
List:       emerging-sigs
Subject:    [Emerging-Sigs] SID 2008355 USER_AGENTS Suspicious User-Agent (angel)
From:       skysbsb () gmail ! com (David Guimaraes)
Date:       2010-07-29 17:34:47
Message-ID: AANLkTikb2pseY5zB1aNXkxtrh1-Fsm9GQ1oF2kaede+f () mail ! gmail ! com

On Wed, Jul 28, 2010 at 11:24 PM, waldo kitty <wkitty42 at windstream.net> wrote:
> On 7/28/2010 19:26, David Guimaraes wrote:
> > I think anyone in my subnet would be interested to access a site
> > located in Korea..
> 
> do think or don't think??
> 
> in any case, i haven't found anything more than you have so far :? :(
> 

DO NOT think.. sorry for my poor English $:-)

On Thu, Jul 29, 2010 at 3:44 AM, Robert Kerr <rob at rkerr.co.uk> wrote:
> On Wed, 2010-07-28 at 20:26 -0300, David Guimaraes wrote:
> 
> > I wonder if anyone has any information that might help me clarify this
> > alert. Maybe this is a malware?
> 
> There was at one point a comment in the rules file alongside this:
> 
> #re f39d0a669ad98b95370a4f525d7d79ec, by Marcus at unsober
> 
> Based on that we can find:
> 
> http://www.threatexpert.com/report.aspx?md5=f39d0a669ad98b95370a4f525d7d79ec
> http://www.virustotal.com/analisis/54591391429967064308d1f6e7d8bd099e4d3e6ef7bdb47a6671b0dd609903db-1245777756
> http://www.spywareterminator.com/cs/item/53919/TrojanDownloaderSmallwdu.html
> 
> The threatexpert report doesn't 100% match what you're seeing, but I'd
> imagine it might be a different variant of the same. Couple the UA and
> the suspicious nature of the domain as identified by evilghost and it's
> a pretty safe bet those systems have something up with them.
> 
> --
> Robert Kerr

Where did you find this comment?

On Wed, Jul 28, 2010 at 11:45 PM, evilghost at packetmail.net
<evilghost at packetmail.net> wrote:
> Check the site over SSL (https://cdeinaa.com), the CN/O is "cardsprocessing.net"
> and purports to be Equifax.  Seems nefarious, though I cannot get an A record for
> that FQDN.  It was registered through PAKNIC, also note the nameservers.  If you
> have hosts POSTing data to this site I'd think it's safe to say it's bad-unknown
> and if the traffic is self-generated they're infected, especially if they're using
> a self-defined HTTP user-agent.

Hm .. interesting .. I added a new rule to verify any HTTP POST on
that IP. Thanks for the suggestion.

Thanks all for the help.

-- 
David
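As an added illustration of the triage criteria evilghost lays out above (a POST to the site is "bad-unknown"; a POST with a self-defined user-agent means the host is likely infected), here is a small log check written for this page, not code from the thread or from the Emerging Threats rule set. It assumes forward-proxy logs in Apache combined format with absolute URLs, that the user-agent string behind SID 2008355 is literally "angel", and that "self-defined" can be approximated as "does not start with Mozilla/"; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Apache combined format as written by a forward proxy (absolute URL in the request line).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic). 10.0.0.5 POSTs with the "angel" UA,
# 10.0.0.7 only GETs, 10.0.0.9 POSTs with a browser-looking UA.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jul/2010:19:20:01 -0300] "POST http://cdeinaa.com/gate.php HTTP/1.1" 200 512 "-" "angel"
10.0.0.7 - - [28/Jul/2010:19:21:10 -0300] "GET http://cdeinaa.com/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.9 - - [28/Jul/2010:19:22:45 -0300] "POST http://cdeinaa.com/upload HTTP/1.1" 200 128 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
10.0.0.5 - - [28/Jul/2010:19:25:00 -0300] "POST http://cdeinaa.com/gate.php HTTP/1.1" 200 512 "-" "angel"
"""


def classify(lines, watched_host="cdeinaa.com", suspicious_ua=("angel",)):
    """Map client IP -> verdict using the thread's two criteria.

    'bad-unknown'     : the client POSTed data to the watched site
    'likely-infected' : it POSTed with a self-defined (non-browser) user-agent
    Clients that never POST to the site get no verdict.
    """
    verdicts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host != watched_host or m["method"] != "POST":
            continue
        ua = m["ua"].lower()
        # Heuristic (assumption): a known-bad UA, or anything not claiming to be a
        # browser, counts as "self-defined" in evilghost's sense.
        self_defined = any(s in ua for s in suspicious_ua) or not ua.startswith("mozilla/")
        verdict = "likely-infected" if self_defined else "bad-unknown"
        if verdicts.get(m["client"]) != "likely-infected":  # escalate, never downgrade
            verdicts[m["client"]] = verdict
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(classify(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}\t{verdict}")
```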

