[nsp-sec] IRC Controller in AS24139
Rob Thomas
robt at cymru.com
Fri Oct 17 15:59:11 EDT 2008
Hi, Dan.
Thanks for the heads-up!
> AS | IP | AS Name
> 24139 | 218.108.55.189 | CNNIC-WASU-AP WASU TV & Communication Holding Co.,Ltd.
The DNS RR in the malware may be rbo.ircqforum.com. This now resolves
to 65.12.238.82.
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
6389 | 65.12.238.82 | 65.12.192.0/18 | US | arin | 2003-12-29 | BELLSOUTH-NET-BLK - BellSouth.net Inc.
It appears the server password was or is "saad" (no quotes).
It appears this botnet has been active since at least 2008-10-01
10:53:35 UTC. Ohhhh, wait... Correction, we first probed that one back
on 2008-05-24 16:41:33 UTC. Wow!
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");