|
Virginia Tech DShield |
|
FightBack Results
We steadily increased the number of e-mail we sent to ISPs. Almost all of them respond with a quick 'auto reply' indicating that they received the message and 'are working on it'. In a few cases, we get a little more details, sometimes within a day. Most ISPs will not confirm an action against a user.
Excerpts from responses we got after sending FightBack reports:
|
Date: Mon, 23 Dec 2002 12:58:16 -0800 (PST) Thanks. The customer has been alerted they may have the SQLSnake
worm and that they should apply the MS patches which will close the
exploit this worm uses. Have a happy holiday.
Thank you for notifying us of this incident. We removed the
system from our network and we are inspecting it for viruses/worms.
Thank you for your report. We found this user and we took appropriate
measures against him.
Thanks for the heads up. I have initiated contact with the owner of the
computer.
Thank you for reporting the problem. This host is likely to be infected by
the Nimda worm. All its traffic is now blocked at our main router.
Best regards.
We have forwarded your request to our Network Abuse Group. We would like to thank you for informing us about this issue. |
|
Date: Wed, 04 Dec 2002 21:26:49 +0200 We found the customer and took the proper reaction against him. Thank
you for your warning.
Thank you for reporting the problem. I have just blocked any traffic coming
from this host at our main router. You should not be scanned any more.
Best regards.
The host with IP XXX.XXX.XXX.XXX belongs to one of our customers, a
public school. We have informed our customer and received the reply that
they have found a virus/worm on their computer, which is now cleaned.
Immediate action was taken by Xxxxxx Xxxxxx University to stop this serious offense. We have shut down the network port of the machine and will not allow it back on the Internet until the offending service is removed. Thank you for your assistance and please feel free to contact me if you
have any
questions.
Resolved. This was a colo customer of our we have disabled him till the machine can be cleaned and/or re-installed |
|
Date: Thu, 14 Nov 2002 15:49:24 -0500 Hi We had contacted the customer in question yesterday and they had
their IT support person clean up the code red virus and NINDA from their
equipment.
Thank you. yes we just brought this box online and have not applied all patches. sorry
for any inconvenience.
this is down stream ADSL client... We have informed them that they
have a virus and have giving them 24 hours to fix...
This matter has been resolved, it was the action of the Slapper
Virus which had infected one of my machines.
Host with IP XXX.XXX.XXX.XXX looks like has been infected by Nimda
or Code Red worm. I have proceeded to block access to Internet from/to
infected machine. It will not be reconnected until it will be
safe and clean again.
Thanks for sending us your email about the portscaning activity from the host XXX.XXX.XXX.XXX. On 11 of Nov we received the first complaint about the portscanning activity from this host and contacted with the administrator of this network. The same day at about 12:00 CET we received an email from the network administrator of this network telling us that the hosts had been disconnected from the network and we closed this incident. |
|
Date: Tue, 29 Oct 2002 12:10:02 -0600 We are aware of the problem. It is a virus infected machine. We were
informed it was fixed. I'm re-access listing the box.
Thanks for the info, this was due to a 'slapper' worm on the server
(XXX.XXX.XXX.XXX) which has now been patched.
This server, XXX.XXX.XXX.XXX was taken off our network on 10/27 and
put back 10/28 after being rebuilt after it was hacked. Your note is one
of many,
we apologize for any inconvenience and believe the situation has
been remedied.
Thank you for reporting the problem. All the traffic coming from this host
is blocked at our main router since yesterday. So you should not be scanned
any more.
Thank you for your information. We will revise this PC. |
|
Date: Wed, 23 Oct 2002 05:55:18 -0400 Thanks We saw the problem yesterday and found the user. Actually someone added a
wireless access point in our dorm. It's disconnected now
The server at XXX.XXX.XXX.XXX was compromised. The
site has now secured the server and redeployed it in another capacity.
Thank you for informing us of our infected customer. The customer has
been informed and the virus should be removed from the clients computer as
soon as possible.
Sorry for the hassles. We caught it and have corrected. Thank you.
