[nsp-sec] Large injection AS4134, lots of upstreams (AS4812 also involved)

Gong, Yiming yiming.gong at xo.com
Wed Apr 23 13:39:12 EDT 2008


Team, 

219.153.46.28 has been blackholed at the CT network.

And for 222.73.44.134 and 222.73.44.135, CT has already sent a ticket to the
related province (Shanghai) to let them investigate; hopefully tonight
these two will be nailed (it is now midnight in China).

Regards,
 
Yiming
 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Brian Eckman
> Sent: Wednesday, April 23, 2008 10:18 AM
> To: Smith, Donald
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Large injection AS4134, lots of 
> upstreams (AS4812 also involved)
> 
> ----------- nsp-security Confidential --------
> 
> FWIW, infected clients are given a laundry list of malware to
> download, including:
> 
>  > host 1.haoliuliang.net
> 1.haoliuliang.net has address 222.73.44.134
> 
>  > host 2.haoliuliang.net
> 2.haoliuliang.net has address 222.73.44.135
> 
> AS      | IP               | AS Name
> 4812    | 222.73.44.134    | CHINANET-SH-AP China Telecom (Group)
> 
> PEER_AS | IP               | AS Name
> 4134    | 222.73.44.135    | CHINANET-BACKBONE No.31,Jin-rong Street
> 
> Non-infected clients are drawn to gg.haoliuliang.net and
> gg.haoliuliang.com, but I've only seen infected clients going to
> 1.haoliuliang.net and 2.haoliuliang.net.
> 
> Brian
> 
> Smith, Donald wrote:
> > ----------- nsp-security Confidential --------
> > 
> > If you google for www.nihaorr1.com you will find the target
> > of the "large injection site" that several AV companies and
> > some CERTs are talking about today. This resolves to
> > 219.153.46.28. From there users get directed to a site that
> > tries to exploit several applications.
> > Some details here:
> > http://securitylabs.websense.com/content/Alerts/3070.aspx
> > http://isc.sans.org/diary.html?n&storyid=4294
> >
> >
> > Here is the actual google search
> >
> > http://www.google.co.uk/search?q=%3Cscript+src%3Dhttp://www.nihaorr1.com&hl=en&start=0&sa=N
> >  
> >  
> > bash-3.1$ whois -h whois.cymru.com 219.153.46.28
> > AS      | IP               | AS Name
> > 4134    | 219.153.46.28    | CHINANET-BACKBONE No.31,Jin-rong Street
> > bash-3.1$ whois -h upstream-whois.cymru.com 219.153.46.28
> > PEER_AS | IP               | AS Name
> > 174     | 219.153.46.28    | COGENT Cogent/PSI
> > 703     | 219.153.46.28    | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> > 1239    | 219.153.46.28    | SPRINTLINK - Sprint
> > 2828    | 219.153.46.28    | XO-AS15 - XO Communications
> > 2914    | 219.153.46.28    | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> > 3257    | 219.153.46.28    | TISCALI-BACKBONE Tiscali Intl Network BV
> > 3320    | 219.153.46.28    | DTAG Deutsche Telekom AG
> > 3549    | 219.153.46.28    | GBLX Global Crossing Ltd.
> > 3561    | 219.153.46.28    | SAVVIS - Savvis
> > 11164   | 219.153.46.28    | TRANSITRAIL - National LambdaRail, LLC
> > 17888   | 219.153.46.28    | SINGTEL-HK SingTel Hong Kong Limited
> >  
> > If someone could get this taken down that would be most beneficial.
> >  
> > donald.smith at qwest.com giac
> >  
> > 
> > 
> > 
> > 
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> > 
> > Please do not Forward, CC, or BCC this E-mail outside of 
> the nsp-security
> > community. Confidentiality is essential for effective 
> Internet security counter-measures.
> > _______________________________________________
> 
> 
> -- 
> Brian Eckman, Security Analyst
> University of Minnesota
> Office of Information Technology
> Security & Assurance
> 
> 
> 
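The whois.cymru.com and upstream-whois.cymru.com lookups Donald quotes above return one pipe-delimited row per AS. The following Python is an added example, not part of the thread: it parses that output format so the origin AS and the upstreams to notify can be extracted programmatically. The sample text is constructed from rows quoted in the thread, not fetched live, and the function names are my own.

```python
"""Parse Team Cymru whois output (whois.cymru.com / upstream-whois.cymru.com)
into origin and upstream AS lists per IP. Added example; the sample below is
constructed from rows quoted in the thread, not fetched live."""
from dataclasses import dataclass, field

SAMPLE = """\
bash-3.1$ whois -h whois.cymru.com 219.153.46.28
AS      | IP               | AS Name
4134    | 219.153.46.28    | CHINANET-BACKBONE No.31,Jin-rong Street
bash-3.1$ whois -h upstream-whois.cymru.com 219.153.46.28
PEER_AS | IP               | AS Name
174     | 219.153.46.28    | COGENT Cogent/PSI
703     | 219.153.46.28    | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
2828    | 219.153.46.28    | XO-AS15 - XO Communications
"""


@dataclass
class IpAsInfo:
    origin: list[int] = field(default_factory=list)      # AS rows: who announces the prefix
    upstreams: list[int] = field(default_factory=list)   # PEER_AS rows: who carries it
    names: dict[int, str] = field(default_factory=dict)  # ASN -> AS Name column


def parse_cymru(text: str) -> dict[str, IpAsInfo]:
    """Walk the output line by line. Header rows ('AS' / 'PEER_AS') switch
    between origin and upstream mode; data rows are 'ASN | IP | AS Name'.
    Shell prompts, blank lines and anything without three columns are ignored."""
    result: dict[str, IpAsInfo] = {}
    upstream_mode = False
    for raw in text.splitlines():
        cols = [c.strip() for c in raw.split("|")]
        if len(cols) < 3:
            continue
        if cols[0] in ("AS", "PEER_AS"):
            upstream_mode = cols[0] == "PEER_AS"
            continue
        if not cols[0].isdigit():
            continue
        asn, ip, name = int(cols[0]), cols[1], cols[2]
        info = result.setdefault(ip, IpAsInfo())
        (info.upstreams if upstream_mode else info.origin).append(asn)
        info.names[asn] = name
    return result


def notify_list(text: str, ip: str) -> list[int]:
    """ASNs that can act on a takedown or blackhole request: origin plus upstreams."""
    info = parse_cymru(text).get(ip, IpAsInfo())
    return sorted(set(info.origin) | set(info.upstreams))
```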


