[nsp-sec] Bot C&C at AS 6389 (BellSouth)
CASEY, JOEL J, ATTSI
joeljcasey at att.com
Wed Oct 22 10:58:29 EDT 2008
All,
I've sent this to our botnet team; they will take care of it.
Thanks for the reports.
Joel Casey
Security Manager
AT&T CSO Internet Services Security Center
joeljcasey at att.com
Desk:919-319-8115
Mobile:919-949-5058
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Daniel
Adinolfi
Sent: Wednesday, October 22, 2008 8:41 AM
To: nsp-security NSP
Subject: [nsp-sec] Bot C&C at AS 6389 (BellSouth)
----------- nsp-security Confidential --------
Folks,
We see an IRC botnet C&C server at 65.12.238.82. The malware associated
with this seems to be IRCFlood/zapchast.
82.238.12.65.in-addr.arpa domain name pointer
adsl-065-012-238-082.sip.mia.bellsouth.net.
AS | IP | AS Name
6389 | 65.12.238.82 | BELLSOUTH-NET-BLK - BellSouth.net Inc.
PEER_AS | IP | AS Name
174 | 65.12.238.82 | COGENT Cogent/PSI
7018 | 65.12.238.82 | ATT-INTERNET4 - AT&T WorldNet Services
[ Informations about 65.12.238.82 ]
IP range : 65.0.0.0 - 65.15.255.255
Network name : BELLSNET-BLK6
Infos : BellSouth.net Inc.
Infos : 575 Morosgo Drive
Infos : Atlanta
Infos : GA
Infos : 30324
Country : United States (US)
Abuse E-mail : abuse at bellsouth.net
Source : ARIN
Network traffic looks like this:
Wed Oct 22 04:59:02 2008 (local time)
132.236.132.43:3026<--TCP-->65.12.238.82:7000
PING :clserver..:F22!TsInternetUser at admin.com PRIVMSG #m# :.login
01470147..:F22
Happy hunting.
-Dan
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security community. Confidentiality is essential for effective
Internet security counter-measures.