funsec mailing list archives
Re: [Dshield] virus tracking
From: "Fergie" <fergdawg () netzero net>
Date: Fri, 11 Nov 2005 14:07:02 GMT
This is pretty funny.
From the DShield list...
- ferg

-- ptds () majordomo thedacare org wrote:

I was tracking a recent virus hit, looking up some of the hosts that the
program phoned home to. This one was sort of amusing, this is the log I
was tracking

    05 15:15:04: %PIX-5-304001: 172.16.6.149 Accessed URL 72.20.15.18:/index.php
    05 16:09:06: %PIX-5-304001: 172.16.6.149 Accessed URL 72.20.15.18:/index.php

Here's what dig says for reverse lookup.

    dig -x 72.20.15.18

    ; <<>> DiG 9.3.1 <<>> -x 72.20.15.18
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2090
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;18.15.20.72.in-addr.arpa. IN PTR

    ;; ANSWER SECTION:
    18.15.20.72.in-addr.arpa. 3288 IN PTR i.have.a.botnet.cause.bill.gates.has.0security.info.

    ;; Query time: 84 msec
    ;; SERVER: 172.16.0.61#53(172.16.0.61)
    ;; WHEN: Thu Nov 10 19:49:57 2005
    ;; MSG SIZE rcvd: 107

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg () netzero net or fergdawg () sbcglobal net
ferg's tech blog: http://fergdawg.blogspot.com/
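The triage described in the quoted message (pull the destinations out of the PIX URL log, then reverse-resolve them) can be scripted. The following Python is an added example, not part of the original post; the function names are hypothetical, the sample log is constructed in the shape of the two quoted lines, and "two or more identical requests" is an assumed threshold for flagging a possible phone-home.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the first two lines mirror the quoted log, the third
# is invented benign traffic to a documentation address (192.0.2.0/24).
SAMPLE_LOG = """\
05 15:15:04: %PIX-5-304001: 172.16.6.149 Accessed URL 72.20.15.18:/index.php
05 16:09:06: %PIX-5-304001: 172.16.6.149 Accessed URL 72.20.15.18:/index.php
05 16:10:11: %PIX-5-304001: 172.16.6.20 Accessed URL 192.0.2.10:/news.html
"""

# Matches the line shape shown in the post: "<src> Accessed URL <dst>:<path>"
PIX_URL = re.compile(
    r"%PIX-5-304001: (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Accessed URL (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<path>\S*)"
)

def parse_url_events(log_text):
    """Yield (src, dst, path) for each well-formed 304001 line."""
    for line in log_text.splitlines():
        m = PIX_URL.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # looked like dotted-quad but is not a valid address
        yield src, dst, m["path"]

def repeated_destinations(log_text, min_hits=2):
    """Map (src, dst, path) -> count, keeping only repeated requests."""
    counts = defaultdict(int)
    for key in parse_url_events(log_text):
        counts[key] += 1
    return {k: n for k, n in counts.items() if n >= min_hits}

def ptr_name(ip):
    """The in-addr.arpa name that `dig -x` queries for this address."""
    return ipaddress.ip_address(ip).reverse_pointer

def report(log_text):
    """One line per repeated (host, destination, path) with its PTR name."""
    hits = sorted(repeated_destinations(log_text).items())
    return [f"{src} -> {dst}{path} x{n}  PTR query: {ptr_name(dst)}"
            for (src, dst, path), n in hits]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The PTR name is computed locally so the script runs offline; feeding it to `dig -x` or a resolver library is the step that needs network access.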