[nsp-sec] Multiple DDoS attacks (More outbound bot IP calls)
Dave Mitchell
davem at yahoo-inc.com
Wed Jul 8 18:05:43 EDT 2009
Here are some more IPs that the bot talks to. These are more likely a
C&C layer than the previous 3 IPs. Let's get some intel on these! :)
11.67.208.29.9500 tcp korea wizsolution co.,Ltd
116.125.35.71.8010 tcp korea skbroadband
116.42.196.95 on 33333 tcp inbound (nothing listening.... unrelated?) LG Powercom
118.216.107.28.8010 tcp korea skbroadband
118.216.107.31.8010 tcp korea skbroadband.... some sort of controller.
see XML
118.223.190.117.33333 tcp korea sk
121.144.118.242.50001 tcp korea kornet.net ... tons of encrypted data
121.146.11.139.33333 tcp kornet.net
125.189.29.34.33333 tcp korea powercomm.com
168.126.68.145 on 33333 tcp inbound (nothing listening.... unrelated?) kornet.net
203.234.132.71.80 tcp kortnet.net
220.87.59.29.33333 tcp kortnet.net
222.122.176.56.80 tcp kortnet.net
94.75.253.209.80 tcp. tons and tons of traffic going to LeaseWeb in the Netherlands. LeaseWeb is getting to be pretty notorious for hosting malware
-dave
On Wed, Jul 08, 2009 at 09:23:11PM +0000, John Fraizer wrote:
> ----------- nsp-security Confidential --------
>
> I'm capturing flows on 216.199.83.203.
>
>
> On Wed, Jul 8, 2009 at 4:03 AM, Dave Mitchell <davem at yahoo-inc.com> wrote:
>
> > ----------- nsp-security Confidential --------
> >
> >
> > Anyone gathering intel on?
> >
> > Remote Host Port Number
> > 213.33.116.41 53
> > 216.199.83.203 80
> > 213.23.243.210 443
> >
> >
> > http://www.threatexpert.com/report.aspx?md5=0f394734c65d44915060b36a0b1a972d
> >
> > The malware in those droppers seems to speak to it and I verified in a
> > sandbox.
> >
> > -dave
> >
> >
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________