[nsp-sec] identity theft c&c (AS 4134, 9394)

Yiming Gong yiming.gong at xo.com
Tue May 5 17:47:00 EDT 2009


This box has been blackholed on CT's network a few minutes ago.

4134    | 122.225.36.35    | CHINANET-BACKBONE No.31,Jin-rong Street

Sorry I cannot help on the second IP....

Yiming

On 05/05/2009 01:48 PM, Rob Thomas wrote:
> ----------- nsp-security Confidential --------
>
> Hey, Tom.
>
> Thanks for the details!
>
>> newcounters.cn/61.235.117.71 is still active - another variant connects
>> to 0083vorit.cn/122.225.36.35.
>
> If this helps, and likely you already have these details, we see the
> following samples in our malware menagerie pointed to 61.235.117.71.
>
>        timestamp      |                   sha1                   |               md5                |    dst_ip     | dst_port | protocol | size
> --------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
>   2009-04-17 08:06:31 | 0e36481d49afb55e14847a25a5ae2805debaf694 | 7e7640e49f6cc2dd7c073c6b747f4878 | 61.235.117.71 |       80 |        6 |
>   2009-03-30 17:22:28 | 1c2e7a6c32fc6f37b9ab6a27d4c1d40d3c99cf52 | 814c1de4e9ea8d9acc479ed63e0d895b | 61.235.117.71 |       80 |        6 |
>   2009-03-04 06:22:03 | 2155da3ee05e53021fd97427c2dbba76b1e9477c | 48498e14469208e761c1838558dbac8a | 61.235.117.71 |       80 |        6 |
>   2009-04-17 03:27:22 | 23c4e5d0c7102732ead04f7f3736c71c2ac3cc68 | 3e1304a32c3f8c06aa0cffd948d760fb | 61.235.117.71 |       80 |        6 |
>   2009-04-05 09:22:38 | 38a76c83e07b6bbbfc23aa0ad5ddd7ba4f104aa2 | 47a47386a6ee72503b3afa7a5bffc65a | 61.235.117.71 |       80 |        6 |
>   2009-04-23 12:21:36 | 468d8f09fe9b8af843769031526b978c1591a84e | 076e1c785ea8665b8986f87c3bf74a0e | 61.235.117.71 |       80 |        6 |
>   2009-02-03 10:31:22 | 5800c7d654bce667f3a8e931261e62a61c77a7df | 7813daaac5243f16784f5f7e56f1b6c2 | 61.235.117.71 |       80 |        6 |
>   2009-03-06 07:01:10 | 5ce706d15af344bd75ee830d0d9ae31f0aa04aef | d77ddd32eea3a41a00fe52e73410de48 | 61.235.117.71 |       80 |        6 |
>   2009-04-17 08:08:30 | 83d3fb4aeb7f1d83fc81fa36cd3fcb12a493f0e9 | 8bb4bf785be8de35b05e58979a1e27d8 | 61.235.117.71 |       80 |        6 |
>   2009-04-05 05:16:46 | 848e5044fd1488dc319802cd04999f78529cb266 | 1c4dddab4e417f98000898b9485fadfc | 61.235.117.71 |       80 |        6 |
>   2009-03-16 18:31:12 | 86c7cc432aaf36c57249258f22e401d2599396d6 | 94e0ebe20babf110be1f9cd2d9c295b4 | 61.235.117.71 |       80 |        6 |
>   2009-04-16 12:23:18 | 8f60582a6110ced7bf1dee7d2761aea1a2f53f1f | d6618085f15cbabf5d078e829292e50e | 61.235.117.71 |       80 |        6 |
>   2009-04-30 22:21:38 | c801dd70348e5434e4e25d7ca1de1c2364a7ad3a | 65d9c086da9f95ab7b7ac791f19725b0 | 61.235.117.71 |       80 |        6 |    0
>   2009-03-12 16:25:57 | d3948d6c33be009194513545a110566c2f6bbb97 | 0de37651ab1e4c8d31a202a451d05e73 | 61.235.117.71 |       80 |        6 |
>   2009-04-17 21:26:28 | dcb6a1485c3caff7d371c75d8dc465148f8b610d | c5b76022e0bc01f9c3478dcff3f0a400 | 61.235.117.71 |       80 |        6 |
>   2009-03-20 10:24:03 | e37904d129e2e5e047d1e7845df6035afd45ad05 | 64148e5eb525089c448adf0fb59c5257 | 61.235.117.71 |       80 |        6 |
>   2009-03-20 11:24:07 | e47f5ae73c218784ca44be93b1e9b6fdaf08fd14 | e5e320afaef997875d628c0ef5639762 | 61.235.117.71 |       80 |        6 |
>   2009-01-23 11:01:10 | f030980da614d6f10a56c7f6697e877aa48b47c6 | a59c9fcf630bac0059b5c8ece24f7c5b | 61.235.117.71 |       80 |        6 |
>   2009-04-17 10:20:37 | f80b1a66b7bf7c95d0b946aad6aaa3a221c32e9c | 284a019f5bd1e4f64c129870b23aba5e | 61.235.117.71 |       80 |        6 |
>
>> AS      | IP               | AS Name
>> 4134    | 122.225.36.35    | CHINANET-BACKBONE No.31,Jin-rong Street
>
> We see three HTTP C&Cs on 122.225.36.35.
>
>     h x x p : / / 0083vorit.cn/IT02/get.php
>     h x x p : / / www.0083vorit.cn/IT02/get.php
>     h x x p : / / 1256hrom.cn/IT02/get.php
>
> We see four DNS RRs pointed to 122.225.36.35 this month.
>
>        timestamp      |     dns_name     |      ip
> --------------------- ------------------ ---------------
>   2009-04-04 23:44:29 | 0083vorit.cn     | 122.225.36.35
>   2009-04-04 23:44:55 | 1256hrom.cn      | 122.225.36.35
>   2009-05-02 07:02:41 | ns1.1256hrom.cn  | 122.225.36.35
>   2009-05-01 00:28:21 | www.0083vorit.cn | 122.225.36.35
>
> We have ten samples in our malware menagerie that point to 122.225.36.35.
>
>        timestamp      |                   sha1                   |               md5                |    dst_ip     | dst_port | protocol | size
> --------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
>   2009-05-02 02:03:17 | 28bc036fb9edb9c6a6581a8bab209e4666b3eea1 | 4d28651e57ef28c7b686c9b97d9cafe6 | 122.225.36.35 |       80 |        6 |  432
>   2009-05-04 06:50:02 | 298a8b7b43bc3ec2b0dfda28fb34d8f7806f18b4 | 21fbd7391893ce2c7ccd2ab49ab40895 | 122.225.36.35 |       80 |        6 |
>   2009-05-02 02:03:32 | 29f7cc4b6cc27a8c1458179956dc06ba9a53ba33 | 8040ca8bd24342fb0c74ef86159be00d | 122.225.36.35 |       80 |        6 |  432
>   2009-05-03 15:21:06 | 4b50c11b31655ebb5337cf0df77f0dab7912568d | 4e41f9b7c9f9542892cedab264d004d0 | 122.225.36.35 |       80 |        6 |
>   2009-05-04 19:21:49 | 6e7d553987844a1d8fa5d14cfee687a3ce66736e | b446403c2399e550db577bf0178e933e | 122.225.36.35 |       80 |        6 |
>   2009-05-03 02:22:24 | 910d0e845e4f43e01d2b94f2e394a474dde82742 | a2645b1ac9c2c8e8c09c387cfbb3bdeb | 122.225.36.35 |       80 |        6 |  432
>   2009-05-05 17:23:04 | a6ef26023b99da19980ac13fa2abe38cfd0d100a | 85f2c4c634c347e37f223a36b4f6d006 | 122.225.36.35 |       80 |        6 |
>   2009-05-03 02:30:52 | bbc6cb8affad00a6687a4033952284dc025d767d | 83a1d7945ebfca35c3cf4eb6e896f207 | 122.225.36.35 |       80 |        6 |  432
>   2009-04-29 16:23:36 | e0d9184926ad8e994db92c0781c7b6479c01312d | c8f59bb81065b0dcc8dfd8132eccb192 | 122.225.36.35 |       80 |        6 |
>   2009-04-30 02:02:19 | eb0d6498d9785f35292051f6eb40204e7ee1c5a6 | 54aba80a4dc1852608e410c215288554 | 122.225.36.35 |       80 |        6 |  432
>
> This appears to be an Apache server.
>
> Thanks,
> Rob.
