- // #MalwareMustDie! Win32/Kuluoz.B CnC list..
- // FakeAV spreader, spam campaign attachment (mostly zips)
- // Within a week we took three takes at grabbing these CnCs
- // The usual port, 8080, is not written
- // Blocking these IPs on 8080 or 993 is one way of mitigation
- // For cleanup purposes, I will keep on adding to these..
- // Service signature (header)
- // nginx proxies, i.e.:
- Server: nginx/1.2.6
- Date: Mon, 08 Jul 2013 07:56:51 GMT
- Content-Type: text/html
- Content-Length: 20
- Connection: close
- X-Powered-By: PHP/5.4.4-7
- Vary: Accept-Encoding
- Content-Encoding: gzip
- // take one..
- // take two..
- // take three..
- // CnC data from config (decrypted)
- // CnC data extracted from spam config:
- // Unique historical:
- // up and alive PoC:
- Nmap done: 19 IP addresses (18 hosts up) scanned in 3.87 seconds
- // Scan the proxies used on 8080:
- Scanning 18 hosts [1 port/host]
- // Scan ports 993...
- #MalwareMustDie!
- $ date
- Mon Jul 10 15:00:02 JST 2013