To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Gadi Evron wrote:
> ----------
> On Sat, 20 May 2006, Jörg Weber wrote:
>> Hi folks,
>>
>> I found this funny thing during the weekend:
>> It connects to symantec.loves.the.cock.pheer.biz 18067 and seems to initiate 
>> something akin to an IRC session:
>>
>> USeR l l l l
>>
>> NiCK l5-00050c7b
>>
>> :a4 433 * l5-00050c7b : 
>> NiCK l5-00051247
>>
>> :a4 001 l5-00051247 : 
>> USeRHOST l5-00051247
>>
>> :a4 302 l5-00051247 :[EMAIL PROTECTED]     
>> JOiN #l5t3 dlrowymx0ri
>>
>> :a4 366 l5-00051247 #l5t3 : 
>>
>> Trying to connect to that box by telnet/netcat/irc fails at times and works 
>> sometimes, but I couldn't get the server to spill out any useful information.
>>
>> Does someone have a clue what this beast is?
> 
> Just a guess: an IRC based C&C which is either on a bad connection or very
> over-loaded with bots.
> 
>       Gadi.
> 
>> Cheers,
>>
>> J.


I think it is a stripped down IRC server, they removed everything that
could give you data about it. The bot may use USERHOST to get its external
IP and may need 366 to know that it successfully joined the command
channel. It starts scanning the external IP's network after connecting to
the server. File MD5 is 7dc73bfa4d78284155dd5101991eeb34.

nick..
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
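
Added example, not part of the original posts: a small heuristic checker run over the session lines quoted in this thread, flagging the traits the replies point at (numerics with their usual text stripped, USERHOST issued before the channel join, a keyed JOIN, mixed-case command verbs). The function name, finding labels and the choice of heuristics are assumptions made for illustration.

```python
# Constructed sample: the client/server lines quoted in the thread above.
SESSION = """\
USeR l l l l
NiCK l5-00050c7b
:a4 433 * l5-00050c7b :
NiCK l5-00051247
:a4 001 l5-00051247 :
USeRHOST l5-00051247
:a4 302 l5-00051247 :[EMAIL PROTECTED]
JOiN #l5t3 dlrowymx0ri
:a4 366 l5-00051247 #l5t3 :
"""

# Numerics that a stock ircd sends with human-readable trailing text
# (welcome banner, end-of-names notice, nickname-in-use message).
TEXT_NUMERICS = {"001", "366", "433"}

def analyze(session):
    """Return a sorted list of heuristic findings for one captured IRC session."""
    findings = set()
    verbs = []  # client command verbs, upper-cased, in order of appearance
    for raw in session.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            # Server line: ":<prefix> <numeric> <params...> :<trailing>"
            head, _, trailing = line[1:].partition(" :")
            parts = head.split()
            if len(parts) >= 2 and parts[1] in TEXT_NUMERICS and not trailing.strip():
                findings.add("empty-numeric-text")
        else:
            parts = line.split()
            verb = parts[0]
            verbs.append(verb.upper())
            # IRC verbs are case-insensitive, but ordinary clients do not mix case.
            if verb != verb.upper() and verb != verb.lower():
                findings.add("mixed-case-verb")
            if verb.upper() == "JOIN" and len(parts) >= 3:
                findings.add("keyed-channel-join")
    # USERHOST before JOIN matches the external-IP lookup suggested in the reply.
    if "USERHOST" in verbs and "JOIN" in verbs and verbs.index("USERHOST") < verbs.index("JOIN"):
        findings.add("userhost-before-join")
    return sorted(findings)
```

Each finding is weak on its own; the combination in one short session is what makes a capture worth a closer look.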