[nsp-sec] One baddie kicked out: zlkon.lv / AS12553 PCEXPRESS-AS_DATORU EXPRESS SERVISS_ Ltd

Shelton, Steve sshelton at Cogentco.com
Tue Apr 28 10:21:00 EDT 2009


Hello,

That is good news!  It seems some of the payload sites I track moved
behind two separate ASNs - networks as of late, which appears to be some
sort of bifurcation.

213.182.197.23 | AS8206 | JUNIK
213.163.91.93 | AS20495 | WEDARE

Note: the following URLs were at 94.247.3.0/24 and 94.247.2.0/24 as of
late but found new homes very recently, which seems to support the
cleanup efforts on AS12553 PCEXPRESS-AS_DATORU EXPRESS SERVISS_ Ltd.

The prefix 213.182.197.0/24 looks most interesting and 213.163.91.0/24
may just now be beginning to populate with the ugly stuff.

Best regards,

Steve Shelton
Network Security Engineer
Cogent Communications

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Huopio Kauto
Sent: Tuesday, April 28, 2009 7:40 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] One baddie kicked out: zlkon.lv / AS12553
PCEXPRESS-AS_DATORU EXPRESS SERVISS_ Ltd

----------- nsp-security Confidential --------

This AS was removed from Internet routing this morning CET. 

If you see now 94.247.0.0/22 somewhere, instant bad traffic flag.

Why was this bad? Take a glimpse:

http://www.malwaredomainlist.com/mdl.php?search=94.247&colsearch=All&quantity=500

--Kauto

Kauto Huopio - kauto.huopio at ficora.fi
Senior information security adviser
Finnish Communications Regulatory Authority  / CERT-FI
tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
CERT-FI watch desk daytime: +358-9-6966510 / http://www.cert.fi 
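
Added example, not part of the original messages: one way to act on the "instant bad traffic flag" advice is to scan a route table export for anything at or inside 94.247.0.0/22. Checking the AS path for AS12553 as well is an extra assumption of this sketch, as are the `prefix|AS path` input format, the function names and the constructed sample routes.

```python
import ipaddress

# Values taken from the thread above.
WITHDRAWN_PREFIX = ipaddress.ip_network("94.247.0.0/22")
WITHDRAWN_ASN = 12553

# Constructed sample input, one "prefix|AS path" per line (assumed format).
# 192.0.2.0/24 and AS64496-AS64502 are documentation-reserved values.
SAMPLE_ROUTES = """\
94.247.2.0/24|64500 64501 12553
94.247.0.0/22|64500 64502
192.0.2.0/24|64500 64496
94.247.4.0/24|64500 64497
192.0.2.128/25|64500 12553 64498
"""


def check_route(prefix_text, path_text):
    """Return the reasons a route should be flagged (empty list = clean)."""
    prefix = ipaddress.ip_network(prefix_text.strip())
    path = [int(asn) for asn in path_text.split()]
    reasons = []
    # Equal or more-specific announcements both count; a covering
    # less-specific (e.g. a default route) is deliberately not flagged.
    if prefix.version == WITHDRAWN_PREFIX.version and prefix.subnet_of(WITHDRAWN_PREFIX):
        reasons.append("inside withdrawn prefix")
    if path and path[-1] == WITHDRAWN_ASN:
        reasons.append("originated by withdrawn AS")
    elif WITHDRAWN_ASN in path:
        reasons.append("withdrawn AS in path")
    return reasons


def flag_routes(text):
    """Map each flagged prefix in the export to its list of reasons."""
    flagged = {}
    for line in text.splitlines():
        if "|" not in line:
            continue  # skip blank or malformed lines
        prefix_text, path_text = line.split("|", 1)
        reasons = check_route(prefix_text, path_text)
        if reasons:
            flagged[prefix_text.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for prefix, reasons in flag_routes(SAMPLE_ROUTES).items():
        print(f"{prefix}: {', '.join(reasons)}")
```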

