[nsp-sec] known botnet controllers on IRC servers?

SURFcert - Peter p.g.m.peters at utwente.nl
Wed Jan 28 07:27:38 EST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Our tracking system was triggered based on a connection from a local
host to 72.20.23.74:6667. After investigating the flows the local host
initiated we have found a few other possible controllers.

Although these ones seem to run on legitimate IRC servers:
38.106.105.132:6667
209.20.75.209:6667
77.222.64.71:6667

The last one does not accept any traffic on 6667 (anymore) but we have
seen 6667 traffic coming from that host.

The local host has performed one other connection besides 6667 traffic
and that is to port 80 of 69.12.97.166 (this is a reCAPTCHA API
server). Is this botnet trying to solve reCAPTCHAs?

- --
Peter Peters
SURFcert Officer off Duty
cert at surfnet.nl                            http://cert.surfnet.nl/
office-hours: +31 302 305 305    emergency (24/7): +31 622 923 564
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJgE85elLo80lrIdIRAo8pAJ4q1fOrwBLcWGryWyiNZalg+YSK1gCgp1Q0
h1KtQK1PI19CGKUJzKBC6F0=
=OL/x
-----END PGP SIGNATURE-----
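
The flow pivot described in the message above, as an added example (not part of the original post and not SURFcert's tooling): starting from the watchlisted controller, it lists every other destination the triggering host initiated, separating port 6667 candidates from other traffic. The CSV layout, the 192.0.2.x local addresses, the timestamps and the function names are assumptions.

```python
import csv
import io

# Watchlist entry taken from the message above.
KNOWN_CONTROLLERS = {("72.20.23.74", 6667)}

# Constructed flow export (not real data). Assumed column layout:
# start time, source, destination, destination port, protocol.
# 192.0.2.x addresses are placeholders for local hosts.
SAMPLE_FLOWS = """\
2009-01-28T09:00:01,192.0.2.10,72.20.23.74,6667,tcp
2009-01-28T09:00:05,192.0.2.10,38.106.105.132,6667,tcp
2009-01-28T09:00:09,192.0.2.10,209.20.75.209,6667,tcp
2009-01-28T09:01:12,192.0.2.10,69.12.97.166,80,tcp
2009-01-28T09:02:30,192.0.2.20,209.20.75.209,6667,tcp
2009-01-28T09:03:00,192.0.2.10,72.20.23.74,6667,tcp
"""


def parse_flows(text):
    """Yield (src, dst, dport) for each record in the CSV export."""
    for _ts, src, dst, dport, _proto in csv.reader(io.StringIO(text)):
        yield src, dst, int(dport)


def pivot(flows, watchlist=KNOWN_CONTROLLERS, port=6667):
    """For each local host that contacted a watchlisted controller, collect
    its other destinations: same-port ones are controller candidates, the
    rest is context (e.g. the port 80 connection in the message)."""
    flows = list(flows)
    triggered = {src for src, dst, dport in flows if (dst, dport) in watchlist}
    report = {h: {"same_port": set(), "other": set()} for h in triggered}
    for src, dst, dport in flows:
        if src not in triggered or (dst, dport) in watchlist:
            continue  # ignore clean hosts and the already-known controller
        bucket = "same_port" if dport == port else "other"
        report[src][bucket].add((dst, dport))
    return report


if __name__ == "__main__":
    for host, found in pivot(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "candidate controllers:", sorted(found["same_port"]))
        print(host, "other destinations:", sorted(found["other"]))
```

Same-port destinations are only candidates: as the message notes, they may be legitimate IRC servers, so each still needs checking before it goes on a watchlist.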