[nsp-sec] DDoS RS addition request - 91.205.17.4 port 8788/TCP botnet C2
Tim Wilde
twilde at cymru.com
Mon Jun 14 14:08:48 EDT 2010
On 6/12/2010 8:48 PM, Nicholas Ianelli wrote:
> No worries my man, thanks for taking care of this!
>
> Yeah, same crew. Their MO is to move from one IP to the next within the
> same /24. They were using 91.205.17.3 recently as well.
>
> Here are the DNS RRs tied to some of their malware:
>
> webdev.gpdvinc.com
> emt.gatuzo.net
> wbdv3.ptgdevinc.com
> chat.haraldmark.com
> video.jizzstars.com
> talk.purplelots.com
> ns01.jizzshow.com
Hey Nick,
These are some oldies but goodies - we've had talk.purplelots.com in the
DNSRR file since 2007! There were a couple here that we hadn't come
across or listed before (all pointing to emt.gatuzo.net and the same IP
today), so I've gone ahead and added them to our tracking, as well as
getting the current IP on that /24 (91.205.17.6) added to the DDoS-RS.
Note that they're currently using TCP/1311, which is the common port
we've seen on all of these RRs in the past. We'll keep tracking 'em as
they bounce around and trying to keep 'em on the list, but feel free to
send us a direct ping if you notice a change we haven't followed yet,
and we'll get it prioritized.
Thanks,
Tim
--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
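The tracking problem described in the thread (C2 hosts hopping between addresses inside one /24 while the same set of DNS RRs follows them, and the port seen per RR) can be handled with a small passive-DNS diff. This is an added example, not code from the list post or from Team Cymru; the hostnames and IPs are the ones named in the thread, but the day numbers and the host/IP pairings are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample passive-DNS observations (not real data):
# (day, hostname, resolved IP, C2 port observed). Hostnames and IPs are
# the ones named in the thread; the days and the pairings are invented.
OBSERVATIONS = [
    (1, "emt.gatuzo.net", "91.205.17.3", 1311),
    (1, "talk.purplelots.com", "91.205.17.3", 1311),
    (2, "emt.gatuzo.net", "91.205.17.4", 8788),
    (3, "emt.gatuzo.net", "91.205.17.6", 1311),
    (3, "webdev.gpdvinc.com", "91.205.17.6", 1311),
]


def block24(ip):
    """Return the /24 containing ip, e.g. '91.205.17.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def ip_moves(observations):
    """For each hostname, list every change of resolved IP in day order and
    note whether the move stayed inside the same /24 (the MO in the thread)."""
    history = defaultdict(list)
    for day, host, ip, port in sorted(observations):
        history[host].append((day, ip, port))
    moves = []
    for host, entries in history.items():
        for (_, old_ip, _), (day, new_ip, port) in zip(entries, entries[1:]):
            if old_ip != new_ip:
                moves.append({"host": host, "day": day, "from": old_ip, "to": new_ip,
                              "same_24": block24(old_ip) == block24(new_ip),
                              "port": port})
    return moves


def current_targets(observations):
    """Per /24: the IP seen on the most recent day, plus the hostnames and
    ports observed on it. That is the one entry worth refreshing on a list
    such as the DDoS-RS when the crew moves again."""
    by_block = defaultdict(list)
    for obs in sorted(observations):
        by_block[block24(obs[2])].append(obs)
    result = {}
    for blk, obs in by_block.items():
        newest = max(day for day, *_ in obs)
        today = [o for o in obs if o[0] == newest]
        ip = today[0][2]  # assumes one C2 IP per block per day, as in the thread
        result[blk] = {"ip": ip,
                       "hosts": sorted({h for _, h, i, _ in today if i == ip}),
                       "ports": sorted({p for _, _, i, p in today if i == ip})}
    return result
```

Running `ip_moves` on the sample shows emt.gatuzo.net moving .3 to .4 to .6 without leaving 91.205.17.0/24, and `current_targets` collapses the block to the single current address (.6 on TCP/1311) and the RRs pointing at it.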