This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] Is the Atlas probe hackable?
Hank Nussbacher
hank at efes.iucc.ac.il
Wed Jul 6 12:45:14 CEST 2016
On 06/07/2016 09:56, Daniel Karrenberg wrote:

It is indeed a FP. There was a collision between a variant of the Tinba DGA and a legit domain - thinksquare.net. As you can see in the link below, a lot of malware samples communicated with thinksquare.net on the exact same day.

https://www.virustotal.com/en/domain/thinksquare.net/information/

-Hank

> I am positive tinba cannot run on the probes.
>
> So either that IDS is brain damaged or some joker made a UDM that acts
> like tinba or both. What Marc said: the 'CnC' appears to be at the root
> name servers. Queue conspiracy theory .....
>
> Daniel
>
> On 5.07.16 14:15 , Hank Nussbacher wrote:
>> I received a report from one of our security monitoring systems about
>> one of our probes (#17846) - https://atlas.ripe.net/probes/17846/ which
>> appears to be infected with Tinba:
>>
>>
>>> Security incident #1 - Tinba infection
>>> Involved internal Hosts:
>>> atlas-probe.cc.biu.ac.il 132.70.248.150 spotted since
>>> 2016-06-30
>>> 23:58:54 till 2016-07-01 05:01:20
>>> Malicious activities found:
>>> Tinba infection
>>> related indication of compromise:
>>> Communication with CnC
>>> 192.112.36.4
>>> 192.203.230.10
>>> 192.228.79.201
>>> 192.33.4.12
>>> 192.36.148.17
>>> 193.0.14.129
>>> 198.41.0.4
>>> 198.97.190.53
>>> 199.7.83.42
>>> 199.7.91.13
>>> 202.12.27.33
>>
>> Should we be worried?
>>
>>
>> Thanks,
>>
>> Hank