From owner-freebsd-isp@FreeBSD.ORG  Fri Aug 22 14:25:50 2003
Return-Path: <owner-freebsd-isp@FreeBSD.ORG>
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B8D5516A4BF
	for <freebsd-isp@freebsd.org>; Fri, 22 Aug 2003 14:25:50 -0700 (PDT)
Received: from satin.sensation.net.au
	(c210-49-158-113.brodm1.vic.optusnet.com.au [210.49.158.113])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AC7DC43FDF
	for <freebsd-isp@freebsd.org>; Fri, 22 Aug 2003 14:25:49 -0700 (PDT)
	(envelope-from rowan@sensation.net.au)
Received: from satin.sensation.net.au (localhost [127.0.0.1])
	by satin.sensation.net.au (8.12.8/8.12.6) with ESMTP id h7MLPmoq035595
	for <freebsd-isp@freebsd.org>; Sat, 23 Aug 2003 07:25:48 +1000 (EST)
	(envelope-from rowan@sensation.net.au)
Received: from localhost (rowan@localhost)h7MLPmw2035592
	for <freebsd-isp@freebsd.org>; Sat, 23 Aug 2003 07:25:48 +1000 (EST)
X-Authentication-Warning: satin.sensation.net.au: rowan owned process doing
	-bs
Date: Sat, 23 Aug 2003 07:25:47 +1000 (EST)
From: Rowan Crowe <rowan@sensation.net.au>
To: freebsd-isp@freebsd.org
In-Reply-To: <047a01c368f2$d0a933f0$0d3f11c8@ncrj.rnp.br>
Message-ID: <Pine.BSF.4.21.0308230722470.35459-100000@satin.sensation.net.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: sobig effects - batten down the hatches
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers <freebsd-isp.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-isp>
List-Post: <mailto:freebsd-isp@freebsd.org>
List-Help: <mailto:freebsd-isp-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Aug 2003 21:25:51 -0000

On Fri, 22 Aug 2003, Alex Soares de Moura wrote:

> Yes, we've applied ACLs to some destinations known it would try
> to access and in the programmed time, we started to get hits on the
> ACLs:
> 
>     deny ip any host 67.73.21.6 log (558 matches)
>     deny ip any host 68.38.159.161 log (470 matches)
>     deny ip any host 67.9.241.67 log (593 matches)
>     deny ip any host 66.131.207.81 log (460 matches)
>     deny ip any host 65.177.240.194 log (623 matches)
>     deny ip any host 65.93.81.59 log (441 matches)
>     deny ip any host 65.95.193.138 log (622 matches)
>     deny ip any host 65.92.186.145 log (478 matches)
>     deny ip any host 63.250.82.87 log (644 matches)
>     deny ip any host 65.92.80.218 log (459 matches)
>     deny ip any host 61.38.187.59 log (621 matches)
>     deny ip any host 24.210.182.156 log (498 matches)
>     deny ip any host 24.202.91.43 log (630 matches)
>     deny ip any host 24.206.75.137 log (490 matches)
>     deny ip any host 24.197.143.132 log (664 matches)
>     deny ip any host 12.158.102.205 log (488 matches)
>     deny ip any host 24.33.66.38 log (685 matches)
>     deny ip any host 218.147.164.29 log (475 matches)
>     deny ip any host 12.232.104.221 log (646 matches)
>     deny ip any host 68.50.208.96 log (519 matches)

Hi Alex:

Where did you get this list of IPs? How long ago did you see the accesses
start? I've been hunting around google and news sites, but so far I can't
find any articles that say anything more than "it will happen" ...

Cheers.


--
Rowan Crowe - Melbourne, Australia