[nsp-sec] Mebroot/Torpig (AS 13618, 23498, 32475)

Tom Fischer tfischer at bfk.de
Mon Mar 30 04:36:15 EDT 2009


Hi Krista,

On Fri, Mar 27, 2009 at 04:10:47PM -0400, Krista Hickey wrote:
> Apologies for the ongoing issues with 74.213.179.173 and AS 23498 -- I
> don't mean to make excuses but AS23498 is a new acquisition for
> Cogeco and it's being operated as a separate entity so I'm having some
> "challenges" getting things done right now but I promise I am yelling
> and screaming...I just simply do not have access to that system to do
> anything but I am working on some alternate avenues right now so please
> continue to forward me any information.

thanks for your help!

74.213.179.173 moved to 74.213.179.177
see e.g.
http://74.213.179.177/6BA7FCB5C5FF8943369CF258BE34EA/&p1=1 
to get a list of the triggers/targets ...



> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> > bounces at puck.nether.net] On Behalf Of Tom Fischer
> > Sent: Wednesday, March 25, 2009 6:30 AM
> > To: nsp-security at puck.nether.net
> > Subject: [nsp-sec] Mebroot/Torpig (AS 13618, 23498, 32475)
> > 
> > ----------- nsp-security Confidential --------
> > 
> > Hi,
> > 
> > please help to nuke/null route the following Mebroot/Torpig hosts:
> > 
> > 
> > Mebroot:
> > --------
> > bsgigeic.com
> > 2009-03-23 22:10:32 2009-03-25 10:17:56 bsgigeic.com A 65.60.42.10
> > 2009-03-23 22:10:32 2009-03-25 10:17:56 bsgigeic.com NS ns1.everydns.net
> > 2009-03-23 22:10:32 2009-03-25 10:17:56 bsgigeic.com NS ns2.everydns.net
> > 2009-03-23 22:10:32 2009-03-25 10:17:56 bsgigeic.com NS ns3.everydns.net
> > 2009-03-23 22:10:32 2009-03-25 10:17:56 bsgigeic.com NS ns4.everydns.net
> > 
> > AS      | IP               | AS Name
> > 32475   | 65.60.42.10      | SINGLEHOP-INC - SingleHop
> > 
> > PEER_AS | IP               | AS Name
> > 6461    | 65.60.42.10      | MFNX MFN - Metromedia Fiber Network
> > 23352   | 65.60.42.10      | SERVERCENTRAL - Server Central Network
> > 
> > 
> > Torpig:
> > -------
> > flippibi.com/rikora.com/pinakola.com
> > 2009-03-09 08:27:59 2009-03-25 10:01:00 flippibi.com A 69.59.26.51
> > 2009-03-09 08:27:38 2009-03-25 10:20:57 rikora.com A 69.59.26.51
> > 2009-03-09 08:27:48 2009-03-25 10:20:57 pinakola.com A 69.59.26.51
> > 
> > AS      | IP               | AS Name
> > 13618   | 69.59.26.51      | CARONET-ASN - Carolina Internet
> > 
> > PEER_AS | IP               | AS Name
> > 3356    | 69.59.26.51      | LEVEL3 Level 3 Communications
> > 4323    | 69.59.26.51      | TWTC - tw telecom holdings, inc.
> > 7018    | 69.59.26.51      | ATT-INTERNET4 - AT&T WorldNet Services
> > 
> > 
> > nvdhtram.biz
> > 2009-03-24 13:39:21 2009-03-25 10:14:05 nvdhtram.biz A 76.76.22.199
> > 2009-03-23 08:08:37 2009-03-25 10:23:17 nvdhtram.biz NS ns1.everydns.net
> > 2009-03-23 08:08:37 2009-03-25 10:23:17 nvdhtram.biz NS ns2.everydns.net
> > 2009-03-23 08:08:37 2009-03-25 10:23:17 nvdhtram.biz NS ns3.everydns.net
> > 2009-03-23 08:08:37 2009-03-25 10:23:17 nvdhtram.biz NS ns4.everydns.net
> > 
> > AS      | IP               | AS Name
> > 13618   | 76.76.22.199     | CARONET-ASN - Carolina Internet
> > 
> > PEER_AS | IP               | AS Name
> > 3356    | 76.76.22.199     | LEVEL3 Level 3 Communications
> > 4323    | 76.76.22.199     | TWTC - tw telecom holdings, inc.
> > 7018    | 76.76.22.199     | ATT-INTERNET4 - AT&T WorldNet Services
> > 
> > 
> > 74.213.179.173
> > 
> > AS      | IP               | AS Name
> > 23498   | 74.213.179.173   | CDSI - Cogeco Data Services Inc.
> > 
> > PEER_AS | IP               | AS Name
> > 852     | 74.213.179.173   | ASN852 - Telus Advanced Communications
> > 7992    | 74.213.179.173   | COGECOWAVE - Cogeco Cable
> > 19752   | 74.213.179.173   | HYDROONETELECOM - Hydro One Telecom Inc.
> > 
> > --
> > Tom Fischer
> > BFK edv-consulting GmbH                  tel: +49 721 962 01-1
> > Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99
> > 
> > 
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> > 
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________
> 
End of Excerpt of Message from Krista Hickey.

-- 
Tom Fischer
BFK edv-consulting GmbH                  tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99
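Added example, not part of Tom's request or of any tool the list uses: the indicator rows above are "first seen / last seen / name / rrtype / rdata" passive-DNS lines plus an "AS | IP | AS Name" origin table. The Python below parses both (the rows quoted in the message are embedded as sample input), keeps only the A-record targets and the bare IP, records which domains share a host, groups the hosts per origin ASN so each network gets one request, and emits /32 discard routes. The IOS-style `ip route ... Null0` syntax is an assumption about the reader's blackhole router; the message names no platform. As the thread itself shows (74.213.179.173 moved to .177), re-resolve the names before installing anything.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Sample input: the passive-DNS rows quoted in the request, quote markers stripped.
PDNS_RECORDS = """\
2009-03-23 22:10:32 2009-03-25 10:17:56 bsgigeic.com A 65.60.42.10
2009-03-23 22:10:32 2009-03-25 10:17:56 bsgigeic.com NS ns1.everydns.net
2009-03-09 08:27:59 2009-03-25 10:01:00 flippibi.com A 69.59.26.51
2009-03-09 08:27:38 2009-03-25 10:20:57 rikora.com A 69.59.26.51
2009-03-09 08:27:48 2009-03-25 10:20:57 pinakola.com A 69.59.26.51
2009-03-24 13:39:21 2009-03-25 10:14:05 nvdhtram.biz A 76.76.22.199
2009-03-23 08:08:37 2009-03-25 10:23:17 nvdhtram.biz NS ns1.everydns.net
"""

# Sample input: the origin-AS rows from the request (peer-AS rows left out on purpose).
AS_TABLE = """\
AS      | IP               | AS Name
32475   | 65.60.42.10      | SINGLEHOP-INC - SingleHop
13618   | 69.59.26.51      | CARONET-ASN - Carolina Internet
13618   | 76.76.22.199     | CARONET-ASN - Carolina Internet
23498   | 74.213.179.173   | CDSI - Cogeco Data Services Inc.
"""

PDNS_LINE = re.compile(
    r"^(?P<first>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<last>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<name>\S+) (?P<rrtype>[A-Z]+) (?P<rdata>\S+)$"
)


def parse_pdns(text):
    """Parse 'first_seen last_seen name rrtype rdata' rows; ignore anything else."""
    return [m.groupdict() for line in text.splitlines()
            if (m := PDNS_LINE.match(line.strip()))]


def c2_ips(records, extra_ips=()):
    """A-record targets plus bare IPs named in the request. NS rows are skipped:
    the name servers (everydns.net) are a third party, not the C2 host."""
    ips = {ip_address(r["rdata"]) for r in records if r["rrtype"] == "A"}
    ips.update(ip_address(ip) for ip in extra_ips)  # ip_address() rejects junk
    return ips


def domains_by_ip(records):
    """Which names resolved to each host (shows shared C2 infrastructure)."""
    seen = defaultdict(set)
    for r in records:
        if r["rrtype"] == "A":
            seen[r["rdata"]].add(r["name"])
    return dict(seen)


def parse_as_table(text):
    """Map IP -> origin ASN from the 'AS | IP | AS Name' table."""
    origin = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # header line
        origin[ip_address(parts[1])] = int(parts[0])
    return origin


def group_by_asn(ips, origin):
    """Bucket hosts per origin AS so each network receives one abuse request.
    Hosts with no table entry land under key None and need a manual lookup."""
    buckets = defaultdict(list)
    for ip in sorted(ips):
        buckets[origin.get(ip)].append(str(ip))
    return dict(buckets)


def null_routes(ips):
    """/32 discard routes in IOS syntax (assumed platform; adapt to your own)."""
    return [f"ip route {ip} 255.255.255.255 Null0" for ip in sorted(ips)]


if __name__ == "__main__":
    recs = parse_pdns(PDNS_RECORDS)
    ips = c2_ips(recs, extra_ips=["74.213.179.173"])
    for asn, hosts in sorted(group_by_asn(ips, parse_as_table(AS_TABLE)).items()):
        print(f"AS{asn}: {', '.join(hosts)}")
    print("\n".join(null_routes(ips)))
```

The peer-AS rows are deliberately not fed to `parse_as_table`: they identify upstreams that could also blackhole the prefix, but the request belongs to the origin network first.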


