The Site > Old Forums > Qwest > Multiple supported properties

reply to DataRiker

Re: Multiple supported properties

Absolutely.

But they are actually not so different.

Our case was unique because most of our internet originated in our Library, which complicated the situation.

According to our law faculty, if it was physically located outside of our main library the same rules would not apply.

WTF...

reply to jjjacer
I'm with DataRiker on this one. This should be considered a public network with little expectancy of filtering/'baddie prevention' (for lack of a better term off the top of my head) beyond bandwidth management. And as long as you have a commercial connection from Qwest (I will assume right away that you are), I'd bitch them out about their 'network management' and if they refuse to do anything about it, take your business elsewhere. Or rather it should be the other way around. Threaten to take your business elsewhere and if they still don't give in, actually follow through with it. That really is your best bet.

As has already been stated, it is going to be VERY difficult to do any proactive filtering to prevent this from happening again, the very least needing to be an upgrade of your firewall combined with tons of man hours to have it set up right and then regularly keeping it up to date on rules so nothing slips through. Once all that would be set and done you enter the slippery slope issue of filtering and potential guest complaints.
--
I swear, some people should have pace-makers installed to free up the resources. Breathing and heart beat taxes their whole system, all of their brain cells wasted on life support.-two bit brains, and the second bit is wasted on parity! ~head_spaz

reply to jjjacer
I do think is would be adviseable to find out the applicable laws for the hotels, rooms/suites, restaurants, shops, coffeeshops, lobby.

It doesn't require a law degree. Most law is written for third-grade readers, with a glossary of the meaning of the difficult words right there. There are also printed phamphlets of applicable laws in "business branch" libraries, law libraries, and the Small Business Administration. Hotel Associations sometimes have it available.

I also think it would be helpful to make a flow chart: labeled boxes (ISP, router, LAN, WiFI) and lines between the boxes with one-way or two-way arrows to see how the data has to flow.

I also think having a box of recycled hard drives, with software to correct any bad sectors, and maybe arrange so another hard drive comes up when the previous hard drive is 80% - all of it run as an external hard drive would be a good idea for his logs. You could pay retail for those storage towers for music at NewEgg or a discount house.

It would be good to see how far their WiFI reaches, and how vulnerable it is to "wardriving".

I think, if you are paid to do a job, then, do it.

If they are not paying enough, they should pay more.

I would write a proposal. It doesn't have to be fancy: here is what I will do for you. The list could include speak to the rep and negotiate better service, find out what other ISPs offer, integrate more of a backup system for logging, (use nice words like costing, rather than purchase), etc.

I know a "consultant" for city and county government who makes big bucks, to report what is available: hardware, software, and service providers.

I would add this: very little "techno-speak" is actually necessary.

If someone just wants to talk circles around you, then, talk to someone else who wants to communicate.

reply to jjjacer
Are these business accounts? How is Qwest determining the infected computers and why do they care? It is not cable and one infected computer should not affect anything else on the Qwest network. I mean they advertise your own private connection.
Are they going by ports used. if so maybe just blocking those ports if they are not normally needed by your hotel guests.

This is from one of our sites, they did not get blocked but got a warning.

-----Original Message-----
From: abuse-nonverbose@qwest.net [mailto:abuse-nonverbose@qwest.net]
Sent: Tuesday, August 23, 2011 8:45 AM
To: **********
Subject: [AB-M18797798O] Virus Infected Bot Traffic and Qwest's Acceptable
Use Policy

Customer ID: ***************************
Circuit ID: ********

Qwest Security Services has received notification about malicious traffic
originating from this account. This means that this computer or another
computer on your network is trying to infect, attack, or gain unauthorized
access to other computers on the Internet.

This malicious traffic has been determined to be from some form of a "Bot"
instance.

Computers infected with bots are considered compromised hosts. They may be
used
to send spam (also called Unsolicited Bulk Email, or UBE), scan other
computers
for vulnerabilities, take advantage of security holes, perform identity
theft,
and/or be used as part of Distributed Denial of Service (DDoS) attacks.
These
programs also allow computers used by attackers or spammers to hide their
identity and location. These bots are often spread by viruses or worms.

Please see the Acceptable Use Policy at:
»www.qwest.com/legal/usagePolicy.html

Please make sure that the system software is up to date, that antivirus
software is installed with current antivirus signatures, and that your hard
disk(s) have been scanned to detect and remove all viruses, worms, trojans,
or
other software which allow unauthorized remote control of your systems.

Qwest also recommends checking to be sure that you are not running an open
proxy or an open relay. More information on open relays can be found at:
»www.mail-abuse.com/an_sec3rdparty.html

If you believe you have an open proxy, check the documentation for your
proxy
server or firewall for information on how best to secure it.

The date, time (GMT), IP addresses, and Qwest Circuit-ID identified
in our investigation are as follows:

Date IP Circuit-ID Additional Info
=================== =============== ========================
========================================
2011-08-21 13:51:18 72.164.191.114 13645521 infection =>
'bots', subtype => 'sinkhole', port => '2180', cc => 74.208.164.166 ,
cc_port => '80', type => 'tcp', count => '1', p0f_detail => '2000 SP4, XP
SP1+', sourceSummary => 'Drone Report', p0f_genre => 'Windows'
2011-08-21 13:51:18 72.164.191.114 13645521 infection =>
'bots', subtype => 'sinkhole', port => '2180', cc => 74.208.164.166 ,
cc_port => '80', type => 'tcp', count => '1', p0f_detail => '2000 SP4, XP
SP1+', sourceSummary => 'Drone Report', p0f_genre => 'Windows'

Regards,
--
Qwest Security Services sysop@qwest.net, abuse@qwest.net

Acceptable Use Policy
»www.qwest.com/legal/usagePolicy.html



reply to jjjacer
Huh?

"Bots" float around on the internet, and "stick" to a vulnerability.

Traced to you? Prove it. Traceroute. Ping. Finger. Ook, they did!

Port 2180 is for LAN. It "could" be on your LAN.

If it is your job, Make the flow chart: clean the data stream.

I was thinking more what I said: if you do write a proposal, I would suggest you present it as better than hiring an outside consultant, which costs more, and if they want to hire an outside consultant, then fine. But if they want you to do the same job as an outside consultant, then pay for the job and when, you have achieved it, return to your salary. Unless, of course, they feel you are worth more money! But the short-term in-house consultant fee is a better deal for them, if you can do the job. They have the written proposal, in handwriting is okay, and you say you think you can do the job.

If not, suggest an outside consultant: be a hero for the suggestion.

However, I really think you can do this.

BotHunter.
BotHunter, a free program from SRI International, works with Unix, Linux, Mac OS, Windows XP, and Vista. Though designed for networks, it can also run on stand-alone desktops and laptops.

Do not discount "disgruntled employees" doing this to the hotels.

"Bots" are good for "side money". It could be the guy working in the parking garage. Use the software to track it down, if it is an "inside job".

reply to jjjacer
For less than 15 dollars a month you can have an unlimited transfer VPN to Sweden.

Your traffic will have a little higher ping times, but I doubt most would even notice.

This would save a lot of headaches and BS. No more DMCA letters ever.