
nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to jjjacer

Re: Multiple supported properties

Are these business accounts? How is Qwest determining the infected computers and why do they care? It is not cable and one infected computer should not affect anything else on the Qwest network. I mean they advertise your own private connection.
Are they going by ports used? If so, maybe just blocking those ports if they are not normally needed by your hotel guests.

jjjacer

join:2004-05-07
Jefferson, WI
This is from one of our sites, they did not get blocked but got a warning.

-----Original Message-----
From: abuse-nonverbose@qwest.net [mailto:abuse-nonverbose@qwest.net]
Sent: Tuesday, August 23, 2011 8:45 AM
To: **********
Subject: [AB-M18797798O] Virus Infected Bot Traffic and Qwest's Acceptable Use Policy

Customer ID: ***************************
Circuit ID: ********

Qwest Security Services has received notification about malicious traffic
originating from this account. This means that this computer or another
computer on your network is trying to infect, attack, or gain unauthorized
access to other computers on the Internet.

This malicious traffic has been determined to be from some form of a "Bot"
instance.

Computers infected with bots are considered compromised hosts. They may be
used to send spam (also called Unsolicited Bulk Email, or UBE), scan other
computers for vulnerabilities, take advantage of security holes, perform
identity theft, and/or be used as part of Distributed Denial of Service
(DDoS) attacks. These programs also allow computers used by attackers or
spammers to hide their identity and location. These bots are often spread by
viruses or worms.

Please see the Acceptable Use Policy at:
www.qwest.com/legal/usagePolicy.html

Please make sure that the system software is up to date, that antivirus
software is installed with current antivirus signatures, and that your hard
disk(s) have been scanned to detect and remove all viruses, worms, trojans,
or other software which allow unauthorized remote control of your systems.

Qwest also recommends checking to be sure that you are not running an open
proxy or an open relay. More information on open relays can be found at:
www.mail-abuse.com/an_sec3rdparty.html

If you believe you have an open proxy, check the documentation for your
proxy server or firewall for information on how best to secure it.

The date, time (GMT), IP addresses, and Qwest Circuit-ID identified
in our investigation are as follows:

Date                IP              Circuit-ID               Additional Info
=================== =============== ======================== ========================================
2011-08-21 13:51:18 72.164.191.114  13645521                 infection => 'bots', subtype => 'sinkhole', port => '2180', cc => 74.208.164.166 , cc_port => '80', type => 'tcp', count => '1', p0f_detail => '2000 SP4, XP SP1+', sourceSummary => 'Drone Report', p0f_genre => 'Windows'
2011-08-21 13:51:18 72.164.191.114  13645521                 infection => 'bots', subtype => 'sinkhole', port => '2180', cc => 74.208.164.166 , cc_port => '80', type => 'tcp', count => '1', p0f_detail => '2000 SP4, XP SP1+', sourceSummary => 'Drone Report', p0f_genre => 'Windows'

Regards,
--
Qwest Security Services sysop@qwest.net, abuse@qwest.net

Acceptable Use Policy
www.qwest.com/legal/usagePolicy.html
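
On a shared site such as a hotel, the notice only names the public IP, so the "Additional Info" record has to be matched against the site's own NAT logs to find the machine behind it. The following is an added example, not part of the original posts or Qwest's tooling: it parses the record from the notice and looks it up in a NAT translation log. The NAT log format and its rows are constructed, and it assumes `port` is the source port the sinkhole saw and that both logs are in GMT.

```python
import re
from datetime import datetime, timedelta

# Record copied from the notice above (wrapped lines joined).
NOTICE = ("2011-08-21 13:51:18 72.164.191.114 13645521 infection => 'bots', "
          "subtype => 'sinkhole', port => '2180', cc => 74.208.164.166 , "
          "cc_port => '80', type => 'tcp', count => '1', "
          "p0f_detail => '2000 SP4, XP SP1+', sourceSummary => 'Drone Report', "
          "p0f_genre => 'Windows'")

# Constructed NAT log (hypothetical format):
# date time proto inside_ip:port public_ip:port dest_ip:port
NAT_LOG = """\
2011-08-21 13:51:02 tcp 10.0.3.41:49822 72.164.191.114:2179 93.184.216.34:80
2011-08-21 13:51:17 tcp 10.0.7.15:1046 72.164.191.114:2180 74.208.164.166:80
2011-08-21 13:58:40 tcp 10.0.2.9:50211 72.164.191.114:2180 74.208.164.166:80
"""

HEAD = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.*)", re.S)
# A value is either a quoted string (which may contain commas) or a bare token.
PAIR = re.compile(r"(\w+) => (?:'([^']*)'|([^\s,]+))")
TS = "%Y-%m-%d %H:%M:%S"

def parse_notice(line):
    """Split one notice record into its fixed columns and key => value pairs."""
    when, ip, circuit, rest = HEAD.match(line).groups()
    rec = {key: quoted or bare for key, quoted, bare in PAIR.findall(rest)}
    rec.update(time=datetime.strptime(when, TS), ip=ip, circuit=circuit)
    return rec

def find_inside_hosts(rec, nat_log, skew=timedelta(seconds=120)):
    """Return inside IPs whose translation matches the reported flow.

    The public port alone is not enough: ports get reused, so the
    destination and a time window around the report are checked too.
    """
    hits = []
    for row in nat_log.splitlines():
        date, clock, proto, inside, public, dest = row.split()
        seen = datetime.strptime(f"{date} {clock}", TS)
        if (proto == rec["type"]
                and public == f"{rec['ip']}:{rec['port']}"
                and dest == f"{rec['cc']}:{rec['cc_port']}"
                and abs(seen - rec["time"]) <= skew):
            hits.append(inside.rsplit(":", 1)[0])
    return hits

if __name__ == "__main__":
    print(find_inside_hosts(parse_notice(NOTICE), NAT_LOG))
```

The lookup only works if the gateway logs translations and keeps them long enough to cover the delay between the event and the notice, which here was about two days.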