[nsp-sec] AS 4134 injection site hosted on 60.191.239.219

Gong, Yiming yiming.gong at xo.com
Thu May 8 18:28:08 EDT 2008


Now this IP is getting blackhole treatment on the Chinatelecom backbone.

Next step will be trying to work with CT and see if they can clean this
box in the next few days.

Cheers,
 
Yiming
 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Smith, Donald
> Sent: Thursday, May 08, 2008 5:09 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] AS 4134 injection site hosted on 60.191.239.219
> 
> ----------- nsp-security Confidential --------
> 
> The handlers have been covering a set of host names that all lead to
> 60.191.239.219.
> The FQDNs being injected are 
> wwwDOTririwow.cn, wwwDOTbluellDOTcn, bbsDOTjueduizuanDOTcom, and
> wwwDOTfiexin.org
> 
> Details about those sites and how it is being used as the malware
> delivery target in a MASSIVE SQL injection attack are 
> available here in
> this diary.  
> 
> http://isc.sans.org/diary.html?storyid=4393
> 
> $ whois -h whois.cymru.com 60.191.239.219
> AS      | IP               | AS Name
> 4134    | 60.191.239.219   | CHINANET-BACKBONE No.31,Jin-rong Street
> 
> $ whois -h upstream-whois.cymru.com 60.191.239.219
> PEER_AS | IP               | AS Name
> 174     | 60.191.239.219   | COGENT Cogent/PSI
> 703     | 60.191.239.219   | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> 1239    | 60.191.239.219   | SPRINTLINK - Sprint
> 2828    | 60.191.239.219   | XO-AS15 - XO Communications
> 2914    | 60.191.239.219   | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> 3257    | 60.191.239.219   | TISCALI-BACKBONE Tiscali Intl Network BV
> 3320    | 60.191.239.219   | DTAG Deutsche Telekom AG
> 3549    | 60.191.239.219   | GBLX Global Crossing Ltd.
> 3561    | 60.191.239.219   | SAVVIS - Savvis
> 11164   | 60.191.239.219   | TRANSITRAIL - National LambdaRail, LLC
> 17888   | 60.191.239.219   | SINGTEL-HK SingTel Hong Kong Limited
> 
> Any help getting this taken down would be appreciated by all:)
> 
> 
> H8Hz
> Donald.Smith at qwest.com giac
> 
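The takedown workflow in the thread has two mechanical parts: resolving the injection host to its origin AS and to the transit ASes that carry it (the two Team Cymru queries above), and turning the "DOT"-defanged hostnames back into real names for blocklists and DNS-log searches. The following is an added example, not code from the original post or from any list member; it embeds the whois output and hostnames from the post as constructed offline input (no live query is made) and parses them into one structured takedown record. The function names, the `AsnRecord` type and the `/32` blackhole-prefix convention are the example's own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the two Team Cymru whois responses from the post,
# embedded verbatim so the block runs offline (no live query is made here).
ORIGIN_WHOIS = """\
AS      | IP               | AS Name
4134    | 60.191.239.219   | CHINANET-BACKBONE No.31,Jin-rong Street
"""

UPSTREAM_WHOIS = """\
PEER_AS | IP               | AS Name
174     | 60.191.239.219   | COGENT Cogent/PSI
703     | 60.191.239.219   | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
1239    | 60.191.239.219   | SPRINTLINK - Sprint
2828    | 60.191.239.219   | XO-AS15 - XO Communications
2914    | 60.191.239.219   | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3257    | 60.191.239.219   | TISCALI-BACKBONE Tiscali Intl Network BV
3320    | 60.191.239.219   | DTAG Deutsche Telekom AG
3549    | 60.191.239.219   | GBLX Global Crossing Ltd.
3561    | 60.191.239.219   | SAVVIS - Savvis
11164   | 60.191.239.219   | TRANSITRAIL - National LambdaRail, LLC
17888   | 60.191.239.219   | SINGTEL-HK SingTel Hong Kong Limited
"""

# The hostnames exactly as defanged in the post ("DOT" standing in for ".").
DEFANGED_HOSTS = ["wwwDOTririwow.cn", "wwwDOTbluellDOTcn",
                  "bbsDOTjueduizuanDOTcom", "wwwDOTfiexin.org"]


@dataclass(frozen=True)
class AsnRecord:          # hypothetical type, assumed for this example
    asn: int
    ip: str
    name: str


def parse_cymru(text: str) -> list[AsnRecord]:
    """Parse pipe-delimited Team Cymru whois output (the AS or PEER_AS form).

    The header row only fixes the expected column count; column 1 is the ASN,
    column 2 the queried IP, column 3 the AS name. Anything that does not
    parse as an integer ASN or a valid IP raises rather than being silently
    accepted, since this output feeds a blackhole decision.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty whois output")
    ncols = len(lines[0].split("|"))
    records = []
    for ln in lines[1:]:
        fields = [f.strip() for f in ln.split("|")]
        if len(fields) != ncols:
            raise ValueError(f"malformed row: {ln!r}")
        asn = int(fields[0])                        # non-numeric ASN -> ValueError
        ip = str(ipaddress.ip_address(fields[1]))   # garbage in the IP column -> ValueError
        records.append(AsnRecord(asn, ip, fields[2]))
    return records


# One hostname: labels of 1..63 chars, no leading/trailing hyphen, 253 total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$",
    re.IGNORECASE)


def refang(defanged: str) -> str:
    """Turn a 'DOT'-defanged hostname back into a real one and validate it.

    Only the upper-case token DOT is treated as the defang marker; lower-case
    'dot' can legitimately occur inside a label and is left untouched.
    """
    host = defanged.replace("DOT", ".").lower()
    if not _HOSTNAME_RE.match(host):
        raise ValueError(f"not a valid hostname after refanging: {defanged!r}")
    return host


def takedown_summary(origin_text: str, upstream_text: str,
                     defanged_hosts: list[str]) -> dict:
    """Combine origin AS, upstream ASes and refanged hostnames into one record."""
    origin = parse_cymru(origin_text)
    if len(origin) != 1:
        raise ValueError("expected exactly one origin AS for a single IP")
    upstreams = parse_cymru(upstream_text)
    if any(u.ip != origin[0].ip for u in upstreams):
        raise ValueError("upstream rows do not match the origin IP")
    addr = ipaddress.ip_address(origin[0].ip)
    return {
        "ip": origin[0].ip,
        # Blackhole the single host only (/32 for IPv4, /128 for IPv6), never a
        # wider prefix that would take the provider's other customers down too.
        "blackhole_prefix": f"{addr}/{addr.max_prefixlen}",
        "origin_asn": origin[0].asn,
        "upstream_asns": sorted(u.asn for u in upstreams),
        "hosts": [refang(h) for h in defanged_hosts],
    }


if __name__ == "__main__":
    for key, value in takedown_summary(ORIGIN_WHOIS, UPSTREAM_WHOIS,
                                       DEFANGED_HOSTS).items():
        print(f"{key}: {value}")
```

In practice the two text blobs come straight from `whois -h whois.cymru.com` and `whois -h upstream-whois.cymru.com` as run in the post; the parser is deliberately strict because a mis-parsed ASN or IP here means asking the wrong network to null-route the wrong address. The `upstream_asns` list is the set of transit providers an operator can ask to drop traffic to the host while the origin network (here AS 4134) works on cleaning the box.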


