[nsp-sec] UDP/80 flows to 89.185.38.26 (update + sources)

David Freedman david.freedman at uk.clara.net
Mon Dec 26 08:25:01 EST 2011 

Our customer in France is the French National Assembly
(http://en.wikipedia.org/wiki/National_Assembly_of_France) which is the
lower 
house of Parliament, the upper house (http://www.senat.fr) is also under
attack (see http://www.mail-archive.com/frnog@frnog.org/msg17027.html),
I've just opened a line of communication with them.

Further to my previous look at the attackware, from the outset this seems
like a Turkish response to the recent
position that the Turkish government has on a bill which was passed by the
lower house on Friday and is now awaiting a vote in the Senate.
(see 
http://www.eurasiareview.com/19122011-turkey-warns-france-over-armenian-gen
ocide-law/)

 

Here are a list of sources we have so far :

558     | 67.222.10.130    | NET2EZ - Net2EZ
1239    | 63.173.8.5       | SPRINTLINK - Sprint
3340    | 195.56.45.84     | GTS-HUNGARY-AS GTS Hungary Ltd.
3595    | 64.22.125.115    | GNAXNET-AS - Global Net Access, LLC
4565    | 66.80.244.78     | MEGAPATH2-US - MegaPath Networks Inc.
5610    | 88.103.219.11    | TO2-CZECH-REPUBLIC Telefonica o2 Czech
Republic, a.s.
6130    | 209.216.205.121  | AIS-WEST - American Internet Services, LLC.
6429    | 190.54.16.211    | Telmex Chile Internet S.A.
6724    | 85.214.106.248   | STRATO STRATO AG
8151    | 187.141.246.202  | Uninet S.A. de C.V.
8151    | 201.144.8.130    | Uninet S.A. de C.V.
8267    | 149.156.185.27   | CYFRONET-AS Metropolitan Area Network
Autonomous System
8470    | 195.128.91.100   | MACOMNET CJSC Macomnet
8893    | 212.72.183.235   | ARTFILES-AS Artfiles New Media GmbH
9121    | 88.255.156.110   | TTNET Turk Telekomunikasyon Anonim Sirketi
9198    | 95.58.95.4       | KAZTELECOM-AS JSC Kazakhtelecom
10439   | 209.126.254.16   | CARINET - CariNet, Inc.
10439   | 209.126.254.199  | CARINET - CariNet, Inc.
11343   | 66.84.49.122     | 383INCCMHTOWN - 383inc
12322   | 195.154.152.86   | PROXAD Free SAS
12324   | 212.182.69.202   | LUBMAN-EDU-AS Poland, Lublin
12334   | 213.60.210.168   | AS R Cable y Telecomunicaciones Galicia S.A.
12874   | 213.156.62.145   | FASTWEB Fastweb SpA
13147   | 79.124.76.75     | NETINFO NetInfo Ltd.
13301   | 89.163.160.242   | UNITEDCOLO-AS UNITED COLO GmbH
13489   | 190.248.27.220   | EPM Telecomunicaciones S.A. E.S.P.
14242   | 208.83.30.9      | LOGICALSOLUTIONS - LogicalSolutions.net
14472   | 216.171.102.90   | ATRIA - Atria Networks LP.
15003   | 174.34.185.226   | NOBIS-TECH - Nobis Technology Group, LLC
15497   | 31.28.167.236    | COLOCALL Internet Data Center _ColoCALL_
16276   | 91.121.105.58    | OVH OVH Systems
16276   | 91.121.220.130   | OVH OVH Systems
16276   | 94.23.209.112    | OVH OVH Systems
16406   | 64.78.28.128     | AS-INTERMEDIA - Intermedia.net, Inc.
16509   | 176.34.230.122   | AMAZON-02 - Amazon.com, Inc.
18403   | 118.69.197.59    | FPT-AS-AP The Corporation for Financing &
Promoting Technology
18747   | 200.73.31.70     | IFX-NW - IFX Communication Ventures, Inc.
18747   | 200.80.25.91     | IFX-NW - IFX Communication Ventures, Inc.
18779   | 64.92.105.23     | EGIHOSTING - EGIHosting
19429   | 200.69.101.20    | ETB - Colombia
19515   | 64.18.175.228    | ORICOM-QUEBEC1 - Oricom Internet
21547   | 69.49.130.4      | OXNET - Oxford Networks
21844   | 174.120.36.156   | THEPLANET-AS - ThePlanet.com Internet
Services, Inc.
23140   | 146.83.16.130    | Universidad de Chile
23679   | 110.232.73.18    | NUSANET-AS-ID Media Antar Nusa PT.
