[nsp-sec] Ddos controller - caatadgouk.com
jose nazario
jose at arbor.net
Fri Jun 27 09:33:10 EDT 2008
The following URLs appear to be related to a simple DDoS controller engine:
http://caatadgouk.com/ddos1.php
http://caatadgouk.com/ddos.php
http://caatadgouk.com/ddos.txt
http://ceqypawkht.com/uniq.php?id=NNNN (where NNNN looks like the IP in 32bit int format, signed, and is a registration URL)
Recent malcode includes:
http://ceqypawkht.com/progs/blymdeivw/cppthyzd
MD5: 0d770b9be2e5946b5889718249b4d5c6
SHA1: c5c97cf0ba3dc9c3afb7a6ab7d0edba20184fb7a
File type: MS Windows PE
File size: 4096 bytes
http://caatadgouk.com/ddos.txt
MD5: ee8c75b4a869d188b491150d90307237
SHA1: 8971793425e4abc4daf095978ac523220addfdcc
File type: MS Windows PE
File size: 14336 bytes
The hostname currently resolves to:
AS | IP | AS Name
44997 | 91.203.92.17 | UATELECOM-AS UATELECOM LTD.
inetnum: 91.203.92.0 - 91.203.95.255
netname: UATELECOM
descr: ISP UATelecom holding LLC.
descr: Provider local registry
country: EU
org: ORG-TG39-RIPE
admin-c: VK1347-RIPE
tech-c: unm1-RIPE
status: ASSIGNED PI
mnt-by: UATELECOM-MNT
mnt-by: UATELECOM-MNT
mnt-lower: UATELECOM-MNT
mnt-routes: UATELECOM-MNT
mnt-domains: UATELECOM-MNT
remarks: ---------------------
remarks: abuse problems (spam/malware/fraud etc.) use only abuse
mailbox: abuse at uatelecom.co.ua
remarks: technical issues use e-mail: ipadmin at uatelecom.co.ua
remarks: 24/7 NOC custumers support team: noc at uatelecom.co.ua
remarks: ---------------------
source: RIPE # Filtered
Previously, that hostname was associated with this IP:
AS | IP | AS Name
27595 | 85.255.121.195 | INTERCAGE - InterCage, Inc.
I have not filed an abuse complaint at UATelecom.
-- jose
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO
Arbor Networks
v: (734) 821 1427
PGP: 0x40A7BF94
www.arbornetworks.com
-------------------------------------------------------------
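As an added example (not code from the post, nor from the malware it describes), the following converts between dotted-quad IPv4 and the signed 32-bit integer form that the `uniq.php?id=NNNN` registration URL appears to use, and decodes such a URL back to an address. The encoding itself is only the poster's surmise ("looks like"), and the byte order is not stated, so the helpers take an endianness flag; the decoder also tolerates an unsigned encoding. The id values and the address 192.0.2.1 below are constructed for the demonstration.

```python
import ipaddress
import struct
from urllib.parse import parse_qs, urlparse


def ip_to_signed_int(ip: str, little_endian: bool = False) -> int:
    """Encode a dotted-quad IPv4 address as a signed 32-bit integer.

    Network (big-endian) order by default; little_endian=True models a
    bot that sent the in_addr as stored on an x86 host (an assumption,
    since the post does not say which order the controller expects).
    """
    packed = ipaddress.IPv4Address(ip).packed  # four bytes, first octet first
    fmt = "<i" if little_endian else "!i"
    return struct.unpack(fmt, packed)[0]


def signed_int_to_ip(value: int, little_endian: bool = False) -> str:
    """Decode a 32-bit integer id back to dotted quad.

    Accepts the signed range the post describes, and also the unsigned
    range in case a sample encodes the address without sign wrap.
    """
    fmt = "<" if little_endian else "!"
    if -(2 ** 31) <= value < 2 ** 31:
        raw = struct.pack(fmt + "i", value)
    elif 2 ** 31 <= value < 2 ** 32:
        raw = struct.pack(fmt + "I", value)  # unsigned encoding tolerated
    else:
        raise ValueError(f"{value} does not fit in 32 bits")
    return str(ipaddress.IPv4Address(raw))


def decode_registration_url(url: str, little_endian: bool = False) -> str:
    """Pull the id parameter out of a registration URL and decode it."""
    query = parse_qs(urlparse(url).query)
    if "id" not in query:
        raise ValueError("no id parameter in registration URL")
    return signed_int_to_ip(int(query["id"][0]), little_endian)


if __name__ == "__main__":
    # Constructed sample: the controller host's own address, as the post lists it.
    print(ip_to_signed_int("91.203.92.17"))        # 1540054033
    # An address with the high bit set wraps negative in signed form.
    print(ip_to_signed_int("192.0.2.1"))           # -1073741311
    print(signed_int_to_ip(-1073741311))           # 192.0.2.1
    # Constructed registration URL using the domain from the post.
    print(decode_registration_url("http://ceqypawkht.com/uniq.php?id=1540054033"))
```

When triaging a captured request, try both byte orders: the order that yields an address inside the infected host's network is almost certainly the one the bot uses.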