Message-ID: <Pine.GSO.4.43.0308231211580.25617-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: Sobig has a surprise...

> >
> {{{sigh}}}  They've been posted here more than once.  They're on the Sophos
> website.


{{{bigger sigh}}}

>
> But here they are again, taken from my logs, so these are verified IPs that
> Sobig.f was contacting on 8998/UDP:
>


Not all of these (any? I only looked close enough to determine that some
67.xxxxx addies are not in the list provided here) are in your listing and
are the ones referenced by Jerry Heidtke. I think you missed a few posts and misread me totally.
Of course, I do not claim this is Jerry's complete listing either; I tried
quickly to eliminate dupes. But, if as Jerry reported there were at least
two variants of Sobig.F, with at least two or more different address
lists, this might not be a done deal, as already said. I merely seek info
as to whether or not Jerry's findings have been verified by anyone else,
and if so, if these addresses too had been nullified, or is there yet more
to come?

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
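As an added example (not code from this thread or its authors), here is the cross-check Ron does by hand: it reads 8998/UDP peers both from snort "special" directory paths of the form /var/log/snort/special/<ip>/UDP:<port>-<n> and from plain ip/port lines, dedupes them, and reports which addresses appear in only one of the two lists. The sample addresses are constructed TEST-NET values, not the indicators posted in the thread.

```python
from __future__ import annotations

import re
from typing import Iterable

# Snort "special" directory entries: /var/log/snort/special/<ip>/UDP:<port>-<count>
SNORT_PATH = re.compile(
    r"^/var/log/snort/special/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/UDP:(?P<port>\d+)-\d+$"
)
# Bare "<ip>/<port>" lines, as pasted in a mail reply
IP_PORT = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)$")


def parse_endpoints(lines: Iterable[str], port: int = 8998) -> set[str]:
    """Return the unique IPs seen talking to `port` over UDP.

    Accepts either the snort-path form or the bare ip/port form; leading
    '> ' quote markers are tolerated and unrelated lines are skipped.
    """
    seen: set[str] = set()
    for raw in lines:
        line = raw.strip().lstrip("> ").strip()
        m = SNORT_PATH.match(line) or IP_PORT.match(line)
        if m and int(m.group("port")) == port:
            seen.add(m.group("ip"))
    return seen


def compare_lists(a: Iterable[str], b: Iterable[str], port: int = 8998) -> dict[str, set[str]]:
    """Dedupe both lists and split them into shared / only-in-a / only-in-b."""
    ips_a, ips_b = parse_endpoints(a, port), parse_endpoints(b, port)
    return {"both": ips_a & ips_b, "only_a": ips_a - ips_b, "only_b": ips_b - ips_a}


# Constructed sample input (TEST-NET addresses), not the thread's real indicators.
SNORT_LOG_LINES = [
    "> /var/log/snort/special/192.0.2.10/UDP:8998-1228",
    "> /var/log/snort/special/192.0.2.11/UDP:8998-1228",
    "> /var/log/snort/special/192.0.2.12/UDP:8998-1228",
    "> /var/log/snort/special/192.0.2.12/UDP:8998-1300",  # same IP, second hit count
    "> /var/log/snort/special/198.51.100.5/UDP:53-17",  # other port, ignored
]
REPORTED_LINES = ["192.0.2.10/8998", "192.0.2.12/8998", "203.0.113.7/8998", ""]

if __name__ == "__main__":
    for key, ips in compare_lists(SNORT_LOG_LINES, REPORTED_LINES).items():
        print(f"{key}: {sorted(ips)}")
```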

