Full Disclosure mailing list archives

RE: Sobig has a surprise...


From: Ron DuFresne <dufresne () winternet com>
Date: Sat, 23 Aug 2003 12:24:26 -0500 (CDT)


{{{sigh}}}  They've been posted here more than once.  They're on the Sophos
website.


{{{bigger sigh}}}


But here they are again, taken from my logs, so these are verified IPs that
Sobig.f was contacting on 8998/UDP:

/var/log/snort/special/12.158.102.205/UDP:8998-1228
/var/log/snort/special/12.232.104.221/UDP:8998-1228
/var/log/snort/special/218.147.164.29/UDP:8998-1228
/var/log/snort/special/24.197.143.132/UDP:8998-1228
/var/log/snort/special/24.202.91.43/UDP:8998-1228
/var/log/snort/special/24.206.75.137/UDP:8998-1228
/var/log/snort/special/24.210.182.156/UDP:8998-1228
/var/log/snort/special/24.33.66.38/UDP:8998-1228
/var/log/snort/special/61.38.187.59/UDP:8998-1228
/var/log/snort/special/63.250.82.87/UDP:8998-1228
/var/log/snort/special/65.177.240.194/UDP:8998-1228
/var/log/snort/special/65.92.186.145/UDP:8998-1228
/var/log/snort/special/65.92.80.218/UDP:8998-1228
/var/log/snort/special/65.93.81.59/UDP:8998-1228
/var/log/snort/special/65.95.193.138/UDP:8998-1228
/var/log/snort/special/66.131.207.81/UDP:8998-1228
/var/log/snort/special/67.73.21.6/UDP:8998-1228
/var/log/snort/special/67.9.241.67/UDP:8998-1228
/var/log/snort/special/68.38.159.161/UDP:8998-1228
/var/log/snort/special/68.50.208.96/UDP:8998-1228


67.164.250.26/8998
129.244.36.194/8998
67.73.60.121/8998
218.146.139.246/8998
66.169.84.77/8998


68.50.208.96/8998
12.232.104.221/8998
218.147.164.29/8998
24.33.66.38/8998
12.158.102.205/8998
24.197.143.132/8998
24.206.75.137/8998
24.202.91.43/8998
24.210.182.156/8998
61.38.187.59/8998
65.92.80.218/8998
63.250.82.87/8998
65.92.186.145/8998

Not all of these <any? I only looked close enough to determine that some
67.xxxxx addies are not in the list provided here> are in your listing and
are the ones referenced by Jerry Heidtke.  I think you missed a few posts
and misread me totally.  Of course, I do not claim this is Jerry's complete
listing either; I tried quickly to eliminate dupes.  But if, as Jerry
reported, there were at least two variants of Sobig.f, with two or more
different address lists, this might not be a done deal, as already said.  I
merely seek info as to whether or not Jerry's findings have been verified by
anyone else, and if so, whether these addresses too have been nullified, or
is there yet more to come?

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
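As an added example, not part of Ron's message or anything else in this thread: a short Python script that does the comparison Ron describes doing by hand. It parses both list formats seen in the message (snort per-host log directory paths and bare ip/port entries), normalizes them to (ip, protocol, port) tuples, drops duplicates, and reports which snort-verified addresses are missing from the posted lists and vice versa. The regexes, the function names, and the assumption that bare ip/port entries refer to UDP are mine; the addresses are the ones in the message above.

```python
import ipaddress
import re

# Two entry shapes appear in the post; both are matched here.
# 1. snort per-host log directories, e.g.
#      /var/log/snort/special/12.158.102.205/UDP:8998-1228
#    The trailing "-1228" is not interpreted; only host, protocol and port are kept.
SNORT_PATH_RE = re.compile(
    r"^/var/log/snort/special/(?P<ip>[0-9.]+)/(?P<proto>[A-Z]+):(?P<port>\d+)(?:-\d+)?$"
)
# 2. bare "ip/port" entries as in the other two lists.
IP_PORT_RE = re.compile(r"^(?P<ip>[0-9.]+)/(?P<port>\d+)$")

# The lists as they appear in the message: snort-verified first, then the two
# bare lists combined. Blank lines are ignored.
VERIFIED_TEXT = """
/var/log/snort/special/12.158.102.205/UDP:8998-1228
/var/log/snort/special/12.232.104.221/UDP:8998-1228
/var/log/snort/special/218.147.164.29/UDP:8998-1228
/var/log/snort/special/24.197.143.132/UDP:8998-1228
/var/log/snort/special/24.202.91.43/UDP:8998-1228
/var/log/snort/special/24.206.75.137/UDP:8998-1228
/var/log/snort/special/24.210.182.156/UDP:8998-1228
/var/log/snort/special/24.33.66.38/UDP:8998-1228
/var/log/snort/special/61.38.187.59/UDP:8998-1228
/var/log/snort/special/63.250.82.87/UDP:8998-1228
/var/log/snort/special/65.177.240.194/UDP:8998-1228
/var/log/snort/special/65.92.186.145/UDP:8998-1228
/var/log/snort/special/65.92.80.218/UDP:8998-1228
/var/log/snort/special/65.93.81.59/UDP:8998-1228
/var/log/snort/special/65.95.193.138/UDP:8998-1228
/var/log/snort/special/66.131.207.81/UDP:8998-1228
/var/log/snort/special/67.73.21.6/UDP:8998-1228
/var/log/snort/special/67.9.241.67/UDP:8998-1228
/var/log/snort/special/68.38.159.161/UDP:8998-1228
/var/log/snort/special/68.50.208.96/UDP:8998-1228
"""
POSTED_TEXT = """
67.164.250.26/8998
129.244.36.194/8998
67.73.60.121/8998
218.146.139.246/8998
66.169.84.77/8998
68.50.208.96/8998
12.232.104.221/8998
218.147.164.29/8998
24.33.66.38/8998
12.158.102.205/8998
24.197.143.132/8998
24.206.75.137/8998
24.202.91.43/8998
24.210.182.156/8998
61.38.187.59/8998
65.92.80.218/8998
63.250.82.87/8998
65.92.186.145/8998
"""


def parse_entry(line):
    """Return (ip, proto, port) for one line, or None if it is not an entry.

    Snort paths carry their own protocol; bare ip/port entries are assumed to
    be UDP (assumption: the post only discusses UDP/8998).
    """
    line = line.strip()
    m = SNORT_PATH_RE.match(line)
    if m:
        proto = m.group("proto")
    else:
        m = IP_PORT_RE.match(line)
        if not m:
            return None
        proto = "UDP"
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # malformed address: skip rather than guess
    return (str(ip), proto, int(m.group("port")))


def parse_list(text):
    """Set of (ip, proto, port) tuples; duplicates collapse automatically."""
    return {e for e in map(parse_entry, text.splitlines()) if e is not None}


def compare(verified, posted):
    """Split two entry sets into what they share and what each has alone."""
    return {
        "both": sorted(verified & posted),
        "only_verified": sorted(verified - posted),
        "only_posted": sorted(posted - verified),
    }


if __name__ == "__main__":
    result = compare(parse_list(VERIFIED_TEXT), parse_list(POSTED_TEXT))
    for label, entries in result.items():
        print(f"{label} ({len(entries)}):")
        for ip, proto, port in entries:
            print(f"  {ip} {proto}/{port}")
```

Run as-is it shows that 13 of the 20 snort-verified hosts appear in the posted lists, 7 (including the two 67.x hosts Ron mentions) do not, and 5 posted hosts were never seen in his logs. To check a different capture, replace the two text blocks with the contents of the relevant log directory listing and posted list.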