[Scg-sec] Any word from SCO or Microsoft
Christopher L. Morrow
chris at UU.NET
Fri Jan 30 16:02:14 EST 2004
On Fri, 30 Jan 2004, Smith, Donald wrote:
> telnet www.microsoft.com 80
> get /
> "bad request invalid verb"
yea, GET versus get :(
>
> telnet www.sco.com 80
> get /
> ^M
> "FW-1 at tw-vw-sco-ut-00: Sorry, the method you tried to use is not allowed. Sorry the method you tried to use is not allowed."
>
tell them to turn OFF syndefender :)
> Notice the different reactions to the get. SCO identifies their firewall software :-(
>
> Donald.Smith at qwest.com GCIA
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
> eye reserve the write to be rong butt don't xercise it two off ten.
>
> > -----Original Message-----
> > From: Sarah Garfinkel [mailto:sbg at microsoft.com]
> > Sent: Friday, January 30, 2004 12:01 PM
> > To: Sean Donelan; Smith, Donald
> > Cc: scg-doom at puck.nether.net
> > Subject: RE: [Scg-doom] Any word from SCO or Microsoft
> >
> >
> >
> > Microsoft has no plans right now to renumber to a new block for any of
> > our services. The MyDoom.B variant that has been seen and tested by us
> > has not proven to have a successful DoS attack vector, and if someone
> > were to fix the variant without a total rewrite it would keep doing DNS
> > queries, so changing to a new IP address would seem a very temporary
> > measure at best. I have not been looking as much at the (maybe more
> > successful) variant aimed at SCO so not sure if that is the same set up
> > or not. Obviously, if the virus mutated to a different threat, we will
> > respond to the new attack style as best we can and would consider
> > renumbering if it made sense (sorry, we do not currently have a
> > throwaway block to give out for such a scenario).
> >
> > We are basically in a full alert status and have all hands standing by
> > to start working if the network/service starts getting attacked. If
> > anyone has done any tests on the MyDoom.B that seem to show something
> > different from our conclusions I would appreciate hearing the
> > details, either on-list or off-list.
> >
> > We are here and want to keep the communications channels open. I am
> > monitoring this list and I am going to get a couple of my security
> > conscious coworkers on here as well so we can make sure we have no
> > single person failure.
> >
> > Again, my phone number at work is 425-707-3926. My Service Operations
> > Center (please don't redistribute or abuse as this is not a public
> > number ;) is: 425-705-2686 and just ask for the Networking
> > group (called SOCNet). They can escalate to an on-call engineer (by coincidence
> > myself until Wednesday) if they cannot handle the issue in house.
> >
> >
> > Thanks for the help!
> > Sarah Garfinkel
> > MSN Global Network Engineering
> >
> > > -----Original Message-----
> > > From: scg-doom-bounces at puck.nether.net [mailto:scg-doom-bounces at puck.nether.net] On Behalf Of Sean Donelan
> > > Sent: Friday, January 30, 2004 9:57 AM
> > > To: Smith, Donald
> > > Cc: scg-doom at puck.nether.net
> > > Subject: RE: [Scg-doom] Any word from SCO or Microsoft
> > >
> > > On Fri, 30 Jan 2004, Smith, Donald wrote:
> > > > Actually it would be helpful if they moved it right before the ddos
> > > > starts even if they are not affected.
> > > > It would make it easier for us to acquire the list of infected hosts.
> > > > Justin, do you know when they will be moving this dns entry to point at
> > > > the new_to_be_blackholed_address?
> > >
> > > It's SCO's call, but from a public relations viewpoint I think both targets
> > > want to try to keep their sites up for as long as possible. Just like the
> > > ISPs plan on forwarding the packets for as long as possible.
> > >
> > > 1. attack fizzles
> > > 2. attack succeeds, but they withstand it
> > > 3. attack succeeds and they go down in flames
> > > 4. they pack up and go home, attack succeeds by default
> > >
> > > We'll be standing by if anyone needs help putting out the flames. But
> > > until someone calls for help, we'll let the packets flow.
> > >
> > > sean donelan
> > > sbc security guy
> > > _______________________________________________
> > > Scg-doom mailing list
> > > Scg-doom at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/scg-doom
> >
> >
>
> _______________________________________________
> scg-sec mailing list
> scg-sec at puck.nether.net
> https://puck.nether.net/mailman/listinfo/scg-sec
>