[nsp-sec] Phishing page on Cogent AS174
Rob Thomas
robt at cymru.com
Sun May 18 12:14:17 EDT 2008
Hi, Seth.
> http://www.osu.edu.upgrade.bluechiphosting.com
>
> AS | IP | CC | Registry | AS Name
> 174 | 38.102.41.114 | US | arin | COGENT Cogent/PSI
That one has hosted a couple of nasties.
timestamp | ip | asn | category | comment
--------------------- --------------- ----- ------------ ------------------------------------------------------------
2008-04-02 12:44:11 | 38.102.41.114 | 174 | malwareurl | hxxp://nguoininhthuan.li/
2008-02-28 11:02:21 | 38.102.41.114 | 174 | phishing | hxxp://wellsfargo-onlinebanking.x050x.bluechiphosting.com/updating/rxzlbnqzierlyza3-bankingonline/wellsfargo-online-banking/rxzlbnqzierlyzarx3-xbankingonline/onlineservices-wellsfargo/rxzlbnqzierlyzarx3-xbanking/update-wellsfargo/login/hom.html
We see at least one sample in our malware menagerie that points to this IP.
timestamp | sha1 | md5 | dst_ip | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
2008-03-26 14:21:37 | 08c781230694efead8342b20a2822a4c30b2faac | 6063ce3b3f0228a14e01c403cac93ce2 | 38.102.41.114 | 20 | 6 |
Some of the DNS RRs we see pointed to that IP are a bit curious, such as
update-paypal.bluechiphosting.com.
timestamp | dns_name | ip
--------------------- ----------------------------------- ---------------
2008-03-02 11:23:03 | anhchung.net | 38.102.41.114
2008-05-06 02:52:07 | bank-paypal.bluechiphosting.com | 38.102.41.114
2008-04-24 12:31:12 | hayraja.ch | 38.102.41.114
2008-05-01 13:39:15 | hungviai.bluechiphosting.com | 38.102.41.114
2008-03-30 11:50:20 | itpleiku.com | 38.102.41.114
2008-05-05 08:35:31 | ixenon.info | 38.102.41.114
2008-04-27 12:28:36 | mw3d.ch | 38.102.41.114
2008-04-02 12:44:11 | nguoininhthuan.li | 38.102.41.114
2008-03-21 16:50:27 | nhacmoi.info | 38.102.41.114
2008-03-23 01:35:30 | sda3.ch | 38.102.41.114
2008-03-29 21:50:43 | sda3.li | 38.102.41.114
2008-05-10 12:54:34 | shady123.bluechiphosting.com | 38.102.41.114
2008-04-24 16:20:11 | sirkissme.bluechiphosting.com | 38.102.41.114
2008-05-04 02:53:38 | update-paypal.bluechiphosting.com | 38.102.41.114
2008-05-04 13:39:57 | valahost.com | 38.102.41.114
2008-04-10 12:37:38 | www.chjp.bluechiphosting.com | 38.102.41.114
2008-04-30 13:08:26 | www.hayraja.ch | 38.102.41.114
2008-05-17 13:11:19 | www.shady123.bluechiphosting.com | 38.102.41.114
2008-03-09 09:20:35 | wyltfm.com | 38.102.41.114
Looks like it was also the target of some criminal packet love back on
2008-03-30 on or about 19:06:24 UTC.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
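The passive-DNS listing above is the kind of data an analyst triages by hand; as an added example (not Team Cymru's tooling and not part of the original post), the script below parses those rows, flags hostnames that embed a watched brand string, detects a brand's domain buried inside a longer hostname (the pattern of the quoted www.osu.edu.upgrade.bluechiphosting.com URL), and counts how many names share a parent domain so a shared host with many tenants stands out. The rows are copied from the post; the brand watchlist is an assumption chosen for illustration.

```python
"""Triage helper for a passive-DNS listing (added example, not Team Cymru's code).

Assumptions: the BRAND_KEYWORDS watchlist is illustrative; rows are the
"timestamp | dns_name | ip" lines from the post above.
"""
import re
from collections import Counter

# Rows copied from the passive-DNS table in the post (constructed input for this example).
PDNS_TEXT = """\
2008-03-02 11:23:03 | anhchung.net | 38.102.41.114
2008-05-06 02:52:07 | bank-paypal.bluechiphosting.com | 38.102.41.114
2008-04-24 12:31:12 | hayraja.ch | 38.102.41.114
2008-05-01 13:39:15 | hungviai.bluechiphosting.com | 38.102.41.114
2008-03-30 11:50:20 | itpleiku.com | 38.102.41.114
2008-05-05 08:35:31 | ixenon.info | 38.102.41.114
2008-04-27 12:28:36 | mw3d.ch | 38.102.41.114
2008-04-02 12:44:11 | nguoininhthuan.li | 38.102.41.114
2008-03-21 16:50:27 | nhacmoi.info | 38.102.41.114
2008-03-23 01:35:30 | sda3.ch | 38.102.41.114
2008-03-29 21:50:43 | sda3.li | 38.102.41.114
2008-05-10 12:54:34 | shady123.bluechiphosting.com | 38.102.41.114
2008-04-24 16:20:11 | sirkissme.bluechiphosting.com | 38.102.41.114
2008-05-04 02:53:38 | update-paypal.bluechiphosting.com | 38.102.41.114
2008-05-04 13:39:57 | valahost.com | 38.102.41.114
2008-04-10 12:37:38 | www.chjp.bluechiphosting.com | 38.102.41.114
2008-04-30 13:08:26 | www.hayraja.ch | 38.102.41.114
2008-05-17 13:11:19 | www.shady123.bluechiphosting.com | 38.102.41.114
2008-03-09 09:20:35 | wyltfm.com | 38.102.41.114
"""

# Assumed watchlist of brand strings an analyst cares about (illustrative only).
BRAND_KEYWORDS = ("paypal", "wellsfargo")

# One row: "<date> <time> | <hostname> | <ip>"
ROW_RE = re.compile(r"^(\S+ \S+)\s*\|\s*(\S+)\s*\|\s*(\S+)\s*$")


def parse_pdns(text):
    """Parse the pipe-delimited listing into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"timestamp": m.group(1),
                         "name": m.group(2).lower(),
                         "ip": m.group(3)})
    return rows


def flag_brand_lookalikes(rows, keywords=BRAND_KEYWORDS):
    """Return sorted hostnames whose labels contain a watched brand string."""
    hits = {r["name"] for r in rows if any(k in r["name"] for k in keywords)}
    return sorted(hits)


def embedded_brand_domain(name, brand_domain):
    """True when brand_domain's labels appear inside name but NOT as its suffix,
    e.g. www.osu.edu.upgrade.bluechiphosting.com embeds osu.edu."""
    labels = name.lower().split(".")
    brand = brand_domain.lower().split(".")
    n = len(brand)
    # stop before the suffix position so the genuine brand host is not flagged
    for i in range(0, len(labels) - n):
        if labels[i:i + n] == brand:
            return True
    return False


def shared_parents(rows, min_children=2):
    """Count hostnames per parent domain (last two labels); return the busy ones."""
    counts = Counter(".".join(r["name"].split(".")[-2:]) for r in rows)
    return {parent: n for parent, n in counts.items() if n >= min_children}


if __name__ == "__main__":
    rows = parse_pdns(PDNS_TEXT)
    print("rows:", len(rows))
    print("brand lookalikes:", flag_brand_lookalikes(rows))
    print("shared parents:", shared_parents(rows))
    print("embedded osu.edu:",
          embedded_brand_domain("www.osu.edu.upgrade.bluechiphosting.com", "osu.edu"))
```

The parent-domain count is deliberately naive (last two labels), which is adequate for this listing but undercounts for public suffixes such as co.uk; a production version would use a public-suffix list.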