[AusNOG] Botnet C&Cs at AS2907, AS7066, AS9929, AS4134, AS3786, AS29550, AS33651, AS39582 (AUSCERT#2007722cb)
matthew at auscert.org.au
Thu Apr 5 16:29:18 EST 2007
Greetings AusNOG,
* Please let me know if this sort of information is useful / appropriate
for the list *
We've had a report of some bot-compromised hosts connecting to C&Cs on
port 8080 on:
AS | IP | AS Name
2907 | 133.46.244.25 | ERX-SINET-AS National Center for Science Information Systems
7066 | 208.29.54.102 | NETWORK-VIRGINIA-AS - Network Virginia
9929 | 210.83.210.252 | CNCNET-CN China Netcom Corp.
4134 | 211.148.154.130 | CHINANET-BACKBONE No.31,Jin-rong Street
3786 | 211.43.206.127 | LGDACOM LG DACOM Corporation
29550 | 217.112.95.162 | EUROCONNEX-AS Euroconnex Networks LLP
33651 | 69.181.7.244 | DNEO-OSP7 - Comcast Cable Communications, Inc.
39582 | 89.106.24.99 | GRID Grid Bilisim Teknolojileri A.S.
It may well be worth looking for flows to these IPs. Some details to
support this (sorry if it wraps badly), with data in order of oldest to latest:
channels with per host stats:

channel
ip_src           tmsg  tjoin  tping  tpong  tprivmsg  maxchans  maxworm  Server?  sport/dport  first_ts
#wkd
133.46.244.25    6760  0      3015   3164   581       1         57       S        8080/1092    Tue_Apr__3_00:03:33_EST_2007.irc.txt
208.29.54.102    71    0      27     29     15        1         25       S        8080/1225    Tue_Apr__3_15:25:33_EST_2007.irc.txt
210.83.210.252   65    0      32     27     6         1         50       S        8080/1175    Tue_Apr__3_15:43:34_EST_2007.irc.txt
211.148.154.130  410   0      187    184    39        1         50       S        8080/1723    Tue_Apr__3_13:56:03_EST_2007.irc.txt
217.112.95.162   2455  0      1097   1010   348       1         50       S        8080/1075    Tue_Apr__3_03:06:33_EST_2007.irc.txt
69.181.7.244     79    0      39     34     6         1         6        S        8080/1853    Tue_Apr__3_02:28:35_EST_2007.irc.txt
89.106.24.99     112   0      57     41     14        1         50       S        8080/1194    Tue_Apr__3_14:17:03_EST_2007.irc.txt
#wkd
133.46.244.25    7063  0      3257   3376   430       1         55       S        8080/2007    Wed_Apr__4_00:00:35_EST_2007.irc.txt
211.43.206.127   920   0      465    421    34        1         50       S        8080/1185    Wed_Apr__4_07:11:33_EST_2007.irc.txt
217.112.95.162   3428  0      1694   1609   125       1         66       S        8080/1120    Wed_Apr__4_00:57:02_EST_2007.irc.txt
#afx
133.46.244.25    447   0      199    246    2         1         66       S        8080/1174    Thu_Apr__5_03:40:01_EST_2007.irc.txt
208.29.54.102    171   8      81     82     0         1         0        S        8080/1039    Thu_Apr__5_00:16:33_EST_2007.irc.txt
210.83.210.252   33    0      18     13     2         1         7        S        8080/1500    Thu_Apr__5_10:11:32_EST_2007.irc.txt
89.106.24.99     112   0      48     47     17        1         36       S        8080/1211    Thu_Apr__5_10:08:01_EST_2007.irc.txt
#atw
89.106.24.99     112   0      48     47     17        1         36       S        8080/1211    Thu_Apr__5_10:31:34_EST_2007.irc.txt
At least 69.181.7.244 and 211.43.206.127 have quite an interesting past:
x.anti-viral.us has address 69.181.7.244
x.anti-viral.us has address 211.43.206.127
is.wayne.brady.gonna.have.to.chokeabitch.us has address 69.181.7.244
is.wayne.brady.gonna.have.to.chokeabitch.us has address 211.43.206.127
x.rofflewaffles.us has address 69.181.7.244
x.rofflewaffles.us has address 211.43.206.127
Hope this helps,
-- Matthew McGlashan --
Coordination Centre Team Leader | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct: +61 7 3365 7924
(AusCERT) | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert at auscert.org.au
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
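A flow check for the indicators in the notice above, added here as an example and not part of the original post or AusCERT's tooling: it parses the "AS | IP | AS Name" table and reports local hosts that exchanged TCP flows with a listed C&C on port 8080. The flow record format (src_ip,src_port,dst_ip,dst_port,proto) and the sample records are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# C&C indicator table as posted in the notice (AS | IP | AS Name); C&C port 8080.
CNC_TABLE = """\
2907 | 133.46.244.25 | ERX-SINET-AS National Center for Science Information Systems
7066 | 208.29.54.102 | NETWORK-VIRGINIA-AS - Network Virginia
9929 | 210.83.210.252 | CNCNET-CN China Netcom Corp.
4134 | 211.148.154.130 | CHINANET-BACKBONE No.31,Jin-rong Street
3786 | 211.43.206.127 | LGDACOM LG DACOM Corporation
29550 | 217.112.95.162 | EUROCONNEX-AS Euroconnex Networks LLP
33651 | 69.181.7.244 | DNEO-OSP7 - Comcast Cable Communications, Inc.
39582 | 89.106.24.99 | GRID Grid Bilisim Teknolojileri A.S.
"""
CNC_PORT = 8080

# Constructed sample flow records (src_ip,src_port,dst_ip,dst_port,proto); the
# format is an assumption for this example, not data from the notice.
SAMPLE_FLOWS = """\
10.1.2.3,1092,133.46.244.25,8080,tcp
10.1.2.3,1093,133.46.244.25,8080,tcp
133.46.244.25,8080,10.1.2.3,1092,tcp
10.1.2.3,443,203.0.113.10,443,tcp
10.1.9.9,1120,217.112.95.162,8080,tcp
10.1.9.9,1121,217.112.95.162,80,tcp
"""

def parse_indicators(table):
    """Return {ip: (asn, as_name)} from the 'AS | IP | AS Name' layout."""
    out = {}
    for line in table.strip().splitlines():
        asn, ip, name = (part.strip() for part in line.split("|", 2))
        out[ip_address(ip).exploded] = (int(asn), name)  # normalises the IP text
    return out

def find_cnc_flows(flow_text, indicators, port=CNC_PORT):
    """Map each local host to the listed C&C IPs it talked to on the C&C port.
    Flow records are unidirectional, so the C&C's reply direction is matched
    too (src is the C&C and sport is the C&C port)."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in flow_text.strip().splitlines():
        src, sport, dst, dport, proto = line.split(",")
        if proto.lower() != "tcp":
            continue
        if dst in indicators and int(dport) == port:
            hits[src][dst] += 1
        elif src in indicators and int(sport) == port:
            hits[dst][src] += 1
    return {host: dict(cncs) for host, cncs in hits.items()}

if __name__ == "__main__":
    print(find_cnc_flows(SAMPLE_FLOWS, parse_indicators(CNC_TABLE)))
```

Contacts with a listed IP on other ports (the port 80 record in the sample) are deliberately not counted, since the notice only ties these hosts to C&C traffic on 8080; they may still be worth a second look.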