[nsp-sec] attack against AS36666 C&C at 141.28.52.24 ? (and 88.191.65.201 AS 12322)
Mike Tancsa
mike at sentex.net
Mon Jul 11 10:54:17 EDT 2011
On 7/6/2011 10:18 PM, Tim Kleefass wrote:
> ----------- nsp-security Confidential --------
>
> On 06.07.2011 6:57 PM, Mike Tancsa wrote:
>> AS | IP | AS Name
>> 553 | 141.28.52.24 | BELWUE Landeshochschulnetz Baden-Wuerttemberg (BelWue)
>
> On 07.07.2011 12:54 AM, Dave Monnier wrote:
>> I've dropped the c&c into the ddosrs and it should show up momentarily.
>
> I've blocked 141.28.52.24 tcp/8003 and notified the customer.
Thanks! Just a final note, I had a look at the infected site's weblogs.
Looks like 88.191.65.201 seems to be involved in this somehow.
Looking at historic flows into my AS from this IP, they have been doing
a lot of scanning for some time, always looking for
/myadmin/scripts/setup.php
e.g.
[06/Jul/2011:02:13:05 -0400]
[05/Jul/2011:03:06:58 -0400]
[02/Jul/2011:00:55:12 -0400]
[31/May/2011:23:31:21 -0400]
[31/May/2011:14:04:19 -0400]
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
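The check Mike describes, pulling every request for the phpMyAdmin setup script out of a web server's access log and summarising it per source address, as an added example that is not part of the original thread or the poster's own tooling. The log lines are constructed Apache combined-format samples using RFC 5737 documentation addresses, not the IPs discussed above; the regexes and function names are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (Apache combined format). The source
# addresses are documentation-range placeholders, not the IPs from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [31/May/2011:14:04:19 -0400] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 1234 "-" "Mozilla/4.0"
192.0.2.10 - - [31/May/2011:23:31:21 -0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 1234 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jun/2011:09:12:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Jul/2011:00:55:12 -0400] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 1234 "-" "Mozilla/4.0"
203.0.113.5 - - [05/Jul/2011:03:06:58 -0400] "POST /myadmin/scripts/setup.php HTTP/1.1" 200 210 "-" "-"
this line is garbage and should be skipped
"""

# Fields we need from a combined-format line: client IP, timestamp, request
# method and path, and the response status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Any path ending in /scripts/setup.php is treated as a probe for the
# phpMyAdmin setup script, whichever directory alias it was requested under.
SETUP_PROBE_RE = re.compile(r'/scripts/setup\.php$', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format log line; return None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_setup_probes(log_text):
    """Summarise requests for the phpMyAdmin setup script per source IP.

    Returns {ip: {"count", "first", "last", "hit_200"}}. hit_200 is set when
    the server answered 200, i.e. the script is actually reachable on this
    host and needs to be removed or locked down, not just noted as scanning.
    """
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SETUP_PROBE_RE.search(rec["path"]):
            continue
        entry = summary.setdefault(
            rec["ip"],
            {"count": 0, "first": rec["ts"], "last": rec["ts"], "hit_200": False},
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        if rec["status"] == 200:
            entry["hit_200"] = True
    return summary


if __name__ == "__main__":
    probes = find_setup_probes(SAMPLE_LOG)
    for ip, s in sorted(probes.items(), key=lambda kv: -kv[1]["count"]):
        flag = "  ** setup.php answered 200, check this host **" if s["hit_200"] else ""
        print(f"{ip}: {s['count']} probes, {s['first']:%Y-%m-%d} .. {s['last']:%Y-%m-%d}{flag}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the first/last timestamps give the same "scanning for some time" picture Mike drew from his flow data, and a 200 status on the probe is the signal that the setup script is live and must be dealt with.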