[nsp-sec] Compromised hosts connecting to ircd c&c
Gabriel Iovino
giovino at ren-isac.net
Wed Feb 18 17:01:45 EST 2009
Greetings,

The REN-ISAC alerted a .edu of an ircd botnet C&C at their institution.
The .edu monitored some of the traffic on the host:port and concluded
that it indeed seemed to be botnet activity; they proceeded to block
traffic to said host.

Below are IPs seen connecting to the host:port that the ircd was
listening on.

Format:
AS | SrcIP | SrcPort | Timestamp GMT-5 | AS Name

http://www.ren-isac.net/data/bjibdutymeoknqe/2009-02-17.txt
http://www.ren-isac.net/data/bjibdutymeoknqe/2009-02-18.txt

Regards,

Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
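Added example, not part of the original post: a recipient-side parser for the `AS | SrcIP | SrcPort | Timestamp GMT-5 | AS Name` rows that keeps only hosts in the recipient's own ASNs or prefixes and converts the GMT-5 timestamps to UTC so they can be matched against NAT or DHCP logs. The timestamp layout, the sample rows and the function names are assumptions; the post does not show a data row.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

FEED_TZ = timezone(timedelta(hours=-5))  # the post states timestamps are GMT-5
TS_FORMAT = "%Y-%m-%d %H:%M:%S"          # assumed layout; the post does not show one

# Constructed sample rows (documentation ASNs and prefixes, not real feed data).
SAMPLE = """\
64496 | 192.0.2.10 | 1042 | 2009-02-17 14:03:22 | EXAMPLE-NET-A
64496 | 192.0.2.10 | 1077 | 2009-02-17 23:58:40 | EXAMPLE-NET-A
64511 | 198.51.100.7 | 3301 | 2009-02-18 09:15:02 | EXAMPLE-NET-B, with | pipe
not a data row
64496 | 999.1.1.1 | 80 | 2009-02-18 09:15:02 | EXAMPLE-NET-A
"""

def parse_row(line):
    """Return a dict for one feed row, or None if the row is malformed."""
    parts = [p.strip() for p in line.split("|", 4)]  # AS name may contain '|'
    if len(parts) != 5:
        return None
    try:
        asn = int(parts[0])
        ip = ipaddress.ip_address(parts[1])
        port = int(parts[2])
        local = datetime.strptime(parts[3], TS_FORMAT).replace(tzinfo=FEED_TZ)
    except ValueError:
        return None
    if not 0 < port < 65536:
        return None
    return {"asn": asn, "ip": ip, "port": port,
            "utc": local.astimezone(timezone.utc), "as_name": parts[4]}

def hosts_for(feed_text, my_asns=(), my_prefixes=()):
    """Group rows by source IP for hosts in our ASNs or prefixes.
    Returns {ip: [(utc_datetime, src_port), ...]} with each list sorted by time."""
    nets = [ipaddress.ip_network(p) for p in my_prefixes]
    hits = {}
    for line in feed_text.splitlines():
        row = parse_row(line)
        if row and (row["asn"] in my_asns or any(row["ip"] in n for n in nets)):
            hits.setdefault(str(row["ip"]), []).append((row["utc"], row["port"]))
    for seen in hits.values():
        seen.sort()
    return hits

if __name__ == "__main__":
    for ip, seen in hosts_for(SAMPLE, my_asns={64496}).items():
        for when, port in seen:
            print(ip, port, when.isoformat())
```

The source port and UTC time together are what a NAT or firewall log needs to map a listed address back to an internal host.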