[nsp-sec] 1Million Botnet Ips
Juan Carlos Guel Lopez
cguel at seguridad.unam.mx
Mon Jul 7 13:42:16 EDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hi list,
ACK for ASN 278.
We are working with the main mexican ISP's. We will contact and let them
know.
Saludos
- --JC GUEL
On Fri, 4 Jul 2008, Stephen Gill wrote:
> ----------- nsp-security Confidential --------
>
> Hi Team,
>
> Cert.at has assembled an excellent report on the nadnadzzz.info botnet along
> with a large list of compromised IPs! They have put together an analysis
> summary and individual report files of compromised hosts sorted by ASN at
> the following location:
>
> http://www.cert.at/static/xi3shiZiexu/ips_by_AS/
> username: nadnadzzz
> pass: letmein
>
> Please do not share this URL outside of the nsp-sec community. If you can
> proxy for an entire country, you may be interested in perusing the cctld
> files here:
>
> http://www.cert.at/static/xi3shiZiexu/ips_$CC.csv
> username: nadnadzzz
> pass: letmein
> * Where $CC is your ccTLD country code in capital letters (e.g. "MX")
>
> The report, not for redistribution can be found here:
>
> http://www.cert.at/static/xi3shiZiexu/botnetpaper2.pdf
>
> Finally, here is a brief summary from their team:
>
> > nadnadzzz.info botnet analysis
> > ==============================
> >
> > CERT.at has been analysing the nadnadzzz.info botnet. We were able to track
> > the botnet and extract a list of affected IP addresses.
> > It contains around 950,000 different IPs.
> > While the list is probably not exhaustive and while we expect further C&C
> > servers, we want to share this info with concerned parties from ns-psec and
> > the wider CERT community.
>
> > C&C servers
> > ----------------------
> > 67.43.232.36/32 - seems to be down or blocks us as of 2008/06/30
> > 211.95.79.151/32 - seems to be down or blocks us as of 2008/06/30
> > 211.95.79.165/32 - seems to be down or blocks us as of 2008/06/30
> > 220.196.42.156/32 - seems to be down or blocks us as of 2008/06/30
> > 61.174.17.90/32 - alive as of 2008/06/30
> > 61.174.17.89/32 - alive as of 2008/07/03 17:00 UTC+02
> >
> > Protocol: IRC
> > Port: 7000
> >
> >
> > 5 most affected countries:
> > cnt_ips | countrycode
> > ---------+-------------
> > 254660 | MX
> > 202109 | BR
> > 52377 | CL
> > 50078 | IN
> > 43725 | PL
> >
> >
> > We would appreciate feedback at team at cert.at
>
> Enjoy, and have a Happy 4th of July ;D.
>
> Cheers,
> Steve, Team Cymru.
>
> --
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQEVAwUBSHJVe5lW1rrzglhVAQF7twgA5aSfcm1hwcue4ceYNpLEKSf/raCg2Dzl
TcDnnORyyqKbGiLgLifIUDX+yZrqlp8jEVeiDLhckX3eMhkQje8IUlOiiCbQtC92
eb/4Jopcx2iHqomyrpn1v3ugee5RPvgtxoei49oTbSp7qBnfv7ZYqmkj8MPYmMDJ
hAKh0/WyfokVU0f/vOl+cGzz61QY3WujZD+4JEThmQxa676RZpKSHn0h9OQwHF5o
FqZuJq32Vl3dUQIeaC+DTy9Wyp/Cr3nFenXsxX/7/HtSPBmVJK3i0mUGZpinib6v
dGTzUiNGFIwRLeKynBJJJR0YMNNPDnWhFI21p61HG6wAQi40esjfRg==
=OfjR
-----END PGP SIGNATURE-----
More information about the nsp-security
mailing list