[nsp-sec] Information request about upline-club.ru
Thomas Hungenberg
th.lab at hungenberg.net
Mon Jul 6 06:17:11 EDT 2009
Tarmo Randel wrote:
> if anybody has information about upline-club.ru (currently used as CnC)
> I would appreciate it.
I've seen malware requesting these URLs back in March:
hXXp://upline-club.ru/ldr/get_exa.php?l=English
hXXp://upline-club.ru/ldr/get_exb.php?l=English
hXXp://upline-club.ru/ldr/get_exc.php?l=English
hXXp://upline-club.ru/ldr/get_exd.php?l=English
hXXp://upline-club.ru/ldr/get_exe.php?l=English
This URL has been returning targets for DDoS attacks for a while now:
hXXp://upline-club.ru/dv2/counter.php?mytag=[8 digits]
upline-club.ru was hosted at 217.20.118.165 - Netdirekt, Germany.
We managed to get this IP shut down in May and upline-club.ru
moved to 91.212.41.252 iirc. Now it is at 67.215.231.210.
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
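As an added example (not part of the thread or CERT-Bund's tooling), the following Python turns the indicators above into a check over web-proxy access logs: it flags the loader download URLs (`/ldr/get_ex[a-e].php`), the DDoS tasking URL (`/dv2/counter.php?mytag=<8 digits>`) and any other contact with the domain or the three hosting IPs named in the post. The Squid-style log format, the sample log lines, and accepting any language value for `l=` (the post only shows `English`) are assumptions.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the post: the C2 domain and the IPs it was hosted on over time.
C2_DOMAIN = "upline-club.ru"
C2_IPS = {"217.20.118.165", "91.212.41.252", "67.215.231.210"}

# URL path patterns described in the post (the post defangs the scheme as hXXp).
LOADER_RE = re.compile(r"^/ldr/get_ex[a-e]\.php\?l=\w+$")       # loader/updater fetch
TASKING_RE = re.compile(r"^/dv2/counter\.php\?mytag=\d{8}$")     # DDoS target tasking

# Assumed Squid-style native access log: ts elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify(url: str) -> Optional[str]:
    """Return the indicator class for a requested URL, or None if it is unrelated."""
    m = re.match(r"^https?://([^/]+)(/.*)?$", url)
    if not m:
        return None
    host = m.group(1).split(":")[0].lower()   # strip any :port
    path = m.group(2) or "/"
    if host != C2_DOMAIN and host not in C2_IPS:
        return None
    if LOADER_RE.match(path):
        return "loader-download"
    if TASKING_RE.match(path):
        return "ddos-tasking"
    return "c2-contact"                       # known host, unknown path: still worth a look


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Parse proxy log lines and return one hit per request to the indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip lines that do not parse
        kind = classify(m.group("url"))
        if kind:
            hits.append({"client": m.group("client"), "url": m.group("url"), "kind": kind})
    return hits


# Constructed sample log (not real traffic): two infected hosts, one benign request, one junk line.
SAMPLE_LOG = [
    "1246860000.123    120 10.0.0.5 TCP_MISS/200 512 GET http://upline-club.ru/ldr/get_exa.php?l=English - DIRECT/217.20.118.165 application/octet-stream",
    "1246860005.456     80 10.0.0.5 TCP_MISS/200 64 GET http://upline-club.ru/dv2/counter.php?mytag=12345678 - DIRECT/217.20.118.165 text/plain",
    "1246860010.789     30 10.0.0.9 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html",
    "1246860015.000     40 10.0.0.7 TCP_MISS/404 120 GET http://67.215.231.210/dv2/other.php - DIRECT/67.215.231.210 text/html",
    "this line is not a log entry",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']}  {hit['kind']:16}  {hit['url']}")
```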