[nsp-sec] The ugly on AS39823 | 92.62.96.0/20
Rob Thomas
robt at cymru.com
Mon May 4 15:16:10 EDT 2009
Hi, Sidney.
> Looks like the primary DNS server's at 95.129.144.210, I see traffic to
> web servers at 95.129.144.144.11,13,228,229,244 and 95.129.145.242. Is
> there anything legit here?
95.129.144.210 appears to be a Linux box. We see a few DNS RRs pointed
to 95.129.144.210.
timestamp           | dns_name                  | ip
------------------- | ------------------------- | --------------
2009-05-01 02:47:53 | ns1.freednshostserver.com | 95.129.144.210
2009-05-05 00:12:15 | ns1.freednshostway.com    | 95.129.144.210
2009-05-05 14:28:14 | ns1.freehostinternet.com  | 95.129.144.210
2009-04-04 23:44:01 | zzzz.hostindianet.com     | 95.129.144.210

timestamp           | dns_name                         | ip
------------------- | -------------------------------- | --------------
2009-04-03 18:25:18 | asdasdw.hostindianet.com         | 95.129.144.210
2009-04-03 14:07:59 | asdasf.free.hostindianet.com     | 95.129.144.210
2009-04-04 05:32:03 | default.whois.hostindianet.com   | 95.129.144.210
2009-04-03 22:21:49 | farm-en-12san.hostindianet.com   | 95.129.144.210
2009-04-03 20:52:52 | free.hostindianet.com            | 95.129.144.210
2009-04-03 22:11:23 | freehostinternet.com             | 95.129.144.210
2009-04-03 14:43:17 | freeonlinehostguide.com          | 95.129.144.210
2009-04-03 20:45:18 | freewebhostguide.com             | 95.129.144.210
2009-04-03 17:50:02 | ghrgt.hostindianet.com           | 95.129.144.210
2009-04-03 22:58:18 | hostindianet.com                 | 95.129.144.210
2009-04-03 22:04:28 | idiandemocratcy.hostindianet.com | 95.129.144.210
2009-04-04 05:33:35 | japanhostnet.com                 | 95.129.144.210
2009-04-01 08:29:54 | ns1.freednshostserver.com        | 95.129.144.210
2009-04-01 00:56:48 | ns1.freednshostway.com           | 95.129.144.210
2009-04-03 06:42:48 | ns1.freehostinternet.com         | 95.129.144.210
2009-04-03 06:34:39 | ns1.freeonlinehostguide.com      | 95.129.144.210
2009-04-03 06:34:39 | ns1.freewebhostguide.com         | 95.129.144.210
2009-04-03 06:42:49 | ns1.hostindianet.com             | 95.129.144.210
2009-04-19 20:22:16 | ns1.lotultimatebet.cn            | 95.129.144.210
2009-04-04 04:34:52 | sadcwed.hostindianet.com         | 95.129.144.210
2009-04-03 19:11:03 | sdfi.hostindianet.com            | 95.129.144.210
2009-04-03 15:47:35 | turq.whois.hostindianet.com      | 95.129.144.210
2009-04-03 16:19:49 | whois.hostindianet.com           | 95.129.144.210
2009-04-03 21:09:50 | www.freeonlinehostguide.com      | 95.129.144.210
2009-04-04 01:35:54 | www.freewebhostguide.com         | 95.129.144.210
2009-04-03 17:42:22 | www.hostindianet.com             | 95.129.144.210
2009-04-03 21:46:40 | zzz.free.hostindianet.com        | 95.129.144.210
2009-04-03 20:32:37 | zzz.hostindianet.com             | 95.129.144.210
2009-04-01 00:10:33 | zzzz.hostindianet.com            | 95.129.144.210
It might have been the source of one or more SSH scans on 2009-03-15.
95.129.144.11 has hosted both malware URLs and an HTTP C&C (at least
uplifing.cn). The other DNS RRs pointed to 95.129.144.11 make me think
there's more on the way, or already in place.
timestamp           | dns_name    | ip
------------------- | ----------- | -------------
2009-05-02 12:21:25 | gcounter.cn | 95.129.144.11
2009-05-01 07:38:04 | gstats.cn   | 95.129.144.11
2009-05-01 01:36:16 | uplifing.cn | 95.129.144.11

timestamp           | dns_name    | ip
------------------- | ----------- | -------------
2009-04-01 00:20:53 | gcounter.cn | 95.129.144.11
2009-04-02 20:24:36 | gstats.cn   | 95.129.144.11
2009-04-04 00:10:12 | hennensi.ru | 95.129.144.11
2009-04-03 03:57:12 | hostads.cn  | 95.129.144.11
2009-04-03 15:29:47 | nolohing.cn | 95.129.144.11
2009-04-01 00:44:56 | uplifing.cn | 95.129.144.11
We see at least one sample in our malware menagerie that points to
95.129.144.11.
timestamp           | sha1                                     | md5                              | dst_ip        | dst_port | protocol | size
------------------- | ---------------------------------------- | -------------------------------- | ------------- | -------- | -------- | ----
2009-04-10 20:14:33 | 3c9bdb50a2164d8870eedf0eb0fb6aa6173a4369 | 4512405ee2d08ff9df08b729831e4b01 | 95.129.144.11 | 80       | 6        | 534
This Linux box is running nginx, and as of 2009-04-30 00:00:01 UTC it
was last updated on 2009-03-29 23:30:07 UTC (if you believe such things).
95.129.144.13 has one malware URL it hosts (at least). We see the
following DNS RRs pointed to 95.129.144.13.
timestamp           | dns_name             | ip
------------------- | -------------------- | -------------
2009-05-01 00:09:39 | beelposttraning.ru   | 95.129.144.13

timestamp           | dns_name             | ip
------------------- | -------------------- | -------------
2009-04-01 20:58:47 | beelposttraning.ru   | 95.129.144.13
2009-04-01 20:58:46 | bizoplata.ru         | 95.129.144.13
2009-04-01 07:53:58 | gianthighestfind.cn  | 95.129.144.13
2009-04-01 07:53:58 | ns1.sevensearchon.ru | 95.129.144.13
95.129.144.13 is also running nginx.
95.129.144.228 has several malware URLs on it.
It might be a FreeBSD 4.8 box, running nginx 0.6.35 with PHP 5.2.9.
We see only two DNS RRs pointed to 95.129.144.228.
timestamp           | dns_name        | ip
------------------- | --------------- | --------------
2009-05-01 17:29:04 | dasretokfin.com | 95.129.144.228

timestamp           | dns_name        | ip
------------------- | --------------- | --------------
2009-04-01 00:19:27 | 5rublei.com     | 95.129.144.228
2009-04-01 16:43:47 | dasretokfin.com | 95.129.144.228
Ah, tochtonenado.com is another DNS RR pointed to 95.129.144.228.
95.129.144.229, which appears to be a FreeBSD box, might be hosting
something naughty in:
hxxp://95.129.144.229/stats
hxxp://95.129.144.229/1
95.129.144.244 has hosted one malware URL on the attmyjoker.com domain.
We see that DNS RR pointed to 95.129.144.244 last month.
timestamp           | dns_name       | ip
------------------- | -------------- | --------------
2009-04-01 08:29:47 | attmyjoker.com | 95.129.144.244
95.129.144.244 is running nginx with PHP 5.1.6.
95.129.145.242 has one malware URL, at least. We see one DNS RR pointed
to 95.129.145.242.
timestamp           | dns_name       | ip
------------------- | -------------- | --------------
2009-04-03 23:40:39 | bankitrade.com | 95.129.145.242
It appears to be a FreeBSD box running Apache/2.2.11 (FreeBSD)
mod_ssl/2.2.11 OpenSSL/0.9.8e DAV/2 PHP/5.2.9 with Suhosin-Patch.
Let me know if you want me to run a query for 92.62.96.0/20 or AS39823.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
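The passive-DNS pivot Rob performs above (names seen on an IP, nameserver hosts on it, and what else is co-hosted with a known C&C) can be scripted over rows in the same "timestamp | dns_name | ip" layout. The following is an added example, not code from the post or from Team Cymru: the record rows are copied from the post, while the prefix list, the seed indicator list and all function names are assumptions made for illustration.

```python
"""Passive-DNS pivot over rows in the "timestamp | dns_name | ip" layout.

Added example, not code from the nsp-sec post or from Team Cymru. The
record rows are copied from the post; the seed indicator list, the prefix
list and every function name here are assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Rows taken from the post, in its own layout (a header and a separator
# line are included deliberately so the parser shows it skips them).
PDNS_ROWS = """\
timestamp | dns_name | ip
--------------------- ------------- ---------------
2009-05-02 12:21:25 | gcounter.cn | 95.129.144.11
2009-05-01 07:38:04 | gstats.cn | 95.129.144.11
2009-05-01 01:36:16 | uplifing.cn | 95.129.144.11
2009-04-04 00:10:12 | hennensi.ru | 95.129.144.11
2009-04-03 03:57:12 | hostads.cn | 95.129.144.11
2009-04-03 15:29:47 | nolohing.cn | 95.129.144.11
2009-04-01 20:58:47 | beelposttraning.ru | 95.129.144.13
2009-04-01 07:53:58 | ns1.sevensearchon.ru | 95.129.144.13
2009-04-19 20:22:16 | ns1.lotultimatebet.cn | 95.129.144.210
2009-04-03 22:58:18 | hostindianet.com | 95.129.144.210
2009-04-03 06:42:49 | ns1.hostindianet.com | 95.129.144.210
2009-04-03 23:40:39 | bankitrade.com | 95.129.145.242
"""

NS_LABEL = re.compile(r"ns\d*")  # ns, ns1, ns2, ... as the leftmost label


def parse_rows(text):
    """Return (datetime, name, IPv4Address) tuples; lines that are not a
    well-formed three-column record (headers, separators) are dropped."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            ip = ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        rows.append((ts, parts[1].lower().rstrip("."), ip))
    return rows


def registrable(name):
    """Last-two-labels heuristic for the registrable domain. Adequate for
    the .cn/.ru/.com names here; production code should use the PSL."""
    return ".".join(name.split(".")[-2:])


def summarize(rows, prefixes):
    """Per-IP view: names, registrable domains, nameserver-style hosts,
    first/last seen, and whether the IP lies in any prefix under review."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    per_ip = {}
    for ts, name, ip in rows:
        s = per_ip.setdefault(str(ip), {
            "names": set(), "domains": set(), "ns_hosts": set(),
            "first": ts, "last": ts,
            "in_scope": any(ip in n for n in nets),
        })
        s["names"].add(name)
        s["domains"].add(registrable(name))
        if NS_LABEL.fullmatch(name.split(".")[0]):
            s["ns_hosts"].add(name)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return per_ip


def cohosted_with(rows, seed_domains):
    """Co-hosting pivot: for every IP that served a seed (known-bad)
    domain, list the other names seen on it. Returns {ip: [names]}."""
    by_ip = defaultdict(set)
    for _, name, ip in rows:
        by_ip[str(ip)].add(name)
    seeds = {s.lower() for s in seed_domains}
    hits = {}
    for ip, names in by_ip.items():
        if any(registrable(n) in seeds for n in names):
            hits[ip] = sorted(n for n in names if registrable(n) not in seeds)
    return hits


if __name__ == "__main__":
    rows = parse_rows(PDNS_ROWS)
    # Assumed prefixes for the demo: the /20 from the subject line and a
    # /23 that merely covers the 95.129.144.x and 95.129.145.x hosts above.
    summary = summarize(rows, ["92.62.96.0/20", "95.129.144.0/23"])
    for ip, s in sorted(summary.items()):
        print(ip, "in_scope=%s" % s["in_scope"],
              "domains=%d" % len(s["domains"]),
              "ns=%s" % sorted(s["ns_hosts"]),
              s["first"].date(), "->", s["last"].date())
    # uplifing.cn is the HTTP C&C named in the post; everything else on
    # that IP is a candidate for the "more on the way" the post expects.
    print(cohosted_with(rows, ["uplifing.cn"]))
```

The `in_scope` flag is the quick check for Sidney's question of whether the hosts even fall inside the block being discussed; the `ns_hosts` set surfaces the "ns1.*" names that mark an IP as serving authoritative DNS for other domains, which is what makes 95.129.144.210 interesting beyond its own web content.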