[nsp-sec] identity theft c&c (AS 24400, 9808)
Tom Fischer
tfischer at bfk.de
Mon May 11 11:12:05 EDT 2009
Hi,
On Tue, May 05, 2009 at 08:56:22AM +0200, Tom Fischer wrote:
> Any chance to terminate / null route the mentioned systems?
>
> Malware distribution:
> hxxp://0083vorit.cn/dbv4.exe
> AV-scan: http://www.virustotal.com/analisis/d4d366666ce212757d562c9647617354
moved from 122.225.36.35 to 221.130.192.79
2009-04-07 15:35:28 2009-04-07 15:35:28 0083vorit.cn TXT "v=spf1 a mx
2009-04-07 07:06:57 2009-04-24 00:11:53 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009030300
2009-03-17 07:24:07 2009-04-24 00:53:34 0083vorit.cn A 210.83.85.99
2009-04-24 20:07:36 2009-05-05 21:05:49 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009042400
2009-04-24 20:07:36 2009-05-06 15:13:20 0083vorit.cn A 122.225.36.35
2009-05-09 18:05:49 2009-05-10 22:11:44 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009050900
2009-04-07 07:06:57 2009-05-11 10:11:46 0083vorit.cn MX 10 mail.0083vorit.cn
2009-03-17 07:24:06 2009-05-11 10:16:51 0083vorit.cn NS ns1.1256hrom.cn
2009-05-09 17:56:38 2009-05-11 10:16:51 0083vorit.cn A 221.130.192.79
2009-05-10 23:05:47 2009-05-11 10:16:55 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009051000
AS | IP | AS Name
24400 | 221.130.192.79 | CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
PEER_AS | IP | AS Name
9808 | 221.130.192.79 | CMNET-GD Guangdong Mobile Communication Co.Ltd.
BTW, another alias is 1256hrom.cn:
2009-05-10 01:06:03 2009-05-11 08:53:08 1256hrom.cn A 221.130.192.79
--
Tom Fischer
BFK edv-consulting GmbH tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe fax: +49 721 962 01-99
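Added example, not part of the post above: a small parser for the passive-DNS rows quoted in the message (first_seen, last_seen, name, type, rdata), used to reconstruct the hosting timeline of 0083vorit.cn and to pivot on the final IP to find other names resolving to it. The row text is copied from the post; the function names are this example's own.

```python
# Added example (not from the original post): parse passive-DNS rows quoted in
# the message, rebuild the "moved from X to Y" timeline, and pivot on an IP.
from datetime import datetime

# Rows as they appear in the post: first_seen, last_seen, name, type, rdata
PDNS_ROWS = """\
2009-04-07 07:06:57 2009-04-24 00:11:53 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009030300
2009-03-17 07:24:07 2009-04-24 00:53:34 0083vorit.cn A 210.83.85.99
2009-04-24 20:07:36 2009-05-06 15:13:20 0083vorit.cn A 122.225.36.35
2009-04-07 07:06:57 2009-05-11 10:11:46 0083vorit.cn MX 10 mail.0083vorit.cn
2009-03-17 07:24:06 2009-05-11 10:16:51 0083vorit.cn NS ns1.1256hrom.cn
2009-05-09 17:56:38 2009-05-11 10:16:51 0083vorit.cn A 221.130.192.79
2009-05-10 01:06:03 2009-05-11 08:53:08 1256hrom.cn A 221.130.192.79
"""

def parse_pdns(text):
    """Return a list of (first_seen, last_seen, name, rrtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 6)  # date time date time name type rdata
        if len(parts) < 7:
            continue  # skip blank or truncated rows
        first = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        last = datetime.strptime(parts[2] + " " + parts[3], "%Y-%m-%d %H:%M:%S")
        records.append((first, last, parts[4], parts[5], parts[6]))
    return records

def a_record_timeline(records, name):
    """A-record IPs for `name`, ordered by first_seen: where the name was hosted."""
    rows = [r for r in records if r[2] == name and r[3] == "A"]
    return [r[4] for r in sorted(rows)]

def hosting_moves(records, name):
    """Consecutive (old_ip, new_ip) pairs, i.e. the 'moved from X to Y' events."""
    ips = a_record_timeline(records, name)
    return list(zip(ips, ips[1:]))

def names_on_ip(records, ip):
    """Pivot: every name whose A record points at `ip` (aliases of the same host)."""
    return sorted({r[2] for r in records if r[3] == "A" and r[4] == ip})

if __name__ == "__main__":
    recs = parse_pdns(PDNS_ROWS)
    for old, new in hosting_moves(recs, "0083vorit.cn"):
        print(f"0083vorit.cn moved from {old} to {new}")
    print("names on 221.130.192.79:", names_on_ip(recs, "221.130.192.79"))
```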