Japied

Well-Known Member
Joined
Feb 24, 2009
Messages
405
Anyone notice that the DSTV and SuperSport websites are also down or inaccessible?
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
I would honestly be worried about some of the gov sites having port 3306 wide open with default userid/password. Had I known this sooner, then I would not have needed 13 attempts and 10 years in getting my first ID book. Just looking at Sita's ASN (note to Sita lawyers: this is not hacking) shows some shocking results.

If Sita engineers are still looking - here is my take:

IP Address ###.###.###.### is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-04-30 10:00 GMT (+/- 30 minutes), approximately 2 hours ago.

This IP address is infected with, or is NATting for a machine infected with the ZeuS trojan, also known as "Zbot" and "WSNPoem".

ZeuS is a malicious software (malware) used by cybercriminals to commit ebanking fraud and steal sensitive personal data, such as credentials (username, password) for online services (email, webmail, etc.).

The infection was detected by observing this IP address attempting to make contact to a ZeuS Command and Control server (C&C), a central server used by the criminals to control with ZeuS infected computers (bots).

^^^ You all know what is running within the Sita network - so goodbye your data and a pity that POPI is still not active and ECT gets ignored by government institutions.

Hint:
Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 192.42.119.41 or host name sellersa.in on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to 192.42.119.41 or sellersa.in. Ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

And a bit of Bitcoin mining going on also:
IP Address ###.###.###.### is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-04-28 00:00 GMT (+/- 30 minutes), approximately 2 days, 12 hours ago.

This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef. It is most often used for bitcoin mining or click fraud, but as it contains a downloader portion, it can do anything.

If this IP address is a NAT gateway, it should be possible to find which computer on your internal network is infected by implementing a filter on your firewall to detect and log attempts to send UDP packets to the Internet with a destination port number of 16470.
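The CBL notices quoted above give two concrete ways to find an infected host behind a NAT: look for DNS or proxy references to the ZeuS C&C (192.42.119.41 / sellersa.in), and look for outbound UDP to destination port 16470 for ZeroAccess. The script below is an added example (not part of this post or of the CBL's own tooling) that runs those two checks over log lines. The log formats are assumed: a BIND-style DNS query log, a Squid-style proxy access log and an iptables-style firewall log; the sample lines and the internal 10.0.5.x addresses are constructed for the example.

```python
"""Find NAT-internal hosts matching the CBL indicators quoted in the thread.

Added example; log formats (BIND query log, Squid access log, iptables log)
are assumptions, and the sample lines below are constructed.
"""
import re
from urllib.parse import urlparse

# Indicators taken from the CBL listings quoted in the post
ZEUS_C2_IP = "192.42.119.41"
ZEUS_C2_HOST = "sellersa.in"
ZEROACCESS_UDP_PORT = 16470

# Constructed sample logs (hypothetical internal hosts 10.0.5.x)
SAMPLE_DNS_LOG = """\
30-Apr-2014 09:41:12.003 client 10.0.5.23#51234: query: www.example.org IN A +
30-Apr-2014 09:41:55.118 client 10.0.5.77#49152: query: sellersa.in IN A +
30-Apr-2014 09:42:01.500 client 10.0.5.23#51240: query: mail.example.org IN MX +
"""

SAMPLE_PROXY_LOG = """\
1398850871.112    245 10.0.5.23 TCP_MISS/200 1024 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
1398850901.334    120 10.0.5.77 TCP_MISS/200 512 GET http://192.42.119.41/gate.php - DIRECT/192.42.119.41 text/html
"""

SAMPLE_FW_LOG = """\
Apr 28 00:01:12 gw kernel: OUT=eth0 SRC=10.0.5.88 DST=198.51.100.9 PROTO=UDP SPT=51877 DPT=16470 LEN=44
Apr 28 00:01:13 gw kernel: OUT=eth0 SRC=10.0.5.23 DST=198.51.100.53 PROTO=UDP SPT=33011 DPT=53 LEN=60
"""

# BIND-style query log: "client <ip>#<port>: query: <qname> IN <type> ..."
DNS_RE = re.compile(r"client (?P<client>[^#\s]+)#\d+: query: (?P<qname>\S+) IN")
# iptables-style log: "... SRC=<ip> ... PROTO=<proto> ... DPT=<port> ..."
FW_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def _is_zeus_c2(name):
    """True if a host name or literal IP refers to the ZeuS C&C.

    The CBL text says the identifying traffic is NOT on port 25, so the match
    is on the destination host alone, whatever port was used.
    """
    name = name.rstrip(".").lower()
    return (name == ZEUS_C2_IP or name == ZEUS_C2_HOST
            or name.endswith("." + ZEUS_C2_HOST))


def find_zeus_suspects(dns_log, proxy_log):
    """Internal clients that resolved or fetched from the ZeuS C&C."""
    suspects = set()
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and _is_zeus_c2(m.group("qname")):
            suspects.add(m.group("client"))
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) < 7:          # not a complete Squid access line
            continue
        client, url = fields[2], fields[6]
        host = urlparse(url).hostname or ""
        if _is_zeus_c2(host):
            suspects.add(client)
    return suspects


def find_zeroaccess_suspects(fw_log):
    """Internal sources sending UDP to destination port 16470 (ZeroAccess)."""
    suspects = set()
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if (m and m.group("proto").upper() == "UDP"
                and int(m.group("dpt")) == ZEROACCESS_UDP_PORT):
            suspects.add(m.group("src"))
    return suspects


if __name__ == "__main__":
    print("ZeuS suspects:", sorted(find_zeus_suspects(SAMPLE_DNS_LOG, SAMPLE_PROXY_LOG)))
    print("ZeroAccess suspects:", sorted(find_zeroaccess_suspects(SAMPLE_FW_LOG)))
```

On the constructed samples the DNS/proxy check points at 10.0.5.77 and the UDP/16470 check at 10.0.5.88; in practice you would feed the script your real query, proxy and firewall logs and then pull the named machines off the network for cleaning.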