[nsp-sec] The ugly on AS39823 | 92.62.96.0/20
Shelton, Steve
sshelton at Cogentco.com
Mon May 4 08:55:25 EDT 2009
Guys,
Ouch, do I see ugly and nothing that appears legit! There are quite a
few NS's there that AUTH for numerous injected urls that are on
thousands if not millions of sites aimed at payload sites within
213.163.91.0/24.
betworldwager.cn 213.163.91.93
cutlot.cn 213.163.91.93
etc.. 213.163.91.93
The rustock C&C was living at ds27.starline.su:5191/ on the old Starline
prefixes. Still looking for a | the potential new home for rustock on
the prefixes in question.
From what I can tell, the entire prefix appears to be home for a
nefarious bunch of critters and routing to | from needs to be weighed
against one's sec policy.
Steve Shelton
Network Security Engineer
Cogent Communications
-----Original Message-----
From: Sidney Faber [mailto:sfaber at cert.org]
Sent: Monday, May 04, 2009 6:38 AM
To: Shelton, Steve
Cc: Hillar Aarelaid; nsp-security at puck.nether.net
Subject: Re: [nsp-sec] The ugly on AS39823 | 92.62.96.0/20
Looks like the primary DNS server's at 95.129.144.210, I see traffic to
web servers at 95.129.144.144.11,13,228,229,244 and 95.129.145.242. Is
there anything legit here?
Shelton, Steve wrote:
> ----------- nsp-security Confidential --------
>
> Hiller,
>
> Thanks for the heads up, will take a look in a few. I'm hoping that the
> rustock C&C does not come back up.
>
> Steve Shelton
> Network Security Engineer
> Cogent Communications
>
>
> -----Original Message-----
> From: Hillar Aarelaid [mailto:hillar.aarelaid at cert.ee]
> Sent: Monday, May 04, 2009 6:03 AM
> To: Shelton, Steve
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] The ugly on AS39823 | 92.62.96.0/20
>
>
> On Apr 9, 2009, at 4:42 PM, Shelton, Steve wrote:
>
>> I've spent the better part of a week investigating and negating some
>> awful - nefarious sources translating to AS39823 within 92.62.96.0/20, most
>> but not all of the ugly was on 92.62.101.0/24. You'll find a ton of
>> Malware, C&C's and rogue security applications within the 101.0/24.
>>
>> inetnum: 92.62.101.0 - 92.62.101.255
>> netname: STARLINE_EE
>> descr: Starline Web Service
>
> I have a feeling that Starline found a new home at 95.129.144.0/23
> AS48856
>
> will look into after return from Lyon
>
> Hillar
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet
> security counter-measures.
> _______________________________________________
--
Sid Faber
Member of the Technical Staff
CERT Software Engineering Institute
Carnegie Mellon University
sfaber at cert.org
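The thread's core check, "which of these hostnames resolve into the prefixes we are watching, and which single address answers for many of them", as an added example that is not part of the thread and not Cogent's, CERT's or the list's tooling. The prefixes are the ones named above (92.62.96.0/20, 92.62.101.0/24, 213.163.91.0/24, 95.129.144.0/23); the resolver answers are a constructed sample so the script runs offline, with only betworldwager.cn and cutlot.cn at 213.163.91.93 taken from the thread and every other hostname/address pair made up for illustration. The helper names (`classify`, `domains_per_prefix`, `hosts_to_review`) are this example's own.

```python
"""Check which hostnames from a suspect list resolve into watched prefixes.

Added illustration for the thread above; not the list's, Cogent's or CERT's code.
The prefixes are the ones named in the thread; the resolver answers are a
CONSTRUCTED sample so the script runs offline.  Feed it answers from a
resolver you trust when doing a real review.
"""
import ipaddress
from collections import defaultdict

# Prefixes that appear in the thread, with a short label for reporting.
WATCHED_PREFIXES = {
    "92.62.96.0/20": "AS39823 /20 (original report)",
    "92.62.101.0/24": "STARLINE_EE /24 (old Starline home)",
    "213.163.91.0/24": "payload /24 behind injected URLs",
    "95.129.144.0/23": "AS48856 /23 (suspected new Starline home)",
}

# CONSTRUCTED resolver answers: hostname -> A records.  Only the first two
# hostname/IP pairs appear in the thread; the rest are made-up placeholders
# (198.51.100.0/24 is a documentation range).
SAMPLE_ANSWERS = {
    "betworldwager.cn": ["213.163.91.93"],
    "cutlot.cn": ["213.163.91.93"],
    "ds27.starline.su": ["92.62.101.40"],       # constructed address in the old /24
    "cdn.example.test": ["198.51.100.7"],       # constructed, outside every watched prefix
    "mirror.example.test": ["95.129.145.242", "198.51.100.8"],  # hostname constructed
}


def _networks(prefixes):
    """Parse prefix strings once; longest prefix first so the most specific match wins."""
    nets = [(ipaddress.ip_network(p, strict=True), label) for p, label in prefixes.items()]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def classify(answers, prefixes=WATCHED_PREFIXES):
    """Return {hostname: [(ip, prefix, label), ...]} for answers inside a watched prefix.

    Hostnames whose records all fall outside the watched space map to an empty
    list, so the caller can tell 'checked and clean' from 'not checked'.
    """
    nets = _networks(prefixes)
    result = {}
    for host, records in answers.items():
        hits = []
        for record in records:
            addr = ipaddress.ip_address(record)
            for net, label in nets:
                if addr in net:
                    hits.append((record, str(net), label))
                    break  # report the most specific prefix only
        result[host] = hits
    return result


def domains_per_prefix(classified):
    """Group hostnames by the watched prefix they land in, for a per-prefix view."""
    grouped = defaultdict(set)
    for host, hits in classified.items():
        for _ip, prefix, _label in hits:
            grouped[prefix].add(host)
    return {prefix: sorted(hosts) for prefix, hosts in grouped.items()}


def hosts_to_review(classified, min_domains=2):
    """IPs inside watched prefixes that answer for at least min_domains hostnames.

    One address answering for many suspect names is the pattern the thread
    describes (a payload host behind many injected URLs) and is where a
    review of the prefix should start.
    """
    per_ip = defaultdict(set)
    for host, hits in classified.items():
        for ip, _prefix, _label in hits:
            per_ip[ip].add(host)
    return sorted(ip for ip, hosts in per_ip.items() if len(hosts) >= min_domains)


if __name__ == "__main__":
    found = classify(SAMPLE_ANSWERS)
    for host, hits in found.items():
        status = ", ".join(f"{ip} in {prefix} [{label}]" for ip, prefix, label in hits)
        print(f"{host:22} {status or 'outside watched prefixes'}")
    print("per prefix:", domains_per_prefix(found))
    print("hosts to review:", hosts_to_review(found))
```

Matching longest prefix first matters here because the thread names both the /20 and the /24 inside it: an address in 92.62.101.0/24 is reported against the Starline /24, not the broader AS39823 block, which keeps the per-prefix view useful when deciding how much of the /20 a routing policy should cover.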