[nsp-sec] SYN flood executed by Minecraft plugin
Dominik Bay
db at rrbone.net
Wed Dec 5 03:16:12 EST 2018
Hey folks,
thanks for your feedback.
This is TLP:AMBER
Payload connection goes to
update4life(.)xyz:666 (currently resolves to 213.183.49.70)
C&C connection goes to
update4life(.)xyz:1337 (currently resolves to 213.183.49.70)
If you see flows to this host, you have infected Minecraft servers in
your network using this plugin:
https://www.spigotmc.org/resources/autoitemreload.61142/
You are likely to see SYN floods and possibly other flood attacks
originating from hosts communicating with the C&C.
Cheers,
Dominik
On 12/3/18 6:45 PM, Dominik Bay wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> a colleague found a Minecraft plugin which downloads a malware payload and
> communicates with a C&C to at least launch SYN flood attacks.
>
> Anyone around maybe even from Microsoft who knows how to handle this
> kind of rogue behaviour?
>
> Thanks.
>
> Cheers,
> Dominik
>
--
rrbone GmbH - Ruhrallee 9 - 44139 Dortmund
HR B 23168 Amtsgericht Dortmund - Managing Director: Dominik Bay
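An added example of the check the advisory asks for (not code from the thread): a small Python script that flags internal hosts with TCP flows to the C&C host on the two ports named above, run over a constructed flow export. The CSV column names are an assumption about the export format; adapt them to your collector.

```python
"""Flag internal hosts whose flows match the indicators in the advisory:
213.183.49.70 on TCP 666 (payload) and TCP 1337 (C&C)."""
import csv
import io
from collections import defaultdict

# Indicators taken from the advisory above.
C2_HOST = "213.183.49.70"
C2_PORTS = {666: "payload download", 1337: "C&C"}
DEFANGED_DOMAIN = "update4life(.)xyz"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example(.)xyz' back into a hostname
    so it can be matched against DNS query logs."""
    return indicator.replace("(.)", ".").replace("[.]", ".")


def find_infected(flow_csv: str) -> dict:
    """Return {internal_host: sorted list of matched roles} for TCP flows that
    reach the C&C host on one of the known ports. Assumed (constructed) export
    columns: ts,src_ip,dst_ip,dst_port,proto."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "tcp" or row["dst_ip"] != C2_HOST:
            continue
        role = C2_PORTS.get(int(row["dst_port"]))
        if role:  # other ports on the same host are not part of this indicator
            hits[row["src_ip"]].add(role)
    return {host: sorted(roles) for host, roles in hits.items()}


# Constructed sample flow export; not real traffic.
SAMPLE_FLOWS = """ts,src_ip,dst_ip,dst_port,proto
2018-12-05T03:00:01Z,10.0.5.12,213.183.49.70,666,tcp
2018-12-05T03:00:09Z,10.0.5.12,213.183.49.70,1337,tcp
2018-12-05T03:01:00Z,10.0.5.40,213.183.49.70,1337,tcp
2018-12-05T03:01:30Z,10.0.5.40,213.183.49.70,443,tcp
2018-12-05T03:02:00Z,10.0.7.3,198.51.100.7,443,tcp
"""

if __name__ == "__main__":
    for host, roles in find_infected(SAMPLE_FLOWS).items():
        print(f"{host}: {', '.join(roles)}")
```

A host that only downloaded the payload but has not yet checked in to the C&C still shows up, which is the case you most want to catch early.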