[nsp-sec] ATTN 8560 (Was ATTN AS 12553 malware hosting)
Mike Tancsa
mike at sentex.net
Mon Apr 13 11:27:32 EDT 2009
Also part of this customer compromise seems to be the IP
212.227.114.144. The attacker tried to log in from that location
using the customer's old credentials on 12-04-09 23:00:17 UTC.
% whois -h whois.cymru.com 212.227.114.144
AS | IP | AS Name
8560 | 212.227.114.144 | ONEANDONE-AS 1&1 Internet AG
---Mike
At 02:56 PM 4/8/2009, Mike Tancsa wrote:
>At 12:20 PM 4/8/2009, Mike Tancsa wrote:
>
>>I also found a PDF with more embedded JavaScript as well as a
>>flash file that it sends to the visitor. None of my AV scanners
>>see anything wrong with them. If anyone is interested in passing
>>the files on, they can be found at
>>http://www.tancsa.com/94.247.2.195.zip
>
>One last note, the compromise came from 69.46.24.231 (02:30 GMT)
>today, April 8th
>
>% whois -h whois.cymru.com 69.46.24.231
>AS | IP | AS Name
>29802 | 69.46.24.231 | HVC-AS - HIVELOCITY VENTURES CORP
>
> ---Mike