To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
On Wed, 15 Mar 2006, Brian Allen wrote:
> It does certainly appear to be legitimate traffic to a Korean Instant
> messaging service at nate.com, so I am just trying to contact some of
> the students in question to verify that is what they are doing. Since
> it is spring break here on campus it has been difficult to track them
> down. I expect them to verify this is legit, but if not, I will post a
> follow-up to this list.
>
> A couple things threw me off like the NICKs which were random strings of
> numbers like a bot, and our IDS alerted on this spike of IRC traffic in
> the middle of a semester, not unlike when we got hit with an omgitskp
> wave of infections. I hate to post erroneous info and waste people's
> time, but I'm glad this list is available so I could get feedback in a
> hurry.
Indeed. :)
Many web-based Java applet chat rooms also utilize IRC for the purpose of
chats. Usually they also have weird server keys.
Gadi.
>
> Thanks,
> -Brian
>
> -----Original Message-----
> From: Steven [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 15, 2006 6:03 AM
> To: John Draper
> Cc: Brian Allen; [email protected]
> Subject: Re: [botnets] botnet info
>
> Well apparently according to the post by Seth Hall -- these are legitimate
> servers used for a Korean chat service. There are a few games, chat services,
> and other things that also rely on IRC-based commands. With the number of
> servers in a row here I wouldn't be surprised if he is correct and that is
> what it is being used for. Perhaps Brian can packet capture a little more
> and make sure there aren't any suspicious commands being issued to them.
>
> Steven
>
>
> ----- Original Message -----
> From: "John Draper" <[EMAIL PROTECTED]>
> To: "Steven" <[EMAIL PROTECTED]>
> Cc: "Brian Allen" <[EMAIL PROTECTED]>; <[email protected]>
> Sent: Wednesday, March 15, 2006 3:40 AM
> Subject: Re: [botnets] botnet info
>
>
> > Steven wrote:
> >
> >> Yea it looks like you found a large network of infected machines and
> >> probably servers that run Microsoft Exchange Chat Service. This seems to
> >> be one of the alternatives that people use on Windows boxes. That is
> >> quite a few servers there though.. I thought they'd all link back to the
> >> same machine but they are apparently a lot of different servers.
> >> The info before PRIVMSG is the ident and the IP address of other
> >> machines.
> >
> > If these are external IP addresses, and they were at a University, then
> > I'm not in the least surprised that that many machines
> > are infected. I have to admit, that's a lot, but when you get students
> > walking from machine to machine, sticking in their
> > thumb drives, then anything can happen.
> >
> > John
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
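
Added example, not part of the original thread or any poster's code: a sketch of the follow-up check suggested in the thread (capture more traffic and look at which commands are issued), showing that numeric NICKs alone do not separate a chat service from bots. The sample lines, the addresses and the control-word pattern are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: (server, raw IRC line) pairs as pulled from a capture.
# Addresses are documentation ranges; none of this comes from the thread.
SAMPLE = [
    ("192.0.2.10", "NICK 48213377"),
    ("192.0.2.10", ":48213377!u@198.51.100.7 PRIVMSG #room :hello, are you there?"),
    ("192.0.2.10", "NICK 90314455"),
    ("192.0.2.10", ":90314455!u@198.51.100.8 PRIVMSG #room :see you after break"),
    ("203.0.113.5", "NICK 77120934"),
    ("203.0.113.5", ":op!o@203.0.113.5 TOPIC #x :.update 1"),
    ("203.0.113.5", ":op!o@203.0.113.5 PRIVMSG #x :.scan 445 100"),
]

# Assumed, illustrative control-word pattern; replace with your IDS signatures.
CONTROL = re.compile(r"^[.!](download|update|scan|login)\b", re.I)
LINE = re.compile(r"^(?::(?P<prefix>\S+) +)?(?P<cmd>[A-Za-z]+|\d{3})(?: +(?P<params>.*))?$")

def parse(raw):
    """Split one IRC line into (prefix, COMMAND, middle params, trailing text)."""
    m = LINE.match(raw.strip())
    if not m:
        return None
    params = m.group("params") or ""
    if params.startswith(":"):
        middle, trailing = "", params[1:]
    else:
        middle, _, trailing = params.partition(" :")
    return m.group("prefix"), m.group("cmd").upper(), middle.split(), trailing

def triage(records):
    """Per server: tally numeric NICKs and control-like PRIVMSG/TOPIC payloads."""
    stats = defaultdict(lambda: {"nicks": 0, "numeric_nicks": 0, "control": []})
    for server, raw in records:
        parsed = parse(raw)
        if parsed is None:
            continue  # not an IRC line (binary data, partial segment)
        _, cmd, middle, trailing = parsed
        entry = stats[server]
        if cmd == "NICK":
            nick = middle[0] if middle else trailing
            entry["nicks"] += 1
            entry["numeric_nicks"] += int(nick.isdigit())
        elif cmd in ("PRIVMSG", "TOPIC") and CONTROL.match(trailing):
            entry["control"].append(trailing)
    # Numeric nicks are only a hint; control-like payloads decide the verdict.
    return {srv: ("review" if e["control"] else "likely-chat", e)
            for srv, e in stats.items()}
```

Calling `triage(SAMPLE)` returns a verdict and the supporting counts per server, so a spike of numeric NICKs can be checked against what was actually sent in the channels.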