[nsp-sec] Bot C&C at AS 6389 (BellSouth)
Daniel Adinolfi
dra1 at postoffice9.mail.cornell.edu
Wed Oct 22 08:41:18 EDT 2008
Folks,
We see an IRC botnet C&C server at 65.12.238.82. The malware
associated with this seems to be IRCFlood/zapchast.
82.238.12.65.in-addr.arpa domain name pointer adsl-065-012-238-082.sip.mia.bellsouth.net.
AS | IP | AS Name
6389 | 65.12.238.82 | BELLSOUTH-NET-BLK - BellSouth.net Inc.
PEER_AS | IP | AS Name
174 | 65.12.238.82 | COGENT Cogent/PSI
7018 | 65.12.238.82 | ATT-INTERNET4 - AT&T WorldNet Services
[ Informations about 65.12.238.82 ]
IP range : 65.0.0.0 - 65.15.255.255
Network name : BELLSNET-BLK6
Infos : BellSouth.net Inc.
Infos : 575 Morosgo Drive
Infos : Atlanta
Infos : GA
Infos : 30324
Country : United States (US)
Abuse E-mail : abuse at bellsouth.net
Source : ARIN
Network traffic looks like this:
Wed Oct 22 04:59:02 2008 (local time)
132.236.132.43:3026<--TCP-->65.12.238.82:7000
PING :clserver..:F22!TsInternetUser at admin.com PRIVMSG #m# :.login
01470147..:F22
Happy hunting.
-Dan