[outages] NANOG

John Sage jsage at finchhaven.com
Mon Oct 26 10:27:49 EDT 2015


On 10/26/2015 07:13 AM, Rich Kulawiec via Outages wrote:
> On Mon, Oct 26, 2015 at 06:19:11AM -0700, John Sage wrote:
>> After the appropriate wgets and less'es those all seemed to point back to
>>
>> avazunic [dot] com
>>
>> which is registered in -- wait for it -- CN...
>
> I have noted 374 different domains (so far) in this attack and have
> analyzed them at a cursory level.  Thus far, I see no pattern of
> registration, DNS, geography, hosting, etc.  I strongly suspect that
> many of these, perhaps even most or all, represent web sites that have
> been breached and are being used to spread the payload.

In my OP I was referring to the domain name that the ultimate payload 
contained, after the cobweb of redirects in the initial spam was 
followed back to an endpoint.

But I only did six or so, early yesterday, so who knows...

#EOF


- John
-- 



