[nsp-sec] Botnet controller gihan.sikwon.ch port 6969 - 29073 / Ecatel ... possibly another on 44042 / eSolutions
Rob Thomas
robt at cymru.com
Tue Feb 10 20:40:02 EST 2009
Hey, Matt.
Great stuff, thanks for sharing! The nicknames are particularly useful.
> AS | IP | AS Name
> 29073 | 94.102.55.188 | ECATEL-AS AS29073, Ecatel Network
We've got 94.102.55.188 in the ddos-rsv2.txt (and now again in the ddos-rs!) as:

2009-02-02 00:14:41 UTC 94.102.55.188 6969/tcp bot ID: suckmydick.supersyn.info DNSRR: imftw.no-ip.info
Note the imftw.no-ip.info DNS RR there.
Looks like it dates back to at least 2009-01-16 23:29:00 UTC.
Yep, Linux box.
 timestamp                  | srcip         | os    | descr
----------------------------+---------------+-------+---------------
 2009-02-05 22:45:21.706886 | 94.102.55.188 | Linux | 2.6 (newer 2)
> suckmydick.sikwon.ch A 212.117.162.72
>
> AS | IP | AS Name
> 44042 | 212.117.162.72 | ROOT-AS root eSolutions
This one is in the ddos-rsv2.txt dating back to 2009-01-17 14:35:43 UTC.
212.117.162.72 6969/tcp bot ID: suckmydick.supersyn.info
It also shows up as a Linux box.
 timestamp                  | srcip          | os    | descr
----------------------------+----------------+-------+---------------
 2009-02-08 00:00:48.468873 | 212.117.162.72 | Linux | 2.6 (newer 2)
We see one sample in our malware menagerie that points to 212.117.162.72.
 timestamp           | sha1                                     | md5                              | dst_ip         | dst_port | protocol | size
---------------------+------------------------------------------+----------------------------------+----------------+----------+----------+------
 2009-02-07 00:55:17 | 84be05c9676049fba47b5ea92925bd05c8bfd7dd | 1f7a16aab7ccc35ffa6d83c019bd1caf | 212.117.162.72 |     6969 |        6 |
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
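The point of the exchange above is that two controllers on different networks (Ecatel and eSolutions) are tied together because they hand out the same bot ID, and that one record also carries a DNS RR worth tracking. As an added example, not code from Rob Thomas or Team Cymru, the script below parses feed lines shaped like the two ddos-rs records quoted in the message, treats the DNSRR field as optional (only one of the two records has it), and clusters controller endpoints by shared bot ID. The record layout is an assumption inferred from those two quoted lines; the real ddos-rs format is not documented on this page, and the sample lines are constructed copies of the ones quoted.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample feed, copied from the two ddos-rs records quoted in the
# message. The field layout below is an assumption inferred from these lines.
SAMPLE_RECORDS = """\
2009-02-02 00:14:41 UTC 94.102.55.188 6969/tcp bot ID: suckmydick.supersyn.info DNSRR: imftw.no-ip.info
2009-01-17 14:35:43 UTC 212.117.162.72 6969/tcp bot ID: suckmydick.supersyn.info
"""

# Assumed layout: "<date> <time> UTC <ip> <port>/<proto> bot ID: <id> [DNSRR: <name>]"
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+"
    r"bot ID:\s+(?P<botid>\S+)"
    r"(?:\s+DNSRR:\s+(?P<dnsrr>\S+))?\s*$"
)


def parse_record(line):
    """Parse one feed line into a dict; the DNSRR field is None when absent."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=timezone.utc
    )
    rec["port"] = int(rec["port"])
    return rec


def parse_feed(text):
    """Parse every non-blank line of a feed dump."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def cluster_by_bot_id(records):
    """Group (ip, port, proto) controller endpoints by the bot ID they share.

    Two hosts on unrelated networks that hand out the same bot ID are very
    likely run by the same operator, which is what the message points out.
    """
    clusters = defaultdict(set)
    for rec in records:
        clusters[rec["botid"]].add((rec["ip"], rec["port"], rec["proto"]))
    return {botid: sorted(hosts) for botid, hosts in clusters.items()}


def dnsrr_names(records):
    """Collect the DNS RR names seen alongside controllers (for sinkholing/watching)."""
    return sorted({rec["dnsrr"] for rec in records if rec["dnsrr"]})


if __name__ == "__main__":
    recs = parse_feed(SAMPLE_RECORDS)
    for botid, hosts in cluster_by_bot_id(recs).items():
        print(f"{botid}: {hosts}")
    print("DNS RRs:", dnsrr_names(recs))
```

Run stand-alone it prints one cluster containing both controllers and the single imftw.no-ip.info name; feed it a longer dump and any bot ID with more than one endpoint is a candidate for the same treatment Matt and Rob gave these two.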