[nsp-sec] C&C @ 7132

Patrick Bergen pbergen at uen.org
Wed Feb 20 23:52:51 EST 2008


7132    | 70.252.251.138   | SBIS-AS - AT&T Internet Services

Port 2007

We nabbed about 15 of these in our AS's

Here are the flows and some packet captures:

IRC BOT #!msg Commands [**]
02/20-09:53:12.346304 70.252.251.138:2007 -> 129.123.248.28:1084
TCP TTL:50 TOS:0x0 ID:3433 IpLen:20 DgmLen:161 DF
***AP*** Seq: 0x9E0179D6  Ack: 0xFAA3E0C5  Win: 0x16D0  TcpLen: 20
3A 78 21 6A 61 76 61 40 66 62 69 2E 67 6F 76 20  :x!java@fbi.gov
54 4F 50 49 43 20 23 21 6D 73 67 21 20 3A 21 6D  TOPIC #!msg! :!m
73 6E 2E 73 74 6F 70 7C 21 6D 73 6E 2E 6D 73 67  sn.stop|!msn.msg
20 68 65 79 20 2C 20 69 74 27 73 20 72 65 61 6C   hey , it's real
6C 79 20 79 6F 75 20 3F 20 3A 53 20 20 20 68 74  ly you ? :S   ht
74 70 3A 2F 2F 6D 73 6E 67 61 6C 6C 65 72 79 2E  tp://msngallery.
70 72 6F 68 6F 73 74 73 2E 6F 72 67 2F 76 69 65  prohosts.org/vie
77 2E 70 68 70 3F 3D 0D 0A                       w.php?=..

IRC BOT #!msg Commands [**]
02/20-07:12:07.313245 70.252.251.138:2007 -> 129.123.248.28:1084
TCP TTL:50 TOS:0x0 ID:63746 IpLen:20 DgmLen:169 DF
***AP*** Seq: 0x9E01682E  Ack: 0xFAA3D8C9  Win: 0x16D0  TcpLen: 20
3A 78 21 6A 61 76 61 40 66 62 69 2E 67 6F 76 20  :x!java@fbi.gov
54 4F 50 49 43 20 23 21 6D 73 67 21 20 3A 21 6D  TOPIC #!msg! :!m
73 6E 2E 73 74 6F 70 7C 6D 73 6E 2E 6D 73 67 20  sn.stop|msn.msg
68 65 79 20 2C 20 6C 6F 6F 6B 73 20 72 65 61 6C  hey , looks real
6C 79 20 61 20 6C 6F 74 20 6C 69 6B 65 20 79 6F  ly a lot like yo
75 20 6F 72 20 3F 20 3A 70 20 20 68 74 74 70 3A  u or ? :p  http:
2F 2F 6D 73 6E 70 69 63 2E 6D 61 64 70 61 67 65  //msnpic.madpage
2E 63 6F 6D 2F 76 69 65 77 2E 70 68 70 3F 3D 0D  .com/view.php?=.
0A                                               .

#   Date     Time
# MM/DD/YY HH:MM:SS SourceIP        SPort DestinationIP   DPort Flows      Bytes Protcol
# -------- -------- --------------- ----- --------------- ----- ---------- ---------- -------
  02/20/08 00:00:45 70.252.251.138   2007 129.123.248.28   1084 2         97     TCP
  02/20/08 00:00:45 129.123.248.28   1084 70.252.251.138   2007 1         56     TCP
  02/20/08 00:02:45 129.123.248.28   1084 70.252.251.138   2007 1         56     TCP
  02/20/08 00:02:45 70.252.251.138   2007 129.123.248.28   1084 2         97     TCP
  02/20/08 00:04:45 129.123.248.28   1084 70.252.251.138   2007 1         56     TCP
  02/20/08 00:04:45 70.252.251.138   2007 129.123.248.28   1084 2         97     TCP
  02/20/08 00:06:45 129.123.248.28   1084 70.252.251.138   2007 1         56     TCP
  02/20/08 00:06:45 70.252.251.138   2007 129.123.248.28   1084 2         97     TCP
  02/20/08 00:08:45 129.123.248.28   1084 70.252.251.138   2007 1         56     TCP
  02/20/08 00:08:45 70.252.251.138   2007 129.123.248.28   1084 2         97     TCP
  02/20/08 00:10:46 129.123.248.28   1084 70.252.251.138   2007 1         56     TCP
<SNIP>
  02/20/08 09:39:08 129.123.248.28   1084 70.252.251.138   2007 1         56     TCP
  02/20/08 09:41:08 129.123.248.28   1084 70.252.251.138   2007 1         56     TCP
  02/20/08 09:41:08 70.252.251.138   2007 129.123.248.28   1084


-- 
Patrick Bergen, CISSP
Sr. Systems Security Analyst
UEN Security Office
(801) 949-0777 Cell
(801) 581-4499 Office
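As an added triage example (not part of Patrick's post and not UEN's tooling), the Python below decodes the snort-style hex dump into the IRC TOPIC line, splits the '|'-separated bot commands and the URL out of the channel topic, and flags the two-minute keepalive cadence visible in the flow records. The hex dump and flow records embedded as sample input are transcribed from the post (the flow records rejoined onto one line each); the function names and the jitter threshold are this example's own assumptions.

```python
"""Defender-side triage of an IRC C&C capture: rebuild the payload from a
hex dump, parse the IRC line, pull out the bot command string, and detect
periodic keepalive flows between bot and controller.  Sample data is
transcribed from the nsp-sec post; the parsing code is this example's own."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# First capture from the post, transcribed (constructed sample input).
HEXDUMP = """\
3A 78 21 6A 61 76 61 40 66 62 69 2E 67 6F 76 20  :x!java@fbi.gov
54 4F 50 49 43 20 23 21 6D 73 67 21 20 3A 21 6D  TOPIC #!msg! :!m
73 6E 2E 73 74 6F 70 7C 21 6D 73 6E 2E 6D 73 67  sn.stop|!msn.msg
20 68 65 79 20 2C 20 69 74 27 73 20 72 65 61 6C   hey , it's real
6C 79 20 79 6F 75 20 3F 20 3A 53 20 20 20 68 74  ly you ? :S   ht
74 70 3A 2F 2F 6D 73 6E 67 61 6C 6C 65 72 79 2E  tp://msngallery.
70 72 6F 68 6F 73 74 73 2E 6F 72 67 2F 76 69 65  prohosts.org/vie
77 2E 70 68 70 3F 3D 0D 0A                       w.php?=..
"""

# Flow records from the post, each rejoined onto one line (constructed sample input).
FLOWS = """\
02/20/08 00:00:45 70.252.251.138   2007 129.123.248.28   1084 2 97 TCP
02/20/08 00:00:45 129.123.248.28   1084 70.252.251.138   2007 1 56 TCP
02/20/08 00:02:45 129.123.248.28   1084 70.252.251.138   2007 1 56 TCP
02/20/08 00:02:45 70.252.251.138   2007 129.123.248.28   1084 2 97 TCP
02/20/08 00:04:45 129.123.248.28   1084 70.252.251.138   2007 1 56 TCP
02/20/08 00:04:45 70.252.251.138   2007 129.123.248.28   1084 2 97 TCP
02/20/08 00:06:45 129.123.248.28   1084 70.252.251.138   2007 1 56 TCP
02/20/08 00:06:45 70.252.251.138   2007 129.123.248.28   1084 2 97 TCP
02/20/08 00:08:45 129.123.248.28   1084 70.252.251.138   2007 1 56 TCP
02/20/08 00:08:45 70.252.251.138   2007 129.123.248.28   1084 2 97 TCP
02/20/08 00:10:46 129.123.248.28   1084 70.252.251.138   2007 1 56 TCP
"""

URL_RE = re.compile(r"https?://\S+")


def decode_hexdump(dump: str) -> bytes:
    """Rebuild the payload from a 16-bytes-per-line hex dump.  Only the
    fixed-width hex column (first 47 characters) is read, so text in the
    ASCII gutter can never be mistaken for hex bytes."""
    out = bytearray()
    for line in dump.splitlines():
        out.extend(int(tok, 16) for tok in line[:47].split())
    return bytes(out)


def parse_irc_message(raw: bytes) -> dict:
    """Split one IRC line into prefix, command, middle params and trailing."""
    line = raw.decode("latin-1").rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, _, trailing = line.partition(" :")
    parts = head.split()
    return {"prefix": prefix, "command": parts[0], "params": parts[1:], "trailing": trailing}


def extract_bot_commands(topic: str) -> list:
    """Bot commands ride in the channel topic, separated by '|'; each is a
    verb (here '!msn.stop', '!msn.msg') followed by its argument string."""
    cmds = []
    for chunk in topic.split("|"):
        chunk = chunk.strip()
        if chunk:
            verb, _, args = chunk.partition(" ")
            cmds.append((verb, args.strip()))
    return cmds


def extract_urls(text: str) -> list:
    """URLs pushed to the bots (the lure links) are worth blocking and hunting for."""
    return URL_RE.findall(text)


def parse_flows(text: str) -> list:
    """Parse 'date time src sport dst dport flows bytes proto' records."""
    recs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or f[0].startswith("#"):
            continue
        recs.append({"ts": datetime.strptime(f[0] + " " + f[1], "%m/%d/%y %H:%M:%S"),
                     "src": f[2], "sport": int(f[3]), "dst": f[4], "dport": int(f[5]),
                     "flows": int(f[6]), "bytes": int(f[7]), "proto": f[8]})
    return recs


def find_beacons(recs: list, min_samples: int = 4, max_jitter: float = 5.0) -> list:
    """Flag (src, dst, dport) tuples whose flow start times recur at a
    near-constant interval: the keepalive signature of an idle IRC bot.
    max_jitter (seconds of tolerated drift) is an assumed threshold."""
    by_pair = defaultdict(list)
    for r in recs:
        by_pair[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = []
    for (src, dst, dport), times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) < min_samples:
            continue
        period = statistics.median(gaps)
        if period > 0 and max(abs(g - period) for g in gaps) <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "period_s": period, "samples": len(times)})
    return hits


if __name__ == "__main__":
    msg = parse_irc_message(decode_hexdump(HEXDUMP))
    print(msg["prefix"], msg["command"], msg["params"])
    print("bot commands:", extract_bot_commands(msg["trailing"]))
    print("lure URLs:", extract_urls(msg["trailing"]))
    for h in find_beacons(parse_flows(FLOWS)):
        print(f"beacon {h['src']} -> {h['dst']}:{h['dport']} "
              f"every {h['period_s']:.0f}s ({h['samples']} flows)")
```

Run against the transcribed data it reports the TOPIC for #!msg! carrying an !msn.stop and an !msn.msg command with the msngallery.prohosts.org lure URL, and flags both directions of the 129.123.248.28:1084 <-> 70.252.251.138:2007 conversation as a 120-second beacon; the same flow cadence check applied to live flow data surfaces other hosts parked on the same controller even before a payload is captured.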