[nsp-sec] The ugly on AS39823 | 92.62.96.0/20
Sidney Faber
sfaber at cert.org
Mon May 4 08:37:47 EDT 2009
Looks like the primary DNS server's at 95.129.144.210, I see traffic to
web servers at 95.129.144.144.11,13,228,229,244 and 95.129.145.242. Is
there anything legit here?
Shelton, Steve wrote:
> ----------- nsp-security Confidential --------
>
> Hillar,
>
> Thanks for the heads up, will take a look in a few. I'm hoping that the
> Rustock C&C does not come back up.
>
> Steve Shelton
> Network Security Engineer
> Cogent Communications
>
>
> -----Original Message-----
> From: Hillar Aarelaid [mailto:hillar.aarelaid at cert.ee]
> Sent: Monday, May 04, 2009 6:03 AM
> To: Shelton, Steve
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] The ugly on AS39823 | 92.62.96.0/20
>
>
> On Apr 9, 2009, at 4:42 PM, Shelton, Steve wrote:
>
>> I've spent the better part of a week investigating and negating some
>> awful - nefarious sources translating to AS39823 within 92.62.96.0/20, most
>> but not all of the ugly was on 92.62.101.0/24. You'll find a ton of
>> Malware, C&C's and rogue security applications within the 101.0/24.
>>
>> inetnum: 92.62.101.0 - 92.62.101.255
>> netname: STARLINE_EE
>> descr: Starline Web Service
>
> I have a feeling that Starline found a new home at 95.129.144.0/23
> AS48856
>
> Will look into it after returning from Lyon
>
> Hillar
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
--
Sid Faber
Member of the Technical Staff
CERT Software Engineering Institute
Carnegie Mellon University
sfaber at cert.org