[nsp-sec] ATTN AS 12553 malware hosting
Shelton, Steve
sshelton at Cogentco.com
Wed Apr 8 15:51:00 EDT 2009
Rob et al.
I've seen other Malware issues translating to the same AS|Prefix. One
IP as of late is 94.247.3.150.
PCEXPRESS-AS "DATORU EXPRESS SERVISS" Ltd.

domain                   age             A record       server        reverse DNS
coolnameshop.cn          14342 days old  94.247.3.150   nginx/0.6.35  hs.3-150.zlkon.lv
filmtypemedia.cn         14342 days old  94.247.3.150   nginx/0.6.35  hs.3-150.zlkon.lv
homenameregistration.cn  14342 days old  94.247.3.150   nginx/0.6.35  hs.3-150.zlkon.lv
hs.3-150.zlkon.lv        14342 days old  94.247.3.150   nginx/0.6.35
lotante.cn               14342 days old  94.247.3.150   nginx/0.6.35  hs.3-150.zlkon.lv
--- 04/08/09 13:47:15 Mountain Daylight Time
--- resolving IP [94.247.2.195], please wait...
hs.2-195.zlkon.lv [94.247.2.195]
I'll be happy to work with and address any issue found or known
translating to AS29802. I'm wondering if the specific code-content
pointing to 94.247.2.195 was via a script injection on one or more
legitimate sites hosted or translating to AS29802. Can anybody confirm
this? I routinely see victim-injected sites with code aimed at
94.247.3.150 and am wondering whether that is the case with 94.247.2.195 as well.
Thanks!
Steve Shelton
Security Engineer
Cogent Communications
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Rob Thomas
Sent: Wednesday, April 08, 2009 1:15 PM
To: Mike Tancsa
Cc: NSP-SEC List
Subject: Re: [nsp-sec] ATTN AS 12553 malware hosting
----------- nsp-security Confidential --------
Hey, Mike.
> AS    | IP           | AS Name
> 12553 | 94.247.2.195 | PCEXPRESS-AS _DATORU EXPRESS SERVISS_ Ltd.
This one entered our malware menagerie a couple of days ago.
timestamp           | sha1                                     | md5                              | dst_ip       | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- -------------- ---------- ---------- ------
2009-04-06 12:50:50 | 36ffb0ca0f7eb9ae81b703c411918d2c92b3dbc0 | cb3785f889112ffa6e12159a7579efcf | 94.247.2.195 | 80       | 6        |
It appears to be a CentOS box running Apache/2.2.3.
We see the downloads dating back to 2009-04-02 07:35:02 UTC, at least.
A related URL might be:
h x x p : / / 94.247.2.195 / news / ?id=100
As for 69.46.24.231, we're seeing a slightly increasing amount of
interesting badness tracking back to AS29802 HIVELOCITY VENTURES CORP.
Anybody have friends there?
69.46.24.231 appears to be a Linux box. We see two DNS RRs tied to it.
timestamp | dns_name | ip
--------------------- ---------------------- --------------
2009-03-01 23:20:14 | ns.freewebhosting.ws | 69.46.24.231
2009-03-05 02:35:20 | ns.web-hosting.tw | 69.46.24.231
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
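The thread pivots from an IP to the AS announcing it, to the names seen resolving to it, and to the sample that phoned home to it. As an added example (not code from the thread, from Cogent or from Team Cymru), the following Python parses the pipe-delimited record shapes quoted in the mail and runs that pivot. All input is constructed sample text embedded in the block: it re-uses the values quoted above, but the observation timestamps on the .cn rows and the AS row for 94.247.3.150 are assumptions for illustration, and the defanging uses the hxxp/[.] convention rather than the spaced-out characters used in the mail.

```python
"""Indicator pivot over the record shapes exchanged in the thread.

Added example, not code from the thread, Cogent or Team Cymru. All input
is constructed sample text embedded below; it re-uses values quoted in
the mail, but the .cn rows' timestamps and the AS row for 94.247.3.150
are assumptions for illustration.
"""
import re

# --- constructed sample input ------------------------------------------

# IP-to-ASN rows in the "AS | IP | AS Name" layout quoted by Rob.
# The 94.247.3.150 row is assumed (same AS as its neighbour).
ASN_TABLE = """\
AS    | IP           | AS Name
12553 | 94.247.2.195 | PCEXPRESS-AS "DATORU EXPRESS SERVISS" Ltd.
12553 | 94.247.3.150 | PCEXPRESS-AS "DATORU EXPRESS SERVISS" Ltd.
29802 | 69.46.24.231 | HIVELOCITY VENTURES CORP
"""

# DNS RR rows: the first two are from the mail, the rest mirror Steve's
# domain lookups with an assumed observation time.
DNS_TABLE = """\
timestamp           | dns_name             | ip
--------------------- ---------------------- --------------
2009-03-01 23:20:14 | ns.freewebhosting.ws | 69.46.24.231
2009-03-05 02:35:20 | ns.web-hosting.tw    | 69.46.24.231
2009-04-08 13:47:15 | coolnameshop.cn      | 94.247.3.150
2009-04-08 13:47:15 | filmtypemedia.cn     | 94.247.3.150
2009-04-08 13:47:15 | hs.3-150.zlkon.lv    | 94.247.3.150
2009-04-08 13:47:15 | hs.2-195.zlkon.lv    | 94.247.2.195
"""

# Malware download record; the trailing 'size' cell is empty exactly as
# in the mail (protocol 6 is TCP).
MALWARE_TABLE = """\
timestamp           | sha1                                     | md5                              | dst_ip       | dst_port | protocol | size
2009-04-06 12:50:50 | 36ffb0ca0f7eb9ae81b703c411918d2c92b3dbc0 | cb3785f889112ffa6e12159a7579efcf | 94.247.2.195 | 80       | 6        |
"""


def parse_pipe_table(text):
    """Parse a 'h1 | h2 | ...' table (optional dashed separator) into dicts.

    Trailing empty cells are kept, so a missing value stays distinguishable
    from a missing column.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        if set(line) <= set("-+ "):          # dashed separator line, skip
            continue
        cells = [c.strip() for c in line.split("|")]
        cells += [""] * (len(header) - len(cells))
        rows.append(dict(zip(header, cells)))
    return rows


def pivot(ip, asn_rows, dns_rows, malware_rows):
    """Everything on file that touches `ip`: its AS, names seen resolving
    to it, other IPs in the same AS, and samples that contacted it."""
    by_ip = {r["IP"]: (r["AS"], r["AS Name"]) for r in asn_rows}
    if ip not in by_ip:
        return None                          # no AS mapping: nothing to pivot on
    asn, as_name = by_ip[ip]
    return {
        "asn": asn,
        "as_name": as_name,
        "names": sorted({r["dns_name"] for r in dns_rows if r["ip"] == ip}),
        "sibling_ips": sorted(i for i, (a, _) in by_ip.items()
                              if a == asn and i != ip),
        "samples": sorted(r["sha1"] for r in malware_rows if r["dst_ip"] == ip),
    }


def defang(url):
    """http -> hxxp and host dots -> [.], so the URL is safe to paste into
    mail without becoming clickable (the thread spaces characters instead)."""
    m = re.match(r"^(https?)://([^/?#]+)(.*)$", url)
    if not m:
        raise ValueError("not an http(s) URL: %r" % (url,))
    scheme, host, rest = m.groups()
    return "%s://%s%s" % (scheme.replace("tt", "xx"), host.replace(".", "[.]"), rest)


def refang(url):
    """Inverse of defang(), for feeding the indicator back into tooling."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


if __name__ == "__main__":
    asn_rows = parse_pipe_table(ASN_TABLE)
    dns_rows = parse_pipe_table(DNS_TABLE)
    mal_rows = parse_pipe_table(MALWARE_TABLE)
    for ip in ("94.247.2.195", "94.247.3.150", "69.46.24.231"):
        print(ip, pivot(ip, asn_rows, dns_rows, mal_rows))
    print(defang("http://94.247.2.195/news/?id=100"))
```

Running it lists, per IP, the AS to contact and the sibling hosts sharing that AS; in real use the three tables would be filled from a whois-style IP-to-ASN lookup, passive DNS and a sandbox feed rather than from embedded text.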