[Emerging-Sigs] famatech/radmin on RBN list?

Matt Jonkman jonkman at jonkmans.com
Fri Jan 9 16:50:57 EST 2009


Pulling them off the list pending looking deeper into it. Thanks for the
report!

Matt

Michael Scheidell wrote:
> owners of the legitimate administration tool 'radmin' are not associated 
> with the RBN.  I have had good conversations with their security folk up 
> there in the past.
> 
> 01/09-16:32:53 TCP 198.63.210.130:80 --> 192.168.100.188:4074
> [1:2407012:101] ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13)
> 
> host fam4.famatech.com
> fam4.famatech.com has address 198.63.210.130
> 
> I don't think they share a netblock with anyone.
> 
> anyone using radmin and trying to get an update might get blocked for a 
> day (and it looks like you have it in two lists? 13 and 14?)
> 
> grep 198.63.210 /etc/snort/rules/*
> /etc/snort/rules/emerging-rbn-BLOCK.rules:alert ip 
> [195.42.103.91,195.5.116.0/24,195.5.117.0/24,195.64.140.0/23,195.64.162.0/23,195.64.190.1,195.66.132.0/24,195.95.218.0/23,196.2.198.240,198.63.210.0/24] 
> any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network 
> Monitored Domains - BLOCKING (13)"; 
> reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; 
> threshold: type limit, track by_src, seconds 60, count 1; 
> classtype:misc-attack; sid:2407012; rev:101; fwsam: src, 24 hours;)
> 
> /etc/snort/rules/emerging-rbn-BLOCK.rules:alert ip 
> [198.63.210.123,198.63.211.208,198.63.211.8,199.237.229.158,200.115.160.0/20,200.155.17.172,200.46.83.245,200.63.42.136,200.63.42.141,200.63.42.81] 
> any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network 
> Monitored Domains - BLOCKING (14)"; 
> reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; 
> threshold: type limit, track by_src, seconds 60, count 1; 
> classtype:misc-attack; sid:2407013; rev:101; fwsam: src, 24 hours;)
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
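An added check for the question raised in the quoted report (which of the two BLOCKING rules actually covers fam4.famatech.com, and whether the lists overlap). This is illustration code written for this thread, not Emerging Threats tooling; it parses the two rule lines quoted above (re-joined to one line each, since the mail client had wrapped them) with Python's standard `ipaddress` module and reports every sid whose source list contains a given address, plus any entry in one rule that is already inside a wider block of another. The function names `parse_rules`, `matching_sids` and `shadowed_entries` are assumptions of this example.

```python
"""Which ET RBN BLOCK rules cover a given source IP, and where do the lists overlap?

Added illustration for the thread above; constructed input, not ET tooling.
"""
import ipaddress
import re

# Constructed excerpt: the two rules quoted in the thread, one per line.
RULES_TEXT = """
alert ip [195.42.103.91,195.5.116.0/24,195.5.117.0/24,195.64.140.0/23,195.64.162.0/23,195.64.190.1,195.66.132.0/24,195.95.218.0/23,196.2.198.240,198.63.210.0/24] any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2407012; rev:101; fwsam: src, 24 hours;)
alert ip [198.63.210.123,198.63.211.208,198.63.211.8,199.237.229.158,200.115.160.0/20,200.155.17.172,200.46.83.245,200.63.42.136,200.63.42.141,200.63.42.81] any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2407013; rev:101; fwsam: src, 24 hours;)
"""

# Header: "alert ip [src list] any -> $HOME_NET any (options)"
RULE_RE = re.compile(
    r'^alert\s+ip\s+\[([^\]]+)\]\s+\S+\s+->\s+\S+\s+\S+\s+\((?P<opts>.*)\)\s*$'
)


def parse_rules(text):
    """Return one dict per rule: sid, msg and the parsed source networks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("alert"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised rule line: %s" % line[:60])
        opts = m.group("opts")
        sid = int(re.search(r'sid:\s*(\d+)', opts).group(1))
        msg = re.search(r'msg:"([^"]*)"', opts).group(1)
        # Bare addresses become /32 networks so every entry is comparable.
        nets = [ipaddress.ip_network(s.strip(), strict=False)
                for s in m.group(1).split(",")]
        rules.append({"sid": sid, "msg": msg, "networks": nets})
    return rules


def matching_sids(rules, ip):
    """SIDs whose source list contains ip, in rule order."""
    addr = ipaddress.ip_address(ip)
    return [r["sid"] for r in rules if any(addr in n for n in r["networks"])]


def shadowed_entries(rules):
    """Entries of one rule that already sit inside a wider block of another.

    A host covered by such an entry fires two blocking alerts (and two
    fwsam blocks) instead of one; returns (entry, its sid, wider net, its sid).
    """
    found = []
    for r in rules:
        for net in r["networks"]:
            for other in rules:
                if other is r:
                    continue
                for wide in other["networks"]:
                    if wide.prefixlen < net.prefixlen and net.subnet_of(wide):
                        found.append((str(net), r["sid"], str(wide), other["sid"]))
    return found


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # fam4.famatech.com resolved to 198.63.210.130 in the report above.
    for ip in ("198.63.210.130", "198.63.210.123", "192.168.100.188"):
        print(ip, "->", matching_sids(rules, ip))
    for entry, sid, wide, wide_sid in shadowed_entries(rules):
        print("%s in sid %d is already inside %s of sid %d" % (entry, sid, wide, wide_sid))
```

Run against the quoted rules, the famatech host matches only sid 2407012 (through the 198.63.210.0/24 entry in list 13); it is the single address 198.63.210.123 in list 14 that sits inside that /24 and so is listed twice. The same parser can be pointed at a whole `emerging-rbn-BLOCK.rules` file to review which vendor update hosts a broad /24 would catch before the `fwsam: src, 24 hours` action blocks them.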



