[nsp-sec] Flashback C&C ?
Krista Hickey
Krista.Hickey at cogeco.com
Mon Apr 16 17:27:17 EDT 2012
Hi Mike
I would suggest you (and others receiving these reports) contact CCIRC for further information. If you're having any problems getting a response, I can help out, as I know some trusted folks there.
Krista
7992
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Mike Tancsa
Sent: Monday, April 16, 2012 4:33 PM
To: Eric Ziegast
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Flashback C&C ?
----------- nsp-security Confidential --------
On 4/16/2012 4:22 PM, Eric Ziegast wrote:
> ----------- nsp-security Confidential --------
>
> About CCIRC: I know that CCIRC is a real organization run by Public
> Safety Canada. If you got a notice, they probably think you're a
> Canadian organization in their notification domain. You might have a
> Canadian ISP as one of your uplinks.
Thanks for the info. We are actually a Canadian ISP :)
>
> For anyone disseminating information, it may help those notified to
> include time stamps and source port numbers along with the IP
> addresses so that the affected organization can do some better
> attribution to the correct client in case there are NAT or DHCP issues.
Yes, a few sites in my network that contacted that host are large orgs
with many internal hosts. So accurate time data and ephemeral ports
would be very handy.
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
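
The attribution point raised in this thread, as an added example that is not part of the original messages: matching a notification against a NAT translation log shows why an IP address and timestamp alone leave several candidate hosts, while the source port narrows it to one. The log layout, the `ts` and `attribute` names, and all addresses and times are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a timezone-aware UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed NAT translation log (layout is an assumption):
# (mapping start, mapping end, internal IP, public IP, public source port)
NAT_LOG = [
    (ts("2012-04-16 14:00:05"), ts("2012-04-16 14:02:10"), "10.1.4.22", "192.0.2.10", 40112),
    (ts("2012-04-16 14:01:30"), ts("2012-04-16 14:03:00"), "10.1.7.80", "192.0.2.10", 51544),
    (ts("2012-04-16 14:01:50"), ts("2012-04-16 14:04:20"), "10.1.9.15", "192.0.2.10", 40977),
    # The same public port is reused later by a different internal host.
    (ts("2012-04-16 15:10:00"), ts("2012-04-16 15:11:00"), "10.1.2.33", "192.0.2.10", 51544),
]

def attribute(nat_log, public_ip, seen_at, src_port=None, skew=timedelta(seconds=5)):
    """Return the sorted internal IPs whose NAT mapping matches a report.

    seen_at must be timezone-aware. skew tolerates clock drift between the
    reporter and the NAT device. src_port=None models a notification that
    carried only an IP address and a timestamp.
    """
    hits = set()
    for start, end, inside, outside, port in nat_log:
        if outside != public_ip:
            continue
        if src_port is not None and port != src_port:
            continue
        if start - skew <= seen_at <= end + skew:
            hits.add(inside)
    return sorted(hits)

if __name__ == "__main__":
    when = ts("2012-04-16 14:02:00")
    print("IP + time only :", attribute(NAT_LOG, "192.0.2.10", when))
    print("IP + time + port:", attribute(NAT_LOG, "192.0.2.10", when, src_port=51544))
```

Because public ports are reused over time, the port only identifies a host when paired with an accurate timestamp, which is why the skew window is kept small.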