[nsp-sec] Ping AS8001/AS36351 - possible botnet C&C

Ryan Pavely paradox at nac.net
Wed Mar 12 11:54:47 EDT 2008


ACK 8001.

64.21.149.167 is a loopback IP for a dedicated server leased by Russians.  I locked out the server and fwd'd a message off to our network/abuse staff.

In case you wanted to see some of the traffic here it is.
> 11:52:36.439268 64.21.149.167.ddm-dfm > adsl-pool2-220.metrotel.net.co.3289: udp 124 (DF)
> 11:52:36.440326 198.Red-83-35-54.dynamicIP.rima-tde.net.3167 > 64.21.149.167.ddm-dfm: udp 74
> 11:52:36.441150 dslb-084-062-170-149.pools.arcor-ip.net.4252 > 64.21.149.167.ddm-dfm: udp 74
> 11:52:36.441766 64.21.149.167.ddm-dfm > 198.Red-83-35-54.dynamicIP.rima-tde.net.3167: udp 124 (DF)
> 11:52:36.441842 64.21.149.167.ddm-dfm > dslb-084-062-170-149.pools.arcor-ip.net.4252: udp 124 (DF)
> 11:52:36.448839 corporat190-025236155.sta.etb.net.co.59986 > 64.21.149.167.ddm-dfm: udp 74
> 11:52:36.450775 64.21.149.167.ddm-dfm > corporat190-025236155.sta.etb.net.co.59986: udp 211 (DF)
> 11:52:36.451323 corporat190-025205142.sta.etb.net.co.54540 > 64.21.149.167.ddm-dfm: udp 74
> 11:52:36.453774 64.21.149.167.ddm-dfm > corporat190-025205142.sta.etb.net.co.54540: udp 211 (DF)
> 11:52:36.455066 catv3EC95C19.pool.t-online.hu.1090 > 64.21.149.167.ddm-dfm: udp 75
> 11:52:36.456701 230.pool85-58-15.dynamic.orange.es.3959 > 64.21.149.167.ddm-dfm: udp 74
> 11:52:36.456759 64.21.149.167.ddm-dfm > catv3EC95C19.pool.t-online.hu.1090: udp 124 (DF)
> 11:52:36.459772 64.21.149.167.ddm-dfm > 230.pool85-58-15.dynamic.orange.es.3959: udp 211 (DF)
> 11:52:36.466096 bzq-79-179-163-208.red.bezeqint.net.1050 > 64.21.149.167.ddm-dfm: udp 74
> 11:52:36.467191 pool-71-173-0-3.sctnpa.east.verizon.net.50892 > 64.21.149.167.ddm-dfm: udp 73
> 11:52:36.468755 64.21.149.167.ddm-dfm > bzq-79-179-163-208.red.bezeqint.net.1050: udp 124 (DF)
> 11:52:36.468820 64.21.149.167.ddm-dfm > pool-71-173-0-3.sctnpa.east.verizon.net.50892: udp 102 (DF)


Zoe O'Connell wrote:
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>  
> Just caught a spamming host - 87.243.198.129 - talking to the following 
> IPs in the last couple of hours, on ports 447-450, UDP and TCP.
>
> Bulk mode; whois.cymru.com [2008-03-12 15:22:21 +0000]
> 8001    | 64.21.149.167    | NET-ACCESS-CORP - Net Access Corporation
> 36351   | 208.101.42.28    | SOFTLAYER - SoftLayer Technologies Inc.
> 36351   | 208.101.42.29    | SOFTLAYER - SoftLayer Technologies Inc.
> 36351   | 208.101.52.83    | SOFTLAYER - SoftLayer Technologies Inc.
> 36351   | 208.101.52.85    | SOFTLAYER - SoftLayer Technologies Inc.
> 36351   | 208.101.52.86    | SOFTLAYER - SoftLayer Technologies Inc.
> 36351   | 208.101.54.242   | SOFTLAYER - SoftLayer Technologies Inc.
> 36351   | 208.101.54.246   | SOFTLAYER - SoftLayer Technologies Inc.
>
> Blackholing these IPs caused the host to stop doing Bad Things with 
> spam, and I don't see any other hosts in our network talking to these 
> IPs so it seemed fairly safe to blackhole them internally. 64.21.149.167 
> looks like some kind of master controller, if an IP from AS36351 is 
> blocked, it talks to 64.21.149.167 on udp/447 then starts talking to 
> another AS36351 IP.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>  
> iEYEARECAAYFAkfX96UACgkQtw2uAlfTWPmvSgCglNjIafIodTl1mhKbBVxOrxBB
> qQoAn3ixV0u2pCoV7CvNdlyxHwqnLV9Z
> =NkH0
> -----END PGP SIGNATURE-----
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>   

-- 
  Ryan Pavely
   Director Research And Development
   Net Access Corporation
   http://www.nac.net/ http://www.15minuteservers.com/
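
The pattern both posts describe is the same one: one server, a fixed small port range (447-450, which tcpdump prints by /etc/services name, so udp/447 shows up as "ddm-dfm"), and many unrelated dynamic-pool hosts sending small fixed-size datagrams and getting larger replies back within milliseconds. The script below is an added example, not part of either message, that parses tcpdump text in the shape of the capture above and flags any (host, port) on the watched range that receives traffic from at least `min_peers` distinct sources. The sample input reuses capture lines from this thread, joined back onto single lines, plus two constructed lines (a DNS query and a numeric-port hit on a made-up 10.0.0.1) as noise; the peer threshold of 5 is an arbitrary assumption, not a value from the posts.

```python
"""Flag UDP rendezvous points (botnet C&C candidates) in tcpdump text output.

Added example for the nsp-security thread above; not code from either poster.
"""
import re
from collections import defaultdict

# One tcpdump line: "HH:MM:SS.usec src.sport > dst.dport: udp LEN [(DF)]".
# Hosts may be names or dotted IPs, and ports may be service names, so the
# host group is greedy and backtracks to the last dot before the port token.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+):\s+udp\s+(?P<len>\d+)"
)

# /etc/services names tcpdump uses for the 447-450 range named in the report.
SERVICE_PORTS = {"ddm-dfm": 447, "ddm-ssl": 448, "as-servermap": 449, "tserver": 450}


def port_number(token):
    """Map a tcpdump port token (number or service name) to an int, else None."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token)


def parse_line(line):
    """Parse one tcpdump UDP line into a dict; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"], "sport": port_number(m["sport"]),
        "dst": m["dst"], "dport": port_number(m["dport"]),
        "len": int(m["len"]),
    }


def find_rendezvous(lines, watch_ports=range(447, 451), min_peers=5):
    """Return {(server, port): stats} for servers that many distinct peers
    contact on a watched port. Request sizes come from inbound datagrams,
    response sizes from what the server sends back on the same port."""
    peers = defaultdict(set)       # (server, port) -> set of client hosts
    req_sizes = defaultdict(set)   # (server, port) -> inbound datagram lengths
    resp_sizes = defaultdict(set)  # (server, port) -> outbound datagram lengths
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dport"] in watch_ports:          # client -> server
            key = (p["dst"], p["dport"])
            peers[key].add(p["src"])
            req_sizes[key].add(p["len"])
        elif p["sport"] in watch_ports:        # server -> client
            key = (p["src"], p["sport"])
            resp_sizes[key].add(p["len"])
    flagged = {}
    for key, clients in peers.items():
        if len(clients) >= min_peers:
            flagged[key] = {
                "peers": len(clients),
                "request_sizes": sorted(req_sizes[key]),
                "response_sizes": sorted(resp_sizes[key]),
            }
    return flagged


# Lines 1-9 are from the capture in the thread; lines 10-11 are constructed noise.
SAMPLE = [
    "11:52:36.439268 64.21.149.167.ddm-dfm > adsl-pool2-220.metrotel.net.co.3289: udp 124 (DF)",
    "11:52:36.440326 198.Red-83-35-54.dynamicIP.rima-tde.net.3167 > 64.21.149.167.ddm-dfm: udp 74",
    "11:52:36.441150 dslb-084-062-170-149.pools.arcor-ip.net.4252 > 64.21.149.167.ddm-dfm: udp 74",
    "11:52:36.448839 corporat190-025236155.sta.etb.net.co.59986 > 64.21.149.167.ddm-dfm: udp 74",
    "11:52:36.450775 64.21.149.167.ddm-dfm > corporat190-025236155.sta.etb.net.co.59986: udp 211 (DF)",
    "11:52:36.455066 catv3EC95C19.pool.t-online.hu.1090 > 64.21.149.167.ddm-dfm: udp 75",
    "11:52:36.466096 bzq-79-179-163-208.red.bezeqint.net.1050 > 64.21.149.167.ddm-dfm: udp 74",
    "11:52:36.467191 pool-71-173-0-3.sctnpa.east.verizon.net.50892 > 64.21.149.167.ddm-dfm: udp 73",
    "11:52:36.468820 64.21.149.167.ddm-dfm > pool-71-173-0-3.sctnpa.east.verizon.net.50892: udp 102 (DF)",
    "11:52:36.470000 10.0.0.5.41234 > 10.0.0.1.domain: udp 40",   # constructed: DNS, ignored
    "11:52:36.471000 10.0.0.9.3000 > 10.0.0.1.447: udp 74",       # constructed: one peer only
]

if __name__ == "__main__":
    for (host, port), stats in find_rendezvous(SAMPLE).items():
        print(f"{host} udp/{port}: {stats}")
```

Run it against `tcpdump -l udp portrange 447-450` output piped through `parse_line`, or with `-n` so the host fields are bare addresses. A fan-in hit alone is not proof of a controller; what made Zoe's call solid was the second observation, that blocking one AS36351 peer sent the bot back to 64.21.149.167 on udp/447 before it picked a new peer, and that behaviour is worth confirming in your own flows before blackholing anything.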
