[nsp-sec] List of bots distributing infecting iframe - ACK 855 + Details

Rob Thomas robt at cymru.com
Fri Oct 30 17:56:25 EDT 2009


Hey, Gerard.

> AS      | IP               | AS Name
> 40935   | 209.31.180.44    | RELYNET - RelyNet Inc.

209.31.180.44 appears to be a Windows box.

> 36351   | 206.217.205.156  | SOFTLAYER - SoftLayer Technologies Inc.

206.217.205.156 was serving up malware recently.

      timestamp      |       ip        |  asn  |  category  |                       comment
--------------------- ----------------- ------- ------------ -----------------------------------------------------
 2009-10-14 03:51:41 | 206.217.205.156 | 36351 | malwareurl | hxxp://linkertaguboert.com/SYU1NS0HK/5Ids4y0u4M3e0L

We see a few DNS RRs pointed to 206.217.205.156.

        stamp        |          qname          | class | type |      rdata
--------------------- ------------------------- ------- ------ -----------------
 2009-10-13 01:21:07 | linkertaguboert.com     | IN    | A    | 206.217.205.156
 2009-10-13 06:42:29 | utorgtanedoskaw.com     | IN    | A    | 206.217.205.156
 2009-10-15 19:05:58 | ns4.utorgtanedoskaw.com | IN    | A    | 206.217.205.156
 2009-10-15 19:05:58 | ns3.utorgtanedoskaw.com | IN    | A    | 206.217.205.156
 2009-10-20 04:35:12 | bf.ultima2009.info      | IN    | A    | 206.217.205.156

206.217.205.156 appears to be a Red Hat Linux box running Apache 2.2.3
with PHP 5.1.6.

We have a few samples in our malware menagerie that point to
206.217.205.156.

      timestamp      |                   sha1                   |               md5                |     dst_ip      | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- ----------------- ---------- ---------- ------
 2009-10-12 23:43:05 | 882368a92132b32aed88c282761c2a038f0ab0aa | 65296714dbd7515bcebb3f90657d0955 | 206.217.205.156 |       80 |        6 |
 2009-10-13 00:21:46 | bfed3bdca9990a4fa00311261db7fa8d6560be20 | 925693c15a1cbd6e1a001f1b81c7c6f3 | 206.217.205.156 |       80 |        6 |
 2009-10-13 01:20:27 | 5d4b841ab6b7472859e1e9e1cd6031c995ae975c | ee6e29d85f96c7528902c6ec70011421 | 206.217.205.156 |       80 |        6 |
 2009-10-13 01:34:21 | c5b1992f8cb629eb98c3b74e9e8a17d1a9d19b5f | dbb28303ce6fec087d145aa4b1070117 | 206.217.205.156 |       80 |        6 |
 2009-10-13 05:26:06 | f8ae56817430f84294f78794e28c5f8ba3827865 | 7cfb43232d2cb2442b80020f47f5eb1a | 206.217.205.156 |       80 |        6 |
 2009-10-13 08:50:49 | a71bb6c5d0f88288a1475620ac67fd8b051c623b | 4314d12182ff272684e8d590862f45fb | 206.217.205.156 |       80 |        6 |
 2009-10-13 09:36:21 | 6410819288aa13ffa836586a5bc375679ca74399 | 781b6d91725e206cd66348aa754e5b39 | 206.217.205.156 |       80 |        6 |
 2009-10-13 09:36:22 | 4307a2710b82771d29234422b173c087f249be2f | f7d4d494273d427176639c563f2432c3 | 206.217.205.156 |       80 |        6 |
 2009-10-13 10:27:24 | b753d4c6e344c40d93ad0e0524e310ec9144d278 | bd833567f7bf9e50982d0a7cf3e56bf0 | 206.217.205.156 |       80 |        6 |
 2009-10-13 10:29:15 | cc42fa1c510d8f8e247883a0248a0edda67b411f | 452aab2ac502327bd3420de0abefe318 | 206.217.205.156 |       80 |        6 |
 2009-10-13 10:50:05 | 3f158a8d81a7d2721538aa0b9de7b7107525d976 | b4964ace77fd6c4d1cb800138be6037c | 206.217.205.156 |       80 |        6 |
 2009-10-13 12:35:21 | 26549302a6a4ab039d46e295d179f22192ac7e8b | 363e5e75e8c8800c6fe2daf1471a845a | 206.217.205.156 |       80 |        6 |
 2009-10-13 14:50:04 | ed567b3bab4730ec6cabf571fe534d3f2714a9d9 | 5b457939d95b0129c5031a738c9ad4d3 | 206.217.205.156 |       80 |        6 |
 2009-10-13 17:24:02 | f161c8ff4ac356f1ebf0d07823c4690d02fcd407 | bc8f0c52c56df2252ae7d2e74eb1a240 | 206.217.205.156 |       80 |        6 |
 2009-10-13 17:33:48 | 59f605a9139bd7d1c19bf08b4ed79af5efe7f0e5 | b895fcd2cc0288c54576a76d1cb230f4 | 206.217.205.156 |       80 |        6 |
 2009-10-13 17:34:08 | 7639096543e5ea2948882504a0832fca7755a201 | 356bdcbfddd3485f3e10e2386653a9fa | 206.217.205.156 |       80 |        6 |
 2009-10-13 18:27:47 | 2c4da2d4eadda518453b4c018a05c7cf1508cc98 | 8c01c3d6b51ee39521385f7a36c515dd | 206.217.205.156 |       80 |        6 |
 2009-10-13 18:27:57 | a9a2886d49452c0a7beeeab6dfdf7f5f96a174ca | ebd85b5a1fa1acc0e48ca09ce4d6d56e | 206.217.205.156 |       80 |        6 |
 2009-10-13 18:35:14 | 884e0c02a64d6525e6515bf490315eed70912c09 | f2b2701e44ee6bcfdc70066316a9cce4 | 206.217.205.156 |       80 |        6 |
 2009-10-13 18:36:30 | 582cfc5be3ce7a2c38b41073510ccbc329c93d4f | 40725059ae0f0a1301bc2622c1c4fff6 | 206.217.205.156 |       80 |        6 |
 2009-10-13 18:36:42 | 8d120b13293073467e860b83f2201a52487b7f97 | ae6c8eb1c67ceffd6aa3f381050e5e25 | 206.217.205.156 |       80 |        6 |
 2009-10-13 18:38:12 | 7defb2ddafbe481f8df5953c8aa5f9bd8947d364 | ab87d400dac1e3cb26290d0275af6293 | 206.217.205.156 |       80 |        6 |
 2009-10-13 18:38:14 | eee8bcaa49f575f391b520769af39b6b0bd880a4 | 9ad958c75b20abe17c88b5752f3e51d4 | 206.217.205.156 |       80 |        6 |
 2009-10-13 18:39:21 | 50bc147bbaed1abe3e19c1a478d0be1e44698fe3 | e5006469586e4bf62a7108178a1e372a | 206.217.205.156 |       80 |        6 |
 2009-10-13 18:39:24 | b9f7caa8f08f21a761571c1a8320dd59a0bf7898 | 3d3c588f617c704231d8543658d21290 | 206.217.205.156 |       80 |        6 |
 2009-10-13 18:42:03 | 4081052985c7141f9950de721dd70d49a38fa028 | 81f6027cc5d775cebda4c21c32899e6e | 206.217.205.156 |       80 |        6 |
 2009-10-13 18:50:31 | 14cd82b260009ad882e1d6baefc1622b92cbd629 | ceaaa2062ed9f57d30d5244c1a5e3a60 | 206.217.205.156 |       80 |        6 |
 2009-10-13 19:24:38 | 851dca659bd3c30450c35274297e4d751e121da9 | b3c74cf18de92dcf2bd40c1b552e72ff | 206.217.205.156 |       80 |        6 |
 2009-10-13 21:21:07 | d29a92ab27572190016e26dce2bd30fee49a14f1 | ee1aa72361fa8bd094daf7b0644d4d05 | 206.217.205.156 |       80 |        6 |
 2009-10-14 00:29:06 | 17abddadfd8fa3f361ed9a9655f7e225b5dc2f4a | 365109da3da1ca7d2c9ec998b3b8101a | 206.217.205.156 |       80 |        6 |
 2009-10-14 03:37:17 | 4fd7b386d5f9e23a3c1c756eb53b1a6720323f9c | 446ded399cb69109787acbd20e843850 | 206.217.205.156 |       80 |        6 |
 2009-10-14 09:33:18 | 76352a08860ec19d09872d9466131378739ea28c | c6890b670058859c23b1880d1a9846ae | 206.217.205.156 |       80 |        6 |
 2009-10-14 15:26:06 | c63943fae199deb553e495533330d46598a825bf | 599e1aaa831fd3221593ade39ff5620a | 206.217.205.156 |       80 |        6 |
 2009-10-14 17:23:56 | a1c3a653c7ae95527e6e22f9348e4d759a7bfc2c | 6c54cab14c30cc6df73f77e01fa0b895 | 206.217.205.156 |       80 |        6 |
 2009-10-14 18:21:30 | 4f23f7365c20b36c00392b4f8cdf8e677828b105 | a84b472702714c791d8e77ae61218205 | 206.217.205.156 |       80 |        6 |
 2009-10-14 18:31:00 | 670d55426b2fe412d358f9221ce7bfd8e3f0cc93 | 70d7edf93dfcaed905a546affcbe3831 | 206.217.205.156 |       80 |        6 |  353
 2009-10-14 20:20:56 | 7e1bfe3afca77e0eefebe71b85e93ef5d6b3cd60 | 06381dd75a3dd4e146e08457c234dfb6 | 206.217.205.156 |       80 |        6 |

> Happy Halloween, eh?

Yep, and that second one is a goblin!

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
https://www.team-cymru.org/
ASSERT(coffee != empty);
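The pivot Rob does by hand above (one IP, then the malware-URL sightings, the passive-DNS A records and the samples that phoned home to it) is easy to script once the records are in a regular layout. The block below is an added example, not Team Cymru's tooling: it parses a few rows constructed from the message in the same pipe-delimited layout (trimmed, plus one unrelated decoy row on 192.0.2.1 so the filter has something to exclude), refangs the spaced "h x x p : / /" URL, groups qnames under a naive two-label apex (no public-suffix list) and reports the first and last time any source saw the host.

```python
"""Pivot on one IP across the three record types in the message above
(malware URL sightings, passive-DNS A records, samples that contacted the
host).  Added example, not Team Cymru code: rows are constructed from the
message (trimmed, plus one decoy row) and parsing is specific to this
pipe-delimited layout."""
import re
from datetime import datetime

# Constructed input: a subset of the rows shown above, one record per line,
# columns in the order of the original headers.
MALWAREURL_ROWS = """
2009-10-14 03:51:41 | 206.217.205.156 | 36351 | malwareurl | h x x p : / / linkertaguboert.com/SYU1NS0HK/5Ids4y0u4M3e0L
"""

PDNS_ROWS = """
2009-10-13 01:21:07 | linkertaguboert.com | IN | A | 206.217.205.156
2009-10-13 06:42:29 | utorgtanedoskaw.com | IN | A | 206.217.205.156
2009-10-15 19:05:58 | ns4.utorgtanedoskaw.com | IN | A | 206.217.205.156
2009-10-15 19:05:58 | ns3.utorgtanedoskaw.com | IN | A | 206.217.205.156
2009-10-20 04:35:12 | bf.ultima2009.info | IN | A | 206.217.205.156
2009-10-20 05:00:00 | decoy.example | IN | A | 192.0.2.1
"""

SAMPLE_ROWS = """
2009-10-12 23:43:05 | 882368a92132b32aed88c282761c2a038f0ab0aa | 65296714dbd7515bcebb3f90657d0955 | 206.217.205.156 | 80 | 6 |
2009-10-13 00:21:46 | bfed3bdca9990a4fa00311261db7fa8d6560be20 | 925693c15a1cbd6e1a001f1b81c7c6f3 | 206.217.205.156 | 80 | 6 |
2009-10-14 18:31:00 | 670d55426b2fe412d358f9221ce7bfd8e3f0cc93 | 70d7edf93dfcaed905a546affcbe3831 | 206.217.205.156 | 80 | 6 | 353
2009-10-14 20:20:56 | 7e1bfe3afca77e0eefebe71b85e93ef5d6b3cd60 | 06381dd75a3dd4e146e08457c234dfb6 | 206.217.205.156 | 80 | 6 |
"""


def parse_rows(text):
    """Split pipe-delimited lines into lists of stripped fields; blank lines skipped."""
    return [[f.strip() for f in line.split("|")]
            for line in text.splitlines() if line.strip()]


def refang(url):
    """Undo the defanging used in the message ('h x x p : / /' or 'hxxp://')
    so the URL can be fed to a lookup.  All whitespace is removed, so only
    use this on URLs that were defanged by spacing, as here."""
    joined = "".join(url.split())
    return re.sub(r"^hxxp(s?)://", r"http\1://", joined, flags=re.IGNORECASE)


def apex(qname):
    """Naive two-label apex (no public-suffix list): ns3.a.com -> a.com."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def pivot(ip):
    """Collect everything the three tables say about one IP, plus the
    first and last time any of the sources saw it."""
    urls = [r for r in parse_rows(MALWAREURL_ROWS) if r[1] == ip]
    dns = [r for r in parse_rows(PDNS_ROWS) if r[3] == "A" and r[4] == ip]
    samples = [r for r in parse_rows(SAMPLE_ROWS) if r[3] == ip]
    stamps = [_ts(r[0]) for r in urls + dns + samples]
    return {
        "ip": ip,
        "asn": sorted({r[2] for r in urls}),
        "urls": [refang(r[4]) for r in urls],
        "qnames": sorted(r[1] for r in dns),
        "apexes": sorted({apex(r[1]) for r in dns}),
        "sample_sha1": [r[1] for r in samples],
        "dst_port_proto": sorted({(int(r[4]), int(r[5])) for r in samples}),
        "first_seen": min(stamps).isoformat(sep=" ") if stamps else None,
        "last_seen": max(stamps).isoformat(sep=" ") if stamps else None,
    }


if __name__ == "__main__":
    for key, value in pivot("206.217.205.156").items():
        print(f"{key:>15}: {value}")
```

The apex grouping is what turns five qnames into three registrations worth a WHOIS look (the two ns3/ns4 records are the same domain hosting its own nameservers on the malware box); swap in a public-suffix list before trusting it on anything under a multi-label suffix such as co.uk.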