[nsp-sec] Anyone seeing any "packet love/DOS" heading for 64.75.15.144?

Janish, Nathan Nathan.Janish at Level3.com
Thu May 7 10:55:48 EDT 2009


> 129.176.151.25



129.176.151.25 has been a Mebroot/Torpig bot since at least 2009-02-24 03:21:48 UTC.



I'm in touch with the owner of 129.176.151.25, can anyone provide more details?



Hi Nathan,



Thanks for the heads up on this issue.  Unfortunately, this IP is one of our HTTP proxy cache servers and is not a discrete host.  Can you tell us what symptoms you are seeing?  Specifically, what destination IPs are we hitting that suggest mebroot/torpig?  If you have timestamps with the destination IPs that would be helpful also.





Regards,



Nathan Janish

Level3 Security

720.888.3350



-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Rob Thomas
Sent: Wednesday, May 06, 2009 4:31 PM
To: Barry Greene
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Anyone seeing any "packet love/DOS" heading for 64.75.15.144?



----------- nsp-security Confidential --------



Hey, Barry.



> 8.18.65.21

> 8.5.245.39



Akamai, are these yours or related to you at all?



> 129.176.151.25



129.176.151.25 has been a Mebroot/Torpig bot since at least 2009-02-24 03:21:48 UTC.



It may be a NAT gateway or (possibly hacked) proxy.



> 12.36.123.2



12.36.123.2 has been a Conficker bot off and on since at least 2009-01-17 08:06:21 UTC.



> 130.13.10.227



Bupkes on 130.13.10.227, sorry.



Unfortunately no clear picture of the C&C(s) involved.



Thanks,

Rob.

--

Rob Thomas

Team Cymru

http://www.team-cymru.org/

cmn_err(CEO_PANIC, "Out of coffee!");







_______________________________________________

nsp-security mailing list

nsp-security at puck.nether.net

https://puck.nether.net/mailman/listinfo/nsp-security



Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures.

_______________________________________________


