To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Snort alerts show four machines on campus connecting to all of these IPs for IRC:

66.45.234.200
62.132.1.219
66.29.10.155
63.243.152.31

The five destination ports range from: 6666-7000

Each machine keeps the same NICK every time:

NICK [Niger]-029
NICK [Niger]-015
NICK [Niger]-017
NICK [N]-487

I have one IRC JOIN alert:

JOIN #ISOCORE
JOIN #BOTLESS Leetz-R-Uz

I have one IRC message alert. Here is the payload:

:[EMAIL PROTECTED] PRIVMSG [Niger]-015 :.VERSION.

DNS queries for one of the machines showed it querying these two hostnames around the same time as its Snort IRC alerts, and some of these IPs match the ones above:

IP 128.252.42.76.2713 > 128.252.43.226.53: 1372+ A? irc.darkdreamz.com. (36)
IP 128.252.43.226.53 > 128.252.42.76.2713: 1372 8/4/4 A 69.50.188.94, A 82.165.190.181, A 82.165.238.210, A 83.149.98.69, A 62.132.1.219, A 66.29.10.155, A 66.45.234.200, A 69.22.163.105 (312)
IP 128.252.42.76.2712 > 128.252.43.226.53: 1415+ A? irc.isocore.biz. (33)
IP 128.252.43.226.53 > 128.252.42.76.2712: 1415 8/4/4 A 66.45.234.200, A 66.111.228.230, A 66.207.105.27, A 69.22.163.105, A 69.50.188.94, A 206.53.61.158, A 62.132.1.219, A 64.34.45.114 (309)

A Google search on these two hostnames, irc.darkdreamz.com and irc.isocore.biz, only turned up a few hits, but they seemed to be related to filesharing.

How can I tell if this is a few students trying to get music, games, etc. or if these are bots connecting to a C&C?

Thanks,
-Brian

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
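One way to turn the evidence in the post into a repeatable triage check, as an added example that is not part of Brian's message or of anything the list replied. The Python below is my own; it embeds the NICK, JOIN, PRIVMSG and DNS values quoted above as constructed sample input. The assignment of nicks to campus source addresses is a hypothetical assumption (the post does not say which host used which nick, and the second and later 128.252.42.x addresses are invented), the IRC prefix in the PRIVMSG line is a placeholder for the redacted one, and I read the dots around VERSION as Snort's rendering of the non-printable 0x01 bytes that delimit a CTCP request, which is an interpretation rather than something the alert states. The scoring heuristic is mine: several hosts whose nicks follow one generated template (bracketed tag plus a number) and whose IRC servers resolve to an overlapping pool of addresses look like bots drawing nicks from a template, whereas a student picks a nick by hand and does not collide with three other machines on the same pattern.

```python
import re
from collections import defaultdict

# Constructed sample input built from the payloads quoted in the post.
# Source hosts other than 128.252.42.76 and the nick-to-host mapping are assumptions.
SAMPLE_IRC = [
    ("128.252.42.76", "NICK [Niger]-029"),
    ("128.252.42.77", "NICK [Niger]-015"),
    ("128.252.42.78", "NICK [Niger]-017"),
    ("128.252.42.79", "NICK [N]-487"),
    ("128.252.42.76", "JOIN #ISOCORE"),
    ("128.252.42.77", "JOIN #BOTLESS Leetz-R-Uz"),
    # Placeholder prefix; the real one was redacted. '.VERSION.' is how Snort prints \x01VERSION\x01.
    ("128.252.42.77", ":op!op@host.invalid PRIVMSG [Niger]-015 :.VERSION."),
]

# A records from the two DNS answers in the post, keyed by the queried hostname.
SAMPLE_DNS = {
    "irc.darkdreamz.com": ["69.50.188.94", "82.165.190.181", "82.165.238.210", "83.149.98.69",
                           "62.132.1.219", "66.29.10.155", "66.45.234.200", "69.22.163.105"],
    "irc.isocore.biz": ["66.45.234.200", "66.111.228.230", "66.207.105.27", "69.22.163.105",
                        "69.50.188.94", "206.53.61.158", "62.132.1.219", "64.34.45.114"],
}

# Destination IPs from the Snort IRC alerts.
SNORT_DST = {"66.45.234.200", "62.132.1.219", "66.29.10.155", "63.243.152.31"}

NICK_RE = re.compile(r"^NICK\s+(\S+)")
JOIN_RE = re.compile(r"^JOIN\s+(#\S+)")
# CTCP requests are wrapped in 0x01 bytes; an ASCII payload dump shows them as '.'.
CTCP_VERSION_RE = re.compile(r"PRIVMSG\s+(\S+)\s+:(?:\x01|\.)VERSION(?:\x01|\.)")
# Generated-looking nick: a bracketed tag, a dash, then digits, e.g. [Niger]-029.
GENERATED_NICK_RE = re.compile(r"^\[[^\]]+\]-\d+$")


def nick_template(nick):
    """Collapse digit runs so [Niger]-029 and [Niger]-015 map to one template."""
    return re.sub(r"\d+", "###", nick)


def group_by_template(events):
    """Map each generated nick template to the set of source hosts that used it."""
    groups = defaultdict(set)
    for host, payload in events:
        m = NICK_RE.match(payload)
        if m and GENERATED_NICK_RE.match(m.group(1)):
            groups[nick_template(m.group(1))].add(host)
    return dict(groups)


def ctcp_version_targets(events):
    """Nicks that received a CTCP VERSION request (operator fingerprinting clients)."""
    return [m.group(1) for _, p in events if (m := CTCP_VERSION_RE.search(p))]


def dns_overlap(dns):
    """Addresses returned for every queried hostname: the shared server pool."""
    pools = [set(v) for v in dns.values()]
    return set.intersection(*pools) if pools else set()


def unresolved_destinations(snort_dst, dns):
    """Alert destinations that none of the observed DNS answers explain."""
    resolved = set().union(*dns.values())
    return set(snort_dst) - resolved


def assess(events, dns, snort_dst):
    """Collect the indicators and apply the (assumed) bot-vs-human heuristic."""
    groups = group_by_template(events)
    shared = {t: len(h) for t, h in groups.items() if len(h) >= 2}
    channels = sorted({m.group(1) for _, p in events if (m := JOIN_RE.match(p))})
    result = {
        "shared_nick_templates": shared,
        "channels": channels,
        "ctcp_version_targets": ctcp_version_targets(events),
        "shared_cnc_ips": dns_overlap(dns),
        "unresolved_destinations": unresolved_destinations(snort_dst, dns),
    }
    # Heuristic: two or more hosts on one generated nick template, all pointed at
    # an overlapping server pool, is bot behaviour; otherwise stay inconclusive.
    result["verdict"] = "bot-like" if shared and result["shared_cnc_ips"] else "inconclusive"
    return result


if __name__ == "__main__":
    for key, value in assess(SAMPLE_IRC, SAMPLE_DNS, SNORT_DST).items():
        print(f"{key}: {value}")
```

The unresolved-destination check is the part worth acting on first: an alert destination that no observed DNS answer explains (here 63.243.152.31) means either a lookup the capture missed or a hard-coded address, and the latter is more typical of a bot binary than of an IRC client a student configured by hostname.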
