Snort mailing list archives
BHv2 Mailing Campaign Gate natpay.html
From: Community Proposed <lists () packetmail net>
Date: Thu, 6 Jun 2013 11:31:28 -0500
Another BHv2 mailing campaign; all the gates at the moment are pointing to hxxp://usforclosedhomes.net/news/walls_autumns-serial.php, which is /news/ BHv2 and should be covered with existing sigs. Message Subjects start with the text "Transmission Confirmation ~".

We've got some good IP candidates associated with malware.

;; ANSWER SECTION:
usforclosedhomes.net.   16   IN   A   46.18.160.86
usforclosedhomes.net.   16   IN   A   93.89.235.13
usforclosedhomes.net.   16   IN   A   112.170.169.56
usforclosedhomes.net.   16   IN   A   41.89.6.179

Snort Sig:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY BHv2 EK Initial Gate from NatPay Mailing Campaign"; flow:established,to_server; content:"/natpay.html?"; http_uri; classtype:trojan-activity; sid:x; rev:1;)

Ran the above through my Hadoop/Hive cluster for 04/01/2013 with no FPs.

Observed Gates:
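As an added illustration (not part of the original post or of the Snort project), the following replays the posted rule's conditions over constructed proxy log lines, the way the author's Hadoop/Hive FP check would: it rebuilds the http_uri buffer (path plus query), applies the case-sensitive content match, and honours the $HTTP_PORTS restriction. The port set, log format and hostnames are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constraints copied from the posted rule; $HTTP_PORTS is assumed to be 80 and 8080 here.
HTTP_PORTS = {80, 8080}
RULE_CONTENT = "/natpay.html?"   # content:"/natpay.html?"; http_uri; (no nocase, so case-sensitive)
RULE_MSG = "VRT COMMUNITY BHv2 EK Initial Gate from NatPay Mailing Campaign"

# Constructed proxy log lines (client, server:port, method, URL); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10:80 GET http://gate.example/natpay.html?refid=AAAA-BBBB
10.0.0.6 203.0.113.11:80 GET http://gate.example/natpay.html?subj=Customer%20Report%20Question~XXXX~1234
10.0.0.7 203.0.113.12:443 GET https://gate.example/natpay.html?ref=CCCC
10.0.0.8 203.0.113.13:80 GET http://shop.example/NatPay.html?ref=DDDD
10.0.0.9 203.0.113.14:80 GET http://shop.example/natpay.htmlx?ref=EEEE
10.0.0.9 203.0.113.14:80 GET http://news.example/natpay/index.html?x=1
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (\S+)$")


def http_uri(url):
    """Rebuild the buffer Snort's http_uri modifier inspects: path plus query string.
    Percent-decoding from URI normalization is not replicated; the rule content
    contains no encoded bytes, so the match result is the same."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def rule_matches(dst_port, url):
    """Apply the rule: destination must be an HTTP port, to_server is implied
    because a request line is client-to-server, and the content must appear in the URI."""
    if dst_port not in HTTP_PORTS:
        return False
    return RULE_CONTENT in http_uri(url)


def scan_log(text):
    """Replay the rule over log lines and return one alert per matching request."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, server, port, _method, url = m.groups()
        if rule_matches(int(port), url):
            alerts.append({"msg": RULE_MSG, "src": client, "dst": server, "uri": http_uri(url)})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["src"], "->", a["dst"], a["uri"])
```

Only the two requests with the exact `/natpay.html?` string on an HTTP port alert; the TLS request, the differently cased path and the longer filename do not, which is the behaviour to keep in mind when reviewing hits for false positives.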