[nsp-sec] ACK: Re: Compromised hosts with Mebroot
Tom Sands
tsands at rackspace.com
Mon Feb 23 15:48:29 EST 2009
ACK 10532 and 15395
>----------- nsp-security Confidential --------
>
>The following is a list of hosts which have very likely been infected
>with Mebroot, based on POST requests to certain Mebroot-specific
>domains. Mebroot is a rootkit which installs itself in the Master
>Boot Record (MBR) and is used to transparently inject a Torpig DLL
>into the host system shortly after boot.
>
>A companion list for Torpig-related domains will be posted shortly.
>
>The data was obtained after a concerted effort from various parties.
>Usual guidelines apply (sanitize before you share). We can provide
>more details for individual requests we saw (Via and Host header
>fields).
>
>First column is the AS number. Time stamps are in UTC and refer to
>the last time the IP address was seen so far.
>