The Latest in IT Security

Something odd

08 May 2012

One of those odd things you see in proxy logs: in this case, a load of outbound access attempts from a guest machine, like this:

http://69.60.122.18269.60.122.182/
http://85.25.130.1285.25.130.12/
http://89.207.129.789.207.129.7/
http://91.230.147.23191.230.147.231/
http://174.37.202.166174.37.202.166/
http://184.22.165.50184.22.165.50/
http://204.45.70.162204.45.70.162/
http://207.244.209.239207.244.209.239/
http://209.85.148.101209.85.148.101/
Obviously, these URLs are malformed because the IP address is listed twice. But one of these stands out:

http://91.230.147.23191.230.147.231/ is clearly “91.230.147.231” twice. This IP belongs to Adevir Invest in Russia, and we’ve seen that name before. The other IPs seem innocent enough, but this traffic pattern is highly suspicious and I can only assume that these IPs are some sort of C&C server.

If you want to block them, the correctly formed IPs are as follows:

69.60.122.18
85.25.130.12
89.207.129.7
91.230.147.231
174.37.202.166
184.22.165.50
204.45.70.162
207.244.209.239
209.85.148.10
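As an added example (not part of the original post), the Python helper below undoes the doubling mechanically instead of by eye. It treats a host as "one IPv4 address written twice" only if the string is a literal repetition of a single valid dotted quad; simply taking the first four dot-separated fields is unsafe, because the last octet of the first copy runs into the first octet of the second (the "18269" in the first URL), and any split of that run is a guess. The sample URLs are the nine lines from the log above; the function and regex names are my own. Run over those nine URLs it returns 69.60.122.182 for the first and 209.85.148.101 for the last, the full doubled address rather than a truncated octet, which is worth checking against a hand-written block list before deploying it.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample input: the malformed URLs seen in the proxy log above.
SAMPLE_URLS = [
    "http://69.60.122.18269.60.122.182/",
    "http://85.25.130.1285.25.130.12/",
    "http://89.207.129.789.207.129.7/",
    "http://91.230.147.23191.230.147.231/",
    "http://174.37.202.166174.37.202.166/",
    "http://184.22.165.50184.22.165.50/",
    "http://204.45.70.162204.45.70.162/",
    "http://207.244.209.239207.244.209.239/",
    "http://209.85.148.101209.85.148.101/",
]

# Scheme plus host only; ports, userinfo and paths are not part of this pattern.
_HOST_RE = re.compile(r"^https?://([^/:?#]+)")


def split_doubled_ipv4(host: str) -> Optional[str]:
    """Return the IPv4 address if `host` is exactly that address written twice.

    The string must be an even-length literal repetition of one valid
    dotted quad; anything else (a normal address, two different addresses
    glued together, an out-of-range octet) yields None rather than a guess.
    """
    if len(host) % 2:
        return None
    mid = len(host) // 2
    first, second = host[:mid], host[mid:]
    if first != second:
        return None
    try:
        return str(ipaddress.IPv4Address(first))
    except ipaddress.AddressValueError:
        return None


def doubled_ip_from_url(url: str) -> Optional[str]:
    """Pull the host out of a proxy-log URL and undo the doubling, or None."""
    m = _HOST_RE.match(url.strip())
    if not m:
        return None
    return split_doubled_ipv4(m.group(1))


def block_list(urls: List[str]) -> List[str]:
    """Unique recovered addresses in first-seen order: the IPs to block."""
    seen: List[str] = []
    for url in urls:
        ip = doubled_ip_from_url(url)
        if ip is not None and ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    for ip in block_list(SAMPLE_URLS):
        print(ip)
```

Feed it the raw URL column of the proxy log; only entries whose host is an exact doubling come back, so ordinary traffic to plain IP literals or hostnames is ignored rather than mis-parsed.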
