[nsp-sec] PHP Botnets are fun. C&C's discovered

Shelton, Steve sshelton at Cogentco.com
Wed Feb 6 07:43:45 EST 2008


Dave et al,

There was quite a change in the mildnet.org zone from yesterday.  They
have become a one-stop crime shop, it seems, and I have seen numerous
references to DoS in more than one channel as of late, which is above and
beyond their normal criminal behavior.


Zone: irc.mildnet.org. Time: Tue Feb 5 16:00:11 2008

;; Answer received from 66.28.0.45 (470 bytes)
;;
;; HEADER SECTION
;; id = 1227
;; qr = 1    opcode = QUERY    aa = 0    tc = 0    rd = 1
;; ra = 1    ad = 0    cd = 0    rcode  = NOERROR
;; qdcount = 1  ancount = 14  nscount = 4  arcount = 3

;; QUESTION SECTION (1 record)
;; irc.mildnet.org.	IN	A

;; ANSWER SECTION (14 records)
irc.mildnet.org.	2416	IN	A	212.241.214.143
irc.mildnet.org.	2416	IN	A	74.53.70.115
irc.mildnet.org.	2416	IN	A	69.42.211.121
irc.mildnet.org.	2416	IN	A	66.98.156.85
irc.mildnet.org.	2416	IN	A	66.252.24.172
irc.mildnet.org.	2416	IN	A	72.249.24.98
irc.mildnet.org.	2416	IN	A	66.249.137.137
irc.mildnet.org.	2416	IN	A	204.8.218.108
irc.mildnet.org.	2416	IN	A	67.205.67.39
irc.mildnet.org.	2416	IN	A	72.10.163.194
irc.mildnet.org.	2416	IN	A	80.38.135.73
irc.mildnet.org.	2416	IN	A	66.252.1.112
irc.mildnet.org.	2416	IN	A	212.241.181.226
irc.mildnet.org.	2416	IN	A	202.9.108.44

;; AUTHORITY SECTION (4 records)
mildnet.org.	2416	IN	NS	kiozmanagedomain.mercury.orderbox-dns.com.
mildnet.org.	2416	IN	NS	kiozmanagedomain.mars.orderbox-dns.com.
mildnet.org.	2416	IN	NS	kiozmanagedomain.venus.orderbox-dns.com.
mildnet.org.	2416	IN	NS	kiozmanagedomain.earth.orderbox-dns.com.

;; ADDITIONAL SECTION (3 records)
kiozmanagedomain.venus.orderbox-dns.com.	2416	IN	A	74.54.56.231
kiozmanagedomain.venus.orderbox-dns.com.	2416	IN	A	74.54.56.236
kiozmanagedomain.venus.orderbox-dns.com.	2416	IN	A	74.54.56.227

Zone: irc.mildnet.org. Time: Wed Feb  6 04:00:02 2008

;; Answer received from 66.28.0.45 (411 bytes)
;;
;; HEADER SECTION
;; id = 1877
;; qr = 1    opcode = QUERY    aa = 0    tc = 0    rd = 1
;; ra = 1    ad = 0    cd = 0    rcode  = NOERROR
;; qdcount = 1  ancount = 1  nscount = 6  arcount = 10

;; QUESTION SECTION (1 record)
;; irc.mildnet.org.	IN	A

;; ANSWER SECTION (1 record)
irc.mildnet.org.	10000	IN	A	83.170.82.93

;; AUTHORITY SECTION (6 records)
org.	6856	IN	NS	tld2.ultradns.net.
org.	6856	IN	NS	b0.org.afilias-nst.org.
org.	6856	IN	NS	tld1.ultradns.net.
org.	6856	IN	NS	a0.org.afilias-nst.info.
org.	6856	IN	NS	d0.org.afilias-nst.org.
org.	6856	IN	NS	c0.org.afilias-nst.info.

;; ADDITIONAL SECTION (10 records)
tld2.ultradns.net.	2923	IN	A	204.74.113.1
tld1.ultradns.net.	915	IN	A	204.74.112.1
tld1.ultradns.net.	915	IN	AAAA	2001:502:d399:0:0:0:0:1
d0.org.afilias-nst.org.	4216	IN	A	199.19.57.1
c0.org.afilias-nst.info.	1186	IN	A	199.19.53.1
c0.org.afilias-nst.info.	1186	IN	AAAA	2001:500:b:0:0:0:0:1
b0.org.afilias-nst.org.	2792	IN	A	199.19.54.1
b0.org.afilias-nst.org.	2792	IN	AAAA	2001:500:c:0:0:0:0:1
a0.org.afilias-nst.info.	3833	IN	A	199.19.56.1
a0.org.afilias-nst.info.	3833	IN	AAAA	2001:500:e:0:0:0:0:1




The following hosts, which appeared in the zone for irc.mildnet.org on
Feb 5 16:00:11 2008, still appear to be live with services running on TCP 6001.

21844   | 74.53.70.115     | THEPLANET-AS - THE PLANET
17048   | 69.42.211.121    | AWKNET - Awknet Communications, LLC
13749   | 66.98.156.85     | EVERYONES-INTERNET - Everyones Internet
23522   | 66.252.24.172    | IPNAP-ES - GigeNET
14037   | 204.8.218.108    | AS-RVB-1 - RackVibe LLC
6461    | 72.10.163.194    | MFNX MFN - Metromedia Fiber Network
3352    | 80.38.135.73     | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
23522   | 66.252.1.112     | IPNAP-ES - GigeNET
5413    | 212.241.181.226  | AS5413 PIPEX Communications

~~~~

--- 02/06/08 07:22:38 Eastern Standard Time
--- reading URL 74.53.70.115:6661
--- contacting host [74.53.70.115] on port 6661

:medan.mildnet.org NOTICE AUTH :*** MILDNet Looking up your hostname...

--- 02/06/08 07:23:16 Eastern Standard Time
--- reading URL 69.42.211.121:6661
--- contacting host [69.42.211.121] on port 6661

:devilshells.mildnet.org NOTICE AUTH :*** MILDNet Looking up your hostname...



--- 02/06/08 07:23:55 Eastern Standard Time
--- reading URL 66.98.156.85:6661
--- contacting host [66.98.156.85] on port 6661

:pekanbaru.mildnet.org NOTICE AUTH :*** MILDNet Looking up your hostname...



--- 02/06/08 07:24:29 Eastern Standard Time
--- reading URL 66.252.24.172:6661
--- contacting host [66.252.24.172] on port 6661

:edge.mildnet.org NOTICE AUTH :*** MILDNet Looking up your hostname...




--- 02/06/08 07:21:28 Eastern Standard Time
--- reading URL 204.8.218.108:6661
--- contacting host [204.8.218.108] on port 6661

:bali.mildnet.org NOTICE AUTH :*** MILDNet Looking up your hostname...



--- 02/06/08 07:27:03 Eastern Standard Time
--- reading URL 72.10.163.194:6661
--- contacting host [72.10.163.194] on port 6661

:liteshells.mildnet.org NOTICE AUTH :*** MILDNet Looking up your hostname...


--- 02/06/08 07:27:37 Eastern Standard Time
--- reading URL 80.38.135.73:6661
--- contacting host [80.38.135.73] on port 6661

:bogani.mildnet.org NOTICE AUTH :*** MILDNet Looking up your hostname...


--- 02/06/08 07:28:22 Eastern Standard Time
--- reading URL 66.252.1.112:6661
--- contacting host [66.252.1.112] on port 6661

:love.mildnet.org NOTICE AUTH :*** MILDNet Looking up your hostname...


--- 02/06/08 07:28:53 Eastern Standard Time
--- reading URL 212.241.181.226:6661
--- contacting host [212.241.181.226] on port 6661

:batak.mildnet.org NOTICE AUTH :*** MILDNet Looking up your hostname...



Steve Shelton
Cogent Abuse
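The two checks Steve walks through above, diffing the A-record set of the C&C name between two dumps and then reading the banner each surviving host volunteers on the IRC port, written out as a script. This is an added example, not code from the post or from Cogent Abuse: every function name (parse_a_records, diff_record_sets, parse_banner, probe_irc, probe_all, live_ircds) is the example's own, the sample dumps are constructed from the records quoted in the message (whitespace-separated rather than tab-separated, with only one AUTHORITY and one ADDITIONAL line kept for the Feb 6 dump), and the default probe port is 6661 because that is the port the message's own probes use.

```python
"""Added example, not code from the original nsp-security post.

Automates the post's two manual steps: diff the A-record set of the C&C
hostname between two DNS dumps, then connect to each candidate on the IRC
port and classify what the service volunteers. Function names are this
example's own; the dumps below are constructed from the records in the post.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Optional

DUMP_FEB5 = """\
;; ANSWER SECTION (14 records)
irc.mildnet.org. 2416 IN A 212.241.214.143
irc.mildnet.org. 2416 IN A 74.53.70.115
irc.mildnet.org. 2416 IN A 69.42.211.121
irc.mildnet.org. 2416 IN A 66.98.156.85
irc.mildnet.org. 2416 IN A 66.252.24.172
irc.mildnet.org. 2416 IN A 72.249.24.98
irc.mildnet.org. 2416 IN A 66.249.137.137
irc.mildnet.org. 2416 IN A 204.8.218.108
irc.mildnet.org. 2416 IN A 67.205.67.39
irc.mildnet.org. 2416 IN A 72.10.163.194
irc.mildnet.org. 2416 IN A 80.38.135.73
irc.mildnet.org. 2416 IN A 66.252.1.112
irc.mildnet.org. 2416 IN A 212.241.181.226
irc.mildnet.org. 2416 IN A 202.9.108.44
"""

DUMP_FEB6 = """\
;; ANSWER SECTION (1 record)
irc.mildnet.org. 10000 IN A 83.170.82.93
;; AUTHORITY SECTION (6 records)
org. 6856 IN NS tld2.ultradns.net.
;; ADDITIONAL SECTION (10 records)
tld2.ultradns.net. 2923 IN A 204.74.113.1
"""

RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S+)$")


def parse_a_records(dump: str, qname: str) -> set[str]:
    """A rdata for qname from the ANSWER section only. The ADDITIONAL section
    also carries A records (glue for the nameservers); those are not C&C
    addresses and must not be counted."""
    in_answer, found = False, set()
    for line in dump.splitlines():
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        m = RR_RE.match(line.strip())
        if in_answer and m and m["type"] == "A" and m["name"].rstrip(".") == qname.rstrip("."):
            found.add(m["rdata"])
    return found


def diff_record_sets(old: set[str], new: set[str]) -> dict[str, set[str]]:
    """Which C&C addresses rotated in, rotated out, or persisted."""
    return {"added": new - old, "removed": old - new, "kept": old & new}


# An ircd sends a server-prefixed NOTICE before registration completes; every
# probe in the post reads ":<server> NOTICE AUTH :*** MILDNet Looking up ..."
NOTICE_RE = re.compile(r"^:(?P<server>\S+)\s+NOTICE\s+(?:AUTH|\*)\s+:(?P<text>.*)$")


def parse_banner(raw: str) -> Optional[tuple[str, str]]:
    """(ircd name, notice text) if the first line is an IRC pre-registration
    NOTICE; None for anything else (HTTP, SSH, silence)."""
    lines = raw.splitlines()
    m = NOTICE_RE.match(lines[0].strip()) if lines else None
    return (m["server"], m["text"]) if m else None


@dataclass
class Probe:
    ip: str
    port: int
    server: Optional[str]  # ircd name from the banner; None if not IRC-like or unreachable
    banner: str


def probe_irc(ip: str, port: int = 6661, timeout: float = 5.0) -> Probe:
    """Connect and read what the service volunteers without sending anything,
    so the ircd only ever sees an abandoned registration."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.settimeout(timeout)
            raw = s.recv(512).decode("utf-8", "replace")
    except OSError as exc:  # refused, timed out, unroutable: not live on that port
        return Probe(ip, port, None, f"<{type(exc).__name__}>")
    parsed = parse_banner(raw)
    return Probe(ip, port, parsed[0] if parsed else None, raw.strip())


def probe_all(ips, port: int = 6661,
              probe: Callable[[str, int], Probe] = probe_irc) -> list[Probe]:
    """Probe every IP; `probe` is injectable so the pipeline can run offline."""
    return sorted((probe(ip, port) for ip in ips), key=lambda p: p.ip)


def live_ircds(probes: list[Probe]) -> dict[str, str]:
    """ip -> ircd server name for the hosts that answered as IRC servers."""
    return {p.ip: p.server for p in probes if p.server}
```

Run `live_ircds(probe_all(old - new, 6661))` on the addresses that dropped out of the zone to reproduce the post's liveness list; the probe sends nothing, so a still-running ircd sees only an abandoned registration. Mapping each live IP to its origin AS, as the post's table does, is a separate lookup and is not part of this example.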

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Dave Mitchell
Sent: Tuesday, February 05, 2008 4:16 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] PHP Botnets are fun. C&C's discovered

----------- nsp-security Confidential --------