[nsp-sec] Can someone verify this C&C: 208.73.210.28:80

David Freedman david.freedman at uk.clara.net
Mon Sep 27 20:43:52 EDT 2010


That looks like a DomainSponsor parking server.
The giveaway is the tagline "What you need, when you need it"; anything
pointed to this box should render in the HTML like such:

stupefy:~ lochii$ telnet 208.73.210.28 80
Trying 208.73.210.28...
Connected to 208.73.210.28.
Escape character is '^]'.
GET / HTTP/1.1
host: testfoo.com

HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
nnCoection: close
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1129
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://www.dsnextgen.com/w3c/p3p.xml", CP="NOI DSP COR ADMa
OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.testfoo.com; path=/; expires=Wed,
29-Sep-2010 00:39:55 GMT
Connection: Keep-Alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
"http://www.w3.org/TR/html4/frameset.dtd">
<!-- turing_cluster_prod -->
<html>
  <head>
    <title>testfoo.com</title>

<etc..>

They appear to squat domains and put up parking pages advertising spam
links...

Dave.

On 28/09/2010 01:16, "Joel Rosenblatt" <joel at columbia.edu> wrote:

> ----------- nsp-security Confidential --------
> 
> Hi,
> 
> I just got 14 machines pop up on this C&C signature - I took a look at the site
> and it seems to be some kind of dating page - not the classiest site I've ever
> seen, but I don't see it trying anything funny.
> 
> Does someone have any more information, before these poor students of ours get
> to reformat their machines?
> 
> Thanks,
> Joel
> 
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
> 
> 
> Related Searches
> black dating     black singles     dating service     russian woman     mail order brides
> 
> black dating
> 
>     * Related Searches
>     *
>           o black dating
>           o black singles
>           o
>           o dating service
>           o russian woman
>           o
>           o mail order brides
>           o singles
>           o
>           o jewish dating
>           o email server
>           o
>           o russian wife
>           o russian brides
> 
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________

--

David Freedman
Group Network Engineering

david.freedman at uk.clara.net
Tel +44 (0) 20 7685 8000

Claranet Group
21 Southampton Row
London - WC1B 5HA - UK
http://www.claranet.com

Company Registration: 3152737 - Place of registration: England

All the information contained within this electronic message from Claranet
Ltd is covered by the disclaimer at http://www.claranet.co.uk/disclaimer
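
The fingerprint check described in the message above, written out as an added example (not part of the original post, and not code from either correspondent). It scores a captured HTTP response against the indicators visible in the transcript; the function names, labels and two-hit threshold are assumptions of this example.

```python
import re

# Indicators come from the transcript in the message above; treating two or
# more hits as "parked" is an assumption of this example.
HEADER_CHECKS = {
    "server_oversee_turing": ("server", re.compile(r"^Oversee Turing", re.I)),
    "cookie_parkinglot": ("set-cookie", re.compile(r"\bparkinglot=", re.I)),
    "p3p_dsnextgen": ("p3p", re.compile(r"dsnextgen\.com", re.I)),
}
BODY_CHECKS = {
    "comment_turing_cluster": re.compile(r"<!--\s*turing_cluster_\w+\s*-->"),
    "tagline": re.compile(r"What you need, when you need it", re.I),
}

def split_response(raw: bytes):
    """Split a raw HTTP response into (headers, body); accepts CRLF or LF."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:  # ignore lines without a colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def parking_indicators(raw: bytes):
    """Return the labels of every parking-page indicator found in the response."""
    headers, body = split_response(raw)
    hits = [label for label, (name, rx) in HEADER_CHECKS.items()
            if any(rx.search(v) for v in headers.get(name, []))]
    hits += [label for label, rx in BODY_CHECKS.items() if rx.search(body)]
    return hits

def looks_parked(raw: bytes, threshold: int = 2) -> bool:
    return len(parking_indicators(raw)) >= threshold

# Constructed sample: the response from the message, trimmed to the relevant lines.
SAMPLE_PARKED = (
    b"HTTP/1.0 200 (OK)\r\n"
    b"Server: Oversee Turing v1.0.0\r\n"
    b'P3P: policyref="http://www.dsnextgen.com/w3c/p3p.xml", CP="NOI DSP COR"\r\n'
    b"Set-Cookie: parkinglot=1; domain=.testfoo.com; path=/\r\n"
    b"\r\n"
    b"<!-- turing_cluster_prod -->\n<html><head><title>testfoo.com</title></head></html>"
)

if __name__ == "__main__":
    print(parking_indicators(SAMPLE_PARKED), looks_parked(SAMPLE_PARKED))
```

A match describes what the address serves at capture time; it is one input to alert triage, alongside the flow records that fired the signature.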





