To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

On 19/03/06, Brian Allen <[EMAIL PROTECTED]> wrote:
>
> A Google search on these two hostnames, irc.darkdreamz.com and
> irc.isocore.biz, only turned up a few hits, but they seemed to be
> related to filesharing. How can I tell if this is a few students trying
> to get music, games, etc. or if these are bots connecting to a C&C?
I sympathise - I used to look after snort at a Uni, and it is hard to tell legitimate from bad traffic. Maybe someone here can tell you about the IP addresses themselves, but this is more of a snort perspective.

Are you running the bleeding-rules for snort? The ircbot rule was pretty good, I seem to remember, although it did tend to pick up SIP traffic. Looks like it's been split up now - this is just one of the rules:

http://www.bleedingsnort.com/bleeding-all.rules

alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - channel topic scan/exploit command"; flowbits:isset,is_proto_irc; flow: to_client,established; content:"|3a|"; offset: 0; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; nocase; within: 40; tag: host,300,seconds,dst; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn1))/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002029; rev:5; )

They need a bit of tuning, but they are well worth it.

Often, bots try to spread at some point and they're not usually subtle about it - portscan.log used to go haywire for me. More than a certain number of entries in portscan.log on 135/137/139/445/1433/1434 etc. would send me a page.

cheers,
Jamie

http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
