To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Before anyone spends too much time looking at this, this may very well be a false positive. I’ll know more tomorrow.

-Brian
From: Brian Allen
Sent: Monday, March 13, 2006 11:04 AM
To: '[email protected]'
Subject: botnet info
Using Snort over the weekend I observed a number of the machines on our campus making IRC connections to the following IPs, all to port 7000:
A brief review of the DNS query logs showed that the machines were looking up hostnames in the cyworld.nate.com domain, which is owned by a group in Korea. Here is a sample:

IP 128.252.xx.xx.1222   > 128.252.120.1.53      :11648+           A? cyimg.cyworld.nate.com. (40)
IP 128.252.120.1.53     > 128.252.xx.xx.1222    :11648      1/2/2 A 211.115.10.219 (124)

IP 128.252.xx.xx.1222   > 128.252.120.1.53      :15802+           A? minihp.cyworld.nate.com. (41)
IP 128.252.120.1.53     > 128.252.xx.xx.1222    :15802      7/2/2 A 211.115.10.215, A 211.115.11.22, A 211.115.11.221, A 211.115.11.245, A 211.115.11.249, A 211.115.11.252, A 211.115.10.199 (221)

Here is the payload of one IRC NICK CHANGE; the others are all similar, with slight variations:
128.252.xx.xx > 211.115.10.201 port 7000

MODE ISIRCX
IRCX
NICK NI3141134527196407497
USER 41134527CY 41134527CY 41134527CY 41134527CY
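As an added example that is not part of the list post or Brian's tooling, a small detector in the spirit of what he describes: it parses DNS query lines in the tcpdump-style format quoted above plus the first bytes of outbound sessions, and reports clients that resolved a name under a given domain and then sent an IRCX-style registration (MODE ISIRCX, NICK, USER) to a given port. The log lines and session records are constructed, the client addresses are placeholders, and the correlation rule is an assumption for triage, not a claim about the campus traffic (which Brian notes may be a false positive).

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the DNS log and IRC payload quoted in the
# post; the client addresses are placeholders, not the redacted campus hosts.
DNS_LOG = """\
IP 128.252.1.10.1222 > 128.252.120.1.53: 11648+ A? cyimg.cyworld.nate.com. (40)
IP 128.252.120.1.53 > 128.252.1.10.1222: 11648 1/2/2 A 211.115.10.219 (124)
IP 128.252.1.10.1222 > 128.252.120.1.53: 15802+ A? minihp.cyworld.nate.com. (41)
IP 128.252.1.11.3301 > 128.252.120.1.53: 20001+ A? www.example.org. (33)
"""
IRC_SESSIONS = [  # (client, server, server port, first bytes the client sent)
    ("128.252.1.10", "211.115.10.201", 7000,
     "MODE ISIRCX\r\nIRCX\r\nNICK NI3141134527196407497\r\n"
     "USER 41134527CY 41134527CY 41134527CY 41134527CY\r\n"),
    ("128.252.1.11", "192.0.2.5", 443, "GET / HTTP/1.1\r\n"),
]

# Query line "IP <client>.<sport> > <server>.53: <id>+ A? <name>. (<len>)"; column padding tolerated.
QUERY_RE = re.compile(
    r"^IP (\d+\.\d+\.\d+\.\d+)\.\d+\s*>\s*\S+?\s*:\s*\d+\+\s+A\?\s+(\S+?)\.?\s+\(\d+\)")

def dns_queries(log):
    """Map each client address to the set of names it requested A records for."""
    queried = defaultdict(set)
    for line in log.splitlines():
        m = QUERY_RE.match(line)
        if m:
            queried[m.group(1)].add(m.group(2))
    return queried

def ircx_registration(payload):
    """Return (nick, username) when the payload opens with an IRCX registration, else None."""
    lines = payload.splitlines()
    nick = next((l.split()[1] for l in lines if l.startswith("NICK ")), None)
    user = next((l.split()[1] for l in lines
                 if l.startswith("USER ") and len(l.split()) == 5), None)
    return (nick, user) if "MODE ISIRCX" in lines and nick and user else None

def correlate(dns_log, sessions, domain_suffix, port):
    """Clients that resolved a name under domain_suffix and then sent an IRCX registration to port."""
    queried, findings = dns_queries(dns_log), {}
    for client, server, dport, payload in sessions:
        names = {n for n in queried.get(client, ()) if n.endswith(domain_suffix)}
        reg = ircx_registration(payload)
        if dport == port and names and reg:
            findings[client] = {"server": server, "domains": names,
                                "nick": reg[0], "user": reg[1]}
    return findings
```

A hit only says a host did both things in the same window; as Brian's own caveat shows, the next step is to check whether the destination is a legitimate service before treating it as bot traffic.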
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets