[nsp-sec] ACK 174 RE: Large injection AS4134, lots of upstreams

Shelton, Steve sshelton at Cogentco.com
Wed Apr 23 06:58:45 EDT 2008


Hello,

Thanks for the heads up, visibility for 219.153.46.28 slightly decreased
on 174.

Steve Shelton
Cogent Abuse

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Smith, Donald
Sent: Tuesday, April 22, 2008 7:17 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Large injection AS4134, lots of upstreams

----------- nsp-security Confidential --------

If you google for www.nihaorr1.com you will find the target of the
"large injection site" that several av companies and some certs are
talking about today. This resolves to 219.153.46.28. From there users
get directed to a site that tries to exploit several applications.
Some details here:
http://securitylabs.websense.com/content/Alerts/3070.aspx
http://isc.sans.org/diary.html?n&storyid=4294
 
 
Here is the actual google search 
 
http://www.google.co.uk/search?q=%3Cscript+src%3Dhttp://www.nihaorr1.com&hl=en&start=0&sa=N
 
 
bash-3.1$ whois -h whois.cymru.com 219.153.46.28
AS      | IP               | AS Name
4134    | 219.153.46.28    | CHINANET-BACKBONE No.31,Jin-rong Street
bash-3.1$ whois -h upstream-whois.cymru.com 219.153.46.28
PEER_AS | IP               | AS Name
174     | 219.153.46.28    | COGENT Cogent/PSI
703     | 219.153.46.28    | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
1239    | 219.153.46.28    | SPRINTLINK - Sprint
2828    | 219.153.46.28    | XO-AS15 - XO Communications
2914    | 219.153.46.28    | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3257    | 219.153.46.28    | TISCALI-BACKBONE Tiscali Intl Network BV
3320    | 219.153.46.28    | DTAG Deutsche Telekom AG
3549    | 219.153.46.28    | GBLX Global Crossing Ltd.
3561    | 219.153.46.28    | SAVVIS - Savvis
11164   | 219.153.46.28    | TRANSITRAIL - National LambdaRail, LLC
17888   | 219.153.46.28    | SINGTEL-HK SingTel Hong Kong Limited
 
If someone could get this taken down that would be most beneficial.
 
donald.smith at qwest.com giac
 


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
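The thread quotes two Team Cymru lookups: the origin AS for 219.153.46.28 and the list of upstream peer ASes that a responder would need to contact. As an added example that is not part of the thread, and not code from either author, here is a small Python parser for that pipe-delimited whois output that turns the rows into records and builds the origin-plus-upstreams notification list. The `AsRecord`, `parse_cymru`, `upstream_asns` and `notification_plan` names are mine, and the sample text is the thread's two lookups re-typed as constructed input.

```python
"""Added example: parse Team Cymru whois output into structured records.

Assumptions (not from the thread): the record/function names are mine; the
sample text reproduces the two lookups quoted in the thread, re-typed as
constructed input in the pipe-delimited form whois.cymru.com returns.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AsRecord:
    """One row of a Cymru lookup: the AS (origin or peer), the queried IP, AS name."""
    asn: int
    ip: str
    as_name: str


# Constructed sample: origin-AS lookup (whois -h whois.cymru.com 219.153.46.28).
ORIGIN_OUTPUT = """\
AS      | IP               | AS Name
4134    | 219.153.46.28    | CHINANET-BACKBONE No.31,Jin-rong Street
"""

# Constructed sample: upstream lookup (whois -h upstream-whois.cymru.com 219.153.46.28).
UPSTREAM_OUTPUT = """\
PEER_AS | IP               | AS Name
174     | 219.153.46.28    | COGENT Cogent/PSI
703     | 219.153.46.28    | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
1239    | 219.153.46.28    | SPRINTLINK - Sprint
2828    | 219.153.46.28    | XO-AS15 - XO Communications
2914    | 219.153.46.28    | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3257    | 219.153.46.28    | TISCALI-BACKBONE Tiscali Intl Network BV
3320    | 219.153.46.28    | DTAG Deutsche Telekom AG
3549    | 219.153.46.28    | GBLX Global Crossing Ltd.
3561    | 219.153.46.28    | SAVVIS - Savvis
11164   | 219.153.46.28    | TRANSITRAIL - National LambdaRail, LLC
17888   | 219.153.46.28    | SINGTEL-HK SingTel Hong Kong Limited
"""


def parse_cymru(text):
    """Return the AsRecord rows of a Cymru lookup, skipping the header line.

    The AS name is the last column and may itself contain commas, so each line
    is split on at most two '|' separators rather than on every delimiter.
    Rows whose first column is not numeric (the 'AS'/'PEER_AS' header, or an
    'NA' placeholder for an address with no covering route) are skipped.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split("|", 2)]
        if len(fields) != 3:
            raise ValueError(f"unexpected Cymru line: {line!r}")
        asn, ip, name = fields
        if not asn.isdigit():
            continue
        ipaddress.ip_address(ip)  # raises ValueError on a malformed IP column
        records.append(AsRecord(int(asn), ip, name))
    return records


def upstream_asns(records, ip):
    """Sorted, de-duplicated peer ASNs reported for one IP: the notification list."""
    return sorted({r.asn for r in records if r.ip == ip})


def notification_plan(origin_text, upstream_text, ip):
    """Map each AS to notify (origin first, then its upstreams) to its AS name."""
    origin = [r for r in parse_cymru(origin_text) if r.ip == ip]
    peers = [r for r in parse_cymru(upstream_text) if r.ip == ip]
    plan = {}
    for rec in origin + peers:
        plan.setdefault(rec.asn, rec.as_name)
    return plan


if __name__ == "__main__":
    for asn, name in notification_plan(ORIGIN_OUTPUT, UPSTREAM_OUTPUT, "219.153.46.28").items():
        print(f"AS{asn:<6} {name}")
```

Splitting on at most two separators matters because the AS-name column is free text: the Chinanet row above contains a comma, and a naive CSV-style split would break names that carry extra delimiters. Filtering by IP lets one parsed output serve several addresses when the lookup was done in bulk.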


