

The BotHunter Community Repository
Botnet C&C Servers Found by BotHunter Users
Visit: Malware Attack Sources Found by BotHunter Users
When you run BotHunter with its auto-update service enabled, you are not just receiving our latest malware threat intelligence to protect your network. You are also contributing to our world-wide knowledge of where Botnet Command and Control (C&C) servers and bot-infected clients live.

The data on this website is supplied as is, without warranty of any kind. You may NOT redistribute this data. Use or reliance on this data is at your own risk.
Botnet C&C IP (Country Code), City, Region, Country |
Domain / NetSpeed (DSL, COMP, DIAL) / Service Provider |
Forensics: confidence level (score), number of reporting BotHunter users, number of infection reports, first and last report dates |
Evidence Summary: signature id (hit count): BotHunter dialog phase - signature message, as performed by the botclient victim |
|
216.86.155.41 (US)
CHICAGO ILLINOIS UNITED STATES |
STEADFAST.NET / DSL NOZONE INC |
Very High Details (2.2) 22 BotHunter Users 33 Infection Report 2009-12-11 to 2010-03-01 |
° 3810007(3): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2000328(1): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 7777008(1): Malware Scan - Detected intense malware port scanning ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
204.16.247.230 (US)
PITTSBURGH PENNSYLVANIA UNITED STATES |
TERASWITCH.COM / DSL G3 TECHNOLOGIES INC |
Very High Details (2.0) 2 BotHunter Users 2 Infection Report 2010-01-10 to 2010-02-05 |
° 2003330(13): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
80.70.227.112 (RU)
ST. PETERSBURG SAINT PETERSBURG CITY RUSSIAN FEDERATION |
MNS.RU / DIAL CREDOLINK ISP DIAL-UP |
High Details (1.7) 1 BotHunter Users 1 Infection Report 2010-03-06 to 2010-03-06 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(2): Malware Scan - Detected intense malware port scanning ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
122.240.11.129 (CN)
WENZHOU ZHEJIANG CHINA |
HZ.ZJ.CN / DSL CHINANET-ZJ WENZHOU NODE NETWORK |
Moderate Details (1.2) 2 BotHunter Users 2 Infection Report 2010-02-18 to 2010-02-19 |
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2007963(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Status OK ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
194.67.36.10 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
GLDN.NET / COMP SOVINTEL |
High Details (1.5) 3 BotHunter Users 5 Infection Report 2010-01-15 to 2010-01-15 |
° 7777005(10): Outbound Scan - Detected intense non-malware port scanning ° 3810007(5): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 2600324(1): Attack Prep - SPYWARE-DNS DNS lookup 13 chars (.net) ° 2600338(1): Attack Prep - SPYWARE-DNS DNS lookup 3 chars (.net) ° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server |
|
58.40.74.41 (CN)
BEIJING BEIJING CHINA |
ONLINE.SH.CN / DSL CHINANET SHANGHAI PROVINCE NETWORK |
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2010-01-28 to 2010-01-28 |
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2007963(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Status OK ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
66.150.51.0 (US)
NEW YORK NEW YORK UNITED STATES |
PNAP.NET / DSL MIVA INC |
High Details (1.5) 1 BotHunter Users 17 Infection Report 2009-12-10 to 2009-12-10 |
° 7777005(33): Outbound Scan - Detected intense non-malware port scanning ° 2003579(18): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough) ° 3(17): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2008438(1): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File ° 2008576(1): Egg Download - ET TROJAN TinyPE Binary - Possibly Hostile ° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host |
|
85.93.9.51 (DE)
BERLIN BERLIN GERMANY |
ULTIMATIV.ORG / DSL ROOTBASH.COM - IT SERVICES |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2009-12-25 to 2009-12-25 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
95.211.2.1 (NL)
AMSTERDAM NOORD-HOLLAND NETHERLANDS |
BLA.NL / DSL NL-LEASEWEB |
High Details (1.4) 1 BotHunter Users 1 Infection Report 2009-12-23 to 2009-12-23 |
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 2003088(2): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp) ° 2003636(2): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU) ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
200.30.252.66 (CL)
SANTIAGO REGION METROPOLITANA CHILE |
VTR.NET / DSL VTR BANDA ANCHA S.A |
Moderate Details (1.3) 1 BotHunter Users 2 Infection Report 2010-02-10 to 2010-02-10 |
° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller ° 3810006(2): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
64.15.77.71 (CA)
LAVAL QUEBEC CANADA |
MIRWEB.COM / DSL MIRWEB SOLUTIONS INC |
Very High Details (2.2) 1 BotHunter Users 1 Infection Report 2010-03-03 to 2010-03-03 |
° 2003330(8): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
89.149.254.17 (DE)
BERLIN BERLIN GERMANY |
INTERNETSERVICETEAM.COM / DSL NETDIREKT E.K |
High Details (1.7) 12 BotHunter Users 594 Infection Report 2009-12-29 to 2010-02-12 |
° 2000328(243): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 7777005(75): Outbound Scan - Detected intense non-malware port scanning ° 2003330(65): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 9910014(42): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 2008271(33): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (1) ° 3(28): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2008124(23): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..) ° 2008189(17): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin ° 2008272(15): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (2) |
|
212.77.142.96 (RU)
- - RUSSIAN FEDERATION |
RIKT.RU / DSL JSC RITC |
High Details (1.6) 1 BotHunter Users 1 Infection Report 2010-02-03 to 2010-02-03 |
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request) ° 9906008(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (9) ° 9906021(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (22) |
|
61.4.190.206 (CN)
BEIJING BEIJING CHINA |
- / DSL BEIJING FEIHUALINGHANG TECHNOLOGY DEVELOPMENT CO. LTD |
Very High Details (2.0) 4 BotHunter Users 4 Infection Report 2010-01-05 to 2010-02-05 |
° 25(3): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 1(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2001569(1): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
212.117.162.194 (LU)
- - LUXEMBOURG |
IP-212-117-176-10.SERVER.LU / COMP ROOT ESOLUTIONS |
High Details (1.4) 1 BotHunter Users 1 Infection Report 2010-02-16 to 2010-02-16 |
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
80.93.62.125 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
PETERHOST.RU / DSL PETERHOST.RU VIRTUAL HOSTING |
Very High Details (2.2) 1 BotHunter Users 1 Infection Report 2009-12-27 to 2009-12-27 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
222.173.188.14 (CN)
JINAN SHANDONG CHINA |
163DATA.COM.CN / DSL CHINANET SHANDONG PROVINCE NETWORK |
High Details (1.8) 20 BotHunter Users 48 Infection Report 2009-12-09 to 2010-03-01 |
° 2003179(3): Egg Download - ET POLICY exe download without User Agent ° 2003438(2): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting ° 2003620(2): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 2003219(1): CandC Communication - ET MALWARE Alexa Spyware Reporting ° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting |
|
69.72.255.8 (US)
CLIFTON NEW JERSEY UNITED STATES |
FREECHIP4YOU.COM / DSL FORTRESSITX |
Very High Details (2.0) 19 BotHunter Users 99 Infection Report 2009-12-24 to 2010-03-05 |
° 2003330(17): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 2000328(15): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 25(4): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 9910014(4): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 2001569(2): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
64.124.109.200 (US)
GAITHERSBURG MARYLAND UNITED STATES |
AWS.COM / COMP AWS |
High Details (1.5) 115 BotHunter Users 697 Infection Report 2009-12-09 to 2010-03-08 |
° 7777005(256): Outbound Scan - Detected intense non-malware port scanning ° 2003422(173): CandC Communication - ET MALWARE Weatherbug Command Activity ° 3300007(4): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host ° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003179(3): Egg Download - ET POLICY exe download without User Agent ° 2006434(2): Egg Download - ET POLICY Possible Ecard Trojan download ° 2008564(2): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request) ° 3810004(2): Bot Space Access - BotHunter REPO confirmed botnet control server ° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 |
|
91.194.10.60 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
BSYS-NET.RU / DSL BANKING SYSTEMS LTD |
High Details (1.4) 1 BotHunter Users 1 Infection Report 2010-01-20 to 2010-01-20 |
° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting ° 2003219(1): CandC Communication - ET MALWARE Alexa Spyware Reporting ° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
188.72.200.26 (UK)
- - UNITED KINGDOM |
CAMPUSEAI.ORG / DSL EUROPEAN REGIONAL REGISTRY |
High Details (1.6) 1 BotHunter Users 1 Infection Report 2009-12-23 to 2009-12-23 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(4): Malware Scan - Detected intense malware port scanning ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
67.43.236.29 (CA)
LAVAL QUEBEC CANADA |
INTER-SYSTEME.CA / COMP NETELLIGENT HOSTING SERVICES INC |
High Details (1.6) 1 BotHunter Users 1 Infection Report 2009-12-30 to 2009-12-30 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
92.62.98.10 (EE)
TALLINN HARJUMAA ESTONIA |
- / DSL COLLOCATION |
Maximum Details (3.0) 1 BotHunter Users 1 Infection Report 2010-02-04 to 2010-02-04 |
° 2000328(5): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 2008501(1): CandC Communication - ET TROJAN Peed Report to Controller ° 2009353(1): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1) ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
74.200.220.213 (US)
CHICAGO ILLINOIS UNITED STATES |
FASTSERVERS.NET / DSL FASTSERVERS INC |
Very High Details (2.0) 75 BotHunter Users 166 Infection Report 2009-12-24 to 2010-03-07 |
° 2003330(16): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3810008(10): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 2008660(9): CandC Communication - ET TROJAN Torpig Infection Reporting ° 7777005(9): Outbound Scan - Detected intense non-malware port scanning ° 3(5): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 9910014(5): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 2009024(3): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting ° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 2002167(1): Egg Download - ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related |
|
208.88.180.81 (US)
SUNNYVALE CALIFORNIA UNITED STATES |
- / DSL FRIENDFINDER NETWORKS INC |
High Details (1.5) 2 BotHunter Users 10 Infection Report 2010-02-23 to 2010-03-08 |
° 2632222(5): not found ° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2001219(1): Outbound Attack - ET SCAN Potential SSH Scan (20 in 60 secs) ° 2002839(1): Egg Download - ET MALWARE My Search Spyware Config Download ° 2003179(1): Egg Download - ET POLICY exe download without User Agent ° 2003380(1): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc) ° 2007951(1): CandC Communication - ET MALWARE Hex Encoded IP HTTP Request - Likely Malware ° 2009897(1): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send html content ° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host |
|
76.167.73.224 (US)
ANAHEIM CALIFORNIA UNITED STATES |
RR.COM / DSL ROAD RUNNER HOLDCO LLC |
Maximum Details (2.3) 1 BotHunter Users 1 Infection Report 2009-12-10 to 2009-12-10 |
° 3300007(3): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host ° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 2003219(1): CandC Communication - ET MALWARE Alexa Spyware Reporting ° 3810009(1): Bot Space Access - ET COMPROMISED Known Compromised or Hostile Host Traffic |
|
65.199.63.0 (US)
ROCKVILLE MARYLAND UNITED STATES |
- / DSL SMNA RIJ INTERNET 3M/SMNA |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2009-12-15 to 2009-12-15 |
° 2002196(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
207.138.126.184 (US)
ELROY WISCONSIN UNITED STATES |
GBLX.NET / DSL GLOBAL CROSSING |
High Details (1.6) 2 BotHunter Users 3 Infection Report 2010-01-07 to 2010-01-26 |
° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning |
|
58.215.76.0 (CN)
BEIJING BEIJING CHINA |
163DATA.COM.CN / DSL CHINANET JIANGSU PROVINCE NETWORK |
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2009-12-20 to 2009-12-20 |
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
222.191.251.131 (CN)
WUXI JIANGSU CHINA |
163DATA.COM.CN / DSL CHINANET JIANGSU PROVINCE NETWORK |
High Details (1.8) 52 BotHunter Users 210 Infection Report 2009-12-10 to 2010-03-05 |
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning ° 2003620(3): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity ° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host |
|
208.80.184.202 (US)
SAN FRANCISCO CALIFORNIA UNITED STATES |
KINK.COM / DSL CYBERNET ENTERTAINMENT LLC |
High Details (1.7) 1 BotHunter Users 1 Infection Report 2010-02-05 to 2010-02-05 |
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
193.231.255.77 (RO)
CLUJ-NAPOCA CLUJ ROMANIA |
OMNILOGIC.RO / DSL CODEC ELECTRONIC PRODUCTS |
Very High Details (2.1) 1 BotHunter Users 2 Infection Report 2009-12-24 to 2009-12-24 |
° 2001569(8): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(6): Malware Scan - Detected intense malware port scanning ° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
209.190.24.10 (US)
COLUMBUS OHIO UNITED STATES |
XLHOST.COM / COMP COLUMBUS NETWORK ACCESS POINT INC |
High Details (1.7) 3 BotHunter Users 4 Infection Report 2010-01-11 to 2010-02-08 |
° 25(4): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 1(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
218.61.22.10 (CN)
SHENYANG LIAONING CHINA |
DCB.LN.CN / DSL CHINA UNICOM LIAONING PROVINCE NETWORK |
High Details (1.5) 26 BotHunter Users 1721 Infection Report 2010-01-29 to 2010-02-27 |
° 2003330(29): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(15): Outbound Scan - Detected intense non-malware port scanning ° 3810005(9): Bot Space Access - ET ShadowServer confirmed botnet control server ° 2000328(6): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2008124(5): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..) ° 9910014(5): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 2002031(3): Egg Download - ET TROJAN BOT - potential update/download ° 2003380(3): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc) ° 2009897(2): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send html content ° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download |
|
193.124.133.217 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
STEL.RU / DSL EUNET/RELCOM |
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2010-02-03 to 2010-02-03 |
° 2000328(1): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
89.149.244.22 (DE)
- - GERMANY |
INTERNETSERVICETEAM.COM / DSL NETDIREKT E.K |
Very High Details (2.2) 2 BotHunter Users 64 Infection Report 2010-02-06 to 2010-02-08 |
° 2003330(576): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 2000328(503): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2001569(220): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 9910014(181): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 7777005(119): Outbound Scan - Detected intense non-malware port scanning ° 3810007(59): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777008(55): Malware Scan - Detected intense malware port scanning ° 2008124(50): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..) ° 3(31): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810005(23): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
117.69.143.225 (CN)
HEFEI ANHUI CHINA |
CNDATA.COM / DSL CHINANET ANHUI PROVINCE NETWORK |
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2010-02-14 to 2010-02-14 |
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2002974(1): CandC Communication - ET TROJAN Backdoor.Hupigon Possible Control Connection Being Established ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
66.40.25.237 (US)
ATLANTA GEORGIA UNITED STATES |
MAXIM.NET / DSL PEER 1 DEDICATED HOSTING |
High Details (1.6) 1 BotHunter Users 1 Infection Report 2010-02-05 to 2010-02-05 |
° 2003330(4): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
217.16.24.124 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
- / DSL ALT LINUX |
High Details (1.7) 1 BotHunter Users 1 Infection Report 2009-12-11 to 2009-12-11 |
° 7777008(3): Malware Scan - Detected intense malware port scanning ° 2001569(2): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
81.94.29.84 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
MNS.RU / DSL CREDOLINK ISP VPN POOL |
High Details (1.7) 1 BotHunter Users 1 Infection Report 2009-12-20 to 2009-12-20 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
98.151.235.60 (US)
CANYON COUNTRY CALIFORNIA UNITED STATES |
RR.COM / COMP ROAD RUNNER HOLDCO LLC |
Maximum Details (2.3) 1 BotHunter Users 19 Infection Report 2010-01-28 to 2010-01-28 |
° 7777005(44): Outbound Scan - Detected intense non-malware port scanning ° 3(21): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2001569(20): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 3810009(19): Bot Space Access - ET COMPROMISED Known Compromised or Hostile Host Traffic ° 3810005(6): Bot Space Access - ET ShadowServer confirmed botnet control server ° 25(5): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 2008124(2): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..) ° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download |
|
174.103.212.33 (US)
LINCOLN NEBRASKA UNITED STATES |
RR.COM / DSL ROAD RUNNER HOLDCO LLC |
Moderate Details (1.2) 2 BotHunter Users 7 Infection Report 2010-02-21 to 2010-02-27 |
° 7777055(8): Outbound Scan - Detected intense non-malware port scanning (P2P) ° 2000419(3): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 2632222(3): not found ° 3300007(3): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host |
|
212.67.202.83 (UK)
LONDON ENGLAND UNITED KINGDOM |
WEBFUSION.CO.UK / DSL PIPEX-HOSTED-SERVERS |
Very High Details (2.0) 25 BotHunter Users 34 Infection Report 2009-12-18 to 2010-03-05 |
° 2000328(14): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
81.94.29.53 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
MNS.RU / DSL CREDOLINK ISP VPN POOL |
High Details (1.7) 1 BotHunter Users 1 Infection Report 2010-01-08 to 2010-01-08 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(2): Malware Scan - Detected intense malware port scanning ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
195.54.111.74 (SE)
STOCKHOLM STOCKHOLMS LAN SWEDEN |
BREDBAND.COM / DSL RESIDENTAL NETWORK IN GÖTEBORG |
High Details (1.4) 40 BotHunter Users 212 Infection Report 2009-12-09 to 2010-03-08 |
° 1(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 2009880(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3 ° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 2010007(1): Egg Download - ET TROJAN Potential Gemini Malware Download ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server |
|
200.29.0.66 (CL)
SANTIAGO REGION METROPOLITANA CHILE |
HUB.IRC.CL / DSL NETUP S.A |
High Details (1.6) 1 BotHunter Users 1 Infection Report 2009-12-30 to 2009-12-30 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
80.97.208.9 (RO)
BUCHAREST BUCURESTI ROMANIA |
ARTELECOM.NET / DSL SC ARTELECOM SA |
Maximum Details (2.3) 7 BotHunter Users 31 Infection Report 2009-12-29 to 2010-01-05 |
° 2001569(12): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 2002196(8): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 7777008(8): Malware Scan - Detected intense malware port scanning ° 3(5): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2009880(4): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3 ° 7777005(4): Outbound Scan - Detected intense non-malware port scanning ° 2003088(2): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp) ° 2003636(2): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU) ° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
124.234.72.216 (CN)
JILIN JILIN CHINA |
163DATA.COM.CN / DSL CHINANET JILIN PROVINCE NETWORK |
Moderate Details (1.2) 1 BotHunter Users 3 Infection Report 2010-02-06 to 2010-02-06 |
° 7777005(9): Outbound Scan - Detected intense non-malware port scanning ° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2008110(3): CandC Communication - ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound |
|
89.253.174.188 (BG) - SOFIA, GRAD SOFIYA, BULGARIA
Provider: SOFIA.CABLETEL.BG / DSL CMTS CUSTOMERS IN SOFIA-EAST
Forensics: High Details (1.7); BotHunter users: 4; infection reports: 6; 2010-03-02 to 2010-03-08
Evidence summary (performed by the botclient victim):
° 3810044(3): Bot Space Access - BotHunter REPO confirmed botnet control server
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 3810002(2): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

79.118.198.11 (RO) - ROMANIA
Provider: RDSNET.RO / DSL RCS-RDS-FIBERLINK
Forensics: Maximum Details (2.7); BotHunter users: 1; infection reports: 3; 2010-01-03 to 2010-01-03
Evidence summary (performed by the botclient victim):
° 2000328(14): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3(7): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810044(3): Bot Space Access - BotHunter REPO confirmed botnet control server
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2008189(2): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

66.147.237.116 (US) - CLIFTON PARK, NEW YORK, UNITED STATES
Provider: HRWEBSERVICES.NET / DSL HOSTROCKET WEB SERVICES
Forensics: Very High Details (2.2); BotHunter users: 10; infection reports: 14; 2010-01-04 to 2010-03-05
Evidence summary (performed by the botclient victim):
° 2000328(9): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 7777005(9): Outbound Scan - Detected intense non-malware port scanning
° 3(8): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003330(5): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810009(2): Bot Space Access - ET COMPROMISED Known Compromised or Hostile Host Traffic
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count

72.64.146.15 (US) - CLEARWATER, FLORIDA, UNITED STATES
Provider: VERIZON.NET / COMP WAROTA NETWORKS INC
Forensics: High Details (1.5); BotHunter users: 1; infection reports: 1; 2009-12-27 to 2009-12-27
Evidence summary (performed by the botclient victim):
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server

208.50.77.161 (US) - NEW YORK, NEW YORK, UNITED STATES
Provider: GBLX.NET / DSL GLOBAL CROSSING
Forensics: Moderate Details (1.2); BotHunter users: 1; infection reports: 39; 2010-02-16 to 2010-02-16
Evidence summary (performed by the botclient victim):
° 2632222(39): not found
° 7777005(39): Outbound Scan - Detected intense non-malware port scanning
° 2003088(7): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp)
° 2003636(6): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU)
° 7777055(4): Outbound Scan - Detected intense non-malware port scanning (P2P)

64.86.17.17 (CA) - BRAMPTON, ONTARIO, CANADA
Provider: DICRENS.COM / DSL VELCOM
Forensics: Very High Details (2.2); BotHunter users: 2; infection reports: 2; 2009-12-25 to 2010-01-04
Evidence summary (performed by the botclient victim):
° 2003330(8): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

62.90.118.203 (IL) - TEL AVIV, TEL AVIV, ISRAEL
Provider: FUJIPRINTNET.CO.IL / DSL BARAK I.T.C
Forensics: High Details (1.5); BotHunter users: 1; infection reports: 1; 2010-01-22 to 2010-01-22
Evidence summary (performed by the botclient victim):
° 2007860(82): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(82): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner

222.208.183.183 (CN) - CHENGDU, SICHUAN, CHINA
Provider: 163DATA.COM.CN / DSL CHINANET SICHUAN PROVINCE NETWORK
Forensics: Moderate Details (1.2); BotHunter users: 1; infection reports: 1; 2010-02-10 to 2010-02-10
Evidence summary (performed by the botclient victim):
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning

63.251.92.193 (US) - SAN JOSE, CALIFORNIA, UNITED STATES
Provider: - / COMP ACTIVEVIDEO NETWORK
Forensics: High Details (1.8); BotHunter users: 3; infection reports: 251; 2010-01-26 to 2010-01-28
Evidence summary (performed by the botclient victim):
° 7777005(193): Outbound Scan - Detected intense non-malware port scanning
° 3(147): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906011(105): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (12)
° 9906015(27): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (16)
° 9906018(27): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (19)
° 25(7): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2000328(6): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 1(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906026(2): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (27)

194.154.75.191 (RU) - MURMANSK, MURMANSK, RUSSIAN FEDERATION
Provider: HW.RU / DSL SOVINTEL-MSK-MEDIA-MIR-RU-NET
Forensics: Moderate Details (1.2); BotHunter users: 17; infection reports: 19; 2009-12-26 to 2010-03-02
Evidence summary (performed by the botclient victim):
° 2003330(15): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777005(8): Outbound Scan - Detected intense non-malware port scanning
° 9910014(6): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2000328(4): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810008(3): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008271(1): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (1)

221.181.73.216 (CN) - BEIJING, BEIJING, CHINA
Provider: MINTEL.COM / DSL CHINA MOBILE COMMUNICATIONS CORPORATION
Forensics: Moderate Details (1.3); BotHunter users: 16; infection reports: 53; 2010-01-25 to 2010-03-05
Evidence summary (performed by the botclient victim):
° 3(17): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(16): Outbound Scan - Detected intense non-malware port scanning
° 2003620(12): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected

98.124.198.1 (US) - BELLEVUE, WASHINGTON, UNITED STATES
Provider: - / DSL ENOM INCORPORATED
Forensics: Very High Details (2.0); BotHunter users: 285; infection reports: 2055; 2009-12-09 to 2010-03-08
Evidence summary (performed by the botclient victim):
° 7777005(16): Outbound Scan - Detected intense non-malware port scanning
° 3810007(11): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3(8): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2000328(8): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2003088(1): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp)
° 2003636(1): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU)
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server

87.117.35.77 (RU) - MOSCOW, MOSCOW CITY, RUSSIAN FEDERATION
Provider: DONPAC.RU / DSL NETWORK OF DIVISION OF JSC UTK ROSTOVELECTROSVIAZ
Forensics: High Details (1.8); BotHunter users: 1; infection reports: 1; 2009-12-23 to 2009-12-23
Evidence summary (performed by the botclient victim):
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning

212.71.19.100 (BE) - HASSELT, LIMBURG, BELGIUM
Provider: EDPNET.NET / DSL EXTRA IP RANGES AND COLO CUSTS
Forensics: Moderate Details (1.3); BotHunter users: 1; infection reports: 1; 2009-12-27 to 2009-12-27
Evidence summary (performed by the botclient victim):
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server

85.17.148.13 (NL) - AMSTERDAM, NOORD-HOLLAND, NETHERLANDS
Provider: LEASEWEB.COM / COMP LEASEWEB
Forensics: High Details (1.5); BotHunter users: 2; infection reports: 2; 2009-12-27 to 2009-12-28
Evidence summary (performed by the botclient victim):
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server

209.217.76.43 (CA) - ONTARIO, CANADA
Provider: ON.CA / COMP RIDEAU VALLEY CONSERVATION AUTHORITY
Forensics: High Details (1.5); BotHunter users: 1; infection reports: 1; 2010-01-22 to 2010-01-22
Evidence summary (performed by the botclient victim):
° 2007860(82): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(82): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner

66.232.118.147 (US) - TAMPA, FLORIDA, UNITED STATES
Provider: MERCURYFIND.COM / DSL NOC4HOSTS INC
Forensics: Very High Details (2.0); BotHunter users: 2; infection reports: 2; 2009-12-29 to 2010-03-04
Evidence summary (performed by the botclient victim):
° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count

80.79.119.138 (EE) - TALLINN, HARJUMAA, ESTONIA
Provider: TANTUM.EE / COMP TANTUM WEBHOSTING
Forensics: High Details (1.7); BotHunter users: 3; infection reports: 3; 2009-12-24 to 2010-03-05
Evidence summary (performed by the botclient victim):
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777008(1): Malware Scan - Detected intense malware port scanning

79.170.40.38 (UK) - UNITED KINGDOM
Provider: EXTENDCP.CO.UK / DSL HEART INTERNET NETWORK
Forensics: Very High Details (2.0); BotHunter users: 3; infection reports: 4; 2010-02-02 to 2010-02-17
Evidence summary (performed by the botclient victim):
° 2001569(7): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning

64.27.5.63 (US) - ARCADIA, CALIFORNIA, UNITED STATES
Provider: RAZHUNT.COM / DSL AIRLINERESERVATIONS.COM INC
Forensics: High Details (1.9); BotHunter users: 4; infection reports: 7; 2010-01-19 to 2010-01-26
Evidence summary (performed by the botclient victim):
° 2003219(3): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning

77.221.149.227 (RU) - RUSSIAN FEDERATION
Provider: DATAPOINT.RU / DSL COLOCATION AND VIRTUAL HOSTING
Forensics: High Details (1.4); BotHunter users: 6; infection reports: 17; 2009-12-15 to 2010-02-19
Evidence summary (performed by the botclient victim):
° 2000328(23): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2001569(17): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 9910014(7): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2007743(6): CandC Communication - ET TROJAN Dialer.qn HTTP Request - Checkin
° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 2003330(5): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner

60.63.51.157 (CN) - SHANGHAI, SHANGHAI, CHINA
Provider: CABLEPLUS.COM.CN / DSL ORIENTAL CABLE NETWORK CO. LTD
Forensics: Moderate Details (1.2); BotHunter users: 1; infection reports: 1; 2010-02-18 to 2010-02-18
Evidence summary (performed by the botclient victim):
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2007963(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Status OK
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning

113.105.152.40 (CN) - GUANGZHOU, GUANGDONG, CHINA
Provider: 163DATA.COM.CN / DSL CHINANET GUANGDONG PROVINCE NETWORK
Forensics: High Details (1.7); BotHunter users: 2; infection reports: 2; 2009-12-23 to 2010-01-05
Evidence summary (performed by the botclient victim):
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

113.114.137.214 (CN) - GUANGZHOU, GUANGDONG, CHINA
Provider: 163DATA.COM.CN / DSL CHINANET GUANGDONG PROVINCE NETWORK
Forensics: Moderate Details (1.2); BotHunter users: 1; infection reports: 2; 2010-01-31 to 2010-01-31
Evidence summary (performed by the botclient victim):
° 3(8): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2007963(2): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Status OK
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning

194.85.61.78 (RU) - MOSCOW, MOSCOW CITY, RUSSIAN FEDERATION
Provider: - / DSL RU NCC NETWORK
Forensics: Very High Details (2.2); BotHunter users: 34; infection reports: 88; 2010-01-13 to 2010-03-05
Evidence summary (performed by the botclient victim):
° 7777005(17): Outbound Scan - Detected intense non-malware port scanning
° 3(14): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003330(7): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 3810007(7): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 9910014(6): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2001569(5): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810005(3): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2000328(2): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2008189(2): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin

219.109.143.45 (JP) - TOKYO, TOKYO, JAPAN
Provider: DOWNLOAD.CZIP.JP / DSL SPEEDIA CO. LTD
Forensics: High Details (1.5); BotHunter users: 4; infection reports: 21; 2010-02-24 to 2010-02-24
Evidence summary (performed by the botclient victim):
° 2009024(32): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 3(26): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810007(6): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2003179(1): Egg Download - ET POLICY exe download without User Agent

66.40.65.7 (US) - ATLANTA, GEORGIA, UNITED STATES
Provider: MAXIM.NET / DSL PEER 1 DEDICATED HOSTING
Forensics: Maximum Details (2.7); BotHunter users: 14; infection reports: 16; 2009-12-30 to 2010-02-25
Evidence summary (performed by the botclient victim):
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2000328(1): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

66.161.82.16 (US) - SAN CLEMENTE, CALIFORNIA, UNITED STATES
Provider: - / COMP MEDICINENET
Forensics: High Details (1.5); BotHunter users: 1; infection reports: 1; 2010-01-22 to 2010-01-22
Evidence summary (performed by the botclient victim):
° 2007860(82): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(82): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner

218.85.139.33 (CN) - SHANGHAI, SHANGHAI, CHINA
Provider: 163DATA.COM.CN / DSL CHINANET FUJIAN PROVINCE NETWORK
Forensics: Very High Details (2.0); BotHunter users: 26; infection reports: 35; 2009-12-26 to 2010-03-08
Evidence summary (performed by the botclient victim):
° 2000328(9): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(7): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 2009024(4): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 3810008(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2002839(1): Egg Download - ET MALWARE My Search Spyware Config Download

118.145.5.14 (CN) - BEIJING, BEIJING, CHINA
Provider: - / DSL BEIJING BITONE UNITED NETWORKS
Forensics: Moderate Details (1.2); BotHunter users: 1; infection reports: 1; 2010-02-27 to 2010-02-27
Evidence summary (performed by the botclient victim):
° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning

91.187.45.168 (CZ) - PRAGUE, HLAVNI MESTO PRAHA, CZECH REPUBLIC
Provider: HITECH.CZ / DSL HITECHMEDIA SYSTEMS S.R.O
Forensics: High Details (1.8); BotHunter users: 1; infection reports: 3; 2009-12-24 to 2009-12-24
Evidence summary (performed by the botclient victim):
° 3(6): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810009(3): Bot Space Access - ET COMPROMISED Known Compromised or Hostile Host Traffic
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download

66.90.110.138 (US) - WOODSTOCK, ILLINOIS, UNITED STATES
Provider: EDIGITALSTUDIOS.COM / DSL FDCSERVERS.NET
Forensics: High Details (1.5); BotHunter users: 1; infection reports: 15; 2010-01-15 to 2010-01-15
Evidence summary (performed by the botclient victim):
° 3810005(15): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2008123(2): CandC Communication - ET TROJAN Likely Bot Username in IRC (XP-..)
° 2008124(2): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)

58.25.143.21 (CN) - SHANGHAI, SHANGHAI, CHINA
Provider: CABLEPLUS.COM.CN / DSL ORIENTAL CABLE NETWORK CO. LTD
Forensics: Moderate Details (1.2); BotHunter users: 1; infection reports: 1; 2010-02-21 to 2010-02-21
Evidence summary (performed by the botclient victim):
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2007963(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Status OK

69.31.116.96 (US) - FARMINGDALE, NEW YORK, UNITED STATES
Provider: CONNETRIX.COM / DSL CONNETRIX
Forensics: High Details (1.4); BotHunter users: 1; infection reports: 1; 2010-01-26 to 2010-01-26
Evidence summary (performed by the botclient victim):
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2002196(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

67.222.5.128 (US) - MARYLAND, UNITED STATES
Provider: FORMBUDDYDNS.COM / DSL PRIVATESYSTEMS NETWORKS
Forensics: Very High Details (2.0); BotHunter users: 2; infection reports: 2; 2010-01-21 to 2010-02-23
Evidence summary (performed by the botclient victim):
° 2003179(1): Egg Download - ET POLICY exe download without User Agent
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning

82.98.86.180 (DE) - BERLIN, BERLIN, GERMANY
Provider: FHE3RZ.NET / DSL SEDO DOMAIN PARKING
Forensics: High Details (1.7); BotHunter users: 4; infection reports: 15; 2010-02-18 to 2010-02-18
Evidence summary (performed by the botclient victim):
° 7777005(24): Outbound Scan - Detected intense non-malware port scanning
° 3810007(15): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2002196(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server

208.97.234.67 (US) - WASHINGTON, DISTRICT OF COLUMBIA, UNITED STATES
Provider: - / COMP NATIONAL ASSOCIATION OF BROADCASTERS
Forensics: High Details (1.5); BotHunter users: 1; infection reports: 1; 2010-01-22 to 2010-01-22
Evidence summary (performed by the botclient victim):
° 2007860(17): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(17): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning

94.23.199.98 (FR) - FRANCE
Provider: OVH.NET / DSL OVH SAS
Forensics: High Details (1.6); BotHunter users: 2; infection reports: 3; 2009-12-23 to 2010-01-19
Evidence summary (performed by the botclient victim):
° 15165(7): CandC Communication - BACKDOOR Pushdo client communication attempt
° 2007771(7): Egg Download - ET TROJAN Pushdo Update URL Detected
° 2008501(2): CandC Communication - ET TROJAN Peed Report to Controller
° 2009353(2): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2009354(1): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (2)
° 7777008(1): Malware Scan - Detected intense malware port scanning

211.189.37.105 (KR) - SEOUL, SEOUL-T'UKPYOLSI, KOREA, REPUBLIC OF
Provider: - / DSL KYOBO BOOK CENTRE CO. LTD
Forensics: High Details (1.5); BotHunter users: 1; infection reports: 1; 2010-02-25 to 2010-02-25
Evidence summary (performed by the botclient victim):
° 2007860(2): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(2): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning

64.70.19.33 (US) - CARLSBAD, CALIFORNIA, UNITED STATES
Provider: WEBSITE.WS / DSL WORLDSITE.WS
Forensics: Very High Details (2.0); BotHunter users: 68; infection reports: 437; 2009-12-22 to 2010-03-08
Evidence summary (performed by the botclient victim):
° 3(35): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(28): Outbound Scan - Detected intense non-malware port scanning
° 2003330(17): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(16): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 3810007(13): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810005(7): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2009024(4): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 3810002(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server

69.89.31.120 (US) - PROVO, UTAH, UNITED STATES
Provider: BLUEHOST.COM / DSL BLUEHOST INC
Forensics: Very High Details (2.0); BotHunter users: 14; infection reports: 14; 2010-01-10 to 2010-03-05
Evidence summary (performed by the botclient victim):
° 2003330(16): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(4): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

149.9.1.16 (US) - WASHINGTON, DISTRICT OF COLUMBIA, UNITED STATES
Provider: COGENTCO.COM / DSL PSINET INC
Forensics: Moderate Details (1.3); BotHunter users: 29; infection reports: 339; 2009-12-26 to 2010-03-05
Evidence summary (performed by the botclient victim):
° 1(35): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 25(31): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 7777008(20): Malware Scan - Detected intense malware port scanning
° 2001569(17): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810005(16): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(7): Outbound Scan - Detected intense non-malware port scanning
° 3(6): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810007(6): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810001(2): Bot Space Access - BotHunter MTC confirmed botnet control server
° 2008124(1): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)

69.25.11.77 (CA) - BARRIE, ONTARIO, CANADA
Provider: XAXIUSHOSTING.COM / DSL XAXIUS
Forensics: High Details (1.5); BotHunter users: 1; infection reports: 1; 2010-01-22 to 2010-01-22
Evidence summary (performed by the botclient victim):
° 2007860(17): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(17): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning

75.126.137.166 (US) - DALLAS, TEXAS, UNITED STATES
Provider: HOSTS-USA.COM / COMP SOFTLAYER TECHNOLOGIES INC
Forensics: Very High Details (2.0); BotHunter users: 1; infection reports: 1; 2010-02-09 to 2010-02-09
Evidence summary (performed by the botclient victim):
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count

217.170.67.5 (RU) - MOSCOW, MOSCOW CITY, RUSSIAN FEDERATION
Provider: ELTEL.NET / DSL JSC ELTEL NETWORK
Forensics: High Details (1.8); BotHunter users: 1; infection reports: 5; 2010-01-22 to 2010-01-22
Evidence summary (performed by the botclient victim):
° 2000328(16): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 7777005(9): Outbound Scan - Detected intense non-malware port scanning
° 9906026(6): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (27)
° 9906010(5): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (11)
° 9906001(4): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (2)
° 9906015(4): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (16)
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906021(2): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (22)
° 9906004(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (5)

164.6.207.91 (UK) - UNITED KINGDOM
Provider: - / DSL EAGLE STAR INSURANCE
Forensics: Moderate Details (1.3); BotHunter users: 1; infection reports: 2; 2010-02-01 to 2010-02-01
Evidence summary (performed by the botclient victim):
° 2001569(6): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server

62.80.127.193 (DE) - LANDAU, RHEINLAND-PFALZ, GERMANY
Provider: MEGASPACE.DE / DSL MEGASPACE
Forensics: Very High Details (2.0); BotHunter users: 36; infection reports: 68; 2009-12-16 to 2010-03-08
Evidence summary (performed by the botclient victim):
° 3(51): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(16): Outbound Scan - Detected intense non-malware port scanning
° 3810007(14): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2000328(11): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(8): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(8): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 3810003(4): Bot Space Access - BotHunter REPO confirmed botnet control server
° 7777008(4): Malware Scan - Detected intense malware port scanning
° 3810001(3): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server

208.43.222.137 (US) - DALLAS, TEXAS, UNITED STATES
Provider: SOFTLAYER.COM / DSL SOFTLAYER TECHNOLOGIES INC
Forensics: Very High Details (2.2); BotHunter users: 1; infection reports: 17; 2009-12-12 to 2009-12-12
Evidence summary (performed by the botclient victim):
° 2009024(53): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 7777005(24): Outbound Scan - Detected intense non-malware port scanning
° 3810001(11): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(11): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(10): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3(8): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2002196(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2

116.20.11.213 (CN) - FOSHAN, GUANGDONG, CHINA
Provider: 163DATA.COM.CN / DSL CHINANET GUANGDONG PROVINCE NETWORK
Forensics: Moderate Details (1.2); BotHunter users: 1; infection reports: 2; 2010-02-13 to 2010-02-13
Evidence summary (performed by the botclient victim):
° 2002974(2): CandC Communication - ET TROJAN Backdoor.Hupigon Possible Control Connection Being Established
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner

221.181.73.220 (CN) - BEIJING, BEIJING, CHINA
Provider: MINTEL.COM / DSL CHINA MOBILE COMMUNICATIONS CORPORATION
Forensics: Moderate Details (1.3); BotHunter users: 29; infection reports: 147; 2010-01-27 to 2010-03-08
Evidence summary (performed by the botclient victim):
° 7777005(9): Outbound Scan - Detected intense non-malware port scanning
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003620(3): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3800002(1): Bot Space Access - BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host

69.162.90.138 (US) - DALLAS, TEXAS, UNITED STATES
Provider: LSTN.NET / DSL LIMESTONE NETWORKS INC
Forensics: Moderate Details (1.2); BotHunter users: 1; infection reports: 1; 2009-12-23 to 2009-12-23
Evidence summary (performed by the botclient victim):
° 15165(3): CandC Communication - BACKDOOR Pushdo client communication attempt
° 2007771(3): Egg Download - ET TROJAN Pushdo Update URL Detected

209.66.100.34 (US) - ALBUQUERQUE, NEW MEXICO, UNITED STATES
Provider: SANTACRUZTECH.COM / DSL GOT-NET (GOT-DOM)
Forensics: High Details (1.7); BotHunter users: 87; infection reports: 227; 2009-12-09 to 2010-03-06
Evidence summary (performed by the botclient victim):
° 3810005(23): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3(11): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 3810007(3): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 1(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003219(2): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2009024(2): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 2003179(1): Egg Download - ET POLICY exe download without User Agent
° 2008189(1): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin

77.244.211.60 (RU)
Location: - - RUSSIAN FEDERATION
Provider: RSSPNET.RU / DSL RTS NETWORK SOUTH-WEST 3RD BLOCK
Forensics: Moderate (1.3), 2 BotHunter Users, 2 Infection Reports, 2010-02-03 to 2010-02-04
Evidence Summary:
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 9906021(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (22)
° 9906025(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (26)
|
66.45.234.200 (US)
Location: SECAUCUS NEW JERSEY UNITED STATES
Provider: NACHI.ORG / DSL INTERSERVER INC
Forensics: High (1.6), 1 BotHunter User, 23 Infection Reports, 2010-02-28 to 2010-02-28
Evidence Summary:
° 7777005(24): Outbound Scan - Detected intense non-malware port scanning
° 3810005(23): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2007625(1): CandC Communication - ET TROJAN Pitbull IRCbotnet Commands
|
221.130.183.0 (CN)
Location: SHANGHAI SHANGHAI CHINA
Provider: - / DSL CHINA MOBILE COMMUNICATIONS CORPORATION - SHANGHAI
Forensics: Moderate (1.2), 5 BotHunter Users, 210 Infection Reports, 2009-12-10 to 2009-12-14
Evidence Summary:
° 7777005(25): Outbound Scan - Detected intense non-malware port scanning
° 2003620(21): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
|
218.74.202.79 (CN)
Location: NINGBO ZHEJIANG CHINA
Provider: 163DATA.COM.CN / DSL CHINANET-ZJ NINGBO NODE NETWORK
Forensics: Moderate (1.3), 2 BotHunter Users, 2 Infection Reports, 2009-12-30 to 2010-01-28
Evidence Summary:
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
|
116.21.105.229 (CN)
Location: GUANGZHOU GUANGDONG CHINA
Provider: 163DATA.COM.CN / DSL CHINANET GUANGDONG PROVINCE NETWORK
Forensics: Moderate (1.2), 1 BotHunter User, 1 Infection Report, 2010-01-08 to 2010-01-08
Evidence Summary:
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2002974(1): CandC Communication - ET TROJAN Backdoor.Hupigon Possible Control Connection Being Established
|
78.46.33.111 (DE)
Location: MUNICH BAYERN GERMANY
Provider: YOUR-SERVER.DE / DSL HETZNER-RZ-NBG-NET
Forensics: Very High (2.2), 1 BotHunter User, 1 Infection Report, 2009-12-28 to 2009-12-28
Evidence Summary:
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777008(1): Malware Scan - Detected intense malware port scanning
|
72.20.46.115 (US)
Location: FULLERTON CALIFORNIA UNITED STATES
Provider: STAMINUS.NET / DSL STAMINUS COMMUNICATIONS
Forensics: High (1.6), 1 BotHunter User, 1 Infection Report, 2009-12-29 to 2009-12-29
Evidence Summary:
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
|
78.109.20.106 (UA)
Location: - - UKRAINE
Provider: - / COMP HOSTER - ALEKSANDR PAVLOV
Forensics: Very High (2.0), 1 BotHunter User, 1 Infection Report, 2010-01-03 to 2010-01-03
Evidence Summary:
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
|
64.4.50.62 (US)
Location: REDMOND WASHINGTON UNITED STATES
Provider: HMDEVLAB.COM / DSL MS HOTMAIL
Forensics: High (1.8), 1 BotHunter User, 143 Infection Reports, 2009-12-29 to 2009-12-29
Evidence Summary:
° 7777005(349): Outbound Scan - Detected intense non-malware port scanning
° 2003492(152): not found
° 3(107): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 25(73): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 1(10): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906025(6): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (26)
° 2008564(4): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
|
40.48.20.72 (US)
Location: INDIANAPOLIS INDIANA UNITED STATES
Provider: DRANOFF.COM / DSL ELI LILLY AND COMPANY
Forensics: Moderate (1.3), 1 BotHunter User, 2 Infection Reports, 2010-01-28 to 2010-01-28
Evidence Summary:
° 2001569(7): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server
|
124.217.198.74 (KR)
Location: SEOUL SEOUL-T'UKPYOLSI KOREA, REPUBLIC OF
Provider: HCLC.CO.KR / DSL HCLC
Forensics: Very High (2.2), 1 BotHunter User, 1 Infection Report, 2009-12-15 to 2009-12-15
Evidence Summary:
° 2009024(2): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
|
218.60.38.14 (CN)
Location: SHENYANG LIAONING CHINA
Provider: ONLINE.LN.CN / DSL CHINA UNICOM LIAONING PROVINCE NETWORK
Forensics: Moderate (1.2), 1 BotHunter User, 1 Infection Report, 2010-02-09 to 2010-02-09
Evidence Summary:
° 2008564(2): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
|
90.156.153.49 (RU)
Location: MOSCOW MOSCOW CITY RUSSIAN FEDERATION
Provider: MASTERHOST.RU / DSL MASTERHOST.RU IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION
Forensics: Very High (2.0), 1 BotHunter User, 1 Infection Report, 2010-02-20 to 2010-02-20
Evidence Summary:
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
|
78.47.222.220 (DE)
Location: BERLIN BERLIN GERMANY
Provider: YOUR-SERVER.DE / COMP YOYO SP. Z O.O
Forensics: Very High (2.0), 2 BotHunter Users, 2 Infection Reports, 2010-01-21 to 2010-02-04
Evidence Summary:
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
|
203.169.138.20 (HK)
Location: FANLING HONG KONG (SAR) HONG KONG
Provider: HKNET.COM / DSL HKNET COMPANY LIMITED
Forensics: Very High (2.0), 1 BotHunter User, 1 Infection Report, 2009-12-10 to 2009-12-10
Evidence Summary:
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
|
209.85.51.71 (US)
Location: BEAVERTON OREGON UNITED STATES
Provider: THEPLANET.COM / DSL OPTICAL JUNGLE
Forensics: Maximum (2.3), 1 BotHunter User, 2 Infection Reports, 2010-01-22 to 2010-01-22
Evidence Summary:
° 2000328(13): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 9906008(2): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (9)
° 9906021(2): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (22)
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2003492(1): not found
° 9906001(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (2)
° 9906018(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (19)
|
94.77.35.59 (RU)
Location: MOSCOW MOSCOW CITY RUSSIAN FEDERATION
Provider: SKYLINK.RU / DSL SKYLINK-KRASNODAR
Forensics: Moderate (1.3), 1 BotHunter User, 2 Infection Reports, 2010-01-27 to 2010-01-27
Evidence Summary:
° 2001569(6): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810003(2): Bot Space Access - BotHunter REPO confirmed botnet control server
|
206.161.121.10 (US)
Location: HERNDON VIRGINIA UNITED STATES
Provider: PCCWGLOBAL.NET / DSL BEYOND THE NETWORK AMERICA INC
Forensics: Maximum (3.0), 7 BotHunter Users, 7 Infection Reports, 2010-01-20 to 2010-03-05
Evidence Summary:
° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 3810007(4): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2000328(2): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2007669(1): CandC Communication - ET TROJAN Nulprot Checkin Response
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
|
63.217.31.48 (US)
Location: MC LEAN VIRGINIA UNITED STATES
Provider: PCCWGLOBAL.NET / DSL BEYOND THE NETWORK AMERICA INC
Forensics: Moderate (1.2), 8 BotHunter Users, 11 Infection Reports, 2010-01-20 to 2010-02-05
Evidence Summary:
° 2009024(5): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810007(4): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
|
82.146.55.39 (US)
Location: NEWTON NEW JERSEY UNITED STATES
Provider: ABRAMS.RU / DSL ISPSYSTEM AT NAC
Forensics: Very High (2.0), 5 BotHunter Users, 5 Infection Reports, 2010-01-05 to 2010-03-02
Evidence Summary:
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 3810008(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
|
160.26.211.95 (JP)
Location: TOYAMA TOYAMA JAPAN
Provider: - / DSL NATIONAL UNIVERSITY CORPORATION TOYAMA UNIVERSITY
Forensics: Moderate (1.3), 1 BotHunter User, 2 Infection Reports, 2010-02-23 to 2010-02-23
Evidence Summary:
° 2001569(9): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server
|
74.208.156.109 (US)
Location: WAYNE PENNSYLVANIA UNITED STATES
Provider: 1AND1.COM / DSL 1&1 INTERNET INC
Forensics: Maximum (2.7), 3 BotHunter Users, 12 Infection Reports, 2009-12-22 to 2009-12-24
Evidence Summary:
° 2003088(6): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp)
° 2003636(6): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU)
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 299998(1): Inbound Attack - SHELLCODE x86 inc ebx NOOP
° 2299913(1): Inbound Attack - ET SHELLCODE x86 0x90 unicode NOOP
° 3300006(1): Egg Download - BotHunter MALWARE executable upload
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 7777008(1): Malware Scan - Detected intense malware port scanning
|
64.202.189.170 (US)
Location: SCOTTSDALE ARIZONA UNITED STATES
Provider: SECURESERVER.NET / COMP GODADDY.COM INC
Forensics: High (1.5), 17 BotHunter Users, 144 Infection Reports, 2009-12-09 to 2010-03-05
Evidence Summary:
° 2003088(12): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp)
° 2003636(12): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU)
° 2001569(8): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 25(4): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2000328(3): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2008859(1): CandC Communication - ET TROJAN Downloader Win32.Small.agoy Checkin
|
93.188.161.105 (UA)
Location: - - UKRAINE
Provider: UKRTELEGROUP.COM.UA / DSL GEEK RACK NETWORKS
Forensics: High (1.8), 4 BotHunter Users, 4 Infection Reports, 2010-02-18 to 2010-03-05
Evidence Summary:
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906030(1): not found
|
194.67.46.5 (RU)
Location: ST. PETERSBURG SAINT PETERSBURG CITY RUSSIAN FEDERATION
Provider: - / DSL SOVINTEL ROUTED AND INTERFACE NETWORK
Forensics: High (1.7), 1 BotHunter User, 1 Infection Report, 2010-01-10 to 2010-01-10
Evidence Summary:
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
|
218.93.205.91 (CN)
Location: BEIJING BEIJING CHINA
Provider: 163DATA.COM.CN / DSL CHINANET JIANGSU PROVINCE NETWORK
Forensics: High (1.5), 1 BotHunter User, 1 Infection Report, 2009-12-28 to 2009-12-28
Evidence Summary:
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
|
85.232.36.125 (UK)
Location: - - UNITED KINGDOM
Provider: TITANINTERNET.CO.UK / DSL TITANINTERNET
Forensics: High (1.5), 1 BotHunter User, 1 Infection Report, 2010-01-22 to 2010-01-22
Evidence Summary:
° 2007860(82): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(82): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
|
221.238.252.185 (CN)
Location: TIANJIN TIANJIN CHINA
Provider: 163DATA.COM.CN / DSL CHINANET TIANJIN PROVINCE NETWORK
Forensics: High (1.6), 3 BotHunter Users, 3 Infection Reports, 2010-02-02 to 2010-02-02
Evidence Summary:
° 3810003(3): Bot Space Access - BotHunter REPO confirmed botnet control server
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3300003(1): Egg Download - BotHunter HTTP-based .exe Upload on backdoor port
|
74.54.132.2 (US)
Location: DALLAS TEXAS UNITED STATES
Provider: THEPLANET.COM / COMP THEPLANET.COM INTERNET SERVICES INC
Forensics: Very High (2.0), 16 BotHunter Users, 18 Infection Reports, 2009-12-24 to 2010-03-03
Evidence Summary:
° 2003330(12): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2000328(10): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
|
85.12.43.102 (NL)
Location: EINDHOVEN NOORD-BRABANT NETHERLANDS
Provider: XENTRONIX.NL / DSL XENTRONIX
Forensics: High (1.5), 3 BotHunter Users, 3 Infection Reports, 2009-12-09 to 2009-12-11
Evidence Summary:
° 2009173(3): CandC Communication - ET TROJAN Possible Vundo Trojan Variant reporting to Controller
° 2009897(2): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send html content
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
|
66.46.183.34 (CA)
Location: MONTREAL QUEBEC CANADA
Provider: GROUPESEMA.COM / DSL ALLSTREAM CORP
Forensics: Very High (2.0), 2 BotHunter Users, 2 Infection Reports, 2009-12-24 to 2010-02-11
Evidence Summary:
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
|
222.173.188.7 (CN)
Location: JINAN SHANDONG CHINA
Provider: 163DATA.COM.CN / DSL CHINANET SHANDONG PROVINCE NETWORK
Forensics: Moderate (1.2), 27 BotHunter Users, 82 Infection Reports, 2009-12-11 to 2010-03-03
Evidence Summary:
° 7777005(8): Outbound Scan - Detected intense non-malware port scanning
° 2003620(6): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 3300003(1): Egg Download - BotHunter HTTP-based .exe Upload on backdoor port
° 3800002(1): Bot Space Access - BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host
|
218.93.205.125 (CN)
Location: BEIJING BEIJING CHINA
Provider: 163DATA.COM.CN / DSL CHINANET JIANGSU PROVINCE NETWORK
Forensics: Moderate (1.3), 1 BotHunter User, 1 Infection Report, 2009-12-26 to 2009-12-26
Evidence Summary:
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
|
113.194.163.53 (CN)
Location: BEIJING BEIJING CHINA
Provider: - / DSL CHINA UNICOM JIANGXI PROVINCE NETWORK
Forensics: Moderate (1.2), 1 BotHunter User, 2 Infection Reports, 2010-01-24 to 2010-01-24
Evidence Summary:
° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2007588(2): CandC Communication - ET TROJAN Win32 Agent.ALT C&C Initial Infection Checkin
|
208.87.242.120 (IN)
Location: - - INDIA
Provider: - / COMP XISTO NETWORKS
Forensics: Very High (2.0), 23 BotHunter Users, 37 Infection Reports, 2010-01-08 to 2010-03-04
Evidence Summary:
° 1(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 25(4): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
|
67.43.226.242 (LB)
Location: - - LEBANON
Provider: - / COMP NADER DARA
Forensics: Very High (2.0), 1 BotHunter User, 9 Infection Reports, 2010-01-05 to 2010-01-05
Evidence Summary:
° 2001569(36): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(29): Malware Scan - Detected intense malware port scanning
° 7777005(13): Outbound Scan - Detected intense non-malware port scanning
° 2000328(6): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3810005(5): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(5): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 1(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
|
97.74.144.123 (US)
Location: SCOTTSDALE ARIZONA UNITED STATES
Provider: JWS.COM / DSL GODADDY.COM INC
Forensics: Very High (2.2), 1 BotHunter User, 1 Infection Report, 2010-01-22 to 2010-01-22
Evidence Summary:
° 25(4): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2001569(1): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
|
67.225.158.18 (US)
Location: LANSING MICHIGAN UNITED STATES
Provider: ZFAW.COM / DSL LIQUID WEB INC
Forensics: High (1.4), 2 BotHunter Users, 2 Infection Reports, 2010-01-31 to 2010-02-12
Evidence Summary:
° 2001219(13): Outbound Attack - ET SCAN Potential SSH Scan (20 in 60 secs)
° 1(11): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
|
85.17.216.83 (NL)
Location: AMSTERDAM NOORD-HOLLAND NETHERLANDS
Provider: LEASEWEB.COM / DSL LEASEWEB
Forensics: Maximum (2.7), 8 BotHunter Users, 16 Infection Reports, 2009-12-23 to 2010-01-26
Evidence Summary:
° 2003219(2): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2003179(1): Egg Download - ET POLICY exe download without User Agent
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810009(1): Bot Space Access - ET COMPROMISED Known Compromised or Hostile Host Traffic
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
|
221.181.73.214 (CN)
Location: BEIJING BEIJING CHINA
Provider: MINTEL.COM / DSL CHINA MOBILE COMMUNICATIONS CORPORATION
Forensics: High (1.4), 22 BotHunter Users, 111 Infection Reports, 2010-01-26 to 2010-03-07
Evidence Summary:
° 2003607(3): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003179(2): Egg Download - ET POLICY exe download without User Agent
° 2003620(2): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
|
85.24.148.125 (SE)
Location: STOCKHOLM STOCKHOLMS LAN SWEDEN
Provider: LULS.ORG / COMP SHELLFX-CSH-STERIK-NET
Forensics: High (1.5), 1 BotHunter User, 1 Infection Report, 2009-12-30 to 2009-12-30
Evidence Summary:
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
|
64.71.152.147 (US)
Location: NASHVILLE TENNESSEE UNITED STATES
Provider: LINODE.COM / DSL SHORE NETWORK TECHNOLOGIES
Forensics: Maximum (2.3), 3 BotHunter Users, 8 Infection Reports, 2010-01-21 to 2010-01-26
Evidence Summary:
° 2003179(2): Egg Download - ET POLICY exe download without User Agent
° 2003219(1): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2007951(1): CandC Communication - ET MALWARE Hex Encoded IP HTTP Request - Likely Malware
° 3800002(1): Bot Space Access - BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
|
208.43.232.80 (US)
Location: DALLAS TEXAS UNITED STATES
Provider: SOFTLAYER.COM / COMP SOFTLAYER TECHNOLOGIES INC
Forensics: Very High (2.2), 4 BotHunter Users, 4 Infection Reports, 2010-01-29 to 2010-02-18
Evidence Summary:
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
|
116.31.122.64 (CN)
Location: ZHUHAI GUANGDONG CHINA
Provider: 163DATA.COM.CN / DSL CHINANET GUANGDONG PROVINCE NETWORK
Forensics: Moderate (1.3), 2 BotHunter Users, 7 Infection Reports, 2010-01-30 to 2010-02-24
Evidence Summary:
° 3810005(5): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2003422(1): CandC Communication - ET MALWARE Weatherbug Command Activity
|
67.228.222.240 (US)
Location: BROOKLYN NEW YORK UNITED STATES
Provider: SOFTLAYER.COM / COMP SOFTLAYER TECHNOLOGIES INC
Forensics: Very High (2.0), 1 BotHunter User, 1 Infection Report, 2010-01-06 to 2010-01-06
Evidence Summary:
° 2003330(4): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
|
64.29.201.96 (US)
Location: IRVING TEXAS UNITED STATES
Provider: DATARETURN.COM / DSL DATA RETURN
Forensics: High (1.5), 1 BotHunter User, 1 Infection Report, 2010-01-22 to 2010-01-22
Evidence Summary:
° 2007860(82): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(82): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
|
72.20.40.26 (US)
Location: FULLERTON CALIFORNIA UNITED STATES
Provider: STAMINUS.NET / DSL STAMINUS COMMUNICATIONS
Forensics: Very High (2.2), 8 BotHunter Users, 19 Infection Reports, 2010-01-20 to 2010-02-06
Evidence Summary:
° 2009024(25): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 3(7): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(7): Outbound Scan - Detected intense non-malware port scanning
° 3810007(4): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810001(3): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(3): Bot Space Access - ET ShadowServer confirmed botnet control server
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
|
75.125.200.226 (US)
Location: DALLAS TEXAS UNITED STATES
Provider: THEPLANET.COM / DSL THEPLANET.COM INTERNET SERVICES INC
Forensics: Very High (2.0), 1 BotHunter User, 1 Infection Report, 2010-02-12 to 2010-02-12
Evidence Summary:
° 2003330(10): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
|
92.101.186.138 (RU)
Location: MOSCOW MOSCOW CITY RUSSIAN FEDERATION
Provider: VOLOGDA.RU / DSL ST.PETERSBURG TELEPHONE NETWORK
Forensics: Maximum (2.5), 1 BotHunter User, 1 Infection Report, 2009-12-30 to 2009-12-30
Evidence Summary:
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2001569(3): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 2008124(3): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2002033(1): CandC Communication - ET TROJAN BOT - potential response
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
|
217.107.217.27 (RU)
Location: MOSCOW MOSCOW CITY RUSSIAN FEDERATION
Provider: JINO.RU / COMP AVGURO TECHNOLOGIES LTD. HOSTING SERVICE PROVIDER
Forensics: High (1.9), 2 BotHunter Users, 2 Infection Reports, 2010-01-22 to 2010-01-26
Evidence Summary:
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003179(1): Egg Download - ET POLICY exe download without User Agent
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
|
125.89.148.128 (CN)
Location: GUANGZHOU GUANGDONG CHINA
Provider: 163DATA.COM.CN / DSL CHINANET GUANGDONG PROVINCE NETWORK
Forensics: Moderate (1.2), 1 BotHunter User, 1 Infection Report, 2009-12-20 to 2009-12-20
Evidence Summary:
° 2002974(1): CandC Communication - ET TROJAN Backdoor.Hupigon Possible Control Connection Being Established
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
|
195.20.240.3 (DE)
Location: - - GERMANY
Provider: KUNDENSERVER.DE / DSL SCHLUND-CUSTOMERS
Forensics: High (1.7), 13 BotHunter Users, 146 Infection Reports, 2009-12-23 to 2010-01-05
Evidence Summary:
° 2003636(61): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU)
° 2003088(58): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp)
° 2001569(57): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(36): Malware Scan - Detected intense malware port scanning
° 2009024(6): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
|
123.75.3.137 (CN)
Location: BEIJING BEIJING CHINA
Provider: JWS.COM / DSL CHINA TIETONG TELECOMMUNICATIONS CORPORATION
Forensics: Moderate (1.2), 1 BotHunter User, 1 Infection Report, 2009-12-27 to 2009-12-27
Evidence Summary:
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2008110(1): CandC Communication - ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound
|
80.190.246.162 (DE)
BERLIN BERLIN GERMANY |
IPXSERVER.DE / DSL IPX SERVER GMBH |
Very High Details (2.0) 1 BotHunter Users 1 Infection Report 2010-02-04 to 2010-02-04 |
° 2003330(9): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
83.231.138.193 (UK)
LONDON ENGLAND UNITED KINGDOM |
VERIO.NET / COMP EMIRATES GROUP |
Maximum Details (2.5) 1 BotHunter Users 1 Infection Report 2010-03-01 to 2010-03-01 |
° 2000328(15): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
121.54.20.72 (PH)
BAGUIO BAGUIO PHILIPPINES |
SMARTBRO.NET / DSL SMART BROADBAND INCORPORATED |
Moderate Details (1.3) 1 BotHunter Users 2 Infection Report 2010-01-28 to 2010-01-28 |
° 2001569(6): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
64.40.117.19 (CA)
VANCOUVER BRITISH COLUMBIA CANADA |
ALXNET.COM / DSL NETNATION COMMUNICATIONS INC |
Very High Details (2.2) 1 BotHunter Users 1 Infection Report 2009-12-31 to 2009-12-31 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 2009024(1): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
98.142.215.183 (US)
ATLANTA GEORGIA UNITED STATES |
SAGONET.NET / DSL WIRESIX INC |
High Details (1.5) 4 BotHunter Users 8 Infection Report 2009-12-24 to 2010-01-10 |
° 2003422(2): CandC Communication - ET MALWARE Weatherbug Command Activity ° 2632222(2): not found ° 2003179(1): Egg Download - ET POLICY exe download without User Agent |
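
The evidence summaries in this listing all follow one fixed layout: each item reads `° <sid>(<hits>): <phase> - <rule message>`, where the phase is the BotHunter dialog stage the rule is mapped to and `not found` marks a signature ID the page could not resolve (such as 2632222 under 98.142.215.183 above). The Python parser below is an added example, not code from the BotHunter project or this site: it reads two entries copied from this listing (195.20.240.3 and 98.142.215.183, embedded inline as constructed sample input), turns them into records, and tallies rule hits per phase. The figure in parentheses after the confidence label is carried through unchanged, since the page does not document how it is computed.

```python
"""Parse BotHunter community-repository C&C entries in the page's flattened layout.
Added illustration; not BotHunter project code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two entries copied from the listing, one line per column.
SAMPLE = """\
195.20.240.3 (DE)
- - GERMANY |
KUNDENSERVER.DE / DSL SCHLUND-CUSTOMERS |
High Details (1.7) 13 BotHunter Users 146 Infection Report 2009-12-23 to 2010-01-05 |
\u00b0 2003636(61): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU) \u00b0 2009024(6): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting \u00b0 7777008(36): Malware Scan - Detected intense malware port scanning \u00b0 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |

98.142.215.183 (US)
ATLANTA GEORGIA UNITED STATES |
SAGONET.NET / DSL WIRESIX INC |
High Details (1.5) 4 BotHunter Users 8 Infection Report 2009-12-24 to 2010-01-10 |
\u00b0 2003422(2): CandC Communication - ET MALWARE Weatherbug Command Activity \u00b0 2632222(2): not found \u00b0 2003179(1): Egg Download - ET POLICY exe download without User Agent |
"""


@dataclass
class Evidence:
    sid: int              # Snort / Emerging Threats / BotHunter signature ID
    hits: int             # times the rule fired against this C&C across all reports
    phase: Optional[str]  # dialog-phase label from the page; None when the SID is "not found"
    rule: str             # rule message, or "not found"


@dataclass
class CncRecord:
    ip: str
    country: str
    location: str
    provider: str
    confidence: str   # Moderate / High / Very High / Maximum
    score: float      # parenthesised figure; its derivation is not documented on the page
    users: int
    reports: int
    first_seen: str
    last_seen: str
    evidence: List[Evidence] = field(default_factory=list)

    def phases(self) -> set:
        """Distinct dialog phases that have at least one resolved rule hit."""
        return {e.phase for e in self.evidence if e.phase}

    def unresolved_sids(self) -> List[int]:
        """SIDs the page lists as 'not found'; re-check them against a current ruleset."""
        return [e.sid for e in self.evidence if e.phase is None]

    def total_hits(self) -> int:
        return sum(e.hits for e in self.evidence)


HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) \(([^)]*)\)$")
FORENSICS = re.compile(
    r"^(Moderate|High|Very High|Maximum) Details \(([\d.]+)\) "
    r"(\d+) BotHunter Users (\d+) Infection Report "
    r"(\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})$")
ITEM = re.compile(r"^(\d+)\((\d+)\):\s*(.*)$")


def _clean(line: str) -> str:
    """Drop the trailing table-cell delimiter left by the page layout."""
    return line.strip().rstrip("|").strip()


def parse_evidence(line: str) -> List[Evidence]:
    out = []
    for chunk in _clean(line).split("\u00b0"):   # items are separated by the degree sign
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ITEM.match(chunk)
        if not m:
            raise ValueError(f"bad evidence item: {chunk!r}")
        sid, hits, desc = int(m.group(1)), int(m.group(2)), m.group(3)
        if desc == "not found":
            out.append(Evidence(sid, hits, None, desc))
        else:
            phase, _, rule = desc.partition(" - ")   # first " - " splits phase from message
            out.append(Evidence(sid, hits, phase, rule))
    return out


def parse_records(text: str) -> List[CncRecord]:
    """One entry per blank-line-separated block: IP, location, provider, forensics, evidence."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [_clean(ln) for ln in block.splitlines()]
        if len(lines) != 5:
            raise ValueError(f"expected 5 lines, got {len(lines)} at {lines[0]!r}")
        h, f = HEADER.match(lines[0]), FORENSICS.match(lines[3])
        if not (h and f):
            raise ValueError(f"unparseable entry starting {lines[0]!r}")
        records.append(CncRecord(
            ip=h.group(1), country=h.group(2), location=lines[1], provider=lines[2],
            confidence=f.group(1), score=float(f.group(2)),
            users=int(f.group(3)), reports=int(f.group(4)),
            first_seen=f.group(5), last_seen=f.group(6),
            evidence=parse_evidence(lines[4])))
    return records


def hits_by_phase(records: List[CncRecord]) -> Dict[str, int]:
    """Aggregate rule hits per dialog phase; unresolved SIDs are counted under 'unresolved'."""
    totals: Dict[str, int] = {}
    for r in records:
        for e in r.evidence:
            key = e.phase or "unresolved"
            totals[key] = totals.get(key, 0) + e.hits
    return totals
```

Running `parse_records(SAMPLE)` yields two records; `hits_by_phase` on them attributes 69 hits to CandC Communication, 36 to Malware Scan, and 2 to the unresolved SID 2632222. The parser deliberately refuses malformed entries instead of skipping them, so a change in the page layout surfaces as an error rather than as silently missing C&C addresses.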
|
205.209.137.109 (US)
FREMONT CALIFORNIA UNITED STATES |
COLOALACARTE.COM / DSL MANAGED SOLUTIONS GROUP INC |
Very High Details (2.2) 13 BotHunter Users 38 Infection Report 2010-01-04 to 2010-02-05 |
° 3810007(4): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003179(1): Egg Download - ET POLICY exe download without User Agent ° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting ° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough) ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
92.48.91.146 (UK)
- - UNITED KINGDOM |
AS29550.NET / COMP POUNDHOST CUSTOMER SERVER |
Moderate Details (1.3) 1 BotHunter Users 2 Infection Report 2010-02-14 to 2010-02-14 |
° 2003174(2): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected ° 2008944(2): CandC Communication - ET TROJAN TDSServ or Tidserv variant Checkin ° 2001685(1): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send an image ° 2009031(1): CandC Communication - ET TROJAN Possible Armitage Loader Request |
|
130.28.2.107 (SE)
STOCKHOLM STOCKHOLMS LAN SWEDEN |
- / DSL FEDERATION OF SWEDISH COUNTY COUNCILS |
High Details (1.5) 1 BotHunter Users 1 Infection Report 2010-01-22 to 2010-01-22 |
° 2007860(82): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0) ° 2008564(82): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request) ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner |
|
216.17.104.158 (US)
SAN DIEGO CALIFORNIA UNITED STATES |
PHATSERVERS.COM / DSL PHATSERVERS.NET |
Very High Details (2.1) 14 BotHunter Users 16 Infection Report 2009-12-24 to 2010-03-08 |
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2000328(3): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 15165(2): CandC Communication - BACKDOOR Pushdo client communication attempt ° 2007771(2): Egg Download - ET TROJAN Pushdo Update URL Detected ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
203.228.244.187 (KR)
SEOUL SEOUL-T'UKPYOLSI KOREA, REPUBLIC OF |
KRLINE.NET / DSL KRNIC |
High Details (1.6) 5 BotHunter Users 107 Infection Report 2010-01-28 to 2010-02-09 |
° 2008124(140): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..) ° 3(20): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810005(9): Bot Space Access - ET ShadowServer confirmed botnet control server ° 7777005(5): Outbound Scan - Detected intense non-malware port scanning ° 7777008(5): Malware Scan - Detected intense malware port scanning ° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 3300003(1): Egg Download - BotHunter HTTP-based .exe Upload on backdoor port ° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host |
|
113.93.174.1 (CN)
GUANGZHOU GUANGDONG CHINA |
163DATA.COM.CN / DSL CHINANET GUANGDONG PROVINCE NETWORK |
Moderate Details (1.2) 1 BotHunter Users 4 Infection Report 2010-02-13 to 2010-02-13 |
° 3(12): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2002974(4): CandC Communication - ET TROJAN Backdoor.Hupigon Possible Control Connection Being Established ° 7777005(4): Outbound Scan - Detected intense non-malware port scanning |
|
194.67.33.241 (RU)
SOCHI KRASNODAR RUSSIAN FEDERATION |
HW.RU / DSL SOVINTEL-MSK-MEDIA-MIR-NET |
High Details (1.8) 1 BotHunter Users 2 Infection Report 2010-01-22 to 2010-01-22 |
° 2000328(19): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 7777005(5): Outbound Scan - Detected intense non-malware port scanning ° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 9906021(3): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (22) ° 9906001(2): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (2) ° 9906026(2): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (27) |
|
23.12.125.79 (-)
- - - |
- / - - |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2010-01-27 to 2010-01-27 |
° 2001569(1): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
74.220.215.56 (US)
OREM UTAH UNITED STATES |
BLUEHOST.COM / DSL BLUEHOST INC |
Maximum Details (3.0) 9 BotHunter Users 11 Infection Report 2010-01-19 to 2010-03-07 |
° 2000328(4): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 2007669(1): CandC Communication - ET TROJAN Nulprot Checkin Response ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
91.197.13.211 (PL)
- - POLAND |
GADU-GADU.PL / DSL GADU-GADU S.A |
High Details (1.5) 1 BotHunter Users 4 Infection Report 2009-12-15 to 2009-12-15 |
° 2007866(4): CandC Communication - ET TROJAN Gadu-Gadu.pl Related Trojan Reporting via HTTP ° 7777005(4): Outbound Scan - Detected intense non-malware port scanning ° 2600150(1): Attack Prep - SPYWARE-DNS DNS lookup 6 chars (.com) |
|
59.32.232.232 (CN)
GUANGZHOU GUANGDONG CHINA |
- / COMP SHAO GUAN SHI PENG XUN KE JI FA ZHAN COMPANY |
High Details (1.7) 1 BotHunter Users 19 Infection Report 2010-02-26 to 2010-02-26 |
° 7777005(56): Outbound Scan - Detected intense non-malware port scanning ° 2008564(19): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request) ° 3(18): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003174(2): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected ° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host |
|
217.199.218.50 (RU)
- - RUSSIAN FEDERATION |
QUICKLINE.RU / DSL MASTAK.RU |
Very High Details (2.2) 13 BotHunter Users 13 Infection Report 2009-12-25 to 2010-02-24 |
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning ° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 2008189(1): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin |
|
76.10.144.86 (CA)
- - CANADA |
TEKSAVVY.COM / DSL TEKSAVVY SOLUTIONS INC |
High Details (1.8) 2 BotHunter Users 2 Infection Report 2009-12-23 to 2010-01-01 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(2): Malware Scan - Detected intense malware port scanning ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2000328(1): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
67.43.236.46 (CA)
LAVAL QUEBEC CANADA |
FASTPUPPY.NET / COMP NETELLIGENT HOSTING SERVICES INC |
High Details (1.5) 2 BotHunter Users 2 Infection Report 2009-12-30 to 2010-01-06 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 7777008(1): Malware Scan - Detected intense malware port scanning |
|
193.43.88.138 (NL)
AMSTERDAM NOORD-HOLLAND NETHERLANDS |
- / DSL EASYHOST (XHOST) |
Maximum Details (2.5) 4 BotHunter Users 5 Infection Report 2010-01-14 to 2010-01-19 |
° 2001569(6): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 25(5): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 1(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2008124(2): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..) ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 2003088(1): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp) ° 2003636(1): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU) ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
204.137.28.0 (US)
KANSAS CITY MISSOURI UNITED STATES |
VIRTUEMAILS.COM / DSL ADKNOWLEDGE INC |
High Details (1.7) 1 BotHunter Users 27 Infection Report 2009-12-10 to 2009-12-10 |
° 7777005(55): Outbound Scan - Detected intense non-malware port scanning ° 2003579(28): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough) ° 3(17): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2008438(3): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File ° 2008576(3): Egg Download - ET TROJAN TinyPE Binary - Possibly Hostile ° 3300007(3): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host ° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner |
|
213.180.199.48 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
YANDEX.RU / DSL YANDEX LLC |
Very High Details (2.2) 2 BotHunter Users 2 Infection Report 2010-01-21 to 2010-01-26 |
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003179(1): Egg Download - ET POLICY exe download without User Agent ° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
123.123.123.123 (CN)
BEIJING BEIJING CHINA |
BTA.NET.CN / DSL CHINA UNICOM BEIJING PROVINCE NETWORK |
Maximum Details (2.8) 214 BotHunter Users 2031 Infection Report 2009-12-11 to 2010-03-08 |
° 2000328(36): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 3810007(14): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3(9): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 7777005(7): Outbound Scan - Detected intense non-malware port scanning ° 2003579(5): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough) ° 2003581(5): CandC Communication - ET MALWARE Findwhat.com Spyware (sendmedia) ° 2001569(3): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 2003179(1): Egg Download - ET POLICY exe download without User Agent |
|
217.199.217.9 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
UCOZ.NET / DSL UCOZ |
High Details (1.9) 8 BotHunter Users 8 Infection Report 2009-12-26 to 2010-03-04 |
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2000328(3): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
212.117.160.18 (LU)
- - LUXEMBOURG |
IP-212-117-176-10.SERVER.LU / COMP ROOT ESOLUTIONS |
High Details (1.4) 77 BotHunter Users 193 Infection Report 2010-01-04 to 2010-03-02 |
° 3(17): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810007(10): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 2003219(6): CandC Communication - ET MALWARE Alexa Spyware Reporting ° 2009024(5): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting ° 25(3): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2002167(1): Egg Download - ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related ° 2008523(1): CandC Communication - ET TROJAN Generic Trojan Checkin |
|
98.126.25.242 (US)
ORANGE CALIFORNIA UNITED STATES |
VPLS.NET / DSL VPLS INC. D/B/A KRYPT TECHNOLOGIES |
Maximum Details (3.2) 4 BotHunter Users 244 Infection Report 2010-02-08 to 2010-02-11 |
° 2000328(25): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2001569(16): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777005(8): Outbound Scan - Detected intense non-malware port scanning ° 2008271(5): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (1) ° 2008450(5): CandC Communication - ET TROJAN Buzus.lyz Connect to CnC ° 3810007(3): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile ° 2008124(1): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..) ° 2008272(1): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (2) |
|
212.227.111.29 (DE)
FRANKFURT HESSEN GERMANY |
KEY-SYSTEMS.NET / DSL KEY-SYSTEMS GMBH |
Very High Details (2.0) 44 BotHunter Users 186 Infection Report 2009-12-10 to 2010-03-03 |
° 7777005(18): Outbound Scan - Detected intense non-malware port scanning ° 3(11): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003330(10): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 9910014(7): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3810001(6): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810003(6): Bot Space Access - BotHunter REPO confirmed botnet control server ° 3810005(6): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(6): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
193.149.47.108 (DE)
MUNICH BAYERN GERMANY |
EUROCLICK.COM / COMP MEDIA PARAGON TECHNOLOGIES LTD |
Moderate Details (1.3) 1 BotHunter Users 2 Infection Report 2009-12-09 to 2009-12-09 |
° 80808080(8): not found ° 2003579(2): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough) ° 2003422(1): CandC Communication - ET MALWARE Weatherbug Command Activity |
|
219.84.98.110 (TW)
TAIPEI T'AI-PEI TAIWAN |
SO-NET.NET.TW / DSL SONY NETWORK TAIWAN LIMITED |
Maximum Details (2.3) 1 BotHunter Users 1 Infection Report 2009-12-23 to 2009-12-23 |
° 52009201(5): Outbound Attack - ET CURRENT_EVENTS Conficker.b Shellcode ° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 1(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 2009024(1): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting ° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server |
|
78.107.239.134 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
CORBINA.RU / DSL STATIC IP POOL FOR BROADBAND CUSTOMERS IN MOSCOW |
Very High Details (2.2) 1 BotHunter Users 1 Infection Report 2010-02-15 to 2010-02-15 |
° 25(3): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2002196(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3 ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
61.50.138.244 (CN)
BEIJING BEIJING CHINA |
- / DSL CHINA NETCOM GROUP BEIJING CORPORATION |
High Details (1.5) 1 BotHunter Users 1 Infection Report 2010-03-07 to 2010-03-07 |
° 2007860(2): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0) ° 2008564(2): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request) ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
120.90.103.94 (CN)
SHANGHAI SHANGHAI CHINA |
- / DSL UNION NETWORK TECHNOLOGY CO.LTD |
High Details (1.7) 1 BotHunter Users 1 Infection Report 2010-02-03 to 2010-02-03 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
65.182.100.196 (US)
PHOENIX ARIZONA UNITED STATES |
BRINKSTER.COM / COMP BRINKSTER COMMUNICATIONS CORPORATION |
High Details (1.9) 1 BotHunter Users 1 Infection Report 2010-02-04 to 2010-02-04 |
° 2003219(4): CandC Communication - ET MALWARE Alexa Spyware Reporting ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2008558(1): Egg Download - ET USER_AGENTS iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper) ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
211.144.97.217 (CN)
SHANGHAI SHANGHAI CHINA |
STN.SH.CN / DSL SCIENCE & TECHNOLOGY NETWORK COMMUNICATION CO. LTD |
High Details (1.5) 5 BotHunter Users 13 Infection Report 2010-02-09 to 2010-02-16 |
° 3(8): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2007963(3): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Status OK ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 2003219(1): CandC Communication - ET MALWARE Alexa Spyware Reporting ° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity |
|
195.47.247.140 (DK)
COPENHAGEN KOBENHAVN DENMARK |
ONE.COM / DSL ONE.COM A/S |
High Details (1.4) 4 BotHunter Users 11 Infection Report 2009-12-09 to 2010-01-28 |
° 3810007(5): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 1(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 2003179(1): Egg Download - ET POLICY exe download without User Agent ° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3 |
|
213.186.40.104 (FR)
PARIS ILE-DE-FRANCE FRANCE |
INGENIWEB.COM / DSL OVH SAS |
Maximum Details (2.5) 9 BotHunter Users 12 Infection Report 2009-12-28 to 2010-03-08 |
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2000328(3): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
66.211.50.207 (US)
NEW YORK NEW YORK UNITED STATES |
LIGHTCORE.NET / COMP LIGHTCORE A CENTURYTELCOMPANY |
Maximum Details (2.3) 1 BotHunter Users 2 Infection Report 2010-01-02 to 2010-01-02 |
° 2000328(33): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 2009880(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3 ° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
63.241.153.51 (US)
PHOENIX ARIZONA UNITED STATES |
VIANET-LLC.COM / COMP VIANET MANAGEMENT |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2009-12-09 to 2009-12-09 |
° 80808080(7): not found ° 2003579(2): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough) ° 2003422(1): CandC Communication - ET MALWARE Weatherbug Command Activity |
|
221.6.183.175 (CN)
BEIJING BEIJING CHINA |
CANADIAN-SOLAR.COM / DSL CHINA UNICOM JIANGSU PROVINCE NETWORK |
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2010-01-24 to 2010-01-24 |
° 2007589(1): CandC Communication - ET TROJAN Win32 Agent.ALT C&C Checkin packet 1 ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
218.93.205.86 (CN)
BEIJING BEIJING CHINA |
163DATA.COM.CN / DSL CHINANET JIANGSU PROVINCE NETWORK |
High Details (1.8) 1 BotHunter Users 1 Infection Report 2009-12-23 to 2009-12-23 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
80.64.138.34 (AT)
VIENNA WIEN AUSTRIA |
CLAN-SERVER.AT / COMP GAMESERVERHOUSING/COLOCATION |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2010-01-01 to 2010-01-01 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(2): Malware Scan - Detected intense malware port scanning ° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
203.106.85.171 (MY)
KUALA LUMPUR WILAYAH PERSEKUTUAN MALAYSIA |
- / DSL ACER SALES & SERVICES SDN BHD |
High Details (1.8) 2 BotHunter Users 2 Infection Report 2010-01-05 to 2010-02-05 |
° 1(5): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 2002196(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3 ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning ° 7777008(1): Malware Scan - Detected intense malware port scanning |
|
212.48.193.36 (RU)
ST. PETERSBURG SAINT PETERSBURG CITY RUSSIAN FEDERATION |
COD.RU / DSL ST.PETERSBURG TELEPHONE NETWORK |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2010-02-28 to 2010-02-28 |
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host ° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 2000427(1): Egg Download - ET POLICY PE EXE Install Windows file download ° 2632222(1): not found |
|
69.89.17.18 (US)
PROVO UTAH UNITED STATES |
BLUEHOST.COM / DSL BLUEHOST INC |
Very High Details (2.0) 8 BotHunter Users 8 Infection Report 2009-12-31 to 2010-03-05 |
° 2003330(6): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
91.207.4.138 (UA)
KHARKIV KHARKIVS'KA OBLAST' UKRAINE |
STEEPHOST.NET / DSL STEEPHOST.COM DATACENTRE ALLOCATION |
Maximum Details (2.6) 2 BotHunter Users 82 Infection Report 2010-02-06 to 2010-02-11 |
° 2000328(23): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 7777005(9): Outbound Scan - Detected intense non-malware port scanning ° 2003088(6): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp) ° 2003636(6): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU) ° 2008189(6): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin ° 2003330(5): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 9910014(4): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
70.36.100.42 (US)
LOS ANGELES CALIFORNIA UNITED STATES |
VRTSERVERS.NET / DSL VRTSERVERS INC |
High Details (1.5) 3 BotHunter Users 6 Infection Report 2009-12-23 to 2009-12-26 |
° 2007771(11): Egg Download - ET TROJAN Pushdo Update URL Detected ° 15165(7): CandC Communication - BACKDOOR Pushdo client communication attempt ° 2008189(1): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin ° 2008944(1): CandC Communication - ET TROJAN TDSServ or Tidserv variant Checkin ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
222.29.39.79 (CN)
BEIJING BEIJING CHINA |
PKU.EDU.CN / DSL PEKING UNIVERSITY NEW CAMPU NETWORK |
Moderate Details (1.2) 1 BotHunter Users 2 Infection Report 2010-01-20 to 2010-01-20 |
° 7777005(6): Outbound Scan - Detected intense non-malware port scanning ° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2008110(2): CandC Communication - ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound |
|
208.43.92.68 (US)
DALLAS TEXAS UNITED STATES |
SOFTLAYER.COM / COMP SOFTLAYER TECHNOLOGIES INC |
Maximum Details (2.5) 1 BotHunter Users 1 Infection Report 2010-02-11 to 2010-02-11 |
° 2000328(6): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
72.52.210.130 (US)
LANSING MICHIGAN UNITED STATES |
LIQUIDWEB.COM / DSL LIQUID WEB INC |
Very High Details (2.2) 39 BotHunter Users 2687 Infection Report 2009-12-24 to 2010-02-25 |
° 2000328(200): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2001569(171): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 3(85): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 7777005(73): Outbound Scan - Detected intense non-malware port scanning ° 3810007(57): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810001(17): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810005(17): Bot Space Access - ET ShadowServer confirmed botnet control server ° 7777008(15): Malware Scan - Detected intense malware port scanning ° 2008124(1): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..) |
|
87.248.163.54 (MD)
CHISINAU CHISINAU MOLDOVA, REPUBLIC OF |
87-248-162-10.STARNET.MD / DSL SC STARNET SRL |
High Details (1.4) 4 BotHunter Users 5 Infection Report 2009-12-16 to 2009-12-16 |
° 7777005(7): Outbound Scan - Detected intense non-malware port scanning ° 3810007(5): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough) ° 2010007(1): Egg Download - ET TROJAN Potential Gemini Malware Download |
|
125.39.78.27 (CN)
TIANJIN TIANJIN CHINA |
ONLINE.TJ.CN / DSL CHINA UNICOM TIANJIN PROVINCE NETWORK |
Moderate Details (1.2) 5 BotHunter Users 6 Infection Report 2009-12-09 to 2010-01-16 |
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 2003340(1): CandC Communication - ET MALWARE Baidu.com Spyware Bar Reporting ° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host |
|
193.232.159.1 (RU)
- - RUSSIAN FEDERATION |
- / DSL AUTONOMOUS NONPROFIT ORGANIZATION |
Very High Details (2.2) 17 BotHunter Users 36 Infection Report 2009-12-26 to 2010-03-05 |
° 2003219(3): CandC Communication - ET MALWARE Alexa Spyware Reporting ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003179(1): Egg Download - ET POLICY exe download without User Agent ° 2003581(1): CandC Communication - ET MALWARE Findwhat.com Spyware (sendmedia) ° 2009292(1): CandC Communication - ET TROJAN Hupigon CnC Server Response ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
125.63.90.155 (IN)
NEW DELHI DELHI INDIA |
SPECTRANET.COM / DSL BROADBAND ISP INDIA |
Moderate Details (1.3) 1 BotHunter Users 4 Infection Report 2010-03-01 to 2010-03-01 |
° 2001569(8): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 2008124(4): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..) ° 22000346(2): Inbound Attack - ET ATTACK RESPONSE IRC - Name response on non-std port |
|
125.116.27.94 (CN)
NINGBO ZHEJIANG CHINA |
163DATA.COM.CN / DSL CHINANET-ZJ NINGBO NODE NETWORK |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2009-12-22 to 2009-12-22 |
° 3810009(1): Bot Space Access - ET COMPROMISED Known Compromised or Hostile Host Traffic ° 52007933(1): Outbound Attack - ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability |
|
195.137.213.67 (DE)
BERLIN BERLIN GERMANY |
SERVER-HOME.NET / DSL MARKUS BACH BETRIEBS GESELLSCHAFT MBH |
High Details (1.5) 13 BotHunter Users 193 Infection Report 2009-12-31 to 2010-02-17 |
° 1(8): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2001569(6): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 25(5): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 2008124(2): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..) ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
85.196.7.112 (GR)
ATHENS ATTIKI GREECE |
NXT.GR / DSL PAPADOPOULOS IOANNIS & SIA E.E. GLOBAL NETWORKS |
High Details (1.8) 6 BotHunter Users 25 Infection Report 2009-12-24 to 2010-01-06 |
° 2002167(3): Egg Download - ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related ° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
82.17.233.10 (UK)
GLASGOW SCOTLAND UNITED KINGDOM |
NTL.COM / DSL NTL INFRASTRUCTURE - MIDDLESBROUGH |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2010-01-28 to 2010-01-28 |
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller ° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
116.21.23.20 (CN)
GUANGZHOU GUANGDONG CHINA |
163DATA.COM.CN / DSL CHINANET GUANGDONG PROVINCE NETWORK |
Moderate Details (1.2) 2 BotHunter Users 3 Infection Report 2010-02-14 to 2010-02-15 |
° 2002974(2): CandC Communication - ET TROJAN Backdoor.Hupigon Possible Control Connection Being Established ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner |
|
69.59.17.202 (US)
CHARLOTTE NORTH CAROLINA UNITED STATES |
CAROHOSTING.NET / DSL CARONET MANAGED HOSTING |
Very High Details (2.2) 1 BotHunter Users 1 Infection Report 2010-01-26 to 2010-01-26 |
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting ° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting ° 2007951(1): CandC Communication - ET MALWARE Hex Encoded IP HTTP Request - Likely Malware ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
203.208.39.160 (CN)
BEIJING BEIJING CHINA |
- / DSL BEIJING GU XIANG INFORMATION TECHNOLOGY CO. LTD |
High Details (1.7) 1 BotHunter Users 2 Infection Report 2010-02-10 to 2010-02-10 |
° 2007860(6): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0) ° 2008564(6): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request) ° 7777005(5): Outbound Scan - Detected intense non-malware port scanning |
|
202.75.36.22 (MY)
KUALA LUMPUR WILAYAH PERSEKUTUAN MALAYSIA |
TM.NET.MY / DSL TELEKOM MALAYSIA BERHAD |
Maximum Details (3.0) 280 BotHunter Users 1136 Infection Report 2009-12-31 to 2010-03-08 |
° 1(16): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810007(12): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 2001569(11): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 25(10): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 3(6): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 7777005(5): Outbound Scan - Detected intense non-malware port scanning ° 3810001(3): Bot Space Access - BotHunter MTC confirmed botnet control server ° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
72.20.24.28 (US)
FULLERTON CALIFORNIA UNITED STATES |
STAMINUS.NET / DSL STAMINUS COMMUNICATIONS |
High Details (1.5) 1 BotHunter Users 1 Infection Report 2010-01-05 to 2010-01-05 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(2): Malware Scan - Detected intense malware port scanning ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
91.124.168.60 (UA)
KIEV KYYIV UKRAINE |
UKRTEL.NET / DSL UKRTELECOM IP ACCESS NETWORK |
High Details (1.8) 3 BotHunter Users 3 Infection Report 2010-01-06 to 2010-03-01 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777008(1): Malware Scan - Detected intense malware port scanning ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
216.82.127.46 (US)
HIALEAH FLORIDA UNITED STATES |
HAPPYEMPIRE.COM / DSL HAPPY EMPIRE INC |
High Details (1.5) 1 BotHunter Users 1 Infection Report 2009-12-27 to 2009-12-27 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
194.67.2.54 (RU)
KRASNOYARSK KRASNOYARSK RUSSIAN FEDERATION |
GLDN.NET / DSL TELEROSS |
High Details (1.7) 1 BotHunter Users 1 Infection Report 2009-12-19 to 2009-12-19 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
124.244.11.209 (HK)
HONG KONG HONG KONG (SAR) HONG KONG |
CTINETS.COM / DSL CITY TELECOM (H.K.) LTD |
High Details (1.9) 2 BotHunter Users 3 Infection Report 2010-03-01 to 2010-03-01 |
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810006(2): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810009(2): Bot Space Access - ET COMPROMISED Known Compromised or Hostile Host Traffic ° 2002728(1): CandC Communication - ET TROJAN Ransky or variant backdoor communication ping ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777055(1): Outbound Scan - Detected intense non-malware port scanning (P2P) |
|
209.51.196.242 (US)
COLUMBUS OHIO UNITED STATES |
XLHOST.COM / COMP XLHOST.COM INC |
High Details (1.7) 8 BotHunter Users 11 Infection Report 2010-02-03 to 2010-02-08 |
° 2000328(8): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning ° 7777008(1): Malware Scan - Detected intense malware port scanning ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
80.148.20.97 (DE)
REMSCHEID NORDRHEIN-WESTFALEN GERMANY |
- / DSL T-SYSTEMS GMBH FUER TKS TELEPOST KABEL-SERVICE KL |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2009-12-15 to 2009-12-15 |
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller ° 3810002(1): Bot Space Access - BotHunter MTC confirmed botnet control server |
|
202.172.28.113 (JP)
TOKYO TOKYO JAPAN |
S9.CORESERVER.JP / DSL DIGIROCK INC |
Maximum Details (2.5) 1 BotHunter Users 1 Infection Report 2010-02-22 to 2010-02-22 |
° 2000328(15): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
87.118.126.87 (DE)
ERFURT THURINGEN GERMANY |
KEYMACHINE.DE / DSL KEYWEB AG IP NETWORK |
Very High Details (2.2) 5 BotHunter Users 12 Infection Report 2009-12-25 to 2010-02-12 |
° 2003330(14): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
67.43.226.154 (CA)
TORONTO ONTARIO CANADA |
GTCOMM.NET / COMP GLOBOTECH COMMUNICATIONS |
Very High Details (2.0) 35 BotHunter Users 45 Infection Report 2009-12-30 to 2010-03-07 |
° 2000328(12): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2003330(9): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 2001569(1): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 2008271(1): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (1) ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
217.20.211.5 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
- / DSL INFORMTELECOM XXI LTD |
High Details (1.7) 1 BotHunter Users 1 Infection Report 2009-12-14 to 2009-12-14 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
67.43.236.59 (CA)
WELLAND ONTARIO CANADA |
GTCOMM.NET / COMP GLOBOTECH COMMUNICATIONS |
High Details (1.6) 1 BotHunter Users 1 Infection Report 2010-01-01 to 2010-01-01 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning ° 7777008(1): Malware Scan - Detected intense malware port scanning |
|
67.18.8.98 (US)
DALLAS TEXAS UNITED STATES |
THEPLANET.COM / DSL THEPLANET.COM INTERNET SERVICES INC |
High Details (1.5) 6 BotHunter Users 76 Infection Report 2010-03-05 to 2010-03-05 |
° 2009024(133): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting ° 3(69): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 7777005(64): Outbound Scan - Detected intense non-malware port scanning ° 3810007(16): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 2632222(1): not found ° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host |
|
211.233.38.117 (KR)
SEOUL SEOUL-T'UKPYOLSI KOREA, REPUBLIC OF |
- / DSL KIDC-INFRA-SERVERHOSTING-INEMPIRE |
Moderate Details (1.2) 1 BotHunter Users 2 Infection Report 2010-02-02 to 2010-02-02 |
° 2008260(2): CandC Communication - ET TROJAN Pointpack.kr Related Trojan Checkin ° 2009712(2): Egg Download - ET MALWARE Adware PlusDream - GET Config Download/Update ° 7777055(1): Outbound Scan - Detected intense non-malware port scanning (P2P) |
|
204.2.133.57 (US)
SUNNYVALE CALIFORNIA UNITED STATES |
VERIO.NET / DSL NTT AMERICA INC |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2010-01-03 to 2010-01-03 |
° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 2009456(2): CandC Communication - ET USER_AGENTS Suspicious User Agent (ClickAdsByIE) ° 3300003(2): Egg Download - BotHunter HTTP-based .exe Upload on backdoor port ° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 2000427(1): Egg Download - ET POLICY PE EXE Install Windows file download ° 2003603(1): CandC Communication - ET TROJAN W32.Virut.A joining an IRC Channel ° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host ° 22000046(1): Inbound Attack - ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k) |
|
217.170.64.5 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
ELTEL.NET / DSL JSC ELTEL NETWORK |
High Details (1.8) 1 BotHunter Users 5 Infection Report 2010-01-22 to 2010-01-22 |
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning ° 9906010(5): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (11) ° 2000328(4): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 9906015(4): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (16) ° 9906021(3): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (22) ° 9906026(3): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (27) ° 9906001(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (2) ° 9906005(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (6) ° 9906014(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (15) |
|
66.150.51.167 (US)
NEW YORK NEW YORK UNITED STATES |
PNAP.NET / DSL MIVA INC |
High Details (1.4) 19 BotHunter Users 58 Infection Report 2009-12-11 to 2010-02-17 |
° 7777005(6): Outbound Scan - Detected intense non-malware port scanning ° 2002299(3): CandC Communication - ET MALWARE Searchfeed.com Spyware 4 ° 2002300(3): CandC Communication - ET MALWARE Searchfeed.com Spyware 5 ° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host ° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 2002298(1): CandC Communication - ET MALWARE Searchfeed.com Spyware 3 ° 2003179(1): Egg Download - ET POLICY exe download without User Agent |
|
61.14.175.10 (HK)
- - HONG KONG |
ASIANETCOM.NET / DSL AKAMAI-HKG-NETBLK |
Maximum Details (3.0) 5 BotHunter Users 9 Infection Report 2010-01-19 to 2010-03-08 |
° 2000328(3): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2002196(3): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 2007669(1): CandC Communication - ET TROJAN Nulprot Checkin Response ° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3 ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
66.118.146.67 (US)
OLDSMAR FLORIDA UNITED STATES |
SAGONET.NET / COMP PRO MEDICA |
Maximum Details (2.7) 1 BotHunter Users 1 Infection Report 2009-12-24 to 2009-12-24 |
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2000328(2): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
209.8.23.28 (US)
HERNDON VIRGINIA UNITED STATES |
PCCWGLOBAL.NET / DSL BEYOND THE NETWORK AMERICA INC |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2010-01-30 to 2010-01-30 |
° 2009456(2): CandC Communication - ET USER_AGENTS Suspicious User Agent (ClickAdsByIE) ° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough) ° 2007743(1): CandC Communication - ET TROJAN Dialer.qn HTTP Request - Checkin ° 2008185(1): CandC Communication - ET TROJAN Win32 Cloaker Related Post Infection Checkin ° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
81.177.22.144 (RU)
YAKUTSK SAKHA RUSSIAN FEDERATION |
NETPLACE.RU / DSL NETPLACE PROFESSIONAL INTERNET SERVICES |
High Details (1.4) 9 BotHunter Users 10 Infection Report 2009-12-26 to 2010-03-08 |
° 2000328(8): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
201.21.72.26 (BR)
- - BRAZIL |
STERLINGSTUDENTS.NET / DSL COMITE GESTOR DA INTERNET NO BRASIL |
Maximum Details (2.7) 1 BotHunter Users 3 Infection Report 2009-12-23 to 2009-12-23 |
° 2001569(7): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 2008124(6): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..) ° 3(5): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 7777005(5): Outbound Scan - Detected intense non-malware port scanning ° 7777008(5): Malware Scan - Detected intense malware port scanning ° 1(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 52009201(3): Outbound Attack - ET CURRENT_EVENTS Conficker.b Shellcode ° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server ° 2002033(1): CandC Communication - ET TROJAN BOT - potential response ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
203.191.149.26 (CN)
SHANGHAI SHANGHAI CHINA |
- / DSL EDONG NETWORK |
Moderate Details (1.3) 51 BotHunter Users 86 Infection Report 2009-12-11 to 2010-03-05 |
° 2000328(6): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
125.40.126.201 (CN)
BEIJING BEIJING CHINA |
KD.NY.ADSL / DSL CHINA UNICOM HENAN PROVINCE NETWORK |
High Details (1.6) 1 BotHunter Users 32 Infection Report 2009-12-29 to 2009-12-29 |
° 3810005(32): Bot Space Access - ET ShadowServer confirmed botnet control server ° 7777005(22): Outbound Scan - Detected intense non-malware port scanning ° 3(12): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2001569(12): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(5): Malware Scan - Detected intense malware port scanning |
|
202.187.31.9 (MY)
KUALA LUMPUR WILAYAH PERSEKUTUAN MALAYSIA |
MEA50.JARING.MY / DSL JARING COMMUNICATIONS SDN BHD |
Moderate Details (1.2) 31 BotHunter Users 47 Infection Report 2009-12-31 to 2010-03-03 |
° 2001569(2): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 2002196(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3 ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
90.156.178.41 (RU)
- - RUSSIAN FEDERATION |
VEGA.RU / DSL SOVREMENNYE INTERNET TEHNOLOGII ZAO PROVIDE PUBLIC WEB SERVICES |
Very High Details (2.0) 6 BotHunter Users 25 Infection Report 2009-12-21 to 2010-03-05 |
° 7777005(15): Outbound Scan - Detected intense non-malware port scanning ° 3810003(9): Bot Space Access - BotHunter REPO confirmed botnet control server ° 3810007(5): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected |
|
70.38.68.137 (CA)
MONTREAL QUEBEC CANADA |
PRIVATEDNS.COM / COMP PRIVATE CUSTOMER - IWEB |
Moderate Details (1.3) 3 BotHunter Users 27 Infection Report 2010-01-03 to 2010-01-06 |
° 15165(18): CandC Communication - BACKDOOR Pushdo client communication attempt ° 2007771(18): Egg Download - ET TROJAN Pushdo Update URL Detected ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner |
|
64.211.203.91 (US)
- - UNITED STATES |
GBLX.NET / DSL GLOBAL CROSSING |
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2010-01-09 to 2010-01-09 |
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2002196(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3 ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
74.222.190.34 (US)
ORANGE CALIFORNIA UNITED STATES |
VPLS.NET / DSL VPLS INC. D/B/A KRYPT TECHNOLOGIES |
Maximum Details (3.1) 1 BotHunter Users 8 Infection Report 2010-02-15 to 2010-02-15 |
° 2000328(27): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2003330(14): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(9): Outbound Scan - Detected intense non-malware port scanning ° 2008450(8): CandC Communication - ET TROJAN Buzus.lyz Connect to CnC ° 9910014(5): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host ° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 2008124(1): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..) ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
61.235.117.80 (CN)
SHENZHEN GUANGDONG CHINA |
- / DSL CHINA RAILCOM GUANGDONG SHENZHEN SUBBRANCH |
High Details (1.5) 18 BotHunter Users 53 Infection Report 2009-12-27 to 2010-03-01 |
° 7777005(11): Outbound Scan - Detected intense non-malware port scanning ° 25(10): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 2001569(9): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 3810002(7): Bot Space Access - BotHunter MTC confirmed botnet control server ° 1(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810008(2): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777008(2): Malware Scan - Detected intense malware port scanning ° 2003088(1): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp) |
|
69.65.48.208 (US)
NEW YORK NEW YORK UNITED STATES |
LOUISIANADYNAMICS.COM / COMP GIGENET |
High Details (1.9) 2 BotHunter Users 28 Infection Report 2009-12-23 to 2009-12-24 |
° 2000328(116): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2008784(74): CandC Communication - ET TROJAN Lighty Variant or UltimateDefender POST ° 7777005(58): Outbound Scan - Detected intense non-malware port scanning ° 2008593(53): CandC Communication - ET TROJAN Ultimate Defender Fake AV Checkin ° 3(36): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2008189(17): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin ° 3810007(8): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 22351(3): Inbound Attack - REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode ° 2299913(3): Inbound Attack - ET SHELLCODE x86 0x90 unicode NOOP |
|
128.121.4.11 (US)
ENGLEWOOD COLORADO UNITED STATES |
VERIO.NET / DSL NTT AMERICA INC |
Very High Details (2.0) 1 BotHunter Users 1 Infection Report 2010-01-07 to 2010-01-07 |
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
195.13.58.57 (FR)
PARIS ILE-DE-FRANCE FRANCE |
OXYD.NET / DSL OXYD HOSTING SERVICES IP SUBNET |
Maximum Details (2.7) 2 BotHunter Users 3 Infection Report 2009-12-26 to 2010-01-01 |
° 2000328(4): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
69.162.92.162 (US)
DALLAS TEXAS UNITED STATES
LSTN.NET / DSL LIMESTONE NETWORKS INC
Very High Details (2.2) 10 BotHunter Users 113 Infection Report 2009-12-11 to 2010-02-08
° 2003330(11): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2000328(7): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 9910014(4): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 15165(2): CandC Communication - BACKDOOR Pushdo client communication attempt
° 2007771(2): Egg Download - ET TROJAN Pushdo Update URL Detected
° 2008124(1): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

89.47.237.52 (RO)
- - ROMANIA
EDOMENII.RO / DSL SC GLOBE HOSTING SRL
Very High Details (2.0) 8 BotHunter Users 21 Infection Report 2009-12-24 to 2010-01-04
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

72.20.25.194 (US)
FULLERTON CALIFORNIA UNITED STATES
STAMINUS.NET / DSL STAMINUS COMMUNICATIONS
Moderate Details (1.3) 1 BotHunter Users 5 Infection Report 2009-12-28 to 2009-12-28
° 3810005(6): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2009031(1): CandC Communication - ET TROJAN Possible Armitage Loader Request

62.109.19.71 (RU)
- - RUSSIAN FEDERATION
ISPSYSTEM.NET / DSL ISPSYSTEM AT MSM
High Details (1.9) 1 BotHunter Users 1 Infection Report 2009-12-24 to 2009-12-24
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

206.63.81.87 (US)
NEW YORK NEW YORK UNITED STATES
CONCEPTCABLE.COM / DSL CUTTING EDGE COMMUNICATIONS INC
High Details (1.5) 2 BotHunter Users 2 Infection Report 2009-12-24 to 2009-12-26
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server

209.62.85.110 (US)
BEAVERTON OREGON UNITED STATES
THEPLANET.COM / DSL OPTICAL JUNGLE
Very High Details (2.0) 1 BotHunter Users 1 Infection Report 2009-12-31 to 2009-12-31
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning

208.87.242.130 (US)
WALNUT CALIFORNIA UNITED STATES
PSYCHZ.NET / COMP PSYCHZ NETWORKS
Very High Details (2.2) 4 BotHunter Users 4 Infection Report 2009-12-27 to 2010-02-03
° 2001569(3): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810007(3): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777008(1): Malware Scan - Detected intense malware port scanning

199.237.199.54 (US)
ENGLEWOOD COLORADO UNITED STATES
MODACODA.COM.BR / DSL NTT AMERICA INC
High Details (1.5) 1 BotHunter Users 1 Infection Report 2010-01-22 to 2010-01-22
° 2007860(82): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(82): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner

122.139.57.37 (CN)
JILIN JILIN CHINA
NEW218.JL.CN / DSL CHINA UNICOM JILIN PROVINCE NETWORK
Very High Details (2.0) 1 BotHunter Users 9 Infection Report 2010-02-10 to 2010-02-10
° 2003492(22): not found
° 7777005(20): Outbound Scan - Detected intense non-malware port scanning
° 3(13): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3300007(7): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2008429(2): Egg Download - ET USER_AGENTS Suspicious User-Agent (HttpDownload)
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected

91.213.94.0 (UK)
- - UNITED KINGDOM
NACKSYSTEM.NET / DSL EU-ZZ
High Details (1.8) 3 BotHunter Users 129 Infection Report 2009-12-10 to 2009-12-12
° 7777005(95): Outbound Scan - Detected intense non-malware port scanning
° 2002854(48): CandC Communication - ET TROJAN Gozi/Orderjack Reporting User Activity
° 3(16): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906025(3): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (26)
° 2002400(1): not found
° 2008501(1): CandC Communication - ET TROJAN Peed Report to Controller

74.53.76.34 (US)
DALLAS TEXAS UNITED STATES
THEPLANET.COM / COMP THEPLANET.COM INTERNET SERVICES INC
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2009-12-24 to 2009-12-24
° 15165(1): CandC Communication - BACKDOOR Pushdo client communication attempt
° 2007771(1): Egg Download - ET TROJAN Pushdo Update URL Detected

91.197.130.19 (UA)
KIEV KYYIV UKRAINE
DATA-XATA.NET / DSL TOV DATA-XATA
High Details (1.9) 3 BotHunter Users 8 Infection Report 2009-12-25 to 2010-01-20
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003179(1): Egg Download - ET POLICY exe download without User Agent
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning

206.59.139.195 (US)
AUSTIN TEXAS UNITED STATES
WAYPORT.NET / DSL WAYPORT INC
Moderate Details (1.3) 11 BotHunter Users 449 Infection Report 2009-12-12 to 2010-01-03
° 2000419(3): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2008124(3): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2000352(1): Attack Prep - ET ATTACK RESPONSE IRC - dns request on non-std port
° 2000427(1): Egg Download - ET POLICY PE EXE Install Windows file download
° 2001685(1): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send an image
° 2001894(1): Egg Download - ET MALWARE ToolbarPartner Spyware Agent Partner Install
° 2003603(1): CandC Communication - ET TROJAN W32.Virut.A joining an IRC Channel
° 2632222(1): not found

83.222.3.170 (RU)
- - RUSSIAN FEDERATION
MASTERHOST.RU / DSL MASTERHOST IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION
High Details (1.8) 1 BotHunter Users 3 Infection Report 2010-01-22 to 2010-01-22
° 2000328(29): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 9906001(6): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (2)
° 9906026(6): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (27)
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning
° 9906021(3): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (22)
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906015(2): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (16)
° 9906008(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (9)
° 9906018(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (19)

210.51.58.103 (CN)
SHANGHAI SHANGHAI CHINA
ASIACORP.NET / DSL SHANGHAI CAOHEJING IDC OF CHINA NETCOM
High Details (1.7) 1 BotHunter Users 1 Infection Report 2009-12-30 to 2009-12-30
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

72.20.54.124 (US)
FULLERTON CALIFORNIA UNITED STATES
STAMINUS.NET / DSL STAMINUS COMMUNICATIONS
High Details (1.6) 1 BotHunter Users 1 Infection Report 2009-12-24 to 2009-12-24
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server

88.214.202.105 (UK)
- - UNITED KINGDOM
- / DSL REAL INTERNATIONAL BUSINESS CORP
High Details (1.4) 1 BotHunter Users 1 Infection Report 2010-02-17 to 2010-02-17
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

85.190.0.3 (DE)
- - GERMANY
FREENODE.NET / DSL PROBE NETWORKS COLO3-TELECITY FFM
Maximum Details (2.6) 2 BotHunter Users 2 Infection Report 2010-02-24 to 2010-02-25
° 25(4): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2000352(1): Attack Prep - ET ATTACK RESPONSE IRC - dns request on non-std port
° 2000427(1): Egg Download - ET POLICY PE EXE Install Windows file download
° 3810009(1): Bot Space Access - ET COMPROMISED Known Compromised or Hostile Host Traffic
° 22000346(1): Inbound Attack - ET ATTACK RESPONSE IRC - Name response on non-std port

95.169.190.205 (RU)
- - RUSSIAN FEDERATION
KEYWEB.DE / DSL KEYWEB ONLINE LIMITED IP NETWORK
Moderate Details (1.2) 9 BotHunter Users 32 Infection Report 2009-12-28 to 2010-01-07
° 3810007(5): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2008100(3): Egg Download - ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner

89.149.244.211 (DE)
- - GERMANY
INTERNETSERVICETEAM.COM / DSL NETDIREKT E.K
High Details (1.7) 1 BotHunter Users 1 Infection Report 2010-02-23 to 2010-02-23
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008501(1): CandC Communication - ET TROJAN Peed Report to Controller
° 2009353(1): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)
° 2009354(1): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (2)
° 2009388(1): Egg Download - ET TROJAN Bredolab Downloader Response Binaries from Controller
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

213.171.218.95 (UK)
LONDON ENGLAND UNITED KINGDOM
LIVEDNS.ORG.UK / DSL UK'S LARGEST WEB HOSTING COMPANY
High Details (1.5) 1 BotHunter Users 1 Infection Report 2010-01-22 to 2010-01-22
° 2007860(82): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(82): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner

64.124.109.0 (US)
SAN JOSE CALIFORNIA UNITED STATES
ABOVE.NET / COMP ABOVENET COMMUNICATIONS INC
Moderate Details (1.2) 2 BotHunter Users 25 Infection Report 2009-12-09 to 2009-12-10
° 7777005(32): Outbound Scan - Detected intense non-malware port scanning
° 2003422(18): CandC Communication - ET MALWARE Weatherbug Command Activity
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2007805(1): CandC Communication - ET TROJAN Blink.com related Backdoor Checkin

204.2.136.66 (US)
ENGLEWOOD COLORADO UNITED STATES
VERIO.NET / DSL NTT AMERICA INC
Moderate Details (1.3) 1 BotHunter Users 4 Infection Report 2010-01-26 to 2010-01-26
° 2002196(11): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2009880(5): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 2007774(1): CandC Communication - ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin
° 2632222(1): not found

64.85.165.21 (US)
EAST LANSING MICHIGAN UNITED STATES
CORENETWORKS.NET / DSL GREAT LAKES COMNET INC
High Details (1.5) 1 BotHunter Users 1 Infection Report 2009-12-24 to 2009-12-24
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server

67.43.236.119 (CA)
WELLAND ONTARIO CANADA
GTCOMM.NET / COMP GLOBOTECH COMMUNICATIONS
Moderate Details (1.3) 2 BotHunter Users 2 Infection Report 2009-12-26 to 2009-12-31
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server

207.166.222.100 (US)
CHARDON OHIO UNITED STATES
N2NET.NET / COMP COX CONSULTING
High Details (1.5) 1 BotHunter Users 1 Infection Report 2010-01-22 to 2010-01-22
° 2007860(82): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(82): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner

170.97.198.99 (US)
WASHINGTON DISTRICT OF COLUMBIA UNITED STATES
HUD.GOV / DSL DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT
Moderate Details (1.3) 1 BotHunter Users 2 Infection Report 2010-01-28 to 2010-01-28
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server

67.215.66.132 (US)
SAN FRANCISCO CALIFORNIA UNITED STATES
OPENDNS.COM / DSL OPENDNS LLC
High Details (1.7) 9 BotHunter Users 14 Infection Report 2009-12-25 to 2010-03-08
° 3(5): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2001569(5): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810007(3): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2000328(1): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)

81.94.25.0 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION
MNS.RU / DSL CREDOLINK ISP VPN POOL
Very High Details (2.0) 1 BotHunter Users 22 Infection Report 2009-12-10 to 2009-12-10
° 7777005(55): Outbound Scan - Detected intense non-malware port scanning
° 9906025(25): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (26)
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906002(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (3)
° 9906004(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (5)
° 9906008(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (9)
° 9906021(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (22)
° 100000272(1): not found
° 100000274(1): not found

208.109.177.30 (US)
SCOTTSDALE ARIZONA UNITED STATES
SECURESERVER.NET / DSL GODADDY.COM INC
Maximum Details (3.3) 10 BotHunter Users 72 Infection Report 2010-01-05 to 2010-01-22
° 2003088(15): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp)
° 2003636(15): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU)
° 2001569(8): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 25(7): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2003179(2): Egg Download - ET POLICY exe download without User Agent
° 3810001(2): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2009024(1): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting

69.162.121.234 (US)
DALLAS TEXAS UNITED STATES
LSTN.NET / DSL LIMESTONE NETWORKS INC
High Details (1.4) 3 BotHunter Users 66 Infection Report 2009-12-22 to 2009-12-24
° 2007771(298): Egg Download - ET TROJAN Pushdo Update URL Detected
° 15165(293): CandC Communication - BACKDOOR Pushdo client communication attempt
° 7777005(13): Outbound Scan - Detected intense non-malware port scanning
° 2299913(8): Inbound Attack - ET SHELLCODE x86 0x90 unicode NOOP
° 22351(6): Inbound Attack - REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode
° 3810007(6): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008189(2): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin
° 2008944(2): CandC Communication - ET TROJAN TDSServ or Tidserv variant Checkin

78.159.96.95 (DE)
- - GERMANY
INTERNETSERVICETEAM.COM / DSL NETDIREKT E.K
High Details (1.4) 1 BotHunter Users 1 Infection Report 2010-02-26 to 2010-02-26
° 2007671(2): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
° 2007774(1): CandC Communication - ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin
° 2008232(1): CandC Communication - ET TROJAN Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net likely)
° 2008501(1): CandC Communication - ET TROJAN Peed Report to Controller
° 2009353(1): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)
° 2009354(1): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (2)
° 2009388(1): Egg Download - ET TROJAN Bredolab Downloader Response Binaries from Controller
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

64.235.47.65 (AU)
- - AUSTRALIA
SERVERPOINT.COM / COMP JASON P. BOOTH
Maximum Details (3.0) 15 BotHunter Users 52 Infection Report 2010-01-13 to 2010-03-03
° 3(66): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810007(48): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(14): Outbound Scan - Detected intense non-malware port scanning
° 2000328(8): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 1(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003330(4): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(4): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 25(3): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2007669(2): CandC Communication - ET TROJAN Nulprot Checkin Response

90.156.153.90 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION
MASTERHOST.RU / DSL MASTERHOST.RU IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION
Very High Details (2.2) 1 BotHunter Users 5 Infection Report 2010-01-16 to 2010-01-16
° 2009024(13): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 3810001(4): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(4): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(4): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning

195.149.74.67 (DE)
- - GERMANY
SERVER-HOME.NET / DSL MARKUS BACH BETRIEBS GESELLSCHAFT MBH
Moderate Details (1.3) 8 BotHunter Users 231 Infection Report 2010-01-15 to 2010-02-16
° 2008124(151): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 3(17): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810005(12): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(10): Outbound Scan - Detected intense non-malware port scanning
° 7777008(4): Malware Scan - Detected intense malware port scanning
° 3300003(1): Egg Download - BotHunter HTTP-based .exe Upload on backdoor port

113.65.208.110 (CN)
GUANGZHOU GUANGDONG CHINA
163DATA.COM.CN / DSL CHINANET GUANGDONG PROVINCE NETWORK
Moderate Details (1.2) 1 BotHunter Users 2 Infection Report 2010-02-12 to 2010-02-12
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 2002974(2): CandC Communication - ET TROJAN Backdoor.Hupigon Possible Control Connection Being Established

193.9.28.62 (UA)
- - UKRAINE
- / DSL FLP KOCHENOV ALEKSEJ VLADISLAVOVICH
High Details (1.4) 2 BotHunter Users 3 Infection Report 2009-12-27 to 2010-01-01
° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain

115.182.49.27 (CN)
BEIJING BEIJING CHINA
OPENTV.COM / DSL BEIJING BITONE UNITED NETWORKS TECHNOLOGY SERVICE CO. LTD
Very High Details (2.2) 6 BotHunter Users 60 Infection Report 2009-12-14 to 2010-01-26
° 2003607(25): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 7777005(12): Outbound Scan - Detected intense non-malware port scanning
° 2003219(7): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 3810007(6): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2003179(5): Egg Download - ET POLICY exe download without User Agent
° 2003438(5): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server

123.54.20.72 (CN)
BEIJING BEIJING CHINA
163DATA.COM.CN / DSL CHINANET HENAN PROVINCE NETWORK
High Details (1.7) 1 BotHunter Users 1 Infection Report 2010-02-23 to 2010-02-23
° 2001569(3): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

221.9.253.11 (CN)
BEIJING BEIJING CHINA
NEW218.JL.CN / DSL CHINA UNICOM JILIN PROVINCE NETWORK
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2010-02-11 to 2010-02-11
° 2008564(2): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning

64.211.162.168 (US)
HERMITAGE TENNESSEE UNITED STATES
GBLX.NET / DSL GLOBAL CROSSING
High Details (1.8) 1 BotHunter Users 7 Infection Report 2009-12-28 to 2009-12-28
° 2632222(7): not found
° 7777005(7): Outbound Scan - Detected intense non-malware port scanning
° 2003179(1): Egg Download - ET POLICY exe download without User Agent
° 2003422(1): CandC Communication - ET MALWARE Weatherbug Command Activity

72.20.27.204 (US)
FULLERTON CALIFORNIA UNITED STATES
STAMINUS.NET / DSL STAMINUS COMMUNICATIONS
Moderate Details (1.3) 2 BotHunter Users 2 Infection Report 2010-02-28 to 2010-03-06
° 2007625(1): CandC Communication - ET TROJAN Pitbull IRCbotnet Commands
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server

121.194.0.210 (CN)
BEIJING BEIJING CHINA
- / DSL IDCVIP
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2010-02-18 to 2010-02-18
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning

66.135.41.29 (US)
SAN ANTONIO TEXAS UNITED STATES
HAJINC.COM / DSL SERVERBEACH
Maximum Details (2.5) 130 BotHunter Users 392 Infection Report 2009-12-22 to 2010-03-08
° 2000328(82): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3(42): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003330(34): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777005(32): Outbound Scan - Detected intense non-malware port scanning
° 9910014(26): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 3810007(16): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2009024(3): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2003179(1): Egg Download - ET POLICY exe download without User Agent

218.60.1.48 (CN)
SHENYANG LIAONING CHINA
ONLINE.LN.CN / DSL CHINA UNICOM LIAONING PROVINCE NETWORK
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2009-12-30 to 2009-12-30
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server

117.87.13.111 (CN)
BEIJING BEIJING CHINA
163DATA.COM.CN / DIAL CHINANET JIANGSU PROVINCE NETWORK
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2010-02-10 to 2010-02-10
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2007962(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Checkin
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning

195.122.131.9 (DE)
- - GERMANY
- / DSL TERRASPACE-GMBH
Moderate Details (1.3) 7 BotHunter Users 17 Infection Report 2009-12-28 to 2010-03-05
° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2003927(1): Egg Download - ET USER_AGENTS Suspicious User-Agent (HTTPTEST) - Seen used by downloaders
° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 2632222(1): not found

72.167.232.49 (US)
SCOTTSDALE ARIZONA UNITED STATES
SECURESERVER.NET / DSL GODADDY.COM INC
High Details (1.5) 1 BotHunter Users 2 Infection Report 2010-01-22 to 2010-01-22
° 2007860(99): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(99): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner

113.34.82.17 (JP)
- - JAPAN
STATIC.ZOOT.JP / DSL WHO-S-NEXT CO. LTD
High Details (1.7) 8 BotHunter Users 54 Infection Report 2010-01-02 to 2010-02-21
° 2003179(13): Egg Download - ET POLICY exe download without User Agent
° 3810005(10): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(10): Outbound Scan - Detected intense non-malware port scanning
° 3(6): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003219(6): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2009292(6): CandC Communication - ET TROJAN Hupigon CnC Server Response
° 3810007(5): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2003438(3): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003607(3): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting

78.37.174.60 (RU)
ST. PETERSBURG SAINT PETERSBURG CITY RUSSIAN FEDERATION
AVANGARDDSL.RU / DIAL OJSC NORTH-WEST TELECOM
Moderate Details (1.3) 1 BotHunter Users 2 Infection Report 2009-12-23 to 2009-12-23
° 2007711(3): CandC Communication - ET TROJAN Srizbi registering with controller
° 3810006(2): Bot Space Access - ET ShadowServer confirmed botnet control server

69.64.39.201 (US)
NEW YORK NEW YORK UNITED STATES
STARTDEDICATED.COM / DSL HOSTING SOLUTIONS INTERNATIONAL INC
High Details (1.6) 2 BotHunter Users 2 Infection Report 2010-01-03 to 2010-01-17
° 2000328(12): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning

90.156.178.0 (RU)
- - RUSSIAN FEDERATION
VEGA.RU / DSL SOVREMENNYE INTERNET TEHNOLOGII ZAO PROVIDE PUBLIC WEB SERVICES
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2010-02-25 to 2010-02-25
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

205.134.175.96 (US)
COLUMBIA MARYLAND UNITED STATES
NATIVEBROADCAST.COM / DSL AINET HOSTING OPERATIONS
High Details (1.5) 1 BotHunter Users 1 Infection Report 2010-01-22 to 2010-01-22
° 2007860(82): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(82): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner

78.159.121.57 (DE)
BERLIN BERLIN GERMANY
INTERNETSERVICETEAM.COM / DSL NETDIREKT E.K
High Details (1.5) 2 BotHunter Users 21 Infection Report 2009-12-09 to 2009-12-10
° 2008271(20): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (1)
° 7777005(20): Outbound Scan - Detected intense non-malware port scanning
° 2009776(3): Egg Download - ET TROJAN Oficla Downloader Activity Observed
° 2008272(2): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (2)

74.204.170.230 (US)
ASHBURN VIRGINIA UNITED STATES
DEFENDERHOSTING.COM / DSL DEFENDER TECHNOLOGIES GROUP LLC
Very High Details (2.0) 7 BotHunter Users 7 Infection Report 2009-12-31 to 2010-03-05
° 2003330(17): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2000328(10): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 9910014(4): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain

199.44.235.98 (US)
TALLAHASSEE FLORIDA UNITED STATES |
THESANKENGROUP.COM / DSL NETWORK TALLAHASSEE |
High Details (1.5) 1 BotHunter Users 2 Infection Report 2010-01-22 to 2010-01-22 |
° 2007860(99): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0) ° 2008564(99): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request) ° 7777005(4): Outbound Scan - Detected intense non-malware port scanning ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner |
|
93.134.77.72 (DE)
PASSAU BAYERN GERMANY |
EINSUNDEINS.DE / DSL 1&1 INTERNET AG |
High Details (1.7) 1 BotHunter Users 1 Infection Report 2009-12-09 to 2009-12-09 |
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller ° 3810002(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
137.83.204.123 (US)
AKRON OHIO UNITED STATES |
OMNOVA.COM / DSL GENCORP RESEARCH |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2010-01-27 to 2010-01-27 |
° 2001569(5): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server |
|
203.142.1.10 (MY)
KUALA LUMPUR WILAYAH PERSEKUTUAN MALAYSIA |
SHINJIRU.COM / DSL SHINJIRU TECHNOLOGY SDN. BHD |
Very High Details (2.2) 13 BotHunter Users 19 Infection Report 2010-01-05 to 2010-03-05 |
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3810008(2): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 2009024(1): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting |
|
212.101.123.10 (TR)
ISTANBUL ISTANBUL TURKEY |
- / DSL MYNET |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2009-12-28 to 2009-12-28 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
206.161.193.131 (US)
HERNDON VIRGINIA UNITED STATES |
PCCWGLOBAL.NET / DSL BEYOND THE NETWORK AMERICA INC |
Very High Details (2.2) 56 BotHunter Users 1144 Infection Report 2009-12-22 to 2010-03-06 |
° 2000328(150): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2001569(99): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777005(58): Outbound Scan - Detected intense non-malware port scanning ° 2003330(40): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3810007(27): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 2008271(24): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (1) ° 2008450(23): CandC Communication - ET TROJAN Buzus.lyz Connect to CnC ° 3(18): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 7777008(16): Malware Scan - Detected intense malware port scanning ° 9910014(11): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
217.23.6.17 (NL)
- - NETHERLANDS |
WORLDSTREAM.NL / DSL WORLDSTREAM |
Very High Details (2.0) 1 BotHunter Users 1 Infection Report 2010-01-05 to 2010-01-05 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
200.18.33.124 (BR)
PORTO ALEGRE RIO GRANDE DO SUL BRAZIL |
CPD.UFSM.BR / DSL COMITE GESTOR DA INTERNET NO BRASIL |
High Details (1.8) 1 BotHunter Users 1 Infection Report 2009-12-23 to 2009-12-23 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
84.243.196.137 (NL)
- - NETHERLANDS |
DNSKA.COM / DSL PORTNAP INTERNET SERVICES |
Very High Details (2.0) 1 BotHunter Users 1 Infection Report 2010-03-02 to 2010-03-02 |
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
195.122.131.5 (DE)
- - GERMANY |
- / DSL TERRASPACE-GMBH |
Very High Details (2.1) 5 BotHunter Users 23 Infection Report 2010-02-23 to 2010-03-02 |
° 7777005(15): Outbound Scan - Detected intense non-malware port scanning ° 2632222(13): not found ° 1(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2001219(4): Outbound Attack - ET SCAN Potential SSH Scan (20 in 60 secs) ° 3810004(3): Bot Space Access - BotHunter REPO confirmed botnet control server ° 2003219(2): CandC Communication - ET MALWARE Alexa Spyware Reporting |
|
67.43.229.74 (CA)
TERREBONNE QUEBEC CANADA |
SHELL-SOLUTION.COM / COMP COLO-SERV COMMUNICATIONS |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2009-12-22 to 2009-12-22 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(2): Malware Scan - Detected intense malware port scanning ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
194.67.35.171 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
FAQ.RU / DSL SOVINTEL-MSK-XDSL-CLIENTNETWORK-NET |
High Details (1.6) 1 BotHunter Users 2 Infection Report 2010-02-05 to 2010-02-05 |
° 3(8): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2406001(2): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (2) ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 2000328(1): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2406027(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (28) ° 9906015(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (16) |
|
66.90.108.46 (US)
WOODSTOCK ILLINOIS UNITED STATES |
EDIGITALSTUDIOS.COM / DSL FDCSERVERS.NET |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2009-12-26 to 2009-12-26 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
218.93.205.38 (CN)
BEIJING BEIJING CHINA |
163DATA.COM.CN / DSL CHINANET JIANGSU PROVINCE NETWORK |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2009-12-31 to 2009-12-31 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(2): Malware Scan - Detected intense malware port scanning ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server |
|
62.128.152.250 (UK)
LONDON ENGLAND UNITED KINGDOM |
CALNEA.COM / DSL [ NETBENEFIT DEDICATED SERVERS SOVEREIGN HOUSE] |
High Details (1.7) 2 BotHunter Users 3 Infection Report 2010-01-21 to 2010-02-20 |
° 2003179(1): Egg Download - ET POLICY exe download without User Agent ° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting ° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
125.87.1.116 (CN)
CHONGQING CHONGQING CHINA |
163DATA.COM.CN / DSL CHINANET CHONGQING PROVINCE NETWORK |
High Details (1.5) 1 BotHunter Users 1 Infection Report 2009-12-31 to 2009-12-31 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server |
|
212.77.140.246 (RU)
- - RUSSIAN FEDERATION |
RIKT.RU / DSL JSC RITC |
High Details (1.8) 1 BotHunter Users 1 Infection Report 2010-02-02 to 2010-02-02 |
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request) ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning ° 9906008(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (9) |
|
174.132.192.187 (US)
DALLAS TEXAS UNITED STATES |
THEPLANET.COM / COMP THEPLANET.COM INTERNET SERVICES INC |
Very High Details (2.0) 1 BotHunter Users 1 Infection Report 2010-02-04 to 2010-02-04 |
° 2003330(8): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
79.140.81.80 (IT)
PALERMO SICILIA ITALY |
- / DSL AKAMAI SERVERS IN TELECOM ITALIA INTERNATIONAL BACKBONE |
Moderate Details (1.2) 2 BotHunter Users 4 Infection Report 2010-02-11 to 2010-02-11 |
° 2002196(4): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 3300007(3): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host ° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3 ° 7777055(1): Outbound Scan - Detected intense non-malware port scanning (P2P) |
|
97.65.135.183 (US)
CHARLOTTE NORTH CAROLINA UNITED STATES |
TWTELECOM.NET / DSL TW TELECOM HOLDINGS INC |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2009-12-09 to 2009-12-09 |
° 80808080(7): not found ° 2003579(2): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough) ° 2003422(1): CandC Communication - ET MALWARE Weatherbug Command Activity |
|
194.109.20.90 (NL)
AMSTERDAM NOORD-HOLLAND NETHERLANDS |
XS4ALL.NET / DSL XS4ALL SERVERS |
Very High Details (2.0) 31 BotHunter Users 534 Infection Report 2009-12-10 to 2010-02-21 |
° 7777005(86): Outbound Scan - Detected intense non-malware port scanning ° 3800002(47): Bot Space Access - BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host ° 3(18): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003620(9): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity ° 2001219(3): Outbound Attack - ET SCAN Potential SSH Scan (20 in 60 secs) |
|
195.229.237.38 (AE)
DUBAI DUBAI UNITED ARAB EMIRATES |
NET.AE / DSL EMIRATES INTERNET |
Very High Details (2.2) 14 BotHunter Users 76 Infection Report 2010-01-03 to 2010-02-08 |
° 7777005(30): Outbound Scan - Detected intense non-malware port scanning ° 3810009(26): Bot Space Access - ET COMPROMISED Known Compromised or Hostile Host Traffic ° 3(5): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 25(4): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2001569(1): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 2003088(1): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp) ° 2003636(1): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU) ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server |
|
61.121.247.163 (JP)
TOKYO TOKYO JAPAN |
E-FRONTIER.CO.JP / DSL LINK INCORPORATED |
High Details (1.8) 8 BotHunter Users 12 Infection Report 2010-01-29 to 2010-02-24 |
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2009024(3): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting ° 3810006(3): Bot Space Access - ET ShadowServer confirmed botnet control server ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 2008859(1): CandC Communication - ET TROJAN Downloader Win32.Small.agoy Checkin ° 3810004(1): Bot Space Access - BotHunter REPO confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
145.117.12.60 (NL)
AMSTERDAM NOORD-HOLLAND NETHERLANDS |
AMC.NL / DSL ACADEMIC MEDICAL CENTRE |
High Details (1.7) 1 BotHunter Users 1 Infection Report 2010-02-24 to 2010-02-24 |
° 2001569(5): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
67.228.10.28 (US)
DALLAS TEXAS UNITED STATES |
SOFTLAYER.COM / COMP SOFTLAYER TECHNOLOGIES INC |
Very High Details (2.0) 7 BotHunter Users 7 Infection Report 2009-12-29 to 2010-03-05 |
° 2000328(10): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
61.54.24.10 (CN)
BEIJING BEIJING CHINA |
HN.KD.DHCP / DSL CHINA UNICOM HENAN PROVINCE NETWORK |
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2010-02-09 to 2010-02-09 |
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request) |
|
219.144.254.208 (CN)
XIAN SHAANXI CHINA |
163DATA.COM.CN / DSL CHINANET SHANXI(SN) PROVINCE NETWORK |
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2010-02-18 to 2010-02-18 |
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2007962(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Checkin ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
204.16.244.222 (US)
PITTSBURGH PENNSYLVANIA UNITED STATES |
TERASWITCH.COM / DSL G3 TECHNOLOGIES INC |
Very High Details (2.0) 6 BotHunter Users 6 Infection Report 2010-01-09 to 2010-03-08 |
° 2003330(10): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 9910014(4): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
216.88.180.29 (US)
- CONNECTICUT UNITED STATES |
- / DSL THE LUTHERAN CHURCH OF MISSOURI SYNOD |
High Details (1.5) 1 BotHunter Users 1 Infection Report 2010-01-22 to 2010-01-22 |
° 2007860(82): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0) ° 2008564(82): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request) ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner |
|
89.149.254.182 (DE)
BERLIN BERLIN GERMANY |
INTERNETSERVICETEAM.COM / DSL NETDIREKT E.K |
High Details (1.6) 1 BotHunter Users 46 Infection Report 2010-03-02 to 2010-03-02 |
° 2008271(46): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (1) ° 7777005(39): Outbound Scan - Detected intense non-malware port scanning ° 2632222(5): not found ° 3810004(4): Bot Space Access - BotHunter REPO confirmed botnet control server ° 2002167(2): Egg Download - ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related |
|
216.245.203.122 (US)
DALLAS TEXAS UNITED STATES |
LSTN.NET / DSL LIMESTONE NETWORKS INC |
Maximum Details (2.6) 5 BotHunter Users 22 Infection Report 2009-12-11 to 2009-12-24 |
° 2007771(75): Egg Download - ET TROJAN Pushdo Update URL Detected ° 15165(70): CandC Communication - BACKDOOR Pushdo client communication attempt ° 2001569(22): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(18): Malware Scan - Detected intense malware port scanning ° 2008501(8): CandC Communication - ET TROJAN Peed Report to Controller ° 2009353(8): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1) ° 7777005(6): Outbound Scan - Detected intense non-malware port scanning ° 2001582(4): Outbound Attack - ET SCAN Behavioral Unusual Port 143{3|4} traffic, Potential Scan or Infection (40 in 60 secs) ° 52009201(4): Outbound Attack - ET CURRENT_EVENTS Conficker.b Shellcode ° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner |
|
190.174.67.119 (AR)
BUENOS AIRES BUENOS AIRES ARGENTINA |
COM.AR / DSL TELEFONICA DE ARGENTINA |
Moderate Details (1.3) 2 BotHunter Users 5 Infection Report 2009-12-27 to 2010-01-08 |
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 3810002(1): Bot Space Access - BotHunter MTC confirmed botnet control server |
|
81.95.135.178 (RU)
MOSCOW MOSCOW CITY RUSSIAN FEDERATION |
MOSTCOM.RU / DSL MOSTCOM PK JOINT STOCK COMPANY |
High Details (1.8) 1 BotHunter Users 1 Infection Report 2010-01-22 to 2010-01-22 |
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2000328(3): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 9906026(2): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (27) ° 9906001(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (2) ° 9906018(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (19) ° 9906021(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (22) ° 9906025(1): Bot Space Access - ET RBN Known Russian Business Network Monitored Domains (26) |
|
212.43.199.36 (FR)
PARIS ILE-DE-FRANCE FRANCE |
CLARA.NET / DSL CLARANET FRANCE NOC AND CUSTOMER NETWORK |
Very High Details (2.0) 4 BotHunter Users 4 Infection Report 2009-12-24 to 2010-02-08 |
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
202.108.22.5 (CN)
BEIJING BEIJING CHINA |
BTA.NET.CN / DSL CHINA UNICOM BEIJING PROVINCE NETWORK |
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2010-02-14 to 2010-02-14 |
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request) ° 7777005(1): Outbound Scan - Detected intense non-malware port scanning |
|
221.238.27.139 (CN)
TIANJIN TIANJIN CHINA |
163DATA.COM.CN / DSL TIANJIN-WANGSUKEJI-LTD |
High Details (1.7) 1 BotHunter Users 1 Infection Report 2010-02-18 to 2010-02-18 |
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 2000427(1): Egg Download - ET POLICY PE EXE Install Windows file download ° 2003492(1): not found ° 2008429(1): Egg Download - ET USER_AGENTS Suspicious User-Agent (HttpDownload) ° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host |
|
81.26.211.130 (NL)
AMSTERDAM NOORD-HOLLAND NETHERLANDS |
AS39556.NET / DSL EASYHOSTING-EASYCOLO |
Very High Details (2.0) 4 BotHunter Users 4 Infection Report 2009-12-23 to 2010-02-23 |
° 2003330(10): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
218.93.205.100 (CN)
BEIJING BEIJING CHINA |
163DATA.COM.CN / DSL CHINANET JIANGSU PROVINCE NETWORK |
Moderate Details (1.3) 2 BotHunter Users 2 Infection Report 2010-01-01 to 2010-01-02 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(2): Malware Scan - Detected intense malware port scanning ° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server |
|
168.144.248.62 (CA)
TORONTO ONTARIO CANADA |
- / DSL SOFTCOM TECHNOLOGY CONSULTING INC |
High Details (1.4) 2 BotHunter Users 6 Infection Report 2009-12-30 to 2010-01-04 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 2003088(1): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp) ° 2003636(1): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU) |
|
87.242.126.153 (RU)
- - RUSSIAN FEDERATION |
VL.RU / COMP THERE ARE EIGHT 1U SERVERS FOR WEB PROJECTS. SERVERS ARE CONNECTED TO |
Maximum Details (2.5) 7 BotHunter Users 7 Infection Report 2010-01-05 to 2010-03-01 |
° 2003330(8): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 2000328(3): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2009897(1): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send html content ° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
60.18.66.54 (CN)
BEIJING BEIJING CHINA |
DCB.LN.CN / DSL CHINA UNICOM LIAONING PROVINCE NETWORK |
Moderate Details (1.2) 1 BotHunter Users 1 Infection Report 2010-02-12 to 2010-02-12 |
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2002974(1): CandC Communication - ET TROJAN Backdoor.Hupigon Possible Control Connection Being Established |
|
67.228.53.183 (US)
MINNEAPOLIS MINNESOTA UNITED STATES |
SLAVHOST.COM / COMP NIKOLAI LIDIAEV |
Very High Details (2.0) 4 BotHunter Users 4 Infection Report 2010-01-15 to 2010-03-04 |
° 2003330(5): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
89.149.208.241 (DE)
BERLIN BERLIN GERMANY |
INTERNETSERVICETEAM.COM / DSL NETDIREKT E.K |
Very High Details (2.2) 1 BotHunter Users 1 Infection Report 2010-01-05 to 2010-01-05 |
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 7777008(3): Malware Scan - Detected intense malware port scanning ° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain |
|
70.176.110.44 (US)
TUCSON ARIZONA UNITED STATES |
COX.NET / DSL COX COMMUNICATIONS |
Maximum Details (2.5) 3 BotHunter Users 19 Infection Report 2010-02-11 to 2010-02-13 |
° 7777005(20): Outbound Scan - Detected intense non-malware port scanning ° 3(9): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810007(9): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 2000328(5): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 3810001(4): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810005(4): Bot Space Access - ET ShadowServer confirmed botnet control server ° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
202.187.31.18 (MY)
KUALA LUMPUR WILAYAH PERSEKUTUAN MALAYSIA |
MEA50.JARING.MY / DSL JARING COMMUNICATIONS SDN BHD |
Very High Details (2.0) 15 BotHunter Users 26 Infection Report 2009-12-31 to 2010-02-07 |
° 1(10): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2001569(7): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 25(5): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 ° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 3810001(2): Bot Space Access - BotHunter MTC confirmed botnet control server ° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 7777005(2): Outbound Scan - Detected intense non-malware port scanning ° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3 |
|
74.222.1.115 (US)
LOS ANGELES CALIFORNIA UNITED STATES |
VRTSERVERS.NET / DSL VRTSERVERS INC |
High Details (1.5) 1 BotHunter Users 122 Infection Report 2010-01-15 to 2010-01-15 |
° 15165(187): CandC Communication - BACKDOOR Pushdo client communication attempt ° 2007771(186): Egg Download - ET TROJAN Pushdo Update URL Detected ° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count |
|
64.38.232.180 (US)
CALABASAS CALIFORNIA UNITED STATES |
- / COMP DOMAIN DEVELOPMENT |
Maximum Details (3.0) 219 BotHunter Users 700 Infection Report 2009-12-09 to 2010-03-08 |
° 2002196(20): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2 ° 2000419(9): Egg Download - ET POLICY PE EXE or DLL Windows file download ° 3300007(9): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host ° 2009456(8): CandC Communication - ET USER_AGENTS Suspicious User Agent (ClickAdsByIE) ° 2009880(8): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3 ° 2003603(5): CandC Communication - ET TROJAN W32.Virut.A joining an IRC Channel ° 2000352(4): Attack Prep - ET ATTACK RESPONSE IRC - dns request on non-std port ° 2000427(4): Egg Download - ET POLICY PE EXE Install Windows file download ° 7777005(4): Outbound Scan - Detected intense non-malware port scanning |
|
66.197.94.155 (US)
ASHBURN VIRGINIA UNITED STATES |
4PH.COM / DSL CARPATHIA HOSTING INC |
Very High Details (2.0) 34 BotHunter Users 44 Infection Report 2009-12-24 to 2010-03-08 |
° 2003330(11): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 9910014(5): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 7777005(4): Outbound Scan - Detected intense non-malware port scanning ° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810008(2): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
|
67.228.250.128 (US)
DALLAS TEXAS UNITED STATES |
SOFTLAYER.COM / COMP SOFTLAYER TECHNOLOGIES INC |
Very High Details (2.2) 6 BotHunter Users 6 Infection Report 2009-12-25 to 2010-02-19 |
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 7777005(3): Outbound Scan - Detected intense non-malware port scanning ° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain ° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count |
|
84.243.197.191 (NL)
- - NETHERLANDS
DNSKA.COM / DSL PORTNAP INTERNET SERVICES
Maximum Details (2.5) 1 BotHunter Users 1 Infection Report 2010-02-24 to 2010-02-24
° 2000328(5): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
|
92.48.91.144 (UK)
- - UNITED KINGDOM
AS29550.NET / COMP POUNDHOST CUSTOMER SERVER
Very High Details (2.0) 2 BotHunter Users 5 Infection Report 2010-02-22 to 2010-03-05
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 3810008(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
|
194.150.237.120 (FR)
- - FRANCE
HIWIT.NET / DSL AZNET SARL - HOSTING SUBNET
Maximum Details (2.7) 3 BotHunter Users 26 Infection Report 2009-12-28 to 2010-01-26
° 2003179(37): Egg Download - ET POLICY exe download without User Agent
° 2009031(24): CandC Communication - ET TROJAN Possible Armitage Loader Request
° 7777005(23): Outbound Scan - Detected intense non-malware port scanning
° 2003219(15): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2009292(14): CandC Communication - ET TROJAN Hupigon CnC Server Response
° 3(13): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810007(10): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2003438(7): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003607(7): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
|
24.8.252.66 (US)
ENGLEWOOD COLORADO UNITED STATES
COMCAST.NET / DSL COMCAST CABLE COMMUNICATIONS
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2010-01-13 to 2010-01-13
° 2001569(2): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
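
Every record in this listing has one fixed shape: an IP line with a two-letter country code, a location line, a provider line, a forensics line (confidence label, score in parentheses, number of reporting BotHunter users, number of infection reports, first and last date), then "°"-delimited evidence entries of the form SID(count): phase - rule. That shape is what anyone consuming the repository has to parse before the data can feed a blocklist or an IDS. The following is an added example written for this page, not code from BotHunter, SRI or the repository site: it parses records in that shape, builds a blocklist that requires both a high forensic score and corroboration from more than one reporting install, totals signature hits across records, and emits Suricata/Snort drop rules. The three sample records are copied from this listing with their evidence lists shortened. Two assumptions: the count in parentheses after each SID is not defined on the page and is taken here as the number of times that rule fired, and the base SID used for generated rules is a hypothetical local range.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) \(([A-Z]{2})\)$")
FORENSICS_RE = re.compile(
    r"^(?P<confidence>.+?) Details \((?P<score>[\d.]+)\) (?P<users>\d+) BotHunter Users "
    r"(?P<reports>\d+) Infection Report (?P<first>\d{4}-\d{2}-\d{2}) to (?P<last>\d{4}-\d{2}-\d{2})$")
# Phase names contain no " - ", so the first " - " splits phase from rule text even when
# the rule text has one of its own ("ET ATTACK RESPONSE IRC - dns request on non-std port").
EVIDENCE_RE = re.compile(r"^(\d+)\((\d+)\):\s*(.+?)\s+-\s+(.+)$")

@dataclass
class Evidence:
    sid: int    # Snort/ET/BotHunter signature id
    hits: int   # count in parentheses; assumed to be how often the rule fired
    phase: str  # BotHunter dialog phase, e.g. "Egg Download", "CandC Communication"
    rule: str

@dataclass
class CncRecord:
    ip: str
    country: str
    provider: str
    confidence: str  # "Moderate", "High", "Very High", "Maximum"
    score: float     # forensic score shown in parentheses
    users: int       # distinct BotHunter installs that reported this C&C
    reports: int     # infection reports naming it
    first_seen: str
    last_seen: str
    evidence: list = field(default_factory=list)

def _cell(line):
    """Strip whitespace and the stray table-cell '|' the HTML extraction left behind."""
    return line.strip().rstrip("|").strip()

def parse_records(text):
    """Split the listing on blank lines and parse every well-formed record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [_cell(l) for l in chunk.splitlines() if _cell(l)]
        if len(lines) < 4:
            continue
        m_ip, m_for = IP_RE.match(lines[0]), FORENSICS_RE.match(lines[3])
        if not (m_ip and m_for):
            continue  # malformed record: skip rather than guess
        rec = CncRecord(ip=m_ip[1], country=m_ip[2], provider=lines[2],
                        confidence=m_for["confidence"], score=float(m_for["score"]),
                        users=int(m_for["users"]), reports=int(m_for["reports"]),
                        first_seen=m_for["first"], last_seen=m_for["last"])
        # Evidence may be one run-on line or one entry per line; "°" delimits either way.
        for item in " ".join(lines[4:]).split("°"):
            m = EVIDENCE_RE.match(item.strip())
            if m:
                rec.evidence.append(Evidence(int(m[1]), int(m[2]), m[3], m[4]))
        records.append(rec)
    return records

def blocklist(records, min_score=2.0, min_users=2):
    """IPs worth blocking: score >= min_score AND seen by >= min_users independent installs,
    so one sensor's misclassification cannot land on the blocklist by itself."""
    return sorted(r.ip for r in records if r.score >= min_score and r.users >= min_users)

def top_signatures(records, n=5):
    """Total hits per SID across all records, most frequent first: (sid, rule, hits)."""
    totals, names = Counter(), {}
    for r in records:
        for e in r.evidence:
            totals[e.sid] += e.hits
            names.setdefault(e.sid, e.rule)
    return [(sid, names[sid], hits) for sid, hits in totals.most_common(n)]

def suricata_drop_rules(ips, base_sid=9000000):
    """One Suricata/Snort drop rule per IP. base_sid is a hypothetical local SID range;
    pick one that does not collide with rules you already load."""
    return [f'drop ip $HOME_NET any -> {ip} any (msg:"BotHunter community C&C {ip}"; '
            f'sid:{base_sid + i}; rev:1;)' for i, ip in enumerate(ips)]

# Constructed sample: three records copied from the listing above, evidence shortened.
SAMPLE = """\
66.197.94.155 (US)
ASHBURN VIRGINIA UNITED STATES |
4PH.COM / DSL CARPATHIA HOSTING INC |
Very High Details (2.0) 34 BotHunter Users 44 Infection Report 2009-12-24 to 2010-03-08 |
° 2003330(11): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count ° 9910014(5): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count ° 7777005(4): Outbound Scan - Detected intense non-malware port scanning ° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |

84.243.197.191 (NL)
- - NETHERLANDS |
DNSKA.COM / DSL PORTNAP INTERNET SERVICES |
Maximum Details (2.5) 1 BotHunter Users 1 Infection Report 2010-02-24 to 2010-02-24 |
° 2000328(5): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs) ° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count |

24.8.252.66 (US)
ENGLEWOOD COLORADO UNITED STATES |
COMCAST.NET / DSL COMCAST CABLE COMMUNICATIONS |
Moderate Details (1.3) 1 BotHunter Users 1 Infection Report 2010-01-13 to 2010-01-13 |
° 2001569(2): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs) ° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server |
"""
```

parse_records(SAMPLE) yields three CncRecord objects. With the defaults, blocklist() returns only 66.197.94.155: 84.243.197.191 carries the highest score in the sample (2.5) but was reported by a single install, and 24.8.252.66 scores 1.3. Lower min_users to 1 only if you are prepared to act on uncorroborated reports; the NL entry then joins the list. A record whose evidence cell is missing (forensics line present, nothing after it) still parses, with an empty evidence list, so a truncated listing does not silently drop an IP. The "°" delimiter is what makes the parser indifferent to whether the evidence arrives as one run-on line or one entry per line.
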
|
64.34.165.117 (US)
SAN DIEGO CALIFORNIA UNITED STATES
HAJINC.COM / DSL SERVERBEACH
High Details (1.5) 1 BotHunter Users 1 Infection Report 2010-01-22 to 2010-01-22