Re: [botnets] blog spammer

2007-10-03 Thread Chris Lee
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--
4 ips are currently XBL listed, one was a Storm bot for one day?!? back in June.
The Chile IPs caught my attention.  There's only 4 hosts with a PTR on the 
subnet, but nothing else funny from the whois or the last 6 months of XBL.
[EMAIL PROTECTED] ~$ for i in `seq 2 7`; do host 200.83.4.$i; done
Host 2.4.83.200.in-addr.arpa not found: 3(NXDOMAIN)
3.4.83.200.in-addr.arpa domain name pointer thebe.reb.vtr.net.
4.4.83.200.in-addr.arpa domain name pointer phoebe.reb.vtr.net.
5.4.83.200.in-addr.arpa domain name pointer dione.reb.vtr.net.
6.4.83.200.in-addr.arpa domain name pointer rhea.reb.vtr.net.
Host 7.4.83.200.in-addr.arpa not found: 3(NXDOMAIN)

I also checked for the IPs in some photo album spam records from 4/2 ~ 6/15, 
but no hits.

I would love to know what all this means together.

58.23.131.174|XIAMEN|FUJIAN|CHINA
64.59.139.153|WINNIPEG|MANITOBA|CANADA
% 64.59.139.153 2007-10-01 00:08:00 xbl.spamhaus.org 127.0.0.4 =
% 64.59.139.153 2007-10-01 00:08:00 xbl.spamhaus.org 127.0.0.5 =
65.98.103.12|RANCHO SANTA FE|CALIFORNIA|UNITED STATES|SAN DIEGO|CAS
66.122.198.87|WASHINGTON|DISTRICT OF COLUMBIA|UNITED STATES|DISTRICT OF COLUMBIA|DC
66.249.65.77|MOUNTAIN VIEW|CALIFORNIA|UNITED STATES|SANTA CLARA|CAN
69.231.139.157|LOS ANGELES|CALIFORNIA|UNITED STATES|LOS ANGELES|CAC
74.137.130.136|LOUISVILLE|KENTUCKY|UNITED STATES|JEFFERSON|KYW
81.177.22.221|MOSCOW|MOSKVA|RUSSIAN FEDERATION
85.255.120.66|KHARKIV|KHARKIVS'KA OBLAST'|UKRAINE
87.248.160.134|-|-|MOLDOVA, REPUBLIC OF
% 87.248.160.134 2007-10-01 00:08:00 xbl.spamhaus.org 127.0.0.5 =
91.122.13.234|MOSCOW|MOSKVA|RUSSIAN FEDERATION
pcomm: 2007-06-12
% 91.122.13.234 2007-10-01 00:08:00 xbl.spamhaus.org 127.0.0.4 =
200.21.244.142|PASTO|NARINO|COLOMBIA
200.83.4.4|SANTIAGO|REGION METROPOLITANA|CHILE
200.83.4.6|SANTIAGO|REGION METROPOLITANA|CHILE
201.45.206.20|RIO DE JANEIRO|RIO DE JANEIRO|BRAZIL
% 201.45.206.20 2007-10-01 00:08:00 xbl.spamhaus.org 127.0.0.4 =
216.241.182.210|DENVER|COLORADO|UNITED STATES|JEFFERSON|CO
218.104.180.228|-|-|CHINA
% 218.104.180.228 2007-10-01 00:08:00 xbl.spamhaus.org 127.0.0.4 =
% 218.104.180.228 2007-10-01 00:08:00 xbl.spamhaus.org 127.0.0.5 =

On Wed, Oct 03, 2007 at 10:14:36AM +0200, bodik wrote:
hello,

just a few IPs, I strongly believe they belong to some Russian botnet 
which is used for blog spamming ... their activities result in a DoS on 
our server .. more than 250 000 comments ;)

is anyone from

netname:NETPLACE
descr:  NETPLACE professional internet services
country:RU

listening here ? ;)

regards bodik


included ips not just from netplace

___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
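The XBL check described in the message above can be reproduced by collapsing the duplicate addresses in a report and querying the blocklist once per source. This is an added example, not code from either poster; the function names are hypothetical, the sample addresses and stub resolver are constructed, and it assumes Spamhaus's published return codes (127.0.0.4 to 127.0.0.7 for XBL, 127.255.255.x for query errors).

```python
import ipaddress
import socket
from collections import Counter

XBL_CODES = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}  # assumed XBL range

def dnsbl_name(ip, zone="xbl.spamhaus.org"):
    """Query name for a DNSBL lookup: reversed IPv4 octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on malformed input
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_codes(ip, resolve=socket.gethostbyname_ex):
    """Return the A records of the listing, or [] when the name does not resolve."""
    try:
        return sorted(resolve(dnsbl_name(ip))[2])
    except socket.gaierror:
        return []  # NXDOMAIN means "not listed" (a dead resolver looks the same)

def triage(reported, resolve=socket.gethostbyname_ex):
    """Collapse duplicates, then classify each source by its XBL answer."""
    rows = []
    for ip, hits in Counter(reported).most_common():
        codes = dnsbl_codes(ip, resolve)
        if any(c.startswith("127.255.255.") for c in codes):
            status = "query-error"  # blocked or rate-limited query, not a listing
        elif XBL_CODES.intersection(codes):
            status = "listed"
        else:
            status = "not-listed"
        rows.append((ip, hits, status, codes))
    return rows

# Constructed sample: documentation-range addresses and a stub resolver,
# so the example runs offline. Pass no resolver to query real DNS.
SAMPLE = ["192.0.2.10", "198.51.100.7", "192.0.2.10", "203.0.113.5", "192.0.2.10"]
STUB = {
    "7.100.51.198.xbl.spamhaus.org": ["127.0.0.5", "127.0.0.4"],
    "5.113.0.203.xbl.spamhaus.org": ["127.255.255.254"],
}

def stub_resolve(name):
    if name not in STUB:
        raise socket.gaierror("NXDOMAIN (stub)")
    return (name, [], STUB[name])

if __name__ == "__main__":
    for row in triage(SAMPLE, stub_resolve):
        print(*row, sep="\t")
```

The `query-error` branch matters in practice: an answer in 127.255.255.x means the lookup itself was refused, so counting it as a listing would inflate the number of "XBL listed" sources.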


Re: [botnets] blog spammer

2007-10-03 Thread J. Oquendo
bodik wrote:

 64.59.139.153

That's quite interesting. If this indeed is say an infected Google
server, I wonder if someone has found a way to infect users via say
Google's adsense. That would be scary.


[Querying whois.arin.net]
[whois.arin.net]

OrgName:Google Inc.
OrgID:  GOGL
Address:1600 Amphitheatre Parkway
City:   Mountain View
StateProv:  CA
PostalCode: 94043
Country:US

NetRange:   66.249.64.0 - 66.249.95.255
CIDR:   66.249.64.0/19



[EMAIL PROTECTED] trackback]# HEAD 64.59.139.153
400 Bad Request
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Length: 691
Content-Type: text/html; charset=utf-8
Client-Date: Wed, 03 Oct 2007 12:17:23 GMT
Client-Peer: 64.59.139.153:80
Client-Response-Num: 1
Proxy-Connection: close

[EMAIL PROTECTED] trackback]# GET 64.59.139.153
<HTML><HEAD>
<TITLE>Request Error</TITLE>
</HEAD>
<BODY>
<FONT face=Helvetica>
<big><strong></strong></big><BR>
</FONT>
<blockquote>
<TABLE border=0 cellPadding=1 width=80%>
<TR><TD>
<FONT face=Helvetica>
<big>Request Error (invalid_request)</big>
<BR>
<BR>
</FONT>
</TD></TR>
<TR><TD>
<FONT face=Helvetica>
Your request could not be processed. Request could not be handled
</FONT>
</TD></TR>
<TR><TD>
<FONT face=Helvetica>
This could be caused by a misconfiguration, or possibly a malformed request.
</FONT>
</TD></TR>
<TR><TD>
<FONT face=Helvetica SIZE=2>
<BR>
For assistance, contact your network support team.
</FONT>
</TD></TR>
</TABLE>
</blockquote>
</FONT>
</BODY></HTML>

-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net


