funsec mailing list archives

Re: [Dshield] virus tracking


From: "Fergie" <fergdawg () netzero net>
Date: Fri, 11 Nov 2005 14:07:02 GMT

This is pretty funny.

From the DShield list...

- ferg


-- ptds () majordomo thedacare org wrote:

I was tracking a recent virus hit, looking up some of the hosts that the 
program phoned home to.


This one was sort of amusing. This is the log I was tracking:
05 15:15:04: %PIX-5-304001: 172.16.6.149 Accessed URL 72.20.15.18:/index.php
05 16:09:06: %PIX-5-304001: 172.16.6.149 Accessed URL 72.20.15.18:/index.php

Here's what dig says for reverse lookup.

dig -x 72.20.15.18

; <<>> DiG 9.3.1 <<>> -x 72.20.15.18
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2090
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;18.15.20.72.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
18.15.20.72.in-addr.arpa. 3288  IN      PTR     i.have.a.botnet.cause.bill.gates.has.0security.info.

;; Query time: 84 msec
;; SERVER: 172.16.0.61#53(172.16.0.61)
;; WHEN: Thu Nov 10 19:49:57 2005
;; MSG SIZE  rcvd: 107



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/
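
Added example, not part of the original posts: the triage step the quoted message describes (pull the destinations an infected host contacted out of PIX 304001 URL-access lines, then build the reverse-lookup names to query), written in Python. The regex follows the layout of the two log lines quoted above; the third sample line and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the two PIX lines quoted in the post (rejoined after
# the mail line wrap) plus one made-up line for an internal destination.
SAMPLE_LOG = """\
05 15:15:04: %PIX-5-304001: 172.16.6.149 Accessed URL 72.20.15.18:/index.php
05 16:09:06: %PIX-5-304001: 172.16.6.149 Accessed URL 72.20.15.18:/index.php
05 16:10:41: %PIX-5-304001: 172.16.6.20 Accessed URL 172.16.0.10:/intranet.html
"""

# Layout as it appears in the quoted lines: <src> Accessed URL <dst>:<url>
URL_LOG = re.compile(
    r"%PIX-5-304001: (?P<src>\S+) Accessed URL (?P<dst>[^:\s]+):(?P<url>\S*)"
)

def summarize(log_text):
    """Group URL-access events by (internal host, destination IP)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = URL_LOG.search(line)
        if not m:
            continue  # not a 304001 URL-access message
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # skip lines whose addresses do not parse
        hits[(src, dst)].append(m["url"])
    return hits

def ptr_targets(hits, watched_host):
    """Reverse-lookup names for each external destination one host contacted."""
    watched = ipaddress.ip_address(watched_host)
    dests = {dst for (src, dst) in hits if src == watched and not dst.is_private}
    return sorted(d.reverse_pointer for d in dests)

if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG)
    for (src, dst), urls in sorted(hits.items()):
        print(f"{src} -> {dst}: {len(urls)} request(s), URLs {sorted(set(urls))}")
    for name in ptr_targets(hits, "172.16.6.149"):
        print(f"dig {name} PTR")  # same query that dig -x builds from the IP
```

Repeated requests from one internal host to the same external address and URL, as in the two quoted lines, are the pattern that makes a destination worth the reverse lookup.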

