[nsp-sec] Romanian IP's being DNS-bad, botnet/spamnet controllers?
Chris Morrow
morrowc at ops-netman.net
Thu Jan 8 11:19:47 EST 2009
On Jan 7, 2009, at 10:44 AM, Tim Wilde wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chris Morrow wrote:
>> ----------- nsp-security Confidential --------
>>
>> Howdy, would anyone else that runs largeish dns clusters have
>> information about:
>
> Not from a DNS-cluster perspective, but here's what we know. :)
>
>> 78.96.154.147
>
> Bupkis on this one :|
>
>> 193.226.19.74
>
> This guy appears to have been a Stormworm node early last year, and also
> appears to have been talking to a couple of different known C&Cs last
> year. More recently it appears to have been a Windows box, probably XP,
> early this year. No indications on its recent specifically malicious
> activity, though.
>
>> 86.120.67.249
>> 89.114.153.236
>
> Bupkis on these, too. It seems whatever these guys are doing, they're
> doing it quite under-the-radar, excepting their DNS activities.
hrm, interesting.. so looking at our current data:
78.96.154.147
193.226.19.74
86.120.67.249
89.114.153.236
78.111.229.122
79.114.211.253
79.115.1.22
79.115.69.23
79.115.9.6
80.96.103.80
81.196.17.135
82.77.122.107
82.78.87.64
85.121.0.137
86.106.196.147
86.106.47.40
86.121.44.90
86.125.125.151
89.114.153.234
89.114.153.235
89.123.39.132
89.136.10.238
89.137.217.149
89.35.217.186
89.35.219.122
89.41.133.78
89.47.84.86
92.84.122.208
and davem's data I see some overlaps... I didn't do this collection so
I'm not sure on the numbers, but this seems to be an ongoing problem.
It'd be nice to know what this is from, it LOOKS like some kind of UDP
proxy in action (proxying DNS at least)... or a really, really, really
bad DNS server doing no caching.
-Chris
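The thread's working theory is that these clients are either a UDP proxy forwarding DNS or a resolver that never caches. Either way, the tell in authoritative/recursive query logs is the same: a single source re-asking the same name far more often than any sane cache TTL would allow. The script below is an added example (not from this list post or any of the participants) that scores each client by how many of its queries are exact repeats of a name it asked within the last minute. The log format (`timestamp client qname qtype`), the sample lines and the thresholds are all constructed assumptions for illustration.

```python
"""Flag DNS clients whose query pattern looks like a non-caching resolver or UDP forwarder.

Heuristic: a caching resolver answers a repeated (qname, qtype) locally until the TTL
expires, so it should rarely re-query the same name within seconds. A client whose
queries are mostly repeats inside a short window is either not caching or is blindly
proxying other hosts' lookups.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp client qname qtype". Addresses are from the
# RFC 5737 documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
2009-01-07T10:00:00 192.0.2.10 www.example.com A
2009-01-07T10:00:01 192.0.2.10 www.example.com A
2009-01-07T10:00:02 192.0.2.10 www.example.com A
2009-01-07T10:00:03 192.0.2.10 mail.example.com MX
2009-01-07T10:00:04 192.0.2.10 www.example.com A
2009-01-07T10:00:05 192.0.2.10 www.example.com A
2009-01-07T10:00:06 192.0.2.10 www.example.com A
2009-01-07T10:00:07 192.0.2.10 www.example.com A
2009-01-07T10:00:00 198.51.100.7 www.example.com A
2009-01-07T10:01:30 198.51.100.7 www.example.org A
2009-01-07T10:03:00 198.51.100.7 ns1.example.net A
2009-01-07T10:04:00 198.51.100.7 www.example.com A
"""


def parse_log(text):
    """Parse 'timestamp client qname qtype' lines into tuples sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype = line.split()
        records.append((datetime.fromisoformat(ts), client,
                        qname.lower().rstrip("."), qtype.upper()))
    records.sort(key=lambda r: r[0])
    return records


def client_stats(records, window=timedelta(seconds=60)):
    """Per client: total queries, distinct (qname, qtype) pairs, and 'repeats'.

    A repeat is a query for a (qname, qtype) the same client already asked for
    within `window` of the previous identical query, i.e. a lookup a caching
    resolver would normally have served from cache.
    """
    stats = defaultdict(lambda: {"queries": 0, "distinct": set(), "repeats": 0})
    last_seen = {}  # (client, qname, qtype) -> timestamp of last identical query
    for ts, client, qname, qtype in records:
        key = (client, qname, qtype)
        s = stats[client]
        s["queries"] += 1
        s["distinct"].add((qname, qtype))
        prev = last_seen.get(key)
        if prev is not None and ts - prev <= window:
            s["repeats"] += 1
        last_seen[key] = ts
    # Flatten the distinct-name sets into counts for a plain report.
    return {c: {"queries": s["queries"], "distinct": len(s["distinct"]),
                "repeats": s["repeats"]} for c, s in stats.items()}


def flag_noncaching(stats, min_queries=5, repeat_ratio=0.5):
    """Return clients with enough volume whose queries are mostly short-window repeats."""
    flagged = []
    for client, s in stats.items():
        if s["queries"] < min_queries:
            continue  # too little data to judge
        if s["repeats"] / s["queries"] >= repeat_ratio:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    report = client_stats(parse_log(SAMPLE_LOG))
    for client, s in sorted(report.items()):
        print(f"{client:15} queries={s['queries']:3} distinct={s['distinct']:3} "
              f"repeats={s['repeats']:3}")
    print("suspect non-caching/proxy clients:", flag_noncaching(report))
```

On the sample, `192.0.2.10` re-asks `www.example.com A` six times inside a few seconds (6 of 8 queries are repeats) and is flagged; `198.51.100.7` asks the same name again only after four minutes, which any real cache would have to do once the TTL lapsed, and is not. On production logs the `window` should be set near the smallest TTL you serve, and a high `distinct` count alongside a high repeat ratio points more toward a forwarder aggregating many hosts than toward one broken stub.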