[nsp-sec] Ddos controller - caatadgouk.com
Rob Thomas
robt at cymru.com
Fri Jun 27 12:26:02 EDT 2008
Hey, Jose.
Nice spot, thanks for sharing!
> http://caatadgouk.com/ddos1.php
This is a real nasty one. It appears to be a Linux box (Fedora, I'd
wager), running Apache 2.28 with PHP 5.2.4.
Other malevolent URLs include:
timestamp           | ip           | asn   | category   | comment
--------------------+--------------+-------+------------+----------------------------------------------------
2008-05-29 22:21:01 | 91.203.92.17 | 44997 | malwareurl | http://dbkcozrqme.net/progs/blymdeivw/tuhvzqdrv.php
It has several interesting DNS RRs pointed to it.
It's running BIND and is open to recursion.
We have 606 samples in our malware menagerie that point to this IP.
Impressive! Let me know if anyone would like the MD5/SHA1 list.
> AS | IP | AS Name
> 27595 | 85.255.121.195 | INTERCAGE - InterCage, Inc.
When you find a winner, Jose, you find a WINNER. :) The malware URL
comes as no surprise.
timestamp           | ip             | asn   | category   | comment
--------------------+----------------+-------+------------+------------------------------------------------
2008-01-21 21:45:13 | 85.255.121.195 | 27595 | malwareurl | http://xdrkzahpvq.cn/progs/arzoegr/sjujmaik.php
This one appears to be Debian Linux with Apache 2.2.6 and PHP 5.2.4-2
with "Suhosin-Patch." I'm too lazy to Google that patch, so I've no
clue what that is.
We see 12 fun DNS RRs pointed to this one.
Again, BIND with recursion enabled.
This one wins the malware prize. We see 1634 samples in our malware
menagerie that point to this IP.
Other potential C&C URLs include:
http://abmmrvthjr.com/dl/adv450.php
http://caatadgouk.com/dl/adv434.php
http://ccfelomvhk.com/dl/adv542.php
Thanks,
Rob.
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/