[nsp-sec] Botnet C&C at AS44347 (188.65.49.11)

Smith, Donald Donald.Smith at qwest.com
Mon May 3 18:02:12 EDT 2010



(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia

> -----Original Message-----
> From: Carles Fragoso [mailto:cfragoso at cesicat.cat]
> Sent: Monday, May 03, 2010 1:58 PM
> To: Smith, Donald
> Cc: nsp-security at puck.nether.net
> Subject: RE: Botnet C&C at AS44347 (188.65.49.11)
>
> Hi Donald,
>
> We have several alerts (about 80) that appeared at the IPS of
> one of our customers, starting at ..
>
>   Mon May 03 13:31:03 CEST 2010
>
> ... and ending at ...
>
>   Mon May 03 17:27:31 CEST 2010
>
> I can get more evidence data such as TCP flows content from alerts.
That is up to you. I am NOT saying it's not a bot C&C, just saying I didn't see anything to it.
As a spybot it may not be too widely used. They may have chosen to use it for just ONE set of ASP-like intrusions.


>
> -- Carlos
>
>
> ________________________________________
> From: Smith, Donald [Donald.Smith at qwest.com]
> Sent: Monday, 3 May 2010 21:45
> To: Carles Fragoso; 'nsp-security at puck.nether.net'
> Subject: RE: Botnet C&C at AS44347 (188.65.49.11)
>
> I looked for any traffic towards that IP and didn't see any
> since the beginning of this month?
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia
>
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> > Carles Fragoso
> > Sent: Monday, May 03, 2010 6:36 AM
> > To: nsp-security at puck.nether.net
> > Subject: [nsp-sec] Botnet C&C at AS44347 (188.65.49.11)
> >
> > ----------- nsp-security Confidential --------
> >
> > Hi!
> >
> > There seems to be a spybot botnet C&C at SINT-AS in Russia at
> > 188.65.49.11 (tcp/9595):
> >
> > AS      | IP               | AS Name
> > 44347   | 188.65.49.11     | SINT-AS Limited Company _SiNT_
> >
> > inetnum:         188.65.48.0 - 188.65.51.255
> > netname:         sint-ltd-net
> > descr:           Limited Company "SiNT"
> > country:         ru
> > org:             ORG-LC18-RIPE
> > admin-c:         RCL14-RIPE
> > tech-c:          AEV9-RIPE
> > tech-c:          AIA7-RIPE
> > status:          ASSIGNED PA
> > mnt-by:          SINT-MNT
> > source:          RIPE # Filtered
> > organisation:    ORG-LC18-RIPE
> > org-name:        Limited Company "SiNT"
> > org-type:        LIR
> > address:         Limited Company "SiNT"
> >                 Chemali Ramazashvili
> >                 Torgovyi ryad vozle GUSa, 1 m-on
> >                 662150 Achinsk
> >                 Russian Federation
> > phone:           +73915156000
> > fax-no:          +73915144550
> > e-mail:          sint at achmail.ru
> > mnt-ref:         RIPE-NCC-HM-MNT
> > mnt-ref:         SINT-MNT
> > mnt-by:          RIPE-NCC-HM-MNT
> > source:          RIPE # Filtered
> >
> >
> > route:           188.65.48.0/22
> > descr:           Limited Company "SiNT"
> > origin:          AS44347
> > mnt-by:          SINT-MNT
> > source:          RIPE # Filtered
> >
> > route:           188.65.48.0/21
> > descr:           Limited Company "SiNT"
> > origin:          AS44347
> > mnt-by:          SINT-MNT
> > source:          RIPE # Filtered
> >
> > Warm regards,
> >
> > -- Carlos
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the
> > nsp-security
> > community. Confidentiality is essential for effective
> > Internet security counter-measures.
> > _______________________________________________
> >
>
>

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
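Added example (not part of the thread above): a small triage helper that parses the RIPE objects Carles pasted and checks which inetnum and route objects actually cover the reported C&C address, so a responder can confirm the IP-to-AS mapping and see that the /22 and the less specific /21 both carry origin AS44347. The RPSL text is copied (trimmed) from the report; the test addresses other than 188.65.49.11 are constructed.

```python
import ipaddress

# RPSL objects as pasted in the report on this page (trimmed to the relevant attributes).
RPSL = """\
inetnum:         188.65.48.0 - 188.65.51.255
netname:         sint-ltd-net
descr:           Limited Company "SiNT"
country:         ru
org:             ORG-LC18-RIPE
status:          ASSIGNED PA
mnt-by:          SINT-MNT
source:          RIPE # Filtered

organisation:    ORG-LC18-RIPE
org-name:        Limited Company "SiNT"
org-type:        LIR
address:         Limited Company "SiNT"
                 Chemali Ramazashvili
                 662150 Achinsk
                 Russian Federation
source:          RIPE # Filtered

route:           188.65.48.0/22
descr:           Limited Company "SiNT"
origin:          AS44347
mnt-by:          SINT-MNT
source:          RIPE # Filtered

route:           188.65.48.0/21
descr:           Limited Company "SiNT"
origin:          AS44347
mnt-by:          SINT-MNT
source:          RIPE # Filtered
"""


def parse_rpsl(text):
    """Split RPSL text into objects (blank-line separated).

    Each object is a list of (attribute, value) pairs rather than a dict,
    because RPSL allows repeated attributes (tech-c, mnt-ref). Indented lines
    are continuations of the previous attribute (multi-line address:).
    """
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t" and current:
            attr, val = current[-1]
            current[-1] = (attr, val + " " + line.strip())
            continue
        attr, _, val = line.partition(":")
        current.append((attr.strip(), val.strip()))
    if current:
        objects.append(current)
    return objects


def covering_objects(objects, ip):
    """Return (kind, range_or_prefix, netname_or_origin) for every inetnum/route covering ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for obj in objects:
        attrs = dict(obj)  # last value wins; fine for inetnum/route/origin/netname
        if "inetnum" in attrs:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in attrs["inetnum"].split("-"))
            if lo <= addr <= hi:
                hits.append(("inetnum", attrs["inetnum"], attrs.get("netname")))
        elif "route" in attrs:
            if addr in ipaddress.ip_network(attrs["route"], strict=True):
                hits.append(("route", attrs["route"], attrs.get("origin")))
    return hits


def most_specific_route(hits):
    """Pick the longest-prefix route object among the hits: that is the one BGP prefers."""
    routes = [(ipaddress.ip_network(r), o) for kind, r, o in hits if kind == "route"]
    if not routes:
        return None
    net, origin = max(routes, key=lambda t: t[0].prefixlen)
    return (str(net), origin)


if __name__ == "__main__":
    objs = parse_rpsl(RPSL)
    found = covering_objects(objs, "188.65.49.11")
    for kind, rng, extra in found:
        print(f"{kind:8s} {rng:30s} {extra}")
    print("most specific route:", most_specific_route(found))
```

Run it against whois output fetched for a newly reported IP and compare the origin AS with the one named in the report before filtering or contacting the network; a mismatch usually means the report cited a stale or less specific object.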
