[nsp-sec] ajax.whitehat.cc botnet
Gabriel Iovino
giovino at ren-isac.net
Tue Sep 1 14:01:37 EDT 2009
Dirk Stander wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> please find attached a list of IPs which were connected to an
> IRC based botnet. The controller was ajax.whitehead.cc /
> 87.106.24.105:9999 (which is now connected to 72.8.167.167).
>
> Most of the machines are cracked UNIX boxes -- I'm quite sure the
> intrusion vectors are outdated phpmyadmin installations.
>
> The herder's nick is Jaffa at 81.181.17.71, he is also using
> server1.whitehat.cc / 67.159.34.131 as target for connect-back shells.
>
> The connections are from Tue Sep 1 14:54:17 2009 UTC
A sanitized notification will be sent to the following:
> 6128 | 192.107.39.2 | US | CABLE-NET-1 - Cablevision Systems Corp.
FYI..
> whois 192.107.39.2
> OrgName: Drew University
Thank you!
Gabe
--
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630