[nsp-sec] anybody tracking this domain .. ?

Chris Morrow morrowc at ops-netman.net
Tue Nov 17 16:45:14 EST 2009



On Tue, 17 Nov 2009, Marc Kneppers wrote:

> ----------- nsp-security Confidential --------
>
> Hi
>
> Fishing for info ...
>
> We picked this up as suspicious on our network on a research box - see the resolution list for the domain below. I am tracking info to/from these IPs as best I can on our network but would appreciate any info if you have any.
>
> There is only a single google reference to this (with a 'blocklist'):
> http://www.google.ca/search?hl=en&source=hp&q=h3i1vncrtg.com&btnG=Google+Search&meta=
>


Two of the tested IPs:
online.lloydstsb.co.uk.tw9qye1vpw.com -> 84.224.157.113
www.mybank.alliance-leicester.8gilta3wfm.com -> 78.129.34.87
www.mybank.alliance-leicester.1901289974.com -> 78.129.34.87
www.mybank.alliance-leicester.ggyzhp75xk.com -> 78.129.34.87
www.mybank.alliance-leicester.usp39iaq8n.com -> 78.129.34.87
ibgcx70wwa.com -> 78.129.34.87
www.mybank.alliance-leicester.k4tlp7kirk.com -> 78.129.34.87
www.mybank.alliance-leicester.s5ajleun74.com -> 78.129.34.87
www.mybank.alliance-leicester.prx55uxruy.com -> 78.129.34.87
mybank.alliance-leicester.2x0990485x.com -> 78.129.34.87
mybank.alliance-leicester.en5i2rrx7y.com -> 78.129.34.87
mybank.alliance-leicester.ngnop8r5e8.com -> 78.129.34.87

are Zeus domains... So.. Avalanche sent Zeus-infected thingies?

> Thanks
>
> DNS query and resolution:
> =========================
> h3i1vncrtg.com. seen 9 times, 8 different
>
> 78.129.34.87    ASN:  12392 TTL: 300
> 67.173.183.57   ASN:  33491 TTL: 300
> 84.224.157.113  ASN:   8448 TTL: 300
> 198.211.205.219 ASN:  11915 TTL: 300
> 76.171.147.226  ASN:   7757 TTL: 300
> 69.254.67.43    ASN:  20214 TTL: 300
> 76.201.179.128  ASN:   7132 TTL: 300
> 173.19.26.252   ASN:   6478 TTL: 300
> 24.230.242.35   ASN:      0 TTL: 300
> 67.77.32.172    ASN:  11398 TTL: 300
>
> 66.241.173.212  ASN:  16604 TTL: 300
> 69.133.124.126  ASN:  10796 TTL: 300
> 209.226.138.122 ASN:    577 TTL: 300
> 24.89.210.161   ASN:  11260 TTL: 300
> 164.67.186.62   ASN:     52 TTL: 300
> 129.105.182.163 ASN:    103 TTL: 300
> 75.223.55.159   ASN:   6167 TTL: 300
> 188.36.129.210  ASN:    680 TTL: 300
> 84.224.157.113  ASN:   8448 TTL: 300
> 98.213.85.94    ASN:  33491 TTL: 300
>
> 173.19.26.252   ASN:   6478 TTL: 300
> 207.255.68.141  ASN:  11776 TTL: 300
> 98.213.85.94    ASN:  33491 TTL: 300
> 70.238.141.82   ASN:   7132 TTL: 300
> 84.224.157.113  ASN:   8448 TTL: 300
> 76.25.104.77    ASN:  33652 TTL: 300
> 75.223.55.159   ASN:   6167 TTL: 300
> 67.77.32.172    ASN:  11398 TTL: 300
> 201.255.111.51  ASN:  22927 TTL: 300
> 92.239.25.103   ASN:   5462 TTL: 300
>
> 69.133.124.126  ASN:  10796 TTL: 300
> 129.105.182.163 ASN:    103 TTL: 300
> 76.181.190.2    ASN:  10796 TTL: 300
> 99.154.245.44   ASN:   7132 TTL: 300
> 84.224.157.113  ASN:   8448 TTL: 300
> 89.77.29.153    ASN:   9141 TTL: 300
> 67.173.183.57   ASN:  33491 TTL: 300
> 78.129.34.87    ASN:  12392 TTL: 300
> 67.77.32.172    ASN:  11398 TTL: 300
> 92.254.231.25   ASN:  34610 TTL: 300
>
> 80.217.40.53    ASN:  39651 TTL: 300
> 164.67.186.62   ASN:     52 TTL: 300
> 69.254.67.43    ASN:  20214 TTL: 300
> 68.123.103.61   ASN:   7132 TTL: 300
> 209.226.138.122 ASN:    577 TTL: 300
> 68.112.23.184   ASN:  20115 TTL: 300
> 201.255.111.51  ASN:  22927 TTL: 300
> 24.230.242.35   ASN:      0 TTL: 300
> 198.211.205.219 ASN:  11915 TTL: 300
> 99.154.245.44   ASN:   7132 TTL: 300
>
> 190.105.23.114  ASN:  10318 TTL: 300
> 69.133.124.126  ASN:  10796 TTL: 300
> 69.254.67.43    ASN:  20214 TTL: 300
> 68.112.23.184   ASN:  20115 TTL: 300
> 207.255.68.141  ASN:  11776 TTL: 300
> 71.55.63.64     ASN:  11530 TTL: 300
> 75.223.55.159   ASN:   6167 TTL: 300
> 88.167.29.114   ASN:  12322 TTL: 300
> 76.25.104.77    ASN:  33652 TTL: 300
> 80.217.40.53    ASN:  39651 TTL: 300
>
> 71.55.63.64     ASN:  11530 TTL: 300
> 69.254.67.43    ASN:  20214 TTL: 300
> 69.133.124.126  ASN:  10796 TTL: 300
> 68.112.23.184   ASN:  20115 TTL: 300
> 201.255.111.51  ASN:  22927 TTL: 300
> 84.108.166.70   ASN:   8551 TTL: 300
> 198.211.205.219 ASN:  11915 TTL: 300
> 94.173.46.103   ASN:   5462 TTL: 300
> 24.150.120.91   ASN:   7992 TTL: 300
> 76.201.179.128  ASN:   7132 TTL: 300
>
> 198.211.205.219 ASN:  11915 TTL: 300
> 201.255.111.51  ASN:  22927 TTL: 300
> 207.255.68.141  ASN:  11776 TTL: 300
> 69.89.222.117   ASN:  27334 TTL: 300
> 69.133.124.126  ASN:  10796 TTL: 300
> 83.172.126.157  ASN:  13189 TTL: 300
> 84.108.166.70   ASN:   8551 TTL: 300
> 98.213.85.94    ASN:  33491 TTL: 300
> 99.239.86.254   ASN:    812 TTL: 300
> 174.50.132.75   ASN:   2634 TTL: 300
>
> -
> Marc Kneppers
> Security Architecture, Design Authority
> TELUS
> AS852
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
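As an added example, written for this archive page and not part of either poster's message: a small Python check that reads a resolution dump in the exact "IP  ASN: n  TTL: n" layout Marc posted and scores it for the pattern visible above (a single name answering with many addresses in many origin ASNs, every record carrying a TTL of 300). The SAMPLE below is copied from the first two of the eight answer sets quoted in this thread; the static control record, the treatment of ASN 0 as "unknown", and the flux thresholds are assumptions made here, not values from the thread.

```python
import re
from collections import Counter

# Copied from the first two of the eight answer sets quoted above (h3i1vncrtg.com).
SAMPLE = """\
78.129.34.87    ASN:  12392 TTL: 300
67.173.183.57   ASN:  33491 TTL: 300
84.224.157.113  ASN:   8448 TTL: 300
198.211.205.219 ASN:  11915 TTL: 300
76.171.147.226  ASN:   7757 TTL: 300
69.254.67.43    ASN:  20214 TTL: 300
76.201.179.128  ASN:   7132 TTL: 300
173.19.26.252   ASN:   6478 TTL: 300
24.230.242.35   ASN:      0 TTL: 300
67.77.32.172    ASN:  11398 TTL: 300

66.241.173.212  ASN:  16604 TTL: 300
69.133.124.126  ASN:  10796 TTL: 300
209.226.138.122 ASN:    577 TTL: 300
24.89.210.161   ASN:  11260 TTL: 300
164.67.186.62   ASN:     52 TTL: 300
129.105.182.163 ASN:    103 TTL: 300
75.223.55.159   ASN:   6167 TTL: 300
188.36.129.210  ASN:    680 TTL: 300
84.224.157.113  ASN:   8448 TTL: 300
98.213.85.94    ASN:  33491 TTL: 300
"""

# Constructed negative control (documentation prefix, private-use ASN):
# the same single answer on every lookup, with a long TTL.
STATIC_SAMPLE = """\
192.0.2.10      ASN:  64496 TTL: 86400

192.0.2.10      ASN:  64496 TTL: 86400
"""

LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+ASN:\s*(\d+)\s+TTL:\s*(\d+)\s*$")


def parse_answer_sets(text):
    """Split a dump into answer sets (blank-line separated).
    Returns one list of (ip, asn, ttl) tuples per lookup."""
    sets, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                sets.append(current)
                current = []
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        current.append((m.group(1), int(m.group(2)), int(m.group(3))))
    if current:
        sets.append(current)
    return sets


def flux_stats(sets):
    """Summarise how much the answer set moves between successive lookups."""
    ip_seen = Counter()
    asns, ttls = set(), set()
    new_ips = 0          # addresses in a set that were absent from the previous set
    prev = None
    for s in sets:
        cur = {ip for ip, _, _ in s}
        for ip, asn, ttl in s:
            ip_seen[ip] += 1
            ttls.add(ttl)
            if asn != 0:  # assumption: ASN 0 in the dump means "origin unknown"
                asns.add(asn)
        if prev is not None:
            new_ips += len(cur - prev)
        prev = cur
    return {
        "answer_sets": len(sets),
        "distinct_ips": len(ip_seen),
        "distinct_asns": len(asns),
        "max_ttl": max(ttls) if ttls else None,
        "new_ips_between_sets": new_ips,
        "reused_ips": sum(1 for n in ip_seen.values() if n > 1),
    }


def looks_fast_flux(stats, min_ips=10, min_asns=5, max_ttl=300):
    """Many addresses across many origin networks, all served with short TTLs.
    The thresholds are illustrative assumptions, not values from the thread."""
    return (stats["distinct_ips"] >= min_ips
            and stats["distinct_asns"] >= min_asns
            and stats["max_ttl"] is not None and stats["max_ttl"] <= max_ttl)


if __name__ == "__main__":
    for name, dump in (("h3i1vncrtg.com sample", SAMPLE), ("static control", STATIC_SAMPLE)):
        st = flux_stats(parse_answer_sets(dump))
        print(name, st, "fast-flux?", looks_fast_flux(st))
```

The "new_ips_between_sets" and "reused_ips" figures are the ones worth watching in a resolver log: across the two quoted lookups only 84.224.157.113 comes back, and nine of the ten addresses are fresh, which is what separates a flux name from a CDN name that also answers with many addresses but keeps a stable pool.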