[nsp-sec] Large injection AS4134, lots of upstreams (AS4812 also involved)
Brian Eckman
eckman at umn.edu
Wed Apr 23 11:18:10 EDT 2008
FWIW, infected clients are given a laundry list of malware to download,
including:
hXXp://1.haoliuliang.net/ma/1.exe
hXXp://1.haoliuliang.net/ma/2.exe
hXXp://1.haoliuliang.net/ma/3.exe
hXXp://1.haoliuliang.net/ma/4.exe
hXXp://1.haoliuliang.net/ma/5.exe
hXXp://1.haoliuliang.net/ma/6.exe
hXXp://1.haoliuliang.net/ma/7.exe
hXXp://1.haoliuliang.net/ma/8.exe
hXXp://1.haoliuliang.net/ma/9.exe
hXXp://1.haoliuliang.net/ma/10.exe
hXXp://2.haoliuliang.net/ma/11.exe
hXXp://2.haoliuliang.net/ma/12.exe
hXXp://2.haoliuliang.net/ma/13.exe
hXXp://2.haoliuliang.net/ma/14.exe
hXXp://2.haoliuliang.net/ma/15.exe
hXXp://2.haoliuliang.net/ma/16.exe
hXXp://2.haoliuliang.net/ma/17.exe
hXXp://2.haoliuliang.net/ma/18.exe
hXXp://2.haoliuliang.net/ma/19.exe
hXXp://2.haoliuliang.net/ma/20.exe
hXXp://2.haoliuliang.net/ma/21.exe
hXXp://2.haoliuliang.net/ma/22.exe
hXXp://2.haoliuliang.net/ma/23.exe
> host 1.haoliuliang.net
1.haoliuliang.net has address 222.73.44.134
> host 2.haoliuliang.net
2.haoliuliang.net has address 222.73.44.135
AS | IP | AS Name
4812 | 222.73.44.134 | CHINANET-SH-AP China Telecom (Group)
PEER_AS | IP | AS Name
4134 | 222.73.44.135 | CHINANET-BACKBONE No.31,Jin-rong Street
Non-infected clients are drawn to gg.haoliuliang.net and gg.haoliuliang.com,
but I've only seen infected clients going to 1.haoliuliang.net and
2.haoliuliang.net.
Brian
Smith, Donald wrote:
> ----------- nsp-security Confidential --------
>
> If you google for www.nihaorr1.com you will find the target of the "large injection site" that several av companies and some certs are talking about today. This resolves to 219.153.46.28. From there users get directed to a site that tries to exploit several applications.
> Some details here:
> http://securitylabs.websense.com/content/Alerts/3070.aspx
> http://isc.sans.org/diary.html?n&storyid=4294
>
>
> Here is the actual google search
>
> http://www.google.co.uk/search?q=%3Cscript+src%3Dhttp://www.nihaorr1.com&hl=en&start=0&sa=N
>
>
> bash-3.1$ whois -h whois.cymru.com 219.153.46.28
> AS | IP | AS Name
> 4134 | 219.153.46.28 | CHINANET-BACKBONE No.31,Jin-rong Street
> bash-3.1$ whois -h upstream-whois.cymru.com 219.153.46.28
> PEER_AS | IP | AS Name
> 174 | 219.153.46.28 | COGENT Cogent/PSI
> 703 | 219.153.46.28 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> 1239 | 219.153.46.28 | SPRINTLINK - Sprint
> 2828 | 219.153.46.28 | XO-AS15 - XO Communications
> 2914 | 219.153.46.28 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> 3257 | 219.153.46.28 | TISCALI-BACKBONE Tiscali Intl Network BV
> 3320 | 219.153.46.28 | DTAG Deutsche Telekom AG
> 3549 | 219.153.46.28 | GBLX Global Crossing Ltd.
> 3561 | 219.153.46.28 | SAVVIS - Savvis
> 11164 | 219.153.46.28 | TRANSITRAIL - National LambdaRail, LLC
> 17888 | 219.153.46.28 | SINGTEL-HK SingTel Hong Kong Limited
>
> If someone could get this taken down that would be most beneficial.
>
> donald.smith at qwest.com giac
>
>
>
> This communication is the property of Qwest and may contain confidential or
> privileged information. Unauthorized use of this communication is strictly
> prohibited and may be unlawful. If you have received this communication
> in error, please immediately notify the sender by reply e-mail and destroy
> all copies of the communication and any attachments.
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
--
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
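As an added example (not part of this thread, and not a tool either poster describes), the following script does the triage step both messages perform by hand: it refangs the hXXp:// URL list into hostnames, reads host(1) resolutions, parses the "AS | IP | AS Name" and "PEER_AS | IP | AS Name" blocks produced by whois.cymru.com and upstream-whois.cymru.com, and groups the indicators per ASN so that each network gets one consolidated abuse report. The sample inputs are constructed from the values quoted above; the column layout is assumed to match the three-field output shown in the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: defanged download URLs as they appear in the report.
DEFANGED_URLS = """\
hXXp://1.haoliuliang.net/ma/1.exe
hXXp://1.haoliuliang.net/ma/2.exe
hXXp://2.haoliuliang.net/ma/11.exe
"""

# Constructed sample: host(1) output quoted in the thread.
HOST_OUTPUT = """\
1.haoliuliang.net has address 222.73.44.134
2.haoliuliang.net has address 222.73.44.135
"""

# Constructed sample: Team Cymru origin and upstream lookups from the thread.
CYMRU_OUTPUT = """\
AS | IP | AS Name
4812 | 222.73.44.134 | CHINANET-SH-AP China Telecom (Group)
PEER_AS | IP | AS Name
4134 | 222.73.44.135 | CHINANET-BACKBONE No.31,Jin-rong Street
"""

_DEFANG = re.compile(r"^h[xX]{2}p(s?)://", re.IGNORECASE)
_HOST_LINE = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")


def refang_hosts(text):
    """Extract lower-cased hostnames from defanged hXXp:// URLs, one per line."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        url = _DEFANG.sub(r"http\1://", line)  # refang only so urlsplit can parse it
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def parse_host_output(text):
    """Map hostname -> list of IPv4 addresses from host(1) 'has address' lines."""
    addrs = defaultdict(list)
    for line in text.splitlines():
        m = _HOST_LINE.match(line.strip())
        if m:
            addrs[m.group(1).lower()].append(m.group(2))
    return dict(addrs)


def parse_cymru(text):
    """Parse Team Cymru whois output into {ip: [(asn, as_name, role), ...]}.

    A header row beginning with 'AS' introduces origin-AS rows; a header row
    beginning with 'PEER_AS' introduces upstream rows. Rows before any header
    are ignored. (Assumes the three-column layout shown in the thread.)"""
    role = None
    by_ip = defaultdict(list)
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3:
            continue
        if fields[0] == "AS":
            role = "origin"
        elif fields[0] == "PEER_AS":
            role = "upstream"
        elif fields[0].isdigit() and role:
            by_ip[fields[1]].append((int(fields[0]), fields[2], role))
    return dict(by_ip)


def summarize(urls, host_output, cymru_output):
    """Group IoC hostnames and IPs by ASN so each network gets one abuse report."""
    resolved = parse_host_output(host_output)
    asn_info = parse_cymru(cymru_output)
    summary = {}
    for host in refang_hosts(urls):
        for ip in resolved.get(host, []):
            for asn, name, role in asn_info.get(ip, []):
                entry = summary.setdefault(
                    asn, {"name": name, "roles": set(), "ips": set(), "hosts": set()})
                entry["roles"].add(role)
                entry["ips"].add(ip)
                entry["hosts"].add(host)
    return summary


if __name__ == "__main__":
    for asn, info in sorted(summarize(DEFANGED_URLS, HOST_OUTPUT, CYMRU_OUTPUT).items()):
        roles = ", ".join(sorted(info["roles"]))
        print(f"AS{asn} {info['name']} [{roles}]")
        print("  hosts: " + ", ".join(sorted(info["hosts"])))
        print("  ips:   " + ", ".join(sorted(info["ips"])))
```

In practice the three input blocks would come from the report, from `host`, and from a bulk query against whois.cymru.com rather than from the constructed strings; the parsers are deliberately tolerant of blank lines and repeated headers so that several pasted lookups can be concatenated into one input.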