[Emerging-Sigs] Blackhole served via Yahoo

Martin Holste mcholste at gmail.com
Mon Dec 17 09:20:58 HAST 2012


That's definitely what's being dropped, but we haven't blocked due to so
many legit pages on that IP.  Any idea how long they've been on your
blacklist for?


On Mon, Dec 17, 2012 at 1:18 PM, Joel Esler <jesler at sourcefire.com> wrote:

> We have those IPs listed in our blacklist from 6 different sources as
> dropping Zeus.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Dec 17, 2012, at 1:57 PM, Martin Holste <mcholste at gmail.com> wrote:
>
> We saw a kit alert on 98.139.135.21 and 98.139.135.22 with signatures like
> Blackhole sig 1:2015487:9.  Passive DNS is showing lots of legit sites but
> even more malicious DGA-style sites pointing to those IPs, so I'm
> wondering if this is a simple matter of abusing Yahoo's hosting, or
> something more complicated going on.  It's rare for us to see major sites
> like Yahoo hosting malicious code (usually it's more like GoDaddy, The
> Planet, etc.).  Is anyone else seeing hits for these?
>
> Thanks,
>
> Martin

