[nsp-sec] Citadel infections 18K update
Stéphane Dodeller
dodeller at ip-plus.net
Fri Mar 15 03:58:50 EDT 2013
Hi Jaap,
Ack for, and thanks from 3303
Cheers
Stéphane Dodeller
On 14 Mar 2013, at 07:28, Jaap van Ginkel <J.A.vanGinkel at uva.nl> wrote:
> ----------- nsp-security Confidential --------
>
> On 03/13/2013 08:17 PM, Jaap van Ginkel wrote:
>> Dear Colleagues,
>
>
> Some DNS resolvers slipped in, sorry for that; these are really
> filtered for TCP:80 connections to 145.100.104.41.
>
> Thanks for noticing, Andre and Scott.
>
> Jaap
>
>>
>> We found a Citadel C&C (Proxy) on our network (thanks to
>> Spamhaus).
>>
>> Address C&C: 145.100.104.41 port 80 (proxy for another node)
>> Timezone: GMT+0100
>>
>> For those who want them I've made a list from the netflow of hosts
>> that contacted the C&C. As it is an infected experimental student
>> machine, it's very unlikely to be legitimate traffic.
>>
>> For questions you can contact cert at surfnet.nl
>>
>> Jaap
>
> <citadel-OS3-AS.zip>
>
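The filtering Jaap describes (keeping only TCP:80 flows to the C&C so that DNS resolvers do not slip into the host list) as an added example; this is not code from the original mail or its attachment. It assumes a constructed, whitespace-separated flow export with the columns `proto src_ip src_port dst_ip dst_port packets bytes`; the sample flows are made up.

```python
"""Build the list of hosts that contacted a known C&C from netflow records.

Added example, not from the thread. Keeps only TCP flows to 145.100.104.41
port 80, so UDP/53 traffic from DNS resolvers is excluded from the list.
"""
from collections import Counter
from ipaddress import ip_address

CC_IP = "145.100.104.41"   # C&C proxy address named in the mail
CC_PORT = 80

# Constructed sample flows: two infected hosts, one DNS resolver, one unrelated flow.
SAMPLE_FLOWS = """\
TCP 192.0.2.10 51234 145.100.104.41 80 12 3400
UDP 192.0.2.53 38122 145.100.104.41 53 1 80
TCP 198.51.100.7 44321 145.100.104.41 80 9 2100
TCP 192.0.2.10 51240 145.100.104.41 80 7 1900
TCP 203.0.113.5 40000 145.100.104.41 443 3 500
"""

def parse_flow(line):
    """Parse one record; return a dict, or None for comment/malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != 7:
        return None
    proto, src, sport, dst, dport, pkts, byts = parts
    try:
        return {"proto": proto.upper(), "src": str(ip_address(src)), "sport": int(sport),
                "dst": str(ip_address(dst)), "dport": int(dport),
                "packets": int(pkts), "bytes": int(byts)}
    except ValueError:          # bad IP or non-numeric field
        return None

def cc_contacts(flow_text, cc_ip=CC_IP, cc_port=CC_PORT):
    """Counter of source IP -> number of TCP flows to cc_ip:cc_port."""
    hits = Counter()
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec and rec["proto"] == "TCP" and rec["dst"] == cc_ip and rec["dport"] == cc_port:
            hits[rec["src"]] += 1
    return hits

def report(flow_text):
    """Sorted (src_ip, flow_count) pairs, the per-host list shared with affected networks."""
    return sorted(cc_contacts(flow_text).items(), key=lambda kv: ip_address(kv[0]))

if __name__ == "__main__":
    for src, n in report(SAMPLE_FLOWS):
        print(f"{src}\t{n} flow(s) to {CC_IP}:{CC_PORT}")
```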