[nsp-sec] Fast flux or Botnet - Facebook Phish | malware - ns1.castlebin.com | 8.12.160.183 - AS40935 RELYNET - RelyNet Inc

Shelton, Steve sshelton at Cogentco.com
Wed Mar 11 16:04:31 EDT 2009


All,

I just spotted what appears to be a fast flux - botnet serving up
Phished | malware sites referencing Facebook.

We had a customer with an exploited server that was auth for
centredownloadpatch.com and needplaeradobe.com for a short stint. Both
domains have numerous A records and very low TTL, so this is likely
fast flux or botnet related.

Note that ns2.castlebin.com appears to be pointed at a DOD network /32,
which is lame delegation, and once I impacted the routing for what was
ns1.castlebin.com on our end, 8.12.160.183 took up the slack within a
matter of minutes it seemed.

03/11/09 13:49:19 whois ns1.castlebin.com at whois.internic.net

whois -h whois.internic.net ns1.castlebin.com ...

Whois Server Version 2.0

   Server Name: NS1.CASTLEBIN.COM
   IP Address: 8.12.160.183
   Registrar: BIZCN.COM, INC.


Wed Mar 11 20:38:54 2009

centredownloadpatch.com. 202	IN	A	76.122.72.90
centredownloadpatch.com. 202	IN	A	66.138.7.3
centredownloadpatch.com. 202	IN	A	68.220.37.205
centredownloadpatch.com. 202	IN	A	69.234.146.136
centredownloadpatch.com. 202	IN	A	75.57.61.217

Wed Mar 11 20:47:06 2009

needplaeradobe.com.	1800	IN	A	66.138.7.3
needplaeradobe.com.	1800	IN	A	69.234.146.136
needplaeradobe.com.	1800	IN	A	75.57.61.217
needplaeradobe.com.	1800	IN	A	75.118.162.91
needplaeradobe.com.	1800	IN	A	76.122.72.90


Some current URL[s] I see are:

hxxp://facebook.shared.cebmainservlet.personalid-o2pirj9c8.logon.centredownloadpatch.com/home.htm?/permissions/application=5639sgmlqzd4mrb

Or

hxxp://facebook.shared.cebmainservlet.personalid-o2pirj9c8.logon.centredownloadpatch.com/../Adobe_Player11.exe


6389    | 68.220.37.205    | BELLSOUTH-NET-BLK - BellSouth.net Inc.
7132    | 69.234.146.136   | SBIS-AS - AT&T Internet Services
7132    | 75.57.61.217     | SBIS-AS - AT&T Internet Services
7725    | 76.122.72.90     | CCH-AS7 - Comcast Cable Communications Holdings, Inc
13368   | 66.138.7.3       | JCP - James Cable Partners
29895   | 75.118.162.91    | WOW-INTERNET-COL - WideOpenWest Finance LLC
40935   | 8.12.160.183     | RELYNET - RelyNet Inc.

Steve Shelton
Network Security Engineer
Cogent Communications
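The indicators Steve lists (many A records per name, a short TTL, addresses spread across several consumer access networks) can be turned into a triage check over dig output. This is an added example, not code from the post or from Cogent; the record lines and AS table are the ones quoted above, example.net / 192.0.2.10 is a constructed control record, and the numeric thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed input: dig lines quoted in the post plus a benign control (documentation values).
SAMPLE_DIG = """\
centredownloadpatch.com. 202    IN  A   76.122.72.90
centredownloadpatch.com. 202    IN  A   66.138.7.3
centredownloadpatch.com. 202    IN  A   68.220.37.205
centredownloadpatch.com. 202    IN  A   69.234.146.136
centredownloadpatch.com. 202    IN  A   75.57.61.217
needplaeradobe.com.     1800    IN  A   66.138.7.3
needplaeradobe.com.     1800    IN  A   69.234.146.136
needplaeradobe.com.     1800    IN  A   75.57.61.217
needplaeradobe.com.     1800    IN  A   75.118.162.91
needplaeradobe.com.     1800    IN  A   76.122.72.90
example.net.            86400   IN  A   192.0.2.10
"""
# Origin AS per address, from the AS table in the post; stands in for a live lookup.
ASN_OF = {"68.220.37.205": 6389, "69.234.146.136": 7132, "75.57.61.217": 7132,
          "76.122.72.90": 7725, "66.138.7.3": 13368, "75.118.162.91": 29895}
A_LINE = re.compile(r"^(\S+?)\.?\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_a_records(text):
    """Group A answers by owner name -> {"ttl": lowest TTL seen, "ips": [...]}."""
    by_name = defaultdict(lambda: {"ttl": None, "ips": []})
    for line in text.splitlines():
        m = A_LINE.match(line.strip())
        if not m:
            continue  # headers, comments and non-A records are ignored
        name, ttl, ip = m.group(1).lower(), int(m.group(2)), m.group(3)
        entry = by_name[name]
        entry["ttl"] = ttl if entry["ttl"] is None else min(entry["ttl"], ttl)
        entry["ips"].append(ip)
    return dict(by_name)

def flux_indicators(entry, asn_of, max_ttl=1800, min_ips=5, min_asns=3):
    """Post's heuristic: many A records, short TTL, spread over several ASNs (thresholds assumed)."""
    asns = {asn_of.get(ip) for ip in entry["ips"]} - {None}
    reasons = []
    if len(entry["ips"]) >= min_ips:
        reasons.append(f"{len(entry['ips'])} A records")
    if entry["ttl"] <= max_ttl:
        reasons.append(f"TTL {entry['ttl']}s")
    if len(asns) >= min_asns:
        reasons.append(f"{len(asns)} origin ASNs")
    return {"suspect": len(reasons) == 3, "asns": sorted(asns), "reasons": reasons}

def triage(text, asn_of=ASN_OF):
    return {n: flux_indicators(e, asn_of) for n, e in parse_a_records(text).items()}
```

Feed it the output of `dig +noall +answer <name> A` collected over several minutes; a name whose address set keeps changing between runs while staying spread over access-network ASNs is the case worth escalating.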


