[iwar] "Trojans Sending More Data to Russia " (fwd)


From: Fred Cohen
From: fc@all.net
To: iwar@egroups.com

Mon, 14 Aug 2000 17:07:53 -0700 (PDT)


fc  Mon Aug 14 17:09:15 2000
Received: from 207.222.214.225
	by localhost with POP3 (fetchmail-5.1.0)
	for fc@localhost (single-drop); Mon, 14 Aug 2000 17:09:15 -0700 (PDT)
Received: by multi33.netcomi.com for fc
 (with Netcom Interactive pop3d (v1.21.1 1998/05/07) Tue Aug 15 00:09:08 2000)
X-From_: sentto-279987-480-966298075-fc=all.net@returns.onelist.com  Mon Aug 14 19:08:20 2000
Received: from ei.egroups.com (ei.egroups.com [208.50.99.235]) by multi33.netcomi.com (8.8.5/8.7.4) with SMTP id TAA20102 for ; Mon, 14 Aug 2000 19:08:20 -0500
X-eGroups-Return: sentto-279987-480-966298075-fc=all.net@returns.onelist.com
Received: from [10.1.10.35] by ei.egroups.com with NNFMP; 15 Aug 2000 00:07:57 -0000
Received: (qmail 2780 invoked from network); 15 Aug 2000 00:07:54 -0000
Received: from unknown (10.1.10.26) by m1.onelist.org with QMQP; 15 Aug 2000 00:07:54 -0000
Received: from unknown (HELO all.net) (24.1.84.100) by mta1 with SMTP; 15 Aug 2000 00:07:54 -0000
Received: (from fc@localhost) by all.net (8.9.3/8.7.3) id RAA30727 for iwar@onelist.com; Mon, 14 Aug 2000 17:07:53 -0700
Message-Id: <200008150007.RAA30727@all.net>
To: iwar@egroups.com
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen 
MIME-Version: 1.0
Mailing-List: list iwar@egroups.com; contact iwar-owner@egroups.com
Delivered-To: mailing list iwar@egroups.com
Precedence: bulk
List-Unsubscribe: 
Date: Mon, 14 Aug 2000 17:07:53 -0700 (PDT)
Reply-To: iwar@egroups.com
Subject: [iwar] "Trojans Sending More Data to Russia " (fwd)
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

...
Dear Sirs,
In the last days an Internet Top-Alert was published regarding wide Distributed Denial of Service (DDOS) attacks - "Trojans sending more data to Russia - “large amounts of data being sent, illegitimately.... to a Russian IP address (194.87.6.X). The cause is most probably a Trojan, but whatever it is, it is moving fast... All sites should block network traffic from or to 194.87.6.X” (The Global Incident Analysis Center - GIAC) - more at: http://www.farm9.com/sec080100.htm .

TSL's Intrusion Detection Research Team ("OSPREY") has investigated the alert since 01.08.2000:

  1. The TSL's OSPREY Team located the origin as DEMOS Network, a large Russian ISP from Moscow: www.demos.net.
  2. TSL informed DEMOS on August 11, 2000, as well as the Abuse Team at abuse@dol.ru, after completing the investigation, and strongly believes that the DEMOS network was manipulated and used as a relay for the attacks.
  3. DEMOS's Technical Director reported to TSL's OSPREY Team that the "Russian IP address (194.87.6.X)" is DEMOS's dial-up network and, moreover, the attackers were found and blocked!
  4. The TSL's OSPREY Team recommends not sending alerts at any level without a deep pre-investigation, and clarifying the attack issues in advance!
     More information regarding the TSL's OSPREY Team can be obtained via e-mail only: tslinfo@tsl-sec.com.

Sincerely,
Shai Blitzblau

------------------------------ :)
Shai Blitzblau
Research & Technical Operations Director
TSL - Top-notch Security Layers Ltd.

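The alert quoted in the forwarded message told sites to block traffic "from or to 194.87.6.X", and the follow-up explains why that was a blunt instrument: the range turned out to be an ISP dial-up pool, so mere contact with it says little, while a single internal host pushing unusual volumes into it is the signal worth investigating first. The script below is an added example, not code from the original message, GIAC, or TSL: it parses constructed flow records (timestamp, source, destination, bytes), treats the "X" as the whole /24, and reports internal hosts whose outbound byte count to that range exceeds a threshold, alongside a plain "any direction" match for comparison. The flow format, the threshold, and the sample addresses are assumptions for the demonstration.

```python
import ipaddress
from collections import defaultdict

# The range named in the GIAC alert quoted in the message; the "X" is taken to
# mean the whole last octet, hence a /24 (assumption for this example).
WATCHED_NET = ipaddress.ip_network("194.87.6.0/24")

# Constructed flow records for the demonstration, not real traffic:
# "<timestamp> <src> <dst> <bytes>", one flow per line.
SAMPLE_FLOWS = """\
2000-08-01T10:00:01 10.0.0.5 194.87.6.17 1048576
2000-08-01T10:00:02 10.0.0.5 194.87.6.17 2097152
2000-08-01T10:00:03 10.0.0.9 194.87.6.200 512
2000-08-01T10:00:04 10.0.0.12 192.0.2.44 8192
2000-08-01T10:00:05 194.87.6.3 10.0.0.9 4096
2000-08-01T10:00:06 10.0.0.5 194.87.6.18 4194304
"""


def parse_flows(text):
    """Yield (src, dst, nbytes) tuples from whitespace-separated flow records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of aborting the whole run
        _, src, dst, nbytes = parts
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)


def touches_watched_net(text, net=WATCHED_NET):
    """Every flow in either direction involving the watched range.

    This is the literal 'from or to 194.87.6.X' match from the alert; on a
    dial-up pool it fires on ordinary traffic too, so it is a coarse filter.
    """
    return [(str(s), str(d), n) for s, d, n in parse_flows(text) if s in net or d in net]


def bytes_to_watched_net(text, net=WATCHED_NET):
    """Sum bytes per internal source host sent into the watched range."""
    totals = defaultdict(int)
    for src, dst, nbytes in parse_flows(text):
        if dst in net and src not in net:
            totals[str(src)] += nbytes
    return dict(totals)


def suspicious_hosts(text, threshold=1_000_000, net=WATCHED_NET):
    """Internal hosts that pushed more than `threshold` bytes into `net`,
    highest volume first; these are the hosts to examine for a Trojan before
    any wider blocking or alerting."""
    totals = bytes_to_watched_net(text, net)
    return sorted(((host, total) for host, total in totals.items() if total > threshold),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(f"{len(touches_watched_net(SAMPLE_FLOWS))} flows touch {WATCHED_NET}")
    for host, total in suspicious_hosts(SAMPLE_FLOWS):
        print(f"{host} sent {total} bytes to {WATCHED_NET}; investigate this host first")
```

With the constructed records, five flows touch the range but only 10.0.0.5 exceeds the volume threshold; the host that exchanged a few hundred bytes with the same range is exactly the kind of benign contact a dial-up pool produces, which is the pre-investigation step the message argues for.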
---------------------------------------------------------------------

------------------
http://all.net/