nanog mailing list archives
Re: nlayer.net Abuse and Security contact
From: "W.D.McKinney" <dee () akwireless net>
Date: Thu, 18 Dec 2003 08:18:04 -0900
On Thu, 2003-12-18 at 08:09, John Obi wrote:
Folks, I have sent many emails to abuse () nlayer net and security () nlayer net reporting security abuse by one of their users, but nothing has been done up to now. If there is a real person from nlayer.net, please contact me offline. Thanks,

One suggestion is to use an e-mail account other than a Yahoo one. That might be an issue with abuse/security folks.

Dee
-J

__________________________________
Do you Yahoo!?
New Yahoo! Photos - easier uploading and sharing.
http://photos.yahoo.com/

______________________________________________________________________
From: John Obi <dalnetuzer () yahoo com>
To: abuse () hostany com, DNSLISTS.NETTFcK49 () privacypost com
Cc: abuse () nlayer net
Subject: Abuse and spamming trojans via www.darkhell.org
Date: Mon, 15 Dec 2003 22:57:36 -0800

Dear Sir/Madam,

We have a known script kiddie who spreads Download.Trojan and BAT.Trojan. The script kiddie runs port scans and infects users who run WinNT, 2000 and XP via port 445 if Windows isn't updated. He is issuing commands to the infected PCs to download this setup file, which contains these trojans:

http://www.darkhell.org/sh1.exe

This host is hosting the trojan files, which are in sh1.exe. When you download this file and you have Norton Antivirus or McAfee with the latest virus IDs, your AV will detect it directly as below:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Download.Trojan
File: C:\WINNT\system32\Haver\Backsa.exe
Location: Quarantine
Computer: RASHID-ALKUBAIS
User: Administrator
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Tue Dec 16 09:23:12 2003

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: BAT.Trojan
File: C:\WINNT\system32\Haver\ceve.bat
Location: Quarantine
Computer: RASHID-ALKUBAIS
User: Administrator
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Tue Dec 16 09:23:12 2003

When I got connected to his IRC server I saw this:

* Dns resolved sh1.cellfiles.org to 81.134.89.149
[07:01] * Connecting to 81.134.89.149 (6667)
-
[07:01] -irc.DarkHell.Org- *** Looking up your hostname...
- There are 437 users and 0 invisible on 1 servers
- 2 channels formed
- I have 437 clients and 0 servers
- ========================
[07:01] * Now talking in #sh1-
[07:01] <[H0-3250]> !pfast stop
[07:01] <[H0-3250]> !syn 66.90.92.202 6667 500
[07:01] <[H0-3250]> !pfast 444444 66.90.92.202 6667
[07:02] <[H0-3250]> !syn 202.91.32.181 6667 500
[07:02] <[H0-3250]> !pfast stop
[07:02] <[H0-3250]> !pfast 444444 202.91.32.181 6667
[07:02] <[H0-3250]> !syn 69.65.31.3 6667 500
[07:02] <[H0-3250]> !pfast stop
[07:02] <[H0-3250]> !pfast 444444 69.65.31.3 6667
[07:02] <[H0-3250]> !ipscan
[07:02] <[H0-3250]> !syn 66.151.29.193 6667 500
========================================
- [H0-3250] is Have () devilz-E8805F6 in-addr btopenworld com * h3h3
- [H0-3250] on +#sh1-
- [H0-3250] using irc.DarkHell.Org DarkHell server
- [H0-3250] has been idle 18secs, signed on Mon Dec 15 14:53:28
- [H0-3250] End of /WHOIS list.
- ==================================================

And he is issuing these DDoS attacks against the IRC servers around the globe and the http servers. The traceroute to www.darkhell.org shows that it's hosted in your network.

Show Level 3 (Baltimore, MD) Traceroute to www.darkhell.org (69.22.169.27)
 1  so-11-0.hsa2.Baltimore1.Level3.net (4.68.112.70) 0 msec  so-6-1-0.mp1.Baltimore1.Level3.net (4.68.112.65) 0 msec  so-11-0.hsa2.Baltimore1.Level3.net (4.68.112.70) 0 msec
 2  so-0-1-0.bbr2.Washington1.Level3.net (64.159.0.230) 0 msec  so-6-1-0.mp2.Baltimore1.Level3.net (4.68.112.73) 0 msec  so-0-1-0.bbr2.Washington1.Level3.net (64.159.0.230) 0 msec
 3  so-6-1-0.bbr1.Washington1.Level3.net (64.159.0.106) 4 msec  so-7-0-0.edge1.Washington1.Level3.net (209.244.11.14) 0 msec  so-6-1-0.bbr1.Washington1.Level3.net (64.159.0.106) 4 msec
 4  209.0.227.118 4 msec  so-6-0-0.edge1.Washington1.Level3.net (209.244.11.10) 0 msec  209.0.227.118 4 msec
 5  209.0.227.118 4 msec  pos3-1-2488M.cr2.WDC2.gblx.net (67.17.67.58) [AS3549 {GBLX}] 4 msec  209.0.227.118 0 msec
 6  so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec  pos3-1-2488M.cr1.WDC2.gblx.net (67.17.67.54) [AS3549 {GBLX}] 4 msec  so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec
 7  so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec  so2-0-0-2488M.ar3.PAO2.gblx.net (67.17.67.238) [AS3549 {GBLX}] 80 msec  so4-0-0-2488M.cr1.PAO2.gblx.net (67.17.92.241) [AS3549 {GBLX}] 76 msec
 8  gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 80 msec  so2-0-0-2488M.ar3.PAO2.gblx.net (67.17.67.238) [AS3549 {GBLX}] 80 msec  gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 76 msec
 9  gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 80 msec  ge-1-1-0.cr1.sfo1.nlayer.net (69.22.143.178) [AS4474 {GVIL1}] 76 msec  gblx.ge-1-0-0.cr1.pao1.nlayer.net (69.22.143.193) [AS4474 {GVIL1}] 80 msec
10  ge4-4.hr1.sfo1.nlayer.net (69.22.143.10) [AS4474 {GVIL1}] 108 msec  ge-1-1-0.cr1.sfo1.nlayer.net (69.22.143.178) [AS4474 {GVIL1}] 76 msec  ge4-4.hr1.sfo1.nlayer.net (69.22.143.10) [AS4474 {GVIL1}] 80 msec
11  ge1-1.hr1.sfo1.nlayer.net (69.22.143.2) [AS4474 {GVIL1}] 80 msec  customer.ge1-5.hr1.sfo1.nlayer.net (69.22.128.230) [AS4474 {GVIL1}] 80 msec  ge1-1.hr1.sfo1.nlayer.net (69.22.143.2) [AS4474 {GVIL1}] 76 msec
12  SV4.DNSLISTS.NET (69.22.169.27) [AS27638 {HOSTANY-ASN}] 80 msec  customer.ge1-5.hr1.sfo1.nlayer.net (69.22.128.230) [AS4474 {GVIL1}] 76 msec  SV4.DNSLISTS.NET (69.22.169.27) [AS27638 {HOSTANY-ASN}] 80 msec

I'm kindly asking you to stop this abuse ASAP.

Thanks,
-J
--
Alaska Wireless Systems
http://www.akwireless.net
-=- "Take Control of Your E-Mail!"
(907)349-4308 Office - AIM = awswired
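Triage code a responder could run over a captured IRC log like the one quoted in the abuse report above, added here as an example and not part of the original thread: it pulls out the bot-herder's commands, using the argument orders as they appear in the quoted lines (an assumption drawn from those lines only), and groups the attacked hosts so an abuse report can list who was targeted and by which command. The log text is constructed from the quoted session.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the IRC log quoted in the abuse report above.
SAMPLE_LOG = """\
[07:01] * Now talking in #sh1-
[07:01] <[H0-3250]> !pfast stop
[07:01] <[H0-3250]> !syn 66.90.92.202 6667 500
[07:01] <[H0-3250]> !pfast 444444 66.90.92.202 6667
[07:02] <[H0-3250]> !syn 202.91.32.181 6667 500
[07:02] <[H0-3250]> !ipscan
[07:02] <[H0-3250]> !syn 66.151.29.193 6667 500
[07:02] <someone> hello, is this channel alive?
"""

MSG_RE = re.compile(r"^\[(\d\d:\d\d)\] <([^>]+)> (.*)$")  # "[HH:MM] <nick> text"
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Command shapes as they appear in the quoted log (assumed); note the argument order differs.
SYN_RE = re.compile(r"^!syn\s+" + IPV4 + r"\s+(\d+)\s+(\d+)$")     # !syn <ip> <port> <count>
PFAST_RE = re.compile(r"^!pfast\s+(\d+)\s+" + IPV4 + r"\s+(\d+)$")  # !pfast <count> <ip> <port>
OTHER_RE = re.compile(r"^!(pfast\s+stop|ipscan)$")                  # control / scan commands

def parse_commands(log_text):
    """Return (time, nick, command, target_ip, target_port) for every bot command line."""
    events = []
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # joins, notices and server lines carry no channel message
        ts, nick, text = m.groups()
        text = text.strip()
        if (c := SYN_RE.match(text)):
            events.append((ts, nick, "syn", c.group(1), int(c.group(2))))
        elif (c := PFAST_RE.match(text)):
            events.append((ts, nick, "pfast", c.group(2), int(c.group(3))))
        elif OTHER_RE.match(text):
            events.append((ts, nick, text[1:], None, None))  # no target to attribute
    return events

def summarize_targets(events):
    """Map each attacked (ip, port) to the list of commands aimed at it."""
    targets = defaultdict(list)
    for _ts, _nick, cmd, ip, port in events:
        if ip is not None:
            targets[(ip, port)].append(cmd)
    return dict(targets)
```

Run against a real capture, the nicks in the events and the keys of summarize_targets() are the two lists an abuse desk needs: who issued the commands and which hosts to notify.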
Current thread:
- nlayer.net Abuse and Security contact John Obi (Dec 18)
- Re: nlayer.net Abuse and Security contact W.D.McKinney (Dec 18)
- Re: nlayer.net Abuse and Security contact Richard A Steenbergen (Dec 18)
- <Possible follow-ups>
- RE: nlayer.net Abuse and Security contact Mike Damm (Dec 18)
- RE: nlayer.net Abuse and Security contact Henry Linneweh (Dec 18)