[nsp-sec] Romanian IP's being DNS-bad, botnet/spamnet controllers?
Dave Mitchell
davem at yahoo-inc.com
Thu Jan 8 16:28:45 EST 2009
We've been seeing these spikes for over a week and they seem to
definitely keep moving around. They do seem to correspond to spam runs,
though. I've got some managed objects going in arbor to see what more I
can find.
Our top 5 spikey DNS speakers today:
213.61.225.190.host.de.colt.net (213.61.225.190/32)
51hoqvqb.emirates.net.ae (213.42.1.166/32)
7f19b8nm.emirates.net.ae (195.229.242.133/32)
5i0iea1h.emirates.net.ae (213.42.1.167/32)
68.113.206.10/32
Those are all different than yesterday except for the colt.net one that
I keep hitting Nico with a stick to fix. ;)
-dave
On Thu, Jan 08, 2009 at 11:19:47AM -0500, Chris Morrow wrote:
> ----------- nsp-security Confidential --------
>
>
> On Jan 7, 2009, at 10:44 AM, Tim Wilde wrote:
>
>> Chris Morrow wrote:
>>> ----------- nsp-security Confidential --------
>>>
>>> Howdy, would anyone else that runs largeish dns clusters have
>>> information about:
>>
>> Not from a DNS-cluster perspective, but here's what we know. :)
>>
>>> 78.96.154.147
>>
>> Bupkis on this one :|
>>
>>> 193.226.19.74
>>
>> This guy appears to have been a Stormworm node early last year, and also
>> appears to have been talking to a couple of different known C&Cs last
>> year. More recently it appears to have been a Windows box, probably XP,
>> early this year. No indications on its recent specifically malicious
>> activity, though.
>>
>>> 86.120.67.249
>>> 89.114.153.236
>>
>> Bupkis on these, too. It seems whatever these guys are doing, they're
>> doing it quite under-the-radar, excepting their DNS activities.
>
> hrm, interesting.. so looking at our current data:
>
> and davem's data I see some overlaps... I didn't do this collection so I'm
> not sure on the numbers, but this seems to be an ongoing problem. It'd be
> nice to know what this is from, it LOOKS like some kind of UDP proxy in
> action (proxying DNS at least)... or a really, really, really bad DNS
> server doing no caching.
>
> -Chris
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
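A defender-side way to rank DNS speakers and flag the non-caching/proxy pattern Chris describes above (a source that keeps re-asking the same qname/qtype), as an added example that is not from the list or any of the posters; the log format, window size and addresses are constructed for this example:

```python
"""Rank DNS query sources by volume and flag those whose queries are mostly
exact repeats, which is what a UDP proxy or a resolver doing no caching
looks like from the authoritative side (a caching resolver would not
re-ask the same qname/qtype inside the TTL)."""
from collections import Counter, defaultdict

# Constructed sample lines: "<epoch> <client_ip> <qname> <qtype>" (example format)
SAMPLE_LOG = """\
1231430400 192.0.2.10 mail.example.net A
1231430400 192.0.2.10 mail.example.net A
1231430401 192.0.2.10 mail.example.net MX
1231430401 192.0.2.10 mail.example.net A
1231430402 192.0.2.10 mail.example.net A
1231430402 192.0.2.10 mail.example.net A
1231430402 192.0.2.10 mail.example.net A
1231430403 192.0.2.10 mail.example.net A
1231430400 198.51.100.7 www.example.org A
1231430401 198.51.100.7 example.org MX
1231430402 198.51.100.7 ns1.example.org AAAA
"""

def parse(log):
    """Yield (ts, src, qname, qtype); malformed lines are skipped, not fatal."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, qname, qtype = parts
        yield int(ts), src, qname.lower().rstrip("."), qtype.upper()

def speaker_stats(log, window=1):
    """Per source: total queries, peak queries per time window, repeat ratio."""
    total, per_window, distinct = Counter(), defaultdict(Counter), defaultdict(set)
    for ts, src, qname, qtype in parse(log):
        total[src] += 1
        per_window[src][ts // window] += 1
        distinct[src].add((qname, qtype))
    return {
        src: {"queries": n,
              "peak_per_window": max(per_window[src].values()),
              # share of queries that were exact repeats of an earlier one
              "repeat_ratio": round(1 - len(distinct[src]) / n, 3)}
        for src, n in total.items()
    }

def top_speakers(log, n=5, window=1, repeat_threshold=0.5):
    """Top-n sources by volume; third field flags the non-caching pattern."""
    stats = speaker_stats(log, window)
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["queries"], reverse=True)
    return [(src, s, s["repeat_ratio"] >= repeat_threshold) for src, s in ranked[:n]]
```

The repeat threshold is a constructed starting point; tune it against a day of your own resolver traffic before acting on it.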