[nsp-sec] intercage/atrivo
Chris Morrow
morrowc at ops-netman.net
Tue Sep 16 19:40:57 EDT 2008
So... I think some/a-lot of the problem with atrivo (Emil) is that he
plays the dumb-dupe very well: "Oh, another one of my customers is being
abusive? Spreading malware? Involved with ZLob? Oh, I'll terminate them
right now!"

Which most often in the past has meant:

ifconfig eth0 1.2.3.4 down
ifconfig eth0 1.2.3.5 up

"Ok, all terminated, wow thanks for the note!"

If he's not aware that his AS and the customers of his AS have been
involved with a very large and ongoing set of malware and abuse issues
he's either really, really, really dumb or deaf/blind/dumb/fingerless.
Given the last 4+ years of abuse centered around Atrivo/Intercage I just
can't believe that he's completely unaware of the situation.

Joe St Sauver from u-Oregon may have some more/better/detailed information
on Atrivo... Spamhaus (despite my normal 'f-spamhaus' attitude) really has
a decent trove as well.

-Chris
On Tue, 16 Sep 2008, Jose Nazario wrote:
> ----------- nsp-security Confidential --------
>
> On Tue, 16 Sep 2008, Darren Grabowski wrote:
>
>> Does anyone have anything active on Atrivo? I've been told that "he is
>> innocent, this is a bunch of heresy, 95% of what is said is not true, it's
>> all the Russians" and stuff like that.
>
> very little in the past 24h.
>
> ATLAS DETAILED REPORT: 27595
>
> Generated: Tue Sep 16 23:12:18 2008 UTC
> Covers 24 hour time period through now.
>
> DENIAL OF SERVICE
> OBSERVED INBOUND ATTACKS
> Based on actual alerts gathered in our Internet statistics project.
> Start, End, Dest CIDR, Dest ASN, Dest CC, Max BPS, Max PPS
> 1221434509, 1221435786, "216.255.184.150/32", "27595", US, 163104, 51
> 1221356595, 1221434466, "216.255.184.150/32", "27595", US, 1944056, 312
>
> MALICIOUS CLIENTS
> Scans
> Based on ATLAS honeypot sensors.
> IP, Cumulative Bytes
>
> MALICIOUS SERVERS
> Malicious Links
> URLs contacted by malware during automated analysis. Timestamp, CC, ASN, IP,
> URL
> 1221537600, CY, 27595, 69.50.175.194,
> "http://69.50.175.194/ca/count.php?flsh=0&pion=0&p=84626410&a=0003"
> 1221537600, US, 27595, 64.28.181.230, "http://64.28.181.230/path.txt"
>
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> security researcher, office of the CTO, arbor networks
> v: (734) 821 1427 http://asert.arbornetworks.com/
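An added, defender-side example (not code from the thread, from Arbor, or from the ATLAS reports it quotes): a small parser for the scan section's "IP, Cumulative Bytes" layout that totals honeypot bytes per /24 rather than per host, plus a check for the ifconfig-down/ifconfig-up "termination" dodge Chris describes, flagging later abuse reports that land in the same /24 as an address the provider claims to have terminated. The sample rows are constructed (documentation address space, invented byte counts).

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the ATLAS "IP, Cumulative Bytes" layout quoted in the thread.
# Addresses are documentation ranges and the counts are invented; not the report's rows.
SAMPLE_SCANS = """\
IP, Cumulative Bytes
203.0.113.138, 21508.0
203.0.113.106, 18957.0
203.0.113.162, 14695.0
203.0.114.178, 11526.0
198.51.100.34, 384.0
other, 0
"""

def parse_scan_rows(text):
    """Parse 'IP, Cumulative Bytes' rows, skipping the header and the 'other' aggregate."""
    rows = []
    for line in text.splitlines():
        ip, _, count = line.partition(",")
        try:
            addr = ipaddress.ip_address(ip.strip())
        except ValueError:
            continue  # header line or the trailing 'other' total
        rows.append((addr, float(count.strip())))
    return rows

def bytes_per_prefix(rows, prefixlen=24):
    """Total bytes per /prefixlen, most active block first: the block, not one host, is the unit of abuse."""
    totals = defaultdict(float)
    for addr, nbytes in rows:
        totals[ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)] += nbytes
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))

def reip_suspects(terminated, later_reports, prefixlen=24):
    """Return later-reported IPs that sit in the same /prefixlen as a supposedly terminated host.

    This is the re-IP pattern from the thread: the abuse moves to a neighbouring address
    instead of leaving the network, so abuse tracking keyed on the exact IP loses it."""
    nets = {ipaddress.ip_network(f"{ipaddress.ip_address(t)}/{prefixlen}", strict=False)
            for t in terminated}
    return [ip for ip in later_reports
            if ipaddress.ip_network(f"{ipaddress.ip_address(ip)}/{prefixlen}", strict=False) in nets]

if __name__ == "__main__":
    for net, total in bytes_per_prefix(parse_scan_rows(SAMPLE_SCANS)).items():
        print(f"{net}\t{total:.0f}")
    print("re-IP suspects:", reip_suspects(["1.2.3.4"], ["1.2.3.5", "5.6.7.8"]))
```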