Thanks. We have received your mail about unwanted network activities from the host XXX.XXX.XXX.XXX. Work is in progress to find out what has happened, and to take action, so that this will not happen again. The host in question is currently disconnected from the network. Thank you very much for notifying us, and please accept our apologies for any problems that this may have caused you. |
|
Date: Mon, 21 Oct 2002 10:50:52 +0200 Thank you for this report, we have contacted the customer and he's going solved the problem. If you still have a problem with this IP number please let us know so we can take further steps to stop this. Date: Tue, 8 Oct 2002 16:49:47 -0500 We have confirmed your report and it appears to be a machine infected with CodeRed. We have been led to believe that this machine is no longer on our network. Please do notify us if you should see any additional scans. Thanks for the notice,
I have contacted this customer of ours and let them know that they have a server with this worm on it. I let them know it requires immediate attention and they need to get this removed from the machine. The system admin for them has already started to look into this. Thanks for notifying us of the problem.
Thank you for telling us about problems on our server, caused by the NIMDA infection. We took all actions needed to check problem and currently server is fixed. I would like to apologize for any inconveniences caused. In case any problems occur again, we would appreciate if you let us know.
Thank you for notifying us of this issue. We have located the system that was initiating these scans. It was infected with a strain of a virus called cinik. Please see http://www.cert.org/advisories/CA-2002-27.html for more information. Our system administrator has been notified and the system has been cleaned. The scans should no longer be happening but please let us know if any further issues arise. |
|
Date: Fri, 04 Oct 2002 09:02:56 -0700 We had two systems infected w/Nimda, they were disconnected from the
network and cleaned on 10.2.02. Thank You
The machine at IP address xxx.xxx.xxx.xxx had
been compromised via the Linux 'Slapper' worm. It has since been
pulled off the network and is being rebuilt. Thank you
We confirm that the MOL device with address XXX.XXX.XXX.XXX was
affected by the W32.Nimda virus. This device and others in its group have
been pulled off the network, they will remain disconnected until certified
clean.
We detected this activity on 9/29 and took the system involved, off of our network. Thank you for the notification. After the contact with the suspect machine's (XXX.XXX.XXX.XXX) administrator and according to his last report, we inform you that the involved machine has been shutted down & dispatched from the network and it has been started the roll out procedure for the machine's software checking and an afterall reconfiguration. In details: The intruder's malicious software (script), after a sucessfull portscanning at the target machine, exploited the leak of the older version of wu-ftd and took administration privilages to the system. After that it tried to establish connection through FTP port to other targets -The wu-ftpd has been removed. |
|
Date: Tue, 03 Sep 2002 17:33:41 +0200 We've contacted the owner of IP XXX.XXX.XXX.XXX The machine was compromised and had an SQL server installed with SA as user and no password. On behalf of our client, we apologize for
whatever inconvenience you might have experienced
Thank you for the notification, and sorry to give you a lot of trouble for this. We checked that machine and found that trojan JAVA virus ``NOCLOSE''
infected it.
So, We excluded the virus and recommended machine's user
to update virus-definitions more frequently.
Thanks for the notification. This is a machine operated by one of our PhD-students, and it has been compromised (through apache). The intruders appear to have been scanning for weak ftp-servers. The problem was corrected Friday. We take security seriously, and apologize for any problems caused
by this.
We have contacted the responsible person and adviced them to clean the system. Should no action be taken until 17.00 CEST, we will take the system offline. Thank you for contacting us. |
|
Date: Mon, 26 Aug 2002 09:52:58 +0200 Thank you very much for bringing this matter to our attention. We confirm that XXX.XXX.XXX.XXX is a customer's host in our network. We have contacted our customer and told him to fix this problem as soon as possible. We also want to apologize for any inconvinience. |
|
Date: Fri, 23 Aug 2002 09:00:18 +0200 the administrator told me that a new computer was installed and had gone online for testing purposes before the installation was really complete. A few hours of this state were enough for an intrusion. The computer is taken off the net and will be installed c_o_m_p_l_e_t_e_l_y before connecting it. Thank you for your valuable information.
we highly appreciate your detailed information which is very helpful for our work: The computer with the IP address xxx.xxx.xxx.xxx has already been
taken off the net and will not be reconnected until the problem is
settled. The administrator is making his investigations, we will
keep you informed about the results.
