ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Security threats Toolkit

Story: Lycos army shoots itself in foot?

  • Previous comment

Posted by: Anonymous (Friday 3 December 2004, 11:10 AM)

  • Reply

The "defacement" is not likely to have been a defacement - the nanog@nanog.org mailing list of the north american network operator group has a post stating that at least one backbone seems to have redirected any IP addresses it controls, that try to hit the makelovenotspam page (presumably to download the screensaver) to a warning page saying it had logged their IP.

Here's a post on the nanog mailing list, which gives a full sequence -

Hannigan, Martin wrote:
>> -----Original Message-----
>> From: Lionel [mailto:nop@alt.net]
>> Sent: Thursday, December 02, 2004 8:40 AM
>> To: Hannigan, Martin
>> Cc: nanog list
>> Subject: Re: How many backbones here are filtering the
>> makelovenotspam scr eensaver site?
>>
>>
>> On Thu, 2 Dec 2004 08:27:38 -0500 , "Hannigan, Martin"
>> wrote:
>>
>>>>> Hosted on a cablemodem? Tch, tch, how the mighty have fallen
>>>
>>>
>>> The blocks are widespread.
>>>
>>> The reports of hackers are incorrect. The blackholes are
>> what is stopping
>>> them.
>>
>> What amazing efficiency. I can't help but wonder if these
>> same providers
>> are as quick at blackholing spamsite hosts, or blocking the zombies
>> on their user networks from spewing spam on port 25?
>
> If you tied all the spammers into a few controllers, you see it happen
> immediately.
>
> I've been following the news reports on this. Here's a quick summary
> of "what I know" without making any judgement or opinion:
>
>
> - The lycos screensaver campaign activated Tuesday
> - Major networks began activating blocks
> - When the controllers can't be reached, the clients die off
> - If screensaver is active when controllers die, it runs
> off the current target list.
> - If screensaver deactivates, then activates, it can't
> contact the servers and tells the user it's "off the internet"
> (I can't verify the veracity of the update process i.e. if it
> will die while active)
> - Blocks started going up early Wednesday morning
> - The press began reporting hackers due to an apparentdefacement
> being seen by many users. What they actually saw was the banner of
> an ISP that had blackholed the traffic and redirected port
> 80 to a notice.
> - Lycos moved their application to a hosting facility with bigger
> pipes
> - Target sites began using redirects sending the traffic back
> to Lycos
> - Press reports are coming out today regarding the blackholes
> - SpamCop is the source of the target list via a page that is public
> off of the SpamCop site (SpamCop is does not appear to have
> complicity)
> - The effectiveness of the blackholes is rising
> - There are a reported 100K clients downloaded. Less than you would
> expect due to the voluminous press coverage. Probably a result of
> the blackhole activity as well.
>
> I'm really not sure if Lycos knows about the blackholes at
> this point as the press has been reporting "hackers" all the while.
> If you think it's hacked, check the route.
>
> Here's some operational data captured via ethereal
>
> The target list generated by the botnet controller:
>
> GET
> /xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_2865
> 2023942308.xml HTTP/1.1
> Referer:
> http://backend.makelovenotspam.com/xml/69426058014054/94772079193788/3526402
> 9467456/12122010129438/CONFIG_28652023942308.xml
> x-flash-version: 7,0,19,0
> User-Agent: Shockwave Flash
> Host: backend.makelovenotspam.com
> Cache-Control: no-cache
>
> HTTP/1.1 200 OK
> Server: Resin/2.1.14
> Content-Type: text/xml; charset=UTF-8
> Content-Length: 2889
> Connection: close
> Date: Thu, 02 Dec 2004 15:22:00 GMT
>
>
> domain="myshopinternetcompany.com"
> url="http://myshopinternetcompany.com/?e=aa5100" bytes="357460680"
> hits="2572309" percentage

  • Previous comment

  • Reply to this comment
  • Return to story
  • Report this as offensive


Full Talkback thread

Sentry Posts Blog

Nasa and the virus

Yesterday the BBC ran a story about a computer virus making it into orbit, which I read with incredulity. OK, it's a nice silly season story on the surface, but what really got me was... More

3 comments

Customer data found on eBay server hig...

The recent news about customer details being retrieved from a server sold on eBay is yet another story about the sorry state of information security in the electronic age (see: http://news.zdnet.co.uk/...m).... More

Post a comment

Does it matter if you are an aardvark...

In spam terms, apparently it does. According to Cambridge University security expert Richard Clayton, if your email address is aardvark at animal.net, you are more likely to receive... More

1 comment