[nsp-sec] DDoS RS addition request - 91.205.17.4 port 8788/TCP botnet C2
Nicholas Ianelli
ni at centergate.net
Sat Jun 12 20:48:52 EDT 2010
> Sorry for the delayed reply. I had this note queued up yesterday but
> had something interrupt.
>
> This IP was added to the ddosrs on 0608, and its neighbor 91.205.17.5
> (related to the same crew etc, probably same host) added on 0610.

No worries my man, thanks for taking care of this!

Yeah, same crew. Their MO is to move from one IP to the next within the
same /24. They were using 91.205.17.3 recently as well.

Here are the DNS RRs tied to some of their malware:
Thanks!
Nick
--
Nicholas Ianelli: Neustar, Inc.
Security Operations
46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz