[nsp-sec] Assistance in tracking a Command and Control (C2) server - obtaining a copy of the malware

Nicholas Ianelli ni at centergate.net
Fri Apr 3 20:19:29 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Team,

It looks like the C2 server that is issuing a variety of DDoS commands
across the net has moved from 89.149.233.194 (port 95/TCP) to
78.109.21.136 (port 444/TCP).

41665   | 78.109.21.136    | HOSTING-AS National Hosting Provider, Hosting.UA

Bulk mode; peer-whois.cymru.com [2009-04-03 23:41:48 +0000]
9002    | 78.109.21.136    | RETN-AS ReTN.net Autonomous System
35320   | 78.109.21.136    | ETT-AS Eurotranstelecom


I'm asking if you could please check flows to see if you have any
customers talking to 78.109.21.136. We REALLY need to get our hands on
the malware.

We would really appreciate your assistance with this. I am more than
happy to provide you with a telephone number that you can have your
customers call me on, or partake in a conference call with a member of
your organization and the customer.

We REALLY need to get our hands on the malware, ANY assistance you can
provide would be greatly appreciated.

In addition, if you have any intel on malware that operates on port
95/TCP or 444/TCP I would love to get my hands on that as well.

Cheers,
Nick

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAknWp5AACgkQi10dJIBjZIC6bgCg5WP+JHCOrKjpQ3stxxZxdP8D
HLwAn285o91ttcIlmD1ouQWxRFSPpYoj
=WhlB
-----END PGP SIGNATURE-----
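The request above is an operator-to-operator ask: check flow data for any customer talking to 78.109.21.136 (and, for older contacts, 89.149.233.194 on 95/TCP). The following is an added example written for this archive page, not code from the poster or the nsp-sec list, showing how that check looks as detection logic over flow records. The flow lines, the 10.1.0.0/16 customer addresses and the CSV field names are constructed for the example; only the two C2 addresses and ports come from the message.

```python
import csv
import io
from dataclasses import dataclass

# Indicators taken from the message above (IP, TCP port). Everything else in
# this block is constructed for the example.
C2_ENDPOINTS = {
    ("89.149.233.194", 95): "previous C2 (port 95/TCP)",
    ("78.109.21.136", 444): "current C2 (port 444/TCP)",
}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}

# Constructed sample flow export (CSV with a trimmed field set, the kind of
# layout a NetFlow collector can emit); 10.1.0.0/16 stands in for customer space.
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
2009-04-03T22:10:01Z,10.1.4.22,51233,78.109.21.136,444,tcp,1840,12
2009-04-03T22:10:03Z,10.1.4.22,51234,93.184.216.34,80,tcp,22310,40
2009-04-03T22:11:40Z,10.1.9.7,40211,89.149.233.194,95,tcp,960,8
2009-04-03T22:12:05Z,10.1.9.7,40212,78.109.21.136,80,tcp,400,5
2009-04-03T22:13:00Z,78.109.21.136,444,10.1.4.22,51233,tcp,512,6
2009-04-03T22:14:11Z,10.1.2.9,33001,78.109.21.137,444,tcp,300,4
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    customer_ip: str
    c2_ip: str
    c2_port: int
    proto: str
    note: str


def parse_flows(text):
    """Parse CSV flow records into dicts with integer ports and counters."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("src_port", "dst_port", "bytes", "packets"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def find_c2_contacts(flows):
    """Return a Hit for every flow that touches a C2 IP in either direction.

    Matching on IP alone answers the question in the email ("any customers
    talking to 78.109.21.136"). The port is then compared with the known C2
    port so traffic to an unexpected port on that host is flagged for manual
    review instead of being silently counted as C2 traffic: a hosting IP can
    serve unrelated content as well.
    """
    hits = []
    for f in flows:
        if f["dst_ip"] in C2_IPS:
            customer, c2_ip, c2_port = f["src_ip"], f["dst_ip"], f["dst_port"]
        elif f["src_ip"] in C2_IPS:
            customer, c2_ip, c2_port = f["dst_ip"], f["src_ip"], f["src_port"]
        else:
            continue
        note = C2_ENDPOINTS.get((c2_ip, c2_port))
        if note is None or f["proto"].lower() != "tcp":
            note = "C2 IP on unexpected port/protocol; verify manually"
        hits.append(Hit(f["ts"], customer, c2_ip, c2_port, f["proto"], note))
    return hits


def customers_by_c2(hits):
    """Map each C2 IP to the sorted list of customer IPs that contacted it,
    which is the list a provider would hand back to the requester."""
    out = {}
    for h in hits:
        out.setdefault(h.c2_ip, set()).add(h.customer_ip)
    return {ip: sorted(v) for ip, v in out.items()}


if __name__ == "__main__":
    found = find_c2_contacts(parse_flows(SAMPLE_FLOWS))
    for h in found:
        print(f"{h.ts} {h.customer_ip} <-> {h.c2_ip}:{h.c2_port}/{h.proto}  {h.note}")
    print(customers_by_c2(found))
```

On real data the input would be the collector's CSV export already filtered to the two C2 addresses, so the script only has to classify and summarise. The per-customer summary is what the requester actually needs; the "unexpected port" note is the caveat worth keeping, since a contact with the C2 host on a port other than 444/TCP or 95/TCP may be ordinary traffic to a shared hosting box and should be corroborated (port, timing, volume) before a customer is contacted.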


