[Dshield] virus tracking

ptds@majordomo.thedacare.org ptds at majordomo.thedacare.org
Fri Nov 11 01:50:32 GMT 2005


I was tracking a recent virus hit, looking up some of the hosts that the 
program phoned home to.


This one was sort of amusing; this is the log I was tracking:
05 15:15:04: %PIX-5-304001: 172.16.6.149 Accessed URL 72.20.15.18:/index.php
05 16:09:06: %PIX-5-304001: 172.16.6.149 Accessed URL 72.20.15.18:/index.php

Here's what dig says for reverse lookup.

dig -x 72.20.15.18

; <<>> DiG 9.3.1 <<>> -x 72.20.15.18
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2090
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;18.15.20.72.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
18.15.20.72.in-addr.arpa. 3288  IN      PTR     i.have.a.botnet.cause.bill.gates.has.0security.info.

;; Query time: 84 msec
;; SERVER: 172.16.0.61#53(172.16.0.61)
;; WHEN: Thu Nov 10 19:49:57 2005
;; MSG SIZE  rcvd: 107
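The procedure in the post (pull the phone-home destinations out of PIX 304001 log lines, then resolve each one with a reverse lookup) can be scripted so that every destination a host contacted is tallied and annotated with its PTR name in one pass. The following is an added example, not code from the original post or from DShield; it assumes the 304001 lines carry no optional user field (as in the lines above) and uses a constructed offline resolver table, seeded with the PTR value from the dig output, so it runs without network access. Swap in `reverse_lookup` to query the real resolver.

```python
import re
import socket

# Cisco PIX/ASA message 304001 in the form shown in the post:
#   "<timestamp>: %PIX-5-304001: <src> Accessed URL <dst>:<url>"
# Assumption: no optional user field precedes the source address.
PIX_304001 = re.compile(
    r"%PIX-5-304001:\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+Accessed URL\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<url>\S*)"
)


def parse_pix_url_log(lines):
    """Yield (src, dst, url) for every 304001 line; other message ids are skipped."""
    for line in lines:
        m = PIX_304001.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("url")


def reverse_lookup(ip):
    """PTR lookup through the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def summarize_destinations(lines, resolver=reverse_lookup):
    """Group 304001 events by destination: hit count, internal sources, URLs, PTR name."""
    by_dst = {}
    for src, dst, url in parse_pix_url_log(lines):
        entry = by_dst.setdefault(
            dst, {"hits": 0, "sources": set(), "urls": set(), "ptr": None}
        )
        entry["hits"] += 1
        entry["sources"].add(src)
        entry["urls"].add(url)
    # One lookup per distinct destination, not per log line.
    for dst, entry in by_dst.items():
        entry["ptr"] = resolver(dst)
    return by_dst


# Constructed sample: the two lines from the post plus an unrelated
# connection message that the parser must ignore.
SAMPLE_LOG = [
    "05 15:15:04: %PIX-5-304001: 172.16.6.149 Accessed URL 72.20.15.18:/index.php",
    "05 15:20:11: %PIX-6-302013: Built outbound TCP connection 4711 for outside:10.0.0.1/80",
    "05 16:09:06: %PIX-5-304001: 172.16.6.149 Accessed URL 72.20.15.18:/index.php",
]

# Constructed offline resolver table; the PTR value is the one dig returned in the post.
OFFLINE_PTR = {"72.20.15.18": "i.have.a.botnet.cause.bill.gates.has.0security.info"}


def offline_resolver(ip):
    """Stand-in for reverse_lookup() so the example runs without DNS access."""
    return OFFLINE_PTR.get(ip)


if __name__ == "__main__":
    for dst, info in summarize_destinations(SAMPLE_LOG, offline_resolver).items():
        print(
            f"{dst}  hits={info['hits']}  sources={sorted(info['sources'])}  "
            f"urls={sorted(info['urls'])}  ptr={info['ptr']}"
        )
```

Running it over a full day of firewall logs gives a short table of external hosts, how many internal machines talked to each, and a PTR name that is often enough on its own to flag a destination for a block rule or a closer look.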
