[AusNOG] qld transport contact

Admin Chris admincs at heartland.com.au
Thu Dec 13 14:17:58 EST 2012


Our email server has been getting nailed over the last two weeks, basically
attacks from all over the world.  It'll get a few bad connections from a
certain IP address, then that IP address would be discarded and another one
used.  IPS would be useless in this situation.

Yesterday, one of our users was complaining of a large number of bounce
backs for emails he didn't send.  Somehow someone was using his email
address externally to send a large number of spam emails out with some sort
of embedded image/file.  Still trying to work it out.

There were only three IP addresses the connections were coming from, all from
China.  I've still got the IP addresses, Matt, if you want to compare them.

Anyone else seen anything like this lately?

Chris Scholfield

-----Original Message-----
From: ausnog-bounces at lists.ausnog.net
[mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Matt Perkins
Sent: Thursday, 13 December 2012 2:08 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] qld transport contact

All the IPs I have found so far originate in China or HK. I just got two in
between the last two posts on AusNOG. The embedded graphics come from the VB
website, so VB could go change those referrers/graphics right away to
indicate it's a spam. The attachment purports to be a zipped PDF, but it is a
file named virgin-itinerary.pdf.exe, a PE32 executable for MS Windows 32
bit.

I haven't looked inside yet to see what's in the honeypot within. If I get a
chance this arvo I will pop its cork in the sand pit.

Matt.




On 13/12/12 1:43 PM, Sean K. Finn wrote:
> I thought PDFs were the PREFERRED delivery method of malware these days?
>
> By the way, I've been getting QANTAS ones too. Definitely a coordinated
> and targeted zerg rush of malware.
>
> Considering the Zerg Rush style of tactic, I wonder where the origin might
> be?
>
> S.
>
> -----Original Message-----
> From: ausnog-bounces at lists.ausnog.net 
> [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Paul Gear
> Sent: Thursday, December 13, 2012 12:08 PM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] qld transport contact
>
> On 12/13/2012 11:54 AM, Nathan Ridge wrote:
>> Wow... so now hundreds or thousands of people that are actually
>> travelling soon open the virus under instruction from Virgin to do
>> so, that's lazy, they will be raped over this, they should have been
>> much more explicit saying only open the attachment if it is a pdf not
>> zip or exe and make sure you scan with an up-to-date AV program before
>> opening.
> PDFs are not exempted from buffer overrun & sandbox escape
> vulnerabilities.  End users should be advised not to open ANY attachments
> which they aren't expecting.
>
> Paul
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog


--
/* Matt Perkins
         Direct 1300 137 379     Spectrum Networks Ptd. Ltd.
         Office 1300 133 299     matt at spectrum.com.au
         Fax    1300 133 255     Level 6, 350 George Street Sydney 2000
         SIP 1300137379 at sip.spectrum.com.au
         PGP/GNUPG Public Key can be found at  http://pgp.mit.edu */

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
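A defender-side check for the attachment pattern Matt describes above (a name that looks like a PDF but ends in .exe, with PE32 content): this is an added example, not code from the thread or from any list member, and the PE stub it inspects is a constructed stand-in rather than the real sample.

```python
import struct

# Content signatures for the file types the thread mentions.
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"MZ": "pe"}
# Extensions Windows will execute directly.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
IMAGE_FILE_MACHINE_I386 = 0x14C  # PE32 / 32-bit x86


def sniff(data: bytes) -> str:
    """Identify content by magic bytes, ignoring the filename entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def pe_machine(data: bytes):
    """Return the PE Machine field (0x14C = i386) or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def check_attachment(name: str, data: bytes) -> list:
    """Return findings for a mail attachment: double extension, type mismatch, PE content."""
    findings = []
    exts = name.lower().split(".")[1:]
    kind = sniff(data)
    if len(exts) >= 2 and exts[-1] in EXEC_EXTS:
        findings.append(f"double extension: .{exts[-2]}.{exts[-1]}")
    if exts and exts[-1] in ("pdf", "zip") and kind != exts[-1]:
        findings.append(f"claims .{exts[-1]} but content is {kind}")
    machine = pe_machine(data)
    if machine == IMAGE_FILE_MACHINE_I386:
        findings.append("PE32 executable for 32-bit Windows (i386)")
    elif machine is not None:
        findings.append(f"PE executable, machine 0x{machine:x}")
    return findings


def build_fake_pe32() -> bytes:
    """Constructed stub: DOS header with e_lfanew=0x40, then PE signature and i386 machine word."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr += b"PE\0\0" + struct.pack("<H", IMAGE_FILE_MACHINE_I386) + b"\0" * 18
    return bytes(hdr)


if __name__ == "__main__":
    print(check_attachment("virgin-itinerary.pdf.exe", build_fake_pe32()))
```

The same check applied to a file that claims to be a .pdf but starts with MZ reports the mismatch, so it catches the renamed-executable case as well as the double-extension one.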