[nsp-sec] identity theft c&c (AS 24400, 9808)
Rob Thomas
robt at cymru.com
Mon May 11 11:43:29 EDT 2009
Hey, Tom.
> moved from 122.225.36.35 to 221.130.192.79
Thanks for the heads-up! 221.130.192.79 has sourced spam as far back as
2009-01-07 14:45:26 UTC.
We see a small set of DNS RRs pointed to 221.130.192.79.
      timestamp       |     dns_name      |       ip
----------------------+-------------------+-----------------
 2009-05-01 13:57:31  | 0083vorit.cn      | 221.130.192.79
 2009-05-01 09:11:37  | 1256hrom.cn       | 221.130.192.79
 2009-05-04 13:59:48  | fr4nk1n.cn        | 221.130.192.79
 2009-05-01 03:57:30  | www.0083vorit.cn  | 221.130.192.79
We have two recent samples in our malware menagerie that point to
221.130.192.79.
      timestamp       |                   sha1                   |               md5                |     dst_ip      | dst_port | protocol | size
----------------------+------------------------------------------+----------------------------------+-----------------+----------+----------+------
 2009-05-11 10:26:51  | 28bc036fb9edb9c6a6581a8bab209e4666b3eea1 | 4d28651e57ef28c7b686c9b97d9cafe6 | 221.130.192.79  | 80       | 6        |
 2009-05-08 09:32:01  | 4a872996491a1ec81d2d63d1fab3be5bdc8f3c23 | d29e5e529b69bfb37e093c0fc60b7cac | 221.130.192.79  | 80       | 6        |
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
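The pivot Rob describes above (take the C&C address, pull every DNS name that resolved to it and every sample that called it) is the kind of lookup worth scripting once. The following is an added example, not part of the original post and not a Team Cymru tool: it parses psql-style tables in the layout quoted in the mail and collects the indicators tied to a set of addresses, so the old and the new C&C IP can be queried together after a move. The table contents are constructed from the values in the mail; `parse_table`, `pivot` and the protocol-number map are assumptions for illustration.

```python
"""Pivot a C&C IP across passive-DNS and malware-sample records.

Added example, not code from the original post. The tables below are
constructed from the values quoted in the e-mail and laid out the way the
mail shows them; the parser and pivot helper are assumptions, not any
vendor's API.
"""

# Constructed sample data: passive-DNS records, psql-style layout.
PDNS_TABLE = """\
timestamp           | dns_name         | ip
--------------------+------------------+----------------
2009-05-01 13:57:31 | 0083vorit.cn     | 221.130.192.79
2009-05-01 09:11:37 | 1256hrom.cn      | 221.130.192.79
2009-05-04 13:59:48 | fr4nk1n.cn       | 221.130.192.79
2009-05-01 03:57:30 | www.0083vorit.cn | 221.130.192.79
"""

# Constructed sample data: sandbox callbacks. The `size` column is empty,
# exactly as in the quoted output, so the parser must tolerate a trailing
# empty cell.
SAMPLE_TABLE = """\
timestamp           | sha1                                     | md5                              | dst_ip         | dst_port | protocol | size
--------------------+------------------------------------------+----------------------------------+----------------+----------+----------+------
2009-05-11 10:26:51 | 28bc036fb9edb9c6a6581a8bab209e4666b3eea1 | 4d28651e57ef28c7b686c9b97d9cafe6 | 221.130.192.79 | 80       | 6        |
2009-05-08 09:32:01 | 4a872996491a1ec81d2d63d1fab3be5bdc8f3c23 | d29e5e529b69bfb37e093c0fc60b7cac | 221.130.192.79 | 80       | 6        |
"""

# IANA protocol numbers for the values that appear in callback records.
IP_PROTO = {6: "tcp", 17: "udp"}


def parse_table(text):
    """Parse psql-style '|'-separated output into a list of dicts.

    The first non-blank line is the header; lines made only of '-', '+' and
    spaces are separators. Cells are stripped, and rows shorter than the
    header are padded with empty strings instead of raising.
    """
    rows, header = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if set(line.strip()) <= set("-+ "):
            continue  # separator line
        cells = [c.strip() for c in line.split("|")]
        if header is None:
            header = cells
            continue
        cells += [""] * (len(header) - len(cells))
        rows.append(dict(zip(header, cells)))
    return rows


def pivot(ips, pdns_rows, sample_rows):
    """Collect every indicator tied to any of the given C&C addresses.

    Pass both the old and the new address so that names and samples that
    followed the move are captured in one result. Timestamps are
    'YYYY-MM-DD HH:MM:SS' strings, so plain string comparison orders them.
    """
    ips = set(ips)
    domains = {}  # dns_name -> earliest timestamp seen pointing at one of ips
    for r in pdns_rows:
        if r["ip"] in ips:
            name, ts = r["dns_name"], r["timestamp"]
            if name not in domains or ts < domains[name]:
                domains[name] = ts
    samples, endpoints = [], set()
    for r in sample_rows:
        if r["dst_ip"] in ips:
            samples.append((r["timestamp"], r["sha1"], r["md5"]))
            proto = IP_PROTO.get(int(r["protocol"]), r["protocol"])
            endpoints.add(f'{r["dst_ip"]}:{r["dst_port"]}/{proto}')
    return {
        "domains": sorted(domains),
        "first_dns_seen": min(domains.values()) if domains else None,
        "samples": sorted(samples),  # oldest sample first
        "endpoints": sorted(endpoints),
    }


if __name__ == "__main__":
    # Query the address the C&C moved from together with the one it moved to.
    result = pivot(["122.225.36.35", "221.130.192.79"],
                   parse_table(PDNS_TABLE), parse_table(SAMPLE_TABLE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The result is a block list ready to hand off: the DNS names (which outlive the IP move), the endpoint `221.130.192.79:80/tcp`, and the sample hashes. Querying both addresses in one call is the useful part; a pivot on the new IP alone would miss names and samples still tied to the old one in a richer dataset.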