[nsp-sec] VoIP scanning/abuse -> MyCERT/TTNET-MY

Rob Thomas robt at cymru.com
Fri Jun 13 17:02:16 EDT 2008


Hi, team.

Happy Friday!  :)

> While you're at it, block/flag these (from the same 124.217.240.0/20) as
> well:

Good advice, Gerard.  We see a few Russian carders and DDoS
extortionists referencing IPs in that vicinity.  It seems they prefer
cPanel for management, btw.

> 124.217.248.143

Yum, malware!

       timestamp      |       ip        | asn  |  category  |             comment
--------------------- ----------------- ------ ------------ ---------------------------------
  2008-06-03 05:06:02 | 124.217.248.143 | 9930 | malwareurl | hxxp://124.217.248.143/cb_1.exe

We have at least two samples in our malware menagerie that point to this IP.

       timestamp      |                   sha1                   |               md5                |     dst_ip      | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- ----------------- ---------- ---------- ------
  2008-06-02 15:51:00 | 2e165ac16fd8de9a86f54b45fd201f8fd1c32312 | 6ddc422b91a3af967ec08e1fda56e18a | 124.217.248.143 |       80 |        6 |
  2008-06-05 22:51:08 | 6bcd352db97f561e96dab895f6dd8ee46981ecfd | 07180ef0c63c520987b85496ee2012ae | 124.217.248.143 |       80 |        6 |

> 124.217.249.5

More malware and an HTTP C&C.

       timestamp      |      ip       | asn  |  category  |                            comment
--------------------- --------------- ------ ------------ ---------------------------------------------------------------
  2008-02-21 20:24:33 | 124.217.249.5 | 9930 | botnetcc   | category: botweb url: http://124.217.249.5/cgi-bin/pstore.cgi
  2008-02-28 13:51:37 | 124.217.249.5 | 9930 | malwareurl | http://124.217.249.5/185.exe

We have at least 17 samples in our malware menagerie that point to this IP.

It's running BIND and is open to recursion.

No surprise that the web server is nginx.

> 124.217.249.240

Aaaand more of the same:

       timestamp      |       ip        | asn  |  category  |                         comment
--------------------- ----------------- ------ ------------ --------------------------------------------------------
  2008-04-17 00:49:39 | 124.217.249.240 | 9930 | botnetcc   | category: botweb url: hxxp://tdslight.com/bot/stat.php
  2008-05-20 19:52:05 | 124.217.249.240 | 9930 | malwareurl | hxxp://av-update.in/files/10.dat

Lots of HTTP C&C activity on this IP.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
