[nsp-sec] ACK 14618 Re: HTTP Bot C&C Hits - 2009-06-15

Dave Burke dave at amazon.com
Tue Jun 16 09:47:26 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ack 14618

thanks,
dave

Tim Wilde wrote:
> ----------- nsp-security Confidential --------
> 
> Greetings everyone!
> 
> We have received a list of approximately 120,000 IPs that were seen
> fetching a page of encrypted command and control content via HTTP from a
> major hosting provider within an approximately 36 hour period ending
> yesterday afternoon.  That provider does not want to be named, but has
> asked us to distribute this data to our contacts so that they can
> identify the bots within their networks.
> 
> We have a considerable degree of certainty that any IP hitting the page
> in question is a bot, and though the actual C&C content was disabled
> some time ago, it is likely that these IPs are continuing to hit the
> page in question.  The requests would be standard HTTP on TCP/80.
> 
> You can find individual lists of IPs for each ASN that had hits at the
> following URL:
> 
>         https://www.cymru.com/nsp-sec/Owned/httpbot-20090615/
> 
> The column after the IP address is the timestamp of the last hit seen
> from that IP at the time the sample was taken, in UTC.
> 
> Below my .signature you will find a list of the ASNs included, along
> with the number of hits for each ASN (first column is ASN, second is
> number of hits).  This file can also be found here:
> 
>         https://www.cymru.com/nsp-sec/Owned/httpbot-20090615/asnlist.txt
> 
> Please take a look at the hits for your ASN(s) and take whatever actions
> you deem appropriate.  Please let us know if you have any questions, or
> if we can attempt to get any further data from the provider in question
> that would make these reports more useful.
> 
> Best Regards,
> Tim Wilde
> 

_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAko3om0ACgkQvMJ1IGjTxcEWmQCdF0NXK27D54f8PiyF66tlSxEX
cLIAoKeFoW/2ubAGQdLJpyMd7KiI/NRz
=ISrR
-----END PGP SIGNATURE-----



Amazon Data Services Ireland Limited registered office: Riverside One, Sir John Rogerson's Quay, Dublin 2, Ireland. Registered in Ireland. Registration number 390566.

