[nsp-sec] ZeuS/Zbot logs.

Gabriel Iovino giovino at ren-isac.net
Tue Nov 3 16:15:41 EST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott A. McIntyre wrote:
> With the help of one of my customers I gained access to an Apache server
> log of a box which was being used as a ZeuS-redirector.  Looking at the
> content, about 22K IPs visited in the last day or so from a pretty
> healthy list of ASNs, which is below.

Sanitized notifications have been sent to the following:

> 18      | 128.83.78.197    | [01/Nov/2009:08:23:35 +0100] | UTEXAS - University of Texas at Austin
> 27      | 129.2.164.248    | [01/Nov/2009:09:00:41 +0100] | UMDNET - University of Maryland at College Park
> 55      | 128.91.127.48    | [02/Nov/2009:01:02:17 +0100] | UPENN-CIS - University of Pennsylvania
> 55      | 165.123.172.92   | [01/Nov/2009:08:26:11 +0100] | UPENN-CIS - University of Pennsylvania
> 55      | 165.123.209.3    | [02/Nov/2009:00:52:16 +0100] | UPENN-CIS - University of Pennsylvania
> 81      | 152.20.180.18    | [01/Nov/2009:08:53:12 +0100] | NCREN - MCNC
> 156     | 129.10.76.134    | [01/Nov/2009:08:31:53 +0100] | NORTHEASTERN-GW-AS - Northeastern University
> 1312    | 128.173.89.44    | [01/Nov/2009:08:48:05 +0100] | VA-TECH-AS - Virginia Polytechnic Institute and State Univ.
> 2037    | 129.8.201.90     | [01/Nov/2009:08:31:06 +0100] | CSUFRESNO - California State University,
> 2037    | 129.8.201.90     | [02/Nov/2009:00:02:00 +0100] | CSUFRESNO - California State University,
> 2055    | 130.39.127.40    | [01/Nov/2009:09:09:02 +0100] | LSU-1 - Louisiana State University
> 3999    | 128.118.90.98    | [01/Nov/2009:08:48:30 +0100] | PENN-STATE - The Pennsylvania State University
> 5078    | 139.78.10.132    | [01/Nov/2009:23:49:43 +0100] | ONENET-AS-1 - Oklahoma Network for Education Enrichment and
> 6360    | 168.105.125.182  | [01/Nov/2009:23:20:11 +0100] | UNIVHAWAII - University of Hawaii Data & Video Networks
> 6360    | 168.105.130.122  | [02/Nov/2009:01:12:38 +0100] | UNIVHAWAII - University of Hawaii Data & Video Networks
> 10421   | 129.118.109.187  | [01/Nov/2009:08:57:30 +0100] | TTUNET - Texas Tech University
> 11745   | 132.177.70.74    | [01/Nov/2009:22:33:35 +0100] | USNH - University System of New Hampshire
> 22192   | 192.234.172.147  | [01/Nov/2009:08:41:00 +0100] | SSHENET - Pennsylvania State System of Higher Education
> 23262   | 204.152.134.2    | [01/Nov/2009:08:25:36 +0100] | LINCOLN-UNIVERSITY - Lincoln University
> 30703   | 139.127.220.77   | [02/Nov/2009:12:17:09 +0100] | SHSC-1-AS - SUNY Health and Science Center
> 40127   | 134.174.21.2     | [01/Nov/2009:08:36:10 +0100] | LMANET - Longwood Medical Area network (LMAnet)
> 40127   | 134.174.21.2     | [02/Nov/2009:00:06:41 +0100] | LMANET - Longwood Medical Area network (LMAnet)

Thank you.

Gabe

- --
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrwnX0ACgkQwqygxIz+pTsvJgCfczkDM55TZ9ymsQfp0ewoo+mm
idwAmgMChOpopX0KitMQJPAuDnNEXc0O
=Zbt7
-----END PGP SIGNATURE-----
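The list above is the output of a routine victim-notification step: take the redirector's Apache access log, reduce it to the client IPs seen inside the reporting window, map each IP to its origin ASN, and group the result so each network operator gets only its own addresses. The following is an added example of that pipeline; it is not code from the original message, from Scott or from REN-ISAC. The log lines are constructed (TEST-NET addresses), the ASNs come from the documentation range 64496-64511, and the small ASN_TABLE stands in for a bulk whois lookup that a real run would make. Unlike the list in the message, which shows one row per IP per day, this version keeps only the earliest hit per IP in the window; that is a design choice here, not a claim about how the original list was built.

```python
"""Turn an Apache access log from a ZeuS redirector into a per-ASN list of
client IPs with first-seen timestamps, in the layout used in the message above.

Added example, not code from the original post or from REN-ISAC.  The log
lines, prefixes and ASNs are constructed (TEST-NET addresses, documentation
ASNs 64496-64511); ASN_TABLE stands in for a bulk whois lookup."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 01/Nov/2009:08:23:35 +0100

# Hypothetical prefix -> (ASN, AS name) table; a real run would query a bulk
# whois service or a local routing-table snapshot instead.
ASN_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"),    64496, "EXAMPLE-ONE - Example University One"),
    (ipaddress.ip_network("198.51.100.0/24"), 64497, "EXAMPLE-TWO - Example University Two"),
    (ipaddress.ip_network("203.0.113.0/25"),  64498, "EXAMPLE-THREE - Example Regional Network"),
]

# Constructed log excerpt: one repeat visitor, one hit before the window,
# one IP that no table entry covers, and one unparsable line.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Nov/2009:08:23:35 +0100] "GET /in.php?id=1 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Nov/2009:08:26:11 +0100] "GET /in.php?id=2 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.10 - - [01/Nov/2009:09:40:02 +0100] "GET /in.php?id=1 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.200 - - [01/Nov/2009:10:01:00 +0100] "GET /in.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.9 - - [30/Oct/2009:23:59:59 +0100] "GET /in.php?id=3 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
garbage line that is not an access-log record
"""

# Start of the reporting window ("the last day or so" in the message); constructed.
WINDOW_START = datetime(2009, 11, 1, tzinfo=timezone(timedelta(hours=1)))


def parse_log(text):
    """Yield (ip_address, aware datetime) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            yield ipaddress.ip_address(m["ip"]), datetime.strptime(m["ts"], TS_FORMAT)
        except ValueError:          # bad address or timestamp: one odd line must not kill the run
            continue


def lookup_asn(ip):
    """Longest-prefix match against ASN_TABLE; (None, 'UNKNOWN') if no prefix covers ip."""
    best = None
    for net, asn, name in ASN_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name)
    return (best[1], best[2]) if best else (None, "UNKNOWN")


def first_seen_by_ip(entries, since):
    """Earliest hit per client IP at or after `since`; older hits are dropped."""
    first = {}
    for ip, ts in entries:
        if ts >= since and (ip not in first or ts < first[ip]):
            first[ip] = ts
    return first


def build_report(log_text, since):
    """Rows of (asn, ip, first_seen, as_name), sorted by ASN then IP; unmapped IPs last."""
    rows = []
    for ip, ts in first_seen_by_ip(parse_log(log_text), since).items():
        asn, name = lookup_asn(ip)
        rows.append((asn, ip, ts, name))
    rows.sort(key=lambda r: (r[0] is None, r[0] or 0, int(r[1])))
    return rows


def format_row(asn, ip, ts, name):
    """One line in the 'ASN | IP | [timestamp] | AS name' layout of the message."""
    return f"{asn if asn is not None else 'NA':<7} | {str(ip):<16} | [{ts.strftime(TS_FORMAT)}] | {name}"


if __name__ == "__main__":
    for row in build_report(SAMPLE_LOG, WINDOW_START):
        print(format_row(*row))
```

Rows whose IP maps to no ASN sort to the bottom rather than being silently dropped, so the analyst sees what still needs a manual lookup before notifications go out; the pre-window hit and the unparsable line are discarded on purpose.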
