Introduction
This report is compiled from URLs captured in botnet communications. These URLs could be updates for a botnet, a link to something that the criminals thought was interesting, or even vacation pictures of the criminals. Because it is difficult to know what value any specific URL may have to anyone, no whitelisting is applied to filter the information. This means that the report will include sources of criminal behavior and many times more innocent links. All of it has value, in that even the innocent links might provide valuable intelligence on what the criminals are looking toward or are interested in.
Note that all timestamps are in UTC+0.
Fields
| Field | Description |
| Date | Date of the event in UTC+0 |
| Time | Time of the event in UTC+0 |
| C&C | The IP address of the Command and Control system that the URL was seen in. |
| C&C Port | The port of the C&C |
| C&C ASN | ASN of the C&C |
| C&C Geo | Country that the C&C resides in |
| Channel | The channel name that the URL was seen within |
| URL | The actual URL that was seen |
| URL ASN | ASN of the location of the URL |
| ASN GEO | Country location of the URL |
| MD5 | The MD5 of the binary that was downloaded from that URL, if there was one to be downloaded |
Sample
"Date","Time","C&C","C&C Port","C&C ASN","C&C Geo","Channel","URL","URL ASN","URL Geo","MD5" "2008-11-03","00:00:01","66.176.218.54",25999,20214,"US","##time##","http://mdprogram.com/html/commonquestions.shtml",33070,"US","" "2008-11-03","00:00:02","66.176.218.54",25999,20214,"US","##time##","http://www.am.poznan.pl/eng/index.php?strona=3_298_1072544873&am=307",9112,"PL","" "2008-11-03","00:00:04","66.176.218.54",25999,20214,"US","##time##","http://www.gfforums.com/",32244,"US","" "2008-11-03","00:00:17","71.6.216.17",6667,10439,"US","","http://www.cmwebhosting.net",10439,"US","" "2008-11-03","00:00:26","67.202.83.179",6667,32748,"US","","http://kline.rizon.net",29761,"US","" "2008-11-03","00:00:26","67.202.83.179",6667,32748,"US","","http://kline.rizon.net",29761,"US","" "2008-11-03","00:00:35","67.202.83.179",6667,32748,"US","","http://kline.rizon.net",29761,"US","" "2008-11-03","00:01:25","193.200.193.4",6667,25486,"DE","","http://www.cmwebhosting.net",10439,"US","" "2008-11-03","00:01:58","67.202.83.179",6667,32748,"US","","http://dnsbl.rizon.net/lookup.php?ip=91.93.132.62",22822,"US","" "2008-11-03","00:02:56","72.20.24.12",6667,25761,"US","#TEST","http://forums.ice-pirate.net/",0,"-","" "2008-11-03","00:14:55","148.243.143.250",6667,6503,"MX","##nohack##","http://www.myspace.com/",33739,"US","" "2008-11-03","00:14:55","148.243.143.250",6667,6503,"MX","##nohack##","ftp://pemex@63.171.93.162",1239,"US","" "2008-11-03","00:14:55","148.243.143.250",6667,6503,"MX","##nohack##","http://seafight.bigpoint.com/",15598,"DE","" "2008-11-03","00:14:56","148.243.143.250",6667,6503,"MX","##nohack##","ftp://alejandra_1012@200.57.128.172",19373,"MX","" "2008-11-03","00:14:57","148.243.143.250",6667,6503,"MX","##nohack##","http://amigos.com/go/page/standard_login.html",3561,"US","" "2008-11-03","00:14:58","148.243.143.250",6667,6503,"MX","##nohack##","http://www.metroflog.com/wendyta08",32400,"US","" 
"2008-11-03","00:14:58","148.243.143.250",6667,6503,"MX","##nohack##","http://35.42.42.42/PublicPort/PP-Login",237,"US",""


