[nsp-sec] Multiple DDoS attacks (More outbound bot IP calls)
YoungBaek Kim
ybkim at krcert.or.kr
Thu Jul 9 02:32:33 EDT 2009
ACK all KR IPs.
We are going to notify the IPs' users.
Thank you.
----- Original Message -----
From: "Dave Mitchell" <davem at yahoo-inc.com>
To: "Dave Mitchell" <davem at yahoo-inc.com>
Cc: <nsp-security at puck.nether.net>
Sent: Thursday, July 09, 2009 1:57 PM
Subject: Re: [nsp-sec] Multiple DDoS attacks (More outbound bot IP calls)
> ----------- nsp-security Confidential --------
>
>
--------------------------------------------------------------------------------
Hey all,
I've attached a total of 128k bot sources since 7/4.
Format of the files is:
YYYYMMDDTHH IP COUNT ASN COUNTRY
uniq ips:
135 DE
366 JP
606 CA
771 CN
2172 US
123343 KR
128744 total
-dave
On Wed, Jul 08, 2009 at 03:05:43PM -0700, Dave Mitchell wrote:
> ----------- nsp-security Confidential --------
>
> Here are some more IPs that the bot talks to. These are more likely a
> C&C layer than the previous 3 IPs. Let's get some intel on these! :)
>
> 11.67.208.29.9500 tcp korea wizsolution co.,Ltd
>
> 116.125.35.71.8010 tcp korea skbroadband
>
> 116.42.196.95 on 33333 tcp inbound (nothing listening.... unrelated?) LG Powercom
>
> 118.216.107.28.8010 tcp korea skbroadband
>
> 118.216.107.31.8010 tcp korea skbroadband.... some sort of controller.
> see XML
>
> 118.223.190.117.33333 tcp korea sk
>
> 121.144.118.242.50001 tcp korea kornet.net ... tons of encrypted data
>
> 121.146.11.139.33333 tcp kornet.net
>
> 125.189.29.34.33333 tcp korea powercomm.com
>
> 168.126.68.145 on 33333 tcp inbound (nothing listening.... unrelated?) kornet.net
>
> 203.234.132.71.80 tcp kortnet.net
>
> 220.87.59.29.33333 tcp kortnet.net
>
> 222.122.176.56.80 tcp kortnet.net
>
> 94.75.253.209.80 tcp. tons and tons of traffic going to LeaseWeb in the Netherlands. LeaseWeb is getting to be pretty notorious for hosting malware
>
> 221.139.107.248 www.auction.co.kr
> 222.122.51.92 blog.naver.com
> 121.156.115.2 www.auction.co.kr
> 121.157.108.31 banking.nonghyup.com
> 114.111.32.220 mail.naver.com
> 211.61.51.101 www.president.go.kr
> 61.110.198.149 www.auction.co.kr
> 61.110.198.25 www.auction.co.kr
> 61.74.67.111 www.hannara.or.kr
> 61.74.71.110 blog.naver.com
>
> -dave
>
> On Wed, Jul 08, 2009 at 09:23:11PM +0000, John Fraizer wrote:
> > ----------- nsp-security Confidential --------
> >
> > I'm capturing flows on 216.199.83.203.
> >
> >
> > On Wed, Jul 8, 2009 at 4:03 AM, Dave Mitchell <davem at yahoo-inc.com> wrote:
> >
> > > ----------- nsp-security Confidential --------
> > >
> > >
> > > Anyone gathering intel on?
> > >
> > > Remote Host Port Number
> > > 213.33.116.41 53
> > > 216.199.83.203 80
> > > 213.23.243.210 443
> > >
> > >
> > > http://www.threatexpert.com/report.aspx?md5=0f394734c65d44915060b36a0b1a972d
> > >
> > > The malware in those droppers seems to speak to it and I verified in a
> > > sandbox.
> > >
> > > -dave
> > >
> > >
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security counter-measures.
> > _______________________________________________
--------------------------------------------------------------------------------
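For anyone triaging a dump in the "YYYYMMDDTHH IP COUNT ASN COUNTRY" format Dave describes, here is an added example (not code from the thread) that validates each line and rolls it up into the per-country and per-ASN unique-IP summary he posted; the sample lines, addresses and ASNs are constructed.

```python
# Added example, not part of the original thread: summarize a bot-source
# dump in the "YYYYMMDDTHH IP COUNT ASN COUNTRY" format. Sample input is
# constructed (documentation-range addresses and private-use ASNs).
from collections import defaultdict
import ipaddress

SAMPLE = """\
20090704T13 198.51.100.7 12 AS64500 KR
20090704T13 198.51.100.7 3 AS64500 KR
20090704T14 198.51.100.9 40 AS64500 KR
20090705T02 203.0.113.5 1 AS64501 US
20090705T02 not-an-ip 1 AS64501 US
20090706T09 192.0.2.44 7 AS64502 JP
"""

def parse_line(line):
    """Return (hour, ip, count, asn, country), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    hour, ip, count, asn, country = parts
    try:
        ipaddress.ip_address(ip)   # reject junk before it pollutes the counts
        count = int(count)
    except ValueError:
        return None
    return hour, ip, count, asn, country

def summarize(text):
    """Unique IPs per country and per ASN (the 'uniq ips' view), hits per IP."""
    ips_by_country, ips_by_asn = defaultdict(set), defaultdict(set)
    hits_by_ip = defaultdict(int)
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        hour, ip, count, asn, country = rec
        ips_by_country[country].add(ip)
        ips_by_asn[asn].add(ip)
        hits_by_ip[ip] += count        # same IP seen in several hours adds up
    all_ips = set().union(*ips_by_country.values()) if ips_by_country else set()
    return {"per_country": {c: len(s) for c, s in ips_by_country.items()},
            "per_asn": {a: len(s) for a, s in ips_by_asn.items()},
            "total": len(all_ips), "hits": dict(hits_by_ip), "skipped": skipped}

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for country, n in sorted(s["per_country"].items(), key=lambda kv: kv[1]):
        print(n, country)
    print(s["total"], "total", "(skipped", s["skipped"], "bad lines)")
```

Feed the real attachment in place of SAMPLE; the per-ASN view is what you hand to each provider for notification.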