[nsp-sec] FW: Eircom issues

Rob Thomas robt at cymru.com
Mon Jul 13 16:29:39 EDT 2009


Hi, Sid.

Feel free to pass this along to the Eircom.net folks.  You can introduce
us directly if you prefer.

> The 'main' IP address of our concern is 69.64.147.243.

We see HTTP C&Cs hosted on 69.64.147.242 as far back as 2009-04-28
06:37:47 UTC and as recently as 2009-05-12 09:30:18 UTC.

We see 974 DNS RRs pointed to 69.64.147.243 this month, and 517 DNS RRs
last month.  Some of them are noteworthy, such as www.yoututube.com.
Let me know if you want the lists.

We have 16 samples in our malware menagerie that point to 69.64.147.243.

      timestamp      |                   sha1                   |               md5                |    dst_ip     | dst_port | protocol |  size
--------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- -------
 2009-02-25 08:47:00 | 15d84123f602deda871d21b807feb07e8a14cf3b | 4c3a14e470d744a801088f29693513d0 | 69.64.147.243 |       80 |        6 |
 2009-02-22 04:06:01 | 21b431b5bc26d37747fa0dc27f8a8ac669b2228b | eb09d700c56ebebe8568f1ee1d295da0 | 69.64.147.243 |       80 |        6 |
 2009-05-12 09:30:18 | 2499b0e0e2339d727b041bfc996465545632db66 | 0a8a491bdce93005745b5da8a8f9e3cd | 69.64.147.243 |       80 |        6 |   1898
 2009-02-11 18:39:59 | 2ae0ec9011f8cd69ae69ad485491c36762729237 | df8a3c557f7fc5a4352a3f0ac3800154 | 69.64.147.243 |       80 |        6 |
 2009-05-24 20:00:40 | 34b6be398193e4936dafa3794e6e3076a3aa737e | 4fb860243150b1a5c7535d4e2c5912f5 | 69.64.147.243 |       80 |        6 |  25620
 2009-04-14 14:11:27 | 3c2269922773a788e2909e7b0cadd44c89f4fb05 | 241786632360c52a9c4d7eb7498d4bd2 | 69.64.147.243 |     8080 |        6 |      0
 2009-04-23 12:24:24 | 4813fe5015f6790e0cadf0d74df5e06b66b4dc76 | 5c61cbafcf17ce383ae0575b66e2330a | 69.64.147.243 |       80 |        6 |
 2009-07-05 07:20:33 | 685c492c150536cff8867254902c297e4c528e9c | 6fe3ff0c0855a7c0759db2f6ad5f7aa1 | 69.64.147.243 |       80 |        6 |
 2009-03-04 07:33:57 | 79c8abecb2608820ddf81c860a91ea5cd21ab0fe | aea65321323ac29229184513e100431c | 69.64.147.243 |       80 |        6 |
 2009-02-27 05:34:25 | 80a938b42780e4a472e8961ec5d3d4ea382a17ad | 6e1f4e7135700a6a7860d5a3816c8e76 | 69.64.147.243 |       80 |        6 |
 2009-07-05 07:20:32 | 84274b1927aa205c5202e2b247bf543312998635 | dc4f3587e3a80f4214798b7ac8da62d9 | 69.64.147.243 |       80 |        6 |
 2009-03-31 21:26:24 | 9e9f0761a6af6caa1b966f54c767cb6e85a17c3c | 11e946d8723542aa05e6299c55ef18ce | 69.64.147.243 |       80 |        6 |
 2009-02-28 06:11:27 | a858cb48bc8e70c8afa91a8f4b384483c2dcfba7 | d1c473082ade6d9dcacf9c4996b62dcf | 69.64.147.243 |       80 |        6 |
 2009-03-18 06:20:13 | b79226cca1ebea49501a9551cbfe7003a5bff460 | a7a13a619693ea0fbb80d00af24a8474 | 69.64.147.243 |       25 |        6 |
 2009-02-08 20:40:14 | f4e9c0a16f4ffc1fd842c43c29f8ee619adf9d34 | b5935d2822f5cada8fd32ece591533a5 | 69.64.147.243 |       80 |        6 |   1084
 2009-04-03 01:23:49 | f92d1b9729efa85f40b13eeb472ba09f32eab9a5 | 0b869b2235122ea80033d634a5980b9f | 69.64.147.243 |       25 |        6 |

69.64.147.243 appears to be a Microsoft IIS 6.0 server, at least as far
back as 2009-01-13 UTC and as recently as 2009-07-12 UTC.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru Research NFP
https://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
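Added example (editorial, not part of Rob's message or any Team Cymru tooling): a parser for the psql-style sample table above, the kind of thing a recipient of such a report writes before loading the hashes into a blocklist or SIEM. It embeds the 16 rows exactly as listed in the message, rejects any row whose hash is not a well-formed SHA-1/MD5 so a mangled line cannot become an IOC, maps the IANA protocol number 6 to "tcp", and summarises first/last seen, destination ports and missing sizes. The function names and the IOC line format are the example's own choices, not anything the report specifies.

```python
"""Parse the psql-style malware sample table from the report and turn it
into a summary plus a de-duplicated IOC list."""
import re
from collections import Counter
from datetime import datetime

# The 16 rows from the report above, embedded so the script runs offline.
SAMPLE_TABLE = """\
 timestamp           | sha1 | md5 | dst_ip | dst_port | protocol | size
--------------------- ---- --- ------ -------- -------- ----
 2009-02-25 08:47:00 | 15d84123f602deda871d21b807feb07e8a14cf3b | 4c3a14e470d744a801088f29693513d0 | 69.64.147.243 | 80 | 6 |
 2009-02-22 04:06:01 | 21b431b5bc26d37747fa0dc27f8a8ac669b2228b | eb09d700c56ebebe8568f1ee1d295da0 | 69.64.147.243 | 80 | 6 |
 2009-05-12 09:30:18 | 2499b0e0e2339d727b041bfc996465545632db66 | 0a8a491bdce93005745b5da8a8f9e3cd | 69.64.147.243 | 80 | 6 | 1898
 2009-02-11 18:39:59 | 2ae0ec9011f8cd69ae69ad485491c36762729237 | df8a3c557f7fc5a4352a3f0ac3800154 | 69.64.147.243 | 80 | 6 |
 2009-05-24 20:00:40 | 34b6be398193e4936dafa3794e6e3076a3aa737e | 4fb860243150b1a5c7535d4e2c5912f5 | 69.64.147.243 | 80 | 6 | 25620
 2009-04-14 14:11:27 | 3c2269922773a788e2909e7b0cadd44c89f4fb05 | 241786632360c52a9c4d7eb7498d4bd2 | 69.64.147.243 | 8080 | 6 | 0
 2009-04-23 12:24:24 | 4813fe5015f6790e0cadf0d74df5e06b66b4dc76 | 5c61cbafcf17ce383ae0575b66e2330a | 69.64.147.243 | 80 | 6 |
 2009-07-05 07:20:33 | 685c492c150536cff8867254902c297e4c528e9c | 6fe3ff0c0855a7c0759db2f6ad5f7aa1 | 69.64.147.243 | 80 | 6 |
 2009-03-04 07:33:57 | 79c8abecb2608820ddf81c860a91ea5cd21ab0fe | aea65321323ac29229184513e100431c | 69.64.147.243 | 80 | 6 |
 2009-02-27 05:34:25 | 80a938b42780e4a472e8961ec5d3d4ea382a17ad | 6e1f4e7135700a6a7860d5a3816c8e76 | 69.64.147.243 | 80 | 6 |
 2009-07-05 07:20:32 | 84274b1927aa205c5202e2b247bf543312998635 | dc4f3587e3a80f4214798b7ac8da62d9 | 69.64.147.243 | 80 | 6 |
 2009-03-31 21:26:24 | 9e9f0761a6af6caa1b966f54c767cb6e85a17c3c | 11e946d8723542aa05e6299c55ef18ce | 69.64.147.243 | 80 | 6 |
 2009-02-28 06:11:27 | a858cb48bc8e70c8afa91a8f4b384483c2dcfba7 | d1c473082ade6d9dcacf9c4996b62dcf | 69.64.147.243 | 80 | 6 |
 2009-03-18 06:20:13 | b79226cca1ebea49501a9551cbfe7003a5bff460 | a7a13a619693ea0fbb80d00af24a8474 | 69.64.147.243 | 25 | 6 |
 2009-02-08 20:40:14 | f4e9c0a16f4ffc1fd842c43c29f8ee619adf9d34 | b5935d2822f5cada8fd32ece591533a5 | 69.64.147.243 | 80 | 6 | 1084
 2009-04-03 01:23:49 | f92d1b9729efa85f40b13eeb472ba09f32eab9a5 | 0b869b2235122ea80033d634a5980b9f | 69.64.147.243 | 25 | 6 |
"""

IANA_PROTO = {6: "tcp", 17: "udp"}  # IP protocol numbers as used in the table
SHA1_RE = re.compile(r"[0-9a-f]{40}")
MD5_RE = re.compile(r"[0-9a-f]{32}")


def parse_table(text):
    """Return one dict per data row; raise ValueError on a malformed hash."""
    rows, header = [], None
    for line in text.splitlines():
        if set(line.strip()) <= {"-", " "}:  # blank line or dash separator
            continue
        cells = [c.strip() for c in line.split("|")]
        if header is None:
            header = cells
            continue
        rec = dict(zip(header, cells))
        if not SHA1_RE.fullmatch(rec["sha1"]) or not MD5_RE.fullmatch(rec["md5"]):
            raise ValueError(f"malformed hash in row: {line!r}")
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
        rec["dst_port"] = int(rec["dst_port"])
        rec["protocol"] = int(rec["protocol"])
        size = rec.get("size", "")
        rec["size"] = int(size) if size else None  # NULL in the report
        rows.append(rec)
    return rows


def proto_port(rec):
    return f"{IANA_PROTO.get(rec['protocol'], rec['protocol'])}/{rec['dst_port']}"


def summarise(rows):
    """Observation window, destination port mix and data-quality counters."""
    ports = Counter(proto_port(r) for r in rows)
    return {
        "count": len(rows),
        "first_seen": min(r["timestamp"] for r in rows).isoformat(sep=" "),
        "last_seen": max(r["timestamp"] for r in rows).isoformat(sep=" "),
        "ports": dict(sorted(ports.items())),
        "dst_ips": sorted({r["dst_ip"] for r in rows}),
        "missing_size": sum(1 for r in rows if r["size"] is None),
    }


def ioc_lines(rows):
    """One 'sha1,md5,dst_ip,proto/port' line per unique SHA-1, oldest first."""
    seen, out = set(), []
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        if r["sha1"] in seen:
            continue
        seen.add(r["sha1"])
        out.append(f"{r['sha1']},{r['md5']},{r['dst_ip']},{proto_port(r)}")
    return out


if __name__ == "__main__":
    parsed = parse_table(SAMPLE_TABLE)
    for key, value in summarise(parsed).items():
        print(f"{key}: {value}")
    print("\n".join(ioc_lines(parsed)))
```

The hash check is the part worth keeping: a table copied through a mail client (as the one above was) tends to wrap rows, and a half-line hash silently loaded into a blocklist is worse than a parse error.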