Hello All,=0A=A0=0AIt seems you all missed the memo.=0AAs of about 11PM PST=
Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer ha=
ve ANY Machine on my network.=0A=A0=0AI'm currently starting to monitor som=
e of the public media, such as google, DroneBL, as well as several Anti-Mal=
ware community websites for abuse.=0A=A0=0ABeing that Esthost is now entire=
ly GONE, we should not have any further issues.=0AIn the case that somethin=
g=A0does arise, such as an exploited host, we're currently developing a gam=
e plan for=A0response to=A0the issues.=0ATo make the best effort towards co=
mbatting=A0abuse on our network, here's what I have planned so far for ANY =
Type of abuse:=0AStep 1,=A0Suspend Power to the affected machine.=0AStep 2,=
Call/Email the client whom the affected machine is leased to.=0AStep 3, Al=
low the client=A0the option to=A0investigate the machine further (Nullroute=
access via KVM)=0AStep=A04, Verify the=A0reported content, domain, user, o=
r exploit=A0is patched/eliminated from the machine.=0AStep 5,=A0Remove the =
Nullroute. Allow the machine to return to the network.=0A=A0=0AAny comments=
? =0A=A0=0AThis is=A0the result of a zero tolerance policy regarding abuse.=
If it's clear that the server owner is the cause of the abusive material e=
tc, the client will then be immediately cancelled. No questions.=A0=0A=0A=
=0AIt seems that this approach will be the best supported by the anti-abuse=
communities, so please let me know your input.=0A=0AThank you for your tim=
e. Have a great day.=0A=A0---=0ARussell Mitchell=0A=0AInterCage, Inc.=0A=0A=
=0A=0A----- Original Message ----=0AFrom: Paul Wall <pauldotwall@gmail.com>=
=0ATo: Mark Foo <mark.foo.dog@gmail.com>=0ACc: nanog@nanog.org=0ASent: Tues=
day, September 23, 2008 5:46:58 PM=0ASubject: Re: YAY! Re: Atrivo/Intercage=
: NO Upstream depeer=0A=0AHold the rejoicing, Atrivo is back, this time on =
UnitedLayer.=0A=0AI'd contact them, only they seem to change CTOs every mon=
th or two,=0Adoes anybody know who's currently in charge?=0A=0AThank you, a=
nd Drive Slow,=0APaul Wall=0A=0A=0A
Speaking of missing memos... mailing lists are not highly compatible
with HTML or some clients that like to encode list mail. The above is
what your mail looked like to some people.
I would suggest a different Step 1. Instead of killing power, simply
isolate the affected machine. This might be as simple as putting up a
firewall rule or two, if it is simply sending outgoing SMTP spam, or
for more complex issues, downing the port facing the machine in question.
Killing the power may destroy useful forensic clues about what happened
to the system, and may damage the system.
... JG
it's probably easiest (depending on the network gear of course) to
just put the lan port into an isolated VLAN. It's not the 100%
solution (some badness rm's itself once it loses connectivity to the
internets) but it'd make things simpler for the client/LEA when they
need to figure out what happened.
-chris
using bolt cutters on cables has a certain satisfaction...
In article <200809240320.m8O3KIw0019735@aurora.sol.net> you write:
Hello All,=0A=A0=0AIt seems you all missed the memo.=0AAs of about 11PM PST=
Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer ha=
ve ANY Machine on my network.=0A=A0=0AI'm currently starting to monitor som=
e of the public media, such as google, DroneBL, as well as several Anti-Mal=
ware community websites for abuse.=0A=A0=0ABeing that Esthost is now entire=
[snipped]
Speaking of missing memos... mailing lists are not highly compatible
with HTML or some clients that like to encode list mail. The above is
what your mail looked like to some people.
Most email from Yahoo is like this. Yahoo doesn't know how
to do quoted-printable properly. It displays ok if you
speak mime but not if you don't. The intent of quoted-printable
is to display ASCII nicely if you don't have a mime compliant
reader.
Mark
RFC 2045.
The Quoted-Printable encoding is intended to represent data that
largely consists of octets that correspond to printable characters in
the US-ASCII character set. It encodes the data in such a way that
the resulting octets are unlikely to be modified by mail transport.
If the data being encoded are mostly US-ASCII text, the encoded form
of the data remains largely recognizable by humans. A body which is
entirely US-ASCII may also be encoded in Quoted-Printable to ensure
the integrity of the data should the message pass through a
character-translating, and/or line-wrapping gateway.
also
(4) (Line Breaks) A line break in a text body, represented
as a CRLF sequence in the text canonical form, must be
represented by a (RFC 822) line break, which is also a
CRLF sequence, in the Quoted-Printable encoding. Since
the canonical representation of media types other than
text do not generally include the representation of
line breaks as CRLF sequences, no hard line breaks
(i.e. line breaks that are intended to be meaningful
and to be displayed to the user) can occur in the
quoted-printable encoding of such types. Sequences
like "=0D", "=0A", "=0A=0D" and "=0D=0A" will routinely
appear in non-text data represented in quoted-
printable, of course.
NANOG:
Look, the people posting here who are trashing Intercage are pure security
analysts -- they
know and understand the evil that is Intercage. STOP TRYING TO ASSIST
INTERCAGE
-- you are effectively aiding and abetting the enemy.
Intercage/Atrivo hosts the malware c&c botnets that DDoS your systems and
networks.
Intercage/Atrivo hosts the spyware that compromises your users' passwords.
Intercage/Atrivo hosts the adware that slows your customers' machines.
Don't take my word for it, DO YOUR OWN RESEARCH:
http://www.google.com/search?hl=en&q=intercage+malware
You don't get called the ***American RBN*** for hosting a couple bad
machines. They
have and will continue to host much of the malware pumped out of America.
THEY
ARE NOT YOUR COMRADES.
These people represent the most HIGHLY ORGANZIED CRIME you will ever
come across. Most people were afraid to speak out against them until this
recent ground swell.
This is the MALWARE CARTEL. GET THE PICTURE?
Many links have been posted here that prove this already -- instead of
asking
what customers they cut off, let them show WHAT CUSTOMERS ARE LEGIT--
because there are NONE.