[nsp-sec] Credential dropbox at AS 5413 ??
Rob Thomas
robt at cymru.com
Wed Sep 16 15:35:13 EDT 2009
Hi, team.
> Fwiw, this site evidently has been a drop box since at least 24
> August 2009 (.net and .com both resolve to the same IP address currently).
Wow, it is an impressive IP! We see several phishing sites hosted on
194.154.164.82, and a total of 150 incidents (hosted badness) tied to it
for 2009.
We see 3307 DNS RRs pointed at 194.154.164.82 in 2009-08 and 2198 DNS
RRs in 2009-09. Many of them have phishy-sounding names. Examples:
stamp               | qname                                | class | type | rdata
--------------------+--------------------------------------+-------+------+----------------
2009-08-20 00:45:57 | 100kcashprofits.com                  | IN    | A    | 194.154.164.82
2009-08-05 08:26:54 | payecheck.com                        | IN    | A    | 194.154.164.82
2009-08-30 05:40:49 | paypal-fr.com                        | IN    | A    | 194.154.164.82
2009-08-21 22:05:56 | www.paypal-intle.com                 | IN    | A    | 194.154.164.82
2009-09-03 19:26:02 | paypal-restore.com                   | IN    | A    | 194.154.164.82
2009-08-30 19:30:13 | www.cb-citibank.com                  | IN    | A    | 194.154.164.82
2009-08-30 19:30:56 | www.citibank-accounts.com            | IN    | A    | 194.154.164.82
2009-08-22 02:20:54 | www.mutebank.co.uk                   | IN    | A    | 194.154.164.82
2009-09-08 20:27:43 | www.secure-bankofamerica-sitekey.com | IN    | A    | 194.154.164.82
[ ... ]
Et cetera. If anyone would like the list, please let me know.
It appears to be running Microsoft IIS 6.0.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
ASSERT(coffee != empty);
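The post above triages a suspected drop-box IP by looking at passive DNS records that resolve to it and picking out brand-lookalike names. The following is an added example of that triage step, not code from the original post or from Team Cymru: it parses a pipe-delimited passive-DNS dump of the shape shown in the mail (one record per line, not wrapped), groups A records by the address they point to, and flags query names that mention a watched brand token. The brand token list, the record format, and the sample data (using the documentation address 192.0.2.82) are all constructed for the example.

```python
"""
Added example (not from the nsp-sec post): parse a passive-DNS dump shaped like
'stamp | qname | class | type | rdata', bucket A records by rdata, and flag
brand-lookalike query names for analyst triage.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    stamp: str
    qname: str
    rclass: str
    rtype: str
    rdata: str


# Hypothetical watch list; a real deployment would load this from config.
BRAND_TOKENS = ("paypal", "citibank", "bankofamerica", "bank")

_STAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")


def parse_pdns(text: str) -> list[DnsRecord]:
    """Parse the dump, skipping the header, separator rules and truncation markers."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        # A data row has exactly five fields and starts with a timestamp.
        if len(parts) != 5 or not _STAMP_RE.match(parts[0]):
            continue
        records.append(DnsRecord(*parts))
    return records


def hostname_without_www(qname: str) -> str:
    """Normalise a query name: lowercase, strip trailing dot and a leading 'www.'."""
    name = qname.lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def is_brand_lookalike(qname: str) -> bool:
    """True when the name contains one of the watched brand tokens."""
    name = hostname_without_www(qname)
    return any(tok in name for tok in BRAND_TOKENS)


def group_a_records(records: list[DnsRecord]) -> dict[str, list[DnsRecord]]:
    """Bucket A records by the IP they resolve to (other types are ignored)."""
    groups: dict[str, list[DnsRecord]] = defaultdict(list)
    for r in records:
        if r.rtype == "A":
            groups[r.rdata].append(r)
    return dict(groups)


def suspicious_names(records: list[DnsRecord], ip: str) -> list[str]:
    """Sorted unique qnames pointing at ip that look like brand impersonation."""
    hits = {r.qname for r in group_a_records(records).get(ip, [])
            if is_brand_lookalike(r.qname)}
    return sorted(hits)


def ip_summary(records: list[DnsRecord]) -> dict[str, tuple[int, int]]:
    """Per IP: (number of A records, number of brand-lookalike A records)."""
    return {ip: (len(rs), len(suspicious_names(records, ip)))
            for ip, rs in group_a_records(records).items()}


# Constructed sample dump; 192.0.2.0/24 is reserved for documentation.
SAMPLE = """\
stamp               | qname                    | class | type | rdata
--------------------+--------------------------+-------+------+------------
2009-08-20 00:45:57 | 100kcashprofits.example  | IN    | A    | 192.0.2.82
2009-08-30 05:40:49 | paypal-fr.example        | IN    | A    | 192.0.2.82
2009-08-21 22:05:56 | www.paypal-intle.example | IN    | A    | 192.0.2.82
2009-08-30 19:30:13 | www.cb-citibank.example  | IN    | A    | 192.0.2.82
2009-08-22 02:20:54 | www.mutebank.co.example  | IN    | A    | 192.0.2.82
2009-09-01 10:00:00 | mail.unrelated.example   | IN    | MX   | 192.0.2.82
2009-09-02 11:00:00 | benign.example           | IN    | A    | 192.0.2.99
[ ... ]
"""

if __name__ == "__main__":
    recs = parse_pdns(SAMPLE)
    for ip, (total, bad) in sorted(ip_summary(recs).items()):
        print(f"{ip}: {total} A records, {bad} brand-lookalike names")
    for name in suspicious_names(recs, "192.0.2.82"):
        print("  ", name)
```

The token match is deliberately loose (a substring on the hostname), which is what an analyst wants for a first pass over a few thousand records; the output is a candidate list to eyeball, not a verdict.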