[nsp-sec] 66.139.78.164 = C&C?
Chris Calvert
Chris.Calvert at telus.com
Mon Apr 14 10:53:18 EDT 2008
Can anyone confirm seeing botnet C&C traffic for this host?
It shows up on a quick google as being on shun/block lists (some now, some previous to today), and on the Cymru ddos-rsv2.txt list.
http://www.emergingthreats.net/rules/bleeding-botcc.rules
alert ip $HOME_NET any -> [64.86.25.248,64.89.27.36,65.110.62.93,65.111.168.18,65.23.153.98,65.23.154.122,65.23.154.67,65.23.156.37,65.40.27.109,66.111.35.104,66.111.36.61,66.111.37.204,66.128.48.195,66.139.78.164,66.160.135.21,66.165.177.88,66.186.60.230,66.186.63.188,66.187.148.247,66.195.252.5,66.197.241.19,66.198.80.67,66.207.164.29,66.212.28.20,66.220.1.52,66.220.1.66,66.225.200.20,66.225.200.30,66.225.200.81,66.225.200.93,66.225.223.109,66.225.223.112,66.225.223.115,66.225.223.52,66.225.223.70,66.225.225.225,66.225.225.66,66.226.22.45,66.235.214.116,66.240.234.77,66.246.149.4,66.249.137.137,66.252.1.109,66.252.1.112,66.252.1.203,66.252.1.210,66.252.1.222,66.252.10.100,66.252.10.213,66.252.10.217,66.252.10.234,66.252.11.76,66.252.11.9,66.252.12.48,66.252.12.51,66.252.12.52,66.252.12.53,66.252.12.54,66.252.13.152,66.252.13.153] any (msg:"ET DROP Known Bot C&C Server Traffic (group 11) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404010; rev:1131;)
https://www.cymru.com/nsp-sec/DDoS-RS/ddos-rsv2.txt
13768 | PEER1 - Peer 1 Network Inc. | 66.139.78.164 | tcp | 9798 | 2008-04-09 21:56:58 | 2008-04-17 21:56:58 | bot | 0 | 0 | ID: DNSRR: secure.freebsd.la SERVPASS: su1c1d3
_____________________________________________________
Chris Calvert
Network Security and OSS | TELUS Network Operations
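As an added example (not part of the post above, and not Emerging Threats or Team Cymru tooling), a small Python check that takes the quoted bleeding-botcc rule and the quoted DDoS-RS v2 record and reports whether a given host appears in either. Both inputs are constructed, shortened copies of what the post quotes, and the DDoS-RS field names are assumptions inferred from that single record.

```python
import ipaddress
import re

# Constructed sample input: a shortened copy of the bleeding-botcc rule quoted
# in the post (the real group 11 rule lists about sixty addresses).
BOTCC_RULE = (
    'alert ip $HOME_NET any -> [64.86.25.248,66.139.78.164,66.160.135.21] any '
    '(msg:"ET DROP Known Bot C&C Server Traffic (group 11) "; '
    'reference:url,www.shadowserver.org; classtype:trojan-activity; '
    'sid:2404010; rev:1131;)'
)

# Constructed sample input: the DDoS-RS v2 record quoted in the post.
DDOS_RS_LINE = (
    "13768 | PEER1 - Peer 1 Network Inc. | 66.139.78.164 | tcp | 9798 | "
    "2008-04-09 21:56:58 | 2008-04-17 21:56:58 | bot | 0 | 0 | "
    "ID: DNSRR: secure.freebsd.la SERVPASS: su1c1d3"
)

def rule_targets(rule):
    """Return the bracketed destination address group of an 'alert ip' rule."""
    m = re.search(r"->\s*\[([^\]]+)\]", rule)
    if not m:
        return set()
    return {a.strip() for a in m.group(1).split(",") if a.strip()}

def parse_ddos_rs(line):
    """Split one pipe-delimited DDoS-RS v2 record into a dict.

    Field names are assumptions based on the single quoted record; fields
    beyond the ones we can name are kept under placeholder keys.
    """
    fields = [f.strip() for f in line.split("|")]
    keys = ["asn", "as_name", "ip", "proto", "port", "first_seen",
            "expires", "kind", "unknown9", "unknown10", "notes"]
    return dict(zip(keys, fields))

def match_host(host, rule, feed_lines):
    """Report whether host is in the rule's C&C group and in any feed record."""
    ip = ipaddress.ip_address(host)  # rejects malformed input early
    in_rule = str(ip) in rule_targets(rule)
    hits = [r for r in map(parse_ddos_rs, feed_lines) if r.get("ip") == str(ip)]
    return {"ip": str(ip), "in_botcc_rule": in_rule, "feed_hits": hits}

if __name__ == "__main__":
    print(match_host("66.139.78.164", BOTCC_RULE, [DDOS_RS_LINE]))
```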