To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Brian Allen wrote:
> Snort alerts show four machines on campus connecting to all of these IPs
> for IRC:
> 66.45.234.200
> 62.132.1.219
> 66.29.10.155
> 63.243.152.31
>
> The five destination ports range from:
> 6666-7000
>
> Each machine keeps the same NICK every time:
> NICK [Niger]-029
> NICK [Niger]-015
> NICK [Niger]-017
> NICK [N]-487
>
> I have one IRC JOIN alert:
> JOIN #ISOCORE
> JOIN #BOTLESS Leetz-R-Uz
>
> I have one IRC message alert. Here is the payload:
> :[EMAIL PROTECTED] PRIVMSG [Niger]-015 :.VERSION.
>
> DNS queries for one of the machines showed it querying these two
> hostnames around the same time as its Snort IRC alerts, and some of these
> IPs match the ones above:
>
> IP 128.252.42.76.2713 > 128.252.43.226.53: 1372+ A? irc.darkdreamz.com. (36)
> IP 128.252.43.226.53 > 128.252.42.76.2713: 1372 8/4/4 A 69.50.188.94, A 82.165.190.181, A 82.165.238.210, A 83.149.98.69, A 62.132.1.219, A 66.29.10.155, A 66.45.234.200, A 69.22.163.105 (312)
>
> IP 128.252.42.76.2712 > 128.252.43.226.53: 1415+ A? irc.isocore.biz. (33)
> IP 128.252.43.226.53 > 128.252.42.76.2712: 1415 8/4/4 A 66.45.234.200, A 66.111.228.230, A 66.207.105.27, A 69.22.163.105, A 69.50.188.94, A 206.53.61.158, A 62.132.1.219, A 64.34.45.114 (309)
>
> A Google search on these two hostnames, irc.darkdreamz.com and
> irc.isocore.biz, only turned up a few hits, but they seemed to be
> related to filesharing. How can I tell if this is a few students trying
> to get music, games, etc. or if these are bots connecting to a C&C?

Do you have access to anyone in the IT department? If they have access to the machines on campus, and there is some centralized record of IP assignments, I'm sure the student could be fingered... Ahhh yes!!! "Finger" - now that brings back old memories... not to diverge from the subject, but that is ONE feature people would rather forget...
:-)
John
_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
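The indicators Brian quotes (several hosts using nicks of the form `[tag]-NNN`, and a CTCP `VERSION` probe addressed to one of them) are the kind of thing a campus IDS team can triage mechanically. The following is an added example, not code from the thread or the list: it runs two heuristics over constructed IRC events modelled on the quoted Snort alerts (the host addresses, the `triage_irc_hosts` name and the `host.invalid` sender are assumptions).

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the alerts quoted in the thread:
# (source host, decoded IRC line). Not real captures.
SAMPLE_EVENTS = [
    ("10.0.0.11", "NICK [Niger]-029"),
    ("10.0.0.12", "NICK [Niger]-015"),
    ("10.0.0.13", "NICK [Niger]-017"),
    ("10.0.0.14", "NICK [N]-487"),
    ("10.0.0.11", "JOIN #ISOCORE"),
    ("10.0.0.12", "JOIN #BOTLESS Leetz-R-Uz"),
    ("10.0.0.12", ":op!op@host.invalid PRIVMSG [Niger]-015 :.VERSION."),
    ("10.0.0.50", "NICK alice"),          # an ordinary human IRC user
    ("10.0.0.50", "JOIN #music"),
]

# Templated nick: bracketed tag, dash, counter (e.g. "[Niger]-029").
TEMPLATE_NICK = re.compile(r"^NICK\s+(\[[^\]]+\])-(\d+)\s*$")
# CTCP VERSION probe. Snort prints the 0x01 delimiters as dots, so accept both.
CTCP_VERSION = re.compile(r"PRIVMSG\s+(\S+)\s+:[\x01.]VERSION[\x01.]", re.IGNORECASE)


def triage_irc_hosts(events):
    """Return {host: sorted indicator strings} for hosts that look bot-like.

    Heuristics taken from the thread: a counter-style nick on its own is a
    weak signal; the same nick template on several hosts is a strong one
    (bots name themselves from a template); a CTCP VERSION probe sent to
    such a nick is how an operator enumerates its clients. Hosts with no
    indicator are omitted."""
    template_hosts = defaultdict(set)   # "[Niger]" -> {hosts using that tag}
    nick_owner = {}                     # full nick -> host that set it
    findings = defaultdict(set)
    for host, line in events:
        m = TEMPLATE_NICK.match(line)
        if m:
            template_hosts[m.group(1)].add(host)
            nick_owner[f"{m.group(1)}-{m.group(2)}"] = host
            findings[host].add("counter-style nick")
    for tag, hosts in template_hosts.items():
        if len(hosts) >= 2:             # one host alone may just be a quirky human
            for host in hosts:
                findings[host].add(f"shared nick template {tag}-NNN ({len(hosts)} hosts)")
    for host, line in events:
        m = CTCP_VERSION.search(line)
        if m and m.group(1) in nick_owner:
            findings[nick_owner[m.group(1)]].add("received CTCP VERSION probe")
    return {host: sorted(inds) for host, inds in findings.items()}
```

On the sample data the three `[Niger]` hosts and the `[N]-487` host are flagged while `alice` is not; in practice the flagged hosts are the ones to cross-reference against the DHCP or NAC assignment records John mentions.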
