[nsp-sec] Packet love to AS9192
Rob Thomas
robt at cymru.com
Sun Feb 3 17:12:43 EST 2008
Hi, Alfredo.
Sorry to hear about the DDoS!
> 3221 | 193.40.0.77 | EENet Autonomous System
This IP has chatted with quite a few botnets, but the fave seems to
be a botnet on 208.98.42.69 TCP 9997, calling itself "irc.h4x0r-
s.org" (bogus). We're not certain of the channel, and the server on
208.98.42.69 might be a legitimate (or semi-legit) IRC server.
> 9758 | 211.172.232.90 | HANNET-AS Serverbank
This one is a bit more interesting. It's had a fair bit of malware
involvement.
timestamp           | sha1                                     | md5                              | dst_ip         | dst_port | protocol | size
--------------------+------------------------------------------+----------------------------------+----------------+----------+----------+------
2008-01-29 17:04:51 | 003f2e4e3c99293733d08f6859645a10d945dd36 | e40a41890b08b93dededfdfe280fdb7e | 211.172.232.90 | 80       | 6        |
2000-01-22 12:27:30 | 5a663254c21339e107e2c99cb7e3f00ca6fb6571 | 37ace5198d1a826f1b903a1b285f5427 | 211.172.232.90 | 80       | 6        |
2008-01-08 01:03:31 | d5887876c1d40011e7cdbaa18ce0ce0a77c06db2 | a7785d890b335150f1e302afbad8d3f8 | 211.172.232.90 | 80       | 6        |
2008-01-02 13:02:08 | f38758967d24c1cd6e6fe3f1d2898eaa5b585053 | 7b2c39293f52a7515c5d4f100712ce28 | 211.172.232.90 | 80       | 6        |
It's been a bot on at least one large, public IRC network.
> 8167 | 200.203.183.62 | TELESC - Telecomunicacoes de Santa Catarina SA
Not much on this one, sorry.
Let's look a bit more closely at the things these three IPs have in
common...
Ah! All three of these IPs are chatting with 193.136.212.220 on TCP
26842.
220.212.136.193.in-addr.arpa domain name pointer batman.dei.uc.pt.
AS   | IP              | BGP Prefix     | CC | Registry | Allocated  | AS Name
-----+-----------------+----------------+----+----------+------------+--------------
1930 | 193.136.212.220 | 193.136.0.0/15 | PT | ripencc  | 1993-09-01 | RCCN RCCN-NET
This is definitely a botnet. I suspect this is the font of your woes.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
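The correlation Rob performs above (three attacking sources, one shared controller) is easy to automate over flow records. The following is an added example, not code from the original post or from Team Cymru; the flow records are constructed to mirror the thread, and the two non-controller destinations (198.51.100.7, 203.0.113.9) are placeholder addresses from documentation ranges.

```python
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, proto).
# Sources are the three attackers named in the thread; 193.136.212.220:26842 is
# the controller Rob identified. Other destinations are placeholders, not real data.
FLOWS = [
    ("193.40.0.77",    "208.98.42.69",    9997,  "tcp"),
    ("193.40.0.77",    "193.136.212.220", 26842, "tcp"),
    ("211.172.232.90", "193.136.212.220", 26842, "tcp"),
    ("211.172.232.90", "198.51.100.7",    6667,  "tcp"),
    ("200.203.183.62", "193.136.212.220", 26842, "tcp"),
    ("200.203.183.62", "203.0.113.9",     80,    "tcp"),
]

# The attacking sources reported in the DDoS (from the thread).
SUSPECTS = {"193.40.0.77", "211.172.232.90", "200.203.183.62"}


def common_peers(flows, suspects, min_sources=None):
    """Return {(dst_ip, dst_port, proto): [src_ip, ...]} for every endpoint
    contacted by at least `min_sources` distinct suspect sources.

    With the default (all suspects) this reproduces the "what do these IPs
    have in common" step; a lower threshold surfaces partial overlaps when a
    botnet is split across several controllers.
    """
    need = len(suspects) if min_sources is None else min_sources
    peers = defaultdict(set)
    for src, dst, port, proto in flows:
        if src in suspects:
            peers[(dst, port, proto)].add(src)
    return {ep: sorted(srcs) for ep, srcs in peers.items() if len(srcs) >= need}


if __name__ == "__main__":
    for (dst, port, proto), srcs in common_peers(FLOWS, SUSPECTS).items():
        print(f"{dst} {proto}/{port} contacted by {len(srcs)} suspects: {', '.join(srcs)}")
```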