To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Just tracked this one on an infected local host and coaxed it into replaying a login. The C&C IP has been around a couple of lists, but I haven't seen references to this particular controller, which is certainly not your typical IRCd.
Contact me if you want pcaps. I haven't gotten ahold of the client binary and probably won't unless they bring it in.

Jeff

> CON :*** DAUM CAFE
> LOGIN cbandBUZZ sNy]78bPuvm89g__ W
> REGUSER 25qP8MBHAfiJ90l3R4sgxIA3g0Qlf9r4FLx5c0 0 * :
> :1.21 001 cbandBUZZ_1258967^WsNy]78bPuvm89g__ :Welcome to the Daum Internet
> Relay Chat Network cbandBUZZ_1258967^WsNy]78bPuvm89g__
> :cbandBUZZ_1258967^WsNy]78bPuvm89g__ MODE cbandBUZZ_1258967^WsNy]78bPuvm89g__
> :+i
> JOIN #cbandBUZZ
> :[EMAIL PROTECTED] JOIN :#cbandBUZZ000240
> :1.21 353 cbandBUZZ_1258967^WsNy]78bPuvm89g__ = #cbandBUZZ000240
> :cbandBUZZ_1258967^WsNy]78bPuvm89g__~25qP8MBHAfiJ90l3R4sgxIA3g0Qlf9r4FLx5c0
> cbandBUZZ_1258963^Wv[THx6S7~25BzADBgE-R650HdWm97nYzkM0YUiXLKHFe8U0
> cbandBUZZ_1258957^Wa3VzaHV6eg__~25NJ_TnQe1rtw06lIUOi5Vzzo0LnS5hP6Jzkg0
> cbandBUZZ_1258946^WsObIxri4u[e2[8fYor4_~25kcH2.gSU4NU0DTnj1exySS509b8Szfw.BR10
> cbandBUZZ_1258942^WvtPFu7y6yPGh2Q__~25Xj2DJonLfBE0ODXmRPThEKA0ZRRmJ_1zmhA0
> :1.21 353 cbandBUZZ_1258967^WsNy]78bPuvm89g__ = #cbandBUZZ000240
> :cbandBUZZ_1258921^Ws9e59r[jtfkuLrn2we4uLg__~25z4VpGqRI8RU0pbvBRuTRhKA0fV4ssL_W48g0
>
> cbandBUZZ_1258844^WtOvH0LChvK259sHuuLizry4u~254nbBtHoLU8A0-yJcI9-Hax1019DSVRCLaf90
> cbandBUZZ_1258832^WsObIxLOqueS5rMDa~251f_JfxNK-oU0RRkH2hkluyM0Dv9FrlfBkEA0
> cbandBUZZ_1258805^WYXp1a2k_~25g5EKYja9hOE0lVYOzr9JKjw0XWXgdrDXiK50
> cbandBUZZ_1258756^WQ2hpX0I_~25Np4mzY_fIYA0JDWTsBgS3J90ZUlruQTgtlk0 [...etc...]
> :1.21 366 cbandBUZZ_1258967^WsNy]78bPuvm89g__ #cbandBUZZ000240 :End of /NAMES
> list.
> :[EMAIL PROTECTED] JOIN :#cbandBUZZ000240
> :[EMAIL PROTECTED] JOIN :#cbandBUZZ000240
> :[EMAIL PROTECTED] QUIT :Remote host closed the connection [...etc...]

Jeff
_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
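
Added example, not part of the original post or of any tool its author used: a small Python check that parses IRC-framed lines and reports what makes the session above stand out, namely verbs outside RFC 2812 and a 001 welcome issued without a NICK/USER registration. The function names, the result keys and the rule that unprefixed lines are client-sent are assumptions of this sketch; the post does not mark traffic direction.

```python
import re

# Verbs defined by RFC 2812; anything else on the wire is a non-standard command.
RFC2812 = set("""PASS NICK USER OPER MODE SERVICE QUIT SQUIT JOIN PART TOPIC NAMES
LIST INVITE KICK PRIVMSG NOTICE MOTD LUSERS VERSION STATS LINKS TIME CONNECT TRACE
ADMIN INFO SERVLIST SQUERY WHO WHOIS WHOWAS KILL PING PONG ERROR AWAY REHASH DIE
RESTART SUMMON USERS WALLOPS USERHOST ISON""".split())
MSG = re.compile(r"^(?::(?P<prefix>\S+) +)?(?P<cmd>[A-Za-z]+|\d{3})(?: +(?P<rest>.*))?$")

def parse(line):
    """Split one IRC line into (prefix, command, params); None if it is not IRC-framed."""
    m = MSG.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rest = m.group("rest") or ""
    if rest.startswith(":"):            # the only parameter is the trailing one
        head, trailing = "", rest[1:]
    elif " :" in rest:                  # middle parameters, then a trailing one
        head, trailing = rest.split(" :", 1)
    else:
        head, trailing = rest, None
    params = head.split() + ([trailing] if trailing is not None else [])
    return m.group("prefix"), m.group("cmd").upper(), params

def analyze(lines):
    """Report non-RFC verbs and a 001 welcome that arrives without NICK/USER."""
    unprefixed, unknown, odd_welcome = set(), [], False
    for line in lines:
        msg = parse(line)
        if msg is None:
            continue
        prefix, cmd, _ = msg
        if cmd == "001":
            odd_welcome = odd_welcome or not {"NICK", "USER"} <= unprefixed
        elif not cmd.isdigit():
            if prefix is None:          # assumption: unprefixed lines are client-sent
                unprefixed.add(cmd)
            if cmd not in RFC2812 and cmd not in unknown:
                unknown.append(cmd)
    return {"unknown_verbs": unknown, "welcome_without_nick_user": odd_welcome}

# Lines taken from the capture in the post (mail wrapping rejoined, NAMES replies omitted).
CAPTURE = [
    "CON :*** DAUM CAFE", "LOGIN cbandBUZZ sNy]78bPuvm89g__ W",
    "REGUSER 25qP8MBHAfiJ90l3R4sgxIA3g0Qlf9r4FLx5c0 0 * :",
    ":1.21 001 cbandBUZZ_1258967^WsNy]78bPuvm89g__ :Welcome to the Daum Internet Relay Chat Network cbandBUZZ_1258967^WsNy]78bPuvm89g__",
    "JOIN #cbandBUZZ",
]
# Constructed baseline: an ordinary RFC 2812 registration, for contrast.
BASELINE = ["NICK alice", "USER alice 0 * :Alice", ":irc.example.net 001 alice :Welcome"]
```

Calling analyze(CAPTURE) flags CON, LOGIN and REGUSER plus the unregistered welcome, while analyze(BASELINE) comes back clean.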
