[nsp-sec] possible malware on sharlatan.ucoz.com
Rob Thomas
robt at cymru.com
Thu Jul 2 13:53:21 EDT 2009
Hey, Peter.
> wget sharlatan.ucoz.com/spaniol.tar
> wget sharlatan.ucoz.com/udp.pl
> wget sharlatan.ucoz.com/udp.plw
sharlatan.ucoz.com (ha what a name!) presently resolves to
208.100.61.101 for me.
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
32748 | 208.100.61.101 | 208.100.32.0/19 | US | arin | 2006-02-17 | STEADFAST - NoZone, Inc.
We see 208.100.61.101 hosting malware as far back as 2009-01-01 01:31:56
UTC (I didn't go back to 2008). It's also sourced spam and hosted
several phishing sites.
We see quite a few DNS RRs pointed to 208.100.61.101 last month.
There are fewer DNS RRs pointed to 208.100.61.101 this month, but the
month is young yet.
We have 14 samples in our malware menagerie that reference 208.100.61.101.
It claims to be running UcoZXSrv/1.4.9 as the web server. Google that
for some interesting links.
The last DDoS attack we see hitting 208.100.61.101 was back on
2009-03-18 14:31:43 UTC.
Thanks,
Rob.
--
Rob Thomas
Team Cymru Research NFP
https://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");