[nsp-sec] Malware issue at AS45753: someone could ping me offlist
Carles Fragoso
cfragoso at cesicat.cat
Thu Mar 4 10:26:58 EST 2010
Hi José,
Yes, I know. I sent an email to NSP-SEC based on this issue on February 11th where at that point it was located at Netdirect:
Hi!
One of our customers is dealing with some malware (possible botnet C&C) located at domains....
nt004.cn
nt010.cn
nt202.cn
... which are pointing at ...
AS | IP | AS Name
28753 | 188.72.230.28 | NETDIRECT AS NETDIRECT Frankfurt, DE
Any help there from AS28753? :)
-- Carlos Fragoso (AS39551)
Thomas from CERT-Bund answered about it when the domains started to point to 1.1.1.1.
Now it seems it has moved to 112.121.181.42.
If you can send me the sample that came in from hxxp://nt11.co.in/21 it would be great.
Thanks!
-- Carlos
On Mar 4, 2010, at 3:39 PM, jose nazario wrote:
On Mar 4, 2010, at 9:36 AM, jose nazario wrote:
i have a sample that came in from hxxp://nt11.co.in/21
FWIW this domain name used to reside in germany, on NetDirekt:
2010-02-18 20:40:39 nt11.co.in A 112.121.181.42
2010-02-11 23:22:09 nt11.co.in A 188.72.230.28
AS | IP | AS Name
28753 | 188.72.230.28 | NETDIRECT AS NETDIRECT Frankfurt, DE
_____________________________
jose nazario, ph.d. jose at arbor.net
manager of security research, arbor networks
http://asert.arbor.net/