pwillener (SRT Trainee, Premium Member)
Joined: Apr 17, 2006  Posts: 1813  Location: Japan
Posted: Thu Oct 11, 2007 2:30 am  Post subject: Fast-flux (?) phishing

Code: http://securelogin-09668377.moneymanagergps.com.pnx42.com/Online_Form.htm
Currently resolves to
- 24.122.6.20
- 24.67.46.85
- 58.38.79.216
- 61.223.169.169
- 70.245.70.48
- 99.243.17.236
- 122.126.10.6
- 125.243.58.21
- 190.136.73.33
- 221.207.128.125
Reported to PIRT - hope they can cope with that.
s0tet (PIRT Handler)
Joined: May 21, 2005  Posts: 2945
Posted: Fri Oct 12, 2007 1:43 am
Thank you for reporting that. Lots of IPs there, fast flux on a botnet, most likely.
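The pattern s0tet is naming (one hostname answering with a handful of consumer-broadband addresses scattered across unrelated networks, changing from one lookup to the next) can be scored offline once a few answer sets have been collected, for example with repeated `dig +noall +answer <host>` runs. The script below is an added example and is not code from the thread or from PIRT. The first answer set is the ten addresses pwillener posted; the TTL of 300 s, the second answer set and the "control" hostname (RFC 5737 documentation addresses) are constructed for the demo, and the thresholds in `is_fast_flux()` are assumptions rather than a published standard.

```python
"""Fast-flux heuristic over repeated DNS lookups of one hostname.

Added example, not code from the thread.  The first answer set is the ten
addresses pwillener posted; the TTL (300 s), the second answer set and the
"control" host (RFC 5737 documentation addresses) are constructed, and the
thresholds in is_fast_flux() are assumptions, not a published standard.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    """One A-record answer set for a hostname, as returned by a resolver."""
    hostname: str
    ttl: int
    addresses: Tuple[str, ...]


def analyse(answers: List[DnsAnswer]) -> Dict[str, float]:
    """Summarise what a resolver saw across several lookups of one name."""
    seen = set()
    nets16 = set()
    churn = 0  # addresses that first appeared after the initial lookup
    for i, ans in enumerate(answers):
        for ip in ans.addresses:
            addr = ipaddress.ip_address(ip)
            if addr not in seen:
                seen.add(addr)
                if i > 0:
                    churn += 1
            # /16 is a crude offline stand-in for "a different ISP/ASN";
            # a real tool would map each address to its origin AS.
            nets16.add(ipaddress.ip_network(f"{addr}/16", strict=False))
    return {
        "unique_ips": len(seen),
        "unique_nets16": len(nets16),
        "max_per_answer": max(len(a.addresses) for a in answers),
        "min_ttl": min(a.ttl for a in answers),
        "churn_ratio": churn / len(seen),
    }


def is_fast_flux(report: Dict[str, float], min_ips: int = 5,
                 min_nets: int = 5, max_ttl: int = 600) -> bool:
    """Many addresses, spread over many networks, with a short TTL.

    A CDN also answers with a short TTL and many addresses, but they
    cluster in a few prefixes; the network-diversity test is what
    separates consumer-broadband bots from a hosting provider.
    """
    return (report["unique_ips"] >= min_ips
            and report["unique_nets16"] >= min_nets
            and report["min_ttl"] <= max_ttl)


FLUX_HOST = "securelogin-09668377.moneymanagergps.com.pnx42.com"
FLUX_LOOKUPS = [
    # lookup 1: the addresses from the thread (TTL is assumed)
    DnsAnswer(FLUX_HOST, 300, (
        "24.122.6.20", "24.67.46.85", "58.38.79.216", "61.223.169.169",
        "70.245.70.48", "99.243.17.236", "122.126.10.6", "125.243.58.21",
        "190.136.73.33", "221.207.128.125")),
    # lookup 2 (constructed): two nodes survive, four new ones appear
    DnsAnswer(FLUX_HOST, 300, (
        "24.122.6.20", "70.245.70.48", "192.0.2.17", "198.51.100.9",
        "203.0.113.44", "192.0.2.200")),
]

CONTROL_HOST = "www.cdn-control.example"  # constructed benign host
CONTROL_LOOKUPS = [
    DnsAnswer(CONTROL_HOST, 60, ("203.0.113.10", "203.0.113.11",
                                 "203.0.113.12", "203.0.113.13")),
    DnsAnswer(CONTROL_HOST, 60, ("203.0.113.12", "203.0.113.13",
                                 "203.0.113.14", "203.0.113.15")),
]

if __name__ == "__main__":
    for lookups in (FLUX_LOOKUPS, CONTROL_LOOKUPS):
        report = analyse(lookups)
        verdict = "fast-flux" if is_fast_flux(report) else "not flagged"
        print(lookups[0].hostname, verdict, report)
```

The /16 bucketing is only there so the example runs without network access; in practice the diversity signal is the number of distinct origin ASNs behind the answers, and the control host shows why it matters: it has a shorter TTL than the phishing name but every address sits in one prefix.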
pwillener (SRT Trainee, Premium Member)
Joined: Apr 17, 2006  Posts: 1813  Location: Japan
Posted: Fri Oct 12, 2007 4:59 am
Here today, gone tomorrow...
Actually it's gone now 
ahoier (SIRT Handler)
Joined: Jan 14, 2006  Posts: 1087  Location: USA
Posted: Sun Oct 14, 2007 5:14 am
I tried accessing some of those IPs directly, though some turned up "operation timed out"....
Some (Code: http://70.245.70.48/Online_Form.htm) turned up "Firefox can't establish a connection to the server at 70.245.70.48." - likely either it's offline, dynamic IP, etc.?
The other "operation timed out" ones... could it be possible they are still infected with the botnet software?
Have those hosts been contacted too, to get their customers cleaned up?
I'm guessing if the botnet malware is still active on those boxes, it's just one command away to point them at a new domain?
Edit:
Code: http://24.122.6.20/Online_Form.htm is actually responding... with a 404...
Code:
OrgName: COGECO Cable Canada Inc.
OrgID: COQB
Address: 1630 6e rue
City: Trois-Rivieres
StateProv: QC
PostalCode: G8Y-5B8
Country: CA
NetRange: 24.122.0.0 - 24.122.255.255
CIDR: 24.122.0.0/16
NetName: RAPIDUS-02
NetHandle: NET-24-122-0-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.CGOCABLE.CA
NameServer: NS2.CGOCABLE.CA
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-04-18
Updated: 2006-12-18
RTechHandle: NETWO482-ARIN
RTechName: Network Administrator
RTechPhone: +1-819-379-2443
RTechEmail: Whois Privacy and Spam Prevention by DomainTools.com
OrgAbuseHandle: ABUSE616-ARIN
OrgAbuseName: Abuse Administrator
OrgAbusePhone: +1-819-379-2443
OrgAbuseEmail: Whois Privacy and Spam Prevention by DomainTools.com
OrgTechHandle: NETWO482-ARIN
OrgTechName: Network Administrator
OrgTechPhone: +1-819-379-2443
OrgTechEmail: Whois Privacy and Spam Prevention by DomainTools.com
OrgName: COGECO Cable Canada Inc.
OrgID: COQB
Address: 1630 6e rue
City: Trois-Rivieres
StateProv: QC
PostalCode: G8Y-5B8
Country: CA
NetRange: 24.122.0.0 - 24.122.63.255
CIDR: 24.122.0.0/18
NetName: COQB-TR04
NetHandle: NET-24-122-0-0-2
Parent: NET-24-122-0-0-1
NetType: Reassigned
NameServer: NS1.CGOCABLE.CA
NameServer: NS2.CGOCABLE.CA
Comment:
RegDate: 2006-01-11
Updated: 2006-01-11
OrgAbuseHandle: ABUSE616-ARIN
OrgAbuseName: Abuse Administrator
OrgAbusePhone: +1-819-379-2443
OrgAbuseEmail: Whois Privacy and Spam Prevention by DomainTools.com
OrgTechHandle: NETWO482-ARIN
OrgTechName: Network Administrator
OrgTechPhone: +1-819-379-2443
OrgTechEmail: Whois Privacy and Spam Prevention by DomainTools.com
Interestingly enough, http://24.122.6.20/ redirects to http://www.microsoft.com/en/us/default.aspx ..... lol. I wonder if the "host" took control, sort of?
saintau (Trooper)
Joined: Jun 15, 2007  Posts: 15
Posted: Wed Oct 17, 2007 1:35 am
You will need to change your header/ref info to make the backend respond correctly.
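What saintau is pointing at is the difference between what ahoier's browser sent and what a victim's browser sends: both connect to the bot's IP, but the victim's request carries the phishing hostname in the Host header, and that is what the node (or the backend it proxies to) keys on, so a bare-IP request gets a 404 or a redirect to a legitimate site. The script below is an added example, not code from the thread or from PIRT. It uses the hostname and path pwillener reported, but the node it talks to is a constructed local stub that imitates ahoier's observations; the User-Agent string is an arbitrary choice, and saintau's "ref" is taken to mean the Referer header, which `probe()` lets you set although the stub only checks Host.

```python
"""Probe a flux node with the phishing hostname in the Host header.

Added example, not code from the thread.  The hostname and path are the
ones pwillener reported; the stub server below is a constructed stand-in
for a flux node (it mimics ahoier's observations: a 404 for the page and
a redirect to microsoft.com for "/" when asked by bare IP), and the
User-Agent string is an arbitrary choice.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

PHISH_HOST = "securelogin-09668377.moneymanagergps.com.pnx42.com"
PHISH_PATH = "/Online_Form.htm"


class FluxNodeStub(BaseHTTPRequestHandler):
    """Serves the phishing page only when the Host header names the
    phishing domain; anything else looks like an innocent box."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host == PHISH_HOST and self.path == PHISH_PATH:
            status, body, location = 200, b"<html>fake bank login form</html>", None
        elif host != PHISH_HOST and self.path == "/":
            status, body, location = 302, b"", "http://www.microsoft.com/en/us/default.aspx"
        else:
            status, body, location = 404, b"<html>Not Found</html>", None
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


def start_stub() -> HTTPServer:
    """Start the stand-in node on a random loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), FluxNodeStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip: str, port: int, path: str, host_header: Optional[str] = None,
          referer: Optional[str] = None) -> Tuple[int, Optional[str], bytes]:
    """GET path from ip:port, optionally spoofing Host and Referer.

    Connecting by IP but sending the phishing domain in Host is what a
    victim's browser does after DNS resolution, and is what the backend
    (proxied by the bot) keys on.  Returns (status, Location, body).
    """
    headers = {"User-Agent": "Mozilla/5.0 (analysis probe)"}
    if host_header:
        headers["Host"] = host_header  # http.client honours an explicit Host
    if referer:
        headers["Referer"] = referer
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    srv = start_stub()
    port = srv.server_address[1]
    for path, host in ((PHISH_PATH, None), ("/", None), (PHISH_PATH, PHISH_HOST)):
        status, location, body = probe("127.0.0.1", port, path, host_header=host)
        print(f"Host={host or '(ip only)'} {path} -> {status} {location or ''} {body[:40]!r}")
    srv.shutdown()
    srv.server_close()
```

Against a real node you would replace the loopback address and port with one of the flux IPs and port 80, keep the Host header as the phishing name, and do it from an isolated analysis host: the request is indistinguishable from a victim's, so the node will happily serve the kit, and the phishing page must not be opened in a normal browser session.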