Hello,

On 30/01/2013 03:02, SiNA Rabbani wrote:
> Ok. I infected an old Windows XP with this malware and it keeps
> sending SYN requests to this hostname: awrasx10.no-ip.biz which
> currently resolved to: 37.236.124.197 and is down for me.
Thank you for your work :) The hostname still resolves the same, 37.236.124.197, which is an Iraqi IP address. Maybe the port 9999 on that IP is supposed to host a C&C, I don't know. Could be worth letting it run longer, maybe the C&C only comes up sometimes?

> --SiNA
>
> Internet Protocol Version 4, Src: 10.10.10.17 (10.10.10.17), Dst: 37.236.124.197 (37.236.124.197)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
>     Total Length: 48
>     Identification: 0x06b0 (1712)
>     Flags: 0x02 (Don't Fragment)
>         0... .... = Reserved bit: Not set
>         .1.. .... = Don't fragment: Set
>         ..0. .... = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 128
>     Protocol: TCP (6)
>     Header checksum: 0x3d4c [correct]
>         [Good: True]
>         [Bad: False]
>     Source: 10.10.10.17 (10.10.10.17)
>     Destination: 37.236.124.197 (37.236.124.197)
> Transmission Control Protocol, Src Port: llsurfup-https (1184), Dst Port: distinct (9999), Seq: 0, Len: 0
>     Source port: llsurfup-https (1184)
>     Destination port: distinct (9999)
>     [Stream index: 2258]
>     Sequence number: 0    (relative sequence number)
>     Header length: 28 bytes
>     Flags: 0x002 (SYN)
>     Window size value: 65535
>     [Calculated window size: 65535]
>     Checksum: 0xdc28 [validation disabled]
>     Options: (8 bytes)

KheOps
-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
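The thread above describes the classic signature of a dead or intermittent C&C: the infected host keeps sending SYNs to one destination and never receives a SYN/ACK back. As an added example (not code from SiNA's or KheOps's messages), the script below takes a tshark-style packet summary and reports every destination that only ever saw one-sided SYNs from the monitored host, together with the retry spacing, so that a longer capture like the one KheOps suggests can be checked for the moment the C&C comes up. The sample lines are constructed: the 3 s and 6 s gaps mimic Windows XP's default SYN retransmission schedule, the 443 connection is a benign control that completes its handshake, and the field layout assumes `tshark -T fields -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags` (whitespace-separated, flags in hex).

```python
"""Find unanswered TCP beaconing in a packet summary.

Groups SYN-only packets by (dst, dport), drops any destination that ever
replied with SYN/ACK, and reports what is left: a host retrying a peer
that is down or filtered, as with 37.236.124.197:9999 in the thread.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample in the layout produced by
#   tshark -T fields -e frame.time_relative -e ip.src -e tcp.srcport \
#          -e ip.dst -e tcp.dstport -e tcp.flags
# Flags: 0x002 = SYN, 0x012 = SYN/ACK, 0x010 = ACK. Timestamps are made up;
# the 3 s / 6 s spacing follows XP's default SYN retransmit schedule.
SAMPLE = """\
0.000  10.10.10.17    1184 37.236.124.197 9999 0x002
3.002  10.10.10.17    1184 37.236.124.197 9999 0x002
9.005  10.10.10.17    1184 37.236.124.197 9999 0x002
20.100 10.10.10.17    1185 93.184.216.34  443  0x002
20.145 93.184.216.34  443  10.10.10.17    1185 0x012
20.146 10.10.10.17    1185 93.184.216.34  443  0x010
30.010 10.10.10.17    1186 37.236.124.197 9999 0x002
33.012 10.10.10.17    1186 37.236.124.197 9999 0x002
39.015 10.10.10.17    1186 37.236.124.197 9999 0x002
"""

SYN, ACK = 0x002, 0x010


def parse(text):
    """Return (time, src, sport, dst, dport, flags) tuples; skip blank/comment lines."""
    recs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, src, sport, dst, dport, flags = line.split()
        recs.append((float(t), src, int(sport), dst, int(dport), int(flags, 16)))
    return recs


def failed_beacons(recs, min_attempts=3):
    """Map (dst, dport) -> stats for destinations that never answered a SYN.

    A destination counts as answered if any packet with SYN+ACK set came
    *from* that (ip, port). Destinations with fewer than min_attempts SYNs
    are ignored to avoid flagging a single stray connection failure.
    """
    syn_times = defaultdict(list)
    answered = set()
    for t, src, sport, dst, dport, flags in recs:
        if flags & SYN and not flags & ACK:
            syn_times[(dst, dport)].append(t)
        elif flags & SYN and flags & ACK:
            answered.add((src, sport))

    result = {}
    for key, times in syn_times.items():
        if key in answered or len(times) < min_attempts:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        result[key] = {
            "attempts": len(times),
            "first": times[0],
            "last": times[-1],
            "mean_gap_s": round(mean(gaps), 3) if gaps else None,
        }
    return result


if __name__ == "__main__":
    for (dst, dport), st in failed_beacons(parse(SAMPLE)).items():
        print(f"{dst}:{dport}  {st['attempts']} unanswered SYNs, "
              f"mean gap {st['mean_gap_s']} s, window {st['first']}-{st['last']} s")
```

On the constructed sample this reports only 37.236.124.197:9999 (six SYNs, no reply); the 443 connection is excluded because its SYN/ACK was seen. On a real capture, a destination that disappears from this report partway through is exactly the point at which the C&C started answering and the stream deserves a closer look.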
