[nsp-sec] 41,000+ likely Bifrose infections

David Freedman david.freedman at uk.clara.net
Mon Jun 1 18:27:23 EDT 2009


ACK 8426

------------------------------------------------
David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net



-----Original Message-----
From: nsp-security-bounces at puck.nether.net on behalf of Paul Dokas
Sent: Mon 6/1/2009 18:31
To: NSP-SEC
Subject: [nsp-sec] 41,000+ likely Bifrose infections
 
----------- nsp-security Confidential --------

One of our users complained last Friday about an inbound DoS attack against
one of their web servers (https://128.101.65.204/).  Looking over the logs,
we found that tons of hosts from all over the world were hitting the HTTPS
front page, but not trying to login at all.  Thanks to RobT and his remarkable
malware database, he was able to tell me that there are variants of Bifrose
that are using this site to check for Internet connectivity.

I pulled our flows for midnight -> 4am June 01 local time (GMT-5) and found
the following list of 41,000+ IPs.  I suspect that there is a good chance that
all of these hosts have some form of malware on them.

  https://asn.cymru.com/nsp-sec/upload/1243876952.whois.txt

Like I said, the times are all GMT-5 (Central US).  The number after the
timestamp is the count of flows seen over that time period.


Paul
-- 
Paul Dokas                                     dokas at oitsec.umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
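The flow pull Paul describes (all flows to the web server's HTTPS port in the midnight to 4am GMT-5 window, aggregated to a per-source count) can be scripted. The following is an added example, not code from the original message or from the list: the flow record layout (start time, source, destination, destination port, protocol), the sample records and the report layout are all assumptions constructed here; only the target address, port and time window come from the message.

```python
"""Aggregate flow records into a per-source flow count for hosts connecting to a
suspected malware connectivity-check target (added example; sample flows below
are constructed, not taken from the page)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

TARGET = "128.101.65.204"                  # web server named in the message
TARGET_PORT = 443                          # HTTPS front page
LOCAL_TZ = timezone(timedelta(hours=-5))   # GMT-5 (Central US), per the message

# Constructed sample flow records (assumed layout, not a real export):
# start time (UTC)   src IP        dst IP          dport proto
SAMPLE_FLOWS = """\
2009-06-01T05:00:12Z 203.0.113.10 128.101.65.204 443 tcp
2009-06-01T05:00:47Z 203.0.113.10 128.101.65.204 443 tcp
2009-06-01T05:01:03Z 198.51.100.7 128.101.65.204 443 tcp
2009-06-01T05:02:10Z 203.0.113.10 128.101.65.204 443 tcp
2009-06-01T06:15:00Z 192.0.2.55 128.101.65.204 443 tcp
2009-06-01T06:15:20Z 192.0.2.55 128.101.65.204 80 tcp
2009-06-01T10:30:00Z 198.51.100.7 128.101.65.204 443 tcp
2009-06-01T07:00:00Z 203.0.113.99 128.101.65.204 443 udp
"""


def parse_flow(line):
    """Split one record into (aware UTC start time, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    start = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return start, src, dst, int(dport), proto


def pull_flows(text, start_local, end_local, target=TARGET, port=TARGET_PORT):
    """Count TCP flows per source IP to target:port whose start time falls in
    [start_local, end_local). Timezone-aware datetimes compare correctly even
    though the records are in UTC and the window is given in local time."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, dst, dport, proto = parse_flow(line)
        if dst != target or dport != port or proto != "tcp":
            continue                       # other services, non-TCP noise
        if not (start_local <= start < end_local):
            continue                       # outside the window being pulled
        counts[src] += 1
    return counts


def overnight_window(year, month, day, hours=4):
    """Midnight local time on the given day to midnight + hours (default 4am)."""
    start = datetime(year, month, day, 0, 0, tzinfo=LOCAL_TZ)
    return start, start + timedelta(hours=hours)


def report_lines(counts, window_start):
    """One line per source: window timestamp, flow count, IP. The real upload's
    exact layout is not shown on the page; this ordering is an assumption."""
    stamp = window_start.strftime("%Y-%m-%d %H:%M %z")
    return [f"{stamp} {n:6d} {ip}" for ip, n in counts.most_common()]


def sample_counts():
    """Run the sample through the June 1 midnight-to-4am window."""
    start, end = overnight_window(2009, 6, 1)
    return dict(pull_flows(SAMPLE_FLOWS, start, end))


if __name__ == "__main__":
    start, end = overnight_window(2009, 6, 1)
    print("\n".join(report_lines(pull_flows(SAMPLE_FLOWS, start, end), start)))
```

Two caveats when reading such a list: the flows only show that a source connected to the HTTPS front page, so the "no login attempts" observation has to come from the web server logs, as it did here; and one source address behind a NAT gateway may stand for many hosts, so the count of addresses is a lower bound on infected machines, not a host count.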