[nsp-sec] Stumbled upon some malware | domain x8f.ru - numerous A records

Shelton, Steve sshelton at Cogentco.com
Fri Jul 31 11:12:20 EDT 2009


Team,

While looking into the activities of 80.93.90.88/32, I found the
following servers were also facilitating the very same exploit as well
as what appears to be 100 percent widespread nefarious activity.  Please
note that all /32's were found to have nginx servers operating on port
8080.

Note: While researching, I also found references to Cutwail, rustock and
Gumblar.

hxxp://80.93.90.88:8080/cache/readme.pdf [Server: nginx]
hxxp://91.121.146.101:8080/cache/readme.pdf [Server: nginx]
hxxp://91.121.167.41:8080/cache/readme.pdf [Server: nginx]
hxxp://94.76.235.32:8080/cache/readme.pdf [Server: nginx]
hxxp://213.251.176.169:8080/cache/readme.pdf [Server: nginx]

http://wepawet.iseclab.org/view.php?hash=865a53b592bc0853282c081f052fad42&t=1249050293&type=js

Non-authoritative answer:
 Name:	x8f.ru
 Address: 80.93.90.88
 Name:	x8f.ru
 Address: 91.121.146.101
 Name:	x8f.ru
 Address: 91.121.167.41
 Name:	x8f.ru
 Address: 94.76.235.32
 Name:	x8f.ru
 Address: 213.251.176.169


Bulk mode; whois.cymru.com [2009-07-31 15:01:35 +0000]

16276   | 213.251.176.169  | OVH OVH
16276   | 91.121.146.101   | OVH OVH
16276   | 91.121.167.41    | OVH OVH
21409   | 80.93.90.88      | IKOULA IKOULA European Backbone AS
29550   | 94.76.235.32     | EUROCONNEX-AS Blueconnex Networks Ltd


Bulk mode; peer-whois.cymru.com [2009-07-31 15:01:35 +0000]
174     | 80.93.90.88      | COGENT Cogent/PSI
2516    | 213.251.176.169  | KDDI KDDI CORPORATION
2516    | 91.121.146.101   | KDDI KDDI CORPORATION
2516    | 91.121.167.41    | KDDI KDDI CORPORATION
2914    | 94.76.235.32     | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3257    | 94.76.235.32     | TINET-BACKBONE Tinet SpA
3549    | 213.251.176.169  | GBLX Global Crossing Ltd.
3549    | 91.121.146.101   | GBLX Global Crossing Ltd.
3549    | 91.121.167.41    | GBLX Global Crossing Ltd.
4565    | 213.251.176.169  | MEGAPATH2-US - MegaPath Networks Inc.
4565    | 91.121.146.101   | MEGAPATH2-US - MegaPath Networks Inc.
4565    | 91.121.167.41    | MEGAPATH2-US - MegaPath Networks Inc.
6453    | 213.251.176.169  | GLOBEINTERNET TATA Communications
6453    | 91.121.146.101   | GLOBEINTERNET TATA Communications
6453    | 91.121.167.41    | GLOBEINTERNET TATA Communications
8218    | 80.93.90.88      | NEO-ASN AS Confederation of Neotelecoms, euNetworks AG and Upstreamnet gmbh
8468    | 94.76.235.32     | ENTANET ENTANET International Ltd
10310   | 213.251.176.169  | YAHOO-1 - Yahoo!
10310   | 80.93.90.88      | YAHOO-1 - Yahoo!
10310   | 91.121.146.101   | YAHOO-1 - Yahoo!
10310   | 91.121.167.41    | YAHOO-1 - Yahoo!
10310   | 94.76.235.32     | YAHOO-1 - Yahoo!
21502   | 80.93.90.88      | ASN-NUMERICABLE NUMERICABLE is a cable network operator in France, offering TV,VOICE and Internet services

Steve Shelton
Network Security Engineer
Cogent Communications
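The post pairs a resolver lookup (five A records for x8f.ru) with Team Cymru bulk whois output so that the hosting ASNs can be notified, and lists the URL path served on port 8080 from every address. The script below is an added example, not part of the post: it parses the resolver and whois.cymru.com text exactly as pasted above, correlates each A record with its origin ASN, and then runs a defender-side check over a few constructed squid-style proxy log lines to flag requests for that path from the domain or any of its addresses on any port. The proxy log lines and client addresses are constructed for the demonstration.

```python
"""Correlate a domain's A records with Team Cymru bulk-whois output and
flag proxy log lines that request the reported path from those hosts.
Added example; the resolver and whois text is the output quoted in the
post, the proxy log lines are constructed for the demo."""
import re
from collections import defaultdict

# Resolver output as pasted in the post (x8f.ru round-robin A records).
NSLOOKUP_OUTPUT = """\
Non-authoritative answer:
 Name:   x8f.ru
 Address: 80.93.90.88
 Name:   x8f.ru
 Address: 91.121.146.101
 Name:   x8f.ru
 Address: 91.121.167.41
 Name:   x8f.ru
 Address: 94.76.235.32
 Name:   x8f.ru
 Address: 213.251.176.169
"""

# whois.cymru.com bulk-mode output from the post (origin ASNs only).
CYMRU_BULK_OUTPUT = """\
Bulk mode; whois.cymru.com [2009-07-31 15:01:35 +0000]
16276   | 213.251.176.169  | OVH OVH
16276   | 91.121.146.101   | OVH OVH
16276   | 91.121.167.41    | OVH OVH
21409   | 80.93.90.88      | IKOULA IKOULA European Backbone AS
29550   | 94.76.235.32     | EUROCONNEX-AS Blueconnex Networks Ltd
"""

# Constructed squid-style proxy log lines: "timestamp client method url".
# These are not real log data; they exist to exercise the matcher.
PROXY_LOG = """\
1249050100.123 10.0.0.5 GET http://80.93.90.88:8080/cache/readme.pdf
1249050101.456 10.0.0.7 GET http://www.example.com/index.html
1249050102.789 10.0.0.9 GET http://x8f.ru:8080/cache/readme.pdf
1249050103.012 10.0.0.5 GET http://91.121.146.101/cache/readme.pdf
"""


def parse_nslookup(text):
    """Return {name: [ip, ...]} from the 'Name:' / 'Address:' pairs."""
    records = defaultdict(list)
    name = None
    for line in text.splitlines():
        m = re.match(r"\s*Name:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*Address:\s*(\S+)", line)
        if m and name:
            records[name].append(m.group(1))
    return dict(records)


def parse_cymru_bulk(text):
    """Return {ip: (asn, as_name)} from 'ASN | IP | AS Name' rows."""
    table = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skips the 'Bulk mode;' banner and blank lines
        asn, ip, as_name = parts
        table[ip] = (int(asn), as_name)
    return table


def correlate(domain, dns, asn_table):
    """List (ip, asn, as_name) for every A record of the domain."""
    return [(ip,) + asn_table.get(ip, (None, "unknown"))
            for ip in dns.get(domain, [])]


def flag_proxy_hits(log_text, domain, dns, path="/cache/readme.pdf"):
    """Return log lines whose URL host is the domain or one of its A
    records and whose path is the reported one, whatever the port."""
    hosts = set(dns.get(domain, [])) | {domain}
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"https?://([^/:\s]+)(?::\d+)?(/\S*)", line)
        if m and m.group(1) in hosts and m.group(2) == path:
            hits.append(line)
    return hits


if __name__ == "__main__":
    dns = parse_nslookup(NSLOOKUP_OUTPUT)
    asns = parse_cymru_bulk(CYMRU_BULK_OUTPUT)
    for ip, asn, name in correlate("x8f.ru", dns, asns):
        print(f"{ip:16} AS{asn:<6} {name}")
    for hit in flag_proxy_hits(PROXY_LOG, "x8f.ru", dns):
        print("HIT:", hit)
```

The matcher keys on host plus path rather than the full URL so that the same content served on a different port, or reached through the domain instead of a raw address, is still caught; the ASN table gives the abuse contacts to notify, one per origin AS rather than one per address.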
