[nsp-sec] [C&C nodes]
Dave Mitchell
davem at yahoo-inc.com
Mon Jun 9 21:13:32 EDT 2008
Yeah, we just grab those out of malicious php files before we kill them.
I'll have them add dns lookups to the scripts that fetch these so we
don't list the same irc server.
Thanks.
-d
On Mon, Jun 09, 2008 at 09:09:45PM -0400, Jose Nazario wrote:
> On Mon, 9 Jun 2008, Dave Mitchell wrote:
>
>
> all turn up as DNS for irc.quakenet.org. look for connections to ports
> 6667-6669.
>
>
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> security researcher, office of the CTO, arbor networks
> v: (734) 821 1427 http://asert.arbornetworks.com/
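
An added example, not code from the thread or from either poster's tooling: one way to do the DNS check described above, resolving known public IRC hostnames and separating extracted `ip:port` endpoints that match them from those that still need review. The function names, the injectable `resolver` parameter and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Public IRC network hostnames to exclude; irc.quakenet.org is the one
# named in the thread. Extend the tuple as needed.
PUBLIC_IRC_HOSTS = ("irc.quakenet.org",)
IRC_PORTS = range(6667, 6670)  # 6667-6669, the range mentioned in the thread


def resolve_all(hostname):
    """Return every IPv4 address the hostname currently resolves to."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def triage(endpoints, public_hosts=PUBLIC_IRC_HOSTS, resolver=resolve_all):
    """Split 'ip:port' strings into (candidates, public), dropping duplicates.

    An endpoint is 'public' when its IP is a current A record of a known
    public IRC hostname and its port is a standard IRC port.
    """
    public_ips = {ip: host for host in public_hosts for ip in resolver(host)}
    candidates, public, seen = [], [], set()
    for raw in endpoints:
        ip_text, _, port_text = raw.strip().rpartition(":")
        try:
            key = (str(ipaddress.IPv4Address(ip_text)), int(port_text))
        except ValueError:
            continue  # not an ip:port pair; leave it for manual review
        if key in seen:
            continue
        seen.add(key)
        if key[0] in public_ips and key[1] in IRC_PORTS:
            public.append((key[0], key[1], public_ips[key[0]]))
        else:
            candidates.append(key)
    return candidates, public


# Constructed sample: documentation-range addresses, not values from the thread.
SAMPLE = ["192.0.2.10:6667", "192.0.2.10:6667", "198.51.100.7:6667",
          "192.0.2.11:8080", "junk"]
```

A hostname may return only part of its address pool on a single query, so caching the resolved set across runs catches more matches than one lookup does.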