[nsp-sec] 46.252.128.63 C&C for Stolen FTP credentials ?
Carles Fragoso
cfragoso at cesicat.cat
Tue Apr 19 13:03:30 EDT 2011
Hi,
46.252.128.63 belongs to SAGADE in Latvia, a well-known Crimeware ISP with which we have had incidents in the past.
We were talking with the Latvian CERT team about those issues in the past and AFAIK they were under current LEO investigation:
> http://blog.dynamoo.com/2011/03/evil-network-sagade-latvia-as52055.html
> http://blog.dynamoo.com/2010/05/evilness-sagade-ltd-atech-sagade.html
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:52055
Have you done some network captures to review that UDP traffic?
Warm regards,
-- Carlos Fragoso (CESICAT-CERT)
On Apr 19, 2011, at 5:58 PM, Mike Tancsa wrote:
>
> (Note, I had to s/46/2e on the IP as clamav sees the message as a potential phish/virus with that IP range in it (MBL_202716.UNOFFICIAL))
>
> Looking at this user's login history (the host is where our users save their personal webpages) it would seem the attacker had logged in multiple times from 2e.252.128.63 (times are GMT -500)
>
>
> annadur ftp 2e.252.128.63 Mon Apr 11 07:07 - 07:07 (00:00)
> annadur ftp 2e.252.128.63 Sun Apr 10 16:04 - 16:04 (00:00)
> annadur ftp 2e.252.128.63 Sun Apr 10 16:02 - 16:03 (00:00)
> annadur ftp 2e.252.128.63 Sun Apr 10 12:23 - 12:24 (00:00)
> annadur ftp 2e.252.128.63 Sun Apr 10 12:23 - 12:23 (00:00)
> annadur ftp 2e.252.128.63 Sat Apr 9 09:11 - 09:26 (00:15)
> annadur ftp 2e.252.128.63 Sat Apr 9 09:11 - 09:11 (00:00)
> annadur ftp 2e.252.128.63 Sat Apr 9 06:17 - 06:17 (00:00)
> annadur ftp 2e.252.128.63 Sat Apr 9 06:17 - 06:17 (00:00)
>
> There also seems to be a lot of UDP communication to this IP from two of our other customers. Looking at my argus logs, a few others of my customers are initiating odd connections to that IP.
>
> Also, 2e.252.128.15 seems to be involved somehow as well. The user who had their account compromised visited 2e.252.128.15 on port 80...
>
> ra -L0 -nr 2e.252.128.63
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> 04-07 20:02:59.791 Ne tcp 2e.252.128.15.80 -> 206.130.91.112.1099 106 152564 FIN
> 04-09 06:17:14.636 e d tcp 2e.252.128.63.4728 -> 98.159.240.6.21 16 1130 RST
> 04-09 06:17:15.373 e tcp 2e.252.128.63.2e75 -> 98.159.240.6.21 15 1040 RST
> 04-09 07:07:28.713 Ne tcp 2e.252.128.15.80 -> 67.43.140.104.3030 4 628 FIN
> 04-09 09:11:11.523 e d tcp 2e.252.128.63.2981 -> 98.159.240.6.21 15 1123 CON
> 04-09 09:11:13.243 e d tcp 2e.252.128.63.2072 -> 98.159.240.6.21 22 1704 CON
> 04-09 09:11:15.627 e tcp 2e.252.128.63.1602 -> 98.159.240.6.49823 8 1078 FIN
> 04-09 09:11:16.806 e d tcp 2e.252.128.63.3152 -> 98.159.240.6.59423 9 1140 FIN
> 04-09 09:11:17.214 e & tcp 2e.252.128.63.2981 -> 98.159.240.6.21 19 1548 CON
> 04-09 09:11:21.755 e tcp 2e.252.128.63.3016 -> 98.159.240.6.56884 10 42e2 FIN
> 04-09 09:11:21.880 e tcp 2e.252.128.63.2072 -> 98.159.240.6.21 11 905 CON
> 04-09 09:11:22.595 e d tcp 2e.252.128.63.2981 -> 98.159.240.6.21 10 733 CON
> 04-09 09:11:22.857 e tcp 2e.252.128.63.4456 -> 98.159.240.6.55911 12 6030 FIN
> 04-09 09:11:24.860 e s tcp 2e.252.128.63.3128 -> 98.159.240.6.65063 2 124 REQ
> 04-09 09:11:27.92e e r tcp 2e.252.128.63.2072 -> 98.159.240.6.21 20 1443 RST
> 04-09 09:11:29.245 e tcp 2e.252.128.63.1182 -> 98.159.240.6.55771 8 1432 FIN
> 04-09 09:11:33.865 e s tcp 2e.252.128.63.3128 -> 98.159.240.6.65063 1 62 REQ
> 04-09 09:26:24.535 e tcp 98.159.240.6.21 <?> 2e.252.128.63.2981 3 224 FIN
> 04-09 10:29:00.757 e tcp 2e.252.128.63.2981 ?> 98.159.240.6.21 1 60 RST
> 04-10 01:59:15.82e e udp 64.7.151.134.26318 -> 2e.252.128.63.44978 1 145 INT
> 04-10 07:17:34.353 e udp 64.7.151.99.55579 <-> 2e.252.128.63.44978 2 2e3 CON
> 04-10 12:23:20.782 e r tcp 2e.252.128.63.3283 -> 98.159.240.6.21 21 1597 CON
> 04-10 12:23:24.273 e tcp 2e.252.128.63.2e80 -> 98.159.240.6.58001 8 1078 FIN
> 04-10 12:23:26.597 e d tcp 2e.252.128.63.1871 -> 98.159.240.6.21 12 923 CON
> 04-10 12:23:26.909 e d tcp 2e.252.128.63.3283 -> 98.159.240.6.21 12 923 CON
> 04-10 12:23:33.679 e d tcp 2e.252.128.63.3359 -> 98.159.240.6.52934 6 1826 CON
> 04-10 12:23:35.208 e tcp 2e.252.128.63.1871 -> 98.159.240.6.21 23 1796 CON
> 04-10 12:23:35.872 e tcp 2e.252.128.63.1791 -> 98.159.240.6.63319 8 1078 FIN
> 04-10 12:23:37.009 e tcp 2e.252.128.63.3283 -> 98.159.240.6.21 3 296 CON
> 04-10 12:23:37.870 e tcp 2e.252.128.63.2619 -> 98.159.240.6.52390 6 3266 CON
> 04-10 12:23:43.311 e s tcp 2e.252.128.63.3359 -> 98.159.240.6.52934 6 2765 FIN
> 04-10 12:23:43.653 e d tcp 2e.252.128.63.3283 -> 98.159.240.6.21 14 1108 CON
> 04-10 12:23:47.679 e tcp 2e.252.128.63.2619 -> 98.159.240.6.52390 6 2765 FIN
> 04-10 12:23:48.018 e d tcp 2e.252.128.63.1871 -> 98.159.240.6.21 14 1148 CON
> 04-10 12:23:48.021 e d tcp 2e.252.128.63.2933 -> 98.159.240.6.54447 10 2518 FIN
> 04-10 12:23:49.361 e tcp 2e.252.128.63.3283 -> 98.159.240.6.21 9 732 CON
> 04-10 12:23:50.528 e d tcp 2e.252.128.63.3850 -> 98.159.240.6.57156 6 2278 FIN
> 04-10 12:23:52.688 e * tcp 2e.252.128.63.4843 -> 98.159.240.6.56620 18 7027 FIN
> 04-10 12:23:53.614 e tcp 2e.252.128.63.1871 -> 98.159.240.6.21 2 193 CON
> 04-10 12:23:55.985 e i tcp 2e.252.128.63.3283 -> 98.159.240.6.21 11 784 RST
> 04-10 12:24:00.063 e d tcp 2e.252.128.63.3850 -> 98.159.240.6.57156 4 1194 FIN
> 04-10 12:24:00.393 e & tcp 2e.252.128.63.1871 -> 98.159.240.6.21 17 1263 RST
> 04-10 12:24:01.393 e d tcp 2e.252.128.63.4382 -> 98.159.240.6.60971 16 6903 FIN
> 04-10 16:02:45.210 e tcp 2e.252.128.63.182e -> 98.159.240.6.21 35 2684 CON
> 04-10 16:02:47.511 e tcp 2e.252.128.63.1930 -> 98.159.240.6.6182e 8 1078 FIN
> 04-10 16:02:49.132 e tcp 2e.252.128.63.2024 -> 98.159.240.6.60074 8 1432 FIN
> 04-10 16:02:50.434 e d tcp 2e.252.128.63.2084 -> 98.159.240.6.51797 13 6509 FIN
> 04-10 16:02:50.648 e tcp 2e.252.128.63.182e -> 98.159.240.6.21 12 890 CON
> 04-10 16:02:56.663 e tcp 2e.252.128.63.2268 -> 98.159.240.6.63123 10 4930 FIN
> 04-10 16:02:56.986 e r tcp 2e.252.128.63.182e -> 98.159.240.6.21 14 112e CON
> 04-10 16:03:01.2e6 e tcp 2e.252.128.63.2649 -> 98.159.240.6.59152 13 5241 FIN
> 04-10 16:03:02.118 e tcp 2e.252.128.63.182e -> 98.159.240.6.21 8 499 RST
> 04-10 16:04:25.822 e tcp 2e.252.128.63.2824 -> 98.159.240.6.21 15 1122 CON
> 04-10 16:04:31.163 e tcp 2e.252.128.63.2925 -> 98.159.240.6.62845 8 1078 FIN
> 04-10 16:04:31.486 e r tcp 2e.252.128.63.2824 -> 98.159.240.6.21 35 2696 CON
> 04-10 16:04:32.786 e tcp 2e.252.128.63.3144 -> 98.159.240.6.50444 8 1432 FIN
> 04-10 16:04:34.093 e tcp 2e.252.128.63.3195 -> 98.159.240.6.61077 12 5068 FIN
> 04-10 16:04:35.723 e i tcp 2e.252.128.63.3278 -> 98.159.240.6.55153 10 4941 FIN
> 04-10 16:04:36.705 e d tcp 2e.252.128.63.2824 -> 98.159.240.6.21 10 752 CON
> 04-10 16:04:38.709 e * tcp 2e.252.128.63.3386 -> 98.159.240.6.62204 17 5479 RST
> 04-10 16:04:41.879 e tcp 2e.252.128.63.2824 -> 98.159.240.6.21 11 784 RST
> 04-10 16:53:25.872 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
> 04-10 18:09:35.976 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
> 04-10 18:23:43.844 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
> 04-10 18:53:48.024 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
> 04-10 19:09:08.014 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
> 04-10 19:39:19.951 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
> 04-10 19:54:48.002 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
> 04-10 20:10:32.001 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
> 04-10 20:41:15.976 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
> 04-10 21:11:32.074 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
> 04-10 22:10:08.065 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
> 04-10 22:13:2e.051 Ne udp 2e.252.128.63.44978 -> 64.7.147.122.52e38 1 305 INT
> 04-10 22:39:08.203 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
> 04-10 23:08:32.158 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
> 04-10 23:50:32.223 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
>
>
> ---Mike
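The triage Mike describes above (which customers talked to the suspect address, and whether the repeated small UDP flows to port 44978 look like beaconing) can be automated over argus `ra` text output. The script below is an added example, not code from the thread or from the argus project: it parses the `ra -L0 -n` column layout shown in the quoted message, lists every local host that exchanged traffic with a watch-listed IP, and flags UDP flow groups whose flows are near-identical in size and arrive at a steady interval. All flow lines are constructed (RFC 5737 addresses stand in for customers); only the watch-listed address comes from the thread, and the detection thresholds are assumptions to tune against your own traffic.

```python
"""Added example (not from the thread): triage argus `ra -L0 -n` output.

Lists local hosts that talked to a watch-listed IP and flags UDP flow groups that
look like C&C beaconing (many flows, near-identical size, steady interval).
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

WATCH_IP = "46.252.128.63"  # address under discussion in the thread

# Constructed sample in the `ra -L0 -n` layout; RFC 5737 addresses stand in for customers.
SAMPLE_RA = """\
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
04-09 06:17:14.636 e d tcp 46.252.128.63.4728 -> 192.0.2.10.21 16 1130 RST
04-09 09:11:11.523 e d tcp 46.252.128.63.2981 -> 192.0.2.10.21 15 1123 CON
04-09 09:11:15.627 e tcp 46.252.128.63.1602 -> 192.0.2.10.49823 8 1078 FIN
04-09 07:07:28.713 Ne tcp 46.252.128.15.80 -> 192.0.2.44.3030 4 628 FIN
04-10 16:53:25.872 e udp 198.51.100.5.60305 <-> 46.252.128.63.44978 2 204 CON
04-10 17:23:20.101 e udp 198.51.100.5.60305 <-> 46.252.128.63.44978 2 204 CON
04-10 17:53:48.024 e udp 198.51.100.5.60305 <-> 46.252.128.63.44978 2 204 CON
04-10 18:23:43.844 e udp 198.51.100.5.60305 <-> 46.252.128.63.44978 2 204 CON
04-10 18:54:02.012 e udp 198.51.100.5.60305 <-> 46.252.128.63.44978 2 204 CON
04-10 19:24:11.300 e udp 198.51.100.5.60305 <-> 46.252.128.63.44978 2 204 CON
04-10 12:00:00.000 e udp 198.51.100.9.53012 <-> 192.0.2.53.53 2 180 CON
04-10 12:00:05.000 e udp 198.51.100.9.53013 <-> 192.0.2.53.53 2 412 CON
"""

# The Flgs column holds zero, one or two tokens, so anchor on the protocol keyword
# instead of splitting on whitespace. `ra -n` prints address and port joined by a dot.
RA_LINE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<flgs>.*?)\s*"
    r"(?P<proto>tcp|udp|icmp)\s+(?P<src>\S+)\s+(?P<dir>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<state>\S+)$"
)


def split_addr(field):
    """'198.51.100.5.60305' -> ('198.51.100.5', 60305)."""
    host, port = field.rsplit(".", 1)
    return host, int(port)


def parse_ra(text, year=2011):
    """Parse ra text output into dicts; header and unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RA_LINE.match(line.strip())
        if not m:
            continue
        src, sport = split_addr(m["src"])
        dst, dport = split_addr(m["dst"])
        records.append({
            "ts": datetime.strptime(f"{year}-{m['ts']}", "%Y-%m-%d %H:%M:%S.%f"),
            "flgs": m["flgs"], "proto": m["proto"], "dir": m["dir"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "pkts": int(m["pkts"]), "bytes": int(m["bytes"]), "state": m["state"],
        })
    return records


def contacts_with(records, watch_ip):
    """Sorted list of hosts that exchanged traffic with watch_ip in either direction."""
    peers = set()
    for r in records:
        if r["dst"] == watch_ip:
            peers.add(r["src"])
        elif r["src"] == watch_ip:
            peers.add(r["dst"])
    return sorted(peers)


def find_udp_beacons(records, min_flows=5, size_uniformity=0.8):
    """Flag (src, dst, dport) UDP groups with many flows of near-identical size.

    Thresholds are assumptions: at least min_flows flows, and the modal byte count
    must cover size_uniformity of them. The median inter-flow gap is reported so an
    analyst can judge how regular the check-in is.
    """
    groups = defaultdict(list)
    for r in records:
        if r["proto"] == "udp":
            groups[(r["src"], r["dst"], r["dport"])].append(r)
    findings = []
    for (src, dst, dport), flows in groups.items():
        if len(flows) < min_flows:
            continue
        flows.sort(key=lambda r: r["ts"])
        modal_count = Counter(r["bytes"] for r in flows).most_common(1)[0][1]
        uniform = modal_count / len(flows)
        if uniform < size_uniformity:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(flows, flows[1:])]
        findings.append({
            "src": src, "dst": dst, "dport": dport, "flows": len(flows),
            "median_gap_min": round(statistics.median(gaps) / 60, 1),
            "size_uniformity": round(uniform, 2),
        })
    return findings


if __name__ == "__main__":
    recs = parse_ra(SAMPLE_RA)
    print("hosts talking to", WATCH_IP, "->", contacts_with(recs, WATCH_IP))
    for f in find_udp_beacons(recs):
        print("possible beacon:", f)
```

On the constructed sample the only group flagged is the half-hourly 204-byte exchange with port 44978; the two DNS-sized flows from 198.51.100.9 are left alone even with `min_flows=2`, because their sizes differ. The flagged hosts are candidates for the packet capture Carles asks about, not a verdict on their own.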