[nsp-sec] SYN flood executed by Minecraft plugin
Barry Raveendran Greene
bgreene at senki.org
Wed Dec 5 06:41:49 EST 2018
Thanks for sharing.
> On Dec 5, 2018, at 03:16, Dominik Bay <db at rrbone.net> wrote:
>
> ----------- nsp-security Confidential --------
>
> Hey folks,
>
> thanks for your feedback.
>
> This is TLP:AMBER
>
> Payload connection goes to
> update4life(.)xyz:666 (currently resolves to 213.183.49.70)
>
> C&C connection goes to
> update4life(.)xyz:1337 (currently resolves to 213.183.49.70)
>
> If you see flows to this host, you have infected Minecraft servers in your network using this plugin: https://www.spigotmc.org/resources/autoitemreload.61142/
>
> You are likely to see SYN floods and possibly other flood attacks originated from hosts communicating with the C&C.
>
> Cheers,
> Dominik
>
>> On 12/3/18 6:45 PM, Dominik Bay wrote:
>> ----------- nsp-security Confidential --------
>> Hi,
>> a colleague found a Minecraft plugin which downloads malware payload and communicates with a C&C to at least launch SYN flood attacks.
>> Anyone around maybe even from Microsoft who knows how to handle this kind of rogue behaviour?
>> Thanks.
>> Cheers,
>> Dominik
>
> --
> rrbone GmbH - Ruhrallee 9 - 44139 Dortmund
> HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
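A detection check for the indicators in the post above, added here as an example that is not from the post or the list: it scans constructed flow records (the CSV layout is assumed, not any real exporter's format) and reports which internal hosts reached the payload port (666) or the C&C port (1337) on 213.183.49.70.

```python
"""Flag flows from internal hosts to the payload / C&C endpoints named in the post."""
from collections import defaultdict

# Indicators from the post: the IP the domain resolved to at the time, and the two ports.
C2_HOST = "213.183.49.70"
INDICATORS = {(C2_HOST, 666): "payload download", (C2_HOST, 1337): "C&C"}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'update4life(.)xyz' back into a matchable name."""
    return domain.replace("(.)", ".").replace("[.]", ".")


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: ts,src_ip,src_port,dst_ip,dst_port,proto,pkts."""
    ts, src, sport, dst, dport, proto, pkts = line.strip().split(",")
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.lower(), "pkts": int(pkts)}


def find_infected(flow_lines) -> dict:
    """Return {src_ip: sorted list of roles} for hosts that talked to a listed endpoint over TCP."""
    hits = defaultdict(set)
    for line in flow_lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip header / blank lines
        flow = parse_flow(line)
        role = INDICATORS.get((flow["dst"], flow["dport"]))
        if role and flow["proto"] == "tcp":
            hits[flow["src"]].add(role)
    return {src: sorted(roles) for src, roles in hits.items()}


# Constructed sample flows (not real traffic): two infected Minecraft servers and one clean one.
SAMPLE_FLOWS = """\
# ts,src_ip,src_port,dst_ip,dst_port,proto,pkts
2018-12-04T21:00:01,192.0.2.10,49812,213.183.49.70,666,tcp,40
2018-12-04T21:00:09,192.0.2.10,49830,213.183.49.70,1337,tcp,12
2018-12-04T21:01:15,192.0.2.11,51020,213.183.49.70,1337,tcp,9
2018-12-04T21:02:00,192.0.2.12,44100,198.51.100.7,25565,tcp,300
""".splitlines()

if __name__ == "__main__":
    for src, roles in find_infected(SAMPLE_FLOWS).items():
        print(f"{src}: contacted {', '.join(roles)}")
```

Hosts that hit the payload port and the C&C port are the ones to isolate first; a DNS-log search for the refanged name catches servers whose resolution has since moved to a different address.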