[nsp-sec] rundll841.com wwwDOTwin496.com wwwDOTtag58.com err68.com and sysid72.com sqlinjection sites.
Smith, Donald
Donald.Smith at qwest.com
Wed Jun 4 14:30:30 EDT 2008
wwwDOTrundll841.com leads to wwwDOTwin496.com, which leads to sysid72.com, which is the same exploit site the other injections were using.

sysid72.com shutdown is fast fluxed and was included in yesterday's report.

They are reusing some of their compromised systems to host more than one domain, so you will see some repeats.

wwwDOTtag58.com leads to err68.com, which is also fast fluxed and leads to sysid72.com.

These lead to flash exploits served up from sysid72.com.
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
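The post's evidence that the redirector domains are fast fluxed is the short 10M TTL, the large number of A records per name, and the spread of those addresses across unrelated ASNs (the Team Cymru bulk-whois output). As an added example, not the author's code or tooling, the following Python parses records in the same dig and Cymru bulk-whois shapes and applies that heuristic; the sample input, ASN numbers and thresholds are constructed.

```python
import re
# Constructed sample input (not from the post): dig-style A records and a
# Team Cymru bulk-whois style reply, RFC 5737 addresses and made-up ASNs.
SAMPLE_RECORDS = """\
wwwDOTflux-example.com. 10M IN A 192.0.2.10
wwwDOTflux-example.com. 10M IN A 198.51.100.22
wwwDOTflux-example.com. 10M IN A 203.0.113.7
wwwDOTflux-example.com. 10M IN A 192.0.2.99
wwwDOTflux-example.com. 10M IN A 198.51.100.150
static.example.org. 1D IN A 192.0.2.1
"""
SAMPLE_WHOIS = """\
Bulk mode; whois.cymru.com [2008-06-04 18:21:19 +0000]
64496 | 192.0.2.10 | EXAMPLE-CABLE-A
64497 | 198.51.100.22 | EXAMPLE-DSL-B
64498 | 203.0.113.7 | EXAMPLE-UNI-C
64496 | 192.0.2.99 | EXAMPLE-CABLE-A
64499 | 198.51.100.150 | EXAMPLE-TELCO-D
64501 | 192.0.2.1 | EXAMPLE-HOSTING
"""
TTL_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def ttl_seconds(ttl):
    # BIND-style TTL ('10M', '1D', '300') -> seconds
    num, unit = re.fullmatch(r"(\d+)([smhdw]?)", ttl.lower()).groups()
    return int(num) * TTL_UNITS[unit]

def parse_a_records(text):
    # owner name -> list of (ttl_seconds, ip) for 'name TTL IN A ip' lines
    recs = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5 and parts[2:4] == ["IN", "A"]:
            recs.setdefault(parts[0].rstrip("."), []).append((ttl_seconds(parts[1]), parts[4]))
    return recs

def parse_cymru_bulk(text):
    # ip -> ASN from 'asn | ip | description' lines; the banner line is skipped
    asn = {}
    for fields in ([f.strip() for f in line.split("|")] for line in text.splitlines()):
        if len(fields) >= 2 and fields[0].isdigit():
            asn[fields[1]] = int(fields[0])
    return asn

def fastflux_score(name, recs, ip_to_asn, max_ttl=900, min_ips=5, min_asns=3):
    # Fast-flux heuristic: short TTL, many distinct A records, spread over many ASNs
    ips = {ip for _, ip in recs[name]}
    asns = {ip_to_asn[ip] for ip in ips if ip in ip_to_asn}
    ttl = max(t for t, _ in recs[name])
    return {"ttl": ttl, "ips": len(ips), "asns": len(asns),
            "flagged": ttl <= max_ttl and len(ips) >= min_ips and len(asns) >= min_asns}
```

Feed it the output of `dig +noall +answer` and a Cymru bulk-whois reply for the same addresses; the thresholds are a starting point and should be tuned against your own resolver data, since CDNs also use short TTLs but rarely spread one name across residential ASNs.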