[Emerging-Sigs] RBN 123.123.123.123

James McQuaid jim.mcquaid at gmail.com
Wed Oct 20 23:45:37 EDT 2010


Hello James,

123.123.123.123 is currently listed for phishing.  McAfee Trusted Source
classifies it as "High Risk":
http://www.trustedsource.org/query/123.123.123.123

The IP has a long history of malware. For example, in 2008, Olympics themed
spam linking to malware (spammed address lacked a domain:
hxxp:///123.123.123.123/dhjeuaUhskw/special_surprise) bombarded the West.

Back in the day, a particular vendor had a training example using the
address.  The bad guys picked up on it.

Google "123.123.123.123 + malware" if you want to learn more.

James McQuaid


> Message: 4
> Date: Wed, 20 Oct 2010 12:54:45 -0600
> From: "Lay, James" <james.lay at wincofoods.com>
> Subject: Re: [Emerging-Sigs] FP 2406011
> To: <emerging-sigs at emergingthreats.net>
> Message-ID:
>        <9CD7E26FAC8E2D4F9778A1609AE132CF21EE93 at goexchange.go.winco.local>
> Content-Type: text/plain; charset="us-ascii"
>
> Looking at the packet, investigating the port, and packet capturing
> additional, unrelated packets (netbios-ns from 192.168.0.66 looking for
> HPE8854A), led me to believe that this is most likely a
> default/misconfigured printer driver on a Windows machine looking for an
> HP printer.  Though the rule does match the 123 network, I do not
> believe this was actually RBN traffic, so I posted it here.  Hope that
> helps.
>
>
>
> James
>
>
>
> From: emerging-sigs-bounces at emergingthreats.net
> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Michael
> Scheidell
> Sent: Wednesday, October 20, 2010 12:06 PM
> To: emerging-sigs at emergingthreats.net
> Subject: Re: [Emerging-Sigs] FP 2406011
>
>
>
> On 10/20/10 1:15 PM, Lay, James wrote:
>
> Rule hit:
>
> Oct 20 11:11:34 10.21.10.2 snort[14899]: [1:2406011:193] ET RBN Known
> Russian Business Network IP UDP (6) [Classification: Misc Attack]
> [Priority: 2] {UDP} 192.168.0.66:427 -> 123.123.123.123:427
>
>
>
> Rule:
>
> alert udp [122.228.201.68,122.228.201.69,122.228.201.70,122.228.201.71,
> 122.228.201.72,122.228.201.73,122.228.201.74,122.228.201.75,
> 122.70.145.130,122.70.145.135,122.70.145.140,122.70.145.146,
> 122.70.145.148,122.70.145.184,123.123.123.123,123.172.6.202,
> 123.201.38.247,123.236.191.162,123.30.179.163,124.109.3.135]
> any <> $HOME_NET any (msg:"ET RBN Known Russian Business Network IP UDP (6)";
> reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork;
> threshold: type limit, track by_src, seconds 60, count 1;
> classtype:misc-attack; sid:2406011; rev:193;)
>
>
>
> why is this an FP?
>
> Is 123.123.123.123 some internal IP address that you should not be
> using?
> Do you have some inside information on why this IP, on this netblock in
> China, should not be listed in the RBN list?
>
>
>
>
> Packet dump:
>
> 11:11:31.480668 IP 192.168.0.66.427 > 123.123.123.123.427: UDP, length 44
>
>        0x0000:  4500 0048 4d25 0000 8011 359f c0a8 0042  E..HM%....5....B
>        0x0010:  7b7b 7b7b 01ab 01ab 0034 50d2 0106 002c  {{{{.....4P....,
>        0x0020:  0000 656e 0003 a652 0000 0018 7365 7276  ..en...R....serv
>        0x0030:  6963 653a 782d 6870 6e70 2d64 6973 636f  ice:x-hpnp-disco
>        0x0040:  7665 723a 0000 0000                      ver:....
>
>
>
>
>
> if you use NETWORK ROUTABLE IP ADDRESSES for your INTERNAL USE, all bets
> are off.
> threshold or bpf it.
>
>
>
> --
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> ISN: 1259*1300
> SECNAP Network Security Corporation
>
>
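To see what sid 2406011 actually matched here, the packet dump from the thread can be decoded directly. The following is an added example, not code from the original post or from Emerging Threats: it parses the tcpdump hex quoted above (embedded as a string), decodes the IPv4 and UDP headers and the SLP payload per RFC 2165 (SLPv1), and reproduces the rule header's bidirectional IP test against the address list quoted in the rule. $HOME_NET is assumed to be 192.168.0.0/16, which the post does not state.

```python
"""Decode the UDP/427 packet quoted in the thread and replay the rule's IP test.

Added example, not code from the original post or from Emerging Threats.
The hex dump is the one quoted above, the IP list is the one in sid 2406011
rev 193 as quoted, and the SLP layout follows RFC 2165 (SLPv1).
"""
import ipaddress
import struct

# tcpdump hex from the quoted message (offset and ASCII columns dropped).
PACKET_HEX = (
    "4500 0048 4d25 0000 8011 359f c0a8 0042 "
    "7b7b 7b7b 01ab 01ab 0034 50d2 0106 002c "
    "0000 656e 0003 a652 0000 0018 7365 7276 "
    "6963 653a 782d 6870 6e70 2d64 6973 636f "
    "7665 723a 0000 0000"
)

# Address list from the quoted rule header: alert udp [list] any <> $HOME_NET any
RULE_IPS = frozenset(ipaddress.ip_address(a) for a in (
    "122.228.201.68,122.228.201.69,122.228.201.70,122.228.201.71,"
    "122.228.201.72,122.228.201.73,122.228.201.74,122.228.201.75,"
    "122.70.145.130,122.70.145.135,122.70.145.140,122.70.145.146,"
    "122.70.145.148,122.70.145.184,123.123.123.123,123.172.6.202,"
    "123.201.38.247,123.236.191.162,123.30.179.163,124.109.3.135").split(","))

HOME_NET = ipaddress.ip_network("192.168.0.0/16")  # assumption; not stated in the thread

# SLP function IDs (RFC 2165 section 4.1; RFC 2608 uses the same values).
SLP_FUNCTIONS = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg",
                 5: "SrvAck", 6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert",
                 9: "SrvTypeRqst", 10: "SrvTypeRply"}


def _inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a header that carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _lp_string(buf: bytes, off: int) -> tuple:
    """Read one SLPv1 length-prefixed (16-bit big-endian) string starting at off."""
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    return buf[off:off + n].decode("ascii"), off + n


def parse_slp_v1(payload: bytes) -> dict:
    """Decode the 12-byte SLPv1 header and, for AttrRqst, its body (RFC 2165 section 10)."""
    version, function, length, _flags, _dialect, lang, charset, xid = \
        struct.unpack_from("!BBHBB2sHH", payload, 0)
    if version != 1 or length != len(payload):
        raise ValueError("not a well-formed SLPv1 message")
    msg = {"version": version, "function": SLP_FUNCTIONS.get(function, function),
           "lang": lang.decode("ascii"), "charset": charset, "xid": xid}
    if function == 6:  # AttrRqst body: prev-responder list, URL, scope list, select list
        off = 12
        for field in ("prev_responders", "url", "scopes", "select"):
            msg[field], off = _lp_string(payload, off)
    return msg


def parse_packet(hexdump: str) -> dict:
    """Decode IPv4 + UDP from a tcpdump hex dump and hand the payload to the SLP decoder."""
    raw = bytes.fromhex(hexdump)
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", raw, 0)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or total_len != len(raw):
        raise ValueError("expected a complete IPv4/UDP datagram")
    sport, dport, ulen, _ucsum = struct.unpack_from("!HHHH", raw, ihl)
    payload = raw[ihl + 8:ihl + ulen]
    return {
        "src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
        "ttl": ttl, "ip_checksum_ok": _inet_checksum(raw[:ihl]) == 0,
        "sport": sport, "dport": dport, "udp_payload_len": len(payload),
        "slp": parse_slp_v1(payload),
    }


def rule_matches(src: str, dst: str) -> bool:
    """The '<>' operator fires in either direction: listed IP on one side, HOME_NET on the other."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in RULE_IPS and d in HOME_NET) or (d in RULE_IPS and s in HOME_NET)


if __name__ == "__main__":
    pkt = parse_packet(PACKET_HEX)
    print(pkt)
    print("sid 2406011 fires:", rule_matches(pkt["src"], pkt["dst"]))
```

Running it shows the payload is an SLPv1 AttrRqst (function 6, XID 0xa652, language "en") for the URL `service:x-hpnp-discover:`, sent unicast from the 192.168.0.66 host with TTL 128 to 123.123.123.123:427, and the IP header checksum verifies, so the dump is intact. That is consistent with the HP printer-discovery explanation given in the thread; SLP normally goes to the multicast group 239.255.255.253, so a unicast probe to a routable address is what a bad default or typed-in address produces. The rule header matches because the listed IP is on one side and the home network on the other, regardless of direction, so the alert is correct as written; if the source host is known and cannot be fixed, a Snort suppression such as `suppress gen_id 1, sig_id 2406011, track by_src, ip 192.168.0.66` in threshold.conf quiets it for that host only, which is the "threshold or bpf it" advice above.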