@Home/ZA users

Printable View

August 7th, 2001, 12:27 AM
zipulrich

@Home/ZA users

I just got off the phone with an @Home network admin. He asks that users of @Home send a copy of their ZA log as an attachment to [email protected], with a brief note explaining what you're sending. They're trying to get hold of all @Home users running IIS that are infected with CodeRed, as those machines are pinging all the other @Home users....and apparently are unaware of what's going on.
Getting hit 100-150x per hour is slowing down a lot of people, and it gets REALLY annoying, too. https://discussions.virtualdr.com/
August 7th, 2001, 12:48 AM
maxximilian

Thanks for the info Zipulrich. My ZA log file is now over a megabyte, but if they want it.... https://discussions.virtualdr.com/

------------------
Be not afraid of greatness. Some are born great, some achieve greatness, and some have greatness thrust upon 'em.

MAXXIMILIAN'S
August 7th, 2001, 12:57 AM
Train

Boy are they slowing things down. Sitting behind a hardware firewall, all you see is the slowing down of page openings.

------------------
SMILE
and post back
[ Book mark this post to find it again]
August 7th, 2001, 07:21 AM
zipulrich

Maxx, I just sent another log - 3 1/2 hours, 164 hits! https://discussions.virtualdr.com/

[This message has been edited by zipulrich (edited 08-07-2001).]
August 7th, 2001, 07:40 AM
J A L

Hi,
I am having trouble with contious streams of data. Latency is what I thought it was. I have a stealth Ip Address and have no viruses on my network. Grr so some virus is causing all this the last week or so?? I am using @home service too. https://discussions.virtualdr.com/

------------------
Some of the good things in life are free! :) Cable Internet isn't one of them!!
August 7th, 2001, 08:05 AM
zipulrich

J A L, check your firewall logs...any I.P. addresses that start with "24." is most likely another @Home user.

Fun, ain't it?
August 7th, 2001, 09:50 AM
Dickster

Oh wow, I just deleted my log file last night. It was over 8 mb! I am getting pinged at least 30 times an hour. I'll start a new log and send it in. Thanks for the tip!
August 7th, 2001, 10:21 AM
Spike143

Just to let everyone know, it's not just @Home that is getting hits Road Runner and many others are having the same problem.
Spike
August 7th, 2001, 02:42 PM
JoeHenry

Zipulrich, what is IIS? I have @home but in the dark about IIS. I had over 300 hits over a 3 day period. I sent the list to @home but don't know if that was the right thing to do or not. Thanks for the info. Joe

I just found and reviewed Johnny Canucks post and answers for IIS. Sorry to bother again. Thanks, Joe

------------------
Celeron 366, 8GBHD, 128 MB Ram, IE5.5(Main) & NS Browsers, Windows 98, Outlook Express Mail.

[This message has been edited by JoeHenry (edited 08-07-2001).]

[This message has been edited by JoeHenry (edited 08-07-2001).]
August 7th, 2001, 03:12 PM
JoeHenry

I just received a reply from [email protected] concerning the hits I sent to them. Any comments? They replied as follows:

It appears that you are reporting a portscan by a computer with an IP
address of 24.0.0.203. This computer in our corporate domain and is
approved to perform proactive scanning of the network. It is actively
scanning our network for security problems in our customers'
configuration which could be exploited. We have been seeing a
significant number of customers installing networking software which is
leaving their computers open to attack, this is why we must respond in
this way. You may see it scanning 2-3 times a day. This proactive
scanning is allowed by the Acceptable Use Policy, which can be reviewed
at the following URL:
http://www.home.com/aup/

The relevant section is quoted below. It can be found under the last
section of the AUP, under the heading, 'Violation of Acceptable Use
Policy':

"Although Excite@Home has no obligation to monitor the Services and/or
the network, Excite@Home and its various affiliates and partners reserve
the right to monitor bandwidth, usage, and content from time to time to
operate the Services; to identify violations of this Policy; and/or to
protect the network and @Home users."

If you were also reporting scans by other computers in the @Home domain,
please compose a new email message and send a report for each IP address
separately.

The @Home Network Policy Management Team

Tracking ID #1000
August 7th, 2001, 03:32 PM
JoeHenry

Yes, JohnKing, they sound like government employees covering their buttocks. Anything to confuse and/or cloud the issue. I'm vulnerable, being a novice, but they must think everyone else is, too.
Thanks for your comment. Joe https://discussions.virtualdr.com/
August 7th, 2001, 03:37 PM
jasaroony

I'm getting 100+ pings per hour, all from ip addresses starting 24.27. Does this do anything or do i have a reason to be concerned?
August 7th, 2001, 03:57 PM
Daizy

Well, fellow @home users, It's nice to see I'm not losing my mind over here! https://discussions.virtualdr.com/ I've upped my zonealrm settings to local: high and internet: high, did a trojan scan, and a virus scan....ran adaware incase I missed something......all to find out that you all are getting pinged just the same as I am. I'm getting hit about a hundred times every two hours.

Daizy

------------------
Hope this helps.
August 7th, 2001, 04:06 PM
DanC

Seems to me they might be getting overwhelmed and not able to sort thru all the monster ZA logs. Did they say a separate email for each entry in the log or each 24.xxx entry? They have to compare log entries with their own records, it's gotta be a monster task.

I don't use @home but I'm getting lots of hits from my own isp's dns numbers. I think it's a proactive search to find and help fix infected users, not an indication that they are themselves infected. I just turned off the alerts and look thru the log now and then.

