[nsp-sec] IRC Controller in AS24139
Daniel Adinolfi
dra1 at postoffice9.mail.cornell.edu
Fri Oct 17 10:26:28 EDT 2008
Folks,
We found a number of botted hosts on campus connecting to
218.108.55.189. A sample of the traffic we're seeing is below.
(Sorry about it being truncated. It's the best we got at this time.)
Times below are EDT.
AS      | IP             | AS Name
24139   | 218.108.55.189 | CNNIC-WASU-AP WASU TV & Communication Holding Co.,Ltd.
PEER_AS | IP             | AS Name
4837    | 218.108.55.189 | CHINA169-BACKBONE CNCGROUP China169 Backbone
[ Informations about 218.108.55.189 ]
IP range : 218.108.55.184 - 218.108.55.191
Network name : SANYAHUAHONGFAZHAN
Infos : SanYaHuaHongFaZhan-Coltd
Infos : Gudang Scientific and Economic Park ,No.398
Infos : Tian Mu Shan Roa, Hangzhou, Zhejiang, P.R.C
Country : China (CN)
Abuse E-mail : abuse at chinahcn.com
Source : APNIC
Thu Oct 16 23:25:31 2008 (local time)
218.108.55.189:7000<--TCP-->128.253.93.137:4085
:F22!TsInternetUser at admin.com TOPIC #m# :..PING
:sales_web..:F22!TsInternetUser@
Thu Oct 16 23:25:31 2008 (local time)
218.108.55.189:7000<--TCP-->128.253.93.137:4085
Thu Oct 16 23:25:31 2008 (local time)
218.108.55.189:7000<--TCP-->128.253.93.137:4085
Thu Oct 16 23:25:31 2008 (local time)
218.108.55.189:7000<--TCP-->128.253.93.137:4085
PONG :sales_web..PRIVMSG #m# :Start flooding...PONG :sales_web..PONG
:sales_web.
Thu Oct 16 23:25:31 2008 (local time)
218.108.55.189:7000<--TCP-->128.253.93.137:4085
Thu Oct 16 23:25:31 2008 (local time)
218.108.55.189:7000<--TCP-->128.253.93.137:4085
Thu Oct 16 23:25:31 2008 (local time)
218.108.55.189:7000<--TCP-->128.253.93.137:4085
Thanks!
-Dan
_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 at cornell.edu phone: 607-255-7657
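
A capture in the layout shown in the message above (timestamp line, flow line, optional payload lines) can be summarized per client host to scope which machines talked to a suspected controller and which IRC commands and channels appeared. This is an added example, not part of the original post; the function name `summarize`, the regexes, and the sample capture (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the capture in the post.
# Addresses are documentation ranges, not real hosts.
SAMPLE = """\
Thu Oct 16 23:25:31 2008 (local time)
192.0.2.10:7000<--TCP-->198.51.100.7:4085
:nick!user@host TOPIC #chan :..PING
:srv..
Thu Oct 16 23:25:31 2008 (local time)
192.0.2.10:7000<--TCP-->198.51.100.7:4085
Thu Oct 16 23:25:32 2008 (local time)
192.0.2.10:7000<--TCP-->198.51.100.23:1042
PONG :srv..PRIVMSG #chan :hello..PONG :srv..
"""

STAMP = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} \(local time\)$")
FLOW = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+)<--(\w+)-->(\d+\.\d+\.\d+\.\d+):(\d+)$")
IRC_VERBS = re.compile(r"\b(PRIVMSG|TOPIC|JOIN|NICK|USER|PING|PONG|MODE)\b")
CHANNEL = re.compile(r"(?<!\S)#\S+")

def summarize(capture, controller):
    """Map each peer of `controller` to packet count, IRC verbs and channels seen."""
    hosts = defaultdict(lambda: {"packets": 0, "verbs": set(), "channels": set()})
    current = None  # record for the flow whose payload lines we are reading
    for line in capture.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line):
            current = None  # a new packet record starts here
            continue
        m = FLOW.match(line)
        if m:
            a, b = m.group(1), m.group(4)
            peer = b if a == controller else a if b == controller else None
            current = hosts[peer] if peer else None
            if current is not None:
                current["packets"] += 1
            continue
        if current is not None:  # payload line belonging to a controller flow
            current["verbs"].update(IRC_VERBS.findall(line))
            current["channels"].update(CHANNEL.findall(line))
    return dict(hosts)

if __name__ == "__main__":
    for host, info in summarize(SAMPLE, "192.0.2.10").items():
        print(host, info["packets"], sorted(info["verbs"]), sorted(info["channels"]))
```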