Thank you for informing us.
The machine in question was taken off the network and cleaned on the
morning of 8/19/02 by the system administrator responsible for it.
It has been re-installed and re-patched with the latest.
Thank you for your recent report to abuse@XXXXXX.XXX In accordance with our AUP we have take appropriate action to resolve this issue. ** Resolution Fixed Nimda with a patch
The owner of the machine referenced has been contacted and informed of the presence of the worm on his machine. The owner has also been requested to check any other machines which may be on the local area network. Thank you for informing us of this issue so that we could take action. |
|
Date: Fri, 9 Aug 2002 19:59:22 -0600 The user moved back to Apache after being hit using IIS temporarily. We think we are safe again. Keep up the good work.
It appears that this is indeed a Nimda attack.
We have contacted our customer about their open proxy. IP
xxx.xxx.xxx.xxx has been compromised by hackers
The machine with IP xxx.xxx.xxx.xxx has been disconected from the internet.
I have contacted the end user in question and have verified that port
scanning was due to NIMDA. The end user in question has taken measures to
combat the situation.
Thank you for the notification. It has been taken care of
(old server affected by Nimda)
Hello If your computers have any problem, please e mail me. Thank you so much and good luck. |
|
Date: Thu, 1 Aug 2002 13:10:07 -0500 (CDT) Thanks ..the box has been cleaned.
Machine was compromised by outside attackers.
Machine has had scanning
software removed and the machine was secured to prevent further incidents.
The problem with machine, IP-number xxx.xxx.xxx.xxx, has been solved.
We aplogize for any inconvenience.
Hello, |
|
Date: Thu, 25 Jul 2002 08:39:55 +0200 thank you very much for bringing this matter to our attention. We confirm that xxx.xxx.xxx.xxx is a customer's host in our network. This customer had 'Code Red' on his system. According to our customer this problem has been fixed on July 23. If there ary any further complaints please do not hesitate to contact us.
Mr. Xxxx Xxxxx by the way, who had been reporting this incident to you, is
also one of our customers and had been reporting this to us, too.
The host had been infected by Nimda. We have deleted the virus
already. If you see any additional probes please inform us at xxxx@xxxxx.de
Hi I do not think that he had any knowledge of what had happened to
his PC. This particular customer should not cause any further problems.
Thank you for your report. This host has been taken offline.
Please notify us if you experience any further incidents.
It's solved now. An idiot
just installed a w2000 machine without protection
on that IP address. We've disconnected the machine.
We are continuously fighting against Nimda outbreak in the dorms.
Fighting windmills, that is.
Dear Dshield.org, Now, this IP should have free from probing status.
Please let me know, if it has not bother you anymore.
IIS was removed and the machine was cleaned of all viruses. If you detect that this machine is still causing problems, please let us know. Thanks. |
|
Date: Fri, 12 Jul 2002 13:05:59 +0200 Hi Dshield, We've contacted the owner of IP xxx.xxx.xxx.xxx. The machine was compromised and was re-installed this morning. The machine was running without antivirus protection while he was downloading Win2000 SP2, and was infected during this time. On behalf on our client, we apologize for
whatever inconvenience you might have experienced.
Thanks for notifying us of regarding this system.
We have contacted the individual responsible for this machine. They took
the system down this morning and rebuilt it.
Thanks for your warning. The host xxx.xxx.xxx.xxx was disconnected at 17:00 last Friday 5.
Today, Monday 8, host administrator was examining signs of compromise,
the IIS (Internet Information Server) was installed.
Host administrator xxx.xxx.xxx.xxx reinstalled completely without IIS.
This system has been shut down by it's administrator. It will
remain off of the network until it has been cleaned up.
The administrators of this network send us a email last
week about some hosts in their contituence that had been infected
by the IIS worm, and they were patching the system. The hosts were
disconnected last week. This incident is now closed.
