[nsp-sec] AS 4134 injection site hosted on 60.191.239.219
Smith, Donald
Donald.Smith at qwest.com
Fri May 9 10:14:29 EDT 2008
Thanks!! The bad guys will have to reinject those systems to get them to point to their next malware site. That takes some time and maybe we can catch some of the sql injectors this time:)
donald.smith at qwest.com giac
________________________________
From: Gong, Yiming [mailto:yiming.gong at xo.com]
Sent: Thu 5/8/2008 4:28 PM
To: Smith, Donald; nsp-security at puck.nether.net
Subject: RE: [nsp-sec] AS 4134 injection site hosted on 60.191.239.219
Now this IP is getting the blackhole treatment on the Chinatelecom backbone.
The next step will be to work with CT and see if they can clean this box in the next few days.
Cheers,
Yiming
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Smith, Donald
> Sent: Thursday, May 08, 2008 5:09 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] AS 4134 injection site hosted on 60.191.239.219
>
> ----------- nsp-security Confidential --------
>
> The handlers have been covering a set of host names that all lead to 60.191.239.219.
> The FQDNs being injected are wwwDOTririwow.cn, wwwDOTbluellDOTcn, bbsDOTjueduizuanDOTcom, and wwwDOTfiexin.org
>
> Details about those sites and how it is being used as the malware delivery target in a MASSIVE SQL injection attack are available here in this diary.
>
> http://isc.sans.org/diary.html?storyid=4393
>
> $ whois -h whois.cymru.com 60.191.239.219
> AS | IP | AS Name
> 4134 | 60.191.239.219 | CHINANET-BACKBONE No.31,Jin-rong Street
>
> $ whois -h upstream-whois.cymru.com 60.191.239.219
> PEER_AS | IP | AS Name
> 174 | 60.191.239.219 | COGENT Cogent/PSI
> 703 | 60.191.239.219 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> 1239 | 60.191.239.219 | SPRINTLINK - Sprint
> 2828 | 60.191.239.219 | XO-AS15 - XO Communications
> 2914 | 60.191.239.219 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> 3257 | 60.191.239.219 | TISCALI-BACKBONE Tiscali Intl Network BV
> 3320 | 60.191.239.219 | DTAG Deutsche Telekom AG
> 3549 | 60.191.239.219 | GBLX Global Crossing Ltd.
> 3561 | 60.191.239.219 | SAVVIS - Savvis
> 11164 | 60.191.239.219 | TRANSITRAIL - National LambdaRail, LLC
> 17888 | 60.191.239.219 | SINGTEL-HK SingTel Hong Kong Limited
>
> Any help getting this taken down would be appreciated by all:)
>
>
> H8Hz
> Donald.Smith at qwest.com giac
>
>
> This communication is the property of Qwest and may contain confidential or privileged information.
> Unauthorized use of this communication is strictly prohibited and may be unlawful.
> If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community.
> Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
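As an added example, not code from the thread or from Team Cymru, a small parser for the pipe-delimited whois output quoted above (origin AS and upstream PEER_AS listings), which also glues back the AS Name fields that mail clients wrap onto a second line, as happened to the UUNET and NTT entries in the quoted message. The sample input is constructed from the thread's own lines.

```python
"""Parse Team Cymru IP-to-ASN whois output as pasted into a mail thread."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the upstream-whois listing from the thread,
# with two AS Name fields wrapped onto continuation lines by the mail client.
SAMPLE_UPSTREAM = """\
> PEER_AS | IP | AS Name
> 174 | 60.191.239.219 | COGENT Cogent/PSI
> 703 | 60.191.239.219 | UUNET - MCI Communications Services, Inc.
> d/b/a Verizon Business
> 2914 | 60.191.239.219 | NTT-COMMUNICATIONS-2914 - NTT
> America, Inc.
> 17888 | 60.191.239.219 | SINGTEL-HK SingTel Hong Kong Limited
"""


@dataclass
class AsRecord:
    asn: int
    ip: str
    name: str


# An ASN line: "<digits> | <ip> | <name>"; the header has no leading digits.
_RECORD = re.compile(r"^(\d+)\s*\|\s*([\d.]+)\s*\|\s*(.*)$")


def parse_cymru(text: str) -> list[AsRecord]:
    """Return one AsRecord per ASN line; header skipped, wrapped names rejoined."""
    records: list[AsRecord] = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate quoted-reply prefixes
        if not line:
            continue
        m = _RECORD.match(line)
        if m:
            records.append(AsRecord(int(m.group(1)), m.group(2), m.group(3).strip()))
        elif records and "|" not in line:
            # No ASN and no field separators: this is the tail of the
            # previous record's AS Name, wrapped by the mail client.
            records[-1].name = f"{records[-1].name} {line}".strip()
        # anything else (e.g. the "PEER_AS | IP | AS Name" header) is skipped
    return records


def upstream_asns(text: str) -> list[int]:
    """ASNs in listing order, e.g. the transit providers to ask for help."""
    return [r.asn for r in parse_cymru(text)]
```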