[nsp-sec] Botnet C&C at AS44347 (188.65.49.11)
Carles Fragoso
cfragoso at cesicat.cat
Mon May 3 15:58:12 EDT 2010
Hi Donald,
We have several alerts (about 80) that appeared at the IPS of one of our customers, starting at ...
Mon May 03 13:31:03 CEST 2010
... and ending at ...
Mon May 03 17:27:31 CEST 2010
I can get more evidence data such as TCP flows content from alerts.
-- Carlos
________________________________________
From: Smith, Donald [Donald.Smith at qwest.com]
Sent: Monday, 3 May 2010 21:45
To: Carles Fragoso; 'nsp-security at puck.nether.net'
Subject: RE: Botnet C&C at AS44347 (188.65.49.11)
I looked for any traffic towards that IP and didn't see any since the beginning of this month?
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Carles Fragoso
> Sent: Monday, May 03, 2010 6:36 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Botnet C&C at AS44347 (188.65.49.11)
>
> ----------- nsp-security Confidential --------
>
> Hi!
>
> There seems to be a spybot botnet C&C at SINT-AS in Russia at
> 188.65.49.11 (tcp/9595):
>
> AS | IP | AS Name
> 44347 | 188.65.49.11 | SINT-AS Limited Company _SiNT_
>
> inetnum: 188.65.48.0 - 188.65.51.255
> netname: sint-ltd-net
> descr: Limited Company "SiNT"
> country: ru
> org: ORG-LC18-RIPE
> admin-c: RCL14-RIPE
> tech-c: AEV9-RIPE
> tech-c: AIA7-RIPE
> status: ASSIGNED PA
> mnt-by: SINT-MNT
> source: RIPE # Filtered
> organisation: ORG-LC18-RIPE
> org-name: Limited Company "SiNT"
> org-type: LIR
> address: Limited Company "SiNT"
> Chemali Ramazashvili
> Torgovyi ryad vozle GUSa, 1 m-on
> 662150 Achinsk
> Russian Federation
> phone: +73915156000
> fax-no: +73915144550
> e-mail: sint at achmail.ru
> mnt-ref: RIPE-NCC-HM-MNT
> mnt-ref: SINT-MNT
> mnt-by: RIPE-NCC-HM-MNT
> source: RIPE # Filtered
>
>
> route: 188.65.48.0/22
> descr: Limited Company "SiNT"
> origin: AS44347
> mnt-by: SINT-MNT
> source: RIPE # Filtered
>
> route: 188.65.48.0/21
> descr: Limited Company "SiNT"
> origin: AS44347
> mnt-by: SINT-MNT
> source: RIPE # Filtered
>
> Warm regards,
>
> -- Carlos
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
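Added example, not part of the thread or of either poster's tooling: a small triage script that parses the RIPE whois objects quoted above and cross-checks the reported IP against them. It answers the questions a responder asks before escalating a C&C report (which inetnum and route objects cover the address, whether the route origin matches the reported AS, and which org contact the report should go to). The WHOIS_TEXT sample is transcribed and trimmed from the quoted output, with the e-mail kept in the "at" form used by the list archive; the function names are the example's own.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: the RIPE objects quoted in the thread, transcribed and
# trimmed. The address block is flattened as it appears in the archive.
WHOIS_TEXT = """\
inetnum: 188.65.48.0 - 188.65.51.255
netname: sint-ltd-net
descr: Limited Company "SiNT"
country: ru
org: ORG-LC18-RIPE
tech-c: AEV9-RIPE
tech-c: AIA7-RIPE
status: ASSIGNED PA
source: RIPE # Filtered

organisation: ORG-LC18-RIPE
org-name: Limited Company "SiNT"
org-type: LIR
address: Limited Company "SiNT"
662150 Achinsk
Russian Federation
e-mail: sint at achmail.ru
source: RIPE # Filtered

route: 188.65.48.0/22
origin: AS44347
source: RIPE # Filtered

route: 188.65.48.0/21
origin: AS44347
source: RIPE # Filtered
"""

RpslObject = Dict[str, List[str]]


def parse_rpsl(text: str) -> List[RpslObject]:
    """Split whois output into blank-line separated objects of attr -> [values].
    Repeated attributes (tech-c, mnt-by) stay as a list; a line without a colon
    is treated as a continuation of the previous attribute, which is how the
    flattened address block above comes out. The first key names the class."""
    objects: List[RpslObject] = []
    current: RpslObject = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if ":" not in line:
            if last_key:
                current[last_key][-1] += " " + line
            continue
        key, _, value = line.partition(":")
        value = value.split("#", 1)[0].strip()  # drop "# Filtered" remarks
        key = key.strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        objects.append(current)
    return objects


def _covers(obj: RpslObject, addr: ipaddress.IPv4Address) -> bool:
    """True if an inetnum range or a route prefix object contains addr."""
    if "inetnum" in obj:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"][0].split("-"))
        return lo <= addr <= hi
    if "route" in obj:
        return addr in ipaddress.ip_network(obj["route"][0], strict=False)
    return False


def triage(objects: List[RpslObject], ip: str, reported_asn: str) -> dict:
    """Cross-check a reported IP/ASN against the whois objects: covering
    inetnum and route objects, whether every covering route's origin is the
    reported AS, and the e-mail contacts of the org behind the inetnum."""
    addr = ipaddress.ip_address(ip)
    hits = [o for o in objects if _covers(o, addr)]
    inetnums = [o for o in hits if "inetnum" in o]
    routes = [ipaddress.ip_network(o["route"][0], strict=False) for o in hits if "route" in o]
    origins = {o["origin"][0] for o in hits if "route" in o}
    org_ids = {o["org"][0] for o in inetnums if "org" in o}
    contacts = sorted({mail for o in objects if "organisation" in o
                       and o["organisation"][0] in org_ids for mail in o.get("e-mail", [])})
    return {
        "inetnum": [o["inetnum"][0] for o in inetnums],
        "routes": sorted(str(r) for r in routes),
        "most_specific_route": str(max(routes, key=lambda r: r.prefixlen)) if routes else None,
        "origins": sorted(origins),
        "origin_matches_report": origins == {reported_asn},
        "org_contacts": contacts,
    }


if __name__ == "__main__":
    objs = parse_rpsl(WHOIS_TEXT)
    # Reported C&C, an address covered only by the /21 route, and one outside both
    for ip in ("188.65.49.11", "188.65.52.1", "188.65.56.1"):
        print(ip, triage(objs, ip, "AS44347"))
```

The second probe address is there on purpose: it sits inside the /21 route but outside the /22 route and the inetnum, so the script reports a route origin but no org contact, which is the case where a responder has to fall back to the AS contact rather than the inetnum holder.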