[nsp-sec] C&C Server: Request for information

Keith Schoenefeld keith at schoenefeld.org
Wed May 12 13:17:50 EDT 2010


We have a C&C Server on our campus (University of Illinois) at
72.36.112.141.  It's currently in a location on our network that I can
turn off, but I don't otherwise have detailed access or a reasonable
means to set up immediate flow or pcap gathering capability.  I'm
working on a span port, but because of our architecture in this
particular area it will take a bit of work (hopefully I'll start
pulling data tonight).

I'm looking for any intelligence that people may have with regard to
72.36.112.141, or the DNS name that's currently associated with it
backwards[dot]bounceme[dot]net.

In particular, I just need to know if this is a run of the mill "DDoS
for hire" botnet, or something more nefarious.  I'm (possibly
stupidly) assuming that since it currently runs over tcp/6667 it's
not terribly sophisticated, but I'm trying to cover bases.

Once a span port is set up, I plan to feed data about potentially
compromised hosts back to nsp...

-- KS
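One way to turn the span-port data the post mentions into a list of potentially compromised campus hosts is to screen flow records for TCP sessions with the named C&C address on tcp/6667. The following is an added illustration, not code from the poster or the list; the campus prefix (10.0.0.0/8), the CSV flow layout and the flow records themselves are constructed for the example, and only the C&C address and port come from the post.

```python
"""Flag internal hosts with TCP sessions to a known C&C address in flow records."""
from collections import defaultdict
import csv
import io
import ipaddress

CNC_IP = "72.36.112.141"   # C&C address named in the post
CNC_PORT = 6667            # IRC port the post mentions
# Hypothetical campus range; substitute the real internal prefixes.
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flow records (not real traffic). One flow per line.
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,src_port,dst_port,packets,bytes
10.1.2.3,72.36.112.141,tcp,51234,6667,40,2100
10.1.2.3,72.36.112.141,tcp,51235,6667,12,800
10.7.7.7,72.36.112.141,tcp,40001,6667,5,300
10.9.9.9,72.36.112.141,tcp,40002,80,3,200
10.1.2.3,198.51.100.7,tcp,51236,443,20,5000
72.36.112.141,10.5.5.5,tcp,6667,39000,8,600
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed port/counter fields."""
    reader = csv.DictReader(io.StringIO(text))
    flows = []
    for row in reader:
        flows.append({
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "proto": row["proto"].lower(),
            "src_port": int(row["src_port"]),
            "dst_port": int(row["dst_port"]),
            "packets": int(row["packets"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def is_internal(ip):
    """True if the address falls inside one of the campus prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def suspected_bots(flows, cnc_ip=CNC_IP, cnc_port=CNC_PORT):
    """Return {internal_host: {"flows": n, "bytes": b}} for every internal host
    with a TCP flow to or from cnc_ip:cnc_port. Both directions are checked
    because unidirectional flow export may only have captured the server side."""
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "tcp":
            continue
        if f["dst_ip"] == cnc_ip and f["dst_port"] == cnc_port and is_internal(f["src_ip"]):
            host = f["src_ip"]
        elif f["src_ip"] == cnc_ip and f["src_port"] == cnc_port and is_internal(f["dst_ip"]):
            host = f["dst_ip"]
        else:
            continue  # other ports (e.g. tcp/80 to the same address) are not IRC C&C sessions
        hits[host]["flows"] += 1
        hits[host]["bytes"] += f["bytes"]
    return dict(hits)


if __name__ == "__main__":
    for host, stats in sorted(suspected_bots(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{host}: {stats['flows']} flows, {stats['bytes']} bytes with C&C")
```

Matching on address and port together keeps the list tight: the constructed record to the same address on tcp/80 is deliberately left out, since only the IRC sessions support the "compromised host" conclusion the post wants to feed back to the list.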
