[nsp-sec] hints about DDoS against 88.80.216.114 (abuse.ch) ?

Rob Thomas robt at cymru.com
Mon Jun 29 12:36:05 EDT 2009


Hi, Rolf.

Sorry to hear about the DDoS!

> does anyone have some intel ( especially C&C server)
> about a DDoS against abuse.ch (88.80.216.114).

We see two samples in our malware menagerie that reference 88.80.216.114.

      timestamp      |                   sha1                   |               md5                |    dst_ip     | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
 2009-06-24 11:22:00 | 1f7cbaec722fe410490bf899e737f3167e8ca420 | 9d7c42c5fa0c65d66bd60e0cc38b1cc8 | 88.80.216.114 |       80 |        6 |  349
 2009-05-22 07:02:55 | 22a83810f14ff1f177b868b01fe8489e774fee3f | 3a1bcd7a5019e5be6c316eed654dbbf4 | 88.80.216.114 |       80 |        6 |  348

The most recent one is interesting, and perhaps part of what you've
endured.  It has names such as:

DPTJIOYWFW-690.pms.exe.SVD
userinit.exe
05DEA666.EXE

It performs several HTTP GETs, one of which might impact you.

GET http://dx5.biz/3/gt.php?id=44a2fac4
USERAGENT ie

GET http://crew.abnc-portal.com/tpmgs.exe
USERAGENT ie

GET http://business-networks.info/data/images/ftp.exe
USERAGENT ie

It appears the second one is tied to 88.80.216.114.

        stamp        |        qname         | class | type |     rdata
--------------------- ---------------------- ------- ------ ---------------
 2009-05-29 06:10:05 | alpha.abuse.ch       | IN    | A    | 88.80.216.114
 2009-05-20 14:09:25 | crew.abnc-portal.com | IN    | A    | 88.80.216.114
 2009-06-22 20:15:39 | www.abuse.ch         | IN    | A    | 88.80.216.114

The dx5.biz URL spits out:  http://crew.abnc-portal.com/tpmgs.exe.

The tpmgs.exe file comes back as one byte "very short file (no magic),"
and the ftp.exe file is error 404.

Is your constituent aware of the crew.abnc-portal.com DNS RR and the
tpmgs.exe file?

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
https://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
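The pivot Rob walks through above (victim IP -> passive DNS names -> URLs the sample fetched) as an added example; this is not code from the message or from Team Cymru, and the pDNS rows, URLs and the "known good" suffix list are constructed here from the values quoted in the message:

```python
from datetime import datetime
from urllib.parse import urlsplit

# Passive DNS rows (stamp, qname, class, type, rdata), copied from the message.
PDNS_ROWS = [
    ("2009-05-29 06:10:05", "alpha.abuse.ch", "IN", "A", "88.80.216.114"),
    ("2009-05-20 14:09:25", "crew.abnc-portal.com", "IN", "A", "88.80.216.114"),
    ("2009-06-22 20:15:39", "www.abuse.ch", "IN", "A", "88.80.216.114"),
]

# HTTP GETs performed by the sandboxed sample, as listed in the message.
SAMPLE_URLS = [
    "http://dx5.biz/3/gt.php?id=44a2fac4",
    "http://crew.abnc-portal.com/tpmgs.exe",
    "http://business-networks.info/data/images/ftp.exe",
]

# Suffixes the victim owns (constructed for this example); any other name that
# resolves to the victim IP is a third-party record worth asking about.
KNOWN_GOOD_SUFFIXES = ("abuse.ch",)


def names_for_ip(pdns_rows, ip):
    """Return {qname: [datetime, ...]} for IN A records whose rdata equals ip."""
    out = {}
    for stamp, qname, rrclass, rrtype, rdata in pdns_rows:
        if rrclass == "IN" and rrtype == "A" and rdata == ip:
            seen = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            out.setdefault(qname.lower().rstrip("."), []).append(seen)
    return out


def foreign_names(name_map, good_suffixes):
    """Names pointing at the IP that are not under any suffix the victim owns."""
    return sorted(
        n for n in name_map
        if not any(n == s or n.endswith("." + s) for s in good_suffixes)
    )


def urls_hitting_ip(urls, name_map):
    """(url, host) pairs whose hostname passive DNS shows resolving to the IP."""
    hits = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host in name_map:
            hits.append((url, host))
    return hits
```

For the data in the message, `foreign_names` singles out crew.abnc-portal.com and `urls_hitting_ip` ties it to the tpmgs.exe GET, which is the question put to the constituent above.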