[nsp-sec] political ddos? www.president.gov.ge
Rob Thomas
robt at cymru.com
Sun Jul 20 17:33:42 EDT 2008
Hi, Jose.
Thanks for the heads-up!
> C&C IP 207.10.234.244
This IP is no stranger to C&C activity. It has hosted IRC botnets as
well as malware in the past.
 timestamp           | ip             | asn  | category   | comment
---------------------+----------------+------+------------+--------------------------------------------------------------
 2008-03-29 06:32:14 | 207.10.234.244 | 1785 | botnetcc   | category: botweb url: http://207.10.234.244/cgi-bin/get.cgi
 2008-06-04 12:48:15 | 207.10.234.244 | 1785 | malwareurl | http://banks-money.com/exe.php
We see one sample in our malware menagerie that points to this IP.
 timestamp           | sha1                                     | md5                              | dst_ip         | dst_port | protocol | size
---------------------+------------------------------------------+----------------------------------+----------------+----------+----------+------
 2008-03-29 06:32:14 | 5ce107052e7bc9696b7eae1c48550771b85d60b8 | 0f9e33701f10cf50402efbfb060e7905 | 207.10.234.244 |       80 |        6 |
It appears to be a CentOS Linux box running Apache 2.2.3 with PHP 5.1.6.
Two Russians exchanged this server as early as 2008-04-22 13:54:09 UTC.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
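An added example, not part of Rob's message or any Team Cymru tool: the two records he quotes are pasted back into the same pipe-separated table layout, parsed into indicator objects, and then hunted for in a handful of constructed Squid-style proxy log lines. The log lines, the client IPs in them and the record-parsing code are assumptions made for the example; the IP, ASN, URLs and timestamps are the ones from the message above.

```python
"""Turn the psql-style IOC table from the message into indicators and hunt
for them in proxy logs.  Added example; the RECORDS text is copied from the
message, SAMPLE_LOG is constructed."""
import re
from dataclasses import dataclass

# The two records quoted in the message, reflowed onto one line each.
RECORDS = """\
 timestamp           | ip             | asn  | category   | comment
---------------------+----------------+------+------------+------------------------------------------------------------
 2008-03-29 06:32:14 | 207.10.234.244 | 1785 | botnetcc   | category: botweb url: http://207.10.234.244/cgi-bin/get.cgi
 2008-06-04 12:48:15 | 207.10.234.244 | 1785 | malwareurl | http://banks-money.com/exe.php
"""

# Constructed Squid access.log lines (native format); client IPs are made up.
SAMPLE_LOG = """\
1216590000.123    120 10.0.0.5 TCP_MISS/200 512 GET http://207.10.234.244/cgi-bin/get.cgi - DIRECT/207.10.234.244 text/plain
1216590001.456     80 10.0.0.7 TCP_MISS/200 40960 GET http://banks-money.com/exe.php - DIRECT/198.51.100.9 application/octet-stream
1216590002.789     30 10.0.0.9 TCP_HIT/200 1024 GET http://www.example.com/ - NONE/- text/html
"""

URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass(frozen=True)
class Ioc:
    timestamp: str
    ip: str
    asn: int
    category: str
    comment: str


def parse_table(text: str) -> list[Ioc]:
    """Parse a psql-style table: header row, '---+---' separator, data rows.

    The comment column may itself contain ':' and '/', so rows are split on
    '|' at most (columns - 1) times and the remainder is kept whole."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    iocs = []
    for line in lines[1:]:
        if set(line.strip()) <= set("-+"):
            continue  # separator row
        cells = [c.strip() for c in line.split("|", len(header) - 1)]
        row = dict(zip(header, cells))
        iocs.append(Ioc(row["timestamp"], row["ip"], int(row["asn"]),
                        row["category"], row["comment"]))
    return iocs


def indicators(iocs: list[Ioc]) -> tuple[set[str], set[str]]:
    """Collect IPs and hostnames: the record's own IP plus any host found in
    a URL inside the comment (an IP-literal host goes into the IP set)."""
    ips: set[str] = set()
    hosts: set[str] = set()
    for ioc in iocs:
        ips.add(ioc.ip)
        for host in URL_HOST_RE.findall(ioc.comment):
            host = host.split(":", 1)[0].lower()  # drop an explicit port
            (ips if IPV4_RE.fullmatch(host) else hosts).add(host)
    return ips, hosts


def hunt(log_lines: list[str], iocs: list[Ioc]) -> list[tuple[str, str]]:
    """Return (client, url) for each log line whose URL host or upstream
    peer matches an indicator.  Checking the peer catches a direct hit on
    the C&C IP even when the request was made to a hostname."""
    ips, hosts = indicators(iocs)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 9:
            continue  # not a well-formed Squid native log line
        client, url, peer = fields[2], fields[6], fields[8]
        m = URL_HOST_RE.match(url)
        url_host = m.group(1).split(":", 1)[0].lower() if m else ""
        peer_ip = peer.split("/", 1)[1] if "/" in peer else ""
        if url_host in ips or url_host in hosts or peer_ip in ips:
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in hunt(SAMPLE_LOG.splitlines(), parse_table(RECORDS)):
        print(f"{client} fetched {url}")
```

Hunting on the upstream peer as well as the URL host matters for records like the first one: a bot that reaches get.cgi by IP literal shows up in the URL, but a redirect or DNS change that lands on the same address would only be visible in the DIRECT/ peer field.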