[nsp-sec] Information request about upline-club.ru

Rob Thomas robt at cymru.com
Mon Jul 6 15:36:17 EDT 2009


Hi, team.

Great stuff, Thomas, thanks!

> upline-club.ru was hosted at 217.20.118.165 - Netdirekt, Germany.

We have five samples in our malware menagerie that reference
217.20.118.165.  I didn't look back into 2008, though.

      timestamp      |                   sha1                   |               md5                |     dst_ip     | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- ---------------- ---------- ---------- ------
 2009-01-02 00:51:32 | 01c71f078aa28d9ed5181125419a0515430cce74 | fd22a33f083f1de537ca524deb447cf0 | 217.20.118.165 |       80 |        6 |  345
 2009-05-11 03:11:10 | 085a65ea196f82c6c7a27424f19722ddd11970f1 | fe70f7bdf769e0f0ff7a0ef584e97cfd | 217.20.118.165 |       80 |        6 |  325
 2009-02-09 13:39:45 | 47cdf7a69bbab99b9eba384039098926a3707e7d | e8602b330aad06a6c58b509f5c268ef2 | 217.20.118.165 |       80 |        6 |
 2009-02-11 20:37:32 | 7ed358969a9b26d573bc220d4eacda024fc28276 | 513cb23489a4e58350828624fe98c6a0 | 217.20.118.165 |       80 |        6 |
 2009-02-11 01:20:42 | 9c08884e6cc6a7e019d604f8d44eb0a48ec236c6 | 0e6518b9bd4a924696f61eef09eb3c84 | 217.20.118.165 |       80 |        6 |

This appears to have been a CentOS box running Apache 2.2.3 with PHP
5.1.6, as early as 2009-01-03 UTC and as recently as 2009-05-14 UTC.

We see the HTTP C&C on 217.20.118.165 active as of 2009-02-11 10:15:00
UTC, with attacks on metasploit.com and h5.com among others.  It appears
to have gone quiet as of 2009-05-22 10:01:03 UTC (probably thanks to
Thomas' efforts).

> We managed to get this IP shut down in May and upline-club.ru
> moved to 91.212.41.252 iirc.

Was it only briefly tied to 91.212.41.252?  We have one sample in our
malware menagerie that points to this IP.

      timestamp      |                   sha1                   |               md5                |    dst_ip     | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
 2009-06-04 03:30:36 | 01c71f078aa28d9ed5181125419a0515430cce74 | fd22a33f083f1de537ca524deb447cf0 | 91.212.41.252 |       80 |        6 |  399

It appears the HTTP C&C was resident on 91.212.41.252 from 2009-06-02
05:01:04 UTC until roughly 2009-06-03 11:01:04 UTC.

Nice work squishing it so quickly.

> Now it is at 67.215.231.210.

We see the DNS RR pointed there in mid 2009-06.

        stamp        |     qname      | class | type |     rdata
--------------------- ---------------- ------- ------ ----------------
 2009-06-16 15:01:25 | upline-club.ru | IN    | A    | 67.215.231.210

We see the HTTP C&C go live on or about 2009-06-21 12:01:31 UTC.  On
2009-06-21 through 2009-06-22 they attacked both www.panamoney.net and
www.panamoney.info.  Probably criminal on criminal crime in some way.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru Research NFP
https://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
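A way to work the sample tables in this post programmatically, as an added example (not Rob's or Team Cymru's code; the table text below is constructed from the rows quoted in the post, and the function names are my own): it parses the psql-style aligned output, derives a first/last-seen window per C&C IP, and flags any sample that shows up against more than one IP, which is what the same binary following a DNS-driven C&C move looks like in this kind of data.

```python
from collections import defaultdict

# Constructed input: sample rows copied from the post, re-laid out in the
# psql-style aligned format the post uses (one row per line, '|' separators).
SAMPLES = """\
      timestamp      |                   sha1                   |               md5                |     dst_ip     | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- ---------------- ---------- ---------- ------
 2009-01-02 00:51:32 | 01c71f078aa28d9ed5181125419a0515430cce74 | fd22a33f083f1de537ca524deb447cf0 | 217.20.118.165 |       80 |        6 |  345
 2009-05-11 03:11:10 | 085a65ea196f82c6c7a27424f19722ddd11970f1 | fe70f7bdf769e0f0ff7a0ef584e97cfd | 217.20.118.165 |       80 |        6 |  325
 2009-02-09 13:39:45 | 47cdf7a69bbab99b9eba384039098926a3707e7d | e8602b330aad06a6c58b509f5c268ef2 | 217.20.118.165 |       80 |        6 |
 2009-06-04 03:30:36 | 01c71f078aa28d9ed5181125419a0515430cce74 | fd22a33f083f1de537ca524deb447cf0 | 91.212.41.252  |       80 |        6 |  399
"""

def parse_table(text):
    """Parse psql-style aligned output into dicts keyed by header name.
    Separator lines (dashes/plus/spaces only) and ragged lines are skipped."""
    lines = [l for l in text.splitlines() if l.strip() and not set(l) <= set("-+ ")]
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("|")]
        if len(cells) == len(header):      # a "(5 rows)" footer would be dropped here
            rows.append(dict(zip(header, cells)))
    return rows

def cnc_windows(rows):
    """Per dst_ip: (first_seen, last_seen, set of sha1s) from sample timestamps.
    Timestamps stay 'YYYY-MM-DD HH:MM:SS' strings, which compare correctly as text."""
    win = {}
    for r in rows:
        ts, ip = r["timestamp"], r["dst_ip"]
        first, last, hashes = win.get(ip, (ts, ts, set()))
        win[ip] = (min(first, ts), max(last, ts), hashes | {r["sha1"]})
    return win

def samples_following_move(rows):
    """sha1s observed against more than one dst_ip: same binary, new C&C address."""
    ips = defaultdict(set)
    for r in rows:
        ips[r["sha1"]].add(r["dst_ip"])
    return {h: sorted(v) for h, v in ips.items() if len(v) > 1}

if __name__ == "__main__":
    rows = parse_table(SAMPLES)
    for ip, (first, last, hashes) in cnc_windows(rows).items():
        print(f"{ip}: {first} .. {last} ({len(hashes)} distinct samples)")
    print(samples_following_move(rows))
```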