I was running the network abuse & security dept at speakeasy.net around 2001. The nimda worm was in full throttle. We had a customer with a dsl line, about 12 ips, a home-brew server farm, and a serious net-geek inferiority complex. We got complaints of nimda traffic from one of his computers which he vehemently denied even running windows on. Never one not to double check my own work, I telnet'd to port 25 of the machine and was greeted with a "Microsoft SMTP:" prompt. Again to port 21, "Microsoft FTP:" and port 80, "Microsoft IIS".
I sent him a log of my connections and he demanded we were mistaken, he wanted proof of arp info/mac addresses against the ips we received. So I sent him the arp info we had on our router (at this point I was just wanting to see where he would go from here). Of course he denied that the NIC belonged to any of his machines, and that someone must have spoofed his network. Within an hour we had a new mac address cached on our router for the ip in question (he just switched machines).
Unfortunately he hadn't figured out that the router would just cache it on a different ip. So I checked the rest of his ip addies on our router...there it was. I made sure to call him to notify him that it was still there (on a different addy). God knows we didn't want that spoofed mac addy there! So he switched it again. I made subsequent calls and he switched it again, and again, and again. Finally it disappeared.
I wasn't satisfied until we made him buy a new NIC for his machine. Hehehehe...
no subject
sorry.
no subject
Yeah... I know that feeling!
no subject
Well done!
no subject
"you're wankers, tossers and every possible mould i can wish".... mmm was he happy?