[152377] in North American Network Operators' Group

Re: Operation Ghost Click

daemon@ATHENA.MIT.EDU (Sam Tetherow)
Fri Apr 27 13:23:20 2012

Date: Fri, 27 Apr 2012 12:22:10 -0500
From: Sam Tetherow <tetherow@shwisp.net>
To: nanog@nanog.org
In-Reply-To: <CA+qj4S9yFMCSAbuE6nOBS9QFX=em-BX-c5C4D5aZJeeROxc=xA@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 04/26/2012 05:00 PM, Andrew Latham wrote:
> On Thu, Apr 26, 2012 at 5:57 PM, Kyle Creyts<kyle.creyts@gmail.com>  wrote:
>> http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
>>
>> On Apr 26, 2012 5:48 PM, "Leigh Porter"<leigh.porter@ukbroadband.com>
>> wrote:
>>>
>>> On 26 Apr 2012, at 22:47, "Andrew Latham"
>>> <lathama@gmail.com<mailto:lathama@gmail.com>>  wrote:
>>>
>>>
>>> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart
>>> <jeroen@mompl.net<mailto:jeroen@mompl.net>>  wrote:
>>>
>>> Yes it's a major problem for the users unknowingly infected.  To them
>>> it will look like their Internet connection is down.  Expect ISPs to
>>> field lots of support s
>>>
>>> Is there a list of these temporary servers so I can see what customers are
>>> using them (indicating infection) and head off a support call with some
>>> contact?
>>>
>>> --
>>> Leigh
> 85.255.112.0 through 85.255.127.255
> 67.210.0.0 through 67.210.15.255
> 93.188.160.0 through 93.188.167.255
> 77.67.83.0 through 77.67.83.255
> 213.109.64.0 through 213.109.79.255
> 64.28.176.0 through 64.28.191.255
>
Or for those that don't want to do the math, here they are in CIDR notation

85.255.112.0/20
67.210.0.0/20
93.188.160.0/21
77.67.83.0/24
213.109.64.0/20
64.28.176.0/20
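
Added example, not part of the original post: a Python sketch that derives the CIDR blocks above from the quoted first-last ranges and then flags customers whose port-53 traffic goes to those blocks, which is the check asked about earlier in the thread. The flow-record format (`src dst proto dport`) and the sample records are constructed for illustration; adapt the parsing to whatever your flow or resolver logs actually emit.

```python
import ipaddress

# Ranges exactly as quoted in the thread (first address, last address).
RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

def to_cidrs(ranges):
    """Collapse each first-last range into its minimal CIDR blocks."""
    ip = ipaddress.ip_address
    return [net for first, last in ranges
            for net in ipaddress.summarize_address_range(ip(first), ip(last))]

NETWORKS = to_cidrs(RANGES)

def flagged_customers(flow_lines, networks=NETWORKS):
    """Map customer IP -> sorted resolvers it queried (port 53) inside the ranges."""
    hits = {}
    for line in flow_lines:
        fields = line.split()
        if len(fields) != 4:          # skip malformed records
            continue
        src, dst, _proto, dport = fields
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:            # skip unparseable destination addresses
            continue
        if dport == "53" and any(dst_ip in net for net in networks):
            hits.setdefault(src, set()).add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}

# Constructed sample flow records (hypothetical format: "src dst proto dport").
SAMPLE = """\
192.0.2.10 85.255.113.7 udp 53
192.0.2.10 8.8.8.8 udp 53
192.0.2.22 64.28.191.255 udp 53
192.0.2.33 64.28.192.1 udp 53
192.0.2.44 77.67.83.9 tcp 443
192.0.2.10 93.188.166.2 tcp 53
garbage line
""".splitlines()

if __name__ == "__main__":
    print([str(n) for n in NETWORKS], flagged_customers(SAMPLE))
```
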

