[nsp-sec] Botnet info? (Attn: AS30506)
Rob Thomas
robt at cymru.com
Wed Oct 22 11:06:20 EDT 2008
Hey again, Dan.
OOPS! Let's try this again. :)
Rob Thomas accidentally hit "send" while writing:
> Hey, Dan.
>
>> We're seeing some bad IRC traffic heading toward 66.249.128.230.
Looks like that one has been a C&C going back to at least 2008-07-10
22:11:38 UTC on TCP 9899. There are a few interesting DNS RRs pointed
to that IP.
timestamp           | dns_name                 | ip
--------------------+--------------------------+----------------
2008-07-09 08:15:01 | 1337.reipmav.net         | 66.249.128.230
2008-07-09 09:15:01 | 31337.reipmav.net        | 66.249.128.230
2008-07-11 05:15:01 | aw.ms6ol.net             | 66.249.128.230
2008-10-21 23:35:14 | hail.dns2go.com          | 66.249.128.230
2008-07-09 08:15:01 | handsome.arabicwolf.info | 66.249.128.230
2008-07-09 08:15:01 | handsome.linux-site.net  | 66.249.128.230
2008-07-09 09:15:01 | nt.reipmav.net           | 66.249.128.230
2008-07-11 05:15:01 | pro.ms6ol.net            | 66.249.128.230
2008-07-11 05:15:01 | q8top.ms6ol.net          | 66.249.128.230
2008-07-11 09:03:20 | s.reipmav.net            | 66.249.128.230
2008-07-11 05:15:01 | wwff.ms6ol.net           | 66.249.128.230
It's been in the ddos-rsv2.txt file for a while as:
66.249.128.230 6667/tcp bot ID: irc.priv8net.com DNSRR: 1337.reipmav.net PORTS: 7000_9899
Ah, there are other C&C ports - 6667, 9899, and 3921. We see 12 samples
in our malware menagerie that point to this IP.
Looks like this one has been an IRC bounce going back to at least
2008-07-11 02:31:16 UTC.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
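As an added defender-side example (not part of Rob's post or of any Team Cymru tooling), the Python below parses the ddos-rsv2.txt entry quoted above and flags constructed flow and DNS log lines that touch the indicators the post names. The flow and query line formats, and the reading of the PORTS field as an underscore-separated list, are assumptions.

```python
import re

# Indicators from the post: C&C address, its TCP ports, a few of its DNS names.
CC_IP = "66.249.128.230"
CC_PORTS = {6667, 9899, 3921}
CC_NAMES = {"1337.reipmav.net", "aw.ms6ol.net", "hail.dns2go.com"}

# Shape of the ddos-rsv2.txt line quoted in the post; PORTS split on '_' is assumed.
RSV2_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)/(?P<proto>\w+)\s+(?P<kind>\w+)"
    r"\s+ID:\s*(?P<id>\S+)\s+DNSRR:\s*(?P<dnsrr>\S+)\s+PORTS:\s*(?P<ports>\S+)\s*$"
)

def parse_rsv2(line):
    """Parse one ddos-rsv2.txt entry into a dict; port fields become ints."""
    m = RSV2_RE.match(line)
    if m is None:
        raise ValueError("not a ddos-rsv2 entry: %r" % line)
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["ports"] = {int(p) for p in rec["ports"].split("_")} | {rec["port"]}
    return rec

def flag_flows(flow_lines, cc_ip, cc_ports):
    """Return (ts, src, dport) for TCP flows to cc_ip on a known C&C port.
    Lines are 'ts src dst dport proto' (a constructed, minimal flow format)."""
    hits = []
    for line in flow_lines:
        ts, src, dst, dport, proto = line.split()
        if proto == "tcp" and dst == cc_ip and int(dport) in cc_ports:
            hits.append((ts, src, int(dport)))
    return hits

def flag_dns(query_lines, cc_names):
    """Return (client, qname) for 'client qname' lines naming a known C&C RR."""
    hits = []
    for line in query_lines:
        client, qname = line.split()
        if qname.lower().rstrip(".") in cc_names:
            hits.append((client, qname))
    return hits

# Constructed sample data; 192.0.2.0/24 is documentation address space.
SAMPLE_FLOWS = [
    "2008-10-22T10:00:01 192.0.2.10 66.249.128.230 6667 tcp",   # hit
    "2008-10-22T10:00:09 192.0.2.12 66.249.128.230 9899 udp",   # not TCP, ignored
    "2008-10-22T10:00:12 192.0.2.13 66.249.128.230 3921 tcp",   # hit
]
SAMPLE_QUERIES = ["192.0.2.10 1337.reipmav.net.", "192.0.2.11 www.example.com."]
```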