What is "MALWARE-OTHER Double HTTP Server declared" IDS alert?

Site seems down now, but see: http://urlquery.net/report.php?id=2022422
Interesting find here: http://pastebin.com/gE1sx7wT
About that mass infection here: http://malwaremustdie.blogspot.nl/2013/04/kelihos-via-redkit-infection-following.html (link authors = malware crusaders)

polonus

For one of these IDS alerted IPs see: https://www.virustotal.com/en/ip-address/86.100.248.81/information/
Dictionary attacker - 74 bad events - http://dnsbl.inps.de/query.cgi?lang=en&ip=86.100.248.81
Unable to properly scan your site. Site empty (no content). *Cached results from more than 2 days ago.
Blacklisted: http://www.siteadvisor.com/sites/86.100.248.81
and http://siteinspector.comodo.com/public/reports/show_history?id=11141466&type=1

pol

What is "MALWARE-OTHER Double HTTP Server declared" IDS alert?
have you checked snort website for info?

Hi Pondus,

My best guess is botnet-related, category "other malware", particularly for a Bancos outward connection. We know, my friend Pondus, that Bancos detection wasn't avast!'s strongest side, as Tech has reported on many occasions. Hope that situation has now improved…

polonus

If you look at a packet it shows two Server headers. In this one at least there is an Apache server and an nginx server.

…E…+…@.o./iYu…
'.-.P.P!.?..E.P…Hs…HTTP/1.1 200
Server: Apache
Content-Length: 229
Content-Type:
Last-Modified: …, 01 … 2013 23:06:45 GMT
Accept-Ranges: bytes
Server:nginx/1.2.6
Date:Thu, 01 Aug 2013 13:06:44 GMT
Last-Modified:Thu, 01 Aug 2013 13:06:45 GMT
Accept-Ranges:bytes
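The condition the post above describes (one HTTP response carrying the Server header twice) can be checked directly on a captured response. The following is an added example, not code from the forum thread or from the Snort rule itself; it only counts Server headers, so it does not reproduce whatever other conditions the real rule may apply. The sample response is constructed here, patterned on the headers quoted in the post (the binary TCP/IP bytes are dropped, and the elided first Last-Modified value is replaced with the second one).

```python
"""Added example: flag HTTP responses that declare the Server header more
than once.  Standard library only; samples are constructed, not captured."""

from typing import List, Tuple

# Constructed sample, patterned on the headers quoted in the post above.
DOUBLE_SERVER_RESPONSE = (
    b"HTTP/1.1 200\r\n"
    b"Server: Apache\r\n"
    b"Content-Length: 229\r\n"
    b"Content-Type:\r\n"
    b"Last-Modified: Thu, 01 Aug 2013 13:06:45 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Server:nginx/1.2.6\r\n"            # no space after the colon, as posted
    b"Date:Thu, 01 Aug 2013 13:06:44 GMT\r\n"
    b"Last-Modified:Thu, 01 Aug 2013 13:06:45 GMT\r\n"
    b"Accept-Ranges:bytes\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Constructed benign response: a single Server header, as a normal server sends.
SINGLE_SERVER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.2.6\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into its status line and a list of
    (name, value) pairs.  Names are lower-cased and values stripped, so
    'Server: Apache' and 'Server:nginx/1.2.6' are treated alike.
    Bare LF line endings are tolerated; lines without a colon are ignored."""
    text = raw.decode("latin-1")               # header bytes, no decoding errors
    head, _sep, _body = text.partition("\r\n\r\n")
    lines = head.replace("\r\n", "\n").split("\n")
    status = lines[0].strip()
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, colon, value = line.partition(":")
        if not colon:
            continue                           # malformed line, skip it
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def server_headers(raw: bytes) -> List[str]:
    """Return every Server header value in the response, in wire order."""
    _status, headers = parse_headers(raw)
    return [value for name, value in headers if name == "server"]


def double_server_declared(raw: bytes) -> bool:
    """True when the response declares Server more than once, which is the
    condition the 'Double HTTP Server declared' alert is named for."""
    return len(server_headers(raw)) > 1


if __name__ == "__main__":
    for label, sample in (("posted", DOUBLE_SERVER_RESPONSE),
                          ("benign", SINGLE_SERVER_RESPONSE)):
        print(label, server_headers(sample), double_server_declared(sample))
```

Run against the constructed sample this returns the two values from the post, `Apache` and `nginx/1.2.6`, and flags it; the single-header response is not flagged. Because the check counts the header rather than inspecting its value, a legitimate proxy chain that collapses both products into one Server line would pass, while a response with the same value repeated twice would still trigger.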