To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------
Hey all,
I originally sent this to irc-security, however it's also relevant to botnets. I'm not sure if you'll have any joy with this though since all the channels are +u (explained below).
No response from Cox after repeated complaints, anyone have any contacts at Cox?
Firstly, apologies for the length of this post. It's a collation of everything I could glean from my logs about these guys. They've been making persistent threats of DDoS attacks against servers and they've made good on their threats - we've been hit several times. It's the usual 'unban me or I'll packet you' scenario; still, you might want to keep an eye out.

All times are GMT, clock is synced. Some of the lines might wrap.

We discovered one of their [probable] botnets at ip68-12-66-97.ok.ok.cox.net:6667
NetRange: 68.0.0.0 - 68.15.255.255
CIDR: 68.0.0.0/12
NetName: COX-ATLANTA
NetHandle: NET-68-0-0-0-1
Parent: NET-68-0-0-0-0

[OTHER (whois.radb.net) whois information for 68.12.66.97 ]
[whois.radb.net]
route: 68.12.0.0/16
descr: Residential OK RDC Block
origin: AS22773

The 'belmonts' ident that crops up sometimes may be a coincidence, or they may be part of the Belmont Group too (see recent post: "Threats of Attacks on one of our servers"), who knows..
* kill-9 ([EMAIL PROTECTED])
* who-ha ([EMAIL PROTECTED]) [spoofed]

However, all the channels are +u, so there is no way of seeing any non-opped users. The only way of getting further info AFAICS is tcpdump or the like.
[2006-03-15]
16:00 -!- Channel Users Name
16:00 -!- #nader 4 [+smntu]
16:00 -!- #lobby 5 [+smntu]
16:00 -!- End of /LIST

11:55 -!- #nader who-ha H* 0 [EMAIL PROTECTED] [Animal]
11:55 -!- #nader kill-9 H* 0 [EMAIL PROTECTED] [stfu]
16:00 -!- #lobby who-ha H*@ 0 [EMAIL PROTECTED] [Animal]
16:00 -!- #lobby afk H@ 0 [EMAIL PROTECTED] [g0d]
11:47 -!- who-ha [EMAIL PROTECTED]
11:47 -!- ircname : Animal
11:47 -!- channels : @#nader
11:47 -!- server : Ralph-Nader.Gov [We're perfectly legit!]
11:47 -!- : Network Administrator
11:47 -!- : is available for help
11:47 -!- : Is The Network Owner
11:47 -!- idle : 0 days 0 hours 10 mins 45 secs [signon: Wed Mar 15 11:19:36 2006]
11:47 -!- End of WHOIS

11:47 -!- kill-9 [EMAIL PROTECTED]
11:47 -!- ircname : stfu
11:47 -!- channels : @#nader
11:47 -!- server : Ralph-Nader.Gov [We're perfectly legit!]
11:47 -!- : Network Administrator
11:47 -!- : is available for help
11:47 -!- : Is The Network Owner
11:47 -!- idle : 0 days 0 hours 25 mins 12 secs [signon: Wed Mar 15 11:14:37 2006]
11:47 -!- End of WHOIS

12:06 -!- afk [EMAIL PROTECTED]
12:06 -!- ircname : g0d
12:06 -!- channels : @#lobby
12:06 -!- server : Ralph-Nader.Gov [We're perfectly legit!]
12:06 -!- idle : 0 days 0 hours 53 mins 12 secs [signon: Wed Mar 15 11:13:23 2006]
12:06 -!- End of WHOIS

[2006-03-15]
11:55 -!- Current Local Users: 295 Max: 856
11:55 -!- Current Global Users: 295 Max: 297
12:22 -!- There are 1 users and 337 invisible on 1 servers
12:22 -!- 3 operator(s) online
12:22 -!- 3 unknown connection(s)
12:22 -!- 10 channels formed
12:22 -!- I have 338 clients and 0 servers
12:22 -!- Current Local Users: 338 Max: 856
12:22 -!- Current Global Users: 338 Max: 343
14:59 -!- There are 0 users and 336 invisible on 1 servers
14:59 -!- 3 operator(s) online
14:59 -!- 2 unknown connection(s)
14:59 -!- 11 channels formed
14:59 -!- I have 336 clients and 0 servers
14:59 -!- Current Local Users: 336 Max: 856
14:59 -!- Current Global Users: 336 Max: 437
16:01 -!- There are 0 users and 227 invisible on 1 servers
16:01 -!- 3 operator(s) online
16:01 -!- 10 channels formed
16:01 -!- I have 227 clients and 0 servers
16:01 -!- Current Local Users: 227 Max: 856
16:01 -!- Current Global Users: 227 Max: 437
17:34 -!- There are 0 users and 146 invisible on 1 servers
17:34 -!- 2 operator(s) online
17:34 -!- 10 channels formed
17:34 -!- I have 146 clients and 0 servers
17:34 -!- Current Local Users: 146 Max: 856
17:34 -!- Current Global Users: 146 Max: 437

Previous activity:

[2006-03-10] (After attacking one of our servers.)
00:35 < inval|d> The attacks will stop when they are unbanned, that simple.
[..]
00:40 < inval|d> How long will it take for them to be unbanned?

[2006-03-09]
21:49 -!- sdgtgyegmww [EMAIL PROTECTED] has joined #slackers
21:49 -!- sdgtgyegmww [EMAIL PROTECTED] has quit [Killed (r.slacked.org ([rand] Possible automated drone detected. Visit http://r.slacked.org/b.php?id=2006309164917-1001 for further information. [ID#: 2006309164917-1001]))]
21:49 -!- ctuxtugabch [EMAIL PROTECTED] has joined #slackers
21:49 -!- hllxgqeekojw [EMAIL PROTECTED] has joined #slackers
21:49 -!- tfffpuwtzzsw [EMAIL PROTECTED] has joined #slackers
21:49 -!- kpuommlsipn [EMAIL PROTECTED] has joined #slackers
21:49 -!- rpzwnlughd [EMAIL PROTECTED] has joined #slackers
21:49 -!- jvtewvtrdksu [EMAIL PROTECTED] has joined #slackers
21:49 -!- bhmucfwmufqm [EMAIL PROTECTED] has joined #slackers
21:49 -!- lhprextdos [EMAIL PROTECTED] has joined #slackers
21:49 -!- rpzwnlughd [EMAIL PROTECTED] has quit [Killed (r.slacked.org ([rand] Possible automated drone detected. Visit http://r.slacked.org/b.php?id=2006309164919-1005 for further information. [ID#: 2006309164919-1005]))]
21:49 -!- hllxgqeekojw [EMAIL PROTECTED] has quit [Connection reset by peer]
21:49 -!- ctuxtugabch [EMAIL PROTECTED] has quit [Connection reset by peer]
21:49 -!- kpuommlsipn [EMAIL PROTECTED] has quit [Connection reset by peer]
21:49 -!- bhmucfwmufqm [EMAIL PROTECTED] has quit [Connection reset by peer]
21:49 -!- nokxzyfdcsr [EMAIL PROTECTED] has joined #slackers
21:49 -!- tfffpuwtzzsw [EMAIL PROTECTED] has quit [Connection reset by peer]
21:49 -!- jvtewvtrdksu [EMAIL PROTECTED] has quit [Connection reset by peer]
21:49 -!- nokxzyfdcsr [EMAIL PROTECTED] has quit [Connection reset by peer]
21:49 -!- lhprextdos [EMAIL PROTECTED] has quit [Connection reset by peer]
21:52 < BCTTETTHLJ> kill-9 <3z you
21:52 < CQXNLDATXX> kill-9 <3z you
21:52 < SULALWUMPR> kill-9 <3z you
21:52 < PSFGMOJDXO> kill-9 <3z you
21:52 < VSUJOKCUEO> kill-9 <3z you
21:52 < PCRKODENFO> kill-9 <3z you
21:52 < PSFGMOJDXO> kill-9 <3z you
21:52 < VSUJOKCUEO> kill-9 <3z you
21:52 < BCTTETTHLJ> kill-9 <3z you
21:52 < CQXNLDATXX> kill-9 <3z you
21:52 < PCRKODENFO> kill-9 <3z you
21:52 < SULALWUMPR> kill-9 <3z you
21:52 < PSFGMOJDXO> kill-9 <3z you
21:52 < VSUJOKCUEO> kill-9 <3z you
21:52 < PCRKODENFO> kill-9 <3z you
21:52 < BCTTETTHLJ> kill-9 <3z you
21:52 < CQXNLDATXX> kill-9 <3z you
21:52 < SULALWUMPR> kill-9 <3z you
21:52 < PSFGMOJDXO> kill-9 <3z you
21:52 < VSUJOKCUEO> kill-9 <3z you
21:52 < PCRKODENFO> kill-9 <3z you
21:52 < BCTTETTHLJ> kill-9 <3z you
21:52 < CQXNLDATXX> kill-9 <3z you
[...]
(21:55:47) (XKBOLHUUXF) The IRC Mafia is unstoppable

[2006-02-20]
20:54 < who-ha> I'll start dropping servers.
20:55 < who-ha> I'll have 20 edu lines hitting you.

[2006-02-09]
10:46 < who-ha> I think I sunk that tor proxy
10:46 < who-ha> =x
10:46 < who-ha> With only 200 bots

[2006-02-06]
00:51 < who-ha> Yah.
00:51 < who-ha> And the smart ones proxy.
00:51 < who-ha> And the feared ones don't have to worry about shit
00:51 < who-ha> :D
00:51 < who-ha> Cos we're leet.
00:51 < who-ha> =o
00:51 < who-ha> Survival of the fatest botnet

[2006-02-05]
04:10 < who-ha> I can if I want.
04:10 < who-ha> I have enough to sink that 100meg line
04:10 < who-ha> ;/
04:10 < who-ha> If not, lag it to hell.

Previously seen hosts:

* afk ([EMAIL PROTECTED]) - afk
* kill-9 ([EMAIL PROTECTED])
* kill-9 ([EMAIL PROTECTED]) - heh
* kill-9 ([EMAIL PROTECTED])
* kill-9 ([EMAIL PROTECTED]) [TOR node]
208.40.218.131:
131.218.40.208.in-addr.arpa. 10134 IN PTR 208-40-218-131.customer.appscorp.net.
NetRange: 208.40.208.0 - 208.40.223.255
CIDR: 208.40.208.0/20
NetName: APPSCOMM-NET1
NetHandle: NET-208-40-208-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation

* kill-9 ([EMAIL PROTECTED]) - stfu
* nader ([EMAIL PROTECTED]) - stfu
;; ANSWER SECTION:
164.114.90.66.in-addr.arpa. 28776 IN PTR unix.m-a-f-i-a.com.
;; AUTHORITY SECTION:
114.90.66.in-addr.arpa. 28776 IN NS ns3.fdcservers.net.
114.90.66.in-addr.arpa. 28776 IN NS ns4.fdcservers.net.
NetRange: 66.90.64.0 - 66.90.127.255
CIDR: 66.90.64.0/18
NetName: FDCSERVERS

* who-ha ([EMAIL PROTECTED]) - <3 Samantha
* who-ha ([EMAIL PROTECTED]) - Animal
* who-ha ([EMAIL PROTECTED]) - who-ha
* who-ha ([EMAIL PROTECTED]) [JUSTEDGE]
* who-ha ([EMAIL PROTECTED]) - who-ha
* who-ha ([EMAIL PROTECTED]) - who-ha
;; ANSWER SECTION:
136.149.18.64.in-addr.arpa. 3600 IN PTR how.leet.could.who-ha.be.
;; AUTHORITY SECTION:
136.149.18.64.in-addr.arpa. 86385 IN NS ns2.rpgdomain.net.
136.149.18.64.in-addr.arpa. 86385 IN NS ns1.rpgdomain.net.
NetRange: 64.18.128.0 - 64.18.159.255
CIDR: 64.18.128.0/19
NetName: JE-BLK-2
NetHandle: NET-64-18-128-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.JUSTEDGE.NET
NameServer: NS2.JUSTEDGE.NET

[SHARKTECH/LUNARSHELLS]
* who-ha ([EMAIL PROTECTED])
* who-ha ([EMAIL PROTECTED])
* who-ha ([EMAIL PROTECTED])
* who-ha ([EMAIL PROTECTED])
NetRange: 208.98.0.0 - 208.98.63.255
CIDR: 208.98.0.0/18
NetName: SHARKTECH
NetHandle: NET-208-98-0-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
NameServer: RDNS1.SHARKTECH.NET
NameServer: RDNS2.SHARKTECH.NET
Comment:
RegDate: 2006-01-23
Updated: 2006-01-30
;; ANSWER SECTION:
stfu.or.i.will.hackyou.info. 8384 IN A 208.98.12.136
;; AUTHORITY SECTION:
hackyou.info. 8384 IN NS ns1.lunarshells.com.
hackyou.info. 8384 IN NS ns2.lunarshells.com.
hackyou.info. 8384 IN NS ns3.lunarshells.com.
;; ANSWER SECTION:
you.think.your.blowup-doll.is.sexxy.biz. 8212 IN A 208.98.12.118
;; AUTHORITY SECTION:
sexxy.biz. 8212 IN NS ns2.lunarshells.com.
sexxy.biz. 8212 IN NS ns3.lunarshells.com.
sexxy.biz. 8212 IN NS ns1.lunarshells.com.
;; ANSWER SECTION:
all.noobs.fearme.us. 8400 IN A 208.98.12.165
;; AUTHORITY SECTION:
fearme.us. 8400 IN NS ns3.lunarshells.com.
fearme.us. 8400 IN NS ns1.lunarshells.com.
fearme.us. 8400 IN NS ns2.lunarshells.com.

* inval|d ([EMAIL PROTECTED])
* inval|d ([EMAIL PROTECTED]) [SOCKS4 proxy]
* desi ([EMAIL PROTECTED])
* inval|d ([EMAIL PROTECTED])
65.88.158.7:
7.158.88.65.in-addr.arpa. 3591 IN PTR node7-158-88-65.1dial.com.
NetRange: 65.88.0.0 - 65.91.255.255
CIDR: 65.88.0.0/14
NetName: BROADWING-2BLK
NetHandle: NET-65-88-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation

-j
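The drone join flood in the 2006-03-09 log above (a burst of random-looking nicks joining #slackers in one minute and dropping off again, which the server's [rand] filter killed) is the kind of pattern a channel operator can flag from irssi-style logs. Below is an added example, not code from the post or from r.slacked.org: it parses join/quit lines, scores nicks for the consonant-heavy shape of generated names, and reports per-minute, per-channel bursts; the sample log is constructed from the post's nicks with invented user@host values.

```python
import re
from collections import defaultdict

JOIN_RE = re.compile(r'^(\d\d:\d\d) -!- (\S+) \[[^\]]*\] has joined (#\S+)')
QUIT_RE = re.compile(r'^(\d\d:\d\d) -!- (\S+) \[[^\]]*\] has quit')
VOWELS = set("aeiou")

def looks_random(nick):
    """Drone-style nick: long, letters only, vowel-poor or a long consonant run."""
    n = nick.lower()
    if len(n) < 8 or not n.isalpha():
        return False
    vowel_frac = sum(c in VOWELS for c in n) / len(n)
    run = best = 0
    for c in n:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return best >= 4 or vowel_frac < 0.25

def find_join_bursts(lines, min_joins=5, min_random=0.5):
    """Group joins by (minute, channel); flag large groups of random-looking nicks."""
    joins, quits = defaultdict(list), defaultdict(set)
    for line in lines:
        if m := JOIN_RE.match(line):
            joins[(m.group(1), m.group(3))].append(m.group(2))
        elif m := QUIT_RE.match(line):
            quits[m.group(1)].add(m.group(2))
    bursts = []
    for (ts, chan), nicks in joins.items():
        rnd = sum(looks_random(n) for n in nicks)
        if len(nicks) >= min_joins and rnd / len(nicks) >= min_random:
            bursts.append({"time": ts, "channel": chan, "joins": len(nicks),
                           "random_nicks": rnd,
                           "gone_same_minute": len(set(nicks) & quits[ts])})
    return bursts

# Constructed sample: nicks taken from the post, user@host values invented
SAMPLE_LOG = """\
21:49 -!- sdgtgyegmww [x@h1.example] has joined #slackers
21:49 -!- sdgtgyegmww [x@h1.example] has quit [Killed (r.slacked.org ([rand] Possible automated drone detected.))]
21:49 -!- ctuxtugabch [x@h2.example] has joined #slackers
21:49 -!- hllxgqeekojw [x@h3.example] has joined #slackers
21:49 -!- rpzwnlughd [x@h4.example] has joined #slackers
21:49 -!- jvtewvtrdksu [x@h5.example] has joined #slackers
21:49 -!- lhprextdos [x@h6.example] has joined #slackers
21:49 -!- nokxzyfdcsr [x@h7.example] has joined #slackers
21:49 -!- hllxgqeekojw [x@h3.example] has quit [Connection reset by peer]
21:49 -!- ctuxtugabch [x@h2.example] has quit [Connection reset by peer]
21:50 -!- desi [d@h8.example] has joined #slackers
""".splitlines()
```

On the sample, find_join_bursts(SAMPLE_LOG) returns one burst at 21:49 in #slackers with 7 joins, 6 random-looking nicks and 3 that were gone within the same minute; the single 21:50 join by a normal nick is not flagged.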
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
