[nsp-sec] CC at 207.218.241.138 (and 70.85.198.194)
Matthew.Swaar at us-cert.gov
Wed Feb 6 15:01:24 EST 2008
Heyo Serge / List!
I received a similar report today from an infected customer. (They
believe it's a variant of Trojan Proxy.AFV -
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPROXY%2EAFV&VSect=P)
My customer also provided IP 70.85.198.194.
AS | IP | AS Name
21844 | 70.85.198.194 | THEPLANET-AS - THE PLANET
I get a 403 trying to connect to 70.85.198.194 over port 80, but after
reading the Trend Micro info, when I attempt to use '/forum.php' I see:
<HTML>
error: SID not given
127.0.0.1
</HTML>
V/R,
Matt Swaar
US-CERT Analyst
Serge Droz <serge.droz at switch.ch>
Sent by: nsp-security-bounces at puck.nether.net
02/06/2008 02:50 PM
To: nsp-security at puck.nether.net
cc:
Subject: [nsp-sec] CC at 207.218.241.138
----------- nsp-security Confidential --------
Hello
AS | IP | AS Name
13749 | 207.218.241.138 | EVERYONES-INTERNET - Everyones Internet
POST http://207.218.241.138:80/forum.php
Starts sending Mail claiming to originate from Microsoft.
Cheers
Serge
--
SWITCH
Serving Swiss Universities
--------------------------
Serge Droz, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 63, fax +41 44 268 15 78
serge.droz at switch.ch, http://www.switch.ch
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
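As an added defender-side check (not part of either message above): a small Python scan over proxy access logs that flags POSTs to /forum.php on the two addresses reported in this thread, and any other contact with those hosts. The Squid-style log format and the sample lines are constructed for the example; the addresses are the ones quoted in the thread and are historical.

```python
import re
from collections import Counter

# The two addresses reported in this thread (historical, from Feb 2008).
REPORTED_CC = {"207.218.241.138", "70.85.198.194"}
CC_PATH = "/forum.php"

# Constructed sample in Squid native access.log layout:
# timestamp elapsed client action/code bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1202324400.123 45 10.1.2.3 TCP_MISS/200 312 POST http://207.218.241.138:80/forum.php - DIRECT/207.218.241.138 text/html
1202324405.456 12 10.1.2.3 TCP_MISS/403 512 GET http://70.85.198.194/ - DIRECT/70.85.198.194 text/html
1202324410.789 30 10.1.2.9 TCP_MISS/200 1024 GET http://www.example.com/forum.php?id=1 - DIRECT/93.184.216.34 text/html
1202324420.000 50 10.1.2.3 TCP_MISS/200 298 POST http://70.85.198.194/forum.php - DIRECT/70.85.198.194 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")

def classify(line):
    """Return ('beacon', client, host) for a POST to /forum.php on a reported host,
    ('contact', client, host) for any other request to a reported host, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    u = URL_RE.match(m.group("url"))
    if not u or u.group("host") not in REPORTED_CC:
        return None
    path = u.group("path") or "/"
    if m.group("method") == "POST" and path == CC_PATH:
        return ("beacon", m.group("client"), u.group("host"))
    return ("contact", m.group("client"), u.group("host"))

def scan(log_text):
    """Return per-(client, kind) counts of beacons and other contacts with the reported hosts."""
    hits = Counter()
    for line in log_text.splitlines():
        r = classify(line)
        if r:
            hits[(r[1], r[0])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (client, kind), n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{client}: {n} x {kind}")
```

A client showing repeated "beacon" hits is the one to pull for cleanup; a single "contact" may just be someone following the link from the report.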