[ntp:security] Re: Please remove our server from your list!

Daisy Nguyen daisy at cs.columbia.edu
Mon May 9 08:21:17 PDT 2005


I'm sending this request to bugs at ntp.org, security at ntp.isc.org,
webmaster at ntp.isc.org because I have no idea who is the right person to
handle my request. I have been trying to get our server,
timex.cs.columbia.edu, off the NTP public list since 4/27 but have not
yet succeeded (see email below). I hope you can help.

Could you please remove our server, timex.cs.columbia.edu, from your
Public NTP Secondary (stratum 2) Time Servers (number 50) and any other
places on your list as an active ntp server. We no longer provide the
NTP service for the internet. If you have any questions, please feel
free to contact me.

>50. US NY timex.cs.columbia.edu (128.59.16.20)
>Location: Columbia University Computer Science Department, New York City, NY
>Synchronization: NTP secondary (stratum 2), Sun/Unix
>Service Area: PSINET; NSFNET, NYSER region
>Access Policy: open access, authenticated NTP (DES/MD5) available
>Contact: James Tanis (timekeeper at cs.columbia.edu)
>Note: IP addresses are subject to change; please use DNS


		Thank you for your help,

			Daisy



---------------------------------------------------------------------------

Daisy Nguyen					450 Computer Science
Director, Computing Research Facilities		MC 0401
Computer Science Department			500 West 120th Street
Columbia University				New York, NY 10027
Tel: (212) 939-7140				daisy at cs.columbia.edu
Cell: (347) 782-2345
Fax: (212) 666-0140
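
Added example (not part of the original message, and not code from any tool named in this thread): a short Python check for the pattern reported in the quoted thread below, where clients keep opening TCP connections to the time port and every attempt is reset. Host names and the sample capture are constructed, and the script assumes old-style tcpdump text output with one packet per line.

```python
import re
from collections import defaultdict

# Old-style tcpdump text output, one packet per line:
#   HH:MM:SS.usec src.port > dst.port: FLAGS [seq:seq(len)] ...
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+)\.(\w+) > (\S+)\.(\w+): "
    r"([SRFP.]+) (?:(\d+):\d+\(\d+\))?"
)
TIME_PORTS = {"37", "time"}  # tcpdump prints the service name when it can

# Constructed sample capture (hosts, ports and sequence numbers are made up).
# client-a: three connection attempts, two of them retransmitted, all reset.
# client-b: one attempt that the server accepts.
SAMPLE = """\
10:00:00.000000 client-a.example.edu.4001 > timehost.example.edu.time: S 1000:1000(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:00:00.000100 timehost.example.edu.time > client-a.example.edu.4001: R 0:0(0) ack 1001 win 0 (DF)
10:00:00.500000 client-a.example.edu.4001 > timehost.example.edu.time: S 1000:1000(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:00:00.500100 timehost.example.edu.time > client-a.example.edu.4001: R 0:0(0) ack 1 win 0 (DF)
10:00:01.000000 client-b.example.edu.5000 > timehost.example.edu.time: S 7000:7000(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:00:01.000100 timehost.example.edu.time > client-b.example.edu.5000: S 9000:9000(0) ack 7001 win 5840 <mss 1460> (DF)
10:00:03.000000 client-a.example.edu.4002 > timehost.example.edu.time: S 2000:2000(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:00:03.000100 timehost.example.edu.time > client-a.example.edu.4002: R 0:0(0) ack 2001 win 0 (DF)
10:00:03.500000 client-a.example.edu.4002 > timehost.example.edu.time: S 2000:2000(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:00:03.500100 timehost.example.edu.time > client-a.example.edu.4002: R 0:0(0) ack 1 win 0 (DF)
10:00:06.000000 client-a.example.edu.4003 > timehost.example.edu.time: S 3000:3000(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:00:06.000100 timehost.example.edu.time > client-a.example.edu.4003: R 0:0(0) ack 3001 win 0 (DF)
"""


def parse(line):
    """Return one packet as a dict, or None if the line is not a packet."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, src, sport, dst, dport, flags, seq = m.groups()
    return {
        "t": int(hh) * 3600 + int(mm) * 60 + float(ss),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "flags": flags, "seq": seq,
    }


def summarize(lines):
    """Per (client, server) pair: SYN count, distinct attempts, resets, rate."""
    stats = defaultdict(
        lambda: {"syn_times": [], "attempts": set(), "refused": set()}
    )
    for pkt in filter(None, map(parse, lines)):
        if "S" in pkt["flags"] and pkt["dport"] in TIME_PORTS:
            # Client SYN towards the time service.
            st = stats[(pkt["src"], pkt["dst"])]
            st["syn_times"].append(pkt["t"])
            st["attempts"].add((pkt["sport"], pkt["seq"]))
        elif "R" in pkt["flags"] and pkt["sport"] in TIME_PORTS:
            # Server reset: nothing is listening on the time port any more.
            stats[(pkt["dst"], pkt["src"])]["refused"].add(pkt["dport"])
    report = {}
    for pair, st in stats.items():
        syns = len(st["syn_times"])
        if syns == 0:
            continue
        span = max(st["syn_times"]) - min(st["syn_times"])
        ports = {port for port, _ in st["attempts"]}
        report[pair] = {
            "syns": syns,
            "attempts": len(st["attempts"]),
            # Same source port and sequence number seen again = retransmit.
            "retransmits": syns - len(st["attempts"]),
            "all_refused": ports <= st["refused"],
            "syn_per_sec": round(syns / span, 2) if span > 0 else float(syns),
        }
    return report


def classify(entry, min_attempts=3):
    """Label a pair whose every attempt to one service on one host is reset.

    Repeated fresh attempts (new source port each time) against a single
    closed port on a single host point to a client retrying a service that
    has gone away, not to a host sweeping many targets.
    """
    if entry["all_refused"] and entry["attempts"] >= min_attempts:
        return "refused-retry-loop"
    return "normal"


if __name__ == "__main__":
    for (client, server), entry in summarize(SAMPLE.splitlines()).items():
        print(client, "->", server, classify(entry), entry)
```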





>       Date:  Mon, 09 May 2005 14:52:05 +0000
>       From:  "David L. Mills" <mills at udel.edu>
>         To:  Daisy Nguyen <daisy at cs.columbia.edu>
>    Subject:  Re: Please remove our server from your list!
>         Cc:  Rob Chambers <robc at thinkman.com>, cts at cs.columbia.edu, chris at mail.smu.edu,
>              ib42 at cs.columbia.edu, medina at columbia.edu
>In-reply-to:  <200505091356.j49Duaoq025331 at flame.cs.columbia.edu>
>
>Daisy,
>
>I don't keep the lists and haven't for some time. You will need to 
>contact the current keepers. See the link on my pages or go to www.ntp.org.
>
>Dave
>
>Daisy Nguyen wrote:
>
>>David:
>>
>>Could you please remove our server, timex.cs.columbia.edu, from your
>>Public NTP Secondary (stratum 2) Time Servers (number 50) and any other
>>places on your list as an active ntp server. We no longer provide the
>>NTP service for the internet. If you have any questions, please feel
>>free to contact me.
>>
>>50. US NY timex.cs.columbia.edu (128.59.16.20)
>>Location: Columbia University Computer Science Department, New York City, NY
>>Synchronization: NTP secondary (stratum 2), Sun/Unix
>>Service Area: PSINET; NSFNET, NYSER region
>>Access Policy: open access, authenticated NTP (DES/MD5) available
>>Contact: James Tanis (timekeeper at cs.columbia.edu)
>>Note: IP addresses are subject to change; please use DNS 
>>
>>			
>>		Thank you for your help,
>>
>>			Daisy
>>
>>
>>
>>---------------------------------------------------------------------------
>>
>>Daisy Nguyen					450 Computer Science
>>Director, Computing Research Facilities		MC 0401
>>Computer Science Department			500 West 120th Street
>>Columbia University				New York, NY 10027
>>Tel: (212) 939-7140				daisy at cs.columbia.edu
>>Cell: (347) 782-2345
>>Fax: (212) 666-0140
>>
>>
>>
>>
>>
>>
>>>      Date:  Sat, 7 May 2005 20:51:16 -0700
>>>      From:  "Rob Chambers" <robc at thinkman.com>
>>>        To:  "Daisy Nguyen" <daisy at cs.columbia.edu>, <webmaster at thinkman.com>
>>>   Subject:  RE: Please remove our server from your list!
>>>        Cc:  <security at columbia.edu>, <hgs at cs.columbia.edu>, <smb at cs.columbia.edu>,
>>>             <medina at columbia.edu>, <cts at cs.columbia.edu>, <chris at mail.smu.edu>
>>
>>>Thanks Daisy.
>>>
>>>The last time I updated D4's server list, your site was listed on David
>>>Mills list of secondary NTP servers. In fact, it still is. See here:
>>>http://www.eecis.udel.edu/~mills/ntp/clock2a.html
>>>
>>>When I update D4's list of servers, I use an automated process that
>>>takes the sites listed on that page. 
>>>
>>>You should contact David to have your server removed.
>>>
>>>Let me know once that happens, and I'll make note of it for the next D4
>>>update.
>>>
>>>--rob chambers
>>>
>>>-----Original Message-----
>>>From: Daisy Nguyen [mailto:daisy at cs.columbia.edu] 
>>>Sent: Wednesday, April 27, 2005 8:59 AM
>>>To: webmaster at thinkman.com
>>>Cc: security at columbia.edu; hgs at cs.columbia.edu; smb at cs.columbia.edu;
>>>medina at columbia.edu; cts at cs.columbia.edu; chris at mail.smu.edu
>>>Subject: Please remove our server from your list!
>>>
>>>To whom it may concern:
>>>
>>>Our server, timex.cs.columbia.edu, has been under attack by several
>>>machines in the internet on port 37. We contacted the Law School of
>>>Southern Methodist University who has 5 machines that repeatedly sent
>>>inquiry to this port. We were told that, they have been using
>>>Dimension4 software of www.thinkman.com. This software has our server
>>>as an available choice out of the box (see email below)
>>>
>>>We no longer provide NTP (port 123), time (port 37) and daytime
>>>(port 13) service to internet machines.  This email is a formal request
>>>for thinkman.com to remove timex.cs.columbia.edu from your list. We
>>>appreciate your quick response to our request.
>>>
>>>			Sincerely,
>>>
>>>			Daisy Nguyen
>>>
>>>
>>>
>>>---------------------------------------------------------------------------
>>>
>>>Daisy Nguyen					450 Computer Science
>>>Director, Computing Research Facilities		MC 0401
>>>Computer Science Department			500 West 120th Street
>>>Columbia University				New York, NY 10027
>>>Tel: (212) 939-7140				daisy at cs.columbia.edu
>>>Cell: (347) 782-2345
>>>Fax: (212) 666-0140
>>>
>>>
>>>
>>>------- Forwarded Message
>>>
>>>Subject: RE: Law.smu.edu machines are attacking port 37 
>>>Date: Tue, 26 Apr 2005 16:46:22 -0500
>>>From: "Smith, Chris" <chris at mail.smu.edu>
>>>To: "Daisy Nguyen" <daisy at cs.columbia.edu>
>>>
>>>FYI, the software was an older version of Dimension 4 from
>>>www.thinkman.com, distributed with your time server as an available
>>>choice "out of the box."
>>>
>>>- --
>>>J. Christian Smith - Information Security Manager
>>>Information Technology Services, Southern Methodist University, Dallas
>>>PGP fingerprint: B6A7 7B14 653F C98C 4355 2436 4850 9A1D FCA8 DAD4
>>>
>>>
>>>- -----Original Message-----
>>>From: Smith, Chris 
>>>Sent: Tuesday, April 26, 2005 4:39 PM
>>>To: 'Daisy Nguyen'
>>>Subject: RE: Law.smu.edu machines are attacking port 37 
>>>
>>>Staff have confirmed that the machines were actually setup to use
>>>cs.columbia.edu for time service. They were supposed to be synching
>>>every 15 minutes. It is not clear when your machine stopped offering
>>>this service, but it worked at some point in the past. Probably the fact
>>>that it is no longer offered is responsible for the higher packet rate
>>>as connections are retried, and the software has a fairly aggressive
>>>failure response.
>>>
>>>- --
>>>J. Christian Smith - Information Security Manager
>>>Information Technology Services, Southern Methodist University, Dallas
>>>PGP fingerprint: B6A7 7B14 653F C98C 4355 2436 4850 9A1D FCA8 DAD4
>>>
>>>
>>>- -----Original Message-----
>>>From: Daisy Nguyen [mailto:daisy at cs.columbia.edu] 
>>>Sent: Tuesday, April 26, 2005 4:07 PM
>>>To: Smith, Chris
>>>Subject: Re: Law.smu.edu machines are attacking port 37 
>>>
>>>Chris:
>>>
>>>Could you please find out what is going on with the attack on port 37.
>>>Since the attack is not confined to your machines only, several other
>>>internet machines also doing the same thing. I think we may have new
>>>worm or virus. It also can be DDOS.  It's just as important for us to
>>>know the nature of the attack as much as stopping the attack.
>>>
>>>			Daisy
>>>
>>>
>>>
>>>>      Date:  Tue, 26 Apr 2005 15:31:11 -0500
>>>>      From:  "Smith, Chris" <chris at mail.smu.edu>
>>>>        To:  "Daisy Nguyen" <daisy at cs.columbia.edu>, "Pan, James" <pan at mail.smu.edu>
>>>>   Subject:  RE: Law.smu.edu machines are attacking port 37
>>>>        Cc:  "Meikle, R. Bruce" <rbm at mail.smu.edu>,
>>>>             "Law School Technical Support" <lawtech at mail.smu.edu>,
>>>>             <cts at cs.columbia.edu>
>>>
>>>>Thanks, Daisy. I've confirmed this activity, and put a stop to it.
>>>>
>>>>--
>>>>J. Christian Smith - Information Security Manager
>>>>Information Technology Services, Southern Methodist University, Dallas
>>>>PGP fingerprint: B6A7 7B14 653F C98C 4355 2436 4850 9A1D FCA8 DAD4
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: Daisy Nguyen [mailto:daisy at cs.columbia.edu] 
>>>>Sent: Tuesday, April 26, 2005 3:17 PM
>>>>To: Pan, James
>>>>Cc: Smith, Chris; Meikle, R. Bruce; Law School Technical Support;
>>>>cts at cs.columbia.edu
>>>>Subject: Re: Law.smu.edu machines are attacking port 37 
>>>>
>>>>James:
>>>>
>>>>Even if these machines are not infected, they are still as of this
>>>>moment each sending at least 1 packet a second on port 37 to
>>>>cs.columbia.edu. If you believe this behavior to be legitimate, please
>>>>explain. Otherwise, I feel that this requires further investigation on
>>>>your part.
>>>>
>>>>I appreciate your help on this matter.
>>>>
>>>>bash-2.05# date
>>>>Tue Apr 26 16:16:01 EDT 2005
>>>>bash-2.05# snoop port 37 |grep smu
>>>>Using device /dev/bge (promiscuous mode)
>>>>dseiter.law.smu.edu -> cs.columbia.edu TIME C port=1058 
>>>>cs.columbia.edu -> dseiter.law.smu.edu TIME R port=1058 
>>>>advoc24b-3.law.smu.edu -> cs.columbia.edu TIME C port=2853 
>>>>cs.columbia.edu -> advoc24b-3.law.smu.edu TIME R port=2853 
>>>>advoc24b-3.law.smu.edu -> cs.columbia.edu TIME C port=2854 
>>>>cs.columbia.edu -> advoc24b-3.law.smu.edu TIME R port=2854 
>>>>dseiter.law.smu.edu -> cs.columbia.edu TIME C port=1059 
>>>>cs.columbia.edu -> dseiter.law.smu.edu TIME R port=1059 
>>>>advoc24b-3.law.smu.edu -> cs.columbia.edu TIME C port=2854 
>>>>cs.columbia.edu -> advoc24b-3.law.smu.edu TIME R port=2854 
>>>>dseiter.law.smu.edu -> cs.columbia.edu TIME C port=1059 
>>>>cs.columbia.edu -> dseiter.law.smu.edu TIME R port=1059 
>>>>advoc24b-3.law.smu.edu -> cs.columbia.edu TIME C port=2855 
>>>>cs.columbia.edu -> advoc24b-3.law.smu.edu TIME R port=2855 
>>>>dseiter.law.smu.edu -> cs.columbia.edu TIME C port=1060 
>>>>cs.columbia.edu -> dseiter.law.smu.edu TIME R port=1060 
>>>>advoc24b-3.law.smu.edu -> cs.columbia.edu TIME C port=2855 
>>>>cs.columbia.edu -> advoc24b-3.law.smu.edu TIME R port=2855 
>>>>smeyers.carr.smu.edu -> cs.columbia.edu TIME C port=3803 
>>>>cs.columbia.edu -> smeyers.carr.smu.edu TIME R port=3803 
>>>>lmontez.law.smu.edu -> cs.columbia.edu TIME C port=3587 
>>>>cs.columbia.edu -> lmontez.law.smu.edu TIME R port=3587 
>>>>advoc24b.law.smu.edu -> cs.columbia.edu TIME C port=3885 
>>>>cs.columbia.edu -> advoc24b.law.smu.edu TIME R port=3885 
>>>>smeyers.carr.smu.edu -> cs.columbia.edu TIME C port=3803 
>>>>cs.columbia.edu -> smeyers.carr.smu.edu TIME R port=3803 
>>>>mblachly.law.smu.edu -> cs.columbia.edu TIME C port=2431 
>>>>cs.columbia.edu -> mblachly.law.smu.edu TIME R port=2431 
>>>>
>>>>
>>>>			
>>>>			Daisy
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>      Date:  Tue, 26 Apr 2005 14:10:49 -0500
>>>>>      From:  "Pan, James" <pan at mail.smu.edu>
>>>>>        To:  "Daisy Nguyen" <daisy at cs.columbia.edu>
>>>>>   Subject:  RE: Law.smu.edu machines are attacking port 37
>>>>>        Cc:  <chris at smu.edu>, "Meikle, R. Bruce" <rbm at mail.smu.edu>,
>>>>>             <lawtech@smu.edu>
>>>>
>>>>>Daisy:
>>>>>
>>>>>Thank you for the email.  I am forwarding your message to our campus
>>>>>network department for further investigation.  (I have called and
>>>>>notified them regarding the current situation.)  
>>>>>
>>>>>Our team has checked out two of the six systems in the law school and no
>>>>>infection of any kind has been detected.
>>>>>Our team will inspect the remaining units immediately.
>>>>>
>>>>>If you have any questions, please do not hesitate to contact me.
>>>>>
>>>>>Sincerely,
>>>>>
>>>>>Jp :)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>James Pan
>>>>>Assistant Director for Computing and Technology Services
>>>>>Southern Methodist University - Dedman School of Law
>>>>>Tel. 214-768-1820
>>>>>Fax. 214-768-4330
>>>>>
>>>>>For the quickest reply, please email us at: lawtech at smu.edu
>>>>>
>>>>>All email will typically be answered within 24 hours.
>>>>>
>>>>>
>>>>>
>>>>>-----Original Message-----
>>>>>From: Daisy Nguyen [mailto:daisy at cs.columbia.edu] 
>>>>>Sent: Tuesday, April 26, 2005 1:10 PM
>>>>>To: Pan, James
>>>>>Subject: Law.smu.edu machines are attacking port 37
>>>>>
>>>>>Mr. Pan:
>>>>>
>>>>>This morning we found that one of our servers has been continuously
>>>>>attacked by many hosts on the internet, including six machines in the
>>>>>law.smu.edu domain. These machines are continuously trying to connect to
>>>>>the machine cs.columbia.edu on TCP port 37. Port 37 is the "time"
>>>>>service port.
>>>>>
>>>>>As well as stopping this traffic, we would like to find out exactly
>>>>>what is causing the traffic, such as worm or virus, so we can beware of
>>>>>the behavior of the attack. You may want to look into Sober worm
>>>>>(http://www.sarc.com/avcenter/venc/data/w32.sober.j@mm.html). If you
>>>>>could investigate and let us know, it would be extremely helpful.
>>>>>
>>>>>Here is a list of hosts from the law.smu.edu domain:
>>>>>advoc24b.law.smu.edu
>>>>>dseiter.law.smu.edu
>>>>>lmontez.law.smu.edu
>>>>>mblachly.law.smu.edu
>>>>>refoffice.law.smu.edu
>>>>>smeyers.carr.smu.edu (not law.smu.edu)
>>>>>
>>>>>
>>>>>And this is what tcpdump on one host looks like:
>>>>>
>>>>>14:01:29.146144 mblachly.law.smu.edu.3696 > cs.columbia.edu.time: S 1443432656:1443432656(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>>>>>14:01:29.146190 cs.columbia.edu.time > mblachly.law.smu.edu.3696: R 0:0(0) ack 1443432657 win 0 (DF)
>>>>>14:01:29.583876 mblachly.law.smu.edu.3696 > cs.columbia.edu.time: S 1443432656:1443432656(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>>>>>14:01:29.583920 cs.columbia.edu.time > mblachly.law.smu.edu.3696: R 0:0(0) ack 1 win 0 (DF)
>>>>>14:01:31.647524 mblachly.law.smu.edu.3697 > cs.columbia.edu.time: S 422914012:422914012(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>>>>>14:01:31.647556 cs.columbia.edu.time > mblachly.law.smu.edu.3697: R 0:0(0) ack 422914013 win 0 (DF)
>>>>>14:01:32.208596 mblachly.law.smu.edu.3697 > cs.columbia.edu.time: S 422914012:422914012(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>>>>>14:01:32.208643 cs.columbia.edu.time > mblachly.law.smu.edu.3697: R 0:0(0) ack 1 win 0 (DF)
>>>>>14:01:32.755405 mblachly.law.smu.edu.3697 > cs.columbia.edu.time: S 422914012:422914012(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>>>>>14:01:32.755456 cs.columbia.edu.time > mblachly.law.smu.edu.3697: R 0:0(0) ack 1 win 0 (DF)
>>>>>14:01:34.806654 mblachly.law.smu.edu.3698 > cs.columbia.edu.time: S 3082342921:3082342921(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>>>>>14:01:34.806695 cs.columbia.edu.time > mblachly.law.smu.edu.3698: R 0:0(0) ack 3082342922 win 0 (DF)
>>>>>14:01:35.271292 mblachly.law.smu.edu.3698 > cs.columbia.edu.time: S 3082342921:3082342921(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>>>>>14:01:35.271322 cs.columbia.edu.time > mblachly.law.smu.edu.3698: R 0:0(0) ack 1 win 0 (DF)
>>>>>14:01:35.818747 mblachly.law.smu.edu.3698 > cs.columbia.edu.time: S 3082342921:3082342921(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>>>>>14:01:35.818805 cs.columbia.edu.time > mblachly.law.smu.edu.3698: R 0:0(0) ack 1 win 0 (DF)
>>>>>14:01:37.882571 mblachly.law.smu.edu.3699 > cs.columbia.edu.time: S 2138935627:2138935627(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>>>>>14:01:37.882608 cs.columbia.edu.time > mblachly.law.smu.edu.3699: R 0:0(0) ack 2138935628 win 0 (DF)
>>>>>14:01:38.442938 mblachly.law.smu.edu.3699 > cs.columbia.edu.time: S 2138935627:2138935627(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>>>>>14:01:38.442978 cs.columbia.edu.time > mblachly.law.smu.edu.3699: R 0:0(0) ack 1 win 0 (DF)
>>>>>14:01:38.882535 mblachly.law.smu.edu.3699 > cs.columbia.edu.time: S 2138935627:2138935627(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>>>>>
>>>>>
>>>>>If you have any questions regarding this matter, please feel free to
>>>>>contact me.
>>>>>
>>>>>			
>>>>>			Thank you for your help,
>>>>>
>>>>>				Daisy
>>>>>
>>>>>
>>>>>
>>>>>---------------------------------------------------------------------------
>>>>>
>>>>>Daisy Nguyen					450 Computer Science
>>>>>Director, Computing Research Facilities		MC 0401
>>>>>Computer Science Department			500 West 120th Street
>>>>>Columbia University				New York, NY 10027
>>>>>Tel: (212) 939-7140				daisy at cs.columbia.edu
>>>>>Cell: (347) 782-2345
>>>>>Fax: (212) 666-0140
>>>>>
>>>>>
>>>>>
>>>------- End of Forwarded Message
>>>
>>>
>>>
>
>
>--MIMEStream=_0+232076_4693378078033_68816739321
>Content-Type: text/html; charset="us-ascii"; name="unnamed.html"
>Content-Transfer-Encoding: 7bit
>
><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
><html>
><head>
>  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
>  <title></title>
></head>
><body bgcolor="#ffffff" text="#000000">
><tt>Daisy,<br>
><br>
>I don't keep the lists and haven't for some time. You will need to
>contact the current keepers. See the link on my pages or go to
><a class="moz-txt-link-abbreviated" href="http://www.ntp.org">www.ntp.org</a>.<br>
><br>
>Dave<br>
><br>
>Daisy Nguyen wrote:</tt>
><blockquote cite="mid200505091356.j49Duaoq025331 at flame.cs.columbia.edu"
> type="cite">
>  <pre wrap=""><tt>David:
>
>Could you please remove our server, timex.cs.columbia.edu, from your
>Public NTP Secondary (stratum 2) Time Servers (number 50) and any other
>places on your list as an active ntp server. We are no longer provide the
>NTP service for the internet. If you have any questions, please feel
>free to contact me.
>
>50. US NY timex.cs.columbia.edu (128.59.16.20)
>Location: Columbia University Computer Science Department, New York City, NY
>Synchronization: NTP secondary (stratum 2), Sun/Unix
>Service Area: PSINET; NSFNET, NYSER region
>Access Policy: open access, authenticated NTP (DES/MD5) available
>Contact: James Tanis (<a class="moz-txt-link-abbreviated" href="mailto:timekeeper@
cs.columbia.edu">timekeeper at cs.columbia.edu</a>)
>Note: IP addresses are subject to change; please use DNS 
>
>			
>		Thank you for your help,
>
>			Daisy
>
>
>
>---------------------------------------------------------------------------
>
>Daisy Nguyen					450 Computer Science
>Director, Computing Research Facilities		MC 0401
>Computer Science Department			500 West 120th Street
>Columbia University				New York, NY 10027
>Tel: (212) 939-7140				<a class="moz-txt-link-abbreviated"
 href="mailto:daisy at cs.columbia.edu">daisy at cs.columbia.edu</a>
>Cell: (347) 782-2345
>Fax: (212) 666-0140
>
>
>
>
>
></tt></pre>
>  <blockquote type="cite">
>    <pre wrap=""><tt>      Date:  Sat, 7 May 2005 20:51:16 -0700
>      From:  "Rob Chambers" <a class="moz-txt-link-rfc2396E" href="mailto:robc at thi
nkman.com">&lt;robc at thinkman.com&gt;</a>
>        To:  "Daisy Nguyen" <a class="moz-txt-link-rfc2396E" href="mailto:daisy at cs
.columbia.edu">&lt;daisy at cs.columbia.edu&gt;</a>, <a class="moz-txt-link-rfc2396E" 
href="mailto:webmaster at thinkman.com">&lt;webmaster at thinkman.com&gt;</a>
>   Subject:  RE: Please remove our server from your list!
>        Cc:  <a class="moz-txt-link-rfc2396E" href="mailto:security at columbia.edu">
&lt;security at columbia.edu&gt;</a>, <a class="moz-txt-link-rfc2396E" href="mailto:hg
s at cs.columbia.edu">&lt;hgs at cs.columbia.edu&gt;</a>, &lt;<a class="moz-txt-link-abbr
eviated" href="mailto:smb at cs.columbia">smb at cs.columbia</a>
></tt></pre>
>  </blockquote>
>  <pre wrap=""><!----><tt>.edu&gt;,
>        <a class="moz-txt-link-rfc2396E" href="mailto:medina at columbia.edu">&lt;med
ina at columbia.edu&gt;</a>, <a class="moz-txt-link-rfc2396E" href="mailto:cts at cs.colu
mbia.edu">&lt;cts at cs.columbia.edu&gt;</a>, <a class="moz-txt-link-rfc2396E" href="m
ailto:chris at mail.smu.edu">&lt;chris at mail.smu.edu&gt;</a>
></tt></pre>
>  <blockquote type="cite">
>    <pre wrap=""><tt>: Content-class:  urn:content-classes:message
></tt></pre>
>  </blockquote>
>  <pre wrap=""><!----><tt>X-MimeOLE:  Produced By Microsoft Exchange V6.5.6944.0
>X-MS-Has-Attach:  
>X-MS-TNEF-Correlator:  
>Thread-Topic:  Please remove our server from your list!
>Thread-Index:  AcVLQivA/qUqYI5FRce9v3SX3jhJrAIPqD5A
>X-Loop-Detect:  1
>X-DistLoop-Detect:  1
>X-PMX-Version:  4.7.1.128075, Antispam-Engine: 2.0.3.1, Antispam-Data: 2005.5.7
>.9
>X-PerlMx-Spam:  Gauge=X, Probability=10%, Report='LINES_OF_YELLING_3 0.671, __C
>230066_P5 0, __CT 0, __CTE 0, __CTYPE_CHARSET_QUOTED 0, __CT_TEXT_PLAIN 0, __HA
>S_MSGID 0, __IMS_MSGID 0, __LINES_OF_YELLING 0, __MIME_VERSION 0, __SANE_MSGID 
>0'
>X-MIME-Autoconverted:  from quoted-printable to 8bit by papermate.cs.columbia.e
>du id j483q9bF022595
>X-Status:  
>X-Keywords:                   
>X-UID:  68
></tt></pre>
>  <blockquote type="cite">
>    <pre wrap=""><tt>Thanks Daisy.
>
>The last time I updated D4's server list, your site was listed on David
>Mills list of secondary NTP servers. In fact, it still is. See here:
><a class="moz-txt-link-freetext" href="http://www.eecis.udel.edu/~mills/ntp/clock2
a.html">http://www.eecis.udel.edu/~mills/ntp/clock2a.html</a>
>
>When I update D4's list of servers, I use an automated process that
>takes the sites listed on that page. 
>
>You should contact David to have your server removed.
>
>Let me know once that happens, and I'll make note of it for the next D4
>update.
>
>--rob chambers
>
>-----Original Message-----
>From: Daisy Nguyen [<a class="moz-txt-link-freetext" href="mailto:daisy at cs.columbi
a.edu">mailto:daisy at cs.columbia.edu</a>] 
>Sent: Wednesday, April 27, 2005 8:59 AM
>To: <a class="moz-txt-link-abbreviated" href="mailto:webmaster at thinkman.com">webma
ster at thinkman.com</a>
>Cc: <a class="moz-txt-link-abbreviated" href="mailto:security at columbia.edu">securi
ty at columbia.edu</a>; <a class="moz-txt-link-abbreviated" href="mailto:hgs at cs.columb
ia.edu">hgs at cs.columbia.edu</a>; <a class="moz-txt-link-abbreviated" href="mailto:s
mb at cs.columbia.edu">smb at cs.columbia.edu</a>;
><a class="moz-txt-link-abbreviated" href="mailto:medina at columbia.edu">medina at colum
bia.edu</a>; <a class="moz-txt-link-abbreviated" href="mailto:cts at cs.columbia.edu">
cts at cs.columbia.edu</a>; <a class="moz-txt-link-abbreviated" href="mailto:chris at mai
l.smu.edu">chris at mail.smu.edu</a>
>Subject: Please remove our server from your list!
>
>To whom it may concern:
>
>Our server, timex.cs.columbia.edu, has been under attack by several
>machines in the internet on port 37. We contacted the Law School of
>Southern Methodist University who has 5 machines that repeatedly sent
></tt></pre>
>  </blockquote>
>  <pre wrap=""><!----><tt>inquiry to this port. We were told that, they have been 
using
></tt></pre>
>  <blockquote type="cite">
>    <pre wrap=""><tt>Dimension4 software of <a class="moz-txt-link-abbreviated" hr
ef="http://www.thinkman.com">www.thinkman.com</a>. This software has our server
>as an available choice out of the box (see email below)
>
>We are no longer provide NTP (port 123), time (port 37) and daytime
>(port 13) service to internet machines.  This email is a formal request
>for thinkman.com to remove timex.cs.columbia.edu from your list. We
>appreciate your quick response to our request.
>
>			Sincerely,
>
>			Daisy Nguyen
>
>
>
>------------------------------------------------------------------------
>---
>
>Daisy Nguyen					450 Computer Science
>Director, Computing Research Facilities		MC 0401
>Computer Science Department			500 West 120th Street
>Columbia University				New York, NY 10027
>Tel: (212) 939-7140				<a class="moz-txt-link-abbreviated"
 href="mailto:daisy at cs.columbia.edu">daisy at cs.columbia.edu</a>
>Cell: (347) 782-2345
>Fax: (212) 666-0140
>
>
>
>------- Forwarded Message
>
>Return-Path: <a class="moz-txt-link-abbreviated" href="mailto:chris at mail.smu.edu">
chris at mail.smu.edu</a>
>Delivery-Date: Tue Apr 26 17:46:41 2005
>Return-Path: <a class="moz-txt-link-rfc2396E" href="mailto:chris at mail.smu.edu">&lt
;chris at mail.smu.edu&gt;</a>
>Received: from cs.columbia.edu (cs.columbia.edu [128.59.16.20])
>	by papermate.cs.columbia.edu (8.12.10/8.12.10) with ESMTP id
>j3QLkZbF019489
>	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256
>verify=NOT)
>	for <a class="moz-txt-link-rfc2396E" href="mailto:daisy at papermate.cs.columb
ia.edu">&lt;daisy at papermate.cs.columbia.edu&gt;</a>; Tue, 26 Apr 2005 17:46:35
>-0400 (EDT)
>Received: from s31xe5.systems.smu.edu (s31xe5.systems.smu.edu
>[129.119.70.74])
>	by cs.columbia.edu (8.12.10/8.12.10) with ESMTP id
>j3QLkSqs013506
>	for <a class="moz-txt-link-rfc2396E" href="mailto:daisy at cs.columbia.edu">&l
t;daisy at cs.columbia.edu&gt;</a>; Tue, 26 Apr 2005 17:46:29 -0400
>(EDT)
>X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
>Content-class: urn:content-classes:message
>MIME-Version: 1.0
>Content-Type: text/plain;
>	charset="us-ascii"
>Subject: RE: Law.smu.edu machines are attacking port 37 
>Date: Tue, 26 Apr 2005 16:46:22 -0500
>Message-ID:
><a class="moz-txt-link-rfc2396E" href="mailto:B6446C11A7C1964599C536A4230D107B01EB
7394 at s31xe5.systems.smu.edu">&lt;B6446C11A7C1964599C536A4230D107B01EB7394 at s31xe5.sy
stems.smu.edu&gt;</a>
>X-MS-Has-Attach: 
>X-MS-TNEF-Correlator: 
>Thread-Topic: Law.smu.edu machines are attacking port 37 
>Thread-Index: AcVKo9mAXGqYZGEdR1eNSE0DrN3Y6gAA8I9wAABpU7A=
>From: "Smith, Chris" <a class="moz-txt-link-rfc2396E" href="mailto:chris at mail.smu.
edu">&lt;chris at mail.smu.edu&gt;</a>
>To: "Daisy Nguyen" <a class="moz-txt-link-rfc2396E" href="mailto:daisy at cs.columbia
.edu">&lt;daisy at cs.columbia.edu&gt;</a>
>X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.0.3.1, Antispam-Data:
>2005.4.26.8
>X-PerlMx-Spam: Gauge=X, Probability=10%, Report='LINES_OF_YELLING_3
>0.671, __C230066_P5 0, __CT 0, __CTE 0, __CTYPE_CHARSET_QUOTED 0,
>__CT_TEXT_PLAIN 0, __HAS_MSGID 0, __IMS_MSGID 0, __LINES_OF_YELLING 0,
>__MIME_VERSION 0, __SANE_MSGID 0, __query.bondedsender.org_TIMEOUT '
>Content-Transfer-Encoding: 8bit
>X-MIME-Autoconverted: from quoted-printable to 8bit by
>papermate.cs.columbia.edu id j3QLkZbF019489
>
>FYI, the software was an older version of Dimension 4 from
>www.thinkman.com, distributed with your time server as an available
>choice "out of the box."
>
>- --
>J. Christian Smith - Information Security Manager
>Information Technology Services, Southern Methodist University, Dallas
>PGP fingerprint: B6A7 7B14 653F C98C 4355 2436 4850 9A1D FCA8 DAD4
>
>
>- -----Original Message-----
>From: Smith, Chris 
>Sent: Tuesday, April 26, 2005 4:39 PM
>To: 'Daisy Nguyen'
>Subject: RE: Law.smu.edu machines are attacking port 37 
>
>Staff have confirmed that the machines were actually set up to use
>cs.columbia.edu for time service. They were supposed to be synching
>every 15 minutes. It is not clear when your machine stopped offering
>this service, but it worked at some point in the past. Probably the fact
>that it is no longer offered is responsible for the higher packet rate
>as connections are retried, and the software has a fairly aggressive
>failure response.
>
>- --
>J. Christian Smith - Information Security Manager
>Information Technology Services, Southern Methodist University, Dallas
>PGP fingerprint: B6A7 7B14 653F C98C 4355 2436 4850 9A1D FCA8 DAD4
>
>
>- -----Original Message-----
>From: Daisy Nguyen [mailto:daisy at cs.columbia.edu] 
>Sent: Tuesday, April 26, 2005 4:07 PM
>To: Smith, Chris
>Subject: Re: Law.smu.edu machines are attacking port 37 
>
>Chris:
>
>Could you please find out what is going on with the attack on port 37?
>Since the attack is not confined to your machines only, several other
>internet machines are also doing the same thing. I think we may have a new
>worm or virus. It also can be a DDoS.  It's just as important for us to
>know the nature of the attack as it is to stop the attack.
>
>			Daisy
>
>
></tt></pre>
>      Date:  Tue, 26 Apr 2005 15:31:11 -0500
>      From:  "Smith, Chris" <chris at mail.smu.edu>
>        To:  "Daisy Nguyen" <daisy at cs.columbia.edu>, "Pan, James" <pan at mail.smu.edu>
>   Subject:  RE: Law.smu.edu machines are attacking port 37
>        Cc:  "Meikle, R. Bruce" <rbm at mail.smu.edu>,
>       "Law School Technical Support" <lawtech at mail.smu.edu>,
>       <cts@cs.columbia.edu>
>: X-MimeOLE:  Produced By Microsoft Exchange V6.5.7226.0
>Content-class:  urn:content-classes:message
>X-MS-Has-Attach:  
>X-MS-TNEF-Correlator:  
>Thread-Topic:  Law.smu.edu machines are attacking port 37 
>Thread-Index:  AcVKnOjtQ0572/KwR56PuoLC3R7BLQAAU7cw
>X-PMX-Version:  4.7.1.128075, Antispam-Engine: 2.0.3.1, Antispam-Data:
>2005.4.26.7
>X-PerlMx-Spam:  Gauge=IIIIIII, Probability=7%, Report='__C230066_P5 0,
>__CT 0, __CTE 0, __CTYPE_CHARSET_QUOTED 0, __CT_TEXT_PLAIN 0, __HAS_MSGID 0,
>__IMS_MSGID 0, __LINES_OF_YELLING 0, __MIME_VERSION 0, __SANE_MSGID 0'
>X-MIME-Autoconverted:  from quoted-printable to 8bit by
>papermate.cs.columbia.edu id j3QKVKbF010224
>
>Thanks, Daisy. I've confirmed this activity, and put a stop to it.
>
>--
>J. Christian Smith - Information Security Manager
>Information Technology Services, Southern Methodist University, Dallas
>PGP fingerprint: B6A7 7B14 653F C98C 4355 2436 4850 9A1D FCA8 DAD4
>
>
>-----Original Message-----
>From: Daisy Nguyen [mailto:daisy at cs.columbia.edu] 
>Sent: Tuesday, April 26, 2005 3:17 PM
>To: Pan, James
>Cc: Smith, Chris; Meikle, R. Bruce; Law School Technical Support;
>cts at cs.columbia.edu
>Subject: Re: Law.smu.edu machines are attacking port 37 
>
>James:
>
>Even if these machines are not infected, they are still as of this
>moment each sending at least 1 packet a second on port 37 to
>cs.columbia.edu. If you believe this behavior to be legitimate, please
>explain. Otherwise, I feel that this requires further investigation on
>your part.
>
>I appreciate your help on this matter.
>
>bash-2.05# date
>Tue Apr 26 16:16:01 EDT 2005
>bash-2.05# snoop port 37 |grep smu
>Using device /dev/bge (promiscuous mode)
>dseiter.law.smu.edu -> cs.columbia.edu TIME C port=1058
>cs.columbia.edu -> dseiter.law.smu.edu TIME R port=1058
>advoc24b-3.law.smu.edu -> cs.columbia.edu TIME C port=2853
>cs.columbia.edu -> advoc24b-3.law.smu.edu TIME R port=2853
>advoc24b-3.law.smu.edu -> cs.columbia.edu TIME C port=2854
>cs.columbia.edu -> advoc24b-3.law.smu.edu TIME R port=2854
>dseiter.law.smu.edu -> cs.columbia.edu TIME C port=1059
>cs.columbia.edu -> dseiter.law.smu.edu TIME R port=1059
>advoc24b-3.law.smu.edu -> cs.columbia.edu TIME C port=2854
>cs.columbia.edu -> advoc24b-3.law.smu.edu TIME R port=2854
>dseiter.law.smu.edu -> cs.columbia.edu TIME C port=1059
>cs.columbia.edu -> dseiter.law.smu.edu TIME R port=1059
>advoc24b-3.law.smu.edu -> cs.columbia.edu TIME C port=2855
>cs.columbia.edu -> advoc24b-3.law.smu.edu TIME R port=2855
>dseiter.law.smu.edu -> cs.columbia.edu TIME C port=1060
>cs.columbia.edu -> dseiter.law.smu.edu TIME R port=1060
>advoc24b-3.law.smu.edu -> cs.columbia.edu TIME C port=2855
>cs.columbia.edu -> advoc24b-3.law.smu.edu TIME R port=2855
>smeyers.carr.smu.edu -> cs.columbia.edu TIME C port=3803
>cs.columbia.edu -> smeyers.carr.smu.edu TIME R port=3803
>lmontez.law.smu.edu -> cs.columbia.edu TIME C port=3587
>cs.columbia.edu -> lmontez.law.smu.edu TIME R port=3587
>advoc24b.law.smu.edu -> cs.columbia.edu TIME C port=3885
>cs.columbia.edu -> advoc24b.law.smu.edu TIME R port=3885
>smeyers.carr.smu.edu -> cs.columbia.edu TIME C port=3803
>cs.columbia.edu -> smeyers.carr.smu.edu TIME R port=3803
>mblachly.law.smu.edu -> cs.columbia.edu TIME C port=2431
>cs.columbia.edu -> mblachly.law.smu.edu TIME R port=2431
>
>
>			Daisy
>
>
>      Date:  Tue, 26 Apr 2005 14:10:49 -0500
>      From:  "Pan, James" <pan at mail.smu.edu>
>        To:  "Daisy Nguyen" <daisy at cs.columbia.edu>
>   Subject:  RE: Law.smu.edu machines are attacking port 37
>        Cc:  <chris at smu.edu>, "Meikle, R. Bruce" <rbm at mail.smu.edu>,
>       <lawtech@smu.edu>
>: X-MimeOLE:  Produced By Microsoft Exchange V6.5.7226.0
>Content-class:  urn:content-classes:message
>X-MS-Has-Attach:  
>X-MS-TNEF-Correlator:  
>Thread-Topic:  Law.smu.edu machines are attacking port 37
>Thread-Index:  AcVKiyX5V+Eff3KETTuADW4GENC1mwAB3aiA
>X-Priority:  1
>Priority:  Urgent
>Importance:  high
>X-PMX-Version:  4.7.1.128075, Antispam-Engine: 2.0.3.1, Antispam-Data:
>2005.4.26.6
>X-PerlMx-Spam:  Gauge=X, Probability=10%, Report='PRIORITY_NO_NAME
>0.716, __C230066_P5 0, __CT 0, __CTE 0, __CTYPE_CHARSET_QUOTED 0, __CT_TEXT_PLAIN
>0, __HAS_MSGID 0, __HAS_X_PRIORITY 0, __IMS_MSGID 0, __MIME_VERSION 0,
>__SANE_MSGID 0'
>X-MIME-Autoconverted:  from quoted-printable to 8bit by
>papermate.cs.columbia.edu id j3QJB1bF029803
>
>Daisy:
>
>Thank you for the email.  I am forwarding your message to our campus
>network department for further investigation.  (I have called and
>notified them regarding the current situation.)  
>
>Our team has checked out two of the six systems in the law school and no
>infection of any kind has been detected.
>Our team will inspect the remaining units immediately.
>
>If you have any questions, please do not hesitate to contact me.
>
>Sincerely,
>
>Jp :)
>
>
>James Pan
>Assistant Director for Computing and Technology Services
>Southern Methodist University - Dedman School of Law
>Tel. 214-768-1820
>Fax. 214-768-4330
>
>For the quickest reply, please email us at: lawtech at smu.edu
>
>All email will typically be answered within 24 hours.
>
>
>
>-----Original Message-----
>From: Daisy Nguyen [mailto:daisy at cs.columbia.edu] 
>Sent: Tuesday, April 26, 2005 1:10 PM
>To: Pan, James
>Subject: Law.smu.edu machines are attacking port 37
>
>Mr. Pan:
>
>This morning we found that one of our servers has been continuously
>attacked by many hosts on the internet, including six machines in the
>law.smu.edu domain. These machines are continuously trying to connect to
>the machine cs.columbia.edu on TCP port 37. Port 37 is the "time"
>service port.
>
>As well as stopping this traffic, we would like to find out exactly
>what is causing the traffic, such as a worm or virus, so we can beware of
>the behavior of the attack. You may want to look into Sobol worm
>(http://www.sarc.com/avcenter/venc/data/w32.sober.j@mm.html). If you
>could investigate and let us know, it would be extremely helpful.
>
>Here is a list of hosts from the law.smu.edu domain:
>advoc24b.law.smu.edu
>dseiter.law.smu.edu
>lmontez.law.smu.edu
>mblachly.law.smu.edu
>refoffice.law.smu.edu
>smeyers.carr.smu.edu (not law.smu.edu)
>
>
>And this is what tcpdump on one host looks like:
>
>14:01:29.146144 mblachly.law.smu.edu.3696 > cs.columbia.edu.time: S 1443432656:1443432656(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>14:01:29.146190 cs.columbia.edu.time > mblachly.law.smu.edu.3696: R 0:0(0) ack 1443432657 win 0 (DF)
>14:01:29.583876 mblachly.law.smu.edu.3696 > cs.columbia.edu.time: S 1443432656:1443432656(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>14:01:29.583920 cs.columbia.edu.time > mblachly.law.smu.edu.3696: R 0:0(0) ack 1 win 0 (DF)
>14:01:31.647524 mblachly.law.smu.edu.3697 > cs.columbia.edu.time: S 422914012:422914012(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>14:01:31.647556 cs.columbia.edu.time > mblachly.law.smu.edu.3697: R 0:0(0) ack 422914013 win 0 (DF)
>14:01:32.208596 mblachly.law.smu.edu.3697 > cs.columbia.edu.time: S 422914012:422914012(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>14:01:32.208643 cs.columbia.edu.time > mblachly.law.smu.edu.3697: R 0:0(0) ack 1 win 0 (DF)
>14:01:32.755405 mblachly.law.smu.edu.3697 > cs.columbia.edu.time: S 422914012:422914012(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>14:01:32.755456 cs.columbia.edu.time > mblachly.law.smu.edu.3697: R 0:0(0) ack 1 win 0 (DF)
>14:01:34.806654 mblachly.law.smu.edu.3698 > cs.columbia.edu.time: S 3082342921:3082342921(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>14:01:34.806695 cs.columbia.edu.time > mblachly.law.smu.edu.3698: R 0:0(0) ack 3082342922 win 0 (DF)
>14:01:35.271292 mblachly.law.smu.edu.3698 > cs.columbia.edu.time: S 3082342921:3082342921(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>14:01:35.271322 cs.columbia.edu.time > mblachly.law.smu.edu.3698: R 0:0(0) ack 1 win 0 (DF)
>14:01:35.818747 mblachly.law.smu.edu.3698 > cs.columbia.edu.time: S 3082342921:3082342921(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>14:01:35.818805 cs.columbia.edu.time > mblachly.law.smu.edu.3698: R 0:0(0) ack 1 win 0 (DF)
>14:01:37.882571 mblachly.law.smu.edu.3699 > cs.columbia.edu.time: S 2138935627:2138935627(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>14:01:37.882608 cs.columbia.edu.time > mblachly.law.smu.edu.3699: R 0:0(0) ack 2138935628 win 0 (DF)
>14:01:38.442938 mblachly.law.smu.edu.3699 > cs.columbia.edu.time: S 2138935627:2138935627(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>14:01:38.442978 cs.columbia.edu.time > mblachly.law.smu.edu.3699: R 0:0(0) ack 1 win 0 (DF)
>14:01:38.882535 mblachly.law.smu.edu.3699 > cs.columbia.edu.time: S 2138935627:2138935627(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>
>
>If you have any questions regarding this matter, please feel free to
>contact me.
>
>
>			Thank you for your help,
>
>				Daisy
>
>
>
>---------------------------------------------------------------------------
>
>Daisy Nguyen					450 Computer Science
>Director, Computing Research Facilities		MC 0401
>Computer Science Department			500 West 120th Street
>Columbia University				New York, NY 10027
>Tel: (212) 939-7140				daisy at cs.columbia.edu
>Cell: (347) 782-2345
>Fax: (212) 666-0140
>
>
>------- End of Forwarded Message
>
>
>  </blockquote>
></blockquote>
></body>
></html>
>
>--MIMEStream=_0+232076_4693378078033_68816739321--
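
Added example (not part of the original thread): the tcpdump capture quoted above, parsed to show the pattern Chris Smith describes, one client retrying a refused connection to a single service instead of scanning. The function names and the `is_retry_loop` heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Packets re-joined from the tcpdump capture quoted in the thread (two attempts).
CAPTURE = """\
14:01:31.647524 mblachly.law.smu.edu.3697 > cs.columbia.edu.time: S 422914012:422914012(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:01:31.647556 cs.columbia.edu.time > mblachly.law.smu.edu.3697: R 0:0(0) ack 422914013 win 0 (DF)
14:01:32.208596 mblachly.law.smu.edu.3697 > cs.columbia.edu.time: S 422914012:422914012(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:01:32.208643 cs.columbia.edu.time > mblachly.law.smu.edu.3697: R 0:0(0) ack 1 win 0 (DF)
14:01:32.755405 mblachly.law.smu.edu.3697 > cs.columbia.edu.time: S 422914012:422914012(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:01:32.755456 cs.columbia.edu.time > mblachly.law.smu.edu.3697: R 0:0(0) ack 1 win 0 (DF)
14:01:34.806654 mblachly.law.smu.edu.3698 > cs.columbia.edu.time: S 3082342921:3082342921(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:01:34.806695 cs.columbia.edu.time > mblachly.law.smu.edu.3698: R 0:0(0) ack 3082342922 win 0 (DF)
14:01:35.271292 mblachly.law.smu.edu.3698 > cs.columbia.edu.time: S 3082342921:3082342921(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:01:35.271322 cs.columbia.edu.time > mblachly.law.smu.edu.3698: R 0:0(0) ack 1 win 0 (DF)
14:01:35.818747 mblachly.law.smu.edu.3698 > cs.columbia.edu.time: S 3082342921:3082342921(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:01:35.818805 cs.columbia.edu.time > mblachly.law.smu.edu.3698: R 0:0(0) ack 1 win 0 (DF)
"""
LINE = re.compile(r"^(\d+):(\d+):([\d.]+) (\S+)\.(\w+) > (\S+)\.(\w+): ([A-Z.]+) ")

def parse(text):
    """Yield (seconds, src_host, src_port, dst_host, dst_port, flags) per packet."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        h, mi, s, sh, sp, dh, dp, fl = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + float(s), sh, sp, dh, dp, fl

def summarize(text, service="time"):
    """Per client: SYNs sent per source port, ports refused with RST, gaps between attempts."""
    syns = defaultdict(lambda: defaultdict(list))  # client -> source port -> SYN times
    refused = defaultdict(set)                     # client -> source ports answered by RST
    for t, sh, sp, dh, dp, fl in parse(text):
        if fl == "S" and dp == service:
            syns[sh][sp].append(t)
        elif fl == "R" and sp == service:
            refused[dh].add(dp)
    report = {}
    for client, ports in syns.items():
        starts = sorted(times[0] for times in ports.values())
        report[client] = {
            "attempts": len(ports),
            "syns_per_attempt": sorted(len(ts) for ts in ports.values()),
            "refused": sorted(refused[client]),
            "gap_s": [round(b - a, 2) for a, b in zip(starts, starts[1:])],
        }
    return report

def is_retry_loop(entry):
    """Heuristic assumed for this example: every attempt refused, several SYNs each."""
    return len(entry["refused"]) == entry["attempts"] and min(entry["syns_per_attempt"]) > 1
```

Each source port carries three identical SYNs, each answered with a RST, and a fresh port is opened about three seconds later: a single application retrying one closed service.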

