[nsp-sec] C&C at 91.212.41.252
Rob Thomas
robt at cymru.com
Wed Jun 3 18:09:17 EDT 2009
Hey, Tim.
Regarding 91.212.41.252, it's been an active HTTP C&C. The relevant DNS
RR is (at least):
timestamp | dns_name | ip
--------------------- ---------------- ---------------
2009-06-02 09:05:16 | upline-club.ru | 91.212.41.252
We see a few recent attacks.
timestamp           | url                                                    | ip            | hostname       | target_ip      | target_host    | cmd
--------------------- ------------------------------------------------------- --------------- ---------------- ---------------- ---------------- ------------------------------------------
2009-06-02 08:01:03 | http://upline-club.ru/dv2/counter.php?mytag=329862386 | 91.212.41.252 | upline-club.ru | 83.222.23.166  | www.narcred.ru | ####100####http://www.narcred.ru####
2009-06-02 11:01:07 | http://upline-club.ru/dv2/counter.php?mytag=329862386 | 91.212.41.252 | upline-club.ru | 83.222.23.166  | www.narcred.ru | ####100####http://www.narcred.ru####
[ ... ]
2009-06-03 11:01:04 | http://upline-club.ru/dv2/counter.php?mytag=329862386 | 91.212.41.252 | upline-club.ru | 90.156.154.192 | www.narcred.ru | ####100####http://www.narcred.ru####
Regarding 91.212.41.0/24, there are a few other HTTP C&Cs in that network.
2009-05-05 07:25:39 | 91.212.41.85  | 44050 | botnetcc | category: botweb url: http://91.212.41.85/backup/zv/s.php
2009-05-18 12:53:09 | 91.212.41.249 | 44050 | botnetcc | category: botweb url: http://zctk.ru/liwe/cfg.bin
2009-05-18 09:31:14 | 91.212.41.122 | 44050 | botnetcc | category: botweb url: http://rdcpglam.com/index.php
2009-05-19 09:31:46 | 91.212.41.240 | 44050 | botnetcc | category: botweb url: http://www.currentlywork.com/site/isl.php
2009-05-22 22:50:05 | 91.212.41.29  | 44050 | botnetcc | category: botweb url: http://91.212.41.29/log19.php
Malware distribution sites include:
2009-05-04 05:11:29 | 91.212.41.250 | 44050 | malwareurl | http://basdzsdas.com/poker/loader.exe
2009-05-04 05:09:03 | 91.212.41.246 | 44050 | malwareurl | http://keygroundc.com/download/1.exe
2009-05-04 05:08:57 | 91.212.41.245 | 44050 | malwareurl | http://online2168.com/123/bot.exe
2009-05-04 05:11:33 | 91.212.41.85  | 44050 | malwareurl | http://91.212.41.85/backup/zv/hook123.exe
2009-05-11 09:52:54 | 91.212.41.116 | 44050 | malwareurl | http://mougoalivee.com/dev2/money.exe
2009-05-11 12:21:17 | 91.212.41.29  | 44050 | malwareurl | http://91.212.41.29/l.php
2009-05-21 19:51:53 | 91.212.41.113 | 44050 | malwareurl | http://protection-centre.com/1/adv/142/index.html
2009-05-22 09:21:16 | 91.212.41.114 | 44050 | malwareurl | http://myplusantiviruspro.com/70072.exe
Plus a couple of phishing sites:
2009-05-15 05:46:50 | 91.212.41.105 | 44050 | phishing | http://91.212.41.105/book/bbva/bbva.php
2009-05-16 10:09:07 | 91.212.41.237 | 44050 | phishing | http://freak-vkontakte.org/photo34362276_127852389/
There's more if I go back further than 2009-05.
We see 268 DNS RRs pointed to hosts in 91.212.41.0/24. Let me know if
you want the list.
We have 336 samples in our malware menagerie that point to IPs in
91.212.41.0/24.
It appears to be a mix of Microsoft IIS 6.0, Apache 2, and some nginx.
This netblock has scored poorly in our reputation analysis.
timestamp           | netblock       | avg_score | max_score | rank | asn   | cc
--------------------- ---------------- ----------- ----------- ------ ------- ----
2009-04-26 06:30:02 | 91.212.41.0/24 | 4.67      | 6.00      | 340  | 29371 | RU
2009-04-27 06:30:02 | 91.212.41.0/24 | 4.57      | 6.00      | 397  | 29371 | RU
2009-04-28 06:30:02 | 91.212.41.0/24 | 4.14      | 6.00      | 628  | 29371 | RU
2009-04-29 06:30:03 | 91.212.41.0/24 | 4.29      | 6.00      | 476  | 29371 | RU
2009-04-30 06:30:03 | 91.212.41.0/24 | 4.43      | 6.00      | 396  | 29371 | RU
2009-05-01 06:30:02 | 91.212.41.0/24 | 4.57      | 6.00      | 393  | 29371 | RU
2009-05-02 06:30:02 | 91.212.41.0/24 | 4.86      | 6.00      | 330  | 29371 | RU
2009-05-03 06:30:03 | 91.212.41.0/24 | 4.43      | 6.00      | 575  | 44050 | RU
2009-05-04 06:30:03 | 91.212.41.0/24 | 4.43      | 6.00      | 557  | 44050 | RU
2009-05-05 06:30:02 | 91.212.41.0/24 | 4.43      | 6.00      | 373  | 44050 | RU
2009-05-06 06:30:03 | 91.212.41.0/24 | 4.43      | 6.00      | 339  | 44050 | RU
2009-05-07 06:30:02 | 91.212.41.0/24 | 4.43      | 6.00      | 309  | 44050 | RU
2009-05-08 06:30:02 | 91.212.41.0/24 | 4.29      | 6.00      | 312  | 44050 | RU
2009-05-09 06:30:03 | 91.212.41.0/24 | 4.14      | 5.00      | 297  | 44050 | RU
2009-05-10 06:30:02 | 91.212.41.0/24 | 4.00      | 5.00      | 256  | 44050 | RU
2009-05-11 06:30:03 | 91.212.41.0/24 | 3.86      | 5.00      | 284  | 44050 | RU
2009-05-12 06:30:03 | 91.212.41.0/24 | 3.86      | 5.00      | 338  | 44050 | RU
2009-05-13 06:30:03 | 91.212.41.0/24 | 3.57      | 5.00      | 451  | 44050 | RU
2009-05-14 06:30:03 | 91.212.41.0/24 | 3.29      | 5.00      | 674  | 44050 | RU
2009-05-15 06:30:03 | 91.212.41.0/24 | 3.57      | 6.00      | 476  | 44050 | RU
2009-05-16 06:30:03 | 91.212.41.0/24 | 3.43      | 6.00      | 563  | 44050 | RU
2009-05-17 06:30:02 | 91.212.41.0/24 | 3.71      | 6.00      | 409  | 44050 | RU
2009-05-18 06:30:02 | 91.212.41.0/24 | 3.29      | 6.00      | 694  | 44050 | RU
2009-05-19 06:30:03 | 91.212.41.0/24 | 3.43      | 6.00      | 589  | 44050 | RU
2009-05-20 06:30:02 | 91.212.41.0/24 | 3.57      | 6.00      | 563  | 44050 | RU
2009-05-21 06:30:03 | 91.212.41.0/24 | 3.14      | 6.00      | 973  | 44050 | RU
2009-05-22 06:30:03 | 91.212.41.0/24 | 2.86      | 4.00      | 1423 | 44050 | RU
2009-05-23 06:30:02 | 91.212.41.0/24 | 3.00      | 5.00      | 1206 | 44050 | RU
2009-05-24 06:30:02 | 91.212.41.0/24 | 3.00      | 5.00      | 1179 | 44050 | RU
2009-05-25 06:30:03 | 91.212.41.0/24 | 3.71      | 5.00      | 527  | 44050 | RU
2009-05-26 06:30:02 | 91.212.41.0/24 | 4.00      | 6.00      | 423  | 44050 | RU
2009-05-27 06:30:03 | 91.212.41.0/24 | 4.29      | 6.00      | 304  | 44050 | RU
2009-05-28 06:30:03 | 91.212.41.0/24 | 4.86      | 6.00      | 177  | 44050 | RU
2009-05-29 06:30:02 | 91.212.41.0/24 | 4.29      | 6.00      | 326  | 44050 | RU
2009-05-30 06:30:02 | 91.212.41.0/24 | 4.43      | 6.00      | 252  | 44050 | RU
2009-05-31 06:30:02 | 91.212.41.0/24 | 4.71      | 6.00      | 181  | 44050 | RU
2009-06-01 06:32:00 | 91.212.41.0/24 | 4.43      | 6.00      | 198  | 44050 | RU
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
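Working from the records in the message above as a defender would, the following added Python example (not Team Cymru's code or tooling) parses the pipe-delimited indicator lines into a lookup table and then runs constructed web-proxy log lines against it, flagging any request to a known indicator hostname or IP and, failing that, any destination inside the poorly scored 91.212.41.0/24. The five-field record layout (timestamp | ip | asn | kind | detail), the proxy log format and the log lines are assumptions made for this example; the indicator values are copied from the message. It goes slightly beyond the message by handling both detail variants (the `category: ... url: ...` form of the botnetcc rows and the bare-URL form of the malwareurl and phishing rows) in one parser.

```python
"""Turn pipe-delimited indicator records into a lookup table and match
constructed proxy log lines against it.

Added example, not Team Cymru code.  The record layout, the proxy log
format and the log lines are assumptions constructed for this example;
the indicator values come from the message.
"""
import ipaddress
from urllib.parse import urlsplit

# Feed records copied from the message (assumed layout:
# timestamp | ip | asn | kind | detail).
FEED = """
2009-05-05 07:25:39 | 91.212.41.85 | 44050 | botnetcc | category: botweb url: http://91.212.41.85/backup/zv/s.php
2009-05-18 12:53:09 | 91.212.41.249 | 44050 | botnetcc | category: botweb url: http://zctk.ru/liwe/cfg.bin
2009-05-04 05:11:29 | 91.212.41.250 | 44050 | malwareurl | http://basdzsdas.com/poker/loader.exe
2009-05-15 05:46:50 | 91.212.41.105 | 44050 | phishing | http://91.212.41.105/book/bbva/bbva.php
"""

# The netblock the message reports as scoring poorly.
BAD_NETBLOCK = ipaddress.ip_network("91.212.41.0/24")


def parse_record(line):
    """Parse one feed line into a dict; return None for blank or malformed lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5:
        return None
    ts, ip, asn, kind, detail = parts
    # botnetcc rows carry "category: <cat> url: <url>"; the others are a bare URL
    if detail.startswith("category:"):
        cat, _, url = detail[len("category:"):].partition("url:")
        category, url = cat.strip(), url.strip()
    else:
        category, url = None, detail
    return {
        "timestamp": ts,
        "ip": ipaddress.ip_address(ip),
        "asn": int(asn),
        "kind": kind,
        "category": category,
        "url": url,
        "host": urlsplit(url).hostname,  # hostname or literal IP from the URL
    }


def load_feed(text):
    """Parse every non-blank line of a feed dump."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def build_index(records):
    """Index indicators by URL hostname and by reported IP for O(1) lookups."""
    by_host, by_ip = {}, {}
    for r in records:
        by_host.setdefault(r["host"], []).append(r)
        by_ip.setdefault(r["ip"], []).append(r)
    return by_host, by_ip


# Constructed proxy log lines (assumed format: client_ip dest_host dest_ip url).
# 192.0.2.10 is a documentation-range address standing in for a benign site.
PROXY_LOG = """
10.1.2.3 www.example.com 192.0.2.10 http://www.example.com/
10.1.2.9 zctk.ru 91.212.41.249 http://zctk.ru/liwe/cfg.bin
10.1.5.7 unknown.example 91.212.41.77 http://91.212.41.77/x
10.1.2.3 basdzsdas.com 91.212.41.250 http://basdzsdas.com/poker/loader.exe
"""


def match_log(log_text, by_host, by_ip, netblock=BAD_NETBLOCK):
    """Return (client_ip, reason) for each line that hits a known indicator
    host or IP, or any destination inside the flagged netblock."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, host, dest, _url = line.split()
        dest_ip = ipaddress.ip_address(dest)
        if host in by_host:
            hits.append((client, "host:" + by_host[host][0]["kind"]))
        elif dest_ip in by_ip:
            hits.append((client, "ip:" + by_ip[dest_ip][0]["kind"]))
        elif dest_ip in netblock:
            hits.append((client, "netblock:" + str(netblock)))
    return hits


if __name__ == "__main__":
    by_host, by_ip = build_index(load_feed(FEED))
    for client, reason in match_log(PROXY_LOG, by_host, by_ip):
        print(client, reason)
```

The netblock check is deliberately the last resort: an exact indicator match tells you which kind of infrastructure the client reached (C&C, malware drop, phishing), while a bare netblock hit only says the destination sits in a block with a poor reputation and needs a closer look.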