[freifunk-public] FWD: [CB-Report#20250925-10001978] Malware infections in AS201701 [Ticket#433679]

Dieter Winkler via Freifunk Rheinland e.V. abuse at freifunk-rheinland.net
Thu Sep 25 12:11:42 CEST 2025


Hello Freifunk colleagues,

at least one of your users has caught the Zeus trojan. You probably cannot locate the affected person, but perhaps you can point it out at one of your internal meetings.

Best regards
Dieter
PS: If you have received this mail, please let me know.
---
Dr. Dieter Winkler
Freifunk Rheinland e. V.
Hirzenrott 2-4
52076 Aachen

[1] https://freifunk-rheinland.net
kontakt at freifunk-rheinland.net

---Beginning of forwarded message:---

> Subject: [CB-Report#20250925-10001978] Malware infections in AS201701
> Date: 25.09.2025 10:06
> From: "CERT-Bund Reports"
> To: abuse at freifunk-rheinland.net
>
> [English version below]
>
> Dear Sir or Madam,
>
> CERT-Bund has received information from trusted external sources
> about IP addresses in Germany behind which, with very high
> probability, there are systems infected with malware.
>
> Below we send you a list of affected IP addresses
> in your network range. In addition to the IP address, timestamp (UTC) and name
> of the malware family, each record gives (as far as we have this data)
> the source port, destination IP address, destination port, destination hostname and protocol
> of the connection that was presumably triggered by the malware
> in order to contact a command-and-control server of the perpetrators.
>
> Most of the malware families reported here have functions
> for identity theft (spying out usernames and passwords)
> and/or for manipulating communication during online banking.
>
> Profiles with detailed information on many malware families
> can be found at:
> <[2] https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html>
>
> We would like to ask you to check the matter promptly and to initiate measures
> to clean up the systems or to inform your affected customers
> accordingly.
>
> Further information on this notification can be found at:
>
>
> This e-mail is digitally signed using PGP.
> Information on the key used can be found at:
>
>
> Please note:
> This is an automatically generated message. Replies to the
> sender address will NOT be read
> and are automatically discarded. In case of questions, please contact
> , keeping the ticket number [CB-Report#...] in the
> subject line.
>
> !! Please first read our HOWTOs and FAQ, which are available at
> !! .
>
> ======================================================================
>
> Dear Sir or Madam,
>
> from trusted external sources, CERT-Bund received information on IP addresses
> geolocated in Germany which are most likely hosting one or more systems
> infected with malware.
>
> Please find below a list of affected IP addresses on your network.
> Each record includes a timestamp (UTC) and the name of the related malware family.
> If available, the record also includes the source port, destination IP,
> destination port and destination hostname for the connection most likely triggered
> by the malware to connect to a command-and-control server.
>
> Most of the malware families reported here include functions for identity theft
> (harvesting of usernames and passwords) and/or online-banking fraud.
>
> Detailed information on many malware families is available here:
> <[8] https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze_node.html>
>
> We would like to ask you to check the issues reported and to take appropriate steps
> to get the infected hosts cleaned up or notify your customers accordingly.
>
> Additional information on this notification is available at:
>
>
> This message is digitally signed using PGP.
> Information on the signature key is available at:
>
>
> Please note:
> This is an automatically generated message. Replies to the
> sender address will NOT be read
> but silently be discarded. In case of questions, please contact
> and keep the ticket number [CB-Report#...]
> of this message in the subject line.
>
> !! Please make sure to consult our HOWTOs and FAQ available at
> !! first.
>
> ============================================================================
> Please let us know at if you would like to receive the data on
> affected systems as a file attachment instead of inline in future.
>
> Please let us know at if you would like to receive
> the data on affected systems as a file attachment instead of inline.
> ============================================================================
>
> Affected systems in your network range:
> Affected hosts on your networks:
>
> "asn","ip","timestamp","malware","src_port","dst_ip","dst_port","dst_host","proto"
> "201701","185.66.195.80","2025-09-24 22:48:19","android.badboxloader","40269","34.229.166.50","8899","[16] ardai.duoproxys.com","tcp"
> "201701","185.66.193.115","2025-09-24 13:10:38","android.vo1d","36233","3.250.92.156","55530","","tcp"
> "201701","185.66.193.27","2025-09-24 09:45:45","zeus","1154","3.229.117.57","80","[17] setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com","tcp"
> "201701","185.66.195.4","2025-09-24 13:07:16","android.vo1d","37690","3.250.92.156","55530","","tcp"
> "201701","185.66.193.44","2025-09-24 13:40:36","nymaim","64667","216.218.185.162","80","[18] efsxhz.org","tcp"
> "201701","185.66.193.43","2025-09-24 00:25:47","android.badbox2","60556","5.79.71.225","443","","tcp"
> "201701","185.66.195.90","2025-09-24 01:47:09","android.badbox2","47828","178.162.203.211","443","","tcp"
> "201701","185.66.193.85","2025-09-24 12:26:42","android.badbox2","45772","178.162.203.202","443","","tcp"
> "201701","185.66.195.4","2025-09-24 13:08:27","android.vo1d2","42577","5.79.71.225","55530","","tcp"
> "201701","185.66.195.80","2025-09-24 00:03:11","android.badbox2","41543","5.79.71.205","80","[19] ycxrl.com","tcp"
> "201701","185.66.194.17","2025-09-24 00:07:47","android.badbox2","38928","178.162.203.202","80","[20] apotube.com","tcp"
> "201701","185.66.193.61","2025-09-24 00:12:31","android.badbox2","35600","178.162.203.226","80","[21] ycxrl.com","tcp"
> "201701","185.66.195.94","2025-09-24 09:01:24","android.badbox2","48167","85.17.31.82","80","[22] dcylog.com","tcp"
> "201701","185.66.193.106","2025-09-24 09:16:21","android.badbox2","43908","178.162.203.226","80","[23] sc.dqmop.com","tcp"
> "201701","185.66.193.48","2025-09-24 10:04:33","android.badbox2","60512","5.79.71.225","80","[24] ycxrl.com","tcp"
> "201701","185.66.193.121","2025-09-24 15:52:28","android.badbox2","48294","5.79.71.225","80","[25] apotube.com","tcp"
> "201701","185.66.193.114","2025-09-24 19:54:45","android.badbox2","59860","5.79.71.225","80","[26] ycxrl.com","tcp"
> "201701","2a03:2260:2009::","2025-09-24 00:40:40","android.badbox2","42886","2001:470:1:332::fe","80","[27] ycxrl.com","tcp"
> "201701","2a03:2260:100c:20c:4103:a5fa:32b1:7356","2025-09-24 02:34:10","android.badbox2","48994","2001:470:1:332::fe","80","[28] apotube.com","tcp"
> "201701","2a03:2260:3017:500:8928:3566:6924:a5e","2025-09-24 03:49:22","android.badbox2","41220","2001:470:1:332::fe","80","[29] ycxrl.com","tcp"
> "201701","2a03:2260:2342:400:ec17:708b:6dec:b16d","2025-09-24 09:47:19","android.badbox2","53110","2001:470:1:332::fe","80","[30] dcylog.com","tcp"
> "201701","2a03:2260:115:6100:5416:8483:b69a:89f8","2025-09-24 08:52:11","android.badbox2","40362","2001:470:1:332::ef","80","[31] ycxrl.com","tcp"
>
> Kind regards
> Team CERT-Bund
>
> Bundesamt für Sicherheit in der Informationstechnik
> Federal Office for Information Security (BSI)
> CERT-Bund
> Godesberger Allee 87, 53175 Bonn, Germany

[1] https://freifunk-rheinland.net
[2] https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/
[3] https://reports.cert-bund.de/schadprogramme
[4] https://reports.cert-bund.de/digitale-signatur
[5] mailto:reports at reports.cert-bund.de
[6] mailto:certbund at bsi.bund.de
[7] https://reports.cert-bund.de/
[8] https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/
[9] https://reports.cert-bund.de/en/malware
[10] https://reports.cert-bund.de/en/digital-signature
[11] mailto:reports at reports.cert-bund.de
[12] mailto:certbund at bsi.bund.de
[13] https://reports.cert-bund.de/en/
[14] mailto:certbund at bsi.bund.de
[15] mailto:certbund at bsi.bund.de
[16] http://ardai.duoproxys.com
[17] http://setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com
[18] http://efsxhz.org
[19] http://ycxrl.com
[20] http://apotube.com
[21] http://ycxrl.com
[22] http://dcylog.com
[23] http://sc.dqmop.com
[24] http://ycxrl.com
[25] http://apotube.com
[26] http://ycxrl.com
[27] http://ycxrl.com
[28] http://apotube.com
[29] http://ycxrl.com
[30] http://dcylog.com
[31] http://ycxrl.com
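The record format described in the forwarded notification (asn, ip, timestamp in UTC, malware family, and where available source port, destination IP, destination port, destination hostname and protocol), parsed and summarised the way an abuse desk would triage it before deciding whom to notify. This is an added example, not code from CERT-Bund, Freifunk Rheinland or the report itself. The sample records are copied from the list above; the operator prefixes are assumed for illustration and constructed from the addresses in the report; the parser also removes the "[16]"-style footnote markers that the mailing-list archive inserted into the dst_host column.

```python
"""Triage helper for a CERT-Bund malware-infection notification (added example).

Parses the inline CSV block, normalises each field, then groups the hits by
operator prefix and by malware family so the abuse desk can see which network
segment each record belongs to and how many distinct hosts each family affects.
"""
import csv
import io
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Five records copied from the list in the report above, header included.
# The archive rewrote hostnames as "[16] host"; the sample keeps those markers
# so that the parser's clean-up is exercised.
SAMPLE_REPORT = """\
"asn","ip","timestamp","malware","src_port","dst_ip","dst_port","dst_host","proto"
"201701","185.66.195.80","2025-09-24 22:48:19","android.badboxloader","40269","34.229.166.50","8899","[16] ardai.duoproxys.com","tcp"
"201701","185.66.193.27","2025-09-24 09:45:45","zeus","1154","3.229.117.57","80","[17] setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com","tcp"
"201701","185.66.195.4","2025-09-24 13:07:16","android.vo1d","37690","3.250.92.156","55530","","tcp"
"201701","185.66.195.4","2025-09-24 13:08:27","android.vo1d2","42577","5.79.71.225","55530","","tcp"
"201701","2a03:2260:2009::","2025-09-24 00:40:40","android.badbox2","42886","2001:470:1:332::fe","80","[27] ycxrl.com","tcp"
"""

# Assumed operator prefixes, constructed from the report's addresses for this
# example only; a real deployment would load its own allocations.
OPERATOR_PREFIXES = ["185.66.193.0/24", "185.66.195.0/24", "2a03:2260::/32"]

EXPECTED_COLUMNS = ["asn", "ip", "timestamp", "malware", "src_port",
                    "dst_ip", "dst_port", "dst_host", "proto"]
FOOTNOTE_MARKER = re.compile(r"^\[\d+\]\s*")


def _port(value):
    """Ports are optional in the report; an empty field becomes None."""
    if value == "":
        return None
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def parse_report(text):
    """Return a list of normalised records from the inline CSV block."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    records = []
    for row in reader:
        # Timestamps in the report are UTC without a zone designator.
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        records.append({
            "asn": int(row["asn"]),
            "ip": ipaddress.ip_address(row["ip"]),
            "timestamp": ts.replace(tzinfo=timezone.utc),
            "malware": row["malware"],
            "src_port": _port(row["src_port"]),
            "dst_ip": ipaddress.ip_address(row["dst_ip"]) if row["dst_ip"] else None,
            "dst_port": _port(row["dst_port"]),
            # Strip the archive's "[16] " footnote marker from the hostname.
            "dst_host": FOOTNOTE_MARKER.sub("", row["dst_host"]),
            "proto": row["proto"].lower(),
        })
    return records


def group_by_prefix(records, prefixes):
    """Map each record to the first prefix that contains its IP address."""
    networks = [ipaddress.ip_network(p) for p in prefixes]
    groups = defaultdict(list)
    for rec in records:
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        owner = next((str(n) for n in networks if rec["ip"] in n), "unassigned")
        groups[owner].append(rec)
    return dict(groups)


def summarize(records):
    """Counts an abuse desk wants first: records, hosts, families, hosts per family."""
    families = Counter(rec["malware"] for rec in records)
    hosts_per_family = defaultdict(set)
    for rec in records:
        hosts_per_family[rec["malware"]].add(rec["ip"])
    return {
        "records": len(records),
        "distinct_hosts": len({rec["ip"] for rec in records}),
        "families": dict(families),
        "hosts_per_family": {k: len(v) for k, v in hosts_per_family.items()},
    }


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(summarize(recs))
    for prefix, hits in group_by_prefix(recs, OPERATOR_PREFIXES).items():
        print(prefix, [(str(r["ip"]), r["malware"]) for r in hits])
```

The same address can appear under several families (185.66.195.4 is listed for both android.vo1d and android.vo1d2 above), which is why the summary counts distinct hosts rather than records; on a network where exit IPs are shared, the timestamp plus source port are what a NAT or session log would be matched against to narrow a hit down to a client.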
-------------- next part --------------
An attachment with HTML data was scrubbed...
URL: <https://lists.hacksaar.de/pipermail/freifunk-public/attachments/20250925/0398ae49/attachment.htm>
-------------- next part --------------
An attachment with binary data was scrubbed...
Filename    : file
Type        : application/pgp-signature
Size        : 908 bytes
Description : not available
URL         : <https://lists.hacksaar.de/pipermail/freifunk-public/attachments/20250925/0398ae49/attachment.sig>