[nsp-sec] 130K+ Infected IPs on ~3600 ASNs
Stephen Gill
gillsr at cymru.com
Thu Oct 1 17:01:45 EDT 2009
You bet!
-- steve
On 10/1/09 12:48 PM, "Gabriel Iovino" <giovino at ren-isac.net> wrote:
> ----------- nsp-security Confidential --------
>
> Stephen Gill wrote:
>> This password stealer head end IP appears to be quite busy:
>>
>> 76.73.37.250
>>
>> We're working w/ the ISP on takedown, however in the meantime here is a list
>> of 130K+ infected IPs seen talking to it primarily via TCP 80 (reporting
>> stolen credentials) and UDP 7006 - UDP 7012. I don't anticipate an IP
>> takedown to last forever because they can likely re-route via DNS.
>
> Can the destination IP address and ports be shared in notifications?
>
> I ask as organizations with NAT/PAT/Proxies will have a tough time with
> identification without a source port OR destination IP.
>
> Thanks
>
> Gabe
>
> --
> Gabriel Iovino
> Principal Security Engineer, REN-ISAC
> http://www.ren-isac.net
> 24x7 Watch Desk +1(317)278-6630
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
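Gabe's point, that a site behind NAT/PAT cannot identify the infected host from a public source IP alone, as an added Python example that is not part of the thread: it parses constructed NAT translation log lines (a hypothetical format, not any real device's), flags flows to the head-end on the ports Stephen lists (TCP 80, UDP 7006-7012), and shows how the set of candidate inside hosts shrinks as the source port and destination IP/port are supplied. The public and inside addresses are made up; only the head-end IP and ports come from the thread.

```python
import re

# Constructed NAT/PAT translation log (hypothetical format, not from any real
# device): time proto inside_ip:port -> public_ip:port -> dest_ip:port
NAT_LOG = """\
2009-10-01T16:55:01Z tcp 10.20.5.17:3107 -> 203.0.113.10:51422 -> 76.73.37.250:80
2009-10-01T16:55:08Z udp 10.20.5.42:1029 -> 203.0.113.10:40211 -> 76.73.37.250:7008
2009-10-01T16:55:10Z tcp 10.20.5.99:4410 -> 203.0.113.10:51430 -> 198.51.100.7:443
2009-10-01T16:56:30Z tcp 10.20.5.99:4412 -> 203.0.113.10:51431 -> 76.73.37.250:80
"""

LINE_RE = re.compile(
    r"^(\S+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+) -> (\S+):(\d+)$")

C2_IP = "76.73.37.250"                                    # head-end named in the thread
C2_PORTS = {"tcp": {80}, "udp": set(range(7006, 7013))}  # TCP 80, UDP 7006-7012


def parse_nat_log(text):
    """Turn each translation line into a dict; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, proto, in_ip, in_port, pub_ip, pub_port, dst_ip, dst_port = m.groups()
            records.append({"ts": ts, "proto": proto, "inside": in_ip,
                            "pub_ip": pub_ip, "pub_port": int(pub_port),
                            "dst_ip": dst_ip, "dst_port": int(dst_port)})
    return records


def is_c2_flow(rec):
    """True if the translated flow goes to the head-end on a port the thread lists."""
    return rec["dst_ip"] == C2_IP and rec["dst_port"] in C2_PORTS[rec["proto"]]


def inside_hosts(records, src_ip, src_port=None, dst_ip=None, dst_port=None):
    """Inside hosts behind public src_ip consistent with the notification fields.
    Fewer fields give a larger candidate set; that is the ambiguity Gabe describes."""
    hits = [r for r in records if r["pub_ip"] == src_ip
            and (src_port is None or r["pub_port"] == src_port)
            and (dst_ip is None or r["dst_ip"] == dst_ip)
            and (dst_port is None or r["dst_port"] == dst_port)]
    return sorted({r["inside"] for r in hits})
```

With only the public source IP every host that used that address is a candidate; with the source port, or the destination IP plus port, the match collapses to one inside host.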