[nsp-sec] ATTN AS 12553 malware hosting
Rob Thomas
robt at cymru.com
Wed Apr 8 15:15:09 EDT 2009
Hey, Mike.
> AS | IP | AS Name
> 12553 | 94.247.2.195 | PCEXPRESS-AS _DATORU EXPRESS SERVISS_ Ltd.
This one entered our malware menagerie a couple of days ago.
timestamp           | sha1                                     | md5                              | dst_ip       | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- -------------- ---------- ---------- ------
2009-04-06 12:50:50 | 36ffb0ca0f7eb9ae81b703c411918d2c92b3dbc0 | cb3785f889112ffa6e12159a7579efcf | 94.247.2.195 | 80       | 6        |
It appears to be a CentOS box running Apache/2.2.3.
We see the downloads dating back to 2009-04-02 07:35:02 UTC, at least.
A related URL might be:
h x x p : / / 94.247.2.195 / news / ?id=100
As for 69.46.24.231, we're seeing a slightly increasing amount of
interesting badness tracking back to AS29802 HIVELOCITY VENTURES CORP.
Anybody have friends there?
69.46.24.231 appears to be a Linux box. We see two DNS RRs tied to it.
timestamp | dns_name | ip
--------------------- ---------------------- --------------
2009-03-01 23:20:14 | ns.freewebhosting.ws | 69.46.24.231
2009-03-05 02:35:20 | ns.web-hosting.tw | 69.46.24.231
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");