[nsp-sec] spam bounces - the sending bots

Andreas Bunten bunten at dfn-cert.de
Mon Jun 23 03:29:03 EDT 2008


Stephen Gill wrote:

> The biggest thing in common I see amongst your IPs is the fact that they are
> reaching out to this C&C on TCP 80 and TCP 443:
> 
> 26780   | 208.72.169.189   | MCCOLO - McColo Corporation
> 
> Here's a snapshot of some of the malware sample hashes and dnsrrs associated
> with the flows:
> 
> 0b2e8bedc1db068e9f432d7e2e818d225f652bee | 7c90c3a0c57bc0794774b3aa1d42c0e3
> | 2008-05-03 10:28:45 | almbarcoz.info | 208.72.169.189 | A
(...)
>  hxxp://195.93.218.28/s4/u.php
> 
> Hopefully that should get you started ;).

It does - thanks! :-)

Regards,
Andreas

-- 
Andreas Bunten (CSIRT), +49 40 808077-555

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany,  CEO: Dr. Klaus-Peter Kossakowski

Automatic warning messages                https://www.cert.dfn.de/autowarn