It looks like our machine with IP xxx.xxx.xxx.xxx is infected with Nimda or RedCode worm. I have contacted the Administrator of the machine to ask him to solve the problem and have blocked access from IP to Internet; it will not be reconected until we will be completely sure the machine is clean and safe. We regret any inconvenience we may have caused.
xxx.xxx.xxx.xxx is one of our user. We have informed him/her and asked for explanation,maybe virus issue(JS_SQLSPIDA.B). If you are attacked again, please mail us. We will stop his internet access after certain evident collected. Sorry for bothering you. |
|
Date: Wed, 12 Jun 2002 05:04:03 +0700 (Viet Nam) Our customer who is contact for this IP address, has inflected by some Viruses. We had notified them to avoid this problem. Please let me know if this problem still occurs.
the customer was informed and asked to secure his server to prevent
server's misuse. Please inform us if this activity reoccurs.
The customers machine was hacked and being used to probe other machines. This issue has been taken care of. Thank you for the notification,
The server was infected by nimda. On Thursday, 6/6/02
we cleaned the Nimda virus off of this server.
We have located the server infected with this Virus and resolved
your issue. Please accept our apologies and notify us if this event
reoccurs. Thank you for your patience.
We apologize for any inconvenience this may cause. The IP address:
xxx.xxx.xxx.xxx that infected was from one of our customers' networks. We are
informing the customer of this incident, and will have them fix the issue.
Should you have assistance needed, please feel free to contact me.
Thank you for identifiying a Nimda infection, the server in question has been cleaned and fixed. The web that was penetrated has been deleted. |
|
Date: Thu, 23 May 2002 13:13:37 -0400 Thank you for the update. We have scanned all our servers and computers
and came up with the JS/SQLSpida.b.worm virus. They have all been
deleted and we are changing the security on our firewall.
We have isolated the problem on the machine in question and taken appropriate steps to stop further attacks of this kind. Thank you for informing us of the initial problem and we are sorry for any inconvenience caused. I would like to take this time to also thank you for the service that you are supplying to help rid the world of these nasty worm critters. Keep up the good work.
My network has been infected with the SQLsnake. It will be eradicated
today. Thanks for the notice.
Hi DShield-Team, thanks for your information concerning the abuse of our server. We have eliminated the worm. |
|
Date: Tue, 30 Apr 2002 16:03:18 -0400
I just went to the IP (xxx.xxx.xxx.xxx), and sure enough the typical 'nimda popup' did show up. This machine is Nimda infected. |
|
Date: Fri, 19 Apr 2002 11:07:35 -0700 This appears to be a newly installed server, and not all the MS
patches have been applied, we have taken the
system offline for investigation.
I believe I have taken care of the problem and yes we did have a virus on our server. Once Again Thanks
Thanks. This problem was fixed, we had nimda virus on that server.
Thanx for the info. This is the hostmaster of Xxxxxxx.com. We acknowledge your concern
and appreciate your notification. We experienced Nimda Worm
outbreak yesterday. It has been under control. If it continues, please
do not hesitate to inform us.
The IP number has been traced to a new co located machine, we
have removed this server from the network until we find the cause which we
are now working on, first thoughts is that this is a virus rather than
that the machine has been compromised. If we find different we will let you
know.
We have a tech on the way to secure this machine at this time. |
|
Date: Tue, 9 Apr 2002 15:23:13 +0200 We have taken due note of your mail dealing with unauthorized attempt made to your computer. Xxxxxx Xxxxxxxxx has taken the measures needed to check the identity of the hacker, since such a conduct is indeed contrary to common netiquette. We have closed his connection today 2002/04/09
Thanks .. Nimda was found and the box cleaned.
Thanks for the info. This machine is/was owned one of our colocated clients (now
former). It is disconnected from our network for good ...
We have notified the user of this IP and they are taking care of it. |
|
Date: Mon, 1 Apr 2002 16:05:12 -0700 this was locked down April 1 10:30PST thanks for the notice
Thank you for your vigilance. An FTP server at XXXXXX got
infected and it has been turned off. If you have any
questions, please do not hesitate to contact me.
