To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------
Has anyone on this list seen these bots before? Any idea what they are?
--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
--- Begin Message ---
Starting on the 23rd May we started getting the following connects:

    [23/05/2006 02:11] Z2345678901234567890f connected [EMAIL PROTECTED]:Anonym
    [23/05/2006 02:49] FTZ connected [EMAIL PROTECTED]:blah
    [23/05/2006 03:09] L1928621149634400x connected [EMAIL PROTECTED]:blah
    [23/05/2006 03:05] C080171078046r connected [EMAIL PROTECTED]:C080171078046r
    [23/05/2006 13:21] J060240113151k connected [EMAIL PROTECTED]:J060240113151k
    [23/05/2006 13:29] M060240113151w connected [EMAIL PROTECTED]:M060240113151w
    [23/05/2006 13:35] P060240113151m connected [EMAIL PROTECTED]:P060240113151m
    [23/05/2006 13:41] R060240113151u connected [EMAIL PROTECTED]:R060240113151u
    [23/05/2006 21:47] U086083039060x connected [EMAIL PROTECTED]:U086083039060x

Above seem to possibly be involved with the creation or testing of whatever bot the following nick ident gecos pattern belongs to:

    S210213215022p [EMAIL PROTECTED]:S210213215022p
    T086125192184z [EMAIL PROTECTED]:T086125192184z
    W200120173056l [EMAIL PROTECTED]:W200120173056l
    W210213215022t [EMAIL PROTECTED]:W210213215022t
    X195250167002j [EMAIL PROTECTED]:X195250167002j
    A082046137067r [EMAIL PROTECTED]:A082046137067r
    G200115212125a [EMAIL PROTECTED]:G200115212125a
    I194242059131a [EMAIL PROTECTED]:I194242059131a
    M201011143226d [EMAIL PROTECTED]:M201011143226d
    O086035033141f [EMAIL PROTECTED]:O086035033141f

They stem from various countries, connect but don't join channels nor give any responses to CTCP requests, although we have noticed a few raw 421 returns during connect.

    [20:45] 421 S083227237156n cends.net :Unknown command..
    [20:45] 421 S083227237156n 37156n :Unknown command..

Plus the IP 60.49.172.118 seems to either be part of a VPN or running proxies; following revealed via ngrep:

    T xxx.xxx.xxx.xxx:4661 -> 60.49.172.118:80 [AP]
      HTTP/1.0 501 Not Implemented..Content-type: text/html..Pragma: no-cache..Date: Wed, 24 May 2006 13:08:44 GMT..Last-modified: We d, 24 May 2006 13:08:44 GMT..Accept-Ranges: bytes..Connection: close....<html>.<head>. <title>501 Not Implemented</title>.</he ad>.<body bgcolor="ffffff">. <h2>501 Not Implemented<h2>. <p>. The requested method is not implemented by this server..</body>.</html>.

    T xxx.xxx.xxx.xxx:4661 -> 60.49.172.118:80 [AP]
      POST http://140.186.181.106:6667/ HTTP/1.0..Content-type: text/plain..Content-length: 5....quit....

    T 60.49.172.118:80 -> xxx.xxx.xxx.xxx:4661 [AFP]
      HTTP/1.0 400 Bad Request..Content-type: text/html..Pragma: no-cache..Date: Wed, 24 May 2006 13:08:44 GMT..Last-modified: Wed, 2 4 May 2006 13:08:44 GMT..Accept-Ranges: bytes..Connection: close....<html>.<head>. <title>400 Bad Request</title>.</head>.<bod y bgcolor="ffffff">. <h2>400 Bad Request<h2>. <p>. Your request has bad syntax or is inherently impossible to satisfy..</bod y>.</html>.

We are asking that anyone on List who is aware of a user with host "d093010.adsl.hansenet.de". Could they please advise List as it seems they are a key factor, be it a coder/scripter/tester of the above botnet. As of now we are still in the dark regards methods being used to spread this, nor aware of what its function/capabilities are. Anyone with any further info please advise asap.

KeRnoW
Ascends.net
_______________________________________________
irc-security mailing list
[EMAIL PROTECTED]
http://lists.irc-unity.org/mailman/listinfo/irc-security
--- End Message ---
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
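
Added example, not part of either message above: a small Python filter that a server operator could run over connect logs in the layout quoted in the forwarded post, flagging clients whose nick is one uppercase letter, 12 digits and one lowercase letter and whose gecos repeats the nick. The sample lines and the `user@host.example` ident are constructed, and reading the 12 digits as four zero-padded octets is this example's assumption, not something the post states.

```python
import re
from typing import NamedTuple, Optional

# Connect-log layout as quoted in the post:
#   [DD/MM/YYYY HH:MM] <nick> connected <ident@host>:<gecos>
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2})\] "
    r"(?P<nick>\S+) connected (?P<userhost>[^:\s]+):(?P<gecos>.*)$"
)
# Nick shape seen in the post: uppercase letter, 12 digits, lowercase letter.
NICK_RE = re.compile(r"^[A-Z](\d{12})[a-z]$")

class Hit(NamedTuple):
    ts: str
    nick: str
    userhost: str
    octets: Optional[str]  # dotted form of the digits, if they fit IPv4

def digits_as_ipv4(digits: str) -> Optional[str]:
    """ASSUMPTION (not from the post): 12 digits = four zero-padded octets."""
    parts = [int(digits[i:i + 3]) for i in range(0, 12, 3)]
    return ".".join(map(str, parts)) if all(p <= 255 for p in parts) else None

def scan(lines):
    """Return a Hit for each connect line whose nick fits and gecos == nick."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a connect line in this layout
        n = NICK_RE.match(m["nick"])
        if n and m["gecos"] == m["nick"]:
            hits.append(Hit(m["ts"], m["nick"], m["userhost"],
                            digits_as_ipv4(n.group(1))))
    return hits

# Constructed sample input; ident@host values are placeholders.
SAMPLE = [
    "[24/05/2006 20:45] S210213215022p connected user@host.example:S210213215022p",
    "[24/05/2006 20:46] FTZ connected user@host.example:blah",
    "[24/05/2006 20:47] Alice connected alice@host.example:Alice",
    "[24/05/2006 20:48] W999120173056l connected user@host.example:W999120173056l",
    "[24/05/2006 20:49] T086125192184z connected user@host.example:someone else",
    "*** server notice, not a connect line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Comparing the `octets` value with the address the client actually connected from is one way to test that assumption against real logs.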
