[nsp-sec] ACK: HTTP Bot C&C Hits - 2009-06-15

Rodolfo Baader rbaader at arcert.gov.ar
Tue Jun 16 17:55:22 EDT 2009


Hi!

ACK for AR ASNs:
3449
7303
10318
10481
11664
16814
19037
22927
27747

Notifications were sent to the abuse/noc departments.

*--------------------------------
Details:
#TOTAL ASN Argentina: 9
#TOTAL IPS Argentina: 26 total

   9 7303
   6 22927
   4 10318
   2 10481
   1 3449
   1 11664
   1 16814
   1 19037
   1 27747
*--------------------------------

R.


Tim Wilde wrote:
> ----------- nsp-security Confidential --------
> 
> Greetings everyone!
> 
> We have received a list of approximately 120,000 IPs that were seen
> fetching a page of encrypted command and control content via HTTP from a
> major hosting provider within an approximately 36 hour period ending
> yesterday afternoon.  That provider does not want to be named, but has
> asked us to distribute this data to our contacts so that they can
> identify the bots within their networks.
> 
> We have a considerable degree of certainty that any IP hitting the page
> in question is a bot, and though the actual C&C content was disabled
> some time ago, it is likely that these IPs are continuing to hit the
> page in question.  The requests would be standard HTTP on TCP/80.
> 
> You can find individual lists of IPs for each ASN that had hits at the
> following URL:
> 
> 	https://www.cymru.com/nsp-sec/Owned/httpbot-20090615/
> 
> The column after the IP address is the timestamp of the last hit seen
> from that IP at the time the sample was taken, in UTC.
> 
> Below my .signature you will find a list of the ASNs included, along
> with the number of hits for each ASN (first column is ASN, second is
> number of hits).  This file can also be found here:
> 
> 	https://www.cymru.com/nsp-sec/Owned/httpbot-20090615/asnlist.txt
> 
> Please take a look at the hits for your ASN(s) and take whatever actions
> you deem appropriate.  Please let us know if you have any questions, or
> if we can attempt to get any further data from the provider in question
> that would make these reports more useful.
> 
> Best Regards,
> Tim Wilde
> 

_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________



