[nsp-sec] Botnet info? (Attn: AS30506)
Jose Nazario
jose at arbor.net
Wed Oct 22 11:17:07 EDT 2008
>> We're seeing some bad IRC traffic heading toward 66.249.128.230.
ddos botnet.
Host detail for 66.249.128.230
Related DNS Queries
AML ID   Query                      Answer
335738   handsome.arabicwolf.info   66.249.128.230
374740   s.reipmav.net              66.249.128.230
380716   msws.ms6ol.net             66.249.128.230
Recent DDoS (limited to past day; been active as a DDoS controller since at least 2008-07-12)
Botnets
C&C                               C&C Port   Timestamp             Active
66.249.128.230 (66.249.128.230)   9890       2008-10-22 07:25:15   True
aw.ms6ol.net (66.249.128.230)     6667       2008-07-11 22:01:58   False
66.249.128.230 (66.249.128.230)   6667       2008-10-22 07:25:15   True
66.249.128.230 (66.249.128.230)   9899       2008-10-22 07:25:15   True
66.249.128.230 (66.249.128.230)   9899       2008-10-22 07:25:15   True
66.249.128.230 (66.249.128.230)   7000       2008-10-22 07:25:15   True
66.249.128.230 (66.249.128.230)   7000       2008-10-22 07:25:15   True
66.249.128.230 (66.249.128.230)   9890       2008-10-22 07:25:15   True
66.249.128.230 (66.249.128.230)   6667       2008-10-22 07:25:15   True
data sources include arbor and shadowserver.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
manager of security research arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/