[nsp-sec] Attack on www.betinternet.com TCP 80 - C&C IN UK
Jose Nazario
jose at arbor.net
Mon Apr 6 15:12:36 EDT 2009
machbot. here's your controller:
Timestamp 2009-04-03 11:08:21
C&C IP 91.212.65.121
C&C Hostname a77e1468.biz
C&C Port 80
C&C ASN 48841
C&C CC UK
C&C Channel http:machbot
Command URL
Command Given rgttp www.betinternet.com
Target IP 83.218.15.248
Target Hostname www.betinternet.com
Target ASN 15766
Target CC UK
Report Origin Shadowserver
url is just:
hxxp://a77e1468/?data=dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MS4yLjMu
the arg there is just base64 encoded info about the bot, it can vary. hope
this helps.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
manager of security research arbor networks
v: (734) 821 1427 http://asert.arbor.net/
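The decoding step described in the message, as an added example for hunting this check-in in web proxy logs; it is not code from the original post or from any Arbor or Shadowserver tool. The field names `ver`, `uid` and `os` come from decoding the one sample URL quoted above, and the log layout, client addresses and `example.com` URLs are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs

# Keys observed when decoding the sample quoted in the message (assumed stable).
EXPECTED_KEYS = {"ver", "uid", "os"}

def decode_checkin(url):
    """Return the bot fields carried in the `data` parameter, or None."""
    if url.lower().startswith("hxxp"):       # accept defanged URLs from reports
        url = "http" + url[4:]
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    blobs = query.get("data")
    if not blobs:
        return None
    blob = blobs[0].replace(" ", "+")        # parse_qs turns '+' into a space
    if len(blob) % 4 == 1:                   # cut off mid-group: drop the stray char
        blob = blob[:-1]
    blob += "=" * (-len(blob) % 4)           # restore stripped padding
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    fields = {k: v[0] for k, v in parse_qs(text, keep_blank_values=True).items()}
    return fields if EXPECTED_KEYS <= fields.keys() else None

def hunt(log_lines):
    """Return (line_number, fields) for each logged URL that decodes as a check-in."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for token in line.split():
            if "data=" in token:
                fields = decode_checkin(token)
                if fields:
                    hits.append((n, fields))
    return hits

# Constructed proxy-log lines; only the URL on the second line is from the message.
SAMPLE_LOG = [
    "2009-04-03T11:08:20 10.0.0.5 GET http://example.com/search?data=aGVsbG8gd29ybGQ= 200",
    "2009-04-03T11:08:21 10.0.0.7 GET hxxp://a77e1468/?data=dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MS4yLjMu 200",
    "2009-04-03T11:08:22 10.0.0.9 GET http://example.com/img?data=%%% 404",
]

if __name__ == "__main__":
    for line_no, fields in hunt(SAMPLE_LOG):
        print(line_no, fields)
```

Because the encoded fields vary per bot, matching on the decoded key names catches check-ins that a fixed-string match on the base64 text would miss.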