[nsp-sec] Botnet C&C at AS8447 (TELEKOM-AT) 188.20.127.51 ##!woot

Carles Fragoso cfragoso at cesicat.cat
Tue Mar 2 15:38:47 EST 2010


Hi,

During an incident we identified a botnet C&C at AS8447 (TELEKOM-AT) 188.20.127.51.

[Querying v4.whois.cymru.com]
[v4.whois.cymru.com]
AS      | IP               | AS Name
8447    | 188.20.127.51    | TELEKOM-AT Telekom Austria AutonomousSystem

Warm regards,

-- Carlos

aut-num:         AS8447
as-name:         TELEKOM-AT
descr:           Telekom Austria AutonomousSystem

inetnum:         188.20.127.48 - 188.20.127.55
netname:         HERBERTWANIA-HWY-AT
descr:           Herbert Wania Elektroinstallationsges.m.b.H.
descr:           Wachaustrasse
descr:           3631 Ottenschlag
country:         AT
admin-c:         HMH25-RIPE
tech-c:          HMH25-RIPE
status:          ASSIGNED PA
mnt-by:          AS8447-MNT
mnt-lower:       AS8447-MNT
source:          RIPE # Filtered

NOTICE *** If you are having problems connecting due to ping timeouts, please type /quote pong 3B5B022E or /raw pong 3B5B022E now.
003: PING
PONG 3B5B022E
001: Welcome to the land.of.coon IRC Network {00-ESP-XP-PIMPAM-2549}!blaze@*
002: Your host is land.of.coon, running version Unreal3.2-beta19
003: This server was created Sun Feb  8 18:58:31 2004
004: land.of.coon Unreal3.2-beta19 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzN
005: MAP KNOCK SAFELIST HCN MAXCHANNELS=10 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 are supported by this server
005: WALLCHOPS WATCH=128 SILENCE=5 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSM NETWORK=land.of.coon CASEMAPPING=ascii are supported by this server
422: MOTD File is missing
{00-ESP-XP-PIMPAM-2549} MODE +i
JOIN ##!woot
JOIN ##!woot
332: ##!woot .scan SVRSVC_ESP 100 3 0 -e -b -r -s
333: ##!woot {l1nk} 1267555467
353: @ ##!woot {00-ESP-XP-PIMPAM-2549} @{l1nk} @{weeble}
366: ##!woot End of /NAMES list.
WHO ##!woot
MODE ##!woot b
367: ##!woot z* standby 1267133912
367: ##!woot y* standby 1267133912
367: ##!woot x* standby 1267133912
367: ##!woot w* standby 1267133912
367: ##!woot v* standby 1267133912
367: ##!woot u* standby 1267133912
367: ##!woot t* standby 1267133912
367: ##!woot s* standby 1267133912
367: ##!woot r* standby 1267133912
367: ##!woot q* standby 1267133912
367: ##!woot p* standby 1267133912
367: ##!woot o* standby 1267133912
367: ##!woot n* standby 1267133912
367: ##!woot m* standby 1267133912
367: ##!woot l* standby 1267133912
367: ##!woot k* standby 1267133912
367: ##!woot j* standby 1267133912
367: ##!woot i* standby 1267133912
367: ##!woot h* standby 1267133912
367: ##!woot g* standby 1267133912
367: ##!woot f* standby 1267133912
367: ##!woot e* standby 1267133912
367: ##!woot d* standby 1267133912
367: ##!woot c* standby 1267133912
367: ##!woot b* standby 1267133912
367: ##!woot a* standby 1267133912
368: ##!woot End of Channel Ban List
MODE ##!woot
324: ##!woot +smntu
329: ##!woot 1267103261
MODE ##!woot
-----




