[nsp-sec] Active DDoS CnC: ping AS47328 TRI-AS True Records Inc. (Cogent, HostVentures.com upstreams)
jose nazario
jose at arbor.net
Sun Nov 14 13:38:35 EST 2010
need a CnC knocked off line. it's an MSSQL server that's commanding
SYN floods. please help.
malware:
Filesize 700928 bytes
MD5 fcc692ed10f45df8b3627cfa141e8b91
Origin: hxxp://webmail.netvale.psi.br/program/localization/lt/boleto.pdf.exe
CnC is 212.124.114.18 port 2433/TCP, as noted an MSSQL server. it's
actively launching attacks. i'm reaching out directly but any help
getting through would be appreciated.
AS | IP | AS Name
47328 | 212.124.114.18 | TRI-AS True Records Inc.
PEER_AS | IP | AS Name
174 | 212.124.114.18 | COGENT Cogent/PSI
15189 | 212.124.114.18 | HOSTVENTURES - HostVentures.com, Inc.
inetnum: 212.124.112.0 - 212.124.115.255
netname: DIGITALONE-NET
descr: DigitalOne AG Colocation and Dedicated Servers
remarks: --------------------------------------------------
remarks: Please, send abuse reports to abuse at digitalone.com
remarks: --------------------------------------------------
country: US
admin-c: DA440-RIPE
tech-c: DA440-RIPE
status: ASSIGNED PA
mnt-by: MNT-TRI
source: RIPE # Filtered
role: DigitalOne AG
address: 12100 Sunrise Valley Drive
address: Reston, VA 20191, United States
abuse-mailbox: abuse at digitalone.com
admin-c: SO1294-RIPE
tech-c: SO1294-RIPE
nic-hdl: DA440-RIPE
mnt-by: MNT-TRI
source: RIPE # Filtered
% Information related to '212.124.112.0/21AS47328'
route: 212.124.112.0/21
descr: True Records Inc.
remarks: ------------------------------------------------------
remarks: Routing, peering and security: noc at truerec.com
remarks: Spam reports and abuse: abuse at truerec.com
remarks: ------------------------------------------------------
origin: AS47328
mnt-by: MNT-MBNET
source: RIPE # Filtered
Thanks for any help you can provide.
______
Jose Nazario, Ph.D.
jose at arbor.net
Senior Manager of Security Research
Arbor Networks