[nsp-sec] AS7018 | AT&T WorldNet Services
Rob Thomas
robt at cymru.com
Fri Feb 22 14:46:11 EST 2008
Hi, Steve.

> Can a representative from AS7018 | AT&T WorldNet Services contact me off
> list? I have a customer reporting UDP packet love from AS3776 |
> 64.75.176.16.

Sorry to hear about the DDoS! I suspect it's at least partially
controlled by those behind this seemingly dangerous URL. VISIT WITH
SCRIPTING DISABLED!

< h x x p : / / users5.nofeehost.com / capusha / safeon.txt >

Feel free to read the code there and correct my assumptions about it,
but it appears to run the "id" command on the host and return the
results. Reaching that site seems to be done only through redirects
from several other sites.

64.75.176.16 may be part of a Unix-based botnet and it appears to be
a FreeBSD box. It's also visited the following botnet:

l0lz.programxp.com 207.189.104.86
e2.emr3.net 207.189.104.86

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, "Out of coffee!");