Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Syrian-martyrs.com website probably compromised by virus

KheOps kheops at ceops.eu
Tue Jan 29 22:45:47 PST 2013


Hello,

Le 30/01/2013 03:02, SiNA Rabbani a écrit :
> Ok. I infected an old Windoes xp with this malware and it keeps
> sending SYN requests to this hostname: awrasx10.no-ip.biz which
> currently resolved to: 37.236.124.197 and is down for me.

Thank you for your work :) The hostname still resolves the same,
37.236.124.197, which is an Iraqi IP address.

Maybe the port 9999 on that IP is supposed to host a C&C, I don't know.

Could be worth letting it run longer, maybe the C&C only comes up sometimes?

> 
> --SiNA
> Internet Protocol Version 4, Src: 10.10.10.17 (10.10.10.17), Dst:
> 37.236.124.197 (37.236.124.197)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN:
> 0x00: Not-ECT (Not ECN-Capable Transport))
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..00 = Explicit Congestion Notification: Not-ECT (Not
> ECN-Capable Transport) (0x00)
>     Total Length: 48
>     Identification: 0x06b0 (1712)
>     Flags: 0x02 (Don't Fragment)
>         0... .... = Reserved bit: Not set
>         .1.. .... = Don't fragment: Set
>         ..0. .... = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 128
>     Protocol: TCP (6)
>     Header checksum: 0x3d4c [correct]
>         [Good: True]
>         [Bad: False]
>     Source: 10.10.10.17 (10.10.10.17)
>     Destination: 37.236.124.197 (37.236.124.197)
> Transmission Control Protocol, Src Port: llsurfup-https (1184), Dst
> Port: distinct (9999), Seq: 0, Len: 0
>     Source port: llsurfup-https (1184)
>     Destination port: distinct (9999)
>     [Stream index: 2258]
>     Sequence number: 0    (relative sequence number)
>     Header length: 28 bytes
>     Flags: 0x002 (SYN)
>     Window size value: 65535
>     [Calculated window size: 65535]
>     Checksum: 0xdc28 [validation disabled]
>     Options: (8 bytes)
> 

KheOps



More information about the liberationtech mailing list