RE: Source of Windows PopUp SPAM

From: Brenna Primrose (primroseat_private)
Date: Tue Oct 15 2002 - 15:06:51 PDT


    Before one of my servers received the popup, BlackICE alerted me to the
    following on my personal (non-server) machine:
    
    Intruder information:
    
     IP:  207.44.141.140
     Name:  WEBPOPUP06
     DNS:  WEBPOPUP06
     Node:  WEBPOPUP06
     Workgroup:  WORKGROUP
     NetBIOS:  WEBPOPUP06     
     MAC:  005056630372
    
    
    Hack attempts by this intruder:
    
      Date & Time: 2002-10-14 16:00:34 (-5:00 GMT)
      Time Zone: Central Daylight Time
      MSRPC UDP port probe (port=135)
      Victim IP: 147.134.47.171
      Attempts: 2
    
      Date & Time: 2002-10-15 02:41:15 (-5:00 GMT)
      Time Zone: Central Daylight Time
      MSRPC UDP port probe (port=135)
      Victim IP: 147.134.47.171
      Attempts: 2
    
    4 intrusions detected from this intruder.
    
    
    BlackICE Defender personal firewall log entries:
    
    Severity,Timestamp,IssueID,IssueName,IntruderIP,IntruderName,VictimIP,VictimName,Parameters,Count,ResponseLevel,IntruderPort,VictimPort,PacketFlags
    1,2002-10-14 16:00:34,2003405,MSRPC UDP port probe,207.44.141.140,WEBPOPUP06,147.134.47.171,,port=135&reason=Firewalled,2,,1803,135,00006911
    1,2002-10-15 02:41:15,2003405,MSRPC UDP port probe,207.44.141.140,WEBPOPUP06,147.134.47.171,,port=135&reason=Firewalled,2,,1302,135,00006911
    
    
    (This report was generated by VisualICE Report Utility 4.7)
    
    The computer at 207.44.141.140 (annoyingly named "WEBPOPUP06") is the
    culprit in our case.  The ISP has been notified.
    
    These spammers are freakin' annoying!
    
    Brenna
    
    
    
    http://profiles.yahoo.com/absolut_contagion 
    http://gsa.creighton.edu
    AIM - absolutxpsycho
    Yahoo! - absolut_contagion
    ICQ - 1363187
    MSN - r00tat_private 
    -----BEGIN GEEK CODE BLOCK-----
    Version: 3.12
    GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+ 
    O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+ 
    G e* h- r++ x+ 
    ------END GEEK CODE BLOCK------
    -----Original Message-----
    From: Lawrence Baldwin [mailto:pckboyat_private] 
    Sent: Sunday, October 13, 2002 12:27 PM
    To: incidentsat_private
    Subject: Source of Windows PopUp SPAM
    
    
    
    I believe I have figured out the hosts that were used to send the recent
    rash of PopUP SPAM:
    
    http://www.mynetwatchman.com/kb/security/articles/popupspam/
    
    Lawrence Baldwin
    myNetWatchman.com
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
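
An added example, not part of the original message and not BlackICE's own code: a short Python script that parses the two firewall log rows quoted in the report (with the e-mail line wrapping undone) and totals the Count column per intruder, which reproduces the "4 intrusions detected" figure. The function name `summarize` and the grouping key are choices made for this example.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import parse_qs

# The header and two rows from the report above, line wrapping undone.
SAMPLE_LOG = """\
Severity,Timestamp,IssueID,IssueName,IntruderIP,IntruderName,VictimIP,VictimName,Parameters,Count,ResponseLevel,IntruderPort,VictimPort,PacketFlags
1,2002-10-14 16:00:34,2003405,MSRPC UDP port probe,207.44.141.140,WEBPOPUP06,147.134.47.171,,port=135&reason=Firewalled,2,,1803,135,00006911
1,2002-10-15 02:41:15,2003405,MSRPC UDP port probe,207.44.141.140,WEBPOPUP06,147.134.47.171,,port=135&reason=Firewalled,2,,1302,135,00006911
"""


def summarize(log_text):
    """Group rows by (intruder IP, issue name, victim port) and total Count."""
    summary = defaultdict(lambda: {"events": 0, "attempts": 0, "first": None,
                                   "last": None, "names": set(), "reasons": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        # Parameters is a query-string style field: port=135&reason=Firewalled
        params = parse_qs(row["Parameters"])
        key = (row["IntruderIP"], row["IssueName"], int(row["VictimPort"]))
        entry = summary[key]
        entry["events"] += 1
        # Assumption for this example: an empty Count means a single attempt.
        entry["attempts"] += int(row["Count"] or 1)
        ts = row["Timestamp"]  # fixed-width "YYYY-MM-DD HH:MM:SS" sorts as text
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        if row["IntruderName"]:
            entry["names"].add(row["IntruderName"])
        entry["reasons"].update(params.get("reason", []))
    return dict(summary)


if __name__ == "__main__":
    for (ip, issue, port), e in summarize(SAMPLE_LOG).items():
        print(f"{ip} {sorted(e['names'])} {issue} -> port {port}: "
              f"{e['attempts']} attempts in {e['events']} events, "
              f"{e['first']} .. {e['last']}, {sorted(e['reasons'])}")
```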
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 15:54:31 PDT