Full Disclosure mailing list archives
RE: Sobig has a surprise...
From: Ron DuFresne <dufresne () winternet com>
Date: Sat, 23 Aug 2003 12:24:26 -0500 (CDT)
{{{sigh}}} They've been posted here more than once. They're on the Sophos website.
{{{bigger sigh}}}
But here they are again, taken from my logs, so these are verified IPs that Sobig.f was contacting on 8998/UDP:
Not all of these <any?, I only looked close enough to determine that some 67.xxxxx addies are not in the list provided here> are in your listing and are the ones referenced by Jerry Heidtke. I think you missed a few posts and mis-read me totally.
Of course, I do not claim this is Jerry's complete listing either; I tried quickly to eliminate dupes. But if, as Jerry reported, there were at least two variants of sobig.f, with at least two or more different address lists, this might not be a done deal, as already said. I merely seek info as to whether or not Jerry's findings have been verified by anyone else, and if so, if these addresses too had been nullified, or is there yet more to come?
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html