Re: [botnets] another irc client
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--
Kettlewell, Larry [KO] wrote:
> Think this came up once before (Cox connection) and one individual here
> said he'd not gotten any response from them. I intervened with Cox and
> sent them the info, but as with other large NOCs, they're not very
> engaging. So to echo Brack's comment...I dunno...either.
>
> Larry

if anybody doesn't get a response from cox, please let me know. I have a way to go right to the top. cox strives to be one of the best when it comes to dealing with issues, so I know they would love to hear about any issues you guys are having with getting ahold of somebody.

Kyle
___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
Re: [botnets] another irc client
Think this came up once before (Cox connection) and one individual here said he'd not gotten any response from them. I intervened with Cox and sent them the info, but as with other large NOCs, they're not very engaging. So to echo Brack's comment...I dunno...either.

Larry

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 6:20 PM
To: bf
Cc: botnets@whitestar.linuxbox.org
Subject: Re: [botnets] another irc client

> What's the associate with "Plesk" admin pages. I see those included
> often is the server being whacked through a Plesk sploit and being
> used for spreading or is the attacker hosting something there or what?

> I think someone there watches this list yes?

yes, but I always thought it was bad manners to answer a list posting with 'I dunno'. yet, at the risk of being rude I dunno.

b

-
Email solutions, MS Exchange alternatives and extrication, security services, systems integration.
Contact:[EMAIL PROTECTED]
Re: [botnets] another irc client
> What's the associate with "Plesk" admin pages. I see those included
> often is the server being whacked through a Plesk sploit and being
> used for spreading or is the attacker hosting something there or what?

> I think someone there watches this list yes?

yes, but I always thought it was bad manners to answer a list posting with 'I dunno'. yet, at the risk of being rude I dunno.

b

-
Email solutions, MS Exchange alternatives and extrication, security services, systems integration.
Contact:[EMAIL PROTECTED]
Re: [botnets] another irc client
Sorry for the repost, just to clarify the question:

I think Plesk is the admin utility for a shared hosting webserver and mayhaps one of the sites hosted thereon was compromised to hold the attacker's code. So there may be no direct connection to Plesk other than that it is a widely used admin tool for webservers.

Is this correct?

thanks,
bf

On 4/6/06, bf <[EMAIL PROTECTED]> wrote:
> /snip
> > > 70.168.74.193/strange <<-- downloader
> >
> > Looks like something our good friend LordNikon might be behind.
> /snip
>
> What's the associate with "Plesk" admin pages. I see those included
> often is the server being whacked through a Plesk sploit and being
> used for spreading or is the attacker hosting something there or what?
>
> Btw:
> That Plesk page belongs to COX in ATL:
> Cox Communications Inc. NETBLK-COX-ATLANTA-10 (NET-70-160-0-0-1)
> 70.160.0.0 - 70.191.255.255
> Cox Communications Inc. NETBLK-RI-OHFC-70-168-72-0 (NET-70-168-72-0-1)
> 70.168.72.0 - 70.168.79.255
>
> I think someone there watches this list yes?
>
> thanks,
> bf
>
> On 4/5/06, PinkFreud <[EMAIL PROTECTED]> wrote:
> > On Wed, Apr 05, 2006 at 06:55:33AM -0500, [EMAIL PROTECTED] babbled thus:
> > > I just don't have time to look at it right now, so here is the link to
> > > another botnet irc client:
> > >
> > > http://210.3.4.193/cmd.txt <<-- defacer
> >
> > Indeed.
> >
> > > 70.168.74.193/strange <<-- downloader
> >
> > Looks like something our good friend LordNikon might be behind.
> >
> > > 207.90.211.54/arts <<-- actual client
> >
> > 404
> >
> > > http://72.34.42.241/~dancing/bash <<-- spreader
> >
> > Actually, this is a Kaiten, which doesn't spread on its own.
> > Judging from strings in the usual places, it appears this beast
> > connects to 205.237.246.203 and joins #aseasii with a key of aseasi
> >
> > The ip this thing connects to appears to be owned by:
> > OrgName:    College Lionel-Groulx
> > OrgID:      COLLEG-23
> > Address:    100 rue Duquet
> > City:       Sainte-Therese
> > StateProv:  Quebec
> > PostalCode: J7E 3G6
> > Country:    CA
> >
> > > peace out.
> >
> > Indeed.
> >
> > --
> > PinkFreud
> > Chief of Security, Nightstar IRC network
> > irc.nightstar.net | www.nightstar.net
> > Server Administrator - Blargh.CA.US.Nightstar.Net
> > Unsolicited advertisements sent to this address are NOT welcome.
Re: [botnets] another irc client
/snip
> > 70.168.74.193/strange <<-- downloader
>
> Looks like something our good friend LordNikon might be behind.
/snip

What's the associate with "Plesk" admin pages. I see those included often is the server being whacked through a Plesk sploit and being used for spreading or is the attacker hosting something there or what?

Btw:
That Plesk page belongs to COX in ATL:
Cox Communications Inc. NETBLK-COX-ATLANTA-10 (NET-70-160-0-0-1)
70.160.0.0 - 70.191.255.255
Cox Communications Inc. NETBLK-RI-OHFC-70-168-72-0 (NET-70-168-72-0-1)
70.168.72.0 - 70.168.79.255

I think someone there watches this list yes?

thanks,
bf

On 4/5/06, PinkFreud <[EMAIL PROTECTED]> wrote:
> On Wed, Apr 05, 2006 at 06:55:33AM -0500, [EMAIL PROTECTED] babbled thus:
> > I just don't have time to look at it right now, so here is the link to
> > another botnet irc client:
> >
> > http://210.3.4.193/cmd.txt <<-- defacer
>
> Indeed.
>
> > 70.168.74.193/strange <<-- downloader
>
> Looks like something our good friend LordNikon might be behind.
>
> > 207.90.211.54/arts <<-- actual client
>
> 404
>
> > http://72.34.42.241/~dancing/bash <<-- spreader
>
> Actually, this is a Kaiten, which doesn't spread on its own.
> Judging from strings in the usual places, it appears this beast
> connects to 205.237.246.203 and joins #aseasii with a key of aseasi
>
> The ip this thing connects to appears to be owned by:
> OrgName:    College Lionel-Groulx
> OrgID:      COLLEG-23
> Address:    100 rue Duquet
> City:       Sainte-Therese
> StateProv:  Quebec
> PostalCode: J7E 3G6
> Country:    CA
>
> > peace out.
>
> Indeed.
>
> --
> PinkFreud
> Chief of Security, Nightstar IRC network
> irc.nightstar.net | www.nightstar.net
> Server Administrator - Blargh.CA.US.Nightstar.Net
> Unsolicited advertisements sent to this address are NOT welcome.
Re: [botnets] another irc client
Looks like most of the pages have already been suspended but the 207.90.211.54 hit my honeypot a couple of days ago for "http://207.90.211.54/hey"; both seem to not be on the server anymore

Looks like it came through for an ASN1 exploit on port 80...so unless someone has a capture of the "art|arts|hey" client I'm out.

Jake

-- Original message --
From: [EMAIL PROTECTED]
> I just don't have time to look at it right now, so here is the link to
> another botnet irc client:
>
> http://210.3.4.193/cmd.txt <<-- defacer
> 70.168.74.193/strange <<-- downloader
> 207.90.211.54/arts <<-- actual client
> http://72.34.42.241/~dancing/bash <<-- spreader
>
> peace out.
>
> -
> Email solutions, MS Exchange alternatives and extrication,
> security services, systems integration.
> Contact:[EMAIL PROTECTED]
Re: [botnets] another irc client
On Wed, Apr 05, 2006 at 06:55:33AM -0500, [EMAIL PROTECTED] babbled thus:
> I just don't have time to look at it right now, so here is the link to
> another botnet irc client:
>
> http://210.3.4.193/cmd.txt <<-- defacer

Indeed.

> 70.168.74.193/strange <<-- downloader

Looks like something our good friend LordNikon might be behind.

> 207.90.211.54/arts <<-- actual client

404

> http://72.34.42.241/~dancing/bash <<-- spreader

Actually, this is a Kaiten, which doesn't spread on its own.
Judging from strings in the usual places, it appears this beast
connects to 205.237.246.203 and joins #aseasii with a key of aseasi

The ip this thing connects to appears to be owned by:
OrgName:    College Lionel-Groulx
OrgID:      COLLEG-23
Address:    100 rue Duquet
City:       Sainte-Therese
StateProv:  Quebec
PostalCode: J7E 3G6
Country:    CA

> peace out.

Indeed.

--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
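
The static triage described in the message above (reading embedded strings to find the IRC server and channel a bot is configured for), sketched as an added example that is not part of the thread or any poster's tooling. The sample bytes, the documentation-range address and the channel name are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Runs of 4+ printable ASCII bytes, the default heuristic of strings(1).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Dotted quads that are not part of a longer dotted number.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# IRC channel names start with '#' or '&' and exclude space, comma, BEL, colon.
CHANNEL = re.compile(r"(?<![\w#&])([#&][^\s,\x07:]{1,49})")


def extract_strings(blob: bytes) -> list[str]:
    """Return printable ASCII runs found in a binary blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def triage(blob: bytes) -> dict:
    """Collect candidate C2 addresses and IRC channels for an abuse report."""
    ips, channels = set(), set()
    for s in extract_strings(blob):
        for cand in IPV4.findall(s):
            try:
                ips.add(str(ipaddress.IPv4Address(cand)))
            except ipaddress.AddressValueError:
                pass  # version-like strings such as "2.6.999.1" are not addresses
        channels.update(CHANNEL.findall(s))
    # A channel key is an arbitrary string, so it cannot be picked out by
    # pattern; an analyst reads the strings next to the channel name.
    return {"ips": sorted(ips), "channels": sorted(channels)}


# Constructed sample: binary padding around strings of the kind an IRC bot embeds.
SAMPLE = (
    b"\x7fELF\x01\x01\x00" + b"\x00" * 8
    + b"192.0.2.10\x00#examplechan\x00examplekey\x00"
    + b"NICK %s\nUSER %s localhost localhost :%s\n\x00"
    + b"version 2.6.999.1\x00\x01\x02"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Packed or obfuscated samples yield nothing useful here; in that case the server and channel have to come from a network capture taken in an isolated lab.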