[nsp-sec] dlink router worm or dlink compromise leads to infected PCs?
Smith, Donald
Donald.Smith at qwest.com
Fri Mar 21 13:09:41 EDT 2008
Yesterday I received information about a possible Dlink-based router worm.
I suspect this is NOT a router worm but rather a router compromise followed by consumer PC compromise.
So I think the consumer's system is responsible for the actual propagation; however, that is yet to be determined.
What details I have are available here, plus I have a set of attacking IP addresses.
I am running another netflow report based on these source IP addresses.
http://isc2.sans.org/diary.html?storyid=4175
I don't have time stamps but this was from the last 24 hours or so.
donald.smith at qwest.com giac