[nsp-sec] Conficker reports from the field
William Allen Simpson
william.allen.simpson at gmail.com
Fri Apr 24 11:08:37 EDT 2009
One of the daily reports that I handle is for a former upstream, AS10700.
They actively pursue the infections, and do a fair amount of customer
hand-holding, as a small regional ISP.
All their Conficker reports lately are from a 500-bed county hospital that
hides itself behind a NAT. It's proving hard to purge them, as patients
and visitors bring in laptops that infect the hospital machines.
The hospital is finally allowing them to set up snooping inside the
network. Any suggestions for proactive detection that I could pass on?
(Other than the EyeChart and nmap, which I've already mentioned.)
===
So far, they report:
We are seeing a TON of Limewire (P2P) connections out of the network.
See a lot of traffic to this possible C&C - 83.68.16.30
See limewire connections to these IPs/networks:
68.142.118.111
70.37.129.*
===
AS | IP | AS Name
3265 | 83.68.16.30 | XS4ALL-NL XS4ALL
22822 | 68.142.118.111 | LLNW - Limelight Networks, Inc.
8075 | 70.37.129.* | MICROSOFT-CORP---MSN-AS-BLOCK - Microsoft Corp
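One concrete thing the inside sensor can do once it is in place is match outbound flow records against the addresses reported above and attribute each hit to the internal host that made it, which the upstream cannot see through the NAT. The following is an added example, not code from the post or from AS10700: the watch-list entries (including the 70.37.129.* wildcard) and the AS labels are taken from the message; the flow-log line format, the 10.x internal addresses and the sample records are constructed for illustration.

```python
"""Triage internal flow records against the watch-listed addresses.

Added example, not part of the original post. The log format and the
internal hosts below are constructed; the watch-list comes from the post.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Watch-list entries as written in the post; labels from the whois lines.
WATCHLIST = [
    ("83.68.16.30",    "possible C&C (AS3265 XS4ALL-NL)"),
    ("68.142.118.111", "Limewire peer (AS22822 Limelight)"),
    ("70.37.129.*",    "Limewire peer range (AS8075 Microsoft)"),
]


def pattern_to_network(pattern):
    """Turn 'a.b.c.d', 'a.b.c.*', 'a.b.*.*' or CIDR text into an ip_network.

    Wildcards are only accepted in trailing octets; '70.*.129.1' is rejected
    because it does not describe a single contiguous prefix.
    """
    if "/" in pattern:
        return ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad pattern: {pattern}")
    wild = [o == "*" for o in octets]
    if any(wild):
        first_star = wild.index(True)
        if not all(wild[first_star:]):
            raise ValueError(f"non-trailing wildcard: {pattern}")
        prefix_len = first_star * 8
        base = ".".join(octets[:first_star] + ["0"] * (4 - first_star))
        return ipaddress.ip_network(f"{base}/{prefix_len}", strict=False)
    return ipaddress.ip_network(f"{pattern}/32")


# Constructed flow-log format: "<date> <time> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(r"^(\S+ \S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def triage(flow_lines, watchlist=WATCHLIST):
    """Return {internal_src: Counter({label: hits})} for every flow whose
    destination falls inside a watch-listed network. Lines that do not
    parse, or whose destination is not an IPv4/IPv6 literal, are skipped."""
    compiled = [(pattern_to_network(p), label) for p, label in watchlist]
    hits = defaultdict(Counter)
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        src, dst = m.group(2), m.group(4)
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        for net, label in compiled:
            if dst_ip in net:
                hits[src][label] += 1
    return dict(hits)


# Constructed sample records (not real data) as an internal sensor might log them.
SAMPLE_FLOWS = [
    "2009-04-24 10:01:02 10.5.1.17:4125 -> 83.68.16.30:80 TCP",
    "2009-04-24 10:01:09 10.5.1.17:4131 -> 83.68.16.30:80 TCP",
    "2009-04-24 10:02:44 10.5.3.90:6346 -> 68.142.118.111:6346 TCP",
    "2009-04-24 10:03:10 10.5.3.90:6347 -> 70.37.129.44:6346 TCP",
    "2009-04-24 10:03:15 10.5.7.2:51022 -> 70.37.130.1:443 TCP",  # outside the /24
    "2009-04-24 10:04:00 10.5.7.2:51023 -> 10.5.0.1:53 UDP",      # internal DNS
]

if __name__ == "__main__":
    for host, counts in sorted(triage(SAMPLE_FLOWS).items()):
        print(host, dict(counts))
```

The per-host output is what the hospital needs to find the infected machines: the upstream only ever sees the NAT address, whereas a sensor on the inside can name 10.5.1.17 as the box talking to the reported C&C and 10.5.3.90 as the one running Limewire. Hits on the Microsoft range should be read with care, since that prefix also serves legitimate traffic; the label only records which watch-list entry matched.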