[liberationtech] Syrian-martyrs.com website probably compromised by virus
KheOps
kheops at ceops.eu
Tue Jan 29 22:45:47 PST 2013
Hello,
On 30/01/2013 03:02, SiNA Rabbani wrote:
> Ok. I infected an old Windows XP with this malware and it keeps
> sending SYN requests to this hostname: awrasx10.no-ip.biz which
> currently resolves to: 37.236.124.197 and is down for me.
Thank you for your work :) The hostname still resolves the same,
37.236.124.197, which is an Iraqi IP address.
Maybe the port 9999 on that IP is supposed to host a C&C, I don't know.
Could be worth letting it run longer, maybe the C&C only comes up sometimes?
>
> --SiNA
> Internet Protocol Version 4, Src: 10.10.10.17 (10.10.10.17), Dst:
> 37.236.124.197 (37.236.124.197)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN:
> 0x00: Not-ECT (Not ECN-Capable Transport))
> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
> .... ..00 = Explicit Congestion Notification: Not-ECT (Not
> ECN-Capable Transport) (0x00)
> Total Length: 48
> Identification: 0x06b0 (1712)
> Flags: 0x02 (Don't Fragment)
> 0... .... = Reserved bit: Not set
> .1.. .... = Don't fragment: Set
> ..0. .... = More fragments: Not set
> Fragment offset: 0
> Time to live: 128
> Protocol: TCP (6)
> Header checksum: 0x3d4c [correct]
> [Good: True]
> [Bad: False]
> Source: 10.10.10.17 (10.10.10.17)
> Destination: 37.236.124.197 (37.236.124.197)
> Transmission Control Protocol, Src Port: llsurfup-https (1184), Dst
> Port: distinct (9999), Seq: 0, Len: 0
> Source port: llsurfup-https (1184)
> Destination port: distinct (9999)
> [Stream index: 2258]
> Sequence number: 0 (relative sequence number)
> Header length: 28 bytes
> Flags: 0x002 (SYN)
> Window size value: 65535
> [Calculated window size: 65535]
> Checksum: 0xdc28 [validation disabled]
> Options: (8 bytes)
>
KheOps
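As an added defender-side example (not code from the thread or its authors), a small Python script that flags the pattern SiNA observed: repeated, unanswered SYNs from one internal host to the same external address and port, which is what a sample looks like when its C&C is down. It assumes Zeek-style conn.log fields (ts, id.orig_h, id.resp_h, id.resp_p, conn_state) and runs over constructed log lines, not the capture from the thread.

```python
"""Flag beaconing: repeated half-open (SYN-only) connection attempts from one
internal host to the same external dst:port, as the sandboxed sample did toward
awrasx10.no-ip.biz (37.236.124.197:9999). Input is constructed in Zeek conn.log
style (tab-separated): ts, id.orig_h, id.resp_h, id.resp_p, conn_state.
conn_state S0 means a SYN was sent and no reply ever came (C&C down)."""
from collections import defaultdict
from statistics import median

# Constructed sample log lines (not the capture from the thread); 203.0.113.5
# is a documentation-range address standing in for ordinary web traffic.
SAMPLE_CONN_LOG = """\
1359504000.0\t10.10.10.17\t37.236.124.197\t9999\tS0
1359504060.1\t10.10.10.17\t37.236.124.197\t9999\tS0
1359504120.0\t10.10.10.17\t37.236.124.197\t9999\tS0
1359504180.2\t10.10.10.17\t37.236.124.197\t9999\tS0
1359504240.0\t10.10.10.17\t37.236.124.197\t9999\tS0
1359504010.0\t10.10.10.17\t203.0.113.5\t443\tSF
1359504300.0\t10.10.10.22\t203.0.113.5\t443\tSF
1359504301.0\t10.10.10.22\t203.0.113.5\t443\tREJ
"""

def parse_conn_log(text):
    """Yield (ts, src, dst, dport, state) tuples from conn.log-style lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, state = line.split("\t")
        yield float(ts), src, dst, int(dport), state

def find_beacons(text, min_attempts=4, max_jitter=0.2):
    """Return {(src, dst, dport): median_interval} for unanswered-SYN (S0)
    attempts that recur at a steady interval (relative jitter <= max_jitter)."""
    attempts = defaultdict(list)
    for ts, src, dst, dport, state in parse_conn_log(text):
        if state == "S0":  # SYN sent, nothing came back
            attempts[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in attempts.items():
        if len(times) < min_attempts:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        # A steady period (low jitter) is what separates a beacon from retries.
        if med > 0 and max(abs(g - med) for g in gaps) / med <= max_jitter:
            beacons[key] = med
    return beacons

if __name__ == "__main__":
    for (src, dst, dport), gap in find_beacons(SAMPLE_CONN_LOG).items():
        print(f"{src} -> {dst}:{dport} every ~{gap:.0f}s, never answered")
```

Letting the infected machine run longer, as suggested above, would show whether the interval stays fixed or the sample eventually gets a SYN-ACK and the state changes from S0.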