[nsp-sec] Attn Rackspace AS33070 - IRC C&C on 50.56.219.87 port 8080 #anonymous
James A. T. Rice
james_r-nsp at jump.org.uk
Fri Dec 23 22:44:43 EST 2011
Inspector Sands to the white courtesy phone please.

This appears to be the C&C channel for the DoS mentioned in my post
yesterday. Nicks present in the channel suggest a bunch of php bots.

Happy Christmas all

Cheers
James

Airbus-MA:~ jamesr$ telