[nsp-sec] 41,000+ likely Bifrose infections
Vidar Østmo
vidar.ostmo at ventelo.no
Tue Jun 2 03:01:43 EDT 2009
ACK 2116. Forwarded to our abuse.
Best Regards
Vidar Østmo - Technology - BaneTele AS
asn 2116/3307 - vidar.ostmo at ventelo.no - Tel:+47 47 9000 97
On 6/1/09 7:31 PM, "Paul Dokas" <dokas at oitsec.umn.edu> wrote:
> ----------- nsp-security Confidential --------
>
> One of our users complained last Friday about an inbound DoS attack against
> one of their web servers (https://128.101.65.204/). Looking over the logs,
> we found that tons of hosts from all over the world were hitting the HTTPS
> front page, but not trying to login at all. Thanks to RobT and his remarkable
> malware database, he was able to tell me that there are variants of Bifrose
> that are using this site to check for Internet connectivity.
>
> I pulled our flows for midnight -> 4am June 01 local time (GMT-5) and found
> the following list of 41,000+ IPs. I suspect that there is a good chance that
> all of these hosts have some form of malware on them.
>
> https://asn.cymru.com/nsp-sec/upload/1243876952.whois.txt
>
> Like I said, the times are all GMT-5 (Central US). The number after the
> timestamp is the count of flows seen over that time period.
>
>
> Paul
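As an added illustration (not part of the thread or of anyone's posted code), here is one way to produce the kind of per-source list Paul describes from flow records: filter on the connectivity-check destination and port, keep only the midnight-to-4am GMT-5 window, and sum flows per source IP. The CSV layout, the sample flow lines and the source addresses are constructed for this example; only the destination address comes from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample flow records (not real data from the report):
# "start_time_utc,src_ip,dst_ip,dst_port,flows"
SAMPLE_FLOWS = """\
2009-06-01T05:03:11Z,192.0.2.10,128.101.65.204,443,7
2009-06-01T05:45:02Z,192.0.2.10,128.101.65.204,443,5
2009-06-01T06:10:40Z,198.51.100.7,128.101.65.204,443,3
2009-06-01T06:20:00Z,198.51.100.7,128.101.65.204,80,2
2009-06-01T07:59:59Z,203.0.113.9,128.101.65.204,443,1
2009-06-01T09:30:00Z,203.0.113.9,128.101.65.204,443,4
2009-06-01T06:25:00Z,192.0.2.55,192.0.2.1,443,9
"""

LOCAL = timezone(timedelta(hours=-5))  # GMT-5, the reporter's local time


def parse_flows(text):
    """Parse CSV flow lines into (utc_datetime, src, dst, dport, flows) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, n = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, src, dst, int(dport), int(n)))
    return records


def suspected_beacons(records, target_ip, target_port, start_local, end_local):
    """Sum flows per source that reached target_ip:target_port inside the
    local-time window [start_local, end_local), given as ISO strings in GMT-5.
    Returns (src, flows) pairs, busiest first; each source is a host that
    touched the connectivity-check URL and is worth an abuse notification."""
    start = datetime.fromisoformat(start_local).replace(tzinfo=LOCAL)
    end = datetime.fromisoformat(end_local).replace(tzinfo=LOCAL)
    totals = defaultdict(int)
    for when, src, dst, dport, n in records:
        if dst != target_ip or dport != target_port:
            continue  # traffic to other services is not the beacon pattern
        if not (start <= when < end):
            continue  # outside the analysed window
        totals[src] += n
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    recs = parse_flows(SAMPLE_FLOWS)
    for src, flows in suspected_beacons(recs, "128.101.65.204", 443,
                                        "2009-06-01T00:00:00", "2009-06-01T04:00:00"):
        print(f"{src:16} {flows}")
```

A host that only hit port 80, or only appeared outside the window, is dropped, so the list stays tied to the observed check-in behaviour rather than to all traffic toward the server.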