[nsp-sec] Citadel infections 18K update

Jaap van Ginkel J.A.vanGinkel at uva.nl
Thu Mar 14 02:28:57 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/13/2013 08:17 PM, Jaap van Ginkel wrote:
> Dear Colleagues,


Some DNS resolvers slipped in, sorry for that; these are really
filtered for TCP:80 connections to 145.100.104.41.

Thanks for noticing, Andre and Scott.

Jaap

> 
> We found a Citadel C&C (Proxy) on our network (thanks to
> Spamhaus).
> 
> Address C&C:  145.100.104.41 port 80  (proxy for another node) 
> Timezone:   GMT+0100
> 
> For those who want them I've made a list from the netflow of hosts
> that contacted the C&C. As it is an infected experimental student
> machine, it's very unlikely to be legal traffic.
> 
> For questions you can contact cert at surfnet.nl
> 
> Jaap
> 
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlFBbiAACgkQtKCv03oMKPqtowCgro0CC5m40tf0XaJjx602jgLb
v9wAoJVuXxk7jwU2IBDBjcT6sTjAdfCd
=z0YO
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: citadel-OS3-AS.zip
Type: application/zip
Size: 237271 bytes
Desc: not available
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20130314/34565612/attachment-0001.zip>
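The post describes pulling, from netflow, the hosts that contacted the C&C proxy, and the follow-up notes that DNS resolvers slipped into the first list until the selection was restricted to TCP:80. The script below is an added example and is not code from the original post or from SURFcert; it shows a loose filter (destination address only) beside the strict 5-tuple filter, so the hosts that would wrongly be listed by the loose filter are visible. The CSV record layout and all sample flow lines are constructed for illustration (RFC 5737 documentation addresses as sources); only the C&C address and port come from the post.

```python
"""Extract the hosts that contacted a C&C address from netflow records.

Added example, not part of the original nsp-sec post. The record format
(a simple CSV 5-tuple) and the sample flows are constructed; the C&C
address and port are the ones given in the post.
"""
import csv
import io

CC_ADDR = "145.100.104.41"   # C&C proxy address from the post
CC_PORT = 80                 # C&C TCP port from the post

# Constructed sample records, loosely modelled on an nfdump-style CSV export.
# Columns: ts,proto,src_ip,src_port,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
2013-03-13 19:01:02,TCP,192.0.2.10,51234,145.100.104.41,80,2310
2013-03-13 19:01:05,UDP,192.0.2.53,41222,145.100.104.41,53,98
2013-03-13 19:02:11,TCP,198.51.100.7,44120,145.100.104.41,80,1744
2013-03-13 19:02:40,TCP,192.0.2.10,51240,145.100.104.41,80,1902
2013-03-13 19:03:00,UDP,203.0.113.9,53,145.100.104.41,37011,120
2013-03-13 19:03:15,TCP,203.0.113.20,60001,198.51.100.99,80,4400
2013-03-13 19:04:02,TCP,192.0.2.77,50022,145.100.104.41,443,300
"""


def parse_flows(text):
    """Parse CSV flow records into dicts; ports and byte counts become ints."""
    fields = ["ts", "proto", "src_ip", "src_port", "dst_ip", "dst_port", "bytes"]
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        row["src_port"] = int(row["src_port"])
        row["dst_port"] = int(row["dst_port"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def hosts_by_dst_ip(flows, cc_addr=CC_ADDR):
    """Loose selection: every source that sent anything to the C&C address.

    This is the kind of filter that lets DNS resolvers (UDP/53 traffic to or
    from the same box) slip into the infected-host list."""
    return sorted({f["src_ip"] for f in flows if f["dst_ip"] == cc_addr})


def hosts_by_cc_tuple(flows, cc_addr=CC_ADDR, cc_port=CC_PORT):
    """Strict selection: only TCP flows to the C&C address on the C&C port."""
    return sorted({
        f["src_ip"] for f in flows
        if f["dst_ip"] == cc_addr
        and f["proto"] == "TCP"
        and f["dst_port"] == cc_port
    })


def slipped_in(flows):
    """Sources the loose filter reports that the strict filter does not."""
    return sorted(set(hosts_by_dst_ip(flows)) - set(hosts_by_cc_tuple(flows)))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("hosts contacting C&C over TCP:80:", hosts_by_cc_tuple(flows))
    print("would have slipped in under dst-IP-only filter:", slipped_in(flows))
```

With real data, replace SAMPLE_FLOWS with an export of the collector's records for the relevant window; the strict filter is the one to hand to downstream contacts, and the difference set is a quick sanity check that no resolvers or unrelated services on the same host have been swept in.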