23974   | 202.143.156.98   | MOE-EDNET-AS-AP Ministry of education
23974   | 203.172.183.73   | MOE-EDNET-AS-AP Ministry of education
24940   | 188.40.104.160   | HETZNER-AS Hetzner Online AG RZ
24940   | 78.46.98.73      | HETZNER-AS Hetzner Online AG RZ
24940   | 78.47.184.105    | HETZNER-AS Hetzner Online AG RZ
24989   | 88.84.146.79     | IXEUROPE-DE-FRANKFURT-ASN Equinix Germany
(Previously IX Europe Germany AS)
24989   | 89.110.129.54    | IXEUROPE-DE-FRANKFURT-ASN Equinix Germany
(Previously IX Europe Germany AS)
25074   | 213.203.222.54   | INETBONE-AS MESH GmbH
26347   | 173.236.133.132  | DREAMHOST-AS - New Dream Network, LLC
26347   | 173.236.171.234  | DREAMHOST-AS - New Dream Network, LLC
26347   | 173.236.210.104  | DREAMHOST-AS - New Dream Network, LLC
26347   | 208.113.134.119  | DREAMHOST-AS - New Dream Network, LLC
26347   | 208.113.134.181  | DREAMHOST-AS - New Dream Network, LLC
26347   | 67.205.28.236    | DREAMHOST-AS - New Dream Network, LLC
26347   | 67.205.29.53     | DREAMHOST-AS - New Dream Network, LLC
26347   | 67.205.43.152    | DREAMHOST-AS - New Dream Network, LLC
26347   | 67.205.49.120    | DREAMHOST-AS - New Dream Network, LLC
26347   | 67.205.62.117    | DREAMHOST-AS - New Dream Network, LLC
26347   | 67.205.7.228     | DREAMHOST-AS - New Dream Network, LLC
26347   | 69.163.139.178   | DREAMHOST-AS - New Dream Network, LLC
26347   | 69.163.150.203   | DREAMHOST-AS - New Dream Network, LLC
26347   | 69.163.164.36    | DREAMHOST-AS - New Dream Network, LLC
26347   | 69.163.171.157   | DREAMHOST-AS - New Dream Network, LLC
26347   | 69.163.178.14    | DREAMHOST-AS - New Dream Network, LLC
26347   | 69.163.178.143   | DREAMHOST-AS - New Dream Network, LLC
26347   | 69.163.222.199   | DREAMHOST-AS - New Dream Network, LLC
26496   | 68.178.155.99    | PAH-INC - GoDaddy.com, Inc.
28037   | 200.85.184.8     | Alpha 2000 Soluciones Infomaticas SRL
29134   | 217.31.49.60     | IGNUM-AS Ignum s.r.o.
29182   | 62.109.8.193     | ISPSYSTEM-AS ISPsystem Autonomous System
29863   | 64.92.209.142    | LATISYS-DENVER - Latisys-Denver, LLC
29863   | 64.92.209.226    | LATISYS-DENVER - Latisys-Denver, LLC
30058   | 204.45.254.231   | FDCSERVERS - FDCservers.net
30977   | 217.115.181.34   | UGRATEL-AS JSC _Yugra-Telecom_
31034   | 195.234.171.231  | ARUBA-ASN Aruba S.p.A. - Network
31034   | 85.235.157.105   | ARUBA-ASN Aruba S.p.A. - Network
33765   | 196.43.84.246    | TTCLDATA
33991   | 84.22.151.58     | SKALA-AS Company Skala, Ltd
34300   | 85.93.128.40     | SPACENET-AS JSC Internet-Cosmos
34932   | 89.221.166.190   | FUZION Fuzion is a Danish Internet Service
Provider
38144   | 60.253.96.9      | JALAWAVE-AS-ID PT Jalawave Cakrawala
39116   | 85.90.47.189     | TELEHOUSE Telehouse Inter. Corp. of Europe
Ltd As Number
39651   | 213.89.116.117   | COMHEM-SWEDEN Com Hem Sweden
44128   | 91.201.52.27     | INTERNET-PRO-AS Internet-Pro Ltd
44565   | 188.124.7.106    | VITAL VITAL TEKNOLOJI
45012   | 87.253.162.12    | MEDIAWEBLINE-AS media:Webline Internet
Solutions GmbH
46887   | 64.72.92.188     | LIGHTOWER - Lightower Fiber Networks
48716   | 195.210.46.116   | PS-AS PS Internet Company Ltd.
48716   | 195.210.46.18    | PS-AS PS Internet Company Ltd.
49604   | 217.146.67.128   | ZONE Zone Media Autonomous System
50672   | 109.197.24.11    | FORMULA-SVIAZY-AS Formula Sviazy CJSC
51377   | 178.238.133.178  | BURSTNETLTD BurstNET Limited
55867   | 119.46.227.18    | CHIANGMAI_INTERNET-AS-AP Chiangmai Internet

Dave.

More information about the nsp-security mailing list