[nsp-sec] (AS33626 - upstreams AS701, AS2914, AS3356, AS27524) ns1.dsredirection.com and ns2.dsredirection.com - Might be 0wned?!??!?
Rob Thomas
robt at cymru.com
Thu May 8 19:24:17 EDT 2008
Hi, Brian.
> Address: 208.73.212.12
Yeah, looks like trouble to us:
timestamp           | ip            | asn   | category   | comment
--------------------+---------------+-------+------------+------------------------------------------------------------------------------------
2008-01-07 07:15:15 | 208.73.212.12 | 33626 | badurls    | WebEmail http://webmail.mai.com/ virtual
2008-01-09 01:29:56 | 208.73.212.12 | 33626 | botnetcc   | category: botweb url: http://jdEydcuYwwzstPu.com/login.php
2008-04-01 07:53:40 | 208.73.212.12 | 33626 | malwareurl | http://searchportal.information.com/?o_id=65014&domainname=zenotecnico.com
2007-05-16 08:30:07 | 208.73.212.12 | 33626 | phishing   | http://signin.ebay.com.632764.32ewds1jkwhqa.com/sc/saw-cgi/eBayISAPI.dll/index.php
We see 22898 DNS RRs pointed to this IP, and many of them date back to
2008-01. They have interesting strings close to real sites such as
"www.wachovia-new-alert.com" etc.
We have 912 samples in our malware menagerie that point to this IP;
again, many of them date back to 2008-01.
It appears to be running "Oversee Webserver v1.3.18" - whatever that is.
There are a fair number of rogue HTML start pages that exist on this box.
Yep, this one is bad news.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
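The message above reports feed rows in a "timestamp | ip | asn | category | comment" layout and points out hostnames built around real brand names ("www.wachovia-new-alert.com", "signin.ebay.com.632764...."). The following is an added example, not Team Cymru's tooling or anything from the thread: it parses rows in that layout, pulls the URL out of the comment field, and flags hosts where a watched brand string appears but the registrable domain is not the brand's own. The feed rows, the brand list, and the two-label "registrable domain" shortcut (no Public Suffix List) are all assumptions made for the example.

```python
"""Added example: parse reputation-feed rows in the layout quoted in the
message and flag brand-lookalike hostnames. Constructed data; not the
tooling of Team Cymru or the original poster."""
import re
from urllib.parse import urlparse

# Constructed rows modelled on the table in the message (not a real feed dump).
SAMPLE_FEED = """\
2008-01-07 07:15:15 | 208.73.212.12 | 33626 | badurls | WebEmail http://webmail.mai.com/ virtual
2008-01-09 01:29:56 | 208.73.212.12 | 33626 | botnetcc | category: botweb url: http://jdEydcuYwwzstPu.com/login.php
2007-05-16 08:30:07 | 208.73.212.12 | 33626 | phishing | http://signin.ebay.com.632764.32ewds1jkwhqa.com/sc/saw-cgi/eBayISAPI.dll/index.php
"""

# Brand strings to watch and the domain each one legitimately lives on.
# Assumption for the example; a real deployment would load its own list.
WATCHED_BRANDS = {
    "ebay": "ebay.com",
    "wachovia": "wachovia.com",
    "paypal": "paypal.com",
}

URL_RE = re.compile(r"https?://\S+")


def parse_feed(text):
    """Split pipe-delimited rows into dicts; the comment keeps its own pipes."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|", 4)]
        if len(parts) != 5:
            continue  # malformed row: skip rather than guess
        ts, ip, asn, category, comment = parts
        m = URL_RE.search(comment)
        rows.append({
            "timestamp": ts,
            "ip": ip,
            "asn": int(asn),
            "category": category,
            "url": m.group(0) if m else None,
        })
    return rows


def registrable_domain(host):
    """Last two labels of the host.
    Simplification assumed here: a proper check uses the Public Suffix List,
    otherwise hosts under e.g. co.uk are mis-split."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host):
    """Return the watched brand a host imitates, or None.

    A host is a lookalike when a brand string occurs anywhere in it (as a
    subdomain label, or inside a hyphenated registered name) but the
    registrable domain is not the brand's own domain."""
    host = host.lower()
    reg = registrable_domain(host)
    for brand, legit in WATCHED_BRANDS.items():
        if brand in host and reg != legit:
            return brand
    return None


def flag_lookalikes(rows):
    """(category, host, brand) for every feed row whose URL host is a lookalike."""
    hits = []
    for r in rows:
        if not r["url"]:
            continue
        host = urlparse(r["url"]).hostname
        if host is None:
            continue
        brand = lookalike_brand(host)
        if brand:
            hits.append((r["category"], host, brand))
    return hits


if __name__ == "__main__":
    for category, host, brand in flag_lookalikes(parse_feed(SAMPLE_FEED)):
        print(f"{category:10s} {host} imitates {brand}")
    # Bare DNS RR names from passive DNS can be checked the same way:
    print(lookalike_brand("www.wachovia-new-alert.com"))
```

The substring test is deliberately loose: it catches "signin.ebay.com." stacked as subdomains under an unrelated registered domain and "wachovia-new-alert.com" alike, and "www.ebay.com" itself is not flagged because its registrable domain matches the brand's. Expect false positives on legitimate names that happen to contain a brand string; treat a hit as a lead to check against the RR and sample counts the message describes, not as a verdict.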