PaulDotCom mailing list archives

Anybody See This Before?


From: bsmith2301 at gmail.com (Brice Smith)
Date: Sun, 1 Feb 2009 15:38:35 -0600

These are logs we pull from our reporting tool that monitors users'
web surfing.  This particular report is where employees are accessing
the Internet via IP address.   Also, to answer the other question, no,
we do not have the security suite of tools from Cox Communications.  I was
looking at another IP (206.132.122.135) which is associated with
Global Crossing.  Haven't used TCPView yet either, but I will be taking a
closer look at some of these workstations.

2009/2/1 Arch Angel <arch3angel at gmail.com>:
How are you pulling these logs?

On Sun, Feb 1, 2009 at 1:51 AM, Brice Smith <bsmith2301 at gmail.com> wrote:

Anybody seen this before?  Appears that it might be malware connecting
out.  The structure is the same but seeing it on multiple machines.
Always different IP but the /idle, /open, /send are constant.

hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
hxxp://70.183.191.93/open/1
hxxp://70.183.191.93/open/1
hxxp://70.183.191.93/open/1
hxxp://70.183.191.93/open/1
hxxp://70.183.191.93/open/1
hxxp://70.183.191.93/open/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


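Detection logic for the pattern described in the quoted post, as an added example that is not part of the thread: it parses constructed proxy log lines (client IP, URL) and flags clients that hit the /idle, /open, /send path shapes against a bare-IP host, whichever IP that is. The sample client IPs, destination IPs and tokens are placeholders, not the thread's values.

```python
"""Flag hosts whose proxy logs show the /idle, /open, /send beacon pattern."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path shapes reported in the thread: /idle/<token>/<n>, /send/<token>/<n>, /open/<n>.
BEACON_PATH = re.compile(r"^/(?:(idle|send)/([A-Za-z0-9+]+)/\d+|(open)/\d+)$")

# Constructed sample lines, "<client> <url>"; IPs and tokens are placeholders.
SAMPLE_LOG = """\
10.0.0.5 http://203.0.113.10/idle/abc+xy+12/0
10.0.0.5 http://203.0.113.10/open/1
10.0.0.5 http://203.0.113.10/send/abc+xy+12/1
10.0.0.7 http://198.51.100.20/send/qrs+tu+99/4
10.0.0.7 http://198.51.100.20/idle/qrs+tu+99/3
10.0.0.9 http://example.com/open/1
10.0.0.9 http://example.com/news/index.html
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def classify(url):
    """Return (verb, token, host) if the URL path has the beacon shape, else None."""
    parts = urlsplit(url)
    m = BEACON_PATH.match(parts.path)
    if not m:
        return None
    verb = m.group(1) or m.group(3)
    return verb, m.group(2), parts.hostname


def find_beaconing_hosts(log_text, min_verbs=2):
    """Group matches per client and flag clients that use at least `min_verbs`
    distinct verbs (/idle, /open, /send) against the same bare-IP host.
    Hostnames that are not IPv4 literals are ignored, as the post's concern
    is workstations reaching the Internet by IP address."""
    seen = defaultdict(lambda: defaultdict(set))  # client -> host -> verbs
    for line in log_text.splitlines():
        client, url = line.split(None, 1)
        hit = classify(url)
        if hit is None:
            continue
        verb, _token, host = hit
        if host and IPV4.fullmatch(host):
            seen[client][host].add(verb)
    return {c: {h: sorted(v) for h, v in hosts.items() if len(v) >= min_verbs}
            for c, hosts in seen.items()
            if any(len(v) >= min_verbs for v in hosts.values())}
```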


