[nsp-sec] Kiwibank phishing - dyndns?
Rob Thomas
robt at cymru.com
Tue Mar 11 10:51:42 EDT 2008
Hi, David.
> - -> 64.185.237.101 (Content Broadcast)
This IP appears to be connected to the botnet on billing.p3n0r.com (207.189.104.86).
It has hosted other phishing sites and malware URLs.
timestamp           | ip             | asn   | category   | comment
--------------------+----------------+-------+------------+------------------------------------------
2008-02-07 13:54:54 | 64.185.237.101 | 17081 | malwareurl | http://dotready.net/contacts.html
2008-01-14 19:13:25 | 64.185.237.101 | 17081 | phishing   | http://sohailhameed.com/bhailog/chaseonline.chase/chaseonline.chase/chaseonline.chase/chaseonline.chase.com/accountupdate/cqr_7657tyrtyXzzzfxcvxzvds/formslogin.asp_login_users/Machine-identification/chase/
It appears to be Apache with lots of bells and whistles running on a
Linux box. Perhaps that is how it might have been 0wned?
We see a few DNS RRs pointed to it:
timestamp           | dns_name          | ip
--------------------+-------------------+----------------
2008-01-26 19:07:13 | 4greatest.com | 64.185.237.101
2008-01-15 02:50:47 | bryanhenry.com | 64.185.237.101
2008-01-19 18:20:18 | crush4sale.be | 64.185.237.101
2008-02-07 13:54:55 | dotready.net | 64.185.237.101
2008-03-10 20:50:19 | findinglogo.com | 64.185.237.101
2008-01-21 12:50:11 | slowplay.com | 64.185.237.101
2008-01-15 01:51:08 | sohailhameed.com | 64.185.237.101
2008-03-10 07:35:59 | submitfirm.com | 64.185.237.101
2008-03-11 00:31:21 | www.autoflock.com | 64.185.237.101
2008-02-26 14:16:21 | www.dotready.net | 64.185.237.101
2008-01-12 19:09:12 | www.slowplay.com | 64.185.237.101
It's running BIND and has recursion disabled.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, "Out of coffee!");
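The message above does an IP pivot by hand: take a host-server IP, pull every URL-feed and passive-DNS record pointing at it, and look for corroboration between the two. The script below is an added example (not Team Cymru's tooling or anything from the thread) that automates that pivot over the pipe-separated tables in the message. The feed text is copied from those tables (the wrapped phishing URL rejoined onto one line); the parser, the field names, the `apex()` helper and the `pivot_ip()` function are my assumptions about how such a feed is laid out, not a documented format.

```python
from collections import Counter
from urllib.parse import urlsplit

# Feed text copied from the two tables in the message above; the parser and
# column names below are an assumption about the feed layout.
URL_FEED = """\
2008-02-07 13:54:54 | 64.185.237.101 | 17081 | malwareurl | http://dotready.net/contacts.html
2008-01-14 19:13:25 | 64.185.237.101 | 17081 | phishing | http://sohailhameed.com/bhailog/chaseonline.chase/chaseonline.chase/chaseonline.chase/chaseonline.chase.com/accountupdate/cqr_7657tyrtyXzzzfxcvxzvds/formslogin.asp_login_users/Machine-identification/chase/
"""

DNS_FEED = """\
2008-01-26 19:07:13 | 4greatest.com | 64.185.237.101
2008-01-15 02:50:47 | bryanhenry.com | 64.185.237.101
2008-01-19 18:20:18 | crush4sale.be | 64.185.237.101
2008-02-07 13:54:55 | dotready.net | 64.185.237.101
2008-03-10 20:50:19 | findinglogo.com | 64.185.237.101
2008-01-21 12:50:11 | slowplay.com | 64.185.237.101
2008-01-15 01:51:08 | sohailhameed.com | 64.185.237.101
2008-03-10 07:35:59 | submitfirm.com | 64.185.237.101
2008-03-11 00:31:21 | www.autoflock.com | 64.185.237.101
2008-02-26 14:16:21 | www.dotready.net | 64.185.237.101
2008-01-12 19:09:12 | www.slowplay.com | 64.185.237.101
"""

URL_FIELDS = ("timestamp", "ip", "asn", "category", "comment")
DNS_FIELDS = ("timestamp", "dns_name", "ip")


def parse_feed(text, fields):
    """Parse pipe-separated rows into dicts.

    Only len(fields)-1 splits are made, so the last column (the URL) keeps
    any '|' it happens to contain instead of shifting the columns.
    """
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|", len(fields) - 1)]
        if len(parts) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(parts)}")
        rows.append(dict(zip(fields, parts)))
    return rows


def apex(name):
    """Crude registrable-domain guess: the last two labels.

    Assumption for the example only; a real pivot should consult the
    Public Suffix List so names like example.co.uk are handled.
    """
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def pivot_ip(ip, url_feed=URL_FEED, dns_feed=DNS_FEED):
    """Summarise everything both feeds know about one IP.

    'corroborated_hosts' are hostnames taken from malicious URLs that the
    passive-DNS feed also saw resolving to the same IP, i.e. the two
    sources agree the content was served from this box.
    """
    url_rows = [r for r in parse_feed(url_feed, URL_FIELDS) if r["ip"] == ip]
    dns_rows = [r for r in parse_feed(dns_feed, DNS_FIELDS) if r["ip"] == ip]

    # Timestamps are 'YYYY-MM-DD HH:MM:SS', so lexical order is chronological.
    stamps = sorted(r["timestamp"] for r in url_rows + dns_rows)
    dns_names = {r["dns_name"].lower() for r in dns_rows}
    url_hosts = {urlsplit(r["comment"]).hostname for r in url_rows}

    return {
        "ip": ip,
        "asn": sorted({r["asn"] for r in url_rows}),
        "categories": Counter(r["category"] for r in url_rows),
        "url_hosts": url_hosts,
        "corroborated_hosts": url_hosts & dns_names,
        "dns_names": sorted(dns_names),
        "apex_domains": sorted({apex(n) for n in dns_names}),
        "first_seen": stamps[0] if stamps else None,
        "last_seen": stamps[-1] if stamps else None,
    }


if __name__ == "__main__":
    summary = pivot_ip("64.185.237.101")
    for key, value in summary.items():
        print(f"{key:>18}: {value}")
```

The `apex_domains` list is what you would hand to a registrar or hosting abuse desk, while `dns_names` is the blocklist material; the two are kept separate because a shared-hosting box like this one also carries innocent customers, and a single corroborated phishing host is not grounds for blocking every name that resolves there.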