[nsp-sec] likely Morto infected hosts --- from snort alerts... Times UTC
Russell Fulton
r.fulton at auckland.ac.nz
Sun Oct 9 21:49:31 EDT 2011
Those with 240 alerts (or close, or multiples) are almost certainly infected -- Morto appears to try 240 sessions on each target...
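The triage rule stated in the post (alert counts at or near a multiple of 240 indicate an infected source) can be applied mechanically to rows in the report's layout: ASN and prefix details, a `|`, then source IP, first time, last time, snort signature and alert count. The following is an added example, not part of the original post; the tolerance value, the verdict labels and the sample rows (documentation prefixes, private-use ASNs) are assumptions constructed for illustration.

```python
import re

SESSIONS_PER_TARGET = 240  # figure stated in the post
TOLERANCE = 12             # assumption: how far "close" may stray from a multiple

# Row layout per the post's header: "ASN ... | Src IP  first  last  signature  # alerts"
ROW_RE = re.compile(
    r"^(?P<asn>\d+)\s.*?\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<first>\S+)\s+(?P<last>\S+)\s+(?P<sig>.+?)\s+(?P<n>\d+)\s*$"
)

def classify(alerts, per_target=SESSIONS_PER_TARGET, tol=TOLERANCE):
    """Return (verdict, targets); targets is the nearest whole number of 240-session runs."""
    targets = (alerts + per_target // 2) // per_target
    if targets >= 1 and abs(alerts - targets * per_target) <= tol:
        return "likely-infected", targets
    return "needs-review", 0

def triage(lines):
    """Parse report rows; skip the header or anything else that does not match."""
    out = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            verdict, targets = classify(int(m["n"]))
            out.append((m["ip"], int(m["n"]), verdict, targets))
    return out

SIG = "ET TROJAN MS Terminal Server User A Login, possible Morto inbound"
# Constructed sample rows, not data from the post.
SAMPLE = [
    "ASN | Src IP First time last time snort signature # alerts",
    f"64512 192.0.2.0/24 ZZ example 2011-01-01 | 192.0.2.10 2011-10-09:09:05:40 2011-10-09:10:19:59 {SIG} 240",
    f"64513 198.51.100.0/24 ZZ example 2011-01-01 | 198.51.100.7 2011-10-09:19:13:08 2011-10-09:20:03:21 {SIG} 482",
    f"64514 203.0.113.0/24 ZZ example 2011-01-01 | 203.0.113.99 2011-10-09:22:26:15 2011-10-09:23:11:49 {SIG} 236",
    f"64514 203.0.113.0/24 ZZ example 2011-01-01 | 203.0.113.5 2011-10-09:12:46:33 2011-10-09:12:46:33 {SIG} 1",
    f"64512 192.0.2.0/24 ZZ example 2011-01-01 | 192.0.2.44 2011-10-09:16:14:31 2011-10-09:17:08:44 {SIG} 69",
]

if __name__ == "__main__":
    for ip, n, verdict, targets in triage(SAMPLE):
        print(f"{ip:15} {n:4} {verdict:16} targets~{targets}")
```

Sources with a single alert or a partial run fall into `needs-review` rather than being cleared, since the post makes no claim about them.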