To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Thanks Dan, but as we're blocking the initial TCP SYN packets at our firewall, I have no session data to capture.
If it were within my remit, I could go to the remote site, spoof the IRC server, force the PC to talk to my spoofed server via routing entries, record the session, then replay the client side to the real server and see what happens. But currently, having no idea what IRC parameters it would use if it were to connect successfully, I'm unable to create a session with the server from my PC (which does have firewall permissions). I only know that it is an IRC server by running "wget" against it.
If it's any help, the servers that are still live announce themselves as m00p.org, which does get hits on anti-virus sites, though none linked to the addresses I'm seeing. I also have another PC trying a different set of addresses where the server announces as still.jp, although the address owner is a US education establishment. I have not yet found any hits for this domain on A-V sites.
Regards,
Dave
_____________________
David Long
Network Analyst
Serco Solutions
01223 717582
[EMAIL PROTECTED]
www.serco.com
bringing service to life
______________________
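The spoofed-server approach described in the reply above, as an added example that is not code from the thread: a minimal IRC server in Python that accepts whatever the suspect PC sends once it has been redirected here, answers with just enough of the protocol (the 001-004 registration numerics, PONG, JOIN acknowledgements) for an ordinary client to reveal its PASS, NICK, USER and JOIN parameters, and logs both sides of the session. The server name, the default port 8080, the peer address and the client lines used offline are assumptions; nothing is modelled on the real m00p.org or still.jp servers.

```python
"""Spoofed IRC server that records a suspect client's side of the session.

Added example, not code from the thread. Assumes the suspect PC has been
redirected (routing entry or NAT) to this host on the port it keeps trying,
8080 in the thread. SERVER_NAME and every reply are generic IRC, chosen to
make an ordinary client register and JOIN; nothing is modelled on the real
servers mentioned in the thread.
"""
import socketserver
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SERVER_NAME = "irc.example.invalid"  # assumed; any plausible name works


@dataclass
class Session:
    peer: str
    nick: Optional[str] = None
    user: Optional[str] = None
    password: Optional[str] = None
    joins: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    log: List[str] = field(default_factory=list)   # "C> ..." and "S> ..."
    registered: bool = False


def parse_line(line: str):
    """Split an IRC message into (prefix, COMMAND, params), trailing included."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def handle_client_line(sess: Session, line: str) -> List[str]:
    """Record one client line, update state, return the server's replies."""
    line = line.rstrip("\r\n")
    sess.log.append("C> " + line)
    _, cmd, params = parse_line(line)
    replies: List[str] = []
    nick = sess.nick or "*"
    if cmd == "PASS" and params:
        sess.password = params[0]
    elif cmd == "NICK" and params:
        sess.nick = params[0]
    elif cmd == "USER" and params:
        sess.user = params[0]
    elif cmd == "JOIN" and params:
        # JOIN #a,#b key1,key2 : channels and keys are parallel lists
        chans = params[0].split(",")
        keys = params[1].split(",") if len(params) > 1 else []
        for i, chan in enumerate(chans):
            key = keys[i] if i < len(keys) else None
            sess.joins.append((chan, key))
            replies.append(f":{nick}!{sess.user or 'u'}@{sess.peer} JOIN :{chan}")
            replies.append(f":{SERVER_NAME} 353 {nick} = {chan} :{nick}")
            replies.append(f":{SERVER_NAME} 366 {nick} {chan} :End of /NAMES list.")
    elif cmd == "PING":
        token = params[0] if params else SERVER_NAME
        replies.append(f":{SERVER_NAME} PONG {SERVER_NAME} :{token}")
    elif cmd == "QUIT":
        replies.append("ERROR :Closing Link")
    # Once NICK and USER are both in, send the 001-004 numerics (plus 422,
    # no MOTD): most clients wait for 001 before they send their JOIN.
    if not sess.registered and sess.nick and sess.user:
        sess.registered = True
        n = sess.nick
        replies = [
            f":{SERVER_NAME} 001 {n} :Welcome to the Internet Relay Network {n}",
            f":{SERVER_NAME} 002 {n} :Your host is {SERVER_NAME}",
            f":{SERVER_NAME} 003 {n} :This server was created today",
            f":{SERVER_NAME} 004 {n} {SERVER_NAME} 1.0 iwo ntk",
            f":{SERVER_NAME} 422 {n} :MOTD File is missing",
        ] + replies
    sess.log.extend("S> " + r for r in replies)
    return replies


def replay(client_lines: List[str], peer: str = "10.0.0.5") -> Session:
    """Drive a Session from captured or constructed client lines (offline)."""
    sess = Session(peer=peer)
    for line in client_lines:
        handle_client_line(sess, line)
    return sess


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        sess = Session(peer=self.client_address[0])
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            for reply in handle_client_line(sess, raw.decode("latin-1")):
                self.wfile.write((reply + "\r\n").encode("latin-1"))
        print("\n".join(sess.log))   # the C> lines are what you would replay


def serve(host: str = "0.0.0.0", port: int = 8080) -> None:
    """Listen where the suspect PC has been redirected and log every session."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), _Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run `serve()` on the host the suspect PC has been pointed at and the `C>` lines of the printed log are exactly the client side to replay against the real server. The registration numerics matter: most clients send nothing beyond NICK and USER until they see 001, so a listener that only accepts the connection and stays silent never learns the channel or its key.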
dan <[EMAIL PROTECTED]>
09/03/2006 22:47

To: [EMAIL PROTECTED]
cc: [email protected]
Subject: Re: [botnets] Possible Bot Controllers
Packet Trace?
If you can fetch enough packet data, perhaps you can identify what it's
trying to do based on signatures.
-Dan
[EMAIL PROTECTED] wrote:
>
> Please forgive the newbie question - I'll try to make it my only one :^)
>
> A couple of PCs here are trying to get to IRC servers on TCP port 8080.
> The traffic is blocked and logged by our firewalls, so is no immediate
> threat in itself. The destination addresses are not associated with any
> known malware (or weren't last time I looked), so I can't be absolutely
> certain that the IRC boxes are controllers (though it's difficult to
> think of an innocent reason for putting IRC servers on 8080 or for a PC
> trying the same addresses repeatedly 24 hours a day!).
>
> What is the etiquette in such a case? Should I report the IRC servers to
> the site administrator(s)? Should I report the addresses here (or
> elsewhere) even though I'm not certain that they are bot-related?
>
> Unfortunately my organisation only provides network services to our
> client, so I cannot produce any useful evidence from the PCs themselves,
> and their IT dept has neither the time nor the skills to extract any
> such evidence - if they do anything at all, it'll probably be a
> re-installation.
>
> Thanks.
>
> Regards,
>
> Dave
>
>
> ***Disclaimer****
> This e-mail and any attachments may contain confidential and/or
> privileged material; it is for the intended addressee(s) only. If you
> are not a named addressee, you must not use, retain or disclose such
> information.
> Serco cannot guarantee that the e-mail or any attachments are free from
> viruses.
> The views expressed in this e-mail are those of the originator and do
> not necessarily represent the views of Serco.
> Nothing in this e-mail shall bind Serco in any contract or obligation.
> Serco Group plc. Registered in England and Wales. No: 2048608
> Registered Office: Serco House, 16 Bartley Wood Business Park, Bartley
> Way, Hook, Hampshire, RG27 9UY, United Kingdom.
>
> _______________________________________________
> botnets mailing list
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
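An added example, not part of the original post, of turning the firewall's deny logs into the kind of evidence the post describes: group blocked outbound connections by source, destination and port, and flag flows that recur at a steady interval across most hours of the day, which is the pattern of a PC "trying the same addresses repeatedly 24 hours a day". The log line format, the addresses (RFC 5737 test ranges) and the 24-hour sample are constructed for the example; the regular expression would need adapting to a real firewall's format.

```python
"""Find hosts that beacon to one remote port around the clock in firewall
deny logs.

Added example, not code from the thread. The line format, the addresses
(RFC 5737 test ranges) and the 24-hour sample are constructed here; LINE_RE
must be adapted to a real firewall's syslog format.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed format: "<iso-timestamp> DENY TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse(lines: List[str]) -> List[Tuple[datetime, str, str, int]]:
    """Return (timestamp, src, dst, dport) for each line that matches."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return out


def find_beacons(lines: List[str], min_hits: int = 24, min_hours: int = 12) -> List[Dict]:
    """Flag (src, dst, dport) flows seen at least min_hits times across at
    least min_hours distinct hours of the day. The regularity score is the
    fraction of inter-arrival gaps within 25% of the median gap: close to
    1.0 means a timer, not a person."""
    by_flow: Dict[Tuple[str, str, int], List[datetime]] = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        by_flow[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), stamps in by_flow.items():
        stamps.sort()
        hours = {t.hour for t in stamps}
        if len(stamps) < max(min_hits, 2) or len(hours) < min_hours:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        regular = sum(1 for g in gaps if abs(g - median_gap) <= 0.25 * median_gap) / len(gaps)
        findings.append({
            "src": src, "dst": dst, "dport": dport,
            "hits": len(stamps), "hours_active": len(hours),
            "median_gap_s": median_gap, "regularity": round(regular, 2),
        })
    findings.sort(key=lambda f: (-f["hours_active"], -f["hits"]))
    return findings


def sample_log() -> List[str]:
    """Constructed 24h of deny lines: 10.1.2.3 retries 203.0.113.7:8080 every
    ten minutes all day; 10.1.2.9 makes three blocked web hits in office hours."""
    start = datetime(2006, 3, 9, 0, 0, 0)
    lines = []
    for i in range(144):
        t = start + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} DENY TCP 10.1.2.3:{1024 + i} -> 203.0.113.7:8080")
    for hour in (9, 11, 15):
        t = start + timedelta(hours=hour, minutes=17)
        lines.append(f"{t.isoformat()} DENY TCP 10.1.2.9:2000 -> 198.51.100.20:80")
    return lines


if __name__ == "__main__":
    for finding in find_beacons(sample_log()):
        print(finding)
```

The thresholds are deliberately loose defaults: the point is the combination of hour coverage and a tight inter-arrival distribution, not the port number, so a flow on 8080 with 144 hits in 24 distinct hours and every gap at the median stands out while three daytime web hits do not. The resulting tuple (source, destination, port, hit count, hours active, median gap) is also what a site administrator or a private report to the list would need.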
