[nsp-sec] [SPAM] rundll841.com wwwDOTwin496.com wwwDOTtag58.comerr68.com and sysid72.com sqlinjection sites.

Stephen Gill gillsr at cymru.com
Fri Jun 6 11:50:11 EDT 2008


Initially end nodes, but if someone provided a feed of controllers we'd be
happy to add those in as well!  For a controller feed someone with a decent
sized broadband network would need to take it on and have a decent sized
fastflux domain feed for watching and probing once they route through their
network.

Cheers,
-- steve

On 6/5/08 4:28 PM, "Smith, Donald" <Donald.Smith at qwest.com> wrote:

> Steve would that be fast flux controllers or fast flux end nodes? or both?
>  
> Having the controllers allows us to take some kind of action.
> Having the end nodes means we can notify although since we don't know WHAT
> they have we would have to use a generic bot notification.
>  
> donald.smith at qwest.com giac
> 
> 
> ________________________________
> 
> From: Stephen Gill [mailto:gillsr at cymru.com]
> Sent: Wed 6/4/2008 3:23 PM
> To: Smith, Donald; nsp-security at puck.nether.net
> Subject: Re: [SPAM] [nsp-sec] rundll841.com wwwDOTwin496.com
> wwwDOTtag58.comerr68.com and sysid72.com sqlinjection sites.
> 
> 
> 
> We may have a fastflux feed available soon, so if there are any folks that
> would like to contribute to it for the ASN Alerts, please let us know!
> 
> Cheers,
> -- steve
> 
> On 6/4/08 11:30 AM, "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> 
>> ----------- nsp-security Confidential --------
>> 
>> wwwDOTrundll841.com leads to wwwDOTwin496.com which leads to
>> sysid72.com which is the same exploit site the other injections were
>> using.
>> sysid72.com shutdown is fast fluxed and was included in yesterday's
>> report.
>> They are reusing some of their compromised systems to host more than one
>> domain so you will see some repeats.
>> 
>> wwwDOTtag58.com leads to err68.com which is also fast fluxed and leads
>> to sysid72.com.
>> 
>> These lead to flash exploits served up from sysid72.com.
>> wwwDOTrundll841.com.      10M IN A        81.190.201.98
>> wwwDOTrundll841.com.      10M IN A        83.50.119.14
>> wwwDOTrundll841.com.      10M IN A        81.190.41.4
>> wwwDOTrundll841.com.      10M IN A        156.17.227.218
>> wwwDOTrundll841.com.      10M IN A        83.24.132.177
>> wwwDOTrundll841.com.      10M IN A        62.21.3.212
>> wwwDOTrundll841.com.      10M IN A        78.92.73.240
>> wwwDOTrundll841.com.      10M IN A        99.225.66.211
>> wwwDOTrundll841.com.      10M IN A        77.253.116.48
>> wwwDOTrundll841.com.      10M IN A        83.242.74.153
>> wwwDOTrundll841.com.      10M IN A        82.143.130.48
>> wwwDOTrundll841.com.      10M IN A        82.159.61.76
>> 
>> Bulk mode; whois.cymru.com [2008-06-04 17:41:10 +0000]
>> 812     | 99.225.66.211    | ROGERS-CABLE - Rogers Cable Communications
>> Inc.
>> 3352    | 83.50.119.14     | TELEFONICA-DATA-ESPANA Internet Access
>> Network of TDE
>> 5483    | 78.92.73.240     | HTC-AS Hungarian Telecom
>> 5617    | 83.24.132.177    | TPNET Polish Telecom_s commercial IP
>> network
>> 8970    | 156.17.227.218   | WASK WROCMAN-EDU educational part of WASK
>> network,Wroclaw, Poland
>> 12741   | 77.253.116.48    | INTERNETIA-AS Netia SA
>> 13110   | 62.21.3.212      | ICP-AS Internet Cable Provider network
>> 16338   | 82.159.61.76     | AUNA_TELECOM-AS Cableuropa - ONO
>> 21021   | 81.190.201.98    | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
>> 21021   | 81.190.41.4      | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
>> 28982   | 82.143.130.48    | E-WRO E-WRO Autonomous System
>> 30838   | 83.242.74.153    | TELPOL PPMUE TELPOL
>> UPSTREAMS
>> $ cat whois.up
>> Bulk mode; peer-whois.cymru.com [2008-06-04 17:42:21 +0000]
>> 174     | 82.159.61.76     | COGENT Cogent/PSI
>> 174     | 99.225.66.211    | COGENT Cogent/PSI
>> 1273    | 82.159.61.76     | CW Cable and Wireless plc
>> 1299    | 62.21.3.212      | TELIANET TeliaNet Global Network
>> 1299    | 78.92.73.240     | TELIANET TeliaNet Global Network
>> 3320    | 78.92.73.240     | DTAG Deutsche Telekom AG
>> 3320    | 81.190.201.98    | DTAG Deutsche Telekom AG
>> 3356    | 75.131.91.215    | LEVEL3 Level 3 Communications
>> 3549    | 62.21.3.212      | GBLX Global Crossing Ltd.
>> 3549    | 99.225.66.211    | GBLX Global Crossing Ltd.
>> 5511    | 83.24.132.177    | OPENTRANSIT France Telecom
>> 5617    | 81.190.201.98    | TPNET Polish Telecom_s commercial IP
>> network
>> 5617    | 81.190.41.4      | TPNET Polish Telecom_s commercial IP
>> network
>> 6453    | 82.159.61.76     | GLOBEINTERNET TATA Communications
>> 6453    | 99.225.66.211    | GLOBEINTERNET TATA Communications
>> 6461    | 99.225.66.211    | MFNX MFN - Metromedia Fiber Network
>> 7132    | 99.225.66.211    | SBIS-AS - AT&T Internet Services
>> 8501    | 156.17.227.218   | PIONIER-AS PIONIER, National Research and
>> Education Network in Poland
>> 8928    | 78.92.73.240     | INTEROUTE Interoute Communications Ltd
>> 11537   | 99.225.66.211    | ABILENE - Internet2
>> 12887   | 77.253.116.48    | TDC-TRANSIT Swiat Internet SA Transit
>> Network
>> 12956   | 83.50.119.14     | TELEFONICA Telefonica Backbone Autonomous
>> System
>> 12968   | 83.242.74.153    | CDP Crowley Data Poland, sp. z o.o.
>> 13293   | 81.190.201.98    | PIONIER-AS-COM PIONIER
>> 13293   | 81.190.41.4      | PIONIER-AS-COM PIONIER
>> 15857   | 82.143.130.48    | DIALOG-AS DIALOG-NET Autonomuos System
>> 24724   | 62.21.3.212      | ATMAN-FOREIGN-AS ATM S.A.
>> 
>> wwwDOTwin496.com.         10M IN A        62.21.3.212
>> wwwDOTwin496.com.         10M IN A        81.190.201.98
>> wwwDOTwin496.com.         10M IN A        78.92.73.240
>> wwwDOTwin496.com.         10M IN A        77.253.116.48
>> wwwDOTwin496.com.         10M IN A        78.152.16.102
>> wwwDOTwin496.com.         10M IN A        99.194.80.27
>> wwwDOTwin496.com.         10M IN A        83.24.132.177
>> wwwDOTwin496.com.         10M IN A        83.50.119.14
>> wwwDOTwin496.com.         10M IN A        81.190.41.4
>> wwwDOTwin496.com.         10M IN A        12.207.206.75
>> wwwDOTwin496.com.         10M IN A        62.21.81.188
>> wwwDOTwin496.com.         10M IN A        83.11.193.104
>> wwwDOTwin496.com.         10M IN A        82.143.130.48
>> 
>> Bulk mode; whois.cymru.com [2008-06-04 18:21:19 +0000]
>> 3352    | 83.50.119.14     | TELEFONICA-DATA-ESPANA Internet Access
>> Network of TDE
>> 5483    | 78.92.73.240     | HTC-AS Hungarian Telecom
>> 5617    | 83.11.193.104    | TPNET Polish Telecom_s commercial IP
>> network
>> 5617    | 83.24.132.177    | TPNET Polish Telecom_s commercial IP
>> network
>> 6478    | 12.207.206.75    | ATT-INTERNET3 - AT&T WorldNet Services
>> 7776    | 99.194.80.27     | MEBT7776 - Mebtel Communications
>> 12741   | 77.253.116.48    | INTERNETIA-AS Netia SA
>> 13110   | 62.21.3.212      | ICP-AS Internet Cable Provider network
>> 13110   | 62.21.81.188     | ICP-AS Internet Cable Provider network
>> 21021   | 81.190.201.98    | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
>> 21021   | 81.190.41.4      | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
>> 28982   | 82.143.130.48    | E-WRO E-WRO Autonomous System
>> 43118   | 78.152.16.102    | EAW-AS East & West Sp. z o.o.
>> 
>> UPSTREAMS
>> Bulk mode; peer-whois.cymru.com [2008-06-04 18:21:21 +0000]
>> 1299    | 62.21.3.212      | TELIANET TeliaNet Global Network
>> 1299    | 62.21.81.188     | TELIANET TeliaNet Global Network
>> 1299    | 78.92.73.240     | TELIANET TeliaNet Global Network
>> 3320    | 78.92.73.240     | DTAG Deutsche Telekom AG
>> 3320    | 81.190.201.98    | DTAG Deutsche Telekom AG
>> 3356    | 75.131.91.215    | LEVEL3 Level 3 Communications
>> 3549    | 62.21.3.212      | GBLX Global Crossing Ltd.
>> 3549    | 62.21.81.188     | GBLX Global Crossing Ltd.
>> 5511    | 83.11.193.104    | OPENTRANSIT France Telecom
>> 5511    | 83.24.132.177    | OPENTRANSIT France Telecom
>> 5617    | 81.190.201.98    | TPNET Polish Telecom_s commercial IP
>> network
>> 5617    | 81.190.41.4      | TPNET Polish Telecom_s commercial IP
>> network
>> 7018    | 12.207.206.75    | ATT-INTERNET4 - AT&T WorldNet Services
>> 8928    | 78.92.73.240     | INTEROUTE Interoute Communications Ltd
>> 12741   | 78.152.16.102    | INTERNETIA-AS Netia SA
>> 12887   | 77.253.116.48    | TDC-TRANSIT Swiat Internet SA Transit
>> Network
>> 12956   | 83.50.119.14     | TELEFONICA Telefonica Backbone Autonomous
>> System
>> 13293   | 81.190.201.98    | PIONIER-AS-COM PIONIER
>> 13293   | 81.190.41.4      | PIONIER-AS-COM PIONIER
>> 14745   | 99.194.80.27     | INTERNAP-BLOCK-4 - Internap Network
>> Services
>> 15857   | 82.143.130.48    | DIALOG-AS DIALOG-NET Autonomuos System
>> 24724   | 62.21.3.212      | ATMAN-FOREIGN-AS ATM S.A.
>> 24724   | 62.21.81.188     | ATMAN-FOREIGN-AS ATM S.A.
>> 
>> wwwDOTtag58.com.          10M IN A        82.143.130.48
>> wwwDOTtag58.com.          10M IN A        83.50.119.14
>> wwwDOTtag58.com.          10M IN A        78.92.73.240
>> wwwDOTtag58.com.          10M IN A        78.152.16.102
>> wwwDOTtag58.com.          10M IN A        77.253.116.48
>> wwwDOTtag58.com.          10M IN A        83.24.132.177
>> wwwDOTtag58.com.          10M IN A        81.190.41.4
>> wwwDOTtag58.com.          10M IN A        99.194.80.27
>> wwwDOTtag58.com.          10M IN A        62.21.81.188
>> wwwDOTtag58.com.          10M IN A        62.21.3.212
>> wwwDOTtag58.com.          10M IN A        83.11.193.104
>> wwwDOTtag58.com.          10M IN A        81.190.201.98
>> 
>> Bulk mode; whois.cymru.com [2008-06-04 18:10:22 +0000]
>> 3352    | 83.50.119.14     | TELEFONICA-DATA-ESPANA Internet Access
>> Network of TDE
>> 5483    | 78.92.73.240     | HTC-AS Hungarian Telecom
>> 5617    | 83.11.193.104    | TPNET Polish Telecom_s commercial IP
>> network
>> 5617    | 83.24.132.177    | TPNET Polish Telecom_s commercial IP
>> network
>> 7776    | 99.194.80.27     | MEBT7776 - Mebtel Communications
>> 12741   | 77.253.116.48    | INTERNETIA-AS Netia SA
>> 13110   | 62.21.3.212      | ICP-AS Internet Cable Provider network
>> 13110   | 62.21.81.188     | ICP-AS Internet Cable Provider network
>> 21021   | 81.190.201.98    | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
>> 21021   | 81.190.41.4      | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
>> 28982   | 82.143.130.48    | E-WRO E-WRO Autonomous System
>> 43118   | 78.152.16.102    | EAW-AS East & West Sp. z o.o.
>> UPSTREAMS
>> Bulk mode; peer-whois.cymru.com [2008-06-04 18:10:29 +0000]
>> 1299    | 62.21.3.212      | TELIANET TeliaNet Global Network
>> 1299    | 62.21.81.188     | TELIANET TeliaNet Global Network
>> 1299    | 78.92.73.240     | TELIANET TeliaNet Global Network
>> 3320    | 78.92.73.240     | DTAG Deutsche Telekom AG
>> 3320    | 81.190.201.98    | DTAG Deutsche Telekom AG
>> 3356    | 75.131.91.215    | LEVEL3 Level 3 Communications
>> 3549    | 62.21.3.212      | GBLX Global Crossing Ltd.
>> 3549    | 62.21.81.188     | GBLX Global Crossing Ltd.
>> 5511    | 83.11.193.104    | OPENTRANSIT France Telecom
>> 5511    | 83.24.132.177    | OPENTRANSIT France Telecom
>> 5617    | 81.190.201.98    | TPNET Polish Telecom_s commercial IP
>> network
>> 5617    | 81.190.41.4      | TPNET Polish Telecom_s commercial IP
>> network
>> 8928    | 78.92.73.240     | INTEROUTE Interoute Communications Ltd
>> 12741   | 78.152.16.102    | INTERNETIA-AS Netia SA
>> 12887   | 77.253.116.48    | TDC-TRANSIT Swiat Internet SA Transit
>> Network
>> 12956   | 83.50.119.14     | TELEFONICA Telefonica Backbone Autonomous
>> System
>> 13293   | 81.190.201.98    | PIONIER-AS-COM PIONIER
>> 13293   | 81.190.41.4      | PIONIER-AS-COM PIONIER
>> 14745   | 99.194.80.27     | INTERNAP-BLOCK-4 - Internap Network
>> Services
>> 15857   | 82.143.130.48    | DIALOG-AS DIALOG-NET Autonomuos System
>> 19151   | 24.196.230.18    | WVFIBER-1 - WV FIBER LLC
>> 24724   | 62.21.3.212      | ATMAN-FOREIGN-AS ATM S.A.
>> 24724   | 62.21.81.188     | ATMAN-FOREIGN-AS ATM S.A.
>> 
>> err68.com.              10M IN A        78.152.16.102
>> err68.com.              10M IN A        65.78.241.194
>> err68.com.              10M IN A        83.242.74.153
>> err68.com.              10M IN A        81.190.201.98
>> err68.com.              10M IN A        148.81.132.211
>> err68.com.              10M IN A        81.190.41.4
>> err68.com.              10M IN A        83.24.132.177
>> err68.com.              10M IN A        84.38.90.168
>> err68.com.              10M IN A        78.130.145.225
>> err68.com.              10M IN A        77.253.116.48
>> err68.com.              10M IN A        83.11.193.104
>> err68.com.              10M IN A        62.21.81.188
>> err68.com.              10M IN A        80.200.201.15
>> err68.com.              10M IN A        99.225.66.211
>> 
>> 812     | 99.225.66.211    | ROGERS-CABLE - Rogers Cable Communications
>> Inc.
>> 1887    | 148.81.132.211   | NASK-ACADEMIC NASK
>> 5432    | 80.200.201.15    | BELGACOM-SKYNET-AS Belgacom regional ASN
>> 5617    | 83.11.193.104    | TPNET Polish Telecom_s commercial IP
>> network
>> 5617    | 83.24.132.177    | TPNET Polish Telecom_s commercial IP
>> network
>> 12741   | 77.253.116.48    | INTERNETIA-AS Netia SA
>> 13110   | 62.21.81.188     | ICP-AS Internet Cable Provider network
>> 15227   | 65.78.241.194    | WVFIBERNET - FiberNet of West Virginia
>> 21021   | 81.190.201.98    | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
>> 21021   | 81.190.41.4      | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
>> 21415   | 78.130.145.225   | INTERNETGROUP-AS-BG Internet Group Ltd.
>> 30838   | 83.242.74.153    | TELPOL PPMUE TELPOL
>> 39349   | 84.38.90.168     | TVKDIANA-AS Telewizja Kablowa Diana s.j.
>> 43118   | 78.152.16.102    | EAW-AS East & West Sp. z o.o.
>> UPSTREAMS
>> Bulk mode; peer-whois.cymru.com [2008-06-04 18:05:28 +0000]
>> 174     | 99.225.66.211    | COGENT Cogent/PSI
>> 1239    | 65.78.241.194    | SPRINTLINK - Sprint
>> 1239    | 80.200.201.15    | SPRINTLINK - Sprint
>> 1299    | 62.21.81.188     | TELIANET TeliaNet Global Network
>> 3320    | 81.190.201.98    | DTAG Deutsche Telekom AG
>> 3549    | 62.21.81.188     | GBLX Global Crossing Ltd.
>> 3549    | 99.225.66.211    | GBLX Global Crossing Ltd.
>> 5511    | 83.11.193.104    | OPENTRANSIT France Telecom
>> 5511    | 83.24.132.177    | OPENTRANSIT France Telecom
>> 5617    | 81.190.201.98    | TPNET Polish Telecom_s commercial IP
>> network
>> 5617    | 81.190.41.4      | TPNET Polish Telecom_s commercial IP
>> network
>> 5617    | 84.38.90.168     | TPNET Polish Telecom_s commercial IP
>> network
>> 6453    | 80.200.201.15    | GLOBEINTERNET TATA Communications
>> 6453    | 99.225.66.211    | GLOBEINTERNET TATA Communications
>> 6461    | 99.225.66.211    | MFNX MFN - Metromedia Fiber Network
>> 6774    | 80.200.201.15    | ASN-BICS Belgacom International Carrier
>> Services
>> 7132    | 99.225.66.211    | SBIS-AS - AT&T Internet Services
>> 8246    | 84.38.90.168     | GTS-POLSKA-AS GTS Polska Sp. z o.o.
>> 8501    | 148.81.132.211   | PIONIER-AS PIONIER, National Research and
>> Education Network in Poland
>> 8866    | 78.130.145.225   | BTC-AS Bulgarian Telecommunication Company
>> Plc.
>> 9070    | 78.130.145.225   | ITD ITD Network Bulgarian ISP
>> 11537   | 99.225.66.211    | ABILENE - Internet2
>> 12741   | 78.152.16.102    | INTERNETIA-AS Netia SA
>> 12887   | 77.253.116.48    | TDC-TRANSIT Swiat Internet SA Transit
>> Network
>> 12968   | 83.242.74.153    | CDP Crowley Data Poland, sp. z o.o.
>> 13293   | 81.190.201.98    | PIONIER-AS-COM PIONIER
>> 13293   | 81.190.41.4      | PIONIER-AS-COM PIONIER
>> 20960   | 84.38.90.168     | TKTELEKOM-AS Telekomunikacja Kolejowa is an
>> ISP operating in Poland
>> 24671   | 84.38.90.168     | PILICKA-AS MNI Telecom Sp. z o.o.
>> 24724   | 62.21.81.188     | ATMAN-FOREIGN-AS ATM S.A.
>> 34224   | 78.130.145.225   | NETERRA-AS Neterra Ltd.
>> 
>> Security through obscurity WORKS against some worms and ssh attacks:)
>> Donald.Smith at qwest.com giac
>> 
>> 
>> This communication is the property of Qwest and may contain confidential or
>> privileged information. Unauthorized use of this communication is strictly
>> prohibited and may be unlawful.  If you have received this communication
>> in error, please immediately notify the sender by reply e-mail and destroy
>> all copies of the communication and any attachments.
>> 
>> 
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>> 
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security
>> counter-measures.
>> _______________________________________________
> 
> --
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
> 
> 
> 

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
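The thread's evidence for fast flux is all in the pasted data: a 10-minute TTL, a dozen A records per name, each record in a different (mostly broadband) ASN, and the same hosts reappearing behind several domains. The script below is an added example, not code from the thread, from Team Cymru or from Qwest. It parses dig-style A records and whois.cymru.com bulk-mode output in the exact formats pasted above (the sample rows are copied from the thread, with the "wwwDOT" obfuscation undone and wrapped AS names rejoined), then computes the three signals a triage analyst would want: TTL, ASN diversity per domain, and the cross-domain host reuse Donald points out. The TTL and ASN thresholds are my assumptions; the thread states no numbers.

```python
"""Fast-flux triage over dig-style A records and Team Cymru bulk-whois output.

Added example for this thread, not the list's or Team Cymru's own tooling.
Sample rows are taken from the thread; thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample in the thread's own format: a subset of each domain's
# A records as pasted above, "wwwDOT" restored to "www.".
A_RECORDS = """\
www.rundll841.com.      10M IN A        81.190.201.98
www.rundll841.com.      10M IN A        83.50.119.14
www.rundll841.com.      10M IN A        156.17.227.218
www.rundll841.com.      10M IN A        99.225.66.211
www.win496.com.         10M IN A        62.21.3.212
www.win496.com.         10M IN A        81.190.201.98
www.win496.com.         10M IN A        12.207.206.75
www.win496.com.         10M IN A        83.50.119.14
err68.com.              10M IN A        78.152.16.102
err68.com.              10M IN A        81.190.201.98
err68.com.              10M IN A        148.81.132.211
err68.com.              10M IN A        99.225.66.211
"""

# Constructed sample of whois.cymru.com bulk-mode output ("ASN | IP | AS name"),
# rows copied from the thread with line-wrapped AS names rejoined.
CYMRU_BULK = """\
Bulk mode; whois.cymru.com [2008-06-04 17:41:10 +0000]
812     | 99.225.66.211    | ROGERS-CABLE - Rogers Cable Communications Inc.
3352    | 83.50.119.14     | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
8970    | 156.17.227.218   | WASK WROCMAN-EDU educational part of WASK network
21021   | 81.190.201.98    | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
13110   | 62.21.3.212      | ICP-AS Internet Cable Provider network
6478    | 12.207.206.75    | ATT-INTERNET3 - AT&T WorldNet Services
43118   | 78.152.16.102    | EAW-AS East & West Sp. z o.o.
1887    | 148.81.132.211   | NASK-ACADEMIC NASK
"""

TTL_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def parse_ttl(text):
    """Parse a dig TTL such as '10M', '600' or '1H' into seconds."""
    m = re.fullmatch(r"(\d+)([SMHDW]?)", text.upper())
    if not m:
        raise ValueError(f"bad TTL: {text!r}")
    return int(m.group(1)) * TTL_UNITS.get(m.group(2), 1)


def parse_a_records(text):
    """Return {domain: {'ttl': seconds, 'ips': set()}} from dig-style A records."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2:4] != ["IN", "A"]:
            continue  # not an A record line
        name = parts[0].rstrip(".").lower()
        rec = out.setdefault(name, {"ttl": parse_ttl(parts[1]), "ips": set()})
        rec["ttl"] = min(rec["ttl"], parse_ttl(parts[1]))
        rec["ips"].add(parts[4])
    return out


def parse_cymru_bulk(text):
    """Return {ip: (asn, as_name)} from whois.cymru.com bulk-mode output."""
    out = {}
    for line in text.splitlines():
        if "|" not in line:
            continue  # 'Bulk mode; ...' header or blank line
        asn, ip, name = (f.strip() for f in line.split("|", 2))
        if asn.isdigit():
            out[ip] = (int(asn), name)
    return out


def flux_score(domains, ip_asn, max_ttl=900, min_asns=3):
    """Flag names whose RRset is short-lived and spread across many ASNs.

    max_ttl / min_asns are assumed thresholds; a CDN also has short TTLs and
    many IPs, but its IPs sit in a few ASNs it owns, not in a dozen
    unrelated broadband networks as the thread's data does.
    """
    report = {}
    for name, rec in domains.items():
        asns = {ip_asn[ip][0] for ip in rec["ips"] if ip in ip_asn}
        report[name] = {
            "ttl": rec["ttl"],
            "ips": len(rec["ips"]),
            "asns": len(asns),
            "fastflux": rec["ttl"] <= max_ttl and len(asns) >= min_asns,
        }
    return report


def shared_hosts(domains):
    """IPs serving more than one domain: the host reuse the thread notes,
    and the pivot that clusters these names into a single campaign."""
    by_ip = defaultdict(set)
    for name, rec in domains.items():
        for ip in rec["ips"]:
            by_ip[ip].add(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    doms = parse_a_records(A_RECORDS)
    asn_map = parse_cymru_bulk(CYMRU_BULK)
    for name, r in sorted(flux_score(doms, asn_map).items()):
        print(f"{name:20} ttl={r['ttl']:>5}s ips={r['ips']:>2} asns={r['asns']:>2} "
              f"fastflux={r['fastflux']}")
    for ip, names in sorted(shared_hosts(doms).items()):
        print(f"shared host {ip:16} -> {', '.join(sorted(names))}")
```

Feed it the full RRsets rather than the subset embedded here and the ASN counts climb to the ten-plus per domain seen in the thread. For notification, run the IPs through peer-whois.cymru.com as Donald does to get upstreams, since the end node's own ASN (a cable or DSL provider) is where the abuse report goes, while the shared-host list tells you which domains to fold into one report.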