To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

It does certainly appear to be legitimate traffic to a Korean Instant messaging service at nate.com, so I am just trying to contact some of the students in question to verify that is what they are doing. Since it is spring break here on campus it has been difficult to track them down. I expect them to verify this is legit, but if not, I will post a follow-up to this list.

A couple things threw me off like the NICKs which were random strings of numbers like a bot, and our IDS alerted on this spike of IRC traffic in the middle of a semester, not unlike when we got hit with an omgitskp wave of infections. I hate to post erroneous info and waste people's time, but I'm glad this list is available so I could get feedback in a hurry.

Thanks,
-Brian

-----Original Message-----
From: Steven [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 15, 2006 6:03 AM
To: John Draper
Cc: Brian Allen; [email protected]
Subject: Re: [botnets] botnet info

Well apparently according to the post by Seth Hall -- these are legitimate servers used for a Korean chat service. There's a few games, chat services, and other things that also rely on IRC based commands. With the number of servers in a row here I wouldn't be surprised if he is correct and that is what it is being used for. Perhaps Brian can packet capture a little more and make sure there aren't any suspicious commands being issued to them.

Steven

----- Original Message -----
From: "John Draper" <[EMAIL PROTECTED]>
To: "Steven" <[EMAIL PROTECTED]>
Cc: "Brian Allen" <[EMAIL PROTECTED]>; <[email protected]>
Sent: Wednesday, March 15, 2006 3:40 AM
Subject: Re: [botnets] botnet info

> Steven wrote:
>
>> Yea it looks like you found a large network of infected machines and
>> probably servers that run Microsoft Exchange Chat Service. This seems to
>> be one of the alternatives that people use on Windows boxes. That is
>> quite a few servers there though.. I thought they'd all link back to the
>> same machine but they are apparently a lot of different servers.
>> The info before PRIVMSG is the ident and the IP address of other
>> machines.
>
> If these are external IP addresses, and they were at a University, then
> I'm not in the least surprised that that many machines
> are infected. I have to admit, that's a lot, but when you get students
> walking from machine to machine, sticking in their
> Thumb drives, then anything can happen.
>
> John

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
