> There was some discussion on Incidents last month about hidden Wingate
> proxy servers being installed on systems without the owner's knowledge,
> listening on non-standard ports. I have since done some research on these
> and have discovered they are being installed by the Sobig.a (BigBoss) virus.
> This is something the AV companies missed in every analysis I have read. This
> is unfortunate because these proxies are being used in a big way by spammers.
> I have written an analysis of the method of infection from beginning to end:
>
> http://www.lurhq.com/sobig.html

Found mention of one in my spam log. Wonder if 66.190.154.95 is the spammer's
IP address...

Also, interesting to see what happens when that Comcast customer's proxy is
used to try to tell Comcast they have a problem there:

3F1D43810F: reject: RCPT from bgp552493bgs.ewndsr01.nj.comcast.net[68.38.184.185]: 554 Service unavailable; Client host [68.38.184.185] blocked using socks.relays.osirusoft.com; (2003/04/10) Open proxy: telnet(1181); from=<Lisa2923fat_private> to=<spamtrapat_private> proto=SMTP helo=<66.190.154.95>

Use it to talk to Comcast's SMTP server, just for fun.

host -t mx comcast.net
comcast.net mail is handled by 0 mx00.comcast.net.

telnet 68.38.184.185 1181
MNGTR>mx00.comcast.net 25
mx00.comcast.net 25
Connecting to host mx00.comcast.net...Connected
571 Blocked for abuse 4/6/2003 Please send blacklist removal requests to blacklist_comcastnetat_private - Be sure to include your mail server IP address
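As an added example (not part of the post above, and not the poster's or LURHQ's code), here is a Python script that does what the poster did by hand: it pulls the client IP and the proxy port out of a Postfix reject line of the form shown above, then connects to that port, waits for the proxy prompt, asks the proxy to open an onward connection and records whether it does and what the far end says. The prompt text `MNGTR>`, the `host port` request syntax and the `Connecting to host ...Connected` reply are taken from the telnet session in the post; the assumption that such a proxy always answers this way, the function names, and the mock proxy that lets the script run offline are mine.

```python
"""Parse a Postfix "Open proxy: telnet(PORT)" reject line and probe the
named port the way the post's manual telnet session did.

Assumptions (mine, not the post's): the proxy prints a prompt ending in '>',
accepts "host port" followed by CRLF, echoes the request, and answers with a
line containing "Connected" before relaying the target's first line.
"""
import re
import socket
import threading

# The reject line quoted in the post, kept here as sample input.
SAMPLE_REJECT = (
    "3F1D43810F: reject: RCPT from bgp552493bgs.ewndsr01.nj.comcast.net"
    "[68.38.184.185]: 554 Service unavailable; Client host [68.38.184.185] "
    "blocked using socks.relays.osirusoft.com; (2003/04/10) Open proxy: "
    "telnet(1181); from=<Lisa2923fat_private> to=<spamtrapat_private> "
    "proto=SMTP helo=<66.190.154.95>"
)

REJECT_RE = re.compile(
    r"reject: RCPT from (?P<rdns>[^\[]+)\[(?P<ip>[\d.]+)\]: 554 .*?"
    r"blocked using (?P<dnsbl>[^;]+);.*?Open proxy: (?P<kind>\w+)\((?P<port>\d+)\)"
)


def parse_reject(line):
    """Return rdns, ip, dnsbl, proxy kind, proxy port and HELO, or None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    helo = re.search(r"helo=<([^>]*)>", line)
    rec["helo"] = helo.group(1) if helo else None  # the 66.190.154.95 in the post
    return rec


def _read_until(sock, marker, limit=4096):
    """Read until `marker` appears (or EOF / limit); used for the prompt."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(512)
        if not chunk:
            break
        buf += chunk
    return buf


def _readline(sock, limit=1024):
    """Read one line including its newline; b"" on EOF."""
    buf = bytearray()
    while len(buf) < limit:
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
        if ch == b"\n":
            break
    return bytes(buf)


def probe_telnet_proxy(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Ask the proxy to connect onward; report prompt, status line, banner."""
    result = {"prompt": None, "reply": None, "banner": None, "open": False}
    request = f"{target_host} {target_port}"
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.settimeout(timeout)
            result["prompt"] = _read_until(s, b">").decode("latin-1").strip()
            s.sendall((request + "\r\n").encode())
            # Skip the echoed request (telnet-style echo) and take the status line.
            for _ in range(4):
                line = _readline(s).decode("latin-1").strip()
                if not line or line == request:
                    continue
                result["reply"] = line
                break
            if result["reply"] and "Connected" in result["reply"]:
                result["open"] = True
                result["banner"] = _readline(s).decode("latin-1").strip()
    except OSError:  # refused, reset or timed out: leave open=False
        pass
    return result


def start_mock_proxy(banner=b"571 Blocked for abuse\r\n"):
    """Constructed stand-in for the proxy in the post, for offline runs only.
    Listens on a random loopback port, serves one client, returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"MNGTR>")
            req = b""
            while not req.endswith(b"\n"):
                chunk = conn.recv(256)
                if not chunk:
                    return
                req += chunk
            host = req.strip().decode("latin-1").partition(" ")[0]
            conn.sendall(req)  # echo, as the real session showed
            conn.sendall(f"Connecting to host {host}...Connected\r\n".encode())
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    rec = parse_reject(SAMPLE_REJECT)
    port = start_mock_proxy()  # replace with rec["ip"], rec["port"] on a host you may test
    print(rec)
    print(probe_telnet_proxy("127.0.0.1", port, "mx00.comcast.net", 25))
```

Two caveats before pointing this at anything real: the reject line records that the DNSBL listed the host on the date in parentheses, not that the port is open today, so a probe is the only way to confirm a live proxy; and connecting through someone else's machine to a third party's mail server, as the post does "just for fun", is exactly the traffic that got the host blacklisted, so run the probe only against hosts you are authorised to test, and stop at the "Connected" line rather than sending mail through it.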
This archive was generated by hypermail 2b30 : Mon Apr 21 2003 - 14:31:43 PDT