Re: [tor-talk] Many more Tor users in the past week?
So here are some basic facts about the server that's distributing the
purported botnet file:

* They're running Ubuntu 9.04 & nginx 1.1.19
* OpenSSH is set up on the server
* The SSL cert is a wildcard from GoDaddy, issued for *.xecu.net,
  created on 11 Feb 2013. (probably for the mail server at mail-in01.xecu.net)
* Ports 80, 22, & 25 are open. 53, 135, 139, & 445 are filtered but open
* Also hosted at this IP address is proaccvehicles.com, which may or
  may not be related to the site distributing malware.

Has anyone had a chance to actually tear into the tc.c1 file yet?
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk