Incident Report Re: DO YOU BELIEVE IN REINCARNATION? CLICK HERE!

J Kinsley (jkinsley@bticc.net)
Thu, 17 Jun 1999 18:07:03 -0400

> Path: news.bticc.net!not-for-mail
> From: bmpokv@pastlife.com
> Newsgroups: lists.fwb.users,lists.ifmail
> Subject: DO YOU BELIEVE IN REINCARNATION? CLICK HERE! 7192
> Date: 17 Jun 1999 17:28:38 GMT
> Organization: BTI Communications -- http://www.bticc.net/
> Lines: 18
> Distribution: lists
> Message-ID: <7kbb86$fdc$48@osiris.bticc.net>
> NNTP-Posting-Host: 200.244.102.179
> X-Trace: osiris.bticc.net 929640518 15788 200.244.102.179 (17 Jun 1999 17:28:38 GMT)
> X-Complaints-To: news@news.bticc.net
> NNTP-Posting-Date: 17 Jun 1999 17:28:38 GMT
> Xref: news.bticc.net lists.fwb.users:3 lists.ifmail:1
>
> ************************************************************
> DO YOU BELIEVE IN REINCARNATION?
> ************************************************************
>
> Do you want to know who you were and where you lived in your
> past life?
>
> Click here-> http://www.pridesites.com/pastlife
>
> ************************************************************
>
> This message was posted with POST AGENT
> The BEST bulk news poster
> Download your FREE copy now at:
> http://postagent.com/default.asp?fromAgentID=1819
>
> qjgyqgmywbyjgmlwemenevzjpxxomxgst
>

This message is an incident report regarding a spam attack that
took place this afternoon (17 June 1999). At 17:28 GMT our
internal news server was compromised by a mad spammer.
Fortunately, we were able to get the server shutdown in time to
prevent the spam from propagating to the major news hiearchies
and our FidoNet distribution. However, we have a number of gated
mailing lists on the server which have instant distribution and
thus got hit by the spam. The result has been a deluge of
complaints to our abuse address. Since it would take the rest of
the week to reply to them all, this report is being sent to each
individual who sent a complaint as well as the lists that were
spammed and the appropriate parties involved in the incident.

The attacker used a bogus From: header using pastlife.com, but
the origin IP was 200.244.102.179. After some time with nslookup
and whois, I sent an e-mail to the Brazilian Research Network
where the IP was part of their class A subnet. Within minutes
Cristine Hoeper of nic.br sent me the nic record of
highway.com.br where the the attack originated. A few minutes
later I also got the following reply from Fernando Bravo of
highway.com.br. Thanks guys and gals for the extremely fast
response.

Date: Thu, 17 Jun 1999 16:40:49 -0300
From: Cristine Hoepers <cristine@nic.br>
To: jkinsley@horus.bticc.net,
nbso@nic.br,
cert-br@pangeia.com.br
Cc: bravo@highway.com.br
Subject: [bravo@highway.com.br: RE: System attack from 200.244.102.179]

----- Forwarded message from Fernando Bravo <bravo@highway.com.br> -----

Delivered-To: cristine@nic.br
X-ROUTED: Thu, 17 Jun 1999 16:38:32 -0300
From: "Fernando Bravo" <bravo@highway.com.br>
To: <cristine@nic.br>
Subject: RE: System attack from 200.244.102.179
Date: Thu, 17 Jun 1999 16:39:51 -0300
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.0810.800
In-Reply-To: <tcppop3.3232577@bbs.highway.com.br>
Importance: Normal

The person will be advised no to do so. This IP belongs to a pools of modems
of our dial up users.
I will do it personally.

Thanks for reporting it to us.

BEst regards,

Fernando Bravo

> -----Original Message-----
> From: cristine@nic.br [mailto:cristine@nic.br]
> Sent: Thursday, June 17, 1999 16:21
> To: Fernando Bravo
> Subject: Re: System attack from 200.244.102.179
>
>
>
>
> This IP belongs to 'HIGHWAY.COM.BR' domain.
> I'm forwarding your e-mail to the person responsible
> for this domain. Contact information follows:
>
>
> handle:NET-200-244-102-0-24
> ip-network:200.244.102.0/24
> class-ip-network:200.244.102.0
> network-type:C
> organization-name:FERNANDO BRAVO SOFTWARE LTDA
> organization-postal:RIO DE JANEIRO/RJ
> updated:19990617
>
> HIGHWAY.COM.BR
> F.BRAVO SOFTWARE LTDA
> Av.Ataulfo de Paiva, 135, Sls 805/806
> 22449-900 - Rio de Janeiro - RJ
>
> Points of contact
> Adm : FEB <bravo@HIGHWAY.COM.BR>
> Tec : FEB <bravo@HIGHWAY.COM.BR>
> Bil : FEB <bravo@HIGHWAY.COM.BR>
>
>
> Thank you for your report,
>
> Cristine
> NIC BR Security Office <nbso@nic.br>
> cristine@nic.br
>
>
----- End forwarded message -----

I have implemented an even more fascist posting policy on the
news server, but I am still not sure how the remote managed to
post since posting had already been restricted to the local
subnet. I have already noticed that several additional attempts
to access the news server have taken place while it was turned
off from other IP's in the 200.244.102 subnet. I will be
forwarding a copy of those logs to highway.com.br and keeping a
close watch on the server over the next few days. If there are
any INN-2.x gurus reading this, feel free to send me a message
privately as I would like to make sure this never happens again
without having to permantly shutdown the server.

I apologize for any inconveniences and/or problems this has
caused to anyone. I would also like to thank all those involved
in helping me track down the originator for their quick replies.
Finally, please forgive me for 'spamming' this incident report,
but it is the only way I can let the lists know the problem is
being resolved without spending the next week responding to
individual complaints.

Regards,
Jarrod Kinsley
System Administrator
BTI Communications

--
Jarrod S. Kinsley
System Administrator
BTI Communications




-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/