[nsp-sec] ACK: 41,000+ likely Bifrose infections

Rodolfo Baader rbaader at arcert.gov.ar
Thu Jun 4 14:13:33 EDT 2009


Hi!

ACK for AR ASNs: 7303, 7908, 10318, 10481, 10834, 11664, 20207, 22927, 27747

Notifications were sent to the abuse/noc departments.


Details:
#TOTAL ASN Argentina: 9
#TOTAL IPs Argentina: 32

  11 22927
   7 7303
   4 10318
   3 27747
   2 11664
   2 10834
   1 7908
   1 20207
   1 10481


R.

Paul Dokas wrote:
> ----------- nsp-security Confidential --------
> 
> One of our users complained last Friday about an inbound DoS attack against
> one of their web servers (https://128.101.65.204/).  Looking over the logs,
> we found that tons of hosts from all over the world were hitting the HTTPS
> front page, but not trying to login at all.  Thanks to RobT and his remarkable
> malware database, he was able to tell me that there are variants of Bifrose
> that are using this site to check for Internet connectivity.
> 
> I pulled our flows for midnight -> 4am June 01 local time (GMT-5) and found
> the following list of 41,000+ IPs.  I suspect that there is a good chance that
> all of these hosts have some form of malware on them.
> 
>   https://asn.cymru.com/nsp-sec/upload/1243876952.whois.txt
> 
> Like I said, the times are all GMT-5 (Central US).  The number after the
> timestamp is the count of flows seen over that time period.
> 
> 
> Paul
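The triage the quoted message describes (pull flows toward the target in a time window, count flows per source, resolve sources to ASN and country, then produce the per-ASN count a national CERT acknowledges, as in the AR list above) as a worked example. This is added code, not the poster's or the nsp-sec tooling: the flow records and whois rows are constructed (documentation address ranges, the ASNs in the thread used as placeholders), and the whois text is assumed to follow the column layout of Team Cymru's verbose bulk-whois output, which the page itself does not show.

```python
"""Sinkhole hit-list triage: flows -> per-source counts -> per-ASN breakdown.

Constructed input throughout; the target address is the one named in the
thread, everything else is placeholder data for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime

TARGET = "128.101.65.204"
# Collector-local time (GMT-5 in the thread); naive datetimes are used on purpose.
WINDOW_START = datetime(2009, 6, 1, 0, 0, 0)
WINDOW_END = datetime(2009, 6, 1, 4, 0, 0)   # exclusive

# Constructed flow export, one flow per line:
# start-time  src_ip  dst_ip  dst_port  packets
FLOWS = """\
2009-06-01 00:02:11 198.51.100.7  128.101.65.204 443 6
2009-06-01 00:02:40 198.51.100.7  128.101.65.204 443 5
2009-06-01 00:15:03 198.51.100.23 128.101.65.204 443 6
2009-06-01 00:45:00 198.51.100.99 128.101.65.204 443 7
2009-06-01 00:50:00 192.0.2.48    128.101.65.204 443 6
2009-06-01 01:00:00 192.0.2.46    128.101.65.204 80  4
2009-06-01 01:00:00 192.0.2.47    128.101.65.205 443 6
2009-06-01 01:30:55 203.0.113.9   128.101.65.204 443 6
2009-06-01 02:10:12 203.0.113.9   128.101.65.204 443 6
2009-06-01 02:10:13 203.0.113.9   128.101.65.204 443 5
2009-06-01 03:59:59 192.0.2.44    128.101.65.204 443 6
2009-06-01 04:00:01 192.0.2.45    128.101.65.204 443 6
"""

# Constructed rows in the (assumed) Team Cymru verbose bulk-whois layout.
CYMRU = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
22927   | 198.51.100.7     | 198.51.100.0/25     | AR | lacnic   | 2009-01-01 | EXAMPLE-AR-A
22927   | 198.51.100.23    | 198.51.100.0/25     | AR | lacnic   | 2009-01-01 | EXAMPLE-AR-A
7303    | 198.51.100.99    | 198.51.100.64/26    | AR | lacnic   | 2009-01-01 | EXAMPLE-AR-B
7303    | 192.0.2.45       | 192.0.2.0/24        | AR | lacnic   | 2009-01-01 | EXAMPLE-AR-B
64496   | 203.0.113.9      | 203.0.113.0/24      | US | arin     | 2009-01-01 | EXAMPLE-US
64497   | 192.0.2.44       | 192.0.2.0/24        | BR | lacnic   | 2009-01-01 | EXAMPLE-BR
NA      | 192.0.2.46       | NA                  | NA | NA       | NA         | NA
"""


def parse_flows(text):
    """Turn the constructed flow export into dicts with a parsed timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, src, dst, port, pkts = line.split()
        flows.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "dport": int(port), "pkts": int(pkts),
        })
    return flows


def flows_per_source(flows, dst_ip, dst_port, start, end):
    """Flows per source IP toward dst_ip:dst_port with start <= ts < end.

    Everything else (other ports, other destinations, flows outside the
    window) is dropped, so the result is the 'hit list' of the thread."""
    counts = Counter()
    for f in flows:
        if f["dst"] == dst_ip and f["dport"] == dst_port and start <= f["ts"] < end:
            counts[f["src"]] += 1
    return counts


def parse_cymru(text):
    """Map ip -> (asn, cc, as_name) from verbose bulk-whois rows; skip header and NA."""
    result = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or fields[0] in ("AS", "NA"):
            continue
        asn, ip, _prefix, cc, _registry, _allocated, name = fields
        result[ip] = (int(asn), cc, name)
    return result


def asn_breakdown(counts, asn_map, cc):
    """Distinct source IPs per ASN for one country, ordered like `sort | uniq -c | sort -rn`.

    Returns (rows, unresolved): rows are (ip_count, asn) tuples, unresolved
    lists hit-list IPs the whois data did not map (they need a second look,
    not silent dropping)."""
    per_asn = defaultdict(set)
    unresolved = []
    for ip in counts:
        info = asn_map.get(ip)
        if info is None:
            unresolved.append(ip)
            continue
        asn, ip_cc, _name = info
        if ip_cc == cc:
            per_asn[asn].add(ip)
    rows = sorted(((len(ips), asn) for asn, ips in per_asn.items()),
                  key=lambda r: (-r[0], r[1]))
    return rows, unresolved


def format_ack(rows, cc):
    """Render the per-ASN table in the shape of the ACK reply above."""
    total_ips = sum(n for n, _ in rows)
    lines = [f"#TOTAL ASN {cc}: {len(rows)}", f"#TOTAL IPS {cc}: {total_ips}"]
    lines += [f"{n:4d} {asn}" for n, asn in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = flows_per_source(parse_flows(FLOWS), TARGET, 443, WINDOW_START, WINDOW_END)
    rows, unresolved = asn_breakdown(hits, parse_cymru(CYMRU), "AR")
    print(format_ack(rows, "AR"))
    if unresolved:
        print("# unresolved:", ", ".join(unresolved))
```

The window end is exclusive and the destination port is matched exactly, so a flow at 04:00:01 or to port 80 never reaches the whois step; dedupe to distinct IPs before bulk lookups, since the same source can appear with many flows. A list built this way is still only a candidate list: anything that fetches the front page in that window (monitoring, crawlers, curious humans) lands on it alongside the bots, which is why the quoted message says "good chance" rather than "certainly".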


