mysterious complaints from my ISP - could it be Beagle?

P Jones deerfieldtech at gmail.com
Thu Jan 18 02:33:06 UTC 2007


On 1/17/07, Claude Jones <claude_jones at levitjames.com> wrote:
> For several months now, a box I have up on the net at the office has been
> generating the occasional complaint from my ISP. They generally include a few lines
> from a report they've received which are largely uninformative except for the
> fact that they contain the word SPAM in them. I've run port scans,
> chkrootkit, monitored my logs, and several other things, and have never found
> anything. Every time I call them, they tell me it's probably someone
> masquerading as me. Just now, I've gotten a fresh complaint which contains
> the following lines reported to my ISP by whoever their
> upstream provider is (I think it may be Global Crossing)
>
> 7784 | 207.188.230.120 | 2007-01-16 14:53:27 cbl SPAM | ATLANTECH -
> Atlantech Online, Inc.
> 7784 | 209.183.239.194 | 2007-01-16 17:46:43 cbl SPAM | ATLANTECH -
> Atlantech Online, Inc.
> 7784 | 65.79.236.162 | 2007-01-16 01:57:58 w.php srcport 2875 BEAGLE |
> ATLANTECH - Atlantech Online, Inc.
> 7784 | 65.79.236.162 | 2007-01-16 06:30:47 w.php srcport 4544 BEAGLE |
> ATLANTECH - Atlantech Online, Inc.
> 7784 | 65.79.236.162 | 2007-01-16 15:44:26 w.php srcport 3805 BEAGLE |
> ATLANTECH - Atlantech Online, Inc.
>
> The third through fifth entries are the first time Beagle has ever appeared in
> these reports. Does anyone have an insight into what this could be about? By
> the way, the first line IP address is my box - the other IP's are unknown to
> me - maybe they don't even apply. It's funny because when I call tech support
> and try to ask them about it, they're always apologetic, and don't really
> know what these reports mean either...
> --
> Claude Jones
> Brunswick, MD, USA

Claude;

Looks like Atlantech is your ISP, and the last three IPs are infected
with a Beagle trojan variant:

http://www.symantec.com/security_response/writeup.jsp?docid=2005-122421-0146-99&tabid=2

It also looks like your IP and the second IP are being flagged as spam
sources. Your IP is in the CBL, you can see it here:

http://cbl.abuseat.org/lookup.cgi?ip=207.188.230.120&.submit=Lookup

There are directions on the page referenced to delist your IP.

-P
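The reply above reads the five report lines by hand (two CBL spam listings, three Beagle hits) and points at a CBL web lookup. The following is an added example, written for this page and not code from either poster or from the CBL/abuseat project, that does the same two things programmatically: it parses the quoted feed entries, separates the entries that concern the reader's own address from the ones about other customers of the same ISP, and builds the reversed-octet query name that a DNSBL such as the one linked in the reply expects. The field layout (`ASN | IP | timestamp event ... CATEGORY | AS name`) is inferred from the five quoted lines only and is an assumption; the zone name `cbl.abuseat.org` is taken from the lookup link in the reply, and the one function that actually goes to the network (`is_listed`) is not exercised here.

```python
"""Parse abuse-feed lines of the kind quoted in the thread and report which
entries concern a given IP.  Added example; the feed field layout is an
assumption inferred from the five quoted lines."""
import ipaddress
import re
import socket
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Sample input, constructed from the five entries quoted in the thread and
# re-joined onto one line each (the mail client had wrapped the AS name).
REPORT = """\
7784 | 207.188.230.120 | 2007-01-16 14:53:27 cbl SPAM | ATLANTECH - Atlantech Online, Inc.
7784 | 209.183.239.194 | 2007-01-16 17:46:43 cbl SPAM | ATLANTECH - Atlantech Online, Inc.
7784 | 65.79.236.162 | 2007-01-16 01:57:58 w.php srcport 2875 BEAGLE | ATLANTECH - Atlantech Online, Inc.
7784 | 65.79.236.162 | 2007-01-16 06:30:47 w.php srcport 4544 BEAGLE | ATLANTECH - Atlantech Online, Inc.
7784 | 65.79.236.162 | 2007-01-16 15:44:26 w.php srcport 3805 BEAGLE | ATLANTECH - Atlantech Online, Inc.
"""


@dataclass
class Entry:
    asn: int
    ip: str
    when: datetime
    category: str            # last token of the event field, e.g. SPAM or BEAGLE
    detail: str              # everything between the timestamp and the category
    srcport: Optional[int]   # only present on the worm hits in this feed
    as_name: str


def parse_entry(line: str) -> Entry:
    """Split one 'ASN | IP | event | AS name' line (assumed layout)."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 4:
        raise ValueError(f"unexpected field count in: {line!r}")
    asn, ip, event, as_name = fields
    ipaddress.ip_address(ip)          # raises ValueError on a malformed address
    tokens = event.split()
    when = datetime.strptime(" ".join(tokens[:2]), "%Y-%m-%d %H:%M:%S")
    category = tokens[-1]
    detail = " ".join(tokens[2:-1])
    m = re.search(r"\bsrcport (\d+)", detail)
    srcport = int(m.group(1)) if m else None
    return Entry(int(asn), ip, when, category, detail, srcport, as_name)


def parse_report(text: str) -> List[Entry]:
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def categories_by_ip(entries: List[Entry]) -> dict:
    """Map each reported IP to the set of categories it was reported under."""
    out = defaultdict(set)
    for e in entries:
        out[e.ip].add(e.category)
    return dict(out)


def entries_for(entries: List[Entry], my_ip: str) -> List[Entry]:
    """Only the entries that actually concern my_ip; the rest are about
    other customers sharing the same ASN and are not my problem."""
    return [e for e in entries if e.ip == my_ip]


def dnsbl_query_name(ip: str, zone: str = "cbl.abuseat.org") -> str:
    """Reverse the IPv4 octets and append the zone: the standard DNSBL query form."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper only builds IPv4 DNSBL names")
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip: str, zone: str = "cbl.abuseat.org") -> bool:
    """Live lookup (needs network): DNSBLs answer a listed IP with an
    address in 127.0.0.0/8 and NXDOMAIN for an unlisted one."""
    try:
        answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


if __name__ == "__main__":
    MY_IP = "207.188.230.120"   # the address Claude identifies as his box
    entries = parse_report(REPORT)
    for ip, cats in categories_by_ip(entries).items():
        tag = "mine" if ip == MY_IP else "someone else's"
        print(f"{ip:16} {', '.join(sorted(cats)):8} ({tag})")
    for e in entries_for(entries, MY_IP):
        print(f"own entry: {e.when.isoformat()} {e.detail} {e.category}")
    print("DNSBL name to query:", dnsbl_query_name(MY_IP))
```

Run against the quoted report, this shows that only the first entry names Claude's box, and that it is a CBL listing rather than a Beagle detection; the three BEAGLE lines are all the same third-party address with a different ephemeral source port each time, which is what a worm-infected client making repeated outbound connections looks like. The query name for the box is `120.230.188.207.cbl.abuseat.org`; whether it resolves is the same check the web form in the reply performs.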
