[nsp-sec] Botnet takedown - Chinese SSH Brute Force

Hank Nussbacher hank at efes.iucc.ac.il
Mon Apr 13 10:42:08 EDT 2015


>As an aside, below is a list of infected IPs we have recently seen 
>communicating with the C2 and malware download sites.   Quite a few on 
>3356, 3549, and 4323.   So ACK!
>
>Thanks,
>
>Brett
>
>victim_ip       victim_asn      c2:tcp_port
>128.139.172.3   378     162.218.112.7:8000

Brett,

Ack for AS378.

After checking with the end user it turns out to be a honeypot system.

We saw a lot of DNS lookups from 128.139.172.3 between Fri, 06 Mar 2015 
15:15:25 GMT and today.
What we found interesting from our pDNS logs were 2 IPs other than 8.8.8.8 
that kept popping up:

103.25.9.228 and 59.188.237.12.  I'd be interested to know what these 2 IPs 
are (didn't find them listed in either blog post).

Part of our pDNS logs is below.  If you want a fuller list, send me email 
off-list.

1425654925.272386||128.139.172.3||8.8.8.8||IN||ndns.dsaj2a.com.||A||192.126.126.64||509||1
1425654925.284904||128.139.172.3||8.8.8.8||IN||info.3000uc.com.||A||23.234.60.140||478||1
1425654930.641971||128.139.172.3||8.8.8.8||IN||ndns.hcxiaoao.com.||A||23.252.161.214||37||1
1425654935.975137||128.139.172.3||8.8.8.8||IN||ndns.dsaj2a.org.||A||66.102.253.30||278||1
1425654941.353389||128.139.172.3||8.8.8.8||IN||ndns.dsaj2a1.org.||A||23.234.22.133||258||1
1425667583.278836||128.139.172.3||8.8.8.8||IN||info.3000uc.com.||A||23.234.60.140||33||1
1425668751.388831||128.139.172.3||8.8.8.8||IN||runfromme.no-ip.info.||A||192.3.150.194||55||1
1425694484.070142||128.139.172.3||8.8.8.8||IN||ndns.dsaj2a.org.||A||66.102.253.30||40||1
1425694489.507539||128.139.172.3||8.8.8.8||IN||ndns.dsaj2a1.org.||A||23.234.22.133||376||1
1427468891.618150||128.139.172.3||103.25.9.228||IN||wangzongfacai.com.||A||107.150.37.91||358||1
1427468891.618150||128.139.172.3||103.25.9.228||IN||www.wangzongfacai.com.||CNAME||wangzongfacai.com.||3232||1
1427469094.477268||128.139.172.3||103.25.9.228||IN||gh.dsaj2a1.org.||A||66.102.253.30||380||1
1427470178.857813||128.139.172.3||103.25.9.228||IN||info.3000uc.com.||A||23.234.60.140||513||1
1427470188.869282||128.139.172.3||103.25.9.228||IN||ndns.dsaj2a.com.||A||192.126.126.64||487||1
1427470189.428258||128.139.172.3||103.25.9.228||IN||ndns.hcxiaoao.com.||A||103.240.141.54||487||1
1427470351.834235||128.139.172.3||103.25.9.228||IN||ndns.dsaj2a.org.||A||103.240.140.152||332||1
1428338850.275850||128.139.172.3||59.188.237.12||IN||www.baidu.com.||A||59.188.242.190||3600||1
1428338962.471036||128.139.172.3||59.188.237.12||IN||www.baidu.com.||A||59.188.242.190||3600||254
1428338966.353464||128.139.172.3||8.8.8.8||IN||8uc.gddos.com.||A||59.188.242.190||599||322
1428363121.457414||128.139.172.3||8.8.8.8||IN||8uc.gddos.com.||A||59.188.242.190||490||1
1428363122.376281||128.139.172.3||59.188.237.12||IN||www.baidu.com.||A||59.188.242.190||3600||1

-Hank
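As an added example (not part of Hank's post or the list archive), a small parser for the `||`-delimited pDNS records quoted above that reports every resolver other than 8.8.8.8 together with the names queried through it, which is how the two IPs in the message stand out. The field order is an assumption read off the quoted records, and the embedded sample lines are copied from the post.

```python
from collections import defaultdict
from dataclasses import dataclass

# Field layout is an assumption inferred from the records quoted in the post:
# epoch_ts||client_ip||resolver_ip||class||qname||qtype||rdata||ttl||count
FIELDS = ("ts", "client", "resolver", "qclass", "qname", "qtype", "rdata", "ttl", "count")

# Five records copied from the post (sample input for this example only).
SAMPLE = """
1425654925.272386||128.139.172.3||8.8.8.8||IN||ndns.dsaj2a.com.||A||192.126.126.64||509||1
1427468891.618150||128.139.172.3||103.25.9.228||IN||wangzongfacai.com.||A||107.150.37.91||358||1
1427468891.618150||128.139.172.3||103.25.9.228||IN||www.wangzongfacai.com.||CNAME||wangzongfacai.com.||3232||1
1428338850.275850||128.139.172.3||59.188.237.12||IN||www.baidu.com.||A||59.188.242.190||3600||1
1428338966.353464||128.139.172.3||8.8.8.8||IN||8uc.gddos.com.||A||59.188.242.190||599||322
""".strip().splitlines()

@dataclass
class PdnsRecord:
    ts: float
    client: str
    resolver: str
    qclass: str
    qname: str
    qtype: str
    rdata: str
    ttl: int
    count: int

def parse_pdns_line(line):
    """Split one '||' record, reject wrong field counts, normalise the qname."""
    parts = line.strip().split("||")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    d = dict(zip(FIELDS, parts))
    # DNS names are case-insensitive and the log keeps the trailing root dot.
    d["qname"] = d["qname"].rstrip(".").lower()
    return PdnsRecord(float(d["ts"]), d["client"], d["resolver"], d["qclass"],
                      d["qname"], d["qtype"], d["rdata"], int(d["ttl"]), int(d["count"]))

def unexpected_resolvers(records, allowed):
    """Map each resolver outside the allow-list to the sorted names queried through it."""
    seen = defaultdict(set)
    for r in records:
        if r.resolver not in allowed:
            seen[r.resolver].add(r.qname)
    return {ip: sorted(names) for ip, names in seen.items()}

def analyze(lines=SAMPLE, allowed=frozenset({"8.8.8.8"})):
    records = [parse_pdns_line(l) for l in lines if l.strip()]
    return unexpected_resolvers(records, allowed)
```

Point `analyze()` at a full export and widen `allowed` to the resolvers your network actually sanctions; anything left in the result is a host talking to a resolver it should not be using.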