[nsp-sec] AS 46475 - Logging site
Rob Thomas
robt at cymru.com
Thu Jul 30 11:34:42 EDT 2009
Hi, Zane.
Thanks for the heads-up!
> g4rsu.exofire.net/fires/ IN A 69.162.76.170
This has been a naughty fellow for a while. We see it hosting an HTTP C&C as far back as 2009-06-13 11:31:26 UTC.
h x x p : / / l2.x10hosting.com/loly/gate/gate.php
That HTTP C&C is still online as of 2009-07-07 02:29:24 UTC.
It appears to be a Linux box.
We see the following DNS RRs pointed to it last month and this month.
stamp               | qname                    | class | type | rdata
------------------- -------------------------- ------- ------ ---------------
2009-06-21 09:07:24 | anniedays.x10hosting.com | IN    | A    | 69.162.76.170
2009-06-10 03:28:55 | coolstuff.pcriot.com     | IN    | A    | 69.162.76.170
2009-06-20 10:13:11 | dealsfair.com            | IN    | A    | 69.162.76.170
2009-06-13 13:07:15 | jteague.x10hosting.com   | IN    | A    | 69.162.76.170
2009-06-24 12:51:51 | kfdenterprises.com       | IN    | A    | 69.162.76.170
2009-06-13 11:31:25 | l2.x10hosting.com        | IN    | A    | 69.162.76.170
2009-06-26 20:34:49 | mortgagetips.co.cc       | IN    | A    | 69.162.76.170
2009-06-16 20:21:21 | multimediadog.com        | IN    | A    | 69.162.76.170
2009-06-15 06:51:40 | www.addingblogs.com      | IN    | A    | 69.162.76.170
2009-06-13 13:43:25 | x10stark.x10hosting.com  | IN    | A    | 69.162.76.170
2009-06-14 12:36:10 | x10stoli.x10hosting.com  | IN    | A    | 69.162.76.170
2009-06-18 19:29:57 | yuruku2.x10hosting.com   | IN    | A    | 69.162.76.170
stamp               | qname                             | class | type | rdata
------------------- ----------------------------------- ------- ------ ---------------
2009-07-22 20:47:51 | abhishek.dilliwal.com             | IN    | A    | 69.162.76.170
2009-07-18 12:36:11 | accountemail.exofire.net          | IN    | A    | 69.162.76.170
2009-07-17 16:18:21 | alfaclub.com.ar                   | IN    | A    | 69.162.76.170
2009-07-18 15:06:00 | altizerbaptist.org                | IN    | A    | 69.162.76.170
2009-07-19 14:04:11 | analvideoonline.x10hosting.com    | IN    | A    | 69.162.76.170
2009-07-01 08:44:31 | anniedays.x10hosting.com          | IN    | A    | 69.162.76.170
2009-07-13 00:07:31 | asoit.com                         | IN    | A    | 69.162.76.170
2009-07-17 04:52:42 | baydofus.com                      | IN    | A    | 69.162.76.170
2009-07-23 00:57:48 | beautyproduct.co.cc               | IN    | A    | 69.162.76.170
2009-07-30 06:08:25 | benzoyl.x10hosting.com            | IN    | A    | 69.162.76.170
2009-07-25 06:37:13 | bil-jaruzelski.pl                 | IN    | A    | 69.162.76.170
2009-07-09 04:54:01 | blog.ipodtouchforum.exofire.net   | IN    | A    | 69.162.76.170
2009-07-15 19:05:15 | board.fm-realism.co.cc            | IN    | A    | 69.162.76.170
2009-07-08 21:42:09 | boisegeeks.co.cc                  | IN    | A    | 69.162.76.170
2009-07-16 20:36:11 | buyitnow.elementfx.com            | IN    | A    | 69.162.76.170
2009-07-25 12:50:30 | cacrispvs.x10hosting.com          | IN    | A    | 69.162.76.170
2009-07-17 20:52:25 | cerios.co.cc                      | IN    | A    | 69.162.76.170
2009-07-24 01:36:10 | cg1bin.pcriot.com                 | IN    | A    | 69.162.76.170
2009-07-10 22:03:12 | chungyen.com                      | IN    | A    | 69.162.76.170
2009-07-07 05:33:46 | cilaas.x10hosting.com             | IN    | A    | 69.162.76.170
2009-07-20 18:58:25 | circuitdesignonline.com           | IN    | A    | 69.162.76.170
2009-07-01 12:08:42 | coolstuff.pcriot.com              | IN    | A    | 69.162.76.170
2009-07-06 19:12:55 | cpstealth.x10hosting.com          | IN    | A    | 69.162.76.170
2009-07-23 14:04:19 | darkcoll.ru                       | IN    | A    | 69.162.76.170
2009-07-02 22:42:20 | davidhpaul.ws                     | IN    | A    | 69.162.76.170
2009-07-04 14:38:01 | dealsfair.com                     | IN    | A    | 69.162.76.170
2009-07-04 13:30:16 | deletememaybe.x10hosting.com      | IN    | A    | 69.162.76.170
2009-07-15 08:25:18 | dementedpants.com                 | IN    | A    | 69.162.76.170
2009-07-09 10:42:59 | dhfola.info                       | IN    | A    | 69.162.76.170
2009-07-23 08:39:04 | drumynet.x10hosting.com           | IN    | A    | 69.162.76.170
2009-07-10 10:03:52 | easypeasymoney.co.uk              | IN    | A    | 69.162.76.170
2009-07-23 09:08:03 | ebooks.pcriot.com                 | IN    | A    | 69.162.76.170
2009-07-20 12:01:16 | edendreamssalon.com               | IN    | A    | 69.162.76.170
2009-07-04 03:41:35 | emialcash.com                     | IN    | A    | 69.162.76.170
2009-07-19 18:49:28 | escocolumbo.org                   | IN    | A    | 69.162.76.170
2009-07-17 18:36:01 | escuelaluzverde.com.ar            | IN    | A    | 69.162.76.170
2009-07-11 17:51:11 | evdemon.com.ar                    | IN    | A    | 69.162.76.170
2009-07-19 19:01:16 | exteel.pcriot.com                 | IN    | A    | 69.162.76.170
2009-07-15 13:17:51 | facebookgirls.pcriot.com          | IN    | A    | 69.162.76.170
2009-07-28 20:30:12 | facebooklogiin.x10hosting.com     | IN    | A    | 69.162.76.170
2009-07-24 21:30:14 | fblgn.x10hosting.com              | IN    | A    | 69.162.76.170
2009-07-01 15:00:40 | filipesantos.com.br               | IN    | A    | 69.162.76.170
2009-07-04 13:52:56 | flowmaniaticosinc.exofire.net     | IN    | A    | 69.162.76.170
2009-07-23 11:49:12 | flyairfares.com                   | IN    | A    | 69.162.76.170
2009-07-26 08:57:52 | fm-realism.co.cc                  | IN    | A    | 69.162.76.170
2009-07-01 17:56:12 | fortunaimoveis.com.br             | IN    | A    | 69.162.76.170
2009-07-30 05:50:27 | forum.gascomics.com               | IN    | A    | 69.162.76.170
2009-07-29 01:50:13 | forums.moviemakers.x10hosting.com | IN    | A    | 69.162.76.170
2009-07-26 03:06:50 | forums.warcats.exofire.net        | IN    | A    | 69.162.76.170
2009-07-12 07:36:45 | g4rsu.exofire.net                 | IN    | A    | 69.162.76.170
2009-07-21 08:51:24 | georgerissite.pcriot.com          | IN    | A    | 69.162.76.170
2009-07-21 04:17:49 | guirecords.com                    | IN    | A    | 69.162.76.170
2009-07-28 22:10:59 | h4xgaming.exofire.net             | IN    | A    | 69.162.76.170
2009-07-04 22:36:23 | habbotage.elementfx.com           | IN    | A    | 69.162.76.170
2009-07-04 22:36:03 | habbotage.net                     | IN    | A    | 69.162.76.170
2009-07-24 13:13:31 | hal.pcriot.com                    | IN    | A    | 69.162.76.170
2009-07-15 04:30:55 | hartmanninc.x10hosting.com        | IN    | A    | 69.162.76.170
2009-07-26 23:45:46 | hassan.x10hosting.com             | IN    | A    | 69.162.76.170
2009-07-03 02:54:36 | healthandfitness.exofire.net      | IN    | A    | 69.162.76.170
2009-07-26 19:59:14 | iklanria.com                      | IN    | A    | 69.162.76.170
2009-07-19 21:47:56 | indiansnitch.co.cc                | IN    | A    | 69.162.76.170
2009-07-25 22:20:10 | itsolutions.x10hosting.com        | IN    | A    | 69.162.76.170
2009-07-05 01:30:32 | jw.x10hosting.com                 | IN    | A    | 69.162.76.170
2009-07-21 08:23:59 | kabaeva.co.cc                     | IN    | A    | 69.162.76.170
2009-07-16 14:47:24 | kabaeva.org.ru                    | IN    | A    | 69.162.76.170
2009-07-22 09:05:45 | keepmoving.exofire.net            | IN    | A    | 69.162.76.170
2009-07-23 19:59:12 | kevinanderson.exofire.net         | IN    | A    | 69.162.76.170
2009-07-22 07:36:15 | kfdenterprises.com                | IN    | A    | 69.162.76.170
2009-07-29 21:22:49 | korecomputer.com                  | IN    | A    | 69.162.76.170
2009-07-24 20:59:30 | kushelmex.com                     | IN    | A    | 69.162.76.170
2009-07-01 01:41:40 | l2.x10hosting.com                 | IN    | A    | 69.162.76.170
2009-07-20 03:26:08 | lionkingsoftware.elementfx.com    | IN    | A    | 69.162.76.170
2009-07-18 16:07:12 | logincgi1.pcriot.com              | IN    | A    | 69.162.76.170
2009-07-20 22:30:13 | lointaca.pcriot.com               | IN    | A    | 69.162.76.170
2009-07-30 00:30:11 | lotsofmoney1235.x10hosting.com    | IN    | A    | 69.162.76.170
2009-07-29 02:05:13 | lovethemoney3.x10hosting.com      | IN    | A    | 69.162.76.170
2009-07-23 23:27:53 | manuman.es                        | IN    | A    | 69.162.76.170
2009-07-28 08:17:33 | metawing.com                      | IN    | A    | 69.162.76.170
2009-07-05 16:26:03 | misterroboto.co.cc                | IN    | A    | 69.162.76.170
2009-07-14 20:08:40 | mortgagetips.co.cc                | IN    | A    | 69.162.76.170
2009-07-11 09:12:24 | mutecomics.com                    | IN    | A    | 69.162.76.170
2009-07-15 20:46:58 | muxa.exofire.net                  | IN    | A    | 69.162.76.170
2009-07-24 02:28:17 | naked.naturespirit.co.uk          | IN    | A    | 69.162.76.170
2009-07-06 03:26:59 | naturespirit.co.uk                | IN    | A    | 69.162.76.170
2009-07-20 02:20:31 | njustin.co.cc                     | IN    | A    | 69.162.76.170
2009-07-20 06:46:03 | nolimitsoup.x10hosting.com        | IN    | A    | 69.162.76.170
2009-07-15 01:31:51 | nooxcom.es                        | IN    | A    | 69.162.76.170
2009-07-15 02:22:29 | oagasallo.es                      | IN    | A    | 69.162.76.170
2009-07-20 15:15:23 | onecentclicks.info                | IN    | A    | 69.162.76.170
2009-07-18 08:05:26 | onlinetreffer.co.cc               | IN    | A    | 69.162.76.170
2009-07-26 17:41:28 | oroquietacity.net                 | IN    | A    | 69.162.76.170
2009-07-24 05:39:02 | pbycall.com                       | IN    | A    | 69.162.76.170
2009-07-10 23:18:59 | pcdocs.co.cc                      | IN    | A    | 69.162.76.170
2009-07-20 13:06:56 | plemnik.x10hosting.com            | IN    | A    | 69.162.76.170
2009-07-20 17:30:13 | ppl4sys.elementfx.com             | IN    | A    | 69.162.76.170
2009-07-20 03:53:58 | pqgames.exofire.net               | IN    | A    | 69.162.76.170
2009-07-28 06:17:45 | projectdomo.com.ar                | IN    | A    | 69.162.76.170
2009-07-20 13:11:26 | proxymas.co.cc                    | IN    | A    | 69.162.76.170
2009-07-28 06:38:04 | proxymus.info                     | IN    | A    | 69.162.76.170
2009-07-11 00:50:29 | qualizza.eu                       | IN    | A    | 69.162.76.170
2009-07-28 23:30:13 | relogan.pcriot.com                | IN    | A    | 69.162.76.170
2009-07-24 09:08:12 | ricardocabral.pcriot.com          | IN    | A    | 69.162.76.170
2009-07-20 04:50:56 | rookiegaming.net                  | IN    | A    | 69.162.76.170
2009-07-09 14:52:53 | sansseraphim.co.uk                | IN    | A    | 69.162.76.170
2009-07-22 23:39:06 | severalvector.exofire.net         | IN    | A    | 69.162.76.170
2009-07-04 05:11:31 | sfan7.co.cc                       | IN    | A    | 69.162.76.170
2009-07-29 13:05:43 | sidart.x10hosting.com             | IN    | A    | 69.162.76.170
2009-07-17 04:05:09 | signinws.pcriot.com               | IN    | A    | 69.162.76.170
2009-07-15 08:33:18 | snok2.x10hosting.com              | IN    | A    | 69.162.76.170
2009-07-23 19:47:28 | socialmedia.pcriot.com            | IN    | A    | 69.162.76.170
2009-07-20 06:13:56 | socialnet.pcriot.com              | IN    | A    | 69.162.76.170
2009-07-21 23:47:56 | sofclan.exofire.net               | IN    | A    | 69.162.76.170
2009-07-29 22:37:26 | spartanpoker.org                  | IN    | A    | 69.162.76.170
2009-07-26 23:41:23 | sportpapers.co.cc                 | IN    | A    | 69.162.76.170
2009-07-01 17:06:48 | superseguranca.com.br             | IN    | A    | 69.162.76.170
2009-07-05 08:45:39 | tele7.org.ru                      | IN    | A    | 69.162.76.170
2009-07-13 04:08:47 | theblackclan.co.cc                | IN    | A    | 69.162.76.170
2009-07-23 01:57:26 | the-korunnai.uni.cc               | IN    | A    | 69.162.76.170
2009-07-24 15:44:35 | thornhillgreens.x10hosting.com    | IN    | A    | 69.162.76.170
2009-07-25 16:24:33 | thrinityonline.x10hosting.com     | IN    | A    | 69.162.76.170
2009-07-24 16:24:00 | toyshokk.pcriot.com               | IN    | A    | 69.162.76.170
2009-07-29 10:03:41 | truskolaski.pl                    | IN    | A    | 69.162.76.170
2009-07-24 17:07:12 | tushar.x10hosting.com             | IN    | A    | 69.162.76.170
2009-07-24 17:20:30 | tylerphysics.elementfx.com        | IN    | A    | 69.162.76.170
2009-07-21 10:36:41 | usmafia.co.uk                     | IN    | A    | 69.162.76.170
2009-07-20 09:42:21 | veera.uni.cc                      | IN    | A    | 69.162.76.170
2009-07-23 00:04:23 | wapbd.mobi                        | IN    | A    | 69.162.76.170
2009-07-16 20:21:36 | wealthonline.x10hosting.com       | IN    | A    | 69.162.76.170
2009-07-28 15:50:39 | wixie.eu                          | IN    | A    | 69.162.76.170
2009-07-02 00:09:22 | x10stoli.x10hosting.com           | IN    | A    | 69.162.76.170
2009-07-21 05:21:33 | xfrlink.com                       | IN    | A    | 69.162.76.170
2009-07-22 02:58:26 | youincome.pcriot.com              | IN    | A    | 69.162.76.170
We have 10 samples in our malware menagerie that point to 69.162.76.170.
timestamp           | sha1                                     | md5                              | dst_ip        | dst_port | protocol | size
------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
2009-07-01 13:31:48 | 0a5337695f25df698f628dc615534eb4f3de9ea7 | 6fc6e4dd7b08c716c712ff82bd5c5645 | 69.162.76.170 | 80       | 6        |
2009-06-27 01:22:53 | 0c66634c90291140a79e5f868eb165c4ca1c93f9 | 3f1066b2ce15f6c4fa8152167cb80ad9 | 69.162.76.170 | 80       | 6        |
2009-07-06 15:22:27 | 0da25b5fab9719be81492a2082a72b9b50de0507 | 251375c89b9b602742c95f18e9af9e4b | 69.162.76.170 | 21       | 6        |
2009-06-13 11:31:25 | 0f52293de478b2ec7dece3ea406f61c4c9dbd4b8 | f648f70b5fc8328e0f3e031aa6e2b6f1 | 69.162.76.170 | 80       | 6        |
2009-06-13 11:31:26 | 2ed5c3d76eb4414aa078fa157402f26d27ff3948 | 1bdf6dfabf46d20f269b32328e02bab2 | 69.162.76.170 | 80       | 6        |
2009-06-27 07:21:56 | b460af6b1169cd64f5a0035fe3572aab44e62fde | 6700bef8daa25e96a3c642c726cdeba6 | 69.162.76.170 | 80       | 6        |
2009-06-13 11:31:44 | d32df0d47b45aaab13359fa21c405097702000ae | 8012ae0a381c797485e7a8072518e515 | 69.162.76.170 | 80       | 6        |
2009-06-15 11:31:25 | d7fedebae98e7b791fadf3b4b48fadd1011ee502 | 34db97e5f262789cbbd2074896a85fec | 69.162.76.170 | 80       | 6        |
2009-06-27 18:26:03 | e0ebf94e285c2fd6ac205bf8dbaf6c37cb113ebd | d8cc53c84016feb93cd46347bc7a7a4d | 69.162.76.170 | 80       | 6        |
2009-06-27 06:22:35 | f1360aadf0efff2548a91774fd905d056c967d20 | d1af6268d2f0808487729f47580ecff0 | 69.162.76.170 | 80       | 6        |
Perhaps folks at NTT, Level3, GBLX, and TW can assist here?
PEER_AS | IP            | BGP Prefix     | CC | Registry | Allocated  | AS Name
------- --------------- ---------------- ---- ---------- ------------ ------------------------------------------
2914    | 69.162.76.170 | 69.162.64.0/18 | US | arin     | 2008-06-27 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3356    | 69.162.76.170 | 69.162.64.0/18 | US | arin     | 2008-06-27 | LEVEL3 Level 3 Communications
3549    | 69.162.76.170 | 69.162.64.0/18 | US | arin     | 2008-06-27 | GBLX Global Crossing Ltd.
4323    | 69.162.76.170 | 69.162.64.0/18 | US | arin     | 2008-06-27 | TWTC - tw telecom holdings, inc.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
ASSERT(coffee != empty);
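The passive-DNS and sample tables in the message above are pipe-delimited dumps that mail clients wrap badly, and the first thing a responder usually does with them is turn them back into records: first and last seen per name, which apex domains the names cluster under (here mostly free shared-hosting apexes), and which ports the samples phoned home to. The Python below is an added example written for this page, not part of Rob's message or of any Team Cymru tool. Its input strings are constructed from a few rows of the tables above in the unwrapped layout; the MULTI_LABEL_SUFFIXES set is an assumption standing in for a proper Public Suffix List lookup.

```python
"""Parse pipe-delimited passive-DNS / sample tables into a small IOC summary (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed input: a handful of rows from the passive-DNS table above, in the
# unwrapped layout (assumption: rdata sits on the same line as the rest of the row).
PDNS_TEXT = """\
stamp               | qname                         | class | type | rdata
------------------- ------------------------------- ------- ------ ---------------
2009-06-13 11:31:25 | l2.x10hosting.com             | IN    | A    | 69.162.76.170
2009-07-01 01:41:40 | l2.x10hosting.com             | IN    | A    | 69.162.76.170
2009-07-12 07:36:45 | g4rsu.exofire.net             | IN    | A    | 69.162.76.170
2009-07-28 20:30:12 | facebooklogiin.x10hosting.com | IN    | A    | 69.162.76.170
2009-07-24 01:36:10 | cg1bin.pcriot.com             | IN    | A    | 69.162.76.170
2009-07-14 20:08:40 | mortgagetips.co.cc            | IN    | A    | 69.162.76.170
"""

# Constructed input: two of the ten rows of the malware-sample table above.
# Note the empty trailing "size" column, which the parser must tolerate.
SAMPLES_TEXT = """\
timestamp           | sha1                                     | md5                              | dst_ip        | dst_port | protocol | size
------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
2009-07-01 13:31:48 | 0a5337695f25df698f628dc615534eb4f3de9ea7 | 6fc6e4dd7b08c716c712ff82bd5c5645 | 69.162.76.170 | 80       | 6        |
2009-07-06 15:22:27 | 0da25b5fab9719be81492a2082a72b9b50de0507 | 251375c89b9b602742c95f18e9af9e4b | 69.162.76.170 | 21       | 6        |
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Two-label suffixes seen in the post's qnames; under these the registrable name is the
# third label from the right. Assumption standing in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.cc", "co.uk", "com.ar", "com.br", "org.ru", "uni.cc"}


def parse_table(text):
    """Parse a pipe-delimited table: first non-empty line is the header, dashed lines are separators."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for ln in lines[1:]:
        if ln.lstrip().startswith("-"):
            continue
        cells = [c.strip() for c in ln.split("|")]
        cells += [""] * (len(header) - len(cells))  # keep zip aligned if a trailing column is missing
        rows.append(dict(zip(header, cells)))
    return rows


def first_last_seen(records):
    """Map each qname to (first_seen, last_seen, observation count)."""
    seen = {}
    for r in records:
        ts = datetime.strptime(r["stamp"], TS_FMT)
        q = r["qname"].lower()
        first, last, n = seen.get(q, (ts, ts, 0))
        seen[q] = (min(first, ts), max(last, ts), n + 1)
    return seen


def apex(qname):
    """Registrable (apex) domain of a qname under the simplified suffix rule above."""
    labels = qname.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def apex_counts(records):
    """Number of distinct qnames per apex; shared-hosting apexes stand out on a box like this."""
    names = defaultdict(set)
    for r in records:
        names[apex(r["qname"])].add(r["qname"].lower())
    return {a: len(n) for a, n in names.items()}


def sample_destinations(records):
    """Count (dst_ip, dst_port, ip_protocol) tuples the samples connected to (protocol 6 is TCP)."""
    return Counter((r["dst_ip"], int(r["dst_port"]), int(r["protocol"])) for r in records)


if __name__ == "__main__":
    pdns = parse_table(PDNS_TEXT)
    for q, (first, last, n) in sorted(first_last_seen(pdns).items()):
        print(f"{q:32} first {first} last {last} ({n} obs)")
    print(apex_counts(pdns))
    for (ip, port, proto), n in sample_destinations(parse_table(SAMPLES_TEXT)).items():
        print(f"{n} sample(s) -> {ip}:{port} (IP proto {proto})")
```

Feeding it the full tables from the message (after unwrapping the rdata lines) gives the per-name observation windows and shows how heavily the IP is shared among x10hosting.com, pcriot.com, exofire.net and elementfx.com subdomains, which is the practical reason a takedown request has to name the specific C&C path rather than the whole host.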