[nsp-sec] Ping AS8001/AS36351 - possible botnet C&C
Zoe O'Connell
zoe at hotchilli.com
Wed Mar 12 11:32:53 EDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Just caught a spamming host - 87.243.198.129 - talking to the following
IPs in the last couple of hours, on ports 447-450, UDP and TCP.
Bulk mode; whois.cymru.com [2008-03-12 15:22:21 +0000]
8001 | 64.21.149.167 | NET-ACCESS-CORP - Net Access Corporation
36351 | 208.101.42.28 | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 208.101.42.29 | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 208.101.52.83 | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 208.101.52.85 | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 208.101.52.86 | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 208.101.54.242 | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 208.101.54.246 | SOFTLAYER - SoftLayer Technologies Inc.
Blackholing these IPs caused the host to stop doing Bad Things with
spam, and I don't see any other hosts in our network talking to these
IPs, so it seemed fairly safe to blackhole them internally. 64.21.149.167
looks like some kind of master controller: if an IP from AS36351 is
blocked, it talks to 64.21.149.167 on udp/447, then starts talking to
another AS36351 IP.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkfX96UACgkQtw2uAlfTWPmvSgCglNjIafIodTl1mhKbBVxOrxBB
qQoAn3ixV0u2pCoV7CvNdlyxHwqnLV9Z
=NkH0
-----END PGP SIGNATURE-----
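The check described in the post, as an added example that is not part of the original message: parse the Team Cymru bulk-whois listing quoted above into an IP-to-ASN map, run it over flow records to find internal hosts contacting any listed IP on ports 447-450 (TCP or UDP), single out hosts that checked in with the suspected controller on udp/447, and emit Linux null routes for the listed IPs. The flow record format ("src dst proto dst_port") and the sample flows are constructed for the example; only the Cymru table lines come from the post.

```python
"""Flag hosts talking to suspected C&C IPs on ports 447-450 and emit
blackhole routes. Added example; not code from the nsp-sec post."""
from collections import defaultdict

# Team Cymru bulk-mode whois output, copied from the post (ASN | IP | AS name).
CYMRU_BULK = """\
Bulk mode; whois.cymru.com [2008-03-12 15:22:21 +0000]
8001 | 64.21.149.167 | NET-ACCESS-CORP - Net Access Corporation
36351 | 208.101.42.28 | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 208.101.42.29 | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 208.101.52.83 | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 208.101.52.85 | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 208.101.52.86 | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 208.101.54.242 | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 208.101.54.246 | SOFTLAYER - SoftLayer Technologies Inc.
"""

# Constructed sample flow records in a hypothetical "src dst proto dst_port" format.
SAMPLE_FLOWS = [
    "87.243.198.129 208.101.42.28 tcp 448",
    "87.243.198.129 64.21.149.167 udp 447",
    "87.243.198.129 208.101.52.83 tcp 450",
    "87.243.198.129 198.51.100.10 udp 53",    # ordinary DNS, not flagged
    "10.0.0.5 208.101.42.28 tcp 80",          # listed IP but not a suspect port
    "10.0.0.7 208.101.54.242 udp 447",
]

SUSPECT_PORTS = range(447, 451)  # 447-450 inclusive, as observed in the post


def parse_cymru(text):
    """Map IP -> (ASN, AS name) from Cymru bulk output, skipping the header line."""
    mapping = {}
    for line in text.splitlines():
        if "|" not in line:
            continue
        asn, ip, name = (field.strip() for field in line.split("|", 2))
        mapping[ip] = (int(asn), name)
    return mapping


def find_cnc_talkers(flows, cnc_map, ports=SUSPECT_PORTS):
    """Return {src: {dst: {(proto, port), ...}}} for flows that reach a
    listed C&C IP on one of the suspect ports."""
    hits = defaultdict(lambda: defaultdict(set))
    for rec in flows:
        src, dst, proto, port = rec.split()
        port = int(port)
        if dst in cnc_map and port in ports:
            hits[src][dst].add((proto.lower(), port))
    return {src: dict(dsts) for src, dsts in hits.items()}


def asns_contacted(hits, cnc_map):
    """Per flagged host, the sorted list of ASNs it reached."""
    return {src: sorted({cnc_map[d][0] for d in dsts}) for src, dsts in hits.items()}


def controller_checkins(hits, controller="64.21.149.167", port=447):
    """Hosts that contacted the suspected master controller on udp/447,
    the failover behaviour the post describes."""
    return sorted(src for src, dsts in hits.items()
                  if ("udp", port) in dsts.get(controller, set()))


def blackhole_commands(cnc_map):
    """Linux null routes, one /32 per listed IP, in numeric IP order."""
    ordered = sorted(cnc_map, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return [f"ip route add blackhole {ip}/32" for ip in ordered]


if __name__ == "__main__":
    cnc = parse_cymru(CYMRU_BULK)
    hits = find_cnc_talkers(SAMPLE_FLOWS, cnc)
    for src, asns in asns_contacted(hits, cnc).items():
        print(f"{src} -> listed IPs in AS {asns}: {sorted(hits[src])}")
    print("controller check-ins on udp/447:", controller_checkins(hits))
    print("\n".join(blackhole_commands(cnc)))
```

Port-only matching is kept deliberately narrow: a host reaching a listed IP on a port outside 447-450 (the port-80 flow in the sample) is not flagged, which keeps the report focused on the traffic pattern the post actually saw rather than on every contact with the provider's address space.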