[nsp-sec] Bracing For Impact... MS08-067
Nicholas Ianelli
ni at cert.org
Fri Oct 24 10:33:51 EDT 2008
>> Bulk mode; whois.cymru.com [2008-10-23 21:06:14 +0000]
>> 4808 | 202.108.22.44 | CHINA169-BJ CNCGROUP IP network China169
>> Beijing Province Network
>> 8560 | 212.227.93.146 | ONEANDONE-AS 1&1 Internet AG
>> 9370 | 59.106.145.58 | SAKURA-B SAKURA Internet Inc.
>> 15169 | 64.233.189.147 | GOOGLE - Google Inc.
>
> anyone able to provide more details about 212.227.93.146?
> That's a shared web server ...
> The following three IPs are pinged with the payload:
>
> abcde12345fghij6789
>
> 212.227.93.146
> 64.233.189.147
> 202.108.22.44
Yes, there are some interesting IPs in that list. At this point all I
know is that the three IP addresses listed above get sent an ICMP
packet.
There are some unused branches of code within some of these files. May
be remnants of previous versions of this attack, re-purposed source code
or something else.
I would not be shocked if say two of three IPs listed under the ICMP
section were bogus or used to try and throw us off.
Nick
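As an added detection example (not code from the thread or from the sample being discussed), here is the check a defender might write for the ICMP beacon described above: it parses raw IPv4/ICMP packets, flags echo requests carrying the quoted payload, and records whether the destination is one of the three listed addresses rather than requiring it, since Nick cautions that some of those IPs may be decoys. The packet builder, the sample packets and all function names are my own constructions.

```python
import struct
import ipaddress

# Indicators quoted in the thread: the ICMP payload and the three destinations.
BEACON_PAYLOAD = b"abcde12345fghij6789"
BEACON_DESTS = {"212.227.93.146", "64.233.189.147", "202.108.22.44"}


def build_icmp_echo(dst, payload, src="10.0.0.5"):
    """Constructed sample input: minimal IPv4 + ICMP echo request (checksums zeroed)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + icmp


def parse_ipv4(pkt):
    """Return (proto, src, dst, layer-4 bytes), or None for a malformed IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return pkt[9], src, dst, pkt[ihl:]


def classify_beacon(pkt):
    """Return a hit dict if pkt is an ICMP echo request carrying the beacon payload.

    The destination is reported but not required to match the listed IPs, because
    the thread suggests some of them may be decoys (hypothetical matching policy).
    """
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, src, dst, l4 = parsed
    # IP protocol 1 = ICMP; the ICMP header is 8 bytes and type 8 = echo request.
    if proto != 1 or len(l4) < 8 or l4[0] != 8:
        return None
    if l4[8:] != BEACON_PAYLOAD:
        return None
    return {"src": src, "dst": dst, "known_dest": dst in BEACON_DESTS}


def find_beacons(packets):
    """Run the check over a sequence of raw packets and return the hits in order."""
    return [hit for hit in map(classify_beacon, packets) if hit is not None]
```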