[nsp-sec] HTTP Bot C&C Hits - 2009-06-15

Vidar Østmo vidar.ostmo at ventelo.no
Tue Jun 16 09:52:53 EDT 2009


Thanks, and ACK for asn 2116.

Best Regards
Vidar Østmo - BaneTele/Ventelo
asn 2116/3307 - vidar.ostmo at ventelo.no - Tel:+47 47 9000 97


On 6/16/09 3:31 PM, "Tim Wilde" <twilde at cymru.com> wrote:

> ----------- nsp-security Confidential --------
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Greetings everyone!
> 
> We have received a list of approximately 120,000 IPs that were seen
> fetching a page of encrypted command and control content via HTTP from a
> major hosting provider within an approximately 36 hour period ending
> yesterday afternoon.  That provider does not want to be named, but has
> asked us to distribute this data to our contacts so that they can
> identify the bots within their networks.
> 
> We have a considerable degree of certainty that any IP hitting the page
> in question is a bot, and though the actual C&C content was disabled
> some time ago, it is likely that these IPs are continuing to hit the
> page in question.  The requests would be standard HTTP on TCP/80.
> 
> You can find individual lists of IPs for each ASN that had hits at the
> following URL:
> 
>         https://www.cymru.com/nsp-sec/Owned/httpbot-20090615/
> 
> The column after the IP address is the timestamp of the last hit seen
> from that IP at the time the sample was taken, in UTC.
> 
> Below my .signature you will find a list of the ASNs included, along
> with the number of hits for each ASN (first column is ASN, second is
> number of hits).  This file can also be found here:
> 
>         https://www.cymru.com/nsp-sec/Owned/httpbot-20090615/asnlist.txt
> 
> Please take a look at the hits for your ASN(s) and take whatever actions
> you deem appropriate.  Please let us know if you have any questions, or
> if we can attempt to get any further data from the provider in question
> that would make these reports more useful.
> 
> Best Regards,
> Tim Wilde
> 
> - --
> Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
> twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
> 