I spoke with the customer this morning and he is aware that
he was spreading Nimda. He has scrubbed his system. You should not
have any more network intrusions.
This machine has been removed from the network and is being reformatted. |
|
Date: Mon, 18 Mar 2002 09:13:31 -0500 There was a machine on that network that was infected with the Nimda Virus
the machine has been cleaned sucessfully sorry for any inconvenience.
Thank you for letting me know of this problem. We have removed this
machine for our network and are having our computer forensic specialist
analize this machine to find if we can track down the responsible party.
The user of this IP address has found a virus on their system and removed
it. Thank you for your prompt attention in notifying us regarding this
issue.
I have contacted the owner of this PC and requested it's removal from the
network until it has been reformatted and security patches added.
XXX.XXX.XXX.XXX is one of our transparent proxy servers. The system that generated the CodeRed attacks was XXX.XXX.XXX.XXX. It has been filtered since 14th March. |
|
Date: Mon, 11 Mar 2002 07:31:20 +0100 (CET) I forwarded your message concerning probable Nimda attacks from our Network to the Administzrator of XXX.XXX.XXX.XXX which is obviously an IIS-Server: lanmanager.lanmgr-2.server.xxxTable.xxxxxEntry.xxxxName.xx.xx.xx.xx : DISPLAY STRING- (ascii): IIS Admin-Dienst I will stop this server imediately adressing port 80 of other
internet
servers and our intranet servers as well, until I get response from the
responsable.
This mail relay has been taken offline. Thank you for informing us.
Thank-you for your report. We became aware of this last week - the computer was isolated until all necssary security patches had been applied. Problem fixed Friday 8th |
|
Date: Fri, 08 Mar 2002 15:37:18 -0500 Thank you for the report. We have already taken action against this
system
Hello Dshield Please pass our apologies on to XXXX for the scan. This box was put up
in a hurry and not properly secured by one of our users. We are working
with them immediately to fix this situation.
This server has been taken offline. Thank you for informing us.
Thanks for this report. We noticed activity earlier today and have had this computer pulled off the network until it can be reformatted and patched. |
|
Date: Thu, 07 Mar 2002 10:11:45 -0800 This a dorm user and has been temporarily disabled until we can determine what they were doing and appropriate disciplinary action can be taken. |
|
Date: Tue, 5 Mar 2002 09:10:51 -0800 Port 80 has been shut down on this IP.
The network segment concerned was isolated from the rest of the Net
shortly before noon of 28 Feb, Middle European Time.
The machine
with address NNN.NNN.NNN.NNN had the virus NIMDA which has
been eliminated. We hope you don't receive any more problems from this
address.
we will identify the user and take further actions against him. Thank you for your information. |
|
Date: Mon, 18 Feb 2002 13:35:04 -0500 (EST) Thank you for the notification of illicit activity coming from a computer in the University of XXXXX XXXXXX domain. This was a faculty member's computer that was found to have the "mummy" virus when the eSafe virus scanner was ran on the computer. We have attempted to disinfect this computer to prevent the unauthorized intrusions to your and other networks. Again thanks for the notification; and if there is anything else we can do, please let me know. |
|
Date: Wed, 20 Feb 2002 16:02:52 +0100 thank you for this information. I forwarded your mail to the IT-manager of the Xxxxxxx Institute at Xxxxxx where the net is in use. I hope he can identify the culprit and tell him that his job is at stake if this happens again. |
|
Date: Thu, 14 Feb 2002 08:18:32 -0600 (CST) Our IDS caught him and blocked it. They say it is fixed. The IDS is no longer seeing an outbound attack. |
|
Date: Thu, 7 Feb 2002 08:26:06 -0900 Thank you for notifying us that one of our customers is infected
with the nimda virus. We will be notifying them that they are
infected and to clean there machine and apply the appropriate security
patches so that a reinfection does not happen again.
The Nimda infected computer has been unplugged from the network. It
will be cleaned before reconnecting.
