List: emerging-sigs
Subject: [Emerging-Sigs] SID 2008355 USER_AGENTS Suspicious User-Agent (angel)
From: skysbsb () gmail ! com (David Guimaraes)
Date: 2010-07-29 17:34:47
Message-ID: AANLkTikb2pseY5zB1aNXkxtrh1-Fsm9GQ1oF2kaede+f () mail ! gmail ! com
On Wed, Jul 28, 2010 at 11:24 PM, waldo kitty <wkitty42 at windstream.net> wrote:
> On 7/28/2010 19:26, David Guimaraes wrote:
> > I think anyone in my subnet would be interested to access a site
> > located in korea..
>
> do think or don't think??
>
> In any case, I haven't found anything more than you have so far :? :(
>
DO NOT think.. sorry, my poor English $:-)
On Thu, Jul 29, 2010 at 3:44 AM, Robert Kerr <rob at rkerr.co.uk> wrote:
> On Wed, 2010-07-28 at 20:26 -0300, David Guimaraes wrote:
>
> > I wonder if anyone has any information that might help me clarify this
> > alert. Maybe this is a malware?
>
> There was at one point a comment in the rules file alongside this:
>
> #re f39d0a669ad98b95370a4f525d7d79ec, by Marcus at unsober
>
> Based on that we can find:
>
> http://www.threatexpert.com/report.aspx?md5=f39d0a669ad98b95370a4f525d7d79ec
> http://www.virustotal.com/analisis/54591391429967064308d1f6e7d8bd099e4d3e6ef7bdb47a6671b0dd609903db-1245777756
> http://www.spywareterminator.com/cs/item/53919/TrojanDownloaderSmallwdu.html
>
> The threatexpert report doesn't 100% match what you're seeing, but I'd
> imagine it might be a different variant of the same. Couple the UA and
> the suspicious nature of the domain as identified by evilghost and it's
> a pretty safe bet those systems have something up with them.
>
> --
> Robert Kerr
Where did you find this comment?
On Wed, Jul 28, 2010 at 11:45 PM, evilghost at packetmail.net
<evilghost at packetmail.net> wrote:
> Check the site over SSL (https://cdeinaa.com), the CN/O is "cardsprocessing.net"
> and purports to be Equifax. Seems nefarious, though I cannot get an A record for
> that FQDN. It was registered through PAKNIC, also note the nameservers. If you
> have hosts POSTing data to this site I'd think it's safe to say it's bad-unknown
> and if the traffic is self-generated they're infected, especially if they're using
> a self-defined HTTP user-agent.
Hm .. interesting .. I added a new rule to verify any HTTP POST on
that IP. Thanks for the suggestion.
Thanks all for the help.
--
David
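An added example, not code from this thread or from the Emerging Threats ruleset: the two checks discussed above (HTTP POSTs to the domain evilghost named, and the "angel" user-agent from the subject line) applied to a few constructed proxy log lines in Python. The log format (timestamp, source, method, URL, quoted user-agent) is an assumption made for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the thread: the domain evilghost named and the
# user-agent string from the subject line (SID 2008355).
SUSPECT_HOSTS = {"cdeinaa.com"}
SUSPECT_UAS = {"angel"}

# Constructed sample proxy log (assumed format: ts src method url "user-agent").
# These lines are made up for the example and are not from the thread.
SAMPLE_LOG = """\
2010-07-28T20:26:01 10.0.0.15 POST http://cdeinaa.com/gate.php "angel"
2010-07-28T20:26:05 10.0.0.15 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 6.1)"
2010-07-28T20:27:11 10.0.0.22 POST http://www.example.org/login "Mozilla/5.0 (X11; Linux)"
2010-07-28T20:28:40 10.0.0.22 GET http://cdeinaa.com/ "Mozilla/5.0 (Windows NT 5.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one log line into its fields, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reasons_for(rec):
    """Return the reasons a parsed record should alert (empty list if none)."""
    host = (urlsplit(rec["url"]).hostname or "").lower()
    reasons = []
    if host in SUSPECT_HOSTS:
        # A POST is the stronger signal (data leaving the host); a GET still merits a look.
        reasons.append("post-to-suspect-host" if rec["method"] == "POST" else "contact-suspect-host")
    if rec["ua"].strip().lower() in SUSPECT_UAS:
        reasons.append("suspicious-user-agent")
    return reasons


def scan(log_text):
    """Return (timestamp, source, reasons) for every line that alerts; unparseable lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = reasons_for(rec)
        if reasons:
            alerts.append((rec["ts"], rec["src"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, src, reasons in scan(SAMPLE_LOG):
        print(ts, src, ", ".join(reasons))
```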