Re: [botnets] New Botnet or what

2006-10-10 Thread Thomas Raef
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--

From: John Holan [mailto:[EMAIL PROTECTED]
Sent: Thu 10/5/2006 3:43 PM
To: botnets@whitestar.linuxbox.org
Subject: [botnets] New Botnet or what

To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--
Hi
Killed a Trojan on a workstation that was constantly connecting to
66.197.216.149 on port 80
It uses filenames associated with Backdoor.Haxdoor but they are not
detected by any AV or Anti Spy ware software that I have tried.
Unfortunately I did not trap any of the traffic it generated only the
logs. And I am still analyzing them.
Any suggestions.

More info

192.168.10.119 Accessed URL
66.197.216.149:/Ffgj3dsw/bsrv.php?lang=ENU&pal=0&bay=0&gold=0&id=&param=16661&socksport=20454&httpport=21219&uptimem=51&uptimeh=62&uid=[5278947655522557439]&wm=0&ver=88(A)
--
66.197.216.149/Ffgj3dsw/bsrv.php?lang=ENU&pal=0&bay=0&gold=0&id=&param=16661&socksport=20454&httpport=21219&uptimem=51&uptimeh=62&uid=[5278947655522557439]&wm=0&ver=88(A)
-
John
IS Analyst
What AV did you test with? Just curious.
Thank you.


___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
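The URL John posted is a bot check-in: the query string carries the bot's SOCKS and HTTP proxy ports, its uptime, a per-host uid and a version number. When the binary itself is not detected, the proxy log is often the only place the infection shows up, so the practical defensive step is to search that log for the check-in pattern. The following is an added example, not code from the thread or from any tool mentioned in it. It assumes a constructed proxy log format of "date time client_ip method url" (the sample lines are made up for this example); the path `bsrv.php` and the parameter names `socksport`, `httpport`, `uptimem`, `uptimeh`, `uid` and `ver` are taken from the URL in the message above.

```python
"""Flag Haxdoor-style check-in requests in a web-proxy log.

Added example, not part of the original list thread. Log format
("date time client_ip method url") and all sample lines are constructed;
the beacon path and parameter names come from the URL posted to the list.
"""
from urllib.parse import parse_qs, urlsplit

# Parameter names that, taken together, characterise the check-in request.
BEACON_PARAMS = {"socksport", "httpport", "uptimem", "uptimeh", "uid", "ver"}

# Constructed sample log: two check-ins from the infected workstation,
# one unrelated request to the same shared host, one ordinary request.
SAMPLE_LOG = """\
2006-10-05 14:03:11 192.168.10.119 GET http://66.197.216.149/Ffgj3dsw/bsrv.php?lang=ENU&pal=0&bay=0&gold=0&id=&param=16661&socksport=20454&httpport=21219&uptimem=51&uptimeh=62&uid=[5278947655522557439]&wm=0&ver=88
2006-10-05 14:03:40 192.168.10.42 GET http://www.example.com/index.html
2006-10-05 14:08:11 192.168.10.119 GET http://66.197.216.149/Ffgj3dsw/bsrv.php?lang=ENU&pal=0&bay=0&gold=0&id=&param=16661&socksport=20454&httpport=21219&uptimem=56&uptimeh=62&uid=[5278947655522557439]&wm=0&ver=88
2006-10-05 14:09:02 192.168.10.77 GET http://66.197.216.149/~someuser/blog/
"""


def parse_line(line):
    """Split one log line into (timestamp, client_ip, url); None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    return f"{parts[0]} {parts[1]}", parts[2], parts[4]


def is_beacon(url):
    """True when the request targets bsrv.php with the full check-in parameter set.

    Requiring the whole set (not just the file name) keeps an ordinary visit
    to another site on the same shared host from being flagged.
    """
    parsed = urlsplit(url)
    if not parsed.path.lower().endswith("bsrv.php"):
        return False
    query = parse_qs(parsed.query, keep_blank_values=True)
    return BEACON_PARAMS.issubset(query)


def extract_beacon(url):
    """Pull the fields a responder wants from a matching check-in URL."""
    parsed = urlsplit(url)
    query = parse_qs(parsed.query, keep_blank_values=True)

    def first(key):
        return query.get(key, [""])[0]

    return {
        "c2_host": parsed.hostname,
        "path": parsed.path,
        "bot_uid": first("uid").strip("[]"),   # uid is bracketed in the log
        "socks_port": int(first("socksport")),
        "http_port": int(first("httpport")),
        "uptime_min": int(first("uptimem")),
        "version": first("ver"),
    }


def find_beacons(log_text):
    """Scan a proxy log and return one record per check-in request seen."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        timestamp, client, url = rec
        if is_beacon(url):
            hit = {"time": timestamp, "client": client}
            hit.update(extract_beacon(url))
            hits.append(hit)
    return hits


def infected_hosts(log_text):
    """Map each internal client that checked in to its number of check-ins."""
    counts = {}
    for hit in find_beacons(log_text):
        counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
    print(infected_hosts(SAMPLE_LOG))
```

The uid and the two proxy ports are the values worth keeping in the incident record: the uid ties repeated check-ins to one machine even if its address changes, and the ports tell you what the bot would have been listening on so host-based checks can confirm the infection.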


Re: [botnets] New Botnet or what

2006-10-10 Thread bf
Hello John,
 The target IP looks to be a webserver (obviously), probably a shared
hosting setup as there is a CPanel interface there. Chances are
someone's virtual host got cracked and is being used for nefarious
purposes.

I recommend contacting the owner of that IP at:
###
OrgName:Network Operations Center Inc.
OrgID:  NOC
Address:PO Box 591
City:   Scranton
StateProv:  PA
PostalCode: 18501-0591
Country:US
Comment:Abuse Dept: [EMAIL PROTECTED]
RegDate:2001-04-04
Updated:2003-08-06

AdminHandle: SMA4-ARIN
AdminName:   Arcus, S. Matthew
AdminPhone:  +1-570-343-8551
AdminEmail:  [EMAIL PROTECTED]
##

If you have the malware files you can run them through "Virus Total"
and "Norman Sandbox" to see what they contain.

enjoy,
bf


On 10/5/06, John Holan <[EMAIL PROTECTED]> wrote:
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> --
> Hi
> Killed a Trojan on a workstation that was constantly connecting to
> 66.197.216.149 on port 80
> It uses filenames associated with Backdoor.Haxdoor but they are not
> detected by any AV or Anti Spy ware software that I have tried.
> Unfortunately I did not trap any of the traffic it generated only the
> logs. And I am still analyzing them.
> Any suggestions.
>
> More info
>
> 192.168.10.119 Accessed URL
> 66.197.216.149:/Ffgj3dsw/bsrv.php?lang=ENU&pal=0&bay=0&gold=0&id=&pa
> ram=16661&socksport=20454&httpport=21219&uptimem=51&uptimeh=62&uid=[5278
> 947655522557439]&wm=0&ver=88(A)
> --
> 66.197.216.149/Ffgj3dsw/bsrv.php?
> lang=ENU&
> pal=0&
> bay=0&
> gold=0&
> id=&
> param=16661&
> socksport=20454&
> httpport=21219&
> uptimem=51&
> uptimeh=62&
> uid=[5278947655522557439]&
> wm=0&
> ver=88(A)
> -
>
> John
> IS Analyst
>
> ___
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement 
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
>


Re: [botnets] New Botnet or what

2006-10-10 Thread John Holan
Hi
Already taken care of.
I also reported / sent the files to the different AV companies and so
on.
The web server does not respond like it did before, so it indicates
that the service for it is dead. What is amazing though for me is the
difference in response from the different AV companies.
Thanks for all the responses I have got.

 
John Holan
 
IS Analyst
ASTAC
Phone # (907)563-3989
Fax # (907)563-1932
 

-Original Message-
From: bf [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 10, 2006 9:15 AM
To: John Holan
Cc: botnets@whitestar.linuxbox.org
Subject: Re: [botnets] New Botnet or what

Hello John,
 The target IP looks to be a webserver (obviously), probably a shared
hosting setup as there is a CPanel interface there. Chances are
someone's virtual host got cracked and is being used for nefarious
purposes.

I recommend contacting the owner of that IP at:
###
OrgName:Network Operations Center Inc.
OrgID:  NOC
Address:PO Box 591
City:   Scranton
StateProv:  PA
PostalCode: 18501-0591
Country:US
Comment:Abuse Dept: [EMAIL PROTECTED]
RegDate:2001-04-04
Updated:2003-08-06

AdminHandle: SMA4-ARIN
AdminName:   Arcus, S. Matthew
AdminPhone:  +1-570-343-8551
AdminEmail:  [EMAIL PROTECTED]
##

If you have the malware files you can run them through "Virus Total"
and "Norman Sandbox" to see what they contain.

enjoy,
bf


On 10/5/06, John Holan <[EMAIL PROTECTED]> wrote:
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> --
> Hi
> Killed a Trojan on a workstation that was constantly connecting to
> 66.197.216.149 on port 80
> It uses filenames associated with Backdoor.Haxdoor but they are not
> detected by any AV or Anti Spy ware software that I have tried.
> Unfortunately I did not trap any of the traffic it generated only the
> logs. And I am still analyzing them.
> Any suggestions.
>
> More info
>
> 192.168.10.119 Accessed URL
> 66.197.216.149:/Ffgj3dsw/bsrv.php?lang=ENU&pal=0&bay=0&gold=0&id=&pa
> ram=16661&socksport=20454&httpport=21219&uptimem=51&uptimeh=62&uid=[5278
> 947655522557439]&wm=0&ver=88(A)
> --
> 66.197.216.149/Ffgj3dsw/bsrv.php?
> lang=ENU&
> pal=0&
> bay=0&
> gold=0&
> id=&
> param=16661&
> socksport=20454&
> httpport=21219&
> uptimem=51&
> uptimeh=62&
> uid=[5278947655522557439]&
> wm=0&
> ver=88(A)
> -
>
> John
> IS Analyst
>
> ___
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law
> enforcement upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
>



Re: [botnets] New Botnet or what

2006-10-11 Thread John Holan
Symantec was my first one to try on the file; I ran it through several at 
www.virustotal.com where I also left the file for distribution.
Symantec has still not included it in its AV definitions, even though it is more than 
24 hours since I sent it to them.
McAfee has the file listed since 5-23-06, so it is the same old story that the 
more secure the systems have become, the fewer reports go to the AV vendors.
I think they need to get a little more aggressive themselves in using honeypots 
and so on.


John

IS Analyst

-Original Message-
From: Thomas Raef [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 09, 2006 4:06 AM
To: John Holan; botnets@whitestar.linuxbox.org
Subject: Re: [botnets] New Botnet or what

 


From: John Holan [mailto:[EMAIL PROTECTED]
Sent: Thu 10/5/2006 3:43 PM
To: botnets@whitestar.linuxbox.org
Subject: [botnets] New Botnet or what
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--
Hi
Killed a Trojan on a workstation that was constantly connecting to
66.197.216.149 on port 80
It uses filenames associated with Backdoor.Haxdoor but they are not
detected by any AV or Anti Spy ware software that I have tried.
Unfortunately I did not trap any of the traffic it generated only the
logs. And I am still analyzing them.
Any suggestions.

More info

192.168.10.119 Accessed URL
66.197.216.149:/Ffgj3dsw/bsrv.php?lang=ENU&pal=0&bay=0&gold=0&id=&pa
ram=16661&socksport=20454&httpport=21219&uptimem=51&uptimeh=62&uid=[5278
947655522557439]&wm=0&ver=88(A)
--
66.197.216.149/Ffgj3dsw/bsrv.php?
lang=ENU&
pal=0&
bay=0&
gold=0&
id=&
param=16661&
socksport=20454&
httpport=21219&
uptimem=51&
uptimeh=62&
uid=[5278947655522557439]&
wm=0&
ver=88(A)
-

John
IS Analyst
What AV did you test with? Just curious.
Thank you.