alt.2600 removed.
In comp.os.linux.advocacy, linux.freak.detector@xxxxxxxxx
<linux.freak.detector@xxxxxxxxx>
wrote
on Sat, 20 Oct 2007 16:45:41 -0700
<1192923941.834003.326810@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>:
> Anyone else receiving attacks from these 2 sites?
> I visited both recently and shortly afterwards I started getting
> attacks from both.
> I suspect it has to do with my using a Windows browser because I also
> visited the sites on another network using a Linux browser and got no
> such DDoS attacks.
>
> I have filed formal complaints against both host sites.
>
OK, dumb questions time.
[1] What sort of attacks? Various worms, malware, and
other such interesting scriptbits can attack on
virtually any open port nowadays, and certainly
unsecured systems are an invitation to disaster,
just waiting to happen.
The Internet Storm Center (isc.sans.org) suggests
that the top rising port is #1130 -- associated
with the Noknok trojan. Other ports are also noted:
1130 - Noknok
62165 - no service known
1231 - menandmice-lpm
13117 - no service known
44762 - no service known
62400 - no service known
18270 - no service known
5902 - vnc-2
13721 - bpbrm Protocol (VERITAS NetBackup)
1070 - GMRUpdateSERV
And this is under threat level Green. I'd hate for
it to go to Yellow, Orange, or Red.
A search for Noknok dredged up Fono as an alternate
name. It appears to be a standard trojan, setting
itself up as a server on the victim's system; the
actual client is a black hat. It is somewhat
difficult to remove according to
http://www.spywareguide.com/product_show.php?id=1503
Since it is a trojan it is possible Roy's site
infected you -- though I for one would put the
probability as being ridiculously low.
[2] www.schestowitz.com resolves to 84.18.207.65;
www.boycottnovell.com to 72.29.75.151. The only
attack I'd notice through my logs would be port 22;
my NAT blocks everything else. Granted, I've not
tried to visit those two websites from home lately.
The last such attack is from 81.25.28.146 (which shall
dutifully go into my hosts.deny). This resolves
into somewhere in Tartarnet.cz, a strange little
website with a three-headed mythological guardian.
I don't read Czech as a rule. This appears to be a
compromised Linux website. (That's right--Linux.
Server: Apache
X-Powered-By: PHP/4.4.6-pl0-gentoo
Expires: Thu, 19 Nov 1981 08:52:00 GMT
This particular website is pretty seriously botched,
whoever's in charge down there. If you're reading
this group and can understand English, whoever you are:
FIX YOUR WEBSITE! :-P )
[3] It most likely does have to do with you using Internet
Explorer. You'll want a good disinfectant.
[4] I would be curious as to where you filed those formal
complaints. Presumably the best place to file would
be on the uplink -- if you can find it.
[5] Boycottnovell.com is showing on its homepage a small
amount of Javascript, apparently for implementation
of Google ads. I'm not horribly impressed with the
styling (as implemented in HTML; visually it's not
too bad). I don't see much of a threat here.
Schestowitz.com contains an embedded style sheet --
not the best construct in my book but does save a
URL fetch -- and some javascript "thanks to Kevin
Werbach", whose primary purpose appears to play
"swap the image depending on time of day". The page
validation (an interesting feature) indicates a couple
of minor problems, both having to do with '/>'. Not
much threat there, either.
[6] Since you are crossposting this from and to known troll
territory, I'm setting followups to restrict to COLA
exclusively.
--
#191, ewill3@xxxxxxxxxxxxx
Linux. Because vaporware only goes so far.
--
Posted via a free Usenet account from http://www.teranews.com