To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Using Snort over the weekend I observed a number of the machines on our campus making IRC connections to the following IPs, all to port 7000:


A brief review of the DNS query logs showed that the machines were looking up hostnames in the cyworld.nate.com domain, which is owned by a group in Korea. Here is a sample:

IP 128.252.xx.xx.1222   > 128.252.120.1.53      :11648+           A? cyimg.cyworld.nate.com. (40)

IP 128.252.120.1.53     > 128.252.xx.xx.1222    :11648      1/2/2 A 211.115.10.219 (124)


IP 128.252.xx.xx.1222   > 128.252.120.1.53      :15802+           A? minihp.cyworld.nate.com. (41)

IP 128.252.120.1.53     > 128.252.xx.xx.1222    :15802      7/2/2 A 211.115.10.215, A 211.115.11.22, A 211.115.11.221, A 211.115.11.245, A 211.115.11.249, A 211.115.11.252, A 211.115.10.199 (221)


Here is the payload of one IRC NICK CHANGE alert; the others are all similar, with slight variations:


128.252.xx.xx > 211.115.10.201 port 7000

MODE ISIRCX
IRCX
NICK NI3141134527196407497
USER 41134527CY 41134527CY 41134527CY 41134527CY

There were only four IRC MESSAGE alerts:


211.115.11.42 > 128.252.xx.xx
:'[EMAIL PROTECTED] PRIVMSG #51255902 :&h0080FF.... ...... ..........
^^

211.115.11.42 > 128.252.xx.xx
:'[EMAIL PROTECTED] PRIVMSG #51255902 :&hEF5600........ ......~~ ^_^

211.115.11.42 > 128.252.xx.xx
:'[EMAIL PROTECTED] PRIVMSG #51255902 :&h4E00B7........

211.115.11.42 > 128.252.xx.xx
:'[EMAIL PROTECTED] PRIVMSG #51255902 :&h0080FF.... ...... ..........
^^


I have no idea what these IRC messages mean, and I don’t know what the IPs mean right before PRIVMSG. #51255902 looks like a channel, but for some reason it didn’t trigger the bleedingsnort channel signature.

This is all the info I have at this time.  Let me know if there are any questions, comments, or suggestions.

Thanks,

-Brian
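The session pattern quoted above (IRCX handshake, a NICK of the form NI followed by a long run of digits, four identical USER fields ending in CY, and colour-coded PRIVMSGs into an all-numeric channel) is specific enough to check for in a log pipeline. The following is an added example, not part of Brian's post or of any Snort/bleedingsnort rule; the sample session is constructed to match the quoted format and the nick!user@host prefix is a placeholder.

```python
import re

# Constructed sample modelled on the lines quoted in the post; not captured traffic.
SAMPLE_SESSION = """\
MODE ISIRCX
IRCX
NICK NI3141134527196407497
USER 41134527CY 41134527CY 41134527CY 41134527CY
:nick!user@host PRIVMSG #51255902 :&h0080FF.... ...... ..........
:nick!user@host PRIVMSG #51255902 :&hEF5600........ ......~~ ^_^
"""

NICK_RE = re.compile(r"^NICK\s+(NI\d{10,})\s*$")          # NI + long digit run
USER_RE = re.compile(r"^USER\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
PRIVMSG_RE = re.compile(r"^:(\S+)\s+PRIVMSG\s+(#\d+)\s+:(.*)$")  # numeric channel
COLOUR_RE = re.compile(r"^&h[0-9A-Fa-f]{6}")              # &hRRGGBB colour prefix


def analyse_irc_session(text):
    """Return (indicator, detail) pairs for each pattern seen in the session text."""
    findings = []
    for line in text.splitlines():
        line = line.rstrip("\r")
        if line.startswith("MODE ISIRCX") or line == "IRCX":
            findings.append(("ircx_handshake", line))
        m = NICK_RE.match(line)
        if m:
            findings.append(("numeric_nick", m.group(1)))
        m = USER_RE.match(line)
        if m:
            fields = m.groups()
            # All four USER fields identical and ending in CY, as in the quoted payload
            if len(set(fields)) == 1 and fields[0].endswith("CY"):
                findings.append(("repeated_cy_user", fields[0]))
        m = PRIVMSG_RE.match(line)
        if m and COLOUR_RE.match(m.group(3)):
            findings.append(("numeric_channel_colour_msg", m.group(2)))
    return findings


def is_suspicious(text):
    """True when both the nick and USER registration patterns are present."""
    kinds = {kind for kind, _ in analyse_irc_session(text)}
    return {"numeric_nick", "repeated_cy_user"} <= kinds
```

Feed it the reassembled client-to-server stream for each port-7000 flow; a match on the registration pattern alone is enough to flag the host for a closer look, while the PRIVMSG indicator helps confirm the channel.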


_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets