[nsp-sec] The ugly on AS39823 | 92.62.96.0/20

Rob Thomas robt at cymru.com
Mon May 4 15:31:11 EDT 2009


Hey, Steve.

> betworldwager.cn             213.163.91.93

Yeah, we've seen one malware URL on 213.163.91.93.

213.163.91.93 appears to be a Linux box.  It's running nginx with PHP 5.1.6.

We see the following DNS RRs pointed to 213.163.91.93.

Last month we saw the following DNS RRs pointed to 213.163.91.93.

We see three samples in our malware menagerie that point to 213.163.91.93.

Let me know if you need more details on 213.163.91.0/24.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");