John Chamberlain
Developer Diary
 Developer Diary · You Heard It Here First · Monday 26 January 2004
The Hunt for Nimdite 24.130.108.10 Begins
Yesterday I showed my poor server log revealing an attack by Nimda running on a machine with the IP address of 24.130.108.10. I often wonder who these people are that are attacking me. Obviously they must have no idea that their little word processor is scanning the net and attacking thousands of people every day. Who can these people be?

To try to find out I first did a reverse DNS and came up with the identification c-24-130-108-10.we.client2.attbi.com. My next step was to google this client. The only results were from virus logs and one site's log, http://sketchbook.sbc.edu/. The user had visited the sketchbook once. Aha! It's an artist. I guess that explains why they can go years without noticing their machine is infected with a monstrous worm. Too much absinthe.

Step 2 was to do a traceroute to the Nimdite:


Tracing route to c-24-130-108-10.we.client2.attbi.com [24.130.108.10]
over a maximum of 30 hops:

  1    40 ms    50 ms    10 ms  10.217.48.1
  2    10 ms   <10 ms    70 ms  bar01-p5-2.ntckhe1.ma.attbb.net [24.147.0.157]
  3    10 ms    10 ms    10 ms  bic01-d2-0.ndhmhe1.ma.attbb.net [24.91.0.173]
  4    10 ms    10 ms    10 ms  12.125.33.33
  5    10 ms    10 ms    10 ms  gbr2-p60.cb1ma.ip.att.net [12.123.40.142]
  6    10 ms    10 ms    10 ms  tbr2-p012701.cb1ma.ip.att.net [12.122.5.65]
  7    30 ms    30 ms    30 ms  tbr2-cl5.cgcil.ip.att.net [12.122.10.106]
  8    30 ms    40 ms    40 ms  tbr2-cl7.sl9mo.ip.att.net [12.122.10.46]
  9    70 ms   101 ms    80 ms  tbr2-cl2.la2ca.ip.att.net [12.122.10.14]
 10    70 ms    90 ms    70 ms  gar1-p370.lsrca.ip.att.net [12.123.199.242]
 11    80 ms    80 ms    70 ms  12.119.9.22
 12    80 ms    80 ms   100 ms  bar01-p5-0.lsanhe6.ca.attbb.net [24.130.0.185]
 13    80 ms    70 ms    90 ms  bar01-p6-0.cmtnhe1.ca.attbb.net [24.130.0.181]
 14    80 ms    80 ms    70 ms  bar01-d8-0-0.blflhe1.ca.attbb.net [24.130.2.250]
 15    70 ms    90 ms    80 ms  bar01-p0-0-0.lkwdhe1.ca.attbb.net [24.130.64.105]
 16    80 ms    80 ms    80 ms  ubr02-p1-0.lkwdhe1.ca.attbb.net [24.130.64.98]
 17    81 ms   100 ms   100 ms  c-24-130-108-10.we.client2.attbi.com [24.130.108.10]

You can see the daleks in this route, mine at 12.125.33.33 and his at 12.119.9.22, but that is a different problem. The upstream router is ubr02-p1-0.lkwdhe1.ca.attbb.net. Hmm, could lkwd be Lakewood?
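To make that reading of the trace repeatable, here is an added example (not code from the diary) that parses Windows tracert output, picks out the hop just before the destination, and splits its router name into site and state labels. It assumes the device.site.state.provider.tld naming the attbb.net hops above happen to use; the "Request timed out." hop in the sample is constructed to exercise the timeout case.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Sample input: hops copied from the tracert output in the diary entry, plus a
# constructed hop 3 ("Request timed out.") so the timeout case is exercised.
SAMPLE = """\
Tracing route to c-24-130-108-10.we.client2.attbi.com [24.130.108.10]
  1    40 ms    50 ms    10 ms  10.217.48.1
  2    10 ms   <10 ms    70 ms  bar01-p5-2.ntckhe1.ma.attbb.net [24.147.0.157]
  3     *        *        *     Request timed out.
 16    80 ms    80 ms    80 ms  ubr02-p1-0.lkwdhe1.ca.attbb.net [24.130.64.98]
 17    81 ms   100 ms   100 ms  c-24-130-108-10.we.client2.attbi.com [24.130.108.10]
"""

# tracert prints three RTT columns ("NN ms", "<10 ms", or "*" for no reply),
# then either a PTR name followed by [ip] or, with no reverse DNS, a bare IP.
RTT = r"(?:<?\d+ ms|\*)"
HOP_RE = re.compile(rf"^\s*(\d+)\s+({RTT})\s+({RTT})\s+({RTT})\s+(\S+)(?:\s+\[([\d.]+)\])?\s*$")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*\s+\*\s+\*\s+Request timed out\.\s*$")

@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[int]]  # None where a probe got no reply; "<10 ms" kept as 10
    host: Optional[str]           # PTR name, or None if tracert printed only an IP
    ip: Optional[str]             # None when all three probes timed out

def parse_tracert(text: str) -> List[Hop]:
    hops = []
    for line in text.splitlines():
        t = TIMEOUT_RE.match(line)
        if t:
            hops.append(Hop(int(t.group(1)), [None, None, None], None, None))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # the "Tracing route to ..." header and blank lines
        num, r1, r2, r3, name, ip = m.groups()
        rtts = [None if r == "*" else int(r.lstrip("<").split()[0]) for r in (r1, r2, r3)]
        hops.append(Hop(int(num), rtts, name if ip else None, ip or name))
    return hops

def upstream_router(hops: List[Hop]) -> Optional[Hop]:
    # The hop just before the destination: the ISP router whose name carries the site code.
    return hops[-2] if len(hops) >= 2 else None

def site_labels(host: str) -> tuple:
    # Assumes the device.site.state.provider.tld layout the attbb.net hops above follow.
    parts = host.split(".")
    return (parts[1], parts[2]) if len(parts) >= 5 else ()
```

The site label is only a naming convention hint; confirming where a router actually sits still needs the provider's own information.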

OK, why don't we try the human factor. The sketchbook web site our mystery man accessed is a tiny site run by some artist named Kestner. I will email him and ask him if he knows anyone who lives in Lakewood, California.

Stay tuned for Mr. Kestner's response...

Revised 26 January 2004