Posted by Colin Blanks on 29 January 2001 at 18:20:22:

I blocked a scan with the Netbus trojan from an IBM Netherlands address. I sent the traceroute log to Abuse@IBM.net & await a response - It's a good thing I am not paranoid!!!


Posted by Les Bremner on 30 January 2001 at 10:27:32:

In Reply to: Maybe off topic- Trojan Scanned- Paranoia ? posted by Colin Blanks on 29 January 2001 at 18:20:22:

I am sorry, but I do not understand any of this.
What is a 'Netbus trojan'?
Who was trying to do what to whom? Please expand in layman's terms.
Should we be taking any action? Should we be worried?


Posted by Alan Murphy on 31 January 2001 at 08:27:08:

In Reply to: Maybe off topic- Trojan Scanned- Paranoia ? posted by Colin Blanks on 29 January 2001 at 18:20:22:

: I blocked a scan with the Netbus trojan from an IBM Netherlands address. I sent the traceroute log to Abuse@IBM.net & await a response - It's a good thing I am not paranoid!!!

So it seems that someone at IBM Netherlands is now interested in our activities. Please let us know about any reply you get from Abuse@IBM.net

For information:
'Netbus' is a remote administration 'Trojan' program which allows a remote hacker to get any information from your computer including passwords. He can execute programs in your computer, copy files, read mail, plant other trojans or viruses, monitor the keystrokes etc. When you are connected, anyone with the Netbus Client program can sneak into your computer without your permission or knowledge. For more information do a search using 'Netbus Trojan'.


Posted by Boudicca on 02 February 2001 at 21:29:10:

In Reply to: Maybe off topic- Trojan Scanned- Paranoia ? posted by Colin Blanks on 29 January 2001 at 18:20:22:

: I blocked a scan with the Netbus trojan from an IBM Netherlands address. I sent the traceroute log to Abuse@IBM.net & await a response - It's a good thing I am not paranoid!!!

Colin, what you need is some help. You might naturally think of
contacting IBM's Information Security Practice in Amsterdam. Oh
guess what? That's in the Netherlands.

Before you do you might just consider page 25 of IBM's Annual
report for 1999. Get it from http://www.ibm.com follow links to
Investors.

For those who would rather not dirty themselves in such perilous
transit then here's the text (Copyright IBM Corporation - yeah...
Copyright on a dirty joke. What next?): Editor's comments in
brackets.

INFORMATION SECURITY PRACTICE
amsterdam the netherlands [ed: you got it folks ISP is a Nation,
but the fair City of Amsterdam is simply a common noun
and The Netherlands not a Nation - Lou's educating us in the Lou
World. Thank You Oh Great One!]

Well anyway we continue...

Nanette (top left window... [Ed "with the telescope snooping,
That's Lou's telescoper not mine."], Han (center) and Daniel
(top right) are on the wanted list [ed. "Very prophetic but rather
light on names Lou"]). Our customers pay them and their teams
of industry specialists [ed. "which industries... snooping?"]
and "ethical hackers" [Ed "We know already IBM isn't ethical so
what is an "ethical hacker"?] to exploit business vulnerabilities and attack computer
systems .....

Read Lou's original to believe.

Hope the Trojan drew a Big Blank with you Colin. Spot on report.
Move to Security State Black. Webmaster, advise on counter
measures.

Boudicca - Queen of the Britons



Posted by Alan Murphy on 03 February 2001 at 13:45:01:

In Reply to: Re: It is on topic- Trojan Scanned- Paranoia? Maybe not. posted by Boudicca on 02 February 2001 at 21:29:10:

The item referred to by Boudicca can be found in the IBM Annual Report 1999 - see the URL:
"http://www.ibm.com/annualreport/1999/"

There is a picture taken at night showing 3 people behind windows in a lighted upstairs room. The text reads:
----------------------------------------
Information Security Practice
Amsterdam the Netherlands

Nanette (top left window), Han (center) and Daniel (top right) are on the wanted list. Our customers pay them and their teams of industry specialists and "ethical hackers" to exploit business vulnerabilities and attack computer systems in order to stress-test company defenses and evaluate risks. As security moves to the top of customers' agendas, with growing requirements to protect against theft, industrial espionage and fraud, IBM's information security practice is doubling its revenue annually.
-------------------------------------------

The trace of the Netbus Trojan attack shows that the attempt came from IBM Netherlands, via Belgium and the UK IBM networks.


For those concerned about external invasion of their PCs when connected to the internet, there is a good article on page 104 of the March 2001 PC MAGAZINE (www.pcmag.co.uk). This article, "Defence Strategy", reviews a number of 'personal firewalls':

1. BlackIce Defender 2.1 - www.networkice.com
2. McAfee Personal firewall - www.mcafee.co.uk
3. Norton Personal Firewall 2.0 - www.symantec.com/region/uk
4. SafeGuard Personal Firewall 1.0 - www.ultimaco.com
5. Sphinx - www.biodata.com
6. ZoneAlarm Pro - www.zonelabs.com

Prices range from £25 to £50

Hope that helps
Alan Murphy (Webmaster)


Posted by Colin Blanks on 04 February 2001 at 07:25:34:

In Reply to: Re: It is on topic- Trojan Scanned- Paranoia? Maybe not. posted by Boudicca on 02 February 2001 at 21:29:10:

Now Moved to Security State Black. Iceni security suite installed. It is now impossible to send this.


Posted by Brian Marks on 04 February 2001 at 19:08:27:

In Reply to: Re: Maybe off topic- Trojan Scanned- Paranoia ? posted by Les Bremner on 30 January 2001 at 10:27:32:

I suggest you should be worried at about the same level as you worry about viruses, or
a bit less. Viruses tend to do some damage, scanners are more interested in getting
something valuable from your files. You can buy protection against either fairly cheaply
and if it keeps itself up-to-date by fetching info on the latest dangers electronically it
will be good protection. (One of the other appends has details of recommended "firewalls"
that thwart the scanners.)

[If you think it is IBM doing the scanning, as hinted in some of the messages, then discount
the advice above. Worry because there is nothing you can do - the super-experts can, I expect,
bypass any off-the-shelf protection.]


Posted by ACPlanner on 05 February 2001 at 19:47:25:

In Reply to: Maybe off topic- Trojan Scanned- Paranoia ? posted by Colin Blanks on 29 January 2001 at 18:20:22:

If you run Unix on your box, you can fake your IP address. For info, what was the IP address that tried to attack you? Email me if you prefer.


Posted by Colin Blanks on 06 February 2001 at 18:17:47:

In Reply to: Paranoia? posted by Colin Blanks on 04 February 2001 at 07:25:34:

[27/01/01 07:42:06] Incoming hack attempt from IP Address: 139.92.144.231
[27/01/01 07:42:06] Hacker is attempting to gain access using the Netbus trojan.
[27/01/01 07:42:06] Hacker's connection was terminated by Lockdown 2000.
[27/01/01 07:42:06] Log auto-saved to: 01272001.LOG
[27/01/01 07:42:06] Attempting trace route... Please stand by...
[27/01/01 07:42:06] Attempting to trace hacker's connection... Please stand by...
[27/01/01 07:42:06] 27/01/01 07:42:06-[From 139.92.144.231]-
[27/01/01 07:42:53] => imsnet-cl10-hg10-bletchley.mdip.bt.net
[27/01/01 07:42:53] => 172.16.93.30
[27/01/01 07:42:53] => 172.16.93.38
[27/01/01 07:42:53] => 172.16.93.65
[27/01/01 07:42:53] => core2-pos7-0.bletchley.ukcore.bt.net
[27/01/01 07:42:53] => core2-pos7-0.telehouse.ukcore.bt.net
[27/01/01 07:42:53] => lond1br1-3-1-0.lo.uk.ibm.net
[27/01/01 07:42:53] => 152.158.104.1
[27/01/01 07:42:53] => bg02l.sof.bg.ibm.net
[27/01/01 07:42:53] => 139.92.144.231


Posted by Boudicca on 06 February 2001 at 22:52:32:

In Reply to: Re: Paranoia? For those of a technical bent here's the trace posted by Colin Blanks on 06 February 2001 at 18:17:47:

Try consulting the Gods at http://www.samspade.org

The Demi Gods there said:

IP block lookup for 139.92.144.231

whois -h whois.arin.net 139.92.144.231

IBM Netherlands N.V. (NET-IBMNETHERLANDS)
Watsonweg 2
1423 ND Uithoorn
The Netherlands

Netname: IBMNETHERLANDS
Netblock: 139.92.0.0 - 139.92.255.255

Coordinator:
EUIBMNIC (EUI-ORG-ARIN) euibmnic@NL.IBM.COM
+49 79 322 8053

Domain System inverse mapping provided by:

NS.UK.IBM.NET 152.158.16.48
NS.DE.IBM.NET 152.158.2.48
NS.NL.IBM.NET 152.158.36.48

---------------------------------------------------

Of course The Netherlands are very big on privacy. Try getting
a phone directory. Looks like one two face has met another. Raise
the Black Flag my Children! No prisoners.

Boudicca
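An added example (not part of any post in this thread, and not output from Lockdown 2000 or Sam Spade): a short Python parser for the log format Colin posted, which extracts the source address, tool name and hops and checks the source against the netblock in the whois reply above. The function names are hypothetical, and the log is abridged from the trace in the thread.

```python
import ipaddress
import re

# Abridged from the Lockdown 2000 trace posted in this thread.
LOG = """\
[27/01/01 07:42:06] Incoming hack attempt from IP Address: 139.92.144.231
[27/01/01 07:42:06] Hacker is attempting to gain access using the Netbus trojan.
[27/01/01 07:42:53] => imsnet-cl10-hg10-bletchley.mdip.bt.net
[27/01/01 07:42:53] => 172.16.93.30
[27/01/01 07:42:53] => lond1br1-3-1-0.lo.uk.ibm.net
[27/01/01 07:42:53] => bg02l.sof.bg.ibm.net
[27/01/01 07:42:53] => 139.92.144.231
"""
# First and last address of the netblock in the whois reply quoted above.
WHOIS_RANGE = ("139.92.0.0", "139.92.255.255")

# Opening bracket is optional: pasted logs often lose the first character.
LINE = re.compile(r"^\[?(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\] (.*)$")

def parse_log(text):
    """Return the alert time, source address, tool name and traced hops."""
    ev = {"time": None, "source": None, "tool": None, "hops": []}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, msg = m.groups()
        if (s := re.search(r"from IP Address: (\S+)", msg)):
            ev["time"], ev["source"] = stamp, s.group(1)
        elif (t := re.search(r"using the (\S+) trojan", msg)):
            ev["tool"] = t.group(1)
        elif msg.startswith("=> "):
            ev["hops"].append(msg[3:].strip())
    return ev

def private_hops(hops):
    """Hops that are RFC 1918 addresses; hostnames are skipped."""
    out = []
    for h in hops:
        try:
            if ipaddress.ip_address(h).is_private:
                out.append(h)
        except ValueError:
            pass  # a hostname, not an IP literal
    return out

def abuse_summary(text, whois_range):
    """Parsed event plus the two checks worth stating in an abuse report."""
    ev = parse_log(text)
    lo, hi, src = (ipaddress.ip_address(x) for x in (*whois_range, ev["source"]))
    ev["in_whois_range"] = lo <= src <= hi
    ev["private_hops"] = private_hops(ev["hops"])
    return ev
```

The whois match identifies the registrant of the address range, not the person who sent the traffic, and the RFC 1918 hops are not globally routable, so an abuse report should lead with the source address and the timestamp (with time zone).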


Posted by Ethical Hacker on 07 February 2001 at 21:18:30:

In Reply to: Re: Paranoia? For those of a technical bent here's the trace posted by Colin Blanks on 06 February 2001 at 18:17:47:

You must escalate this until you get resolution. While I worked at IBM, that sort of activity was absolutely forbidden. The proxies will keep a log of who initiated the attack, and you should demand a proper investigation.


Posted by Colin Blanks on 09 February 2001 at 18:11:41:

In Reply to: Re: Paranoia? For those of a technical bent here's the trace posted by Ethical Hacker on 07 February 2001 at 21:18:30:

: An incident reported by you has been updated. Sev: 4
The incident # is listed below. Do not respond to this e-mail.
For Account: UNKNOWN Incident Number: 1444040 Status: RESOLVED
Last Updated: Fri, 09 FEB 2001 05:44:47 (-0500 GMT) PROBLEM UPDATED
*************************************************************************

Summary: FW: Netbus Trojan Scanning

-------------------------------------------------------------------------
RESP 02/09/01 05:44:46

The problem you submitted has already been reported.
We will attach your email address to the original record.
You will receive updates via email when we add text to the record.

-------------------------------------------------------------------------
DUP 02/09/01 05:44:47

Thank you for the feedback. The issue you have reported is currently under
investigation. If this incident was caused by one of our customers, we will take
all necessary action(s) necessary to prevent any more Internet Service Abuse.

Please continue to inform us of any abuse originating in our domain.
Regards,
postmaster

*************************************************************************


When replying via email, do not alter the reference id in the subject
line and send only new information, do not send entire note again.
Do not send attachments, graphics or images.


Posted by Tally_ho_us on 10 February 2001 at 04:58:38:

In Reply to: Who is 139.92.144.231? Is it Lou Gerstner? Say Lou not so! posted by Boudicca on 06 February 2001 at 22:52:32:

: Try consulting the Gods at http://www.samspade.org

: The Demi Gods there said:

: IP block lookup for 139.92.144.231

: whois -h whois.arin.net 139.92.144.231

: IBM Netherlands N.V. (NET-IBMNETHERLANDS)
: Watsonweg 2
: 1423 ND Uithoorn
: The Netherlands

: Netname: IBMNETHERLANDS
: Netblock: 139.92.0.0 - 139.92.255.255

: Coordinator:
: EUIBMNIC (EUI-ORG-ARIN) euibmnic@NL.IBM.COM
: +49 79 322 8053

: Domain System inverse mapping provided by:

: NS.UK.IBM.NET 152.158.16.48
: NS.DE.IBM.NET 152.158.2.48
: NS.NL.IBM.NET 152.158.36.48

: ---------------------------------------------------

: Of course The Netherlands are very big on privacy. Try getting
: a phone directory. Looks like one two face has met another. Raise
: the Black Flag my Children! No prisoners.

: Boudicca

Why would they want to "Hack" you? You all have been less vocal than your
US counterparts. What would it accomplish???

