OT: RC Vaccine?

George Toft plug-discuss@lists.PLUG.phoenix.az.us
Wed, 08 Aug 2001 07:47:08 -0700


Hi Gary,

This is interesting as I have seen port scans on ports under 1024,
such as 23, 80, 111, 137 and 139.  The one port 80 scan that I tracked 
down was definitely not Qwest - it was a porn server.

I have VDSL in Anthem.  

Anyone care to probe port 80 on 130.13.163.229?  I would appreciate
it.

George


Gary Nichols wrote:
> 
> Let me clarify what Kevin just said:
> 
> If you are a VDSL (TV) customer, your ports are already blocked.  My
> machines that are located on my LAN at home haven't seen ONE instance of
> this (I have the 1MB up/ 1MB down service).
> 
> If you are a DSL (Megabit) customer, your ports are not blocked.  I
> think this is because they mix residential and business customers on the
> same IP space.  If you are a residential customer, your TOS states that
> you aren't allowed to run services behind their IP space.  Business
> customers OTOH are allowed to run services.
> 
> The reason I know this is because when Qwest blocked ports to VDSL
> customers way back (http://www.garynichols.com/stories.php?story=47) I
> called and screamed foul.  I really didn't expect to get anywhere, I
> just like yelling at Qwest.  *grin*
> 
> Cheers,
> Gary
> 
> On 07 Aug 2001 06:37:36 -0700, Kevin Brown wrote:
> > Actually that's not true.  Qwest/Cox could stop it from hitting their customers
> > by putting in an Access Control List (ACL) in the routers.  According to my TOS
> > I'm not allowed to be running any services, so if they block incoming requests
> > to ports less than 1024, or just block the individual ports (21,22,23,80,
> > etc...) then this worm wouldn't be able to affect any of Qwest's/Cox's
> > non-business users.  The problem is they have chosen not to do this.
> >
> > > > Just had a crazy thought about all this RC mess. How about writing an
> > > > anti-worm-worm (or vaccine) that uses the same infection method, but
> > > > removes all copies of the RC and RCII worm from the system, notifies the
> > > > system admin of each box it's run on and then kills itself after a
> > > > specified date? You could then write a script on your apache system that
> > > > logs the IP of the infected host, and then schedules an
> > > > anti-infection-infection to be run later. Whaddya think? Good, bad, ugly?
> > > > =op
> >
> > > What if this same program installed a batch file or AT command to launch the
> > > antivirus and/or just go to Windows Update and get the patch for this worm.
> > > Better yet just formatted the HD. Because of it I have extremely low
> > > bandwidth, 60-100kbps on my cable modem which usually has downstream
> > > throughput of 2+mbps, my brother-in-law has Qwest DSL and can't even get
> > > online because of this thing. The worst part is they (Cox/Qwest) can do
> > > nothing about it.
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
> 
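
Added example (not part of the original thread): the logging half of the idea quoted above, a script that reads an Apache access log and lists the source IPs sending the worm's probe so they can be reported to the responsible admin or ISP. The `/default.ida?` path with long N or X padding is an assumption taken from public write-ups of the 2001 worms (the thread only says "RC"); the sample log lines and addresses are constructed.

```python
import re

# Apache Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Assumption: the probe is a request for /default.ida padded with a long run
# of one letter (N or X per public write-ups); the thread itself only says "RC".
PROBE = re.compile(r'^/default\.ida\?([NX])\1{50,}')

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Aug/2001:06:01:12 -0700] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 205',
    '198.51.100.7 - - [07/Aug/2001:06:03:40 -0700] "GET /default.ida?' + "X" * 224 + ' HTTP/1.0" 404 205',
    '192.0.2.10 - - [07/Aug/2001:06:09:55 -0700] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 205',
    '203.0.113.5 - - [07/Aug/2001:06:10:02 -0700] "GET /index.html HTTP/1.0" 200 1432',
    '203.0.113.9 - - [07/Aug/2001:06:11:30 -0700] "GET /default.ida?q=1 HTTP/1.0" 404 205',
    'garbage line that is not in log format',
]

def infected_hosts(lines):
    """Return {ip: {"hits", "variants", "first", "last"}} for probing sources."""
    hosts = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, ts, _method, path, _status = m.groups()
        p = PROBE.match(path)
        if not p:
            continue  # ordinary request, or /default.ida without the padding
        rec = hosts.setdefault(
            ip, {"hits": 0, "variants": set(), "first": ts, "last": ts})
        rec["hits"] += 1
        rec["variants"].add(p.group(1))  # padding letter seen from this host
        rec["last"] = ts                 # log is chronological
    return hosts

def report(hosts):
    """Text lines, busiest source first, suitable for mailing to an admin."""
    rows = sorted(hosts.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    return [f'{ip} hits={r["hits"]} padding={"".join(sorted(r["variants"]))} '
            f'first=[{r["first"]}] last=[{r["last"]}]' for ip, r in rows]

if __name__ == "__main__":
    print("\n".join(report(infected_hosts(SAMPLE_LOG))))
```
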