[nsp-sec] identity theft c&c (AS 24400, 9808)
Yiming Gong
yiming.gong at xo.com
Thu May 14 10:02:35 EDT 2009
FYI, this box has been pulled off the rack, and dig shows "no servers could be reached":
yiming at noname:~$ dig 0083vorit.cn
; <<>> DiG 9.5.1-P2 <<>> 0083vorit.cn
;; global options: printcmd
;; connection timed out; no servers could be reached
Regards!
Yiming
On 05/11/2009 12:17 PM, Yiming Gong wrote:
> ----------- nsp-security Confidential --------
>
> I am trying to get hold of their security engineer via a contact person,
> email has been sent and will see if they can rectify the issue tomorrow
> (midnight in China now).
>
> China Mobile has a dedicated security team, so I would think odds are good
> they will be able to fix the problem.
>
> Yiming
>
> On 05/11/2009 10:12 AM, Tom Fischer wrote:
>> ----------- nsp-security Confidential --------
>>
>> Hi,
>>
>> On Tue, May 05, 2009 at 08:56:22AM +0200, Tom Fischer wrote:
>>> Any chance to terminate / null route the mentioned systems?
>>>
>>> Malware distribution:
>>> hxxp://0083vorit.cn/dbv4.exe
>>> AV-scan:
>>> http://www.virustotal.com/analisis/d4d366666ce212757d562c9647617354
>>
>> moved from 122.225.36.35 to 221.130.192.79
>>
>> 2009-04-07 15:35:28 2009-04-07 15:35:28 0083vorit.cn TXT "v=spf1 a mx
>> 2009-04-07 07:06:57 2009-04-24 00:11:53 0083vorit.cn SOA
>> ns1.1256hrom.cn hostmaster.0083vorit.cn 2009030300
>> 2009-03-17 07:24:07 2009-04-24 00:53:34 0083vorit.cn A 210.83.85.99
>> 2009-04-24 20:07:36 2009-05-05 21:05:49 0083vorit.cn SOA
>> ns1.1256hrom.cn hostmaster.0083vorit.cn 2009042400
>> 2009-04-24 20:07:36 2009-05-06 15:13:20 0083vorit.cn A 122.225.36.35
>> 2009-05-09 18:05:49 2009-05-10 22:11:44 0083vorit.cn SOA
>> ns1.1256hrom.cn hostmaster.0083vorit.cn 2009050900
>> 2009-04-07 07:06:57 2009-05-11 10:11:46 0083vorit.cn MX 10
>> mail.0083vorit.cn
>> 2009-03-17 07:24:06 2009-05-11 10:16:51 0083vorit.cn NS ns1.1256hrom.cn
>> 2009-05-09 17:56:38 2009-05-11 10:16:51 0083vorit.cn A 221.130.192.79
>> 2009-05-10 23:05:47 2009-05-11 10:16:55 0083vorit.cn SOA
>> ns1.1256hrom.cn hostmaster.0083vorit.cn 2009051000
>>
>> AS | IP | AS Name
>> 24400 | 221.130.192.79 | CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
>>
>> PEER_AS | IP | AS Name
>> 9808 | 221.130.192.79 | CMNET-GD Guangdong Mobile Communication Co.Ltd.
>>
>> btw. another alias is 1256hrom.cn
>> 2009-05-10 01:06:03 2009-05-11 08:53:08 1256hrom.cn A 221.130.192.79
>>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
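The thread works from passive-DNS rows (first_seen, last_seen, name, type, rdata) to reach two conclusions: the domain moved hosting from 122.225.36.35 to 221.130.192.79, and 1256hrom.cn is an alias on the same IP. The following is an added example, not code from anyone on the list, that automates exactly those two steps over the rows quoted above (rejoined onto single lines where the archive wrapped them). The function names are my own; the record format is assumed to be the five-column layout shown in the quoted output.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: the passive-DNS rows quoted in the thread, one record per
# line (the archive wrapped the long SOA/MX lines; they are rejoined here).
PDNS_ROWS = """\
2009-04-07 15:35:28 2009-04-07 15:35:28 0083vorit.cn TXT "v=spf1 a mx
2009-04-07 07:06:57 2009-04-24 00:11:53 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009030300
2009-03-17 07:24:07 2009-04-24 00:53:34 0083vorit.cn A 210.83.85.99
2009-04-24 20:07:36 2009-05-05 21:05:49 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009042400
2009-04-24 20:07:36 2009-05-06 15:13:20 0083vorit.cn A 122.225.36.35
2009-05-09 18:05:49 2009-05-10 22:11:44 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009050900
2009-04-07 07:06:57 2009-05-11 10:11:46 0083vorit.cn MX 10 mail.0083vorit.cn
2009-03-17 07:24:06 2009-05-11 10:16:51 0083vorit.cn NS ns1.1256hrom.cn
2009-05-09 17:56:38 2009-05-11 10:16:51 0083vorit.cn A 221.130.192.79
2009-05-10 23:05:47 2009-05-11 10:16:55 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009051000
2009-05-10 01:06:03 2009-05-11 08:53:08 1256hrom.cn A 221.130.192.79
"""

TS = "%Y-%m-%d %H:%M:%S"


def parse_pdns(text):
    """Parse 'first_seen last_seen name type rdata...' rows into dicts.
    Each timestamp spans two whitespace-separated fields, so the first six
    fields are fixed and whatever follows is kept verbatim as rdata."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 6:
            continue  # blank or truncated row: skip rather than guess
        first = datetime.strptime(parts[0] + " " + parts[1], TS)
        last = datetime.strptime(parts[2] + " " + parts[3], TS)
        rdata = parts[6] if len(parts) == 7 else ""
        records.append({"first": first, "last": last, "name": parts[4],
                        "type": parts[5], "rdata": rdata})
    return records


def a_timeline(records, name):
    """A-record history of one name, ordered by first_seen: (first, last, ip)."""
    rows = [(r["first"], r["last"], r["rdata"]) for r in records
            if r["name"] == name and r["type"] == "A"]
    return sorted(rows)


def hosting_moves(records, name):
    """Successive IP changes, i.e. the 'moved from X to Y' observation."""
    ips = [ip for _, _, ip in a_timeline(records, name)]
    return [(a, b) for a, b in zip(ips, ips[1:]) if a != b]


def names_on_ip(records, ip):
    """Pivot from an IP to every name that resolved to it (surfaces aliases)."""
    return sorted({r["name"] for r in records
                   if r["type"] == "A" and r["rdata"] == ip})


def infrastructure_overlap(records):
    """IP -> sorted names, restricted to IPs shared by more than one name."""
    by_ip = defaultdict(set)
    for r in records:
        if r["type"] == "A":
            by_ip[r["rdata"]].add(r["name"])
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    recs = parse_pdns(PDNS_ROWS)
    for first, last, ip in a_timeline(recs, "0083vorit.cn"):
        print(f"{first:%Y-%m-%d} .. {last:%Y-%m-%d}  {ip}")
    print("moves:", hosting_moves(recs, "0083vorit.cn"))
    print("shared infrastructure:", infrastructure_overlap(recs))
```

The timeline is ordered by first_seen rather than last_seen because a record that stays cached at a resolver can keep its last_seen moving long after the C&C has left that address; first_seen is what dates the move. The overlap function only reports IPs with two or more names, which is the cheap way to pull the 1256hrom.cn alias out of a larger dump without reading every row.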