[nsp-sec] Mebroot/Torpig (AS 10316, 8001, 21844, 32475)
Rob Thomas
robt at cymru.com
Tue Apr 14 15:36:34 EDT 2009
Hey, Tom.
Thanks for the details!
> kolpinik.com. 60 IN A 174.133.5.26
This one seems to have been lively since at least 2009-04-01 01:17:01
UTC. We see a fair number of hosts connected to TCP 80 on 174.133.5.26.
We see one piece of malware in our malware menagerie that points to
174.133.5.26.
timestamp           | sha1                                     | md5                              | dst_ip       | dst_port | protocol | size
--------------------+------------------------------------------+----------------------------------+--------------+----------+----------+------
2009-04-10 09:31:20 | e078e0e8c86c111d559567b7265e21307dd463a3 | 556edd2ceca5b7dea8d57acc56f0489f | 174.133.5.26 | 80       | 6        |
The box is running nginx 0.6.34, no surprise.
> @cymru: Please add the IPs to ddos-rs
Will do!
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");