[nsp-sec] 37K+ Host Grum Botnet
Stephen Gill
gillsr at cymru.com
Thu Sep 24 17:21:50 EDT 2009
Yes they can.
For the record there were a couple other target IPs+ports there as well,
though considerably smaller in size.
209.160.20.34:80
209.160.72.146:80
-- steve
On 9/24/09 2:18 PM, "Gabriel Iovino" <giovino at ren-isac.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Stephen Gill wrote:
>> ----------- nsp-security Confidential --------
>>
>> Hi Team,
>>
>> Please visit the following URL for infected IPs in your network seen
>> chatting up with this Grum spam botnet head end: 209.160.73.60:80
>>
>> Timestamps in GMT, last seen times only, though there were several hits per
>> IP in the short time we received the data for.
>
> Can the destination IP address and port be shared in notifications?
>
> I ask as organizations with NAT/PAT/Proxies will have a tough time with
> identification without a source port OR destination IP.
>
> Thanks
>
> Gabe
>
> - --
> Gabriel Iovino
> Principal Security Engineer, REN-ISAC
> http://www.ren-isac.net
> 24x7 Watch Desk +1(317)278-6630
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkq74icACgkQwqygxIz+pTvJJACfZrbSeR2aoqlLF/TCTB7FNCLa
> 2qcAnA9aitwkxsWeX4Ij5HjfA6QdBkcW
> =2i4A
> -----END PGP SIGNATURE-----
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
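
The identification problem raised in the quoted question, as an added example that is not part of the original thread: matching a notification against NAT translation records with and without the destination IP:port or source port. The log layout, the internal and public addresses, the timestamps and the function name are assumptions constructed for illustration; only the destination 209.160.73.60:80 comes from the announcement.

```python
from datetime import datetime, timedelta, timezone

def _t(s):
    # Notification timestamps are GMT, so parse everything as UTC.
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed NAT translation log (hypothetical layout):
# (start, end, internal_ip, public_ip, public_src_port, dst_ip, dst_port)
NAT_LOG = [
    (_t("2009-09-24 16:58:10"), _t("2009-09-24 17:02:40"),
     "10.1.4.17", "192.0.2.10", 40112, "209.160.73.60", 80),
    (_t("2009-09-24 16:59:00"), _t("2009-09-24 17:01:30"),
     "10.1.9.52", "192.0.2.10", 40377, "198.51.100.25", 80),
    (_t("2009-09-24 17:00:05"), _t("2009-09-24 17:03:00"),
     "10.1.7.203", "192.0.2.10", 41950, "198.51.100.80", 443),
    # Same public source port reused hours earlier by another host.
    (_t("2009-09-24 12:00:00"), _t("2009-09-24 12:05:00"),
     "10.1.2.9", "192.0.2.10", 40112, "203.0.113.5", 80),
]

def candidates(log, public_ip, seen, dst=None, src_port=None,
               skew=timedelta(seconds=60)):
    """Return internal IPs whose translations match a notification.

    dst is an optional (ip, port) tuple and src_port the optional public
    source port. skew tolerates clock drift between reporter and NAT device.
    """
    hits = set()
    for start, end, internal, pub, sport, dip, dport in log:
        if pub != public_ip:
            continue
        if not (start - skew <= seen <= end + skew):
            continue
        if dst is not None and (dip, dport) != dst:
            continue
        if src_port is not None and sport != src_port:
            continue
        hits.add(internal)
    return sorted(hits)

SEEN = _t("2009-09-24 17:00:30")  # constructed "last seen" time

if __name__ == "__main__":
    print("timestamp only :", candidates(NAT_LOG, "192.0.2.10", SEEN))
    print("with dst ip:port:", candidates(NAT_LOG, "192.0.2.10", SEEN,
                                          dst=("209.160.73.60", 80)))
    print("with src port  :", candidates(NAT_LOG, "192.0.2.10", SEEN,
                                          src_port=40112))
```

With only the public IP and timestamp, every host translating at that moment is a candidate; either extra field narrows the match to one internal address.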