[nsp-sec] 130K+ Infected Ips on ~3600 ASNs
Scott A. McIntyre
scott at xs4all.net
Fri Oct 2 03:21:00 EDT 2009
Hi all,
> A couple of the URLs in question came from:
>
> hxxp://hotshows.org/1.exe
> hxxp://lmageshack.org/img/imgrav.jpg
We've also found customers grabbing:
hxxp:// lmageshack. org/img/imgaen.jpg
hxxp:// lmageshack. org/img/imgxoor.jpg
hxxp:// lmageshack. org/img/imglmtr.jpg
Further, the UDP packets look like so:
08:38:19.173568 IP x > 76.73.37.250.7011: UDP, length 3
0x0000: 4500 001f 04c3 0000 7d11 e9e8 525d 8a82 E.......}...R]..
0x0010: 4c49 25fa 2be8 1b63 000b 288c 80dd c000 LI%.+..c..(.....
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
08:38:19.376708 IP x > 76.73.37.250.7006: [|rx] (1)
0x0000: 4500 001d 0ecf 0000 7d11 5bdd 5064 107d E.......}.[.Pd.}
0x0010: 4c49 25fa 48bb 1b5e 0009 cb9d fd00 0000 LI%.H..^........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
08:38:19.433290 IP x > 76.73.37.250.7009: [|rx] (3)
0x0000: 4500 001f b457 0000 7c11 81f4 3efb 5744 E....W..|...>.WD
0x0010: 4c49 25fa eff3 1b61 000b 0859 80a7 6300 LI%....a...Y..c.
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
08:38:20.321911 IP x > 76.73.37.250.7010: UDP, length 1
0x0000: 4500 001d b1d8 0000 7d11 d4d5 525f f27f E.......}...R_..
0x0010: 4c49 25fa 9396 1b62 0009 dcc0 bd00 0000 LI%....b........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
Regards,
Scott A. McIntyre
XS4ALL Internet B.V.
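
A decoder for the hex dump above, as an added example that is not part of the original message: it rebuilds packets from the dump rows and returns the destination, UDP port and real payload, using the IP and UDP length fields to drop the trailing zero padding. The sample holds the first two packets from the message with the source address bytes replaced by 192.0.2.1 (constructed); the function names are hypothetical.

```python
import ipaddress
import re
import struct

# First two packets from the message's dump; the source address bytes are
# replaced with 192.0.2.1 (constructed), so the IP header checksums no longer match.
SAMPLE = """\
0x0000: 4500 001f 04c3 0000 7d11 e9e8 c000 0201 E.......}.......
0x0010: 4c49 25fa 2be8 1b63 000b 288c 80dd c000 LI%.+..c..(.....
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
0x0000: 4500 001d 0ecf 0000 7d11 5bdd c000 0201 E.......}.[.....
0x0010: 4c49 25fa 48bb 1b5e 0009 cb9d fd00 0000 LI%.H..^........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
"""

ROW = re.compile(r"^\s*0x([0-9a-f]{4}):\s+((?:[0-9a-f]{2,4} ){1,8})", re.I)

def packets_from_dump(text):
    """Rebuild raw packets from hex dump rows; offset 0x0000 starts a new packet."""
    packets = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # timestamp and summary lines carry no packet bytes
        if int(m.group(1), 16) == 0:
            packets.append(bytearray())
        if packets:
            packets[-1] += bytes.fromhex(m.group(2).replace(" ", ""))
    return [bytes(p) for p in packets]

def udp_summary(pkt):
    """Return (dst_ip, dst_port, payload) for an IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl + 8 or total_len > len(pkt):
        return None
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if udp_len < 8:
        return None
    end = min(total_len, ihl + udp_len)  # bytes past this are link-layer padding
    return str(ipaddress.IPv4Address(pkt[16:20])), dport, pkt[ihl + 8:end]

if __name__ == "__main__":
    for dst, dport, payload in map(udp_summary, packets_from_dump(SAMPLE)):
        print(f"{dst}:{dport} payload={payload.hex()} ({len(payload)} bytes)")
```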