[nsp-sec] C&C @ 7132
White, Gerard
Gerard.White at aliant.ca
Thu Feb 21 00:27:19 EST 2008
Already in CYMRU C&C and yes, we're fausty too...
Two primary incarnations on the go right now...
PASS oxxdull
JOIN #!msg! mmmsg
JOIN #!msg2! mmmsg
Bloody IM spreaders...
Thanks for the heads-up Patrick...
GW
855 - Bell Aliant
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Patrick Bergen
Sent: Thursday, February 21, 2008 1:23 AM
To: NSP-SEC
Subject: [nsp-sec] C&C @ 7132
----------- nsp-security Confidential --------
7132 | 70.252.251.138 | SBIS-AS - AT&T Internet Services
Port 2007
We nabbed about 15 of these in our AS's
Here are the flows and some packet captures:
IRC BOT #!msg Commands [**]
02/20-09:53:12.346304 70.252.251.138:2007 -> 129.123.248.28:1084
TCP TTL:50 TOS:0x0 ID:3433 IpLen:20 DgmLen:161 DF
***AP*** Seq: 0x9E0179D6 Ack: 0xFAA3E0C5 Win: 0x16D0 TcpLen: 20
3A 78 21 6A 61 76 61 40 66 62 69 2E 67 6F 76 20  :x!java@fbi.gov 
54 4F 50 49 43 20 23 21 6D 73 67 21 20 3A 21 6D  TOPIC #!msg! :!m
73 6E 2E 73 74 6F 70 7C 21 6D 73 6E 2E 6D 73 67  sn.stop|!msn.msg
20 68 65 79 20 2C 20 69 74 27 73 20 72 65 61 6C   hey , it's real
6C 79 20 79 6F 75 20 3F 20 3A 53 20 20 20 68 74  ly you ? :S   ht
74 70 3A 2F 2F 6D 73 6E 67 61 6C 6C 65 72 79 2E  tp://msngallery.
70 72 6F 68 6F 73 74 73 2E 6F 72 67 2F 76 69 65  prohosts.org/vie
77 2E 70 68 70 3F 3D 0D 0A                       w.php?=..
IRC BOT #!msg Commands [**]
02/20-07:12:07.313245 70.252.251.138:2007 -> 129.123.248.28:1084
TCP TTL:50 TOS:0x0 ID:63746 IpLen:20 DgmLen:169 DF
***AP*** Seq: 0x9E01682E Ack: 0xFAA3D8C9 Win: 0x16D0 TcpLen: 20
3A 78 21 6A 61 76 61 40 66 62 69 2E 67 6F 76 20  :x!java@fbi.gov 
54 4F 50 49 43 20 23 21 6D 73 67 21 20 3A 21 6D  TOPIC #!msg! :!m
73 6E 2E 73 74 6F 70 7C 6D 73 6E 2E 6D 73 67 20  sn.stop|msn.msg 
68 65 79 20 2C 20 6C 6F 6F 6B 73 20 72 65 61 6C  hey , looks real
6C 79 20 61 20 6C 6F 74 20 6C 69 6B 65 20 79 6F  ly a lot like yo
75 20 6F 72 20 3F 20 3A 70 20 20 68 74 74 70 3A  u or ? :p  http:
2F 2F 6D 73 6E 70 69 63 2E 6D 61 64 70 61 67 65  //msnpic.madpage
2E 63 6F 6D 2F 76 69 65 77 2E 70 68 70 3F 3D 0D  .com/view.php?=.
0A                                               .
# Date     Time     SourceIP        SPort DestinationIP   DPort Flows      Bytes      Protocol
# MM/DD/YY HH:MM:SS
# -------- -------- --------------- ----- --------------- ----- ---------- ---------- --------
02/20/08 00:00:45 70.252.251.138  2007  129.123.248.28  1084  2          97         TCP
02/20/08 00:00:45 129.123.248.28  1084  70.252.251.138  2007  1          56         TCP
02/20/08 00:02:45 129.123.248.28  1084  70.252.251.138  2007  1          56         TCP
02/20/08 00:02:45 70.252.251.138  2007  129.123.248.28  1084  2          97         TCP
02/20/08 00:04:45 129.123.248.28  1084  70.252.251.138  2007  1          56         TCP
02/20/08 00:04:45 70.252.251.138  2007  129.123.248.28  1084  2          97         TCP
02/20/08 00:06:45 129.123.248.28  1084  70.252.251.138  2007  1          56         TCP
02/20/08 00:06:45 70.252.251.138  2007  129.123.248.28  1084  2          97         TCP
02/20/08 00:08:45 129.123.248.28  1084  70.252.251.138  2007  1          56         TCP
02/20/08 00:08:45 70.252.251.138  2007  129.123.248.28  1084  2          97         TCP
02/20/08 00:10:46 129.123.248.28  1084  70.252.251.138  2007  1          56         TCP
<SNIP>
02/20/08 09:39:08 129.123.248.28  1084  70.252.251.138  2007  1          56         TCP
02/20/08 09:41:08 129.123.248.28  1084  70.252.251.138  2007  1          56         TCP
02/20/08 09:41:08 70.252.251.138  2007  129.123.248.28  1084
--
Patrick Bergen, CISSP
Sr. Systems Security Analyst
UEN Security Office
(801) 949-0777 Cell
(801) 581-4499 Office
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
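The two things a responder would pull out of the message above are the fixed two-minute check-in between the infected host and 70.252.251.138:2007 in the flow listing (56 bytes one way, 97 bytes back, every 120 seconds) and the `!msn.stop|!msn.msg <lure text> <URL>` commands carried in the IRC TOPIC lines. The following is an added example, not code from the thread or from either poster, that does both: it parses flow records in the nine-column layout of the listing (one record per line, after rejoining the wrapped lines), flags host/port pairs whose flows recur at a near-constant interval, and splits a TOPIC payload into the bot verbs and lure URLs. The sample flows are the thread's own records plus one constructed unrelated flow to 192.0.2.10; the TOPIC payloads are rebuilt byte-for-byte from the two hex dumps; the beacon thresholds (`min_count`, `max_jitter`) are illustrative values, not tuned ones.

```python
"""Added example: beacon detection over flow records and IRC bot TOPIC parsing.
Not code from the thread; thresholds and the extra non-C&C flow are assumptions."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the nine-column layout of the flow listing above (one record per
# line). The first ten lines are the thread's own records; the last, to 192.0.2.10, is an
# added unrelated flow so the detector has something to ignore.
SAMPLE_FLOWS = """\
02/20/08 00:00:45 70.252.251.138 2007 129.123.248.28 1084 2 97 TCP
02/20/08 00:00:45 129.123.248.28 1084 70.252.251.138 2007 1 56 TCP
02/20/08 00:02:45 129.123.248.28 1084 70.252.251.138 2007 1 56 TCP
02/20/08 00:02:45 70.252.251.138 2007 129.123.248.28 1084 2 97 TCP
02/20/08 00:04:45 129.123.248.28 1084 70.252.251.138 2007 1 56 TCP
02/20/08 00:04:45 70.252.251.138 2007 129.123.248.28 1084 2 97 TCP
02/20/08 00:06:45 129.123.248.28 1084 70.252.251.138 2007 1 56 TCP
02/20/08 00:06:45 70.252.251.138 2007 129.123.248.28 1084 2 97 TCP
02/20/08 00:08:45 129.123.248.28 1084 70.252.251.138 2007 1 56 TCP
02/20/08 00:08:45 70.252.251.138 2007 129.123.248.28 1084 2 97 TCP
02/20/08 00:03:10 129.123.248.28 3345 192.0.2.10 80 1 512 TCP
"""

# The two TOPIC payloads from the packet captures, rebuilt byte-for-byte from the hex dumps.
SAMPLE_TOPICS = [
    b":x!java@fbi.gov TOPIC #!msg! :!msn.stop|!msn.msg hey , it's really you ? :S   "
    b"http://msngallery.prohosts.org/view.php?=\r\n",
    b":x!java@fbi.gov TOPIC #!msg! :!msn.stop|msn.msg hey , looks really a lot like you or ? :p  "
    b"http://msnpic.madpage.com/view.php?=\r\n",
]

FLOW_RE = re.compile(
    r"^(\d\d/\d\d/\d\d) (\d\d:\d\d:\d\d) ([\d.]+) (\d+) ([\d.]+) (\d+) (\d+) (\d+) (\w+)$")
TOPIC_RE = re.compile(rb"^:(\S+) TOPIC (\S+) :(.*)$")


def parse_flows(text):
    """Parse flow records; lines that do not fit the layout (headers, <SNIP>, wrapped
    fragments) are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.match(" ".join(line.split()))  # collapse the column padding
        if not m:
            continue
        date, time, sip, sport, dip, dport, flows, nbytes, proto = m.groups()
        records.append({
            "ts": datetime.strptime(date + " " + time, "%m/%d/%y %H:%M:%S"),
            "sip": sip, "sport": int(sport), "dip": dip, "dport": int(dport),
            "flows": int(flows), "bytes": int(nbytes), "proto": proto,
        })
    return records


def find_beacons(records, min_count=4, max_jitter=0.10):
    """Flag (client, server, server_port) tuples whose flows recur at a near-constant
    interval: at least min_count flows, and a coefficient of variation of the gaps no
    larger than max_jitter. Both thresholds are illustrative, not tuned values."""
    stamps = defaultdict(list)
    for r in records:
        stamps[(r["sip"], r["dip"], r["dport"])].append(r["ts"])
    hits = []
    for (client, server, port), ts in sorted(stamps.items()):
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append({"client": client, "server": server, "dport": port,
                         "period": mean, "count": len(ts)})
    return hits


def parse_bot_topic(raw):
    """Split a TOPIC line into the bot commands it carries. Commands are '|'-separated and
    usually '!'-prefixed (the second capture omits the '!' on msn.msg, so it is optional);
    the first word is the verb, the rest is the spread text, from which any URL is pulled."""
    m = TOPIC_RE.match(raw.rstrip(b"\r\n"))
    if not m:
        return None
    prefix, channel, topic = (g.decode("latin-1") for g in m.groups())
    commands = []
    for part in topic.split("|"):
        verb, _, args = part.strip().lstrip("!").partition(" ")
        if verb:
            commands.append({"verb": verb, "args": args.strip(),
                             "urls": re.findall(r"https?://\S+", args)})
    return {"prefix": prefix, "channel": channel, "commands": commands}


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print("beacon: %(client)s -> %(server)s:%(dport)d every %(period).0fs x%(count)d" % hit)
    for raw in SAMPLE_TOPICS:
        parsed = parse_bot_topic(raw)
        for cmd in parsed["commands"]:
            print(parsed["channel"], cmd["verb"], cmd["urls"])
```

On the thread's records this reports the 129.123.248.28 to 70.252.251.138:2007 pair (and the reverse direction) at a 120-second period and ignores the one-off flow. The detector is keyed per direction on purpose: flow data alone does not say which side opened the session, and both sides of a keepalive exchange beacon at the same cadence. A fixed-interval check-in from several internal hosts to one external host:port, with near-identical byte counts each time, is the pattern to hunt for across the "about 15" hosts mentioned above; the jitter tolerance should be widened for bots that randomise their sleep.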