[nsp-sec] ACK: Compromised hosts connecting to ircd c&c
Chisholm, Glenn L
Glenn.L.Chisholm at team.telstra.com
Mon Feb 23 19:26:57 EST 2009
AS 1221
Glenn Chisholm
General Manager, Network Security
This communication may contain CONFIDENTIAL information of Telstra Corporation Limited (ABN 33 051 775 556). It may also be the subject of LEGAL PROFESSIONAL PRIVILEGE and/or under copyright. If you are not an intended recipient, you MUST NOT keep, forward, copy, use, save or rely on this communication, and any such action is unauthorised and prohibited. If you have received this communication in error, please reply to this e-mail to notify the sender of its incorrect delivery, and then delete both it and your reply.
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Gabriel Iovino
Sent: Thursday, 19 February 2009 9:02 AM
To: NSP nsp-security
Subject: [nsp-sec] Compromised hosts connecting to ircd c&c
----------- nsp-security Confidential --------
Greetings,
The REN-ISAC alerted a .edu of an ircd botnet C&C at their institution.
The .edu monitored some of the traffic on the host:port and concluded
that it indeed seemed to be botnet activity; they proceeded to block
traffic to said host.
Below are IPs seen connecting to the host:port that the ircd was
listening on.
Format:
AS | SrcIP | SrcPort | Timestamp GMT-5 | AS Name
http://www.ren-isac.net/data/bjibdutymeoknqe/2009-02-17.txt
http://www.ren-isac.net/data/bjibdutymeoknqe/2009-02-18.txt
Regards,
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630