[nsp-sec] malware site and C&C's on port 9191
Dave Monnier
dmonnier at cymru.com
Tue Jun 2 17:05:47 EDT 2009
On 6/2/09 3:51 PM, SURFcert - Peter wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> I am helping somebody cleaning up a compromised host. At this moment I
> have found the host gets its malware from:
> hxxp://www .raindrip .com/cms/c.txt
>
> After compiling it runs the program and tries to connect to port 9191 on
> a number of hosts:
>
> 209-20-65-73.slicehost.net
> 207.213.245.215
> 76.9.0.102
> h-74-3-40-137-static.lsanca54.covad.net
>
Hi Peter,
This is a perl bot connecting to irc.momok.org, a racrew IRCD. There are
a few other IPs in that RR.
irc.momok.org has address 76.9.0.102
irc.momok.org has address 207.213.245.215
irc.momok.org has address 74.3.40.137
irc.momok.org has address 209.20.65.73
irc.momok.org has address 213.219.244.85
TCP/9191 is listening on them all, but there's a number of "human"
channels on the network.
List: #help 4 [+ntrOC] ¤ [ Welcome #Help RaCrew and AUXnet
Network ] NickServ register: /ns register password email, ChanServ
register: /cs register #NameChannel password description |
http://racrew.us ¤ (jason) (jason) (jason)
List: #denpasar 1 [+ntr] welC0m3 to denpasar at raCrew.us have a
nice chat in here,,,!! ;-) (^SariteM^)
List: #nixplanet 1 [+ntr] Official channel server
nixplanet.racrew.us = /server irc.nixplanet.net = 202.59.201.99 : 6667
(Nixplanet) (Nixplanet)yoa (Nixplanet) (Nixplanet) (Nixplanet)
(Nixplanet) (Nixplanet) (Nixplanet) (Nixplanet)
List: #services 9 [+ntr] Welcome to #Services RaCrew Network |
[ Services status is GOOD ] Info source: wget
http://www.vshell.net/auxnet/unreal-racrew.tar.gz;tar xvzf
unreal-racrew.tar.gz; rm -rf unreal-racrew.tar.gz;mv Unreal3.2
sendmails;cd sendmails;./Config -nointro (Cryssant) (Cryssant)
List: * 10
List: #staff 2 [+ntr] http://RaCrew.us/ |
http://www.friendster.com/group/tabmain.php?gid=219863<-- GROUP FS..JOIN
YAKZ | Gathering daerah Cilacap, Kroya, Purwokerto, Ajibarang (SEGERA).
||Happy Valentine Day f0r aLL ^_* LuPh You aLL|| (NewBie_GirL)
(NewBie_GirL) (NewBie_GirL) (NewBie_GirL)
List: #Purwokerto 1 [+ntr] « [ Welcome to #Purwokerto @ RaCrew ]
» (Rizky) (Rizky) (Rizky) (Rizky) (Rizky) (Rizky) (Rizky) (Rizky)
(Rizky) (Rizky) (Rizky) (Rizky) (Rizky) (Rizky) (Rizky) (Rizky)
List: #forgot 1 [+ntr] ¯¯¯`*.`*. Welcome to #forgot, Need help
about your pass channel or pass nickname, ask with oper online
.*´.*´¯¯¯. Type !Forgot on here for staff/OPs help your problem | Need
help? /join #Help | Don't idle here! (arjuna) (arjuna) (arjuna)
List!: #racrew 184 [+ntr] http://www.racrew.us | Don't path the
dork! | Don't flood the bot! | Join #CCPower for trade !!
http://smkn1gorontalo.sch.id <<< siapa yg bisa jebol ini tak kasih
hadiah janji serius nih jadi ayo2 (MrOneX) (Anubias) (Anubias)
List: #SurabayaHackerLink 1 [+ntr] Welcome to
#SurabayaHackerLink -r at cReW have a nice chat (^SariteM^) (^SariteM^)
(^SariteM^) (^SariteM^) (^SariteM^)
List: * 172
List: #nuckek 1
List!: #ccpower 5 [+mntir] -= Welcome to #CCpower at
irc.racrew.us | RULES: @ % +v verify first | Note: To Report Any Ripper
Join #Rippers |' (Injected) (Injected) (Injected) (Injected) (Injected)
On connect, users autojoin #racrew.
With this high of a human/bot ratio, we'll have to take a little closer
look before making it part of the ddosrs. There's plenty of miscreant
activity going on though.
Cheers,
-Dave
--
Dave Monnier, Senior Systems Engineer, Team Cymru
http://www.cymru.com/ | +1 630 230 5442 | dmonnier at cymru.com
* See our Twitter feed at http://twitter.com/teamcymru
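The correlation Dave performs by hand above (matching the TCP/9191 targets seen from the compromised host against the A records of the suspected IRC C&C hostname) as an added triage helper; this is example code written for this page, not something from the thread or from Team Cymru. The A-record set and observed targets are embedded from the messages above so it runs offline; the dashed-octet hostname parsing is an assumption about how those reverse-style hostnames are built.

```python
"""Correlate outbound C&C targets observed on a compromised host with the
A records of a suspected IRC C&C hostname (irc.momok.org in the thread)."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Hostnames such as 209-20-65-73.slicehost.net or
# h-74-3-40-137-static.lsanca54.covad.net embed the IPv4 address as dashed octets.
_DASHED_IPV4 = re.compile(r"(?<![0-9])(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?![0-9])")


def target_to_ip(target: str) -> Optional[str]:
    """Return the IPv4 address for a literal IP or an IP-bearing hostname, else None."""
    try:
        return str(ipaddress.IPv4Address(target))
    except ipaddress.AddressValueError:
        pass
    m = _DASHED_IPV4.search(target)
    if not m:
        return None
    try:
        # Reject things like 1-2-3-300 that look like octets but are not an address.
        return str(ipaddress.IPv4Address(".".join(m.groups())))
    except ipaddress.AddressValueError:
        return None


def correlate(observed: List[str], rr_addresses: List[str]
              ) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Split observed targets into RR members, non-members, and RR members never seen."""
    resolved = {t: target_to_ip(t) for t in observed}
    rr = set(rr_addresses)
    matched = {t: ip for t, ip in resolved.items() if ip in rr}
    unmatched = [t for t, ip in resolved.items() if ip not in rr]
    unseen = sorted(rr - set(matched.values()), key=ipaddress.IPv4Address)
    return matched, unmatched, unseen


# Data taken from the thread: the TCP/9191 targets Peter saw, and the
# irc.momok.org A records Dave listed.
OBSERVED_TARGETS = ["209-20-65-73.slicehost.net", "207.213.245.215",
                    "76.9.0.102", "h-74-3-40-137-static.lsanca54.covad.net"]
IRC_MOMOK_ORG_A = ["76.9.0.102", "207.213.245.215", "74.3.40.137",
                   "209.20.65.73", "213.219.244.85"]

if __name__ == "__main__":
    matched, unmatched, unseen = correlate(OBSERVED_TARGETS, IRC_MOMOK_ORG_A)
    print("in RR:", matched)
    print("not in RR:", unmatched)
    print("RR members not contacted:", unseen)
```

An unmatched target is the interesting output for a responder: it points at a second C&C that the DNS name alone would not reveal.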