[Scottish] The yellow peril?

Paul Millar scottish at mailman.lug.org.uk
Thu Jul 24 14:13:01 2003 

Probably just a bit of spam:
  http://lists.insecure.org/lists/incidents/2003/Jan/0132.html

Paul.

On Thu, 24 Jul 2003, Colin Fraser wrote:
> Just found the following in /var/log/messages:
> 
> Jul 24 13:23:44 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC= 
> SRC=62.134.72.190 DST=213.122.60.116 LEN=288 TOS=0x00 PREC=0x00 TTL=114 
> ID=28413 PROTO=UDP SPT=4288 DPT=135 LEN=268
> Jul 24 13:23:45 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC= 
> SRC=62.134.72.190 DST=213.122.60.116 LEN=108 TOS=0x00 PREC=0x00 TTL=114 
> ID=28699 PROTO=UDP SPT=4288 DPT=135 LEN=88
> Jul 24 13:23:46 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC= 
> SRC=62.134.72.190 DST=213.122.60.116 LEN=108 TOS=0x00 PREC=0x00 TTL=114 
> ID=29034 PROTO=UDP SPT=4288 DPT=135 LEN=88
> Jul 24 13:23:48 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC= 
> SRC=62.134.72.190 DST=213.122.60.116 LEN=108 TOS=0x00 PREC=0x00 TTL=114 
> ID=29679 PROTO=UDP SPT=4288 DPT=135 LEN=88
> Jul 24 13:23:52 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC= 
> SRC=62.134.72.190 DST=213.122.60.116 LEN=108 TOS=0x00 PREC=0x00 TTL=114 
> ID=31031 PROTO=UDP SPT=4288 DPT=135 LEN=88
> Jul 24 13:24:00 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC= 
> SRC=62.134.72.190 DST=213.122.60.116 LEN=108 TOS=0x00 PREC=0x00 TTL=114 
> ID=33632 PROTO=UDP SPT=4288 DPT=135 LEN=88
> Jul 24 13:24:16 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC= 
> SRC=62.134.72.190 DST=213.122.60.116 LEN=116 TOS=0x00 PREC=0x00 TTL=114 
> ID=38734 PROTO=UDP SPT=4288 DPT=135 LEN=96
> 
> A whois shows that the source IP is registered to someone in the People's 
> Republic of China. Before I go off half-cocked on this one, Has anyone any 
> idea what it might be about? I've done a google and spotted a virus alert  
> about HLLP.4288 but can't find a description, other than that it affects .COM 
> and .EXE (another good reason for avoiding microdog!).
> 
> Of course, our friend in China might be a victim (if he's got the virus and 
> it's trying to contact other instances through the net).
> 
> Anyone got any idea of what's going on or suggestions on my next step?
> 
> Cheers,
> 
> Colin
> 
> _______________________________________________
> Scottish mailing list
> Scottish@mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/scottish
> 

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
Particle Physics (Theory & Experimental) Groups                Dr Paul Millar 
Department of Physics and Astronomy                     paulm@astro.gla.ac.uk
University of Glasgow                                 paulm@physics.gla.ac.uk
Glasgow, G12 8QQ, Scotland             http://www.astro.gla.ac.uk/users/paulm 
+44 (0)141 330 4717        A54C A9FC 6A77 1664 2E4E  90E3 FFD2 704B BF0F 03E9
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --