To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
This is a legitimate Korean instant messaging program that is run on the backend over IRC.

.Seth

On Mar 13, 2006, at 11:06 PM, Brian Allen wrote:

> Before anyone spends too much time looking at this, this may very
> well be a false positive. I’ll know more tomorrow.
>
> -Brian
>
> From: Brian Allen
> Sent: Monday, March 13, 2006 11:04 AM
> To: '[email protected]'
> Subject: botnet info
>
> Using Snort over the weekend I observed a number of the machines on
> our campus making irc connections to the following IPs all to port
> 7000:
>
> A brief review of the DNS Query Logs showed that the machines were
> looking up hostnames in the cyworld.nate.com domain which is owned
> by a group in Korea. Here is a sample:
>
> IP 128.252.xx.xx.1222 > 128.252.120.1.53 :11648+
> A? cyimg.cyworld.nate.com. (40)
>
> IP 128.252.120.1.53 > 128.252.xx.xx.1222 :11648 1/2/2 A
> 211.115.10.219 (124)
>
> IP 128.252.xx.xx.1222 > 128.252.120.1.53 :15802+
> A? minihp.cyworld.nate.com. (41)
>
> IP 128.252.120.1.53 > 128.252.xx.xx.1222 :15802 7/2/2 A
> 211.115.10.215, A 211.115.11.22, A 211.115.11.221, A
> 211.115.11.245, A 211.115.11.249, A 211.115.11.252, A
> 211.115.10.199 (221)
>
> Here is the payload of one IRC NICK CHANGE, the others are all
> similar with slight variations:
>
> 128.252.xx.xx > 211.115.10.201 port 7000
>
> MODE ISIRCXIRCXNICK NI3141134527196407497USER 41134527CY 41134527CY
> 41134527CY 41134527CY
>
> _______________________________________________
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law
> enforcement upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
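
The triage step described in the thread (checking IRC alerts against the DNS query log before calling them a botnet) can be scripted. The following is an added example, not code from either poster: the function names, hostnames and addresses are constructed placeholders, and treating a destination in the same /24 as a resolved address as related is an assumption that gives the analyst a lead, not proof.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the tcpdump DNS format quoted in the thread; names
# and addresses are documentation placeholders, not data from the post.
DNS_LOG = """\
IP 192.0.2.10.1222 > 192.0.2.1.53: 11648+ A? img.chat.example. (40)
IP 192.0.2.1.53 > 192.0.2.10.1222: 11648 1/2/2 A 198.51.100.219 (124)
IP 192.0.2.10.1222 > 192.0.2.1.53: 15802+ A? home.chat.example. (41)
IP 192.0.2.1.53 > 192.0.2.10.1222: 15802 2/2/2 A 198.51.100.215, A 198.51.100.22 (221)
"""
# Constructed (client, IRC destination) pairs, as they would come from IDS alerts.
IRC_ALERTS = [("192.0.2.10", "198.51.100.201"), ("192.0.2.77", "203.0.113.5")]

# host.port > host.port, then the DNS id; tolerates "53: 1" and "53 :1" spacing.
LINE = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+)\s*:\s*(\d+)\+?\s+(.*)$")

def resolved_names(log):
    """Map each client to {answer_ip: queried_name}, pairing by DNS id."""
    pending, seen = {}, defaultdict(dict)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, txid, rest = m.groups()
        q = re.match(r"A\? (\S+?)\.? ", rest)
        if dport == "53" and q:                      # query: remember the name
            pending[(src, sport, txid)] = q.group(1)
        elif sport == "53":                          # response: attach A records
            name = pending.pop((dst, dport, txid), None)
            if name:
                for ip in re.findall(r"\bA (\d+\.\d+\.\d+\.\d+)", rest):
                    seen[dst][ip] = name
    return seen

def triage(alerts, seen):
    """Label each IRC alert by how it relates to names the client resolved."""
    out = []
    for client, dest in alerts:
        names = seen.get(client, {})
        net = ipaddress.ip_network(dest + "/24", strict=False)
        near = sorted({n for ip, n in names.items() if ipaddress.ip_address(ip) in net})
        if dest in names:
            out.append((client, dest, "resolved", [names[dest]]))
        elif near:
            out.append((client, dest, "same-/24", near))
        else:
            out.append((client, dest, "no-dns-context", []))
    return out
```

Alerts labelled `no-dns-context` are the ones worth a closer look first; the others come with a hostname to check against known software before escalating.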
