[nsp-sec] compromised unix systems
Tim Wilde
twilde at cymru.com
Wed Aug 26 09:32:50 EDT 2009
On 8/26/2009 1:44 AM, Rolf Gartmann wrote:
> ----------- nsp-security Confidential --------
>
> Hello nsp-sec,
>
> based on an incident report from one of our customers,
> there is a C&C at 69.163.33.101 port 8080 (yes Team Cymru,
> feel free to add it ;)
Rolf & NSP-SEC,
It looks like this may have been a small private network being abused
without the operator's consent. I'm now seeing this when trying to connect:
Closing: (This is a private IRC network. Please request access
<solar at strawberrycupcak.es> before attempting to connect.)
Not exactly a good way to collect bots, if I do say so myself, unless
they're using another C&C mechanism to say "hey, I'm going to be
connecting" and open the ACL first (which I suppose might be possible
with the attack vectors you mentioned). Unfortunately, there's no way
we can tell the difference, so we would have to err on the side of not
listing this right now.
If anyone has malware pointing here, we'd love to see it though, it
might help enlighten us and allow us to list the C&C if appropriate.
Thanks,
Tim
--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/