[nsp-sec] Large injection AS4134, lots of upstreams

Gong, Yiming yiming.gong at xo.com
Wed Apr 23 10:00:40 EDT 2008


Trying to work with Chinese ISP on this now.

Regards,
 
Yiming
 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Smith, Donald
> Sent: Tuesday, April 22, 2008 6:17 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Large injection AS4134, lots of upstreams
> 
> ----------- nsp-security Confidential --------
> 
> If you google for www.nihaorr1.com you will find the target 
> of the "large injection site" that several av companies and 
> some certs are talking about today. This resolves to 
> 219.153.46.28. From there users get directed to a site that 
> tries to exploit several applications.
> Some details here:
> http://securitylabs.websense.com/content/Alerts/3070.aspx
> http://isc.sans.org/diary.html?n&storyid=4294
>  
>  
> Here is the actual google search 
>  
> http://www.google.co.uk/search?q=%3Cscript+src%3Dhttp://www.nihaorr1.com&hl=en&start=0&sa=N
>  
>  
> bash-3.1$ whois -h whois.cymru.com 219.153.46.28
> AS      | IP               | AS Name
> 4134    | 219.153.46.28    | CHINANET-BACKBONE No.31,Jin-rong Street
> bash-3.1$ whois -h upstream-whois.cymru.com 219.153.46.28
> PEER_AS | IP               | AS Name
> 174     | 219.153.46.28    | COGENT Cogent/PSI
> 703     | 219.153.46.28    | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> 1239    | 219.153.46.28    | SPRINTLINK - Sprint
> 2828    | 219.153.46.28    | XO-AS15 - XO Communications
> 2914    | 219.153.46.28    | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> 3257    | 219.153.46.28    | TISCALI-BACKBONE Tiscali Intl Network BV
> 3320    | 219.153.46.28    | DTAG Deutsche Telekom AG
> 3549    | 219.153.46.28    | GBLX Global Crossing Ltd.
> 3561    | 219.153.46.28    | SAVVIS - Savvis
> 11164   | 219.153.46.28    | TRANSITRAIL - National LambdaRail, LLC
> 17888   | 219.153.46.28    | SINGTEL-HK SingTel Hong Kong Limited
>  
> If someone could get this taken down that would be most beneficial.
>  
> donald.smith at qwest.com giac
>  
> 
> 


