
Sobig question


  • Sobig question

    Hi folks,

    Dammit -- some moron got the sobig virus and they are blasting one of my accounts. (Sorry Blackwave -- I thought my friends were smarter than that... Then again, Sobig harvests anything that looks like an email address, so it's not necessarily a "friend"; just someone with my email address on their system. Could be from a saved usenet posting, Bugtraq, Defcon, ...)

    The guy uses a Comcast Cable modem, is located in Fruitland Park, Lake County, Florida, and his IP address is "68.59.154.144".

    Both nmap and nessus show a closed system -- likely a home firewall.

    Comcast says that I should call him, but they won't give me the person's name or number. (And they asked dumb questions like "How do you know where they are, but don't know who they are?" and "Are you sure they are infected and you aren't?" and "What is Linux? Is that a virus?")

    NOTE: I am NOT advocating/asking/requesting attacking the guy. I want to identify him, tell him he's an idiot, and get his system cleaned. DoS'ing him would not stop him from sending the virus.

    Does anyone have any suggestions?

  • #2
    Yeah, I am getting a few hundred from Comcast as well, as well as from PacBell. I have gotten into a few emails back and forth from people thinking I have the damned thing... which is pretty much impossible with web mail-based.
    Haha, looks like this dickhead has both of us in his address book, although the SoBig.F also can retrieve from web sites...

    Received: from JR02 (pcp01037184pcs.frtprk01.fl.comcast.net [68.59.154.144])
    X-MailScanner: Found to be clean
    Importance: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MSMail-Priority: Normal
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
    Content-Type: multipart/mixed;


    I put up a countdown for SoBig.G which is less than two weeks

    Come to think of it, I recall the feds saying that most spammers come from FL... who knows what they know...



    • #3
      Originally posted by blackwave
      which is pretty much impossible with web mail-based.
      I say again...use Pine. You can't go wrong with Pine (not that it would stop some dipshit with you in his address book from opening the attachment, but at least you can know without a shadow of a doubt that YOU aren't infected...no "pretty much impossible" about it).
      perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'



      • #4
        Originally posted by Chris
        I say again...use Pine. You can't go wrong with Pine (not that it would stop some dipshit with you in his address book from opening the attachment, but at least you can know without a shadow of a doubt that YOU aren't infected...no "pretty much impossible" about it).
        Well as soon as hushmail offers Pine for a secure interface I will hop on that... as for now, no Pine option, just a java-based web client.

        These things would have to happen for me to be infected.
        . i would have to download the .pif/.scr file
        . i would have to execute it
        . i would have to allow an outgoing connection
        . it would probably help if I had any type of address book

        ... this is what I mean by "pretty much impossible"... since nothing is impossible. :D



        • #5
          It's web-based mail for me using Mozilla. That's hard to get infected from.
          hmmmm...... nice round set of features....good price.... but will it draw attention....? will supermodels stop in their tracks and say, "damn! who's that guy with the SEXY laptop?!" - I don't remember who possibly blackwave



          • #6
            Originally posted by blackwave
            Well as soon as hushmail offers Pine for a secure interface I will hop on that... as for now, no Pine option, just a java-based web client.

            These things would have to happen for me to be infected.
            . i would have to download the .pif/.scr file
            . i would have to execute it
            . i would have to allow an outgoing connection
            . it would probably help if I had any type of address book

            ... this is what I mean by "pretty much impossible"... since nothing is impossible. :D
            Well...just based on the number of times I have mistyped hushmail as hushamil and had my email to you bounce I think we both know that the words Address Book aren't in my vocabulary;)
            perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'



            • #7
              Just an FYI, no one with that IP or partial 68.59.154.* has ever logged on to these forums...

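An added example (my own script, not code from anyone in this thread): it pulls the HELO name, reverse-DNS name and IP literal out of the Received line quoted in #2, and then runs the kind of "68.59.154.*" search that #7 describes, here against a few constructed web-server log lines in Common Log Format. The log lines, the log format and the choice of a /24 are assumptions for illustration, not data from the thread; the only real input is the Received header from #2.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The Received line quoted in post #2 (the only real input in this example).
RECEIVED = "Received: from JR02 (pcp01037184pcs.frtprk01.fl.comcast.net [68.59.154.144])"

# Constructed access-log lines (Common Log Format); NOT real forum logs.
# They stand in for the "has this IP ever logged on" check in post #7.
LOG_LINES = [
    '68.59.154.144 - - [25/Aug/2003:21:14:02 -0400] "GET /forums/ HTTP/1.1" 200 5120',
    '68.59.155.7 - - [26/Aug/2003:02:03:11 -0400] "GET /index.html HTTP/1.0" 200 880',
    '68.59.154.201 - - [27/Aug/2003:10:44:59 -0400] "POST /forums/login.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [28/Aug/2003:12:00:00 -0400] "GET /forums/ HTTP/1.1" 200 5120',
]

# Matches the "from <HELO> (<rDNS> [<ip>])" shape an MTA writes for a direct
# SMTP hop. The rDNS name is optional (some MTAs write "([ip])" only).
# Post #8 reports seeing the sender's computer name in the headers; in this
# line that would be the HELO argument (JR02), since the worm's own SMTP
# engine, not a mail server, produced the connection.
_RECV_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)

# Client address is the first field of a Common Log Format line.
_CLF_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


@dataclass(frozen=True)
class Hop:
    helo: str            # name the sender announced in HELO/EHLO
    rdns: Optional[str]  # reverse DNS the receiving MTA looked up, if any
    ip: str              # the IP the MTA actually saw (the trustworthy field)


def parse_received(line: str) -> Optional[Hop]:
    """Extract HELO, rDNS and IP literal from one Received header line."""
    m = _RECV_RE.match(line.strip())
    if not m:
        return None
    ip = ipaddress.ip_address(m["ip"])  # ValueError on a malformed literal
    return Hop(helo=m["helo"], rdns=m["rdns"], ip=str(ip))


def source_network(hop: Hop, prefix_len: int = 24) -> ipaddress.IPv4Network:
    """The /prefix_len containing the sender; /24 gives the '68.59.154.*' of post #7."""
    return ipaddress.ip_network(f"{hop.ip}/{prefix_len}", strict=False)


def log_hits(lines: List[str], network: ipaddress.IPv4Network) -> List[str]:
    """Return the log lines whose client address falls inside `network`."""
    hits = []
    for line in lines:
        m = _CLF_IP_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # skip garbage rather than abort the search
        if addr in network:
            hits.append(line)
    return hits


if __name__ == "__main__":
    hop = parse_received(RECEIVED)
    print(hop)
    net = source_network(hop)
    print(f"{net}: {len(log_hits(LOG_LINES, net))} hit(s) in the constructed log")
    exact = source_network(hop, 32)
    print(f"{exact}: {len(log_hits(LOG_LINES, exact))} hit(s) in the constructed log")
```

The IP literal in square brackets is the field worth trusting: the receiving MTA wrote it from the TCP connection, whereas the HELO name is whatever the sender chose to say. Searching a /24 rather than the exact address covers a cable customer whose DHCP lease changed between the infected mail and the forum visit, at the cost of matching neighbours on the same segment, which is why the exact /32 check is run alongside it.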


              • #8
                Ok, smack me now... apparently, I got infected. Two people have sent me emails with my IP and computer name in the headers. I was in XP for a while, and I guess I must have picked it up. I remember clicking on one attachment absentmindedly one day in my webmail (yes, I know... just shoot me...), but I ran my virus scanner right away, and it didn't find anything.

                Now, here's the kicker... I rebooted into Safe Mode and turned off the recovery tool, as everything said to do. I scanned with Norton, McAfee, and Trend Micro's free online tool... nothing. I used Network Associates' Stinger cleanup tool... again, nothing. I got out of Windows so that it would stop sending this damn thing all over creation, but nothing is picking it up! Even stranger is that I've only used OE to send two e-mails, and I don't have an address book in it... it apparently sent to the two that I had sent things to, and then grabbed more addresses from my Inbox when I checked my mail with it.

                If anyone has any ideas on how to get rid of this damned thing, please share. I'm not an idiot... I've updated my virus definitions, I've followed the cleanup tips to a "T", and NOTHING is picking up whatever it is I have. I'm about to just wipe out the partition, which wouldn't be too terrible since it's pretty new and doesn't have much, but I'd rather clean it if I can.
                the fresh princess of 1338

                What did I do to make you think I give a shit?



                • #9
                  Originally posted by octalpussy
                  Ok, smack me now... apparently, I got infected. Two people have sent me emails with my IP and computer name in the headers. I was in XP for a while, and I guess I must have picked it up. I remember clicking on one attachment absentmindedly ...
                  If you are infected, follow the removal instructions at http://www.symantec.com/avcenter/ven...obig.f@mm.html. I've found that the manual steps are very effective. (A few of my customers opened it.)

                  Originally posted by blackwave
                  Just an FYI, no one with that ip or partial 68.59.154.* has ever logged on to these forums...
                  Did they ever log into www.defcon.org? (It would be in the web logs.) I have lots of account names. My account for the forums is different from my account listed at www.defcon.org. (Actually, I really suspect BugTraq since I used that account there too.)



                  • #10
                    Originally posted by blackwave
                    yeah i am getting a few hundred from comcast as well, ...I put up a countdown for SoBig.G which is less than two weeks
                    Every release of SoBig (except for Sobig-A) had an expiration date, when it would delete itself. (http://www.zdnet.com.au/newstech/sec...0277672,00.htm and http://www.lurhq.com/sobig-e.html) SoBig-F expires on Sept. 10 (more than a week away). If the author follows his pattern, then SoBig-G may overlap, but probably is slated for no later than Sept 10. I'm betting it will be released on Sept. 8.

                    Come to think of it, I recall the feds saying that most spammers come from FL... who knows what they know...
                    :-)
                    You're probably talking about the DHS Club. (http://www.theclubbuiltonspam.com/)


                    Originally posted by Chris
                    I say again...use Pine.
                    Pine is for losers. I use elm and mutt, with the occasional OpenWebMail (only because I hate FTP'ing files from Windows to Linux for making attachments).
                    Last edited by guano; August 29, 2003, 04:36.



                    • #11
                      Originally posted by guano
                      If you are infected, follow the removal instructions at http://www.symantec.com/avcenter/ven...obig.f@mm.html. I've found that the manual steps are very effective. (A few of my customers opened it.)
                      Wow... funny... those instructions are EXACTLY what I detailed in my message as things I've already done. Now why didn't I think of that before?
                      the fresh princess of 1338

                      What did I do to make you think I give a shit?



                      • #12
                        Originally posted by octalpussy
                        Wow... funny... those instructions are EXACTLY what I detailed in my message as things I've already done. Now why didn't I think of that before?
                        In that case... Are you SURE you have Sobig-F? There are minor variations between Sobig-A/B/C/D/E/F, and the removal steps are slightly different. You could have A or E (both are still active today), or if your system clock is way off, B/C/D could also be active (unlikely).



                        • #13
                          My forum pals are all infected!

                          Like SARS in Canada! It's out of control!

                          (Kelvin continues to check all mail through Palm...... ahhh, the Win-virus-safe Palm....)
                          the fresh prince of 1337

                          To learn how to hack; submit your request



                          • #14
                            Originally posted by KeLviN
                            (kelvin continues to check all mail through palm...... ahhh, the win virus safe palm....)
                            d00d.. it isn't about what OS or client you are running... it is about being on a list... once you are on that list, all the shit starts to come to you... regardless of what you are running...



                            • #15
                              Originally posted by guano
                              In that case... Are you SURE you have Sobig-F? There are minor variations between Sobig-A/B/C/D/E/F, and the removal steps are slightly different. You could have A or E (both are still active today), or if your system clock is way off, B/C/D could also be active (unlikely).
                              No, I'm not sure. I don't know what it is, because none of my virus scanners are picking it up. The e-mails it is sending out have subjects of "help" and something about "baby $2000 USD play this game".
                              the fresh princess of 1338

                              What did I do to make you think I give a shit?