CYA stuff? Sounds like they're just trying to take care of business during a really difficult time.

------------------
"If you look at the sun without shielding your eyes, you'll go blind. If you look at the moon without covering your eyes, you'll become a poet." --Serge Bouchard
August 7th, 2001, 04:11 PM
Mac-99_take2

I just got one of those "@home security probes" it happened on my port 119

Instead of originating HTTP it was NNTP from 24.0.0.203 (TCP Port 34934) [TCP Flags: S].

The lookup of the address turned up this IP

authorized-scan1.security.home.net

I seemed to get two probes really quickly from them too...so there's your secuirty probes.....

Mac

[This message has been edited by Mac-99_take2 (edited 08-07-2001).]
August 7th, 2001, 05:07 PM
Trish-A

I use charterpa cable service. Below is part of the reply I recieved when questioning the probes to port 80 going from an avgerage of 4 per day to over 150 a day (not counting probes to other ports).

Thanks for your concern.

Our servers are not vulnerable to the Code Red worm since we do not use NT.
Unfortunately, people probing ports is simply part of being on the Internet. If we were to block the ports you listed, our customers would not be able to surf the web and perform DNS lookups (which your computer does without notifying the user).

I hope this helps to clear things up.

XXXXXXX
Senior Systems Administrator - Charter Business Networks

Yes Senior... clear as mud...

------------------
Si Hoc Legere Scis Nimium Eruditionis Habes.
(translation: If you can read this you're
overeducated)
August 7th, 2001, 05:11 PM
Verity

Try here: http://www.webopedia.com/TERM/I/IIS.html

Quote:

Originally posted by JoeHenry:
Zipulrich, what is IIS? I have @home but in the dark about IIS. I had over 300 hits over a 3 day period. I sent the list to @home but don't know if that was the right thing to do or not. Thanks for the info. Joe

I just found and reviewed Johnny Canucks post and answers for IIS. Sorry to bother again. Thanks, Joe
August 7th, 2001, 05:14 PM
Ed S

Here is what Road Runner sent us in the Ohio area last night. (8/6)

ROAD RUNNER ALERT

VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.

Dear Road Runner Subscriber:

Road Runner, like many other ISPs and indeed the entire Internet, has
today experienced an attack on its network which is apparently
attributeable to the Code Red virus. It is possible that this virus has
infected the PC's of Road Runner's subscribers using the Microsoft
Windows NT or Microsoft Windows 2000 operating systems. Infected PC's
may continue to flood the Internet and Road Runner's network with virus
generated messages (even without your being aware of it).

Road Runner is working to alert all of its subscribers to this problem
and to instruct them on where to find and install the patch necessary to
eliminate the virus. In the meantime, Road Runner subscribers may
experience slow network response, flashing connectivity lights on the
cable modem, and other symptoms (such as unusual port scan log activity
or increased firewall activity) while Road Runner and the Internet
community work to control the impact of this virus.

IF YOUR PC IS RUNNING WINDOWS 2000 OR WINDOWS NT, PLEASE IMMEDIATELY
DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE
(www.microsoft.com/security) AND RESTART YOUR PC.

IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOUR
ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

We ask for your patience while Road Runner continues to work with the
Internet community to address this virus.

Thank you.

Road Runner Security

[This message has been edited by Ed S (edited 08-07-2001).]
August 7th, 2001, 06:14 PM
Train

Well, we seem to be back up to speed out here. Would have been nice if they would take the time to notify people as Ed S posted. Too lazy?

------------------
SMILE
and post back
[ Book mark this post to find it again]
August 7th, 2001, 07:52 PM
zipulrich

(IIS is Microsoft's Internet Information Server - works with NT and Win2K)

Well, I just mailed them my log of this afternoon - 247 probes. Looking through them, most are from users, not @Home's own servers.

On the phone with them last night, they seemed real eager to rid their customers of CodeRed. It was their suggestion to e-mail them the firewall logs.
Perhaps the task seems too overwhelming today...........
August 7th, 2001, 07:55 PM
zipulrich

Just received this:

Dear Zip Ulrich,

It appears that you are reporting receiving traffic that is related to
the Code Red virus.

If you are receiving 'get' command strings from an @Home user or users,
directed at port 80, it is likely that that originating machine has been
compromised by the Code Red virus. One of the effects it has is to
cause infected machines to search for other machines that would be
exploitable. Machines that are running unpatched versions of Windows NT
Server or 2000, with a Web Server and IIS (Microsoft Index Server 2.0 or
Indexing Service in Windows 2000) are vulnerable to this exploit. If
you are NOT running this OS and services, your computer is not subject
to this particular compromise. For more information on this situation,
point your browser here:
http://www.microsoft.com/technet/sec...n/MS01-033.asp http://news.excite.com/news/ap/010805/20/code-red http://news.cnet.com/news/0-1003-201-6625599-0.html

If you have are running this Operating System, Microsoft suggests that
you obtain and run the patch as soon as possible:

For Windows NT: http://www.microsoft.com/Downloads/R...eleaseID=30833

For Windows 2000: http://www.microsoft.com/Downloads/R...eleaseID=30800

The @Home Network is currently working on proactive measures to respond
to this situation. You should see this activity cease from @Home
subscribers in the near future. Thank you for your report.

The @Home Network Policy Management Team

Well, whatever..............

[This message has been edited by zipulrich (edited 08-07-2001).]