[nsp-sec] Large injection AS4134, lots of upstreams
Smith, Donald
Donald.Smith at qwest.com
Tue Apr 22 19:17:08 EDT 2008
If you google for www.nihaorr1.com you will find the target of the "large injection site" that several av companies and some certs are talking about today. This resolves to 219.153.46.28. From there users get directed to a site that tries to exploit several applications.
Some details here:
http://securitylabs.websense.com/content/Alerts/3070.aspx
http://isc.sans.org/diary.html?n&storyid=4294
Here is the actual google search
http://www.google.co.uk/search?q=%3Cscript+src%3Dhttp://www.nihaorr1.com&hl=en&start=0&sa=N
bash-3.1$ whois -h whois.cymru.com 219.153.46.28
AS | IP | AS Name
4134 | 219.153.46.28 | CHINANET-BACKBONE No.31,Jin-rong Street
bash-3.1$ whois -h upstream-whois.cymru.com 219.153.46.28
PEER_AS | IP | AS Name
174 | 219.153.46.28 | COGENT Cogent/PSI
703 | 219.153.46.28 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
1239 | 219.153.46.28 | SPRINTLINK - Sprint
2828 | 219.153.46.28 | XO-AS15 - XO Communications
2914 | 219.153.46.28 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3257 | 219.153.46.28 | TISCALI-BACKBONE Tiscali Intl Network BV
3320 | 219.153.46.28 | DTAG Deutsche Telekom AG
3549 | 219.153.46.28 | GBLX Global Crossing Ltd.
3561 | 219.153.46.28 | SAVVIS - Savvis
11164 | 219.153.46.28 | TRANSITRAIL - National LambdaRail, LLC
17888 | 219.153.46.28 | SINGTEL-HK SingTel Hong Kong Limited
If someone could get this taken down that would be most beneficial.
donald.smith at qwest.com giac
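The origin-AS and upstream lookups above, as an added example that is not code from the original message: a parser for the pipe-delimited Team Cymru whois output (format assumed from what is quoted in the post) that skips header rows and rejoins an AS name a terminal wrapped onto a second line, then summarises origin and upstream ASNs for the looked-up IP. The sample output is constructed.

```python
from dataclasses import dataclass

# Constructed sample in the Team Cymru whois layout quoted in the post;
# the upstream block includes one AS name wrapped by the terminal.
ORIGIN_OUTPUT = """\
AS | IP | AS Name
4134 | 219.153.46.28 | CHINANET-BACKBONE No.31,Jin-rong Street
"""
UPSTREAM_OUTPUT = """\
PEER_AS | IP | AS Name
174 | 219.153.46.28 | COGENT Cogent/PSI
703 | 219.153.46.28 | UUNET - MCI Communications Services, Inc. d/b/a Ver
izon Business
1239 | 219.153.46.28 | SPRINTLINK - Sprint
"""

@dataclass
class AsRecord:
    asn: int
    ip: str
    name: str

def parse_cymru(text: str) -> list[AsRecord]:
    """Parse pipe-delimited whois output into records.

    Header rows (non-numeric first field) are skipped. A line with no
    pipe separators is a continuation of a wrapped AS name and is joined
    to the previous record without a space, since the wrap split a word.
    """
    records: list[AsRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 3:
            if records:
                records[-1].name += line
            continue
        if not parts[0].isdigit():
            continue  # header row such as "AS | IP | AS Name"
        records.append(AsRecord(int(parts[0]), parts[1], " | ".join(parts[2:])))
    return records

def attribution(origin_text: str, upstream_text: str) -> dict:
    """Summarise the origin AS and its upstream peers for one looked-up IP."""
    origin = parse_cymru(origin_text)
    if len(origin) != 1:
        raise ValueError("expected exactly one origin-AS record")
    upstreams = parse_cymru(upstream_text)
    return {
        "ip": origin[0].ip,
        "origin_asn": origin[0].asn,
        "origin_name": origin[0].name,
        "upstream_asns": sorted(r.asn for r in upstreams),
    }

if __name__ == "__main__":
    print(attribution(ORIGIN_OUTPUT, UPSTREAM_OUTPUT))
```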