[nsp-sec] Botnet C&C at AS3764 and AS29131
Carles Fragoso
cfragoso at cesicat.cat
Wed Mar 10 10:55:22 EST 2010
Hi,
We have found a couple of IPs that are acting as an IRC C&C at 64.31.213.2 in AS3764 (EU) and 78.129.228.56 in AS29131 (AU) over tcp/6900:
> NICK {00-ESP-XP-TONI-0959}
>
> :{00-ESP-XP-TONI-0959}!blaze@?.?.?.? JOIN :##!woot
> :lost.the.land 332 {00-ESP-XP-TONI-0959} ##!woot :.scan SVRSVC_ESP 100 3 0 -e -b -r -s
> :lost.the.land 333 {00-ESP-XP-TONI-0959} ##!woot weeble 1268220786
> :lost.the.land 353 {00-ESP-XP-TONI-0959} @ ##!woot :{00-ESP-XP-TONI-0959} @weeble
> :lost.the.land 366 {00-ESP-XP-TONI-0959} ##!woot :End of /NAMES list.
> AS | IP | AS Name
> 3764 | 64.31.213.2 | IA-HOU-AS - Internet America, Inc.
> 29131 | 78.129.228.56 | RAPIDSWITCH-AS RapidSwitch
I have seen that one of them is quite close to this one on the DDoS-RS list:
> irc.1andallirc.net BOTNET A 78.129.228.55 29131 2009-10-18 11:30:23 ACTIVE TCP 6668
Our SOC has notified us that the IPS signature describes it as related to Backdoor.Win32.Spyboter.g (but the knowledge-base entry for it is from 2005).
Regards,
-- Carlos
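The capture above is a textbook topic-driven IRC C&C: the bot sets a machine-generated nick, joins the channel, and the server's RPL_TOPIC (332) hands it its orders while RPL_TOPICWHOTIME (333) tells us who set the order and when. The following script is an added example (not part of the original post or of any tool mentioned in it) that parses those raw lines and extracts the indicators a SOC would want to record. The bot-nick pattern and the "topic starts with a dot-command" heuristic are assumptions derived from this one capture, and the final PRIVMSG line in the sample is constructed to show traffic that is not flagged.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Server-to-client IRC framing (RFC 1459): [":" prefix SPACE] command [params] [" :" trailing]
# Simplification: a ":" inside a middle parameter (e.g. an IPv6 literal) would be read as trailing.
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<command>\S+)(?:\s+(?P<params>[^:]*?))?(?:\s*:(?P<trailing>.*))?$"
)

# Assumption (heuristic, not from the post): machine-generated nicks of the form
# {NN-CC-OS-HOST-NNNN}, matching "{00-ESP-XP-TONI-0959}" in the capture.
BOT_NICK = re.compile(r"^\{\d{2}-[A-Z]{2,3}-[A-Z0-9]+-[A-Z0-9]+-\d{4}\}$")

# Assumption: a channel topic beginning with a dot-command ("." + word) is a bot order.
TOPIC_COMMAND = re.compile(r"^\.(?P<cmd>[A-Za-z]\w*)(?:\s+(?P<args>.*))?$")

# Sample input: the lines quoted in the post above (quote markers removed),
# plus one constructed benign PRIVMSG at the end that must not be flagged.
CAPTURE = [
    "NICK {00-ESP-XP-TONI-0959}",
    ":{00-ESP-XP-TONI-0959}!blaze@?.?.?.? JOIN :##!woot",
    ":lost.the.land 332 {00-ESP-XP-TONI-0959} ##!woot :.scan SVRSVC_ESP 100 3 0 -e -b -r -s",
    ":lost.the.land 333 {00-ESP-XP-TONI-0959} ##!woot weeble 1268220786",
    ":lost.the.land 353 {00-ESP-XP-TONI-0959} @ ##!woot :{00-ESP-XP-TONI-0959} @weeble",
    ":lost.the.land 366 {00-ESP-XP-TONI-0959} ##!woot :End of /NAMES list.",
    ":weeble!op@example.invalid PRIVMSG ##!woot :hello",  # constructed, benign
]


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Split one raw IRC line into prefix / command / middle params / trailing text."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    params = m.group("params").split() if m.group("params") else []
    return IrcMessage(m.group("prefix"), m.group("command").upper(), params, m.group("trailing"))


def analyze_capture(lines: List[str]) -> Dict[str, List]:
    """Walk a captured client<->server exchange and collect the C&C indicators."""
    findings: Dict[str, List] = {"bot_nicks": [], "channels": [], "topic_commands": []}
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg is None:
            continue
        if msg.command == "NICK" and msg.params and BOT_NICK.match(msg.params[0]):
            findings["bot_nicks"].append(msg.params[0])
        elif msg.command == "JOIN" and msg.trailing:
            findings["channels"].append(msg.trailing)
        elif msg.command == "332" and msg.trailing:  # RPL_TOPIC: <nick> <channel> :<topic>
            cm = TOPIC_COMMAND.match(msg.trailing)
            if cm:
                findings["topic_commands"].append({
                    "server": msg.prefix,
                    "channel": msg.params[-1],
                    "command": cm.group("cmd"),
                    "args": (cm.group("args") or "").split(),
                })
        elif msg.command == "333" and len(msg.params) >= 4 and findings["topic_commands"]:
            # RPL_TOPICWHOTIME: <nick> <channel> <setter> <unix time> -> attribute the last order
            last = findings["topic_commands"][-1]
            last["set_by"] = msg.params[2]
            last["set_at"] = datetime.fromtimestamp(int(msg.params[3]), tz=timezone.utc).isoformat()
    return findings


if __name__ == "__main__":
    for key, values in analyze_capture(CAPTURE).items():
        print(key)
        for v in values:
            print("   ", v)
```

Running it on the capture yields the bot nick, the channel `##!woot`, and a single order `scan` with its argument vector, attributed to `weeble` at 2010-03-10T11:33:06Z (the 333 timestamp), which lines up with the time of the post. Feeding the same function a live IRC sniff of the tcp/6900 flows from the two listed hosts would turn every new RPL_TOPIC into a dated record of what the herder told the bots to do.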