Subj : Netscan -s curio
To   : All
From : Mike Luther
Date : Thu Aug 21 2003 10:11 am

During the morning madness trying to cope with all the what's new virus and other web browsing I notice a curio. Box begins constant small picking network activity at high throughput but small packet sizes. Reminiscent of the old smash attempt from Netbios over OS/2 of many months ago, but tiny packets.

OK, fire up netstat -s and see what's plugged in. Interesting:

  Socket  Foreigh        Port    Local          ID
  0       www.http..80   55266   12.106.145.9   FIN_WAIT_2
  0       www.http..80   55268   12.106.145.9   FIN_WAIT_2
  0       www.http..80   55270   12.106.145.9   FIN_WAIT_2
  0       www.http..80   55272   12.106.145.9   FIN_WAIT_2

Browser has hung during IWB use to www.warpstork.org. I tried four times at www.warpstock.org to review the 2003 information on San Francisco. OK, for research, fire up another box and hit it for test. Yep, hangs there too. Host 12.106.145.9 rings back os2voice.org folks. And yep, direct to the os2voice.org site is jammed too folks.

OK, so each of these traces back to a still waiting jam from visiting os2voice.org when I punch the stop button. These are the remains of that? I can't believe the statistical result of a step by two up those port numbers for THREE iterations! That's a way out math result I am being asked to accept here on faith ....

Looking at gmane and so on, these four ports aren't even alleged to be related to whatever for to OS2 with the possible exception of 55266 which is an Apache update assignment. 55268 is a FreeBSD update assignment. 55270 is a Kaffe Java issue and 55272 is a FreeBSD update assignment.

Can't be a bug in IWB in that NS 4.6.1 shows the same behavior on the alternate box. However on it the ports are 63878, 63880 and are stepping up by two each there, one for each must force cancel improper connect to os2voice.org for the URL.

And VOILA, with two such now open sockets now here comes a THIRD even though I did not connect but twice, this time at 63881 and I didn't ask for this one ... growl. Now THIS box is wham, wham, wham via the pipeline. Once the thumpity starts, the only way to shut it down seems to be to re-boot the box.

A scan of the entire hard disk with NORMAN and current database for latest August 19th file shows nothing left on the hard disks it can find.

Is this something new in Sobig.f we ain't seen yet, based on a Javascript issue unseen up until now? Is OS2VOICE.ORG now involved in a DOS attack despite the fact that it is an OS/2 Apache hosted site?

Inquiring mind wants to know.

--> Sleep well; OS/2's still awake! ;)

Mike @ 1:117/3001

--- Maximus/2 3.01
 * Origin: Ziplog Public Port (1:117/3001)