[nsp-sec] Hlux/Kelihos p2p botnet sinkhole ... some results - part one

Gabriel Iovino giovino at ren-isac.net
Mon Oct 3 17:55:19 EDT 2011


On 10/3/2011 4:25 PM, Wim Biemolt wrote:
> Attached part one (asn <= 12334) of the hosts that showed up on the
> Hlux/Kelihos p2p botnet sinkhole. The machines are all infected with
> the Hlux bot and should be cleaned. The timestamps are in GMT, with
> nanosecond resolution.

ACK:

Please pass along my gratitude to everyone involved in making this data
available for remediation.

p.s. I confirmed off list that the number before the time stamp is
indeed the source port.

Thank you!

Gabe

-- 
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
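A parser for the sinkhole report layout described in this thread, added here as an example (not code from the thread, from Wim Biemolt's sinkhole, or from REN-ISAC). It assumes the field order ASN | infected IP | source port [GMT timestamp] | AS name given in the message, and the sample lines it carries are constructed with documentation ASNs and address ranges.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List
# One record per line: ASN | infected IP | source port [GMT timestamp] | AS name.
# Fractional seconds accept 1-9 digits since the sender states nanosecond resolution.
_LINE_RE = re.compile(
    r"^(?P<asn>\d+)\s*\|\s*(?P<ip>[0-9.]+)\s*\|\s*(?P<port>\d+)\s*"
    r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.(?P<frac>\d{1,9}))?\]\s*\|\s*"
    r"(?P<asname>.+?)\s*$"
)
@dataclass(frozen=True)
class SinkholeHit:
    asn: int
    ip: ipaddress.IPv4Address
    src_port: int   # the number before the timestamp, confirmed off-list as the source port
    seen: datetime  # GMT, timezone-aware (Python datetime keeps microseconds only)
    as_name: str

def parse_line(line: str) -> SinkholeHit:
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised sinkhole line: {line!r}")
    port = int(m["port"])
    if not 0 < port <= 65535:
        raise ValueError(f"bad source port {port}")
    frac = (m["frac"] or "0").ljust(6, "0")[:6]  # pad/truncate to microseconds
    seen = datetime.strptime(f"{m['ts']}.{frac}", "%Y-%m-%d %H:%M:%S.%f")
    return SinkholeHit(int(m["asn"]), ipaddress.IPv4Address(m["ip"]), port,
                       seen.replace(tzinfo=timezone.utc), m["asname"])

def parse_report(text: str) -> List[SinkholeHit]:
    """Parse a whole report, dropping mail quoting ('> ') and blank lines."""
    return [parse_line(l.lstrip("> ")) for l in text.splitlines() if l.lstrip("> ").strip()]

def hits_for_my_asns(hits: Iterable[SinkholeHit], my_asns: set) -> List[SinkholeHit]:
    """Records the receiving network must remediate: only its own ASNs."""
    return [h for h in hits if h.asn in my_asns]

# Constructed sample in the same layout (documentation ASNs and IP ranges, not real hosts).
SAMPLE_REPORT = """\
> 64496   | 192.0.2.10       | 3876 [2011-09-27 20:50:14.49252] | EXAMPLE-EDU - Example University
> 64497   | 198.51.100.7     | 61870 [2011-09-28 20:41:22.71137] | EXAMPLE-NET - Example Research Network
> 64496   | 192.0.2.11       | 1429 [2011-09-28 23:46:44.679710123] | EXAMPLE-EDU - Example University
"""
if __name__ == "__main__":
    for h in hits_for_my_asns(parse_report(SAMPLE_REPORT), {64496}):
        print(f"AS{h.asn} {h.ip} port {h.src_port} seen {h.seen.isoformat()} ({h.as_name})")
```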