[nsp-sec] packet love at 81.21.73.240 - 10.7 Gb / 1.2m pps

William Salusky william.salusky at aol.net
Mon Jul 14 16:02:24 EDT 2008


In case additional supporting data is needed, http sinkhole data
uncovers the following activity today.

=== Different pages requested ===
- hxxp://life-tablets.cn/e/32cxel.exe
- hxxp://life-tablets.cn/e/scan1.exe
- hxxp://life-tablets.cn/e/db.exe
- hxxp://life-tablets.cn/e/isw.exe
- hxxp://life-tablets.cn/e/i.exe                (returning 404s)
- hxxp://life-tablets.cn/e/scan2.exe
- hxxp://life-tablets.cn/e/is.exe               (returning 404s)
- hxxp://life-tablets.cn/e/3238ofsccxel.exe     (returning 404s)
- hxxp://life-tablets.cn/e/ddq.exe              (returning 404s)
- hxxp://life-tablets.cn/e/dd.exe               (returning 404s)
- hxxp://life-tablets.cn/tds/index.php          (302 drive-by to neiron2009.com)

=== Referers ===
- hxxp://www.topdommes.co.uk/
- hxxp://www.eurodahlia.com/
- hxxp://www.topdommes.co.uk/home.html

Also observed being vhosted on this IP are the following, just in case
they are in fact drive-by leads to additional packet loving bot deployment:

hxxp://opana.cn/opa.html
hxxp://dftreo.com/lf2/index.php


Samples:
2d9a853a8f0ac35cdbedc6f0f39b9940 - life-tablets.cn/e/32cxel.exe
94070ea0c52a408482dbcf47819bf190 - life-tablets.cn/e/scan1.exe
4b0fa3221218362b9fa718f8d1d006ec - life-tablets.cn/e/scan2.exe
795ef146e83b4bff77872e70d2ab7a3f - life-tablets.cn/e/db.exe
678cb21d1b912822d55f94d60f6432a7 - life-tablets.cn/e/isw.exe
Steve Colam wrote:
| ----------- nsp-security Confidential --------
|
| Hi Folks,
|
| We have an attack at 81.21.73.240 which mostly consists
| of ICMP, with some tcp 80 and udp 80 just for fun.
|
| The ICMP packet size varies.
|
| The bots seem to be tracking the A record for
| www.av-sales.co.uk
|
| It's been going on since Friday and has just peaked
| at 10.7Gb/1.2m pps (12:45 GMT0 14/July/2008)
|
| It appears that most src IPs are spoofed.
|
| With some help from Hillar (tx!) we know the C&C
| is hosted on life-tablets.cn
|
| So it would be rather splendid if someone can help shut
| this down...
|
| Tx,
|
| Steve @ AS5413

--

William Salusky
william.salusky at aol.net
Sr. Technical Security Investigator - AOL Operations Security
703-265-4924 (desk)
703-201-8873 (cell)