[nsp-sec] UDP love against AS5539

Gert Doering gert at greenie.muc.de
Fri Dec 23 08:45:51 EST 2011


Hi,

On Fri, Dec 23, 2011 at 09:43:19AM +0100, Gert Doering wrote:
> So, what I'd like you to do is to check your telemetry for flows
> to
>    dst ip = 194.97.147.57
>    proto = udp
>    dst port = 27660
> 
> ... if you see any of this, it's not legit.  This is a web server, it has
> nothing but tcp/80 and tcp/443.

1&1 reported back that they frequently saw 79.96.6.110 in dumping traffic
from their offenders (no additional specifics), so if you investigate 
offenders on your network, please check whether you see traffic to that
IP as well - might be the C&C server.

gert

-- 
Gert Doering
SpaceNet AG, AS 5539, gert at space.net.  PGP-KeyID: 0x65514975
Also reachable via gert at greenie.muc.de and gert at net.informatik.tu-muenchen.de
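An added example (not part of Gert's post or any SpaceNet tooling) of the telemetry check asked for above: it runs the quoted indicators over constructed sample flow records, lists local sources sending UDP to the target, and marks which of those also contacted the possible C&C IP. The flow record format and the 10.0.x.x sample addresses are assumptions.

```python
"""Triage local sources against the indicators quoted in the post.

Flow records are constructed sample lines in a simple space-separated
"src dst proto dport bytes" form (assumed format, not a real nfdump export).
"""
from collections import defaultdict

# Indicators from the post: attack target (web server, UDP is never legit)
# and the IP 1&1 reported as a possible C&C server.
TARGET_IP, TARGET_PROTO, TARGET_PORT = "194.97.147.57", "udp", 27660
SUSPECTED_CC = "79.96.6.110"

# Constructed sample flows: src dst proto dport bytes
SAMPLE_FLOWS = """\
10.0.1.5 194.97.147.57 udp 27660 5120000
10.0.1.5 79.96.6.110 tcp 80 1400
10.0.2.9 194.97.147.57 udp 27660 7300000
10.0.3.3 194.97.147.57 tcp 80 2200
10.0.4.7 79.96.6.110 tcp 80 900
10.0.2.9 194.97.147.57 udp 27660 1100000
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport, bytes) tuples from sample flow lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport, nbytes = line.split()
        yield src, dst, proto.lower(), int(dport), int(nbytes)

def find_offenders(flows):
    """Return {src: total_bytes} for sources hitting the target on udp/27660."""
    offenders = defaultdict(int)
    for src, dst, proto, dport, nbytes in flows:
        if dst == TARGET_IP and proto == TARGET_PROTO and dport == TARGET_PORT:
            offenders[src] += nbytes
    return dict(offenders)

def talked_to_cc(flows, hosts):
    """Subset of hosts that also sent any traffic to the suspected C&C IP."""
    return {src for src, dst, *_ in flows if dst == SUSPECTED_CC and src in hosts}

def triage(text=SAMPLE_FLOWS):
    """Return (offenders by bytes, offenders that also contacted the C&C IP)."""
    flows = list(parse_flows(text))
    offenders = find_offenders(flows)
    return offenders, talked_to_cc(flows, offenders)

if __name__ == "__main__":
    offenders, cc = triage()
    for src, nbytes in sorted(offenders.items(), key=lambda kv: -kv[1]):
        flag = " (also contacts suspected C&C)" if src in cc else ""
        print(f"{src}: {nbytes} bytes to target{flag}")
```

Hosts that only contact 79.96.6.110 without hitting the target are deliberately not flagged; the post only says the C&C IP was seen among confirmed offenders.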