[nsp-sec] [SPAM] rundll841.com wwwDOTwin496.com wwwDOTtag58.comerr68.com and sysid72.com sqlinjection sites.
Smith, Donald
Donald.Smith at qwest.com
Thu Jun 5 19:28:49 EDT 2008
Steve, would that be fast flux controllers or fast flux end nodes? Or both?
Having the controllers allows us to take some kind of action.
Having the end nodes means we can notify, although since we don't know WHAT they have, we would have to use a generic bot notification.
donald.smith at qwest.com giac
________________________________
From: Stephen Gill [mailto:gillsr at cymru.com]
Sent: Wed 6/4/2008 3:23 PM
To: Smith, Donald; nsp-security at puck.nether.net
Subject: Re: [SPAM] [nsp-sec] rundll841.com wwwDOTwin496.com wwwDOTtag58.comerr68.com and sysid72.com sqlinjection sites.
We may have a fastflux feed available soon, so if there are any folks that
would like to contribute to it for the ASN Alerts, please let us know!
Cheers,
-- steve
On 6/4/08 11:30 AM, "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> ----------- nsp-security Confidential --------
>
> wwwDOTrundll841.com leads to wwwDOTwin496.com which leads to
> sysid72.com which is the same exploit site the other injections were
> using.
> sysid72.com shutdown is fast fluxed and was included in yesterday's
> report.
> They are reusing some of their compromised systems to host more than one
> domain so you will see some repeats.
>
> wwwDOTtag58.com leads to err68.com which is also fast fluxed and leads
> to sysid72.com.
>
> These lead to flash exploits served up from sysid72.com.
>
> Security through obscurity WORKS against some worms and ssh attacks:)
> Donald.Smith at qwest.com giac
>
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
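A detection heuristic for the pattern Donald describes (10-minute TTLs, a dozen A records per domain, spread across many consumer ASNs), added here as an example and not code from the thread or from Team Cymru. The input is constructed in the same two formats the report pastes (dig-style A records and Cymru bulk-whois lines), and the thresholds in `fast_flux_score` are assumptions to tune per feed.

```python
import re
# Constructed sample input in the thread's two formats (RFC 5737 documentation
# addresses, not the IPs from the report): dig A records and Cymru bulk-whois lines.
A_RECORDS = """\
flux.example. 10M IN A 192.0.2.10
flux.example. 10M IN A 198.51.100.7
flux.example. 10M IN A 203.0.113.44
flux.example. 10M IN A 192.0.2.200
stable.example. 1D IN A 203.0.113.1
"""
BULK_WHOIS = """\
Bulk mode; whois.cymru.com [2008-06-04 18:21:19 +0000]
64496 | 192.0.2.10 | AS-ONE Example cable ISP
64497 | 198.51.100.7 | AS-TWO Example telecom
64498 | 203.0.113.44 | AS-THREE Example academic network
64496 | 192.0.2.200 | AS-ONE Example cable ISP
64500 | 203.0.113.1 | AS-HOST Example hosting
"""
TTL_UNITS = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

def ttl_seconds(ttl):
    # dig prints TTLs like "10M" or "1D"; bare numbers are already seconds
    m = re.fullmatch(r"(\d+)([SMHDW]?)", ttl.upper())
    if not m:
        raise ValueError(f"bad TTL: {ttl}")
    return int(m.group(1)) * TTL_UNITS[m.group(2)]

def parse_a_records(text):
    # {domain: (ttl_seconds, {ip, ...})} from "name. TTL IN A ip" lines
    out = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5 and parts[2:4] == ["IN", "A"]:
            out.setdefault(parts[0], (ttl_seconds(parts[1]), set()))[1].add(parts[4])
    return out

def parse_bulk_whois(text):
    # {ip: asn} from "ASN | IP | name" lines; the "Bulk mode;" banner is skipped
    rows = (tuple(c.strip() for c in line.split("|")) for line in text.splitlines())
    return {r[1]: int(r[0]) for r in rows if len(r) >= 2 and r[0].isdigit()}

def fast_flux_score(domain, records, asn_of, max_ttl=900, min_ips=4, min_asns=3):
    # Heuristic from the report: short TTL, many A records, spread over many ASNs
    ttl, ips = records[domain]
    asns = {asn_of[ip] for ip in ips if ip in asn_of}
    flux = ttl <= max_ttl and len(ips) >= min_ips and len(asns) >= min_asns
    return {"ttl": ttl, "ips": len(ips), "asns": len(asns), "fast_flux": flux}

def report(a_text=A_RECORDS, whois_text=BULK_WHOIS):
    records, asn_of = parse_a_records(a_text), parse_bulk_whois(whois_text)
    return {d: fast_flux_score(d, records, asn_of) for d in records}
```

Feeding it the real dig and bulk-whois output from a report flags the flux domains while a normally hosted name with a long TTL and one ASN stays clear.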