This machine was infected with Nimda and has been cleaned. |
|
Date: Mon, 28 Jan 2002 09:58:31 -0600 Thanks for bringing this to our attention. The reports of a NIMDA
infection on this device was confirmed and has been removed/disinfected.
Date: Mon, 28 Jan 2002 11:52:22 -0500 Tested with eEye Retina, concur with your initial email. I informed customer about issue. |
|
Date: Thu, 24 Jan 2002 15:30:59 -0500 The owner of the machine referenced has been contacted and informed of the presence of the worm on his machine. The owner has also been requested to check any other machines which may be on the local area network. Tnank you for informing us of this issue so that we could take action. |
|
Date: Tue, 22 Jan 2002 09:30:50 -0500 Thanks for the heads up. I located the systems and indeed was infected. The user was just building a new system and still hadn't had a chance to apply the patches. Thanks again |
|
Date: Wed, 16 Jan 2002 17:05:08 -0500 (EST) Thank you for contacting Xxxxxxxx University regarding portscanning and other suspicious activity from xxx.xxx.xxx.xxx. This machine was compromised by a remote attacker, and been taken offline as of January 12. System administrators are in the process of evaluating the incident and re-installing and securing the system. It will remain disconnected from the network until it has been thoroughly secured. I apologize for any inconvenience that this may have caused. If you detect any further hostile network traffic from the Xxxxxxxx University network (xxx.xxx.xxx.0/16) |
|
Date: Tue, 15 Jan 2002 18:04:30 +0100 (Germany) Thanks. The system was "hacked", the problem is fixed now. |
|
Date: Fri, 11 Jan 2002 10:11:04 -0500 Thank you for bringing this to our attention. The customer was notified about this situation. They had previously been informed, took the machine offline, reformatted the infected host, and installed Windows2000 with all the patches. They also had purchased anti-virus protection for their entire network. Again, thank you for the notification. |
|
Date: Thu, 27 Dec 2001 15:53:24 -1000 (HST) (Hawaii) The scanning activity originating from xxx.xxx.xxx.xxx should no longer be appearing on your network logs. The user's computer had been compromised by the Nimda worm, which caused the connection to perform the scans that occurred on your network. The computer has been taken down, is being patched, and will not be brought online again until it has been properly secured. |
|
Date: Wed, 26 Dec 2001 19:49:08 -0500 (EST) We have taken steps to secure this account and will be providing our customer with information on trojan horse/virus detection and removal. Please accept our apology and let us know if you see any more activity of this nature. |
|
Date: Wed, 19 Dec 2001 13:33:06 +0900 (Japan) Thank you very much for your caution on Dec. 16. The machine is a Windows 2000 Server and seemed to be affected by the Nimda. Although IIS had been running on that machine without being patched adequately, the administrator had not been aware of that. We got the machine off the network as soon as we received your caution and took necessary action. Now we are sure that the machine is safe and on the network again. We are sorry for all of your inconveniences concerning this matter. Again thank you for your caution. |
|
Date: Tue, 18 Dec 2001 13:15:45 EST We are let you know that thanks to your advise we found in our system a Virus, a Nimba variant. |
|
Date: Tue, 11 Dec 2001 10:38:26 +0200 (Turkey) We are changing the Op.syst. of our servers, replacing Linux instead of NT because of attacking and viruses problems ...... I hope that attacks will be reduced........... |
|
Date: Tue, 11 Dec 2001 10:42:24 +0200 I would like to thank you for warning us about the illegal actions of our customer. We will take action about the problem on our side. Please don't hessitate to let us know if it repeats. |
|
Date: Mon, 26 Nov 2001 08:32:05 -0500 Please accept my apologies for the delay in responding; the University was closed for the Thanksgiving Day holiday, and I have just now only seen your message. However, after several similar reports of probes from the computer in question, the device was blocked so that no further activity of the kind could ensue. The student who owns the computer was away from campus, but left his Linux system active. Clearly, the system was compromised and exploited by an outside hacker during the Xxxxxxx student's absence. A message the student sent me yesterday, after returning to the campus, indicated that he was going to re-install his Linux operating system with appropriate security patches, and would then seek removal of the network block. Please accept my apologies on behalf of Xxxxxxx University for this incident, and thank you for reporting the matter. |
|
Date: Tue, 20 Nov 2001 11:05:51 -0500 We apologized for any inconvenience this issue may have caused you. This was a recently released server were our production department forgot to install the patch for code red. This server was taken offline yesterday and cleaned up. I assured you that all corrective measures were taken so this will not happened again. |
|
Date: Wed, 07 Nov 2001 10:18:04 +0100 (Sweden) Thank you for reporting the abuse. As your IDS suggest we got a variant the worm nimda at the 5th of november. The worm did not match any virus pattern in the description file of our virus protection system. The description file update of the 5th was unefficient. So until the arrival of a new description file of the 6th we were unprotected against the worms damages. We are currently analyzing what modification of our routines will be necessary to prevent similar events. |
|
Date: 05 Nov 2001 13:55:19 -0500 Thanks for the report. The machine in question has been compromised. We have removed it from from the network and will not reenable access until it has been cleaned of the infection and steps taken to prevent a repeat occurrence. We apologize for the inconvenience. |
|
Date: Thu, 1 Nov 2001 10:22:41 -0500 (EST) Thanks for the notification. I have contacted the customer, and they said they should have this resolved as of today--they worked on it last night, and believe it to be taken care of. If you see any further indication that they may still be infected, please let us know. |
|
Date: Thu, 1 Nov 2001 06:55:42 -0500 (University) xxx.xxx.xxx.xxx was removed from the network on 10/31/01 after we received reports of outgoing probes from several sites. This event is still under investigation, but the machine will not be returned to service until it has been re-secured. We regret any difficulties resulting from these probes. |
|
Date: Mon, 29 Oct 2001 17:51:05 +0100 (Spain) Machine with IP xxx.xxx.xxx.xxx is infected with Nimda or RedCode worm. We have contacted the administrator and asked him to patch and repair the box. It has been disconected from network and it will not be re-connected until we well be sure enough it is completely free of worms and protected aginst new attempts. |
|
Date: Tue, 23 Oct 2001 10:12:50 -0500 We received some other correspondence conserning this IP. The machine at this IP was new to the network and had not been properly patched. The machine was taken off line yesterday and the virus removed. Please let me know if you have any questions. |
|
Date: Thu, 25 Oct 2001 10:15:15 -0400 The computer was infected with (a lot of) virus. It has been cleaned and protection software has been installed. We are sorry for any inconvenience it may have caused. Thank you for your help and cooperation. |
|
Date: Fri, 19 Oct 2001 17:14:06 +0100 (United Kingdom) Thank you for the report, the responsible system has been located and fixed. It was the code-red worm that was responsible for the problem. The address you provided was the address of one of our web caches so it took a little time to trace the infected system. |
|
Date: Mon, 15 Oct 2001 11:15:41 -0400 Sorry, we had a linux box that was inadvertantly put outside of our firewall, and was apparently immediately compromised. It has now been removed from the network. Please advise if you see any additional hostile traffic from our IP range. |
|
Date: Mon, 8 Oct 2001 11:19:26 Thank you for your notice to this problem, our customer's server was compromised and used as a launching point for what appears to be a virus/worm attack. They have taken appropriate security measures to prevent this from happening again. If you need further assistance, please do not hesitate to contact us. Thank you! |
|
Date: Wed, 3 Oct 2001 16:19:12 +1200 (New Zealand) Yes, we've had a number of complaints already regarding that box. I spoke to the customer this morning and instructed them to take the box off the network immediately and disinfect it - properly - please advise if you see any further unsolicited activity from this machine. |
|
Date: Tue, 04 Sep 2001 17:31:34 +0200 (Hungary) Our client has been hacked. He was in holiday. When he arrived, he have reinstalled his computer and he has removed the security holes. |
[ Home | Login | What's New | Intro | Submit | Clients | Web Submission | All Reports | Links | About | Privacy ]