[nsp-sec] CNCERT help here?
Yonglin ZHOU
yonglin.zhou at gmail.com
Tue May 13 20:29:32 EDT 2008
Yiming,
>
> Also Yonglin, for big issues like this, if we report them to
> cncert at cert.org, normally how long it will take to have some results?
> Thanks.
Usually, we'll send the message to the relevant registrars as soon as we verify
it. However, different registrars may respond differently. Some of them are
very prompt, 1~2 working days. Some are slow, even up to a week. Of course,
we'll make phone calls to them time and time again. But still it depends on
the registrars.
Thanks,
Yonglin.
> >
> > > ________________________________
> > >
> > > From: Gong, Yiming [mailto:yiming.gong at xo.com]
> > > Sent: Thu 5/8/2008 4:28 PM
> > > To: Smith, Donald; nsp-security at puck.nether.net
> > > Subject: RE: [nsp-sec] AS 4134 injection site hosted on 60.191.239.219
> > >
> > >
> > >
> > > Now this IP is getting the blackhole treatment on the Chinatelecom backbone.
> > >
> > > Next step will be trying to work with CT and see if they can clean this
> > > box in the next few days.
> > >
> > > Cheers,
> > >
> > > Yiming
> > >
> > >
> > > > -----Original Message-----
> > > > From: nsp-security-bounces at puck.nether.net
> > > > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Smith, Donald
> > > > Sent: Thursday, May 08, 2008 5:09 PM
> > > > To: nsp-security at puck.nether.net
> > > > Subject: [nsp-sec] AS 4134 injection site hosted on 60.191.239.219
> > > >
> > > > ----------- nsp-security Confidential --------
> > > >
> > > > The handlers have been covering a set of host names that all lead to
> > > > 60.191.239.219.
> > > > The FQDNs being injected are
> > > > wwwDOTririwow.cn, wwwDOTbluellDOTcn, bbsDOTjueduizuanDOTcom, and
> > > > wwwDOTfiexin.org
> > > >
> > > > Details about those sites and how they are being used as the malware
> > > > delivery target in a MASSIVE SQL injection attack are available here in
> > > > this diary.
> > > >
> > > > http://isc.sans.org/diary.html?storyid=4393
> > > >
> > > > $ whois -h whois.cymru.com 60.191.239.219
> > > > AS      | IP             | AS Name
> > > > 4134    | 60.191.239.219 | CHINANET-BACKBONE No.31,Jin-rong Street
> > > >
> > > > $ whois -h upstream-whois.cymru.com 60.191.239.219
> > > > PEER_AS | IP             | AS Name
> > > > 174     | 60.191.239.219 | COGENT Cogent/PSI
> > > > 703     | 60.191.239.219 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> > > > 1239    | 60.191.239.219 | SPRINTLINK - Sprint
> > > > 2828    | 60.191.239.219 | XO-AS15 - XO Communications
> > > > 2914    | 60.191.239.219 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> > > > 3257    | 60.191.239.219 | TISCALI-BACKBONE Tiscali Intl Network BV
> > > > 3320    | 60.191.239.219 | DTAG Deutsche Telekom AG
> > > > 3549    | 60.191.239.219 | GBLX Global Crossing Ltd.
> > > > 3561    | 60.191.239.219 | SAVVIS - Savvis
> > > > 11164   | 60.191.239.219 | TRANSITRAIL - National LambdaRail, LLC
> > > > 17888   | 60.191.239.219 | SINGTEL-HK SingTel Hong Kong Limited
> > > >
> > > > Any help getting this taken down would be appreciated by all:)
> > > >
> > > >
> > > > H8Hz
> > > > Donald.Smith at qwest.com giac
> > > >
> > > > _______________________________________________
> > > > nsp-security mailing list
> > > > nsp-security at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/nsp-security
> > > >
> > > > Please do not Forward, CC, or BCC this E-mail outside of the
> > > > nsp-security community. Confidentiality is essential for effective
> > > > Internet security counter-measures.
> > > > _______________________________________________
> > > >
> > >
> > >
> > >
> >
> >
> >
>
>
> Regards,
>
> Yiming
>
>
>
> ________________________________
>
> From: Yonglin ZHOU [mailto:yonglin.zhou at gmail.com]
> Sent: Sunday, May 11, 2008 9:35 PM
> To: Gong, Yiming
> Cc: Smith, Donald; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] CNCERT help here?
>
>
>
> Dear all,
>
> Actually, in the past 6 months, we have handled 310 incidents where
> hackers registered domain names for malicious code distribution, with the
> help of registrars in China.
>
> We can only do that when we get the full url and relevant info about
> the samples involved so that we can verify it. We have to avoid making
> mistakes and affecting normal domains.
>
> You can report to cncert at cert.org.cn with those domains. Or send
> them to me when something is wrong.
>
> Best,
>
> Yonglin.
>
>
> On 5/10/08, Gong, Yiming <yiming.gong at xo.com> wrote:
>
> ----------- nsp-security Confidential --------
>
> Just dropped an email to a CN Netcom guy and let's see if something can
> be done after this weekend.
>
> In my opinion, for cases like this, working with the corresponding dns
> provider to get the domain name shut down might be a better solution (at
> least it costs the culprit more effort, money and time, and also just
> shifting IPs won't work).
>
> I just called hichina (dns provider of ririwow.cn) and was told that without
> an order from law enforcement, they can not suspend any domain. I know
> CNCERT is also on this list, so could someone from CNCERT work with some
> big dns providers in China to work out some kind of solution (like
> opening an interface for outside security groups to send complaint emails or
> call in when a big security issue like this one is occurring)?
>
> Regards,
>
> Yiming
>
>
> > -----Original Message-----
> > From: Smith, Donald [mailto:Donald.Smith at qwest.com]
> > Sent: Friday, May 09, 2008 2:31 PM
> > To: Gong, Yiming; nsp-security at puck.nether.net
> > Subject: RE: [nsp-sec] AS 4134 injection site hosted on 221.12.88.52
> >
> > They have added ip.js to their injection and that is live. I
> > understand if we can't get the bad guy this is going to be a
> > whack-a-mole game. I still think there is benefit in getting
> > the malware distribution sites down since that requires them
> > to reinject. The tool they are using is only semi-automated,
> > so they have to have a windows system with a remote gui if they
> > are not on the box. But vnc or other similar apps can be used.
> >
> >
> >
> > donald.smith at qwest.com giac
> >
> > ________________________________
> >
> > From: Gong, Yiming [mailto:yiming.gong at xo.com]
> > Sent: Fri 5/9/2008 1:25 PM
> > To: Smith, Donald; nsp-security at puck.nether.net
> > Subject: RE: [nsp-sec] AS 4134 injection site hosted on 221.12.88.52
> >
> >
> >
> > Apparently the culprit found something wrong with the old box and made
> > the dns change today (see 2008050902)
> >
> > stlmsd1.Yiming>dig ririwow.cn
> >
> > ;; AUTHORITY SECTION:
> > ririwow.cn.  3H IN SOA  dns23.hichina.com. hostmaster.hichina.com. (
> >                          2008050902 ; serial   <---here
> >                          6H         ; refresh
> >                          1H         ; retry
> >                          2w6d       ; expiry
> >                          3H )       ; minimum
> >
> > This IP belongs to China Netcom, another ISP in China, not AS 4134. I
> > will see if I can get lucky on their side.
> >
> > AND this is really what I have been worrying about: as long as the guy
> > behind it is at large, we are playing a "catch me if you can" game, and
> > without good help from ISPs and law enforcement, this looks like a
> > never-ending game.
> >
> >
> > Regards,
> >
> > Yiming
> >
> >
> > > -----Original Message-----
> > > From: Smith, Donald [mailto:Donald.Smith at qwest.com]
> > > Sent: Friday, May 09, 2008 1:55 PM
> > > To: Gong, Yiming; nsp-security at puck.nether.net
> > > Subject: RE: [nsp-sec] AS 4134 injection site hosted on 221.12.88.52
> > >
> > > wwwDOTririwowDOTcn/jp.js is now on 221.12.88.52.
> > > jp.js appears to have been removed as I get a 404 not
> found.
> > > It is probably still worth having them investigate it.
> > >
> > >
> > > donald.smith at qwest.com giac
--
-------[CNCERT/CC]-----------------------------------------------
Zhou, Yonglin 【周勇林】
CNCERT/CC, P.R.China 【国家计算机网络应急技术处理协调中心】
Tel: +86 10 82990355 Fax: +86 10 82990399 Web: www.cert.org.cn
Finger Print: 9AF3 E830 A350 218D BD2C 2B65 6F60 BEFB 3962 1C64
-----------------------------------------------[CNCERT/CC]-------
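The two checks the thread leans on, an IP-to-ASN lookup through Team Cymru's whois service to work out who to escalate to, and a dig SOA serial check to notice the culprit re-pointing ririwow.cn to a new box in a different network, as a small offline tool. This is an added example, not code from the nsp-security thread or from any of its participants. The sample inputs are constructed from the whois and dig text pasted above; the "before" serial 2008050901 and the ASN 64496 (a documentation-range number) for 221.12.88.52 are placeholders, since the thread gives neither.

```python
"""Offline helpers for the two checks used in this thread: an IP-to-ASN
lookup (Team Cymru whois text) to decide who to escalate to, and a dig SOA
serial check to spot the culprit re-pointing the domain.

Added example, not code from the nsp-security thread or its participants.
Sample inputs are constructed from the whois/dig text in the thread; the
'before' serial 2008050901 and ASN 64496 for 221.12.88.52 are placeholders
the thread does not supply (64496 is a documentation-range ASN).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Defanging seen on the list: 'DOT' for '.', plus the common '[.]' form.
_DEFANG = re.compile(r"DOT|\[\.\]")


def refang(name: str) -> str:
    """'wwwDOTririwowDOTcn' -> 'www.ririwow.cn'; mixed 'wwwDOTfiexin.org' works too."""
    return _DEFANG.sub(".", name.strip()).lower()


@dataclass(frozen=True)
class AsnRecord:
    asn: int
    ip: str
    name: str


def parse_cymru(text: str) -> List[AsnRecord]:
    """Parse 'AS | IP | AS Name' or 'PEER_AS | IP | AS Name' rows; skip the header."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[0].isdigit():
            rows.append(AsnRecord(int(parts[0]), parts[1], parts[2]))
    return rows


_SERIAL = re.compile(r"^\s*(\d+)\s*;\s*serial", re.MULTILINE)


def soa_serial(dig_output: str) -> Optional[int]:
    """Zone serial from a multi-line dig SOA answer ('2008050902 ; serial')."""
    m = _SERIAL.search(dig_output)
    return int(m.group(1)) if m else None


def serial_newer(old: int, new: int) -> bool:
    """RFC 1982 comparison: 'new' is newer if it is ahead of 'old' by less
    than 2**31 modulo 2**32, so a serial that wrapped still counts as newer."""
    return 0 < (new - old) % 2**32 < 2**31


@dataclass
class Snapshot:
    ip: str       # A record observed for the host at the time
    dig_soa: str  # raw dig SOA output for the zone
    cymru: str    # raw whois.cymru.com output for `ip`


def compare(before: Snapshot, after: Snapshot) -> Dict[str, object]:
    """Report whether the zone was updated and whether the host moved IP/ASN,
    which is the signal to redo the escalation (new ASN, new upstreams)."""
    old_s, new_s = soa_serial(before.dig_soa), soa_serial(after.dig_soa)
    old_as = {r.asn for r in parse_cymru(before.cymru)}
    new_as = {r.asn for r in parse_cymru(after.cymru)}
    return {
        "zone_updated": None not in (old_s, new_s) and serial_newer(old_s, new_s),
        "ip_moved": before.ip != after.ip,
        "asn_moved": old_as != new_as,
        "new_asns": sorted(new_as - old_as),
    }


# --- constructed sample data (shapes copied from the thread) -----------------
SOA_TEMPLATE = """;; AUTHORITY SECTION:
ririwow.cn. 3H IN SOA dns23.hichina.com. hostmaster.hichina.com. (
    {serial} ; serial
    6H ; refresh
    1H ; retry
    2w6d ; expiry
    3H ) ; minimum
"""
CYMRU_BEFORE = "AS | IP | AS Name\n4134 | 60.191.239.219 | CHINANET-BACKBONE No.31,Jin-rong Street\n"
# Placeholder ASN: the thread only says 221.12.88.52 is China Netcom, not AS 4134.
CYMRU_AFTER = "AS | IP | AS Name\n64496 | 221.12.88.52 | PLACEHOLDER-NETCOM (ASN not given in thread)\n"
UPSTREAM_BEFORE = """PEER_AS | IP | AS Name
174 | 60.191.239.219 | COGENT Cogent/PSI
703 | 60.191.239.219 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
2914 | 60.191.239.219 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
17888 | 60.191.239.219 | SINGTEL-HK SingTel Hong Kong Limited
"""
BEFORE = Snapshot("60.191.239.219", SOA_TEMPLATE.format(serial=2008050901), CYMRU_BEFORE)
AFTER = Snapshot("221.12.88.52", SOA_TEMPLATE.format(serial=2008050902), CYMRU_AFTER)

if __name__ == "__main__":
    print([refang(h) for h in ("wwwDOTririwowDOTcn", "bbsDOTjueduizuanDOTcom")])
    print([r.asn for r in parse_cymru(UPSTREAM_BEFORE)])
    print(compare(BEFORE, AFTER))
```

The serial comparison deliberately uses RFC 1982 arithmetic rather than a plain `>`, so a zone whose serial wraps around 2**32 is still reported as updated; the upstream-peer list is what you would hand to the next contact when the host moves out of the ASN you already escalated to.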