[nsp] Botnet on 195.30.51.250:11026

Gert Doering gert at greenie.muc.de
Mon Jun 2 15:08:30 EDT 2003


Hi,

as far as I can see, one of our customers' machines was compromised and
an IRC (?) server was installed.  

We noticed that the machine was doing "strange" things, and took it off
the network - still, *thousands* of connection requests to TCP port 11026
came in (over 35.000 today already):

Jun  1 23:50:16 Cisco-M-IV 170453: Jun  1 21:50:15: %SEC-6-IPACCESSLOGP: list fr5out denied tcp 80.179.165.1(4245) -> 195.30.51.250(11026), 1 packet
Jun  1 23:50:18 Cisco-M-IV 170454: Jun  1 21:50:17: %SEC-6-IPACCESSLOGP: list fr5out denied tcp 211.21.74.157(3284) -> 195.30.51.250(11026), 1 packet
Jun  1 23:50:19 Cisco-M-IV 170455: Jun  1 21:50:18: %SEC-6-IPACCESSLOGP: list fr5out denied tcp 207.182.249.150(18779) -> 195.30.51.250(11026), 1 packet
(and so on)

Since it didn't stop two days after disconnecting the machine, I 
routed that IP to a different host and did some "nc"'ing, to see what
kind of traffic it is:

gert at fourier2:$ nc -p 11026 -l 
NICK sltnlvd
USER tkncn "tkncn.net" "195.30.51.250" :plq
join #europe
join #europe
join #europe
join #europe
join #europe
join #europe
join #europe
^C punt!
gert at fourier2:$ nc -p 11026 -l
NICK cojtf
USER yetu "yetu.net" "195.30.51.250" :eor
join #europe
^C punt!
gert at fourier2:$ nc -p 11026 -l
NICK fnsot
USER ehw "ehw.net" "195.30.51.250" :xbl
join #europe
join #europe
join #europe
join #europe
join #europe
^C punt!
gert at fourier2:$ nc -p 11026 -l
NICK pivdimswex
USER wjdxqe "wjdxqe.net" "195.30.51.250" :ajd
join #europe
join #europe
^C punt!
gert at fourier2:$ nc -p 11026 -l
NICK tiiguo
USER pxdm "pxdm.net" "195.30.51.250" :wqc
join #europe
join #europe
^C punt!

I don't understand the IRC protocol well enough to be sure that it is IRC,
but it looks like it - correct me if I'm wrong.

In any case: if you have flows to 195.30.51.250, TCP port 11026, you have
a bot.  This machine is offline, and even if it were online, it would only
be a client machine, NO server ports.

I have attached a list of hosts that have tried to connect to this machine
over the last two hours, sorted by IP address, with the number of
connection attempts (1st column).  No AS lookups yet (sorry).

As you can see, it's not a long list, but as they are connecting like
crazy, I'd appreciate it if you could fix your customer's machines...

gert

PS: Rob, if you feel that it might help people to find compromised
clients, feel free to bogon-announce that IP as /32.  To close down
the botnet, it's not necessary, as the machine is already gone.

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de
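An added example, not part of Gert's post: a small Python script that tallies denied connection attempts per source address from Cisco ACL log lines in the format quoted above (the way the attached count list would be produced), and checks whether a captured payload has the NICK/USER/JOIN shape seen in the nc sessions. The log lines and the payload below are constructed to mirror the post's format.

```python
import re
from collections import Counter

# Pattern for the Cisco IOS ACL deny messages quoted in the post; it captures
# the source/destination address and port of each denied connection attempt.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ denied tcp "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\)"
)

def count_sources(log_lines, dst_ip, dst_port):
    """Count denied attempts per source IP towards dst_ip:dst_port.
    Lines that do not match, or that aim at another target, are ignored."""
    hits = Counter()
    for line in log_lines:
        m = ACL_RE.search(line)
        if m and m.group("dst") == dst_ip and int(m.group("dport")) == dst_port:
            hits[m.group("src")] += 1
    return hits

def looks_like_irc_bot(payload):
    """True when a captured payload is an IRC client registration (NICK, USER)
    followed by at least one JOIN, the shape of the nc captures in the post."""
    lines = [l.strip() for l in payload.splitlines() if l.strip()]
    cmds = [l.split(None, 1)[0].upper() for l in lines]
    return len(cmds) >= 3 and cmds[:2] == ["NICK", "USER"] and "JOIN" in cmds[2:]

# Constructed sample input in the format quoted in the post (the last line
# targets a different port and must not be counted).
SAMPLE_LOG = [
    "Jun  1 23:50:16 Cisco-M-IV 170453: Jun  1 21:50:15: %SEC-6-IPACCESSLOGP: "
    "list fr5out denied tcp 80.179.165.1(4245) -> 195.30.51.250(11026), 1 packet",
    "Jun  1 23:50:18 Cisco-M-IV 170454: Jun  1 21:50:17: %SEC-6-IPACCESSLOGP: "
    "list fr5out denied tcp 211.21.74.157(3284) -> 195.30.51.250(11026), 1 packet",
    "Jun  1 23:50:19 Cisco-M-IV 170455: Jun  1 21:50:18: %SEC-6-IPACCESSLOGP: "
    "list fr5out denied tcp 211.21.74.157(3285) -> 195.30.51.250(11026), 1 packet",
    "Jun  1 23:50:20 Cisco-M-IV 170456: Jun  1 21:50:19: %SEC-6-IPACCESSLOGP: "
    "list fr5out denied tcp 80.179.165.1(4300) -> 195.30.51.250(80), 1 packet",
]
# Constructed payload mirroring the first nc capture in the post.
SAMPLE_PAYLOAD = 'NICK sltnlvd\r\nUSER tkncn "tkncn.net" "195.30.51.250" :plq\r\njoin #europe\r\n'

if __name__ == "__main__":
    for src, n in count_sources(SAMPLE_LOG, "195.30.51.250", 11026).most_common():
        print(f"{n:5d} {src}")
    print("IRC bot handshake:", looks_like_irc_bot(SAMPLE_PAYLOAD))
```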