[nsp-sec] PHP bot with ddos - hosted in UK, attn AS29131, botnet in AS16276
Rob Thomas
robt at cymru.com
Thu Oct 2 18:13:58 EDT 2008
Hey, Jose.
Great stuff, thanks!
> URL "http://r3df0x.altervista.org/ddoss.txt", host
> 78.129.205.40, GB, 29131
This one has hosted a couple of these sorts of sites.
timestamp             | ip              | asn     | category     | comment
--------------------- --------------- ------- ------------ -----------------------------------------------
2008-08-28 07:21:31   | 78.129.205.40   | 29131   | malwareurl   | hxxp://b4st4rd1d3ntr0.altervista.org/fuck.txt
2008-08-26 05:57:50   | 78.129.205.40   | 29131   | phishing     | hxxp://www.khgteam.altervista.org/
We see one sample in our malware menagerie that points to this IP.
timestamp             | sha1                                      | md5                               | dst_ip          | dst_port   | protocol   | size
--------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
2008-08-25 17:28:10   | 44887ce54c25055668b7b003be420816a7aed52f  | 24388cdf070d0326ce24a7da17a37471  | 78.129.205.40   | 21         | 6          | 812
Let me know if anyone wants details on the malware itself.
This host appears to be a Linux box running Apache.
> var $config = array("server"=>"91.121.86.73",
Nothing on this one, sorry.
Thanks!
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");