[nsp-sec] Torpig/Mebroot - Assistance needed

Nicholas Ianelli ni at centergate.net
Thu Apr 30 17:15:28 EDT 2009



Team,

The following hosts are acting as either Mebroot or Torpig controllers:

10316   | 69.64.75.66      | ABACUS-NET-AS - Abacus America Inc.
10439   | 66.240.243.155   | CARI - San Diego Commercial Internet Exchange
21844   | 74.54.135.194    | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
32475   | 67.212.179.130   | SINGLEHOP-INC - SingleHop


In my experience with this family of malware, the first layer of hosts
is always running NGINX proxies back to the controller. So, could you
please help me identify those controllers? This would be a huge
help. Peers for the above are:



Nick
412.951.7760