets for spikes in TCP/135 &
>>>> TCP/445.
>>
>>
>>>> While the basic details are available here:
>>>> http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
>>
>>
>>>> I strongly encourage everyone to read better details here:
>>>> http://blogs.technet.com/swi/
>>
>>
>>>> GW
>>>> 855 - Bell Aliant
>>
>>
>>>> _______________________________________________
>>>> nsp-security mailing list
>>>> nsp-security at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>>> _______________________________________________
>
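The darknet watch requested in the thread, as an added example that is not part of any message above: it reads a constructed netflow-style log (the record format, the watched port list and the spike threshold are all assumptions) and flags a minute whose TCP/135 or TCP/445 hit count against darknet space jumps above the baseline of the preceding minutes.

```python
# Added example (not from the thread): flag minute-level spikes in TCP/135 and
# TCP/445 hits against darknet space. Input is a constructed netflow-style log,
# one record per line: "<minute> <src_ip> <dst_ip> <proto> <dport> <packets>".
from collections import Counter
from statistics import mean, pstdev

WATCH_PORTS = (135, 445)  # the ports the thread asks operators to watch

# Constructed sample: flat background for minutes 0-4, then a burst on 445 in minute 5.
SAMPLE_LOG = "\n".join(
    [f"{m} 198.51.100.{m} 203.0.113.{m} tcp 445 1" for m in range(5)]
    + [f"{m} 198.51.100.{10 + m} 203.0.113.{10 + m} tcp 135 1" for m in (0, 2, 4)]
    + ["3 198.51.100.99 203.0.113.99 tcp 80 1", "garbled line"]
    + [f"5 198.51.100.{20 + i} 203.0.113.{20 + i} tcp 445 1" for i in range(8)]
)

def parse(log):
    """Yield (minute, dport) for well-formed TCP records; skip anything else."""
    for line in log.splitlines():
        p = line.split()
        if len(p) == 6 and p[3] == "tcp" and p[0].isdigit() and p[4].isdigit():
            yield int(p[0]), int(p[4])

def find_spikes(records, k=3.0, min_hits=5):
    """Return [(dport, minute, hits)] for watched ports whose latest minute exceeds
    mean + k*stdev of all earlier minutes (quiet minutes count as zero).
    min_hits is an absolute floor so a flat zero baseline cannot fire on one packet."""
    counts = {port: Counter() for port in WATCH_PORTS}
    last = -1
    for minute, dport in records:
        last = max(last, minute)
        if dport in counts:
            counts[dport][minute] += 1
    spikes = []
    for dport, series in counts.items():
        baseline = [series.get(m, 0) for m in range(last)]  # minutes before the last
        if not baseline:
            continue
        threshold = mean(baseline) + k * pstdev(baseline)
        hits = series.get(last, 0)
        if hits >= min_hits and hits > threshold:
            spikes.append((dport, last, hits))
    return spikes

if __name__ == "__main__":
    for dport, minute, hits in find_spikes(parse(SAMPLE_LOG)):
        print(f"spike: tcp/{dport} minute {minute}: {hits} darknet hits")
```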


