[nsp-sec] CNCERT help here?

Yonglin ZHOU yonglin.zhou at gmail.com
Sun May 11 22:34:38 EDT 2008


Dear all,

Actually, in the past 6 months, we have handled 310 incidents in which hackers
registered domain names for malicious code distribution, with the help of
registrars in China.

We can only do that when we get the full URL and relevant info about the samples
involved so that we can verify it. We have to avoid making mistakes and
affecting normal domains.

You can report those domains to cncert at cert.org.cn, or send them to me when
something is wrong.

Best,

Yonglin.

On 5/10/08, Gong, Yiming <yiming.gong at xo.com> wrote:
>
> ----------- nsp-security Confidential --------
>
> Just dropped an email to a CN Netcom guy and let's see if something can
> be done after this weekend.
>
> In my opinion, for cases like this, working with the corresponding DNS
> provider to get the domain name shut down might be a better solution (at
> least it costs the culprit more effort, money and time, and just shifting IPs
> won't work).
>
> I just called hichina (DNS provider of ririwow.cn) and was told that without
> an order from law enforcement, they cannot suspend any domain. I know
> CNCERT is also on this list, so could someone from CNCERT work with some
> big DNS providers in China to work out some kind of solution (like
> opening an interface for outside security groups to send complaint emails or
> call in when a big security issue like this one is occurring)?
>
> Regards,
>
> Yiming
>
>
> > -----Original Message-----
> > From: Smith, Donald [mailto:Donald.Smith at qwest.com]
> > Sent: Friday, May 09, 2008 2:31 PM
> > To: Gong, Yiming; nsp-security at puck.nether.net
> > Subject: RE: [nsp-sec] AS 4134 injection site hosted on 221.12.88.52
> >
> > They have added ip.js to their injection and that is live. I
> > understand if we can't get the bad guy this is going to be a
> > whack-a-mole game. I still think there is benefit in getting
> > the malware distribution sites down since that requires them
> > to reinject. The tool they are using is only semi-automated,
> > so they have to have a Windows system with a remote GUI if they
> > are not on the box. But VNC or another similar app can be used.
> >
> >
> >
> > donald.smith at qwest.com giac
> >
> > ________________________________
> >
> > From: Gong, Yiming [mailto:yiming.gong at xo.com]
> > Sent: Fri 5/9/2008 1:25 PM
> > To: Smith, Donald; nsp-security at puck.nether.net
> > Subject: RE: [nsp-sec] AS 4134 injection site hosted on 221.12.88.52
> >
> >
> >
> > Apparently the culprit found something wrong with the old box and made
> > the DNS change today (see serial 2008050902):
> >
> > stlmsd1.Yiming>dig ririwow.cn
> >
> > ;; AUTHORITY SECTION:
> > ririwow.cn.             3H IN SOA       dns23.hichina.com. hostmaster.hichina.com. (
> >                                         2008050902      ; serial   <---here
> >                                         6H              ; refresh
> >                                         1H              ; retry
> >                                         2w6d            ; expiry
> >                                         3H )            ; minimum
> >
> > This IP belongs to China Netcom, another ISP in China, not AS 4134. I
> > will see if I can get lucky on their side.
> >
> > AND this is really what I have been worrying about: as long as the guy
> > behind it is at large, we are playing a "catch me if you can" game, and
> > without good help from ISPs and law enforcement, this looks like a
> > never-ending game.
> >
> >
> > Regards,
> >
> > Yiming
> >
> >
> > > -----Original Message-----
> > > From: Smith, Donald [mailto:Donald.Smith at qwest.com]
> > > Sent: Friday, May 09, 2008 1:55 PM
> > > To: Gong, Yiming; nsp-security at puck.nether.net
> > > Subject: RE: [nsp-sec] AS 4134 injection site hosted on 221.12.88.52
> > >
> > > wwwDOTririwowDOTcn/jp.js is now on 221.12.88.52.
> > > jp.js appears to have been removed as I get a 404 not found.
> > > It is probably still worth having them investigate it.
> > >
> > >
> > > donald.smith at qwest.com giac
> > >
> > > ________________________________
> > >
> > > From: Gong, Yiming [mailto:yiming.gong at xo.com]
> > > Sent: Thu 5/8/2008 4:28 PM
> > > To: Smith, Donald; nsp-security at puck.nether.net
> > > Subject: RE: [nsp-sec] AS 4134 injection site hosted on 60.191.239.219
> > >
> > >
> > >
> > > Now this IP is having a blackhole treatment on the Chinatelecom
> > > backbone.
> > >
> > > Next step will be trying to work with CT and see if they can clean this
> > > box in the next few days.
> > >
> > > Cheers,
> > >
> > > Yiming
> > >
> > >
> > > > -----Original Message-----
> > > > From: nsp-security-bounces at puck.nether.net
> > > > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> > > > Smith, Donald
> > > > Sent: Thursday, May 08, 2008 5:09 PM
> > > > To: nsp-security at puck.nether.net
> > > > Subject: [nsp-sec] AS 4134 injection site hosted on 60.191.239.219
> > > >
> > > > ----------- nsp-security Confidential --------
> > > >
> > > > The handlers have been covering a set of host names that all lead to
> > > > 60.191.239.219.
> > > > The FQDNs being injected are
> > > > wwwDOTririwowDOTcn, wwwDOTbluellDOTcn, bbsDOTjueduizuanDOTcom, and
> > > > wwwDOTfiexinDOTorg
> > > >
> > > > Details about those sites and how they are being used as the malware
> > > > delivery target in a MASSIVE SQL injection attack are available in
> > > > this diary:
> > > >
> > > > http://isc.sans.org/diary.html?storyid=4393
> > > >
> > > > $ whois -h whois.cymru.com 60.191.239.219
> > > > AS      | IP               | AS Name
> > > > 4134    | 60.191.239.219   | CHINANET-BACKBONE No.31,Jin-rong Street
> > > >
> > > > $ whois -h upstream-whois.cymru.com 60.191.239.219
> > > > PEER_AS | IP               | AS Name
> > > > 174     | 60.191.239.219   | COGENT Cogent/PSI
> > > > 703     | 60.191.239.219   | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> > > > 1239    | 60.191.239.219   | SPRINTLINK - Sprint
> > > > 2828    | 60.191.239.219   | XO-AS15 - XO Communications
> > > > 2914    | 60.191.239.219   | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> > > > 3257    | 60.191.239.219   | TISCALI-BACKBONE Tiscali Intl Network BV
> > > > 3320    | 60.191.239.219   | DTAG Deutsche Telekom AG
> > > > 3549    | 60.191.239.219   | GBLX Global Crossing Ltd.
> > > > 3561    | 60.191.239.219   | SAVVIS - Savvis
> > > > 11164   | 60.191.239.219   | TRANSITRAIL - National LambdaRail, LLC
> > > > 17888   | 60.191.239.219   | SINGTEL-HK SingTel Hong Kong Limited
> > > >
> > > > Any help getting this taken down would be appreciated by all:)
> > > >
> > > >
> > > > H8Hz
> > > > Donald.Smith at qwest.com giac
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > nsp-security mailing list
> > > > nsp-security at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/nsp-security
> > > >
> > > > Please do not Forward, CC, or BCC this E-mail outside of the
> > > > nsp-security
> > > > community. Confidentiality is essential for effective
> > > > Internet security counter-measures.
> > > > _______________________________________________



-- 
-------[CNCERT/CC]-----------------------------------------------
Zhou, Yonglin              【周勇林】
CNCERT/CC, P.R.China       【National Computer Network Emergency Response Technical Team / Coordination Center of China】
Tel: +86 10 82990355  Fax: +86 10 82990399  Web: www.cert.org.cn
Finger Print: 9AF3 E830 A350 218D BD2C  2B65 6F60 BEFB 3962 1C64
-----------------------------------------------[CNCERT/CC]-------
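The two pieces of tool output in this thread, the date-encoded SOA serial from dig (2008050902, used above to spot that the zone was re-pointed on 2008-05-09) and the pipe-separated Team Cymru whois tables that map 60.191.239.219 to AS 4134 and its upstreams, are exactly what a handler ends up parsing while chasing a host that keeps moving. The block below is an added example, not code from the thread or from any of its participants. The sample inputs are constructed from the output quoted above (re-joined where mail quoting wrapped lines); treating the serial as YYYYMMDDnn is an assumption about hichina's zone convention, so the decoder returns None for serials that do not fit it rather than guessing.

```python
import re
from datetime import date

# Constructed sample: the dig answer quoted in the thread, re-joined.
DIG_SOA_SAMPLE = """\
;; AUTHORITY SECTION:
ririwow.cn.             3H IN SOA       dns23.hichina.com. hostmaster.hichina.com. (
                                        2008050902      ; serial
                                        6H              ; refresh
                                        1H              ; retry
                                        2w6d            ; expiry
                                        3H )            ; minimum
"""

# Constructed samples: Team Cymru output in its "AS | IP | AS Name" layout.
CYMRU_SAMPLE = """\
AS      | IP               | AS Name
4134    | 60.191.239.219   | CHINANET-BACKBONE No.31,Jin-rong Street
"""

UPSTREAM_SAMPLE = """\
PEER_AS | IP               | AS Name
174     | 60.191.239.219   | COGENT Cogent/PSI
703     | 60.191.239.219   | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
2914    | 60.191.239.219   | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
17888   | 60.191.239.219   | SINGTEL-HK SingTel Hong Kong Limited
"""

# The "DOT" defanging used on the list (wwwDOTririwowDOTcn). Only the literal
# upper-case token is replaced, so a half-defanged "wwwDOTririwow.cn" also works.
def refang(defanged):
    """Turn a defanged host name back into one a resolver or blocklist accepts."""
    return defanged.replace("DOT", ".").lower()


def soa_serial_from_dig(text):
    """Pull the serial out of dig's multi-line SOA rendering; None if absent."""
    m = re.search(r"^\s*(\d+)\s*;\s*serial", text, re.M)
    return int(m.group(1)) if m else None


# Assumption: the zone uses the common YYYYMMDDnn serial convention.
SERIAL_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})$")

def soa_serial_date(serial):
    """Decode a YYYYMMDDnn serial into (ISO date string, revision number).
    Returns None for serials that are not date-based (unix time, plain
    counters), so callers never mistake an arbitrary number for a date."""
    m = SERIAL_RE.match(str(serial))
    if not m:
        return None
    y, mo, d, n = (int(g) for g in m.groups())
    try:
        return date(y, mo, d).isoformat(), n
    except ValueError:          # e.g. 1210300000 parses as month 30
        return None


def zone_changed_since(serial, since_iso):
    """True if a date-based serial shows the zone was edited on/after since_iso."""
    decoded = soa_serial_date(serial)
    return decoded is not None and decoded[0] >= since_iso


def parse_cymru(text):
    """Parse a whois.cymru.com / upstream-whois.cymru.com table into a list of
    (asn, ip, as_name) tuples. The header row is skipped because its first
    field is not numeric; the name is taken as one field because it may
    contain commas and slashes (split on the first two '|' only)."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


if __name__ == "__main__":
    serial = soa_serial_from_dig(DIG_SOA_SAMPLE)
    print("serial", serial, "->", soa_serial_date(serial),
          "changed on/after 2008-05-09:", zone_changed_since(serial, "2008-05-09"))
    for name in ("wwwDOTririwowDOTcn", "bbsDOTjueduizuanDOTcom", "wwwDOTfiexin.org"):
        print(name, "->", refang(name))
    origin = parse_cymru(CYMRU_SAMPLE)[0]
    print("origin AS", origin[0], origin[2])
    print("upstream ASNs:", [r[0] for r in parse_cymru(UPSTREAM_SAMPLE)])
```

The serial check is the point of the "see 2008050902" remark above: comparing a date-based serial against the date of the last known-good snapshot tells you the zone was touched without having to diff the whole record set, and the None return guards against the many zones whose serials are not dates at all. The Cymru parser feeds the upstream list straight into whichever peers on this list can apply a blackhole.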