
Thread: Ah, the good ol' ISP problems

  1. #1
    Mr. Boardburner
    Join Date
    Jun 2005
    Location
    the Netherlands
    Posts
    5,340

    Ah, the good ol' ISP problems

    I woke up this morning and noticed I was disconnected from the net by my ISP. They told me to look in my mailbox for more details. This is what they sent me:

    Official warning for distributing wormviruses by ip xxx.xxx.xxx.xxx
    Dear customer,

    In response to complaints we received, we have temporarily disabled your internet service. We noticed your IP to be distributing wormviruses over the internet. Logs this, traffic that, blah blah blah.

    You will have to remove the worm by downloading a virusscanner. Blah blah blah.

    We also suggest using a firewall. Blah blah blah.

    If we notice you are still distributing wormviruses in 24 hours, we will have to take action by disabling your service until you have solved your (notice that word) problems. Blah blah blah.


    Sincerely,
    Telfort Internet Abuse

    So I sent them this reply:

    Dear Sir/Madam,

    This email was in my mailbox when I woke up. Of course I did a virus scan on all of my machines, but none of them were infected. I use McAfee 8.5 Corporate with the latest updates installed.
    I would like to know why I got this email. Is it possible that you send me the log files in question so I can examine them myself? I run various distributed computing programs, a webserver and a gameserver. It could be that one of these programs is causing trouble.
    If you cannot confirm the source of the problem, I will consider this email illegitimate. I am willing to 'limit' my internet usage, but I would like to know the source of the problem, for I cannot take action otherwise. I am looking forward to a response.

    Have a nice day,
    Martijn Kruit

    N.B.
    Wormviruses do not exist. It is either a worm or a virus, not both. Worms do not need files to distribute themselves, unlike viruses. Also, worms mostly infect networks, whereas viruses infect software.
    Could MJ12 be the source of the problem? I mean, it is constantly downloading various IPs, then sending data back to a server?
    Last edited by Martijn; 05-22-2008 at 06:07 AM.
    Main rig:
    CPU: I7 920C0 @ 3.6Ghz (180*20)
    Mobo: DFI UT X58 T3eH8
    RAM: 12GB OCZ DDR3-1600 Platinum
    GPU/LCD: GeForce GTX280 + GeForce 8600GTS (Quad LCDs)
    Intel X25-M G2 80GB, 12TB storage
    PSU/Case: Corsair AX850, Silverstone TJ07

  2. #2
    I am Xtreme
    Join Date
    Sep 2007
    Location
    New Jersey, U.S.
    Posts
    2,329
    I'd wait for Movieman to respond since he's the expert, but MJ12 should be completely passive - i.e., no "distribution". Either the 'complaints' are bogus or you've been hacked and your machine is being used as a sporge zombie or something similar. I would call them and try to get to level 2 tech support. Then you can find out what protocols are being used - email, telnet, etc - to do the distribution. That should help narrow down the possibilities. But if you have a decent firewall, I don't see how this could happen.

    The only other thing I can think of is that whoever is sending out this crap is spoofing their ip address and using yours instead, but it would be nice to think that the ISP would have checked and eliminated this possibility before shutting you down.

    Good luck.

  3. #3
    Mr. Boardburner
    Join Date
    Jun 2005
    Location
    the Netherlands
    Posts
    5,340
    Yeah, I got this in return from them:

    Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
    EventRecord: 17 May 2008 11:26:52, 70.96.x.x, 6, 445, Sasser/Agobot/GenericBot, 25297, 1
    EventRecord: 17 May 2008 11:26:40, 70.96.x.x, 6, 445, Sasser/Agobot/GenericBot, 25894, 1
    EventRecord: 17 May 2008 11:26:29, 70.96.x.x, 6, 445, Sasser/Agobot/GenericBot, 25577, 1
    EventRecord: 17 May 2008 11:26:04, 70.96.x.x, 6, 445, Sasser/Agobot/GenericBot, 24782, 1
    EventRecord: 17 May 2008 11:24:33, 70.96.x.x, 6, 445, Sasser/Agobot/GenericBot, 21757, 1
    And a lot more, but it definitely means it's not MJ12. Also, they specifically noted that they didn't give a damn about what I did with my internet, which is good.

    Oh well, I've blocked the port and I should be good to go now.
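As an added example (not code from the thread, the ISP, or MJ12), here is a parser for the EventRecord format the ISP sent above, plus a check of what those lines actually show: every attempt comes from a fresh ephemeral source port on the customer's side toward TCP/445, so the customer's host is initiating the connections, which is the Sasser/Agobot propagation pattern and not something a crawler's HTTP traffic would produce. The sample records are constructed to match the lines in post #3; the trailing HTTP line is constructed to show non-445 events being ignored.

```python
import re
from datetime import datetime

# Constructed sample modelled on the EventRecord lines the ISP sent (post #3);
# the final HTTP line is added here only to show that non-445 traffic is ignored.
SAMPLE_LOG = """\
Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
EventRecord: 17 May 2008 11:26:52, 70.96.x.x, 6, 445, Sasser/Agobot/GenericBot, 25297, 1
EventRecord: 17 May 2008 11:26:40, 70.96.x.x, 6, 445, Sasser/Agobot/GenericBot, 25894, 1
EventRecord: 17 May 2008 11:26:29, 70.96.x.x, 6, 445, Sasser/Agobot/GenericBot, 25577, 1
EventRecord: 17 May 2008 11:26:04, 70.96.x.x, 6, 445, Sasser/Agobot/GenericBot, 24782, 1
EventRecord: 17 May 2008 11:24:33, 70.96.x.x, 6, 445, Sasser/Agobot/GenericBot, 21757, 1
EventRecord: 17 May 2008 11:30:00, 70.96.x.x, 6, 80, HTTP-GET, 30001, 1
"""

RECORD_RE = re.compile(
    r"^EventRecord:\s*(?P<when>[^,]+),\s*(?P<dst>[^,]+),\s*(?P<proto>\d+),"
    r"\s*(?P<dport>\d+),\s*(?P<desc>[^,]+),\s*(?P<sport>\d+),\s*(?P<count>\d+)\s*$"
)

def parse_records(text):
    """Parse EventRecord lines; the column header and anything else is skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        out.append({
            "time": datetime.strptime(m["when"].strip(), "%d %b %Y %H:%M:%S"),
            "dst": m["dst"].strip(), "proto": int(m["proto"]), "dport": int(m["dport"]),
            "desc": m["desc"].strip(), "sport": int(m["sport"]), "count": int(m["count"]),
        })
    return out

def smb_scan_summary(records, window_s=300, min_events=5):
    """Summarise TCP/445 events. A burst of attempts from distinct ephemeral source
    ports toward 445 means this host is initiating: the worm-propagation pattern."""
    smb = [r for r in records if r["proto"] == 6 and r["dport"] == 445]
    if not smb:
        return {"events": 0, "scanning": False}
    smb.sort(key=lambda r: r["time"])
    span = (smb[-1]["time"] - smb[0]["time"]).total_seconds()
    events = sum(r["count"] for r in smb)
    ephemeral = all(r["sport"] >= 1024 for r in smb)  # client-side ports, not a listener
    return {
        "events": events, "span_seconds": span,
        "distinct_source_ports": len({r["sport"] for r in smb}),
        "scanning": events >= min_events and span <= window_s and ephemeral,
    }
```

The thresholds (five attempts within five minutes) are assumptions chosen for the sample; tune them to the real log volume the ISP provides.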

  4. #4
    I am Xtreme
    Join Date
    Sep 2007
    Location
    New Jersey, U.S.
    Posts
    2,329
    According to wikipedia - http://en.wikipedia.org/wiki/List_of...P_port_numbers - port 445 can be either
    445/TCP Microsoft-DS Active Directory, Windows shares
    445/UDP Microsoft-DS SMB file sharing
    So it looks like the malware is targeting filesharing apps.

    I don't know if blocking ports is going to help. Sounds like you still might have an infection. Hopefully some security guys will chime in.

  5. #5
    Xtreme Guru
    Join Date
    Jan 2005
    Location
    waukegan
    Posts
    3,607
    damn ... makes me want to unshare my drive for the network ...
    mobo: strix b350f
    gpu: rx580 1366/2000
    cpu: ryzen 1700 @ 3.8ghz
    ram: 32 gb gskill 2400 @ 3000
    psu: coarsair 1kw
    hdd's: samsung 500gb ssd 1tb & 3tb hdd

  6. #6
    V3 Xeons coming soon!
    Join Date
    Nov 2005
    Location
    New Hampshire
    Posts
    36,363
    This is a new one on me.
    I run MJ12 and do between 3.5-6 million urls a day and no AV on the machines as it slows them down.
    Yea, I know,AV, but we can argue that till the cows come home.
    Crunch with us, the XS WCG team
    The XS WCG team needs your support.
    A good project with good goals.
    Come join us,get that warm fuzzy feeling that you've done something good for mankind.

    Quote Originally Posted by Frisch View Post
    If you have lost faith in humanity, then hold a newborn in your hands.

  7. #7
    Registered User
    Join Date
    Mar 2006
    Location
    Livingston, Scotland
    Posts
    635
    I occasionally get grief from one particular domain, .RU. Always flags up dodgy virii, trojans etc for some weird ass domain names.

    Bar that, never had any issues.
    < MB / CPU > Asus X99 Pro / Intel Core i7 5820K
    < MEM / GFX >Corsair Vengeance 16GB DDR4 / EVGA GeForce GTX 780 Ti SC ACX
    < PSU / HSF > OCZ Z-Series 1000W / Phanteks 140PE
    < CASE / OS > Phanteks Enthoo Primo / Windows 7 Home Premium x64
    < STORAGE > Samsung 840 EVO 120GB - Samsung 840 250GB - 2 x Seagate Barracuda 3TB - Intel Intel X25-M 80GB

  8. #8
    Mr. Boardburner
    Join Date
    Jun 2005
    Location
    the Netherlands
    Posts
    5,340
    I've updated all my firewalls again, haven't had any issues since. MJ12 is also going pretty well. I've got it capped at either 800k URLs/20GB since I'll also do some downloading right now.

  9. #9
    Xtreme Enthusiast
    Join Date
    May 2007
    Posts
    649
    Quote Originally Posted by Martijn View Post
    I've updated all my firewalls again, haven't had any issues since. MJ12 is also going pretty well. I've got it capped at either 800k URLs/20GB since I'll also do some downloading right now.
    Good to hear you're back in the game! Come join us in this Friday's MJ12 beatdown

  10. #10
    Mr. Boardburner
    Join Date
    Jun 2005
    Location
    the Netherlands
    Posts
    5,340
    Quote Originally Posted by DeadlyFire View Post
    Good to hear you're back in the game! Come join us in this Friday's MJ12 beatdown
    Overtaking Team Norway : 107.93 Days

    I don't get it?

  11. #11
    It is
    Join Date
    Feb 2005
    Location
    Copenhagen Denmark
    Posts
    2,214
    It's calculated from the last seven days' overall gain, divided by seven, on Free-DC's stats. Meaning, over the last seven days there hasn't been a big daily difference. Therefore you will get those big changes when a new day starts.
    Last edited by Frisch; 05-28-2008 at 05:27 AM.
