[nsp-sec] rundll841.com wwwDOTwin496.com wwwDOTtag58.com err68.com and sysid72.com sqlinjection sites.
William Salusky
william.salusky at aol.net
Thu Jun 5 10:27:22 EDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have some basic overview on the fluxnet that serves much of the recent
mass Sql Injection/Flash based driveby garbage.
I've shared it elsewhere, so sharing here.
http://handlers.sans.org/wsalusky/ws/index.php/HydraFlux
http://handlers.sans.org/wsalusky/ws/index.php/HydraFlux_1_forum-php
W
Smith, Donald wrote:
| ----------- nsp-security Confidential --------
|
| wwwDOTrundll841.com leads to wwwDOTwin496.com which leads to
| sysid72.com which is the same exploit site the other injections were
| using.
| sysid72.com shutdown is fast fluxed and was included in yesterday's
| report.
| They are reusing some of their compromised systems to host more than one
| domain so you will see some repeats.
|
| wwwDOTtag58.com leads to err68.com which is also fast fluxed and leads
| to sysid72.com.
|
| These lead to flash exploits served up from sysid72.com.
| wwwDOTrundll841.com. 10M IN A 81.190.201.98
| wwwDOTrundll841.com. 10M IN A 83.50.119.14
| wwwDOTrundll841.com. 10M IN A 81.190.41.4
| wwwDOTrundll841.com. 10M IN A 156.17.227.218
| wwwDOTrundll841.com. 10M IN A 83.24.132.177
| wwwDOTrundll841.com. 10M IN A 62.21.3.212
| wwwDOTrundll841.com. 10M IN A 78.92.73.240
| wwwDOTrundll841.com. 10M IN A 99.225.66.211
| wwwDOTrundll841.com. 10M IN A 77.253.116.48
| wwwDOTrundll841.com. 10M IN A 83.242.74.153
| wwwDOTrundll841.com. 10M IN A 82.143.130.48
| wwwDOTrundll841.com. 10M IN A 82.159.61.76
|
| Bulk mode; whois.cymru.com [2008-06-04 17:41:10 +0000]
| 812 | 99.225.66.211 | ROGERS-CABLE - Rogers Cable Communications
| Inc.
| 3352 | 83.50.119.14 | TELEFONICA-DATA-ESPANA Internet Access
| Network ofDE
| 5483 | 78.92.73.240 | HTC-AS Hungarian Telecom
| 5617 | 83.24.132.177 | TPNET Polish Telecom_s commercial IP
| network
| 8970 | 156.17.227.218 | WASK WROCMAN-EDU educational part of WASK
| network,Wroclaw, Poland
| 12741 | 77.253.116.48 | INTERNETIA-AS Netia SA
| 13110 | 62.21.3.212 | ICP-AS Internet Cable Provider network
| 16338 | 82.159.61.76 | AUNA_TELECOM-AS Cableuropa - ONO
| 21021 | 81.190.201.98 | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
| 21021 | 81.190.41.4 | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
| 28982 | 82.143.130.48 | E-WRO E-WRO Autonomous System
| 30838 | 83.242.74.153 | TELPOL PPMUE TELPOL
| UPSTREAMS
| $ cat whois.up
| Bulk mode; peer-whois.cymru.com [2008-06-04 17:42:21 +0000]
| 174 | 82.159.61.76 | COGENT Cogent/PSI
| 174 | 99.225.66.211 | COGENT Cogent/PSI
| 1273 | 82.159.61.76 | CW Cable and Wireless plc
| 1299 | 62.21.3.212 | TELIANET TeliaNet Global Network
| 1299 | 78.92.73.240 | TELIANET TeliaNet Global Network
| 3320 | 78.92.73.240 | DTAG Deutsche Telekom AG
| 3320 | 81.190.201.98 | DTAG Deutsche Telekom AG
| 3356 | 75.131.91.215 | LEVEL3 Level 3 Communications
| 3549 | 62.21.3.212 | GBLX Global Crossing Ltd.
| 3549 | 99.225.66.211 | GBLX Global Crossing Ltd.
| 5511 | 83.24.132.177 | OPENTRANSIT France Telecom
| 5617 | 81.190.201.98 | TPNET Polish Telecom_s commercial IP
| network
| 5617 | 81.190.41.4 | TPNET Polish Telecom_s commercial IP
| network
| 6453 | 82.159.61.76 | GLOBEINTERNET TATA Communications
| 6453 | 99.225.66.211 | GLOBEINTERNET TATA Communications
| 6461 | 99.225.66.211 | MFNX MFN - Metromedia Fiber Network
| 7132 | 99.225.66.211 | SBIS-AS - AT&T Internet Services
| 8501 | 156.17.227.218 | PIONIER-AS PIONIER, National Research and
| Education Network in Poland
| 8928 | 78.92.73.240 | INTEROUTE Interoute Communications Ltd
| 11537 | 99.225.66.211 | ABILENE - Internet2
| 12887 | 77.253.116.48 | TDC-TRANSIT Swiat Internet SA Transit
| Network
| 12956 | 83.50.119.14 | TELEFONICA Telefonica Backbone Autonomous
| System
| 12968 | 83.242.74.153 | CDP Crowley Data Poland, sp. z o.o.
| 13293 | 81.190.201.98 | PIONIER-AS-COM PIONIER
| 13293 | 81.190.41.4 | PIONIER-AS-COM PIONIER
| 15857 | 82.143.130.48 | DIALOG-AS DIALOG-NET Autonomuos System
| 24724 | 62.21.3.212 | ATMAN-FOREIGN-AS ATM S.A.
|
| wwwDOTwin496.com. 10M IN A 62.21.3.212
| wwwDOTwin496.com. 10M IN A 81.190.201.98
| wwwDOTwin496.com. 10M IN A 78.92.73.240
| wwwDOTwin496.com. 10M IN A 77.253.116.48
| wwwDOTwin496.com. 10M IN A 78.152.16.102
| wwwDOTwin496.com. 10M IN A 99.194.80.27
| wwwDOTwin496.com. 10M IN A 83.24.132.177
| wwwDOTwin496.com. 10M IN A 83.50.119.14
| wwwDOTwin496.com. 10M IN A 81.190.41.4
| wwwDOTwin496.com. 10M IN A 12.207.206.75
| wwwDOTwin496.com. 10M IN A 62.21.81.188
| wwwDOTwin496.com. 10M IN A 83.11.193.104
| wwwDOTwin496.com. 10M IN A 82.143.130.48
|
| Bulk mode; whois.cymru.com [2008-06-04 18:21:19 +0000]
| 3352 | 83.50.119.14 | TELEFONICA-DATA-ESPANA Internet Access
| Network of TDE
| 5483 | 78.92.73.240 | HTC-AS Hungarian Telecom
| 5617 | 83.11.193.104 | TPNET Polish Telecom_s commercial IP
| network
| 5617 | 83.24.132.177 | TPNET Polish Telecom_s commercial IP
| network
| 6478 | 12.207.206.75 | ATT-INTERNET3 - AT&T WorldNet Services
| 7776 | 99.194.80.27 | MEBT7776 - Mebtel Communications
| 12741 | 77.253.116.48 | INTERNETIA-AS Netia SA
| 13110 | 62.21.3.212 | ICP-AS Internet Cable Provider network
| 13110 | 62.21.81.188 | ICP-AS Internet Cable Provider network
| 21021 | 81.190.201.98 | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
| 21021 | 81.190.41.4 | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
| 28982 | 82.143.130.48 | E-WRO E-WRO Autonomous System
| 43118 | 78.152.16.102 | EAW-AS East & West Sp. z o.o.
|
| UPSTREAMS
| Bulk mode; peer-whois.cymru.com [2008-06-04 18:21:21 +0000]
| 1299 | 62.21.3.212 | TELIANET TeliaNet Global Network
| 1299 | 62.21.81.188 | TELIANET TeliaNet Global Network
| 1299 | 78.92.73.240 | TELIANET TeliaNet Global Network
| 3320 | 78.92.73.240 | DTAG Deutsche Telekom AG
| 3320 | 81.190.201.98 | DTAG Deutsche Telekom AG
| 3356 | 75.131.91.215 | LEVEL3 Level 3 Communications
| 3549 | 62.21.3.212 | GBLX Global Crossing Ltd.
| 3549 | 62.21.81.188 | GBLX Global Crossing Ltd.
| 5511 | 83.11.193.104 | OPENTRANSIT France Telecom
| 5511 | 83.24.132.177 | OPENTRANSIT France Telecom
| 5617 | 81.190.201.98 | TPNET Polish Telecom_s commercial IP
| network
| 5617 | 81.190.41.4 | TPNET Polish Telecom_s commercial IP
| network
| 7018 | 12.207.206.75 | ATT-INTERNET4 - AT&T WorldNet Services
| 8928 | 78.92.73.240 | INTEROUTE Interoute Communications Ltd
| 12741 | 78.152.16.102 | INTERNETIA-AS Netia SA
| 12887 | 77.253.116.48 | TDC-TRANSIT Swiat Internet SA Transit
| Network
| 12956 | 83.50.119.14 | TELEFONICA Telefonica Backbone Autonomous
| System
| 13293 | 81.190.201.98 | PIONIER-AS-COM PIONIER
| 13293 | 81.190.41.4 | PIONIER-AS-COM PIONIER
| 14745 | 99.194.80.27 | INTERNAP-BLOCK-4 - Internap Network
| Services
| 15857 | 82.143.130.48 | DIALOG-AS DIALOG-NET Autonomuos System
| 24724 | 62.21.3.212 | ATMAN-FOREIGN-AS ATM S.A.
| 24724 | 62.21.81.188 | ATMAN-FOREIGN-AS ATM S.A.
|
| wwwDOTtag58.com. 10M IN A 82.143.130.48
| wwwDOTtag58.com. 10M IN A 83.50.119.14
| wwwDOTtag58.com. 10M IN A 78.92.73.240
| wwwDOTtag58.com. 10M IN A 78.152.16.102
| wwwDOTtag58.com. 10M IN A 77.253.116.48
| wwwDOTtag58.com. 10M IN A 83.24.132.177
| wwwDOTtag58.com. 10M IN A 81.190.41.4
| wwwDOTtag58.com. 10M IN A 99.194.80.27
| wwwDOTtag58.com. 10M IN A 62.21.81.188
| wwwDOTtag58.com. 10M IN A 62.21.3.212
| wwwDOTtag58.com. 10M IN A 83.11.193.104
| wwwDOTtag58.com. 10M IN A 81.190.201.98
|
| Bulk mode; whois.cymru.com [2008-06-04 18:10:22 +0000]
| 3352 | 83.50.119.14 | TELEFONICA-DATA-ESPANA Internet Access
| Network of TDE
| 5483 | 78.92.73.240 | HTC-AS Hungarian Telecom
| 5617 | 83.11.193.104 | TPNET Polish Telecom_s commercial IP
| network
| 5617 | 83.24.132.177 | TPNET Polish Telecom_s commercial IP
| network
| 7776 | 99.194.80.27 | MEBT7776 - Mebtel Communications
| 12741 | 77.253.116.48 | INTERNETIA-AS Netia SA
| 13110 | 62.21.3.212 | ICP-AS Internet Cable Provider network
| 13110 | 62.21.81.188 | ICP-AS Internet Cable Provider network
| 21021 | 81.190.201.98 | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
| 21021 | 81.190.41.4 | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
| 28982 | 82.143.130.48 | E-WRO E-WRO Autonomous System
| 43118 | 78.152.16.102 | EAW-AS East & West Sp. z o.o.
| UPSTREAMS
| Bulk mode; peer-whois.cymru.com [2008-06-04 18:10:29 +0000]
| 1299 | 62.21.3.212 | TELIANET TeliaNet Global Network
| 1299 | 62.21.81.188 | TELIANET TeliaNet Global Network
| 1299 | 78.92.73.240 | TELIANET TeliaNet Global Network
| 3320 | 78.92.73.240 | DTAG Deutsche Telekom AG
| 3320 | 81.190.201.98 | DTAG Deutsche Telekom AG
| 3356 | 75.131.91.215 | LEVEL3 Level 3 Communications
| 3549 | 62.21.3.212 | GBLX Global Crossing Ltd.
| 3549 | 62.21.81.188 | GBLX Global Crossing Ltd.
| 5511 | 83.11.193.104 | OPENTRANSIT France Telecom
| 5511 | 83.24.132.177 | OPENTRANSIT France Telecom
| 5617 | 81.190.201.98 | TPNET Polish Telecom_s commercial IP
| network
| 5617 | 81.190.41.4 | TPNET Polish Telecom_s commercial IP
| network
| 8928 | 78.92.73.240 | INTEROUTE Interoute Communications Ltd
| 12741 | 78.152.16.102 | INTERNETIA-AS Netia SA
| 12887 | 77.253.116.48 | TDC-TRANSIT Swiat Internet SA Transit
| Network
| 12956 | 83.50.119.14 | TELEFONICA Telefonica Backbone Autonomous
| System
| 13293 | 81.190.201.98 | PIONIER-AS-COM PIONIER
| 13293 | 81.190.41.4 | PIONIER-AS-COM PIONIER
| 14745 | 99.194.80.27 | INTERNAP-BLOCK-4 - Internap Network
| Services
| 15857 | 82.143.130.48 | DIALOG-AS DIALOG-NET Autonomuos System
| 19151 | 24.196.230.18 | WVFIBER-1 - WV FIBER LLC
| 24724 | 62.21.3.212 | ATMAN-FOREIGN-AS ATM S.A.
| 24724 | 62.21.81.188 | ATMAN-FOREIGN-AS ATM S.A.
|
| err68.com. 10M IN A 78.152.16.102
| err68.com. 10M IN A 65.78.241.194
| err68.com. 10M IN A 83.242.74.153
| err68.com. 10M IN A 81.190.201.98
| err68.com. 10M IN A 148.81.132.211
| err68.com. 10M IN A 81.190.41.4
| err68.com. 10M IN A 83.24.132.177
| err68.com. 10M IN A 84.38.90.168
| err68.com. 10M IN A 78.130.145.225
| err68.com. 10M IN A 77.253.116.48
| err68.com. 10M IN A 83.11.193.104
| err68.com. 10M IN A 62.21.81.188
| err68.com. 10M IN A 80.200.201.15
| err68.com. 10M IN A 99.225.66.211
|
| 812 | 99.225.66.211 | ROGERS-CABLE - Rogers Cable Communications
| Inc.
| 1887 | 148.81.132.211 | NASK-ACADEMIC NASK
| 5432 | 80.200.201.15 | BELGACOM-SKYNET-AS Belgacom regional ASN
| 5617 | 83.11.193.104 | TPNET Polish Telecom_s commercial IP
| network
| 5617 | 83.24.132.177 | TPNET Polish Telecom_s commercial IP
| network
| 12741 | 77.253.116.48 | INTERNETIA-AS Netia SA
| 13110 | 62.21.81.188 | ICP-AS Internet Cable Provider network
| 15227 | 65.78.241.194 | WVFIBERNET - FiberNet of West Virginia
| 21021 | 81.190.201.98 | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
| 21021 | 81.190.41.4 | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
| 21415 | 78.130.145.225 | INTERNETGROUP-AS-BG Internet Group Ltd.
| 30838 | 83.242.74.153 | TELPOL PPMUE TELPOL
| 39349 | 84.38.90.168 | TVKDIANA-AS Telewizja Kablowa Diana s.j.
| 43118 | 78.152.16.102 | EAW-AS East & West Sp. z o.o.
| UPSTREAMS
| Bulk mode; peer-whois.cymru.com [2008-06-04 18:05:28 +0000]
| 174 | 99.225.66.211 | COGENT Cogent/PSI
| 1239 | 65.78.241.194 | SPRINTLINK - Sprint
| 1239 | 80.200.201.15 | SPRINTLINK - Sprint
| 1299 | 62.21.81.188 | TELIANET TeliaNet Global Network
| 3320 | 81.190.201.98 | DTAG Deutsche Telekom AG
| 3549 | 62.21.81.188 | GBLX Global Crossing Ltd.
| 3549 | 99.225.66.211 | GBLX Global Crossing Ltd.
| 5511 | 83.11.193.104 | OPENTRANSIT France Telecom
| 5511 | 83.24.132.177 | OPENTRANSIT France Telecom
| 5617 | 81.190.201.98 | TPNET Polish Telecom_s commercial IP
| network
| 5617 | 81.190.41.4 | TPNET Polish Telecom_s commercial IP
| network
| 5617 | 84.38.90.168 | TPNET Polish Telecom_s commercial IP
| network
| 6453 | 80.200.201.15 | GLOBEINTERNET TATA Communications
| 6453 | 99.225.66.211 | GLOBEINTERNET TATA Communications
| 6461 | 99.225.66.211 | MFNX MFN - Metromedia Fiber Network
| 6774 | 80.200.201.15 | ASN-BICS Belgacom International Carrier
| Services
| 7132 | 99.225.66.211 | SBIS-AS - AT&T Internet Services
| 8246 | 84.38.90.168 | GTS-POLSKA-AS GTS Polska Sp. z o.o.
| 8501 | 148.81.132.211 | PIONIER-AS PIONIER, National Research and
| Education Network in Poland
| 8866 | 78.130.145.225 | BTC-AS Bulgarian Telecommunication Company
| Plc.
| 9070 | 78.130.145.225 | ITD ITD Network Bulgarian ISP
| 11537 | 99.225.66.211 | ABILENE - Internet2
| 12741 | 78.152.16.102 | INTERNETIA-AS Netia SA
| 12887 | 77.253.116.48 | TDC-TRANSIT Swiat Internet SA Transit
| Network
| 12968 | 83.242.74.153 | CDP Crowley Data Poland, sp. z o.o.
| 13293 | 81.190.201.98 | PIONIER-AS-COM PIONIER
| 13293 | 81.190.41.4 | PIONIER-AS-COM PIONIER
| 20960 | 84.38.90.168 | TKTELEKOM-AS Telekomunikacja Kolejowa is an
| ISP operating in Poland
| 24671 | 84.38.90.168 | PILICKA-AS MNI Telecom Sp. z o.o.
| 24724 | 62.21.81.188 | ATMAN-FOREIGN-AS ATM S.A.
| 34224 | 78.130.145.225 | NETERRA-AS Neterra Ltd.
|
| Security through obscurity WORKS against some worms and ssh attacks:)
| Donald.Smith at qwest.com giac
|
|
| This communication is the property of Qwest and may contain confidential or
| privileged information. Unauthorized use of this communication is strictly
| prohibited and may be unlawful. If you have received this communication
| in error, please immediately notify the sender by reply e-mail and destroy
| all copies of the communication and any attachments.
|
|
| _______________________________________________
| nsp-security mailing list
| nsp-security at puck.nether.net
| https://puck.nether.net/mailman/listinfo/nsp-security
|
| Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
| community. Confidentiality is essential for effective Internet
| security counter-measures.
| _______________________________________________
|
- --
William Salusky
william.salusky at aol.net
Sr. Technical Security Investigator - AOL Operations Security
703-265-4924 (desk)
703-201-8873 (cell)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
iD8DBQFIR/fJXyx2ON3+G40RAvltAJ423dCPFgAr84QmKXwSmoW4JB7jtwCfU7QY
BBnTJ0LPzDDXa41CiRmIN1I=
=5ypT
-----END PGP SIGNATURE-----
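The quoted report lists each domain's A records (all with a 10-minute TTL), the Team Cymru bulk-whois origin for every address, and notes that the same compromised hosts serve several of the domains. The following script is an added example, not code from either poster or from the nsp-security list: it parses those two text formats as they appear in the report, profiles each domain by TTL, number of addresses and number of distinct origin ASNs, flags the fast-flux pattern, and lists addresses shared between domains. The sample data is constructed in the report's layout (most values are copied from the quoted DNS and whois lines; the example.com / 192.0.2.10 / AS64496 entry uses documentation ranges as a non-flux control), and the thresholds in is_fast_flux are this example's own assumptions, not figures from the report.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the quoted report. The DNS lines are a
# subset of the report's A records; the example.com line (documentation
# address 192.0.2.10, documentation ASN 64496) is a made-up non-flux control.
DNS_RECORDS = """\
wwwDOTrundll841.com. 10M IN A 81.190.201.98
wwwDOTrundll841.com. 10M IN A 83.50.119.14
wwwDOTrundll841.com. 10M IN A 62.21.3.212
wwwDOTrundll841.com. 10M IN A 99.225.66.211
wwwDOTwin496.com. 10M IN A 62.21.3.212
wwwDOTwin496.com. 10M IN A 81.190.201.98
wwwDOTwin496.com. 10M IN A 12.207.206.75
example.com. 1D IN A 192.0.2.10
"""

# Team Cymru bulk-whois output: "ASN | IP | AS NAME", with a header line that
# the parser must skip. The last entry is constructed for the control domain.
CYMRU_BULK = """\
Bulk mode; whois.cymru.com [2008-06-04 17:41:10 +0000]
812 | 99.225.66.211 | ROGERS-CABLE - Rogers Cable Communications Inc.
3352 | 83.50.119.14 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
13110 | 62.21.3.212 | ICP-AS Internet Cable Provider network
21021 | 81.190.201.98 | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
6478 | 12.207.206.75 | ATT-INTERNET3 - AT&T WorldNet Services
64496 | 192.0.2.10 | EXAMPLE-AS (constructed control entry)
"""

_TTL_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

A_RECORD = re.compile(r"^(\S+)\.\s+(\S+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
CYMRU_LINE = re.compile(r"^\s*(\d+)\s*\|\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\|\s*(.*?)\s*$")


def ttl_to_seconds(ttl):
    """Convert a BIND-style TTL such as '10M', '1D' or plain '600' to seconds."""
    total = 0
    for num, unit in re.findall(r"(\d+)([SMHDW]?)", ttl.upper()):
        total += int(num) * _TTL_UNITS.get(unit, 1)
    return total


def parse_a_records(text):
    """Return (owner, ttl_seconds, ip) for every 'name. TTL IN A addr' line."""
    out = []
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            out.append((m.group(1), ttl_to_seconds(m.group(2)), m.group(3)))
    return out


def parse_cymru(text):
    """Map IP -> (asn, as_name) from 'ASN | IP | AS NAME' lines; skips headers."""
    asmap = {}
    for line in text.splitlines():
        m = CYMRU_LINE.match(line)
        if m:
            asmap[m.group(2)] = (int(m.group(1)), m.group(3))
    return asmap


def build_profiles(records, asmap):
    """Group records by owner: set of IPs, set of origin ASNs, lowest TTL seen."""
    profiles = {}
    for name, ttl, ip in records:
        p = profiles.setdefault(name, {"ips": set(), "asns": set(), "ttl": ttl})
        p["ips"].add(ip)
        p["ttl"] = min(p["ttl"], ttl)
        entry = asmap.get(ip)
        if entry:
            p["asns"].add(entry[0])
    return profiles


def is_fast_flux(profile, min_ips=3, max_ttl=900, min_asns=3):
    """Heuristic (thresholds are assumptions): short TTL, many addresses,
    spread across many unrelated networks, as in the quoted report."""
    return (profile["ttl"] <= max_ttl
            and len(profile["ips"]) >= min_ips
            and len(profile["asns"]) >= min_asns)


def shared_infrastructure(profiles):
    """Addresses that serve more than one domain, as ip -> set of domain names."""
    hosts = defaultdict(set)
    for name, p in profiles.items():
        for ip in p["ips"]:
            hosts[ip].add(name)
    return {ip: names for ip, names in hosts.items() if len(names) > 1}


if __name__ == "__main__":
    profiles = build_profiles(parse_a_records(DNS_RECORDS), parse_cymru(CYMRU_BULK))
    for name, p in sorted(profiles.items()):
        print(f"{name}: ttl={p['ttl']}s ips={len(p['ips'])} "
              f"asns={len(p['asns'])} fast-flux={is_fast_flux(p)}")
    for ip, names in sorted(shared_infrastructure(profiles).items()):
        print(f"{ip} is shared by {', '.join(sorted(names))}")
```

On the sample above, both wwwDOT domains are flagged (10-minute TTL, addresses in at least three different origin ASNs, mostly consumer and academic networks) while the long-TTL single-address control is not, and 62.21.3.212 and 81.190.201.98 show up as hosts reused across domains, which is the overlap the report points out. The ASN spread matters more than the address count alone: a CDN also hands out many addresses on a short TTL, but they sit in the CDN's own network rather than scattered across unrelated residential ISPs.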