To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi,
last night this one hit my nepenthes host:
sandbox.norman.no:
nepenthes-2a7218f3fbeb57d4383f42e5bfc5456b-wkssvc.exe : [SANDBOX] contains a
security risk - W32/Malware (Signature: NO_VIRUS)
[ Network services ]
* Looks for an Internet connection.
* Connects to "morphine.i-am-leet.com" on port 8202 (TCP).
* Connects to IRC Server.
* IRC: Uses nickname EliteIRC|59138XXX.
* IRC: Uses username EliteIRC|59138XXX.
* IRC: Joins channel ###insuline### with password elitecrew.
=======================================================================
;; QUESTION SECTION:
;morphine.i-am-leet.com. IN A
;; ANSWER SECTION:
morphine.i-am-leet.com. 3600 IN A 84.244.15.214
morphine.i-am-leet.com. 3600 IN A 85.25.42.173
morphine.i-am-leet.com. 3600 IN A 62.75.168.239
;; AUTHORITY SECTION:
i-am-leet.com. 3600 IN NS ns1.eurodns.com.
i-am-leet.com. 3600 IN NS ns2.eurodns.com.
=======================================================================
inetnum: 84.244.0.0 - 84.244.39.255
netname: LYCOS-VDS-1
descr: Spray Network Services AB
country: SE
admin-c: JS5687-RIPE
tech-c: SH2596-RIPE
tech-c: KD849-RIPE
=======================================================================
inetnum: 85.25.32.0 - 85.25.63.255
netname: VSERVER-1
descr: vSERVER - Virtual dedicated Server-Hosting
descr: http://www.vserver.de
country: DE
org: ORG-BSBS1-RIPE
admin-c: OD376-RIPE
tech-c: IT1309-RIPE
rev-srv: ns1.plusserver.de
rev-srv: ns2.plusserver.de
=======================================================================
inetnum: 62.75.168.0 - 62.75.171.255
netname: VSERVER-1
descr: vSERVER - Virtual dedicated Server-Hosting
descr: http://www.vserver.de
country: DE
org: ORG-BSBS1-RIPE
admin-c: OD376-RIPE
tech-c: IT1309-RIPE
rev-srv: ns1.plusserver.de
rev-srv: ns2.plusserver.de
=======================================================================
:hub.hub.mesra.dal.net 001 [F]EliteIRC|90650XXX :Welcome to the CC-Cards IRC
Network [F]EliteIRC|[EMAIL PROTECTED]
:hub.hub.mesra.dal.net 002 [F]EliteIRC|90650XXX :Your host is
hub.hub.mesra.dal.net, running version Unreal3.2.4.
:hub.hub.mesra.dal.net 003 [F]EliteIRC|90650XXX :This server was created Mon
Apr 3 2006 at 17:34:55 BST.
:hub.hub.mesra.dal.net 004 [F]EliteIRC|90650XXX hub.hub.mesra.dal.net
Unreal3.2.4 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj.
:hub.hub.mesra.dal.net 005 [F]EliteIRC|90650XXX CMDS=KNOCK,MAP,DCCALLOW,USERIP
SAFELIST HCN MAXCHANNELS=15 CHANLIMIT=#:15 MAXLIST=b:60,e:60,I:60 NICKLEN=30
CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS :are
supported by this server.
:hub.hub.mesra.dal.net 005 [F]EliteIRC|90650XXX WATCH=128 SILENCE=15 MODES=12
CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beIqa,kfL,lj,psmntirRcOAQKVCuzNSMTG
NETWORK=CC-Cards CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT [EMAIL PROTECTED]
EXCEPTS INVEX :are supported by this server.
:hub.hub.mesra.dal.net 251 [F]EliteIRC|90650XXX :There are 1 users and 675
invisible on 6 servers.
:hub.hub.mesra.dal.net 253 [F]EliteIRC|90650XXX 1 :unknown connection(s).
:hub.hub.mesra.dal.net 254 [F]EliteIRC|90650XXX 16 :channels formed.
:hub.hub.mesra.dal.net 255 [F]EliteIRC|90650XXX :I have 98 clients and 5
servers.
:hub.hub.mesra.dal.net 265 [F]EliteIRC|90650XXX :Current Local Users: 98 Max:
937.
:hub.hub.mesra.dal.net 266 [F]EliteIRC|90650XXX :Current Global Users: 676
Max: 2078.
:hub.hub.mesra.dal.net 422 [F]EliteIRC|90650XXX :MOTD File is missing.
:hub.hub.mesra.dal.net 455 [F]EliteIRC|90650XXX :Your username [F]EliteI
contained the invalid character(s) [] and has been changed to FEliteI. Please
use only the characters 0-9 a-z A-Z _ - or . in your username. Your username is
the part before the @ in your email address..
USERHOST [F]EliteIRC|90650XXX.
JOIN ###insuline### elitecrew.
:[F]EliteIRC|[EMAIL PROTECTED] JOIN :###insuline###.
:hub.hub.mesra.dal.net 332 [F]EliteIRC|90650XXX ###insuline### :.foh-start
dcass 100 5 0 -b -r -e.
:hub.hub.mesra.dal.net 333 [F]EliteIRC|90650XXX ###insuline### RoystoN
1144170885.
