[From nobody Fri Oct  9 17:20:48 2009
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on stamps.cs.ucsb.edu
X-Spam-Level: 
X-Spam-Status: No, score=-4.0 required=5.0 tests=HTML_MESSAGE,
	RCVD_IN_DNSWL_MED shortcircuit=no autolearn=failed version=3.2.5
Received: from stamps.cs.ucsb.edu (stamps.cs.ucsb.edu [128.111.41.14])
	by letters.cs.ucsb.edu (8.13.1/8.13.1) with ESMTP id n99NFvdX000390
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Fri, 9 Oct 2009 16:15:57 -0700
Received: from Waldron (waldron.cs.ucsb.edu [128.111.41.237])
	by stamps.cs.ucsb.edu (8.13.1/8.13.1) with ESMTP id n99NFrUw025847;
	Fri, 9 Oct 2009 16:15:53 -0700
From: "Matthew Turk" <mturk@cs.ucsb.edu>
To: "'Andreas Boschke'" <andreas@cs.ucsb.edu>
Cc: "'Tobias Hollerer'" <holl@cs.ucsb.edu>
References: <CA2D7AD7-0E56-4368-AB51-78C5B4DCB3A5@cs.ucsb.edu>
In-Reply-To: <CA2D7AD7-0E56-4368-AB51-78C5B4DCB3A5@cs.ucsb.edu>
Subject: RE: [COMS #28641] [UCSB-OIT #165624] 128.111.28.95 Infected With
	Conficker
Date: Fri, 9 Oct 2009 16:15:38 -0700
Organization: UCSB
Message-ID: <04b201ca4936$69f7f580$3de7e080$@ucsb.edu>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_04B3_01CA48FB.BD991D80"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpJNTcZD3QoHNyWSeO7j6j1HDc1cAAAPLiA
Content-Language: en-us
X-Greylist: Sender succeeded STARTTLS authentication, not delayed by
	milter-greylist-4.0a6 (letters.cs.ucsb.edu [128.111.41.13]);
	Fri, 09 Oct 2009 16:15:57 -0700 (PDT)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0a6
	(stamps.cs.ucsb.edu [128.111.41.14]);
	Fri, 09 Oct 2009 16:15:53 -0700 (PDT)
X-Virus-Scanned: clamav-milter 0.95.1 at stamps
X-Virus-Status: Clean

This is a multi-part message in MIME format.

------=_NextPart_000_04B3_01CA48FB.BD991D80
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Andreas,

 

Can you tell us anything more about the machine? MAC address or location?
(We have two lab locations: trailer and Elings Hall).

 

Thanks,

            Matthew

 

From: Andreas Boschke [mailto:andreas@cs.ucsb.edu] 
Sent: Friday, October 09, 2009 4:07 PM
To: Tobias Hollerer; Matthew Turk
Subject: [COMS #28641] [UCSB-OIT #165624] 128.111.28.95 Infected With
Conficker

 

Hi Tobias and Matthew:

 

Would you please ask your students to fix this please?

 

Thanks, 

 

-Andreas 

 

On Fri Oct 09 10:06:55 2009, security@ucsb.edu wrote:

> Greetings,

> 

> 128.111.28.95 is infected with the Conficker worm. Here is a sample of

> the worm reporting to a controller:

> 

> T 2009/10/08 15:28:53.201435 128.111.28.95:54445 -> 83.68.16.6:80 [AP]

> GET /search?q=0 HTTP/1.0.

> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;

> .NET CLR 2.0.50727; .NET CLR 1.0.3705; .NET CLR 3.0.04506.648; .NET

> CLR 3.5.21022).

> Host: 83.68.16.6.

> Pragma: no-cache.

> .

> 

> Please investigate and advise.

> 

 


------=_NextPart_000_04B3_01CA48FB.BD991D80
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Helvetica;
	panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-reply;
	font-family:"Arial","sans-serif";
	color:#000099;
	font-weight:normal;
	font-style:normal;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple style=3D'word-wrap: =
break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>

<div class=3DSection1>

<p class=3DMsoNormal><span =
style=3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:#000099'>Andreas,<o:p></o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:#000099'><o:p> </o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:#000099'>Can you tell us anything more about the machine? MAC =
address or
location? (We have two lab locations: trailer and Elings =
Hall).<o:p></o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:#000099'><o:p> </o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:#000099'>Thanks,<o:p></o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:#000099'>         &nbs=
p;  Matthew<o:p></o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:#000099'><o:p> </o:p></span></p>

<div>

<div style=3D'border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt =
0in 0in 0in'>

<p class=3DMsoNormal><b><span =
style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span>=
</b><span
style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andreas =
Boschke
[mailto:andreas@cs.ucsb.edu] <br>
<b>Sent:</b> Friday, October 09, 2009 4:07 PM<br>
<b>To:</b> Tobias Hollerer; Matthew Turk<br>
<b>Subject:</b> [COMS #28641] [UCSB-OIT #165624] 128.111.28.95 Infected =
With
Conficker<o:p></o:p></span></p>

</div>

</div>

<p class=3DMsoNormal><o:p> </o:p></p>

<p class=3DMsoNormal>Hi Tobias and Matthew:<o:p></o:p></p>

<div>

<p class=3DMsoNormal><o:p> </o:p></p>

</div>

<div>

<p class=3DMsoNormal>Would you please ask your students to fix this =
please?<o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><o:p> </o:p></p>

</div>

<div>

<p class=3DMsoNormal>Thanks, <o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><o:p> </o:p></p>

</div>

<div>

<p class=3DMsoNormal>-Andreas <o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><o:p> </o:p></p>

</div>

<div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>On
Fri Oct 09 10:06:55 2009, <a =
href=3D"mailto:security@ucsb.edu">security@ucsb.edu</a>
wrote:</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>>
Greetings,</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>> =
</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>>
128.111.28.95 is infected with the Conficker worm. Here is a sample =
of</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>>
the worm reporting to a controller:</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>> =
</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>>
T 2009/10/08 15:28:53.201435 128.111.28.95:54445 -> 83.68.16.6:80 =
[AP]</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>>
GET /search?q=3D0 HTTP/1.0.</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; =
SV1;</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>>
.NET CLR 2.0.50727; .NET CLR 1.0.3705; .NET CLR 3.0.04506.648; =
.NET</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>>
CLR 3.5.21022).</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>>
Host: 83.68.16.6.</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>>
Pragma: no-cache.</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>>
.</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>> =
</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>>
Please investigate and advise.</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'>> =
</span><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif"'><o:p>&nbsp=
;</o:p></span></p>

</div>

</div>

</div>

</body>

</html>

------=_NextPart_000_04B3_01CA48FB.BD991D80--
]