:hub.hub.mesra.dal.net 353 [F]EliteIRC|90650XXX @ ###insuline###
:[F]EliteIRC|90650XXX [M]EliteIRC|69778582 [M][F]EliteIRC|89899571
EliteIRC|68806288 EliteIRC|33258064 EliteIRC|40891655 EliteIRC|01813826 RoystoN
[M][F]EliteIRC|71072122 EliteIRC|55986520 [M]EliteIRC|25332152
[M]EliteIRC|25664514
EliteIRC|00402439 [M]EliteIRC|30439199 EliteIRC|40857081 EliteIRC|72197007
EliteIRC|09746545 EliteIRC|18574406 [M]EliteIRC|29499127 EliteIRC|81828444
[M][F]EliteIRC|58378042 .
:hub.hub.mesra.dal.net 353 [F]EliteIRC|90650XXX @ ###insuline###
:[M][F]EliteIRC|09794831 EliteIRC|65490148 EliteIRC|67349946 EliteIRC|95598120
EliteIRC|88297135 EliteIRC|10338830 EliteIRC|51275237 [F]EliteIRC|87738290
EliteIRC|41268357 EliteIRC|27471720 [F]EliteIRC|63358609 EliteIRC|20769054
[M]EliteIRC|70051231 EliteIRC|06606931 [M]EliteIRC|89428032 EliteIRC|46280352
EliteIRC|42728878 [F]EliteIRC|94561664 EliteIRC|39095185 EliteIRC|51526915
[F]EliteIRC|92914804 .
:hub.hub.mesra.dal.net 366 [F]EliteIRC|90650XXX ###insuline### :End of /NAMES
list..
PRIVMSG ###insuline### :[SCAN]: Random Port Scan started on 192.168.x.x:445
with a delay of 5 seconds for 0 minutes using 100 threads..
:hub.hub.mesra.dal.net 302 [F]EliteIRC|90650XXX :[F]EliteIRC|[EMAIL PROTECTED]
.
:hub.hub.mesra.dal.net 404 [F]EliteIRC|90650XXX ###insuline### :You must have a
registered nick (+r) to talk on this channel (###insuline###).
=======================================================================
*** RoystoN is [EMAIL PROTECTED] (Mos Boni GAF TA HIQNI KET BNC SE NA CAT
MENDEREN!)
*** on channels: @#x# @##rx ###insuline### #xfivex @#exp#
*** on irc via server hub.hub.mesra.dal.net (12Powered by cc-cards.net)
*** RoystoN has been idle 86 minutes, signed on at Fri Apr 7 01:35:43 2006
*** RoystoN : End of /WHOIS list.
=======================================================================
*** [EMAIL PROTECTED]
=======================================================================
*** RoystoN was [EMAIL PROTECTED] (Mos Boni GAF TA HIQNI KET BNC SE NA CAT
MENDEREN!)
*** on irc via server mesra3.dal.net (Fri Apr 7 00:31:34 2006)
*** RoystoN : End of WHOWAS
=======================================================================
*** Channel Users Topic
*** #exp# 1
*** #forbt 1
*** #x# 1
*** ##rx 1
*** #ricky# 2
*** #xfivex 5
*** #t0si 1
*** End of /LIST
=======================================================================
*** Administrative info about hub.hub.mesra.dal.net
*** 12 TheFive IRC Chat Network
*** 12 TheFive
*** 12 [EMAIL PROTECTED]
*** brain.hub.mesra.dal.net hub.hub.mesra.dal.net 1 12Powered by cc-cards.net
*** mesra3.dal.net hub.hub.mesra.dal.net 1 12Powered by cc-cards.net
*** mesra2.dal.net hub.hub.mesra.dal.net 1 12Powered by cc-cards.net
*** mesra1.dal.net hub.hub.mesra.dal.net 1 12Powered by cc-cards.net
*** mesra.dal.net hub.hub.mesra.dal.net 1 12Powered by cc-cards.net
*** hub.hub.mesra.dal.net hub.hub.mesra.dal.net 0 12Powered by cc-cards.net
*** * : End of /LINKS list.
=======================================================================
*** hub.hub.mesra.dal.net (93) 102
*** |-brain.hub.mesra.dal.net (67) 112
*** |-mesra3.dal.net (136) 110
*** |-mesra2.dal.net (103) 108
*** |-mesra1.dal.net (78) 106
*** `-mesra.dal.net (137) 104
*** End of /MAP
=======================================================================
*** I have 140 clients and 1 servers (from mesra3.dal.net)
*** Current Local Users: 140 Max: 535 (from mesra3.dal.net)
*** I have 98 clients and 1 servers (from mesra2.dal.net)
*** Current Local Users: 98 Max: 481 (from mesra2.dal.net)
*** I have 76 clients and 1 servers (from mesra1.dal.net)
*** Current Local Users: 76 Max: 401 (from mesra1.dal.net)
*** I have 138 clients and 1 servers (from mesra.dal.net)
*** Current Local Users: 138 Max: 323 (from mesra.dal.net)
*** I have 63 clients and 1 servers (from brain.hub.mesra.dal.net)
*** Current Local Users: 63 Max: 233 (from brain.hub.mesra.dal.net)
*** I have 97 clients and 5 servers (from hub.hub.mesra.dal.net)
*** Current Local Users: 97 Max: 937 (from hub.hub.mesra.dal.net)
=======================================================================
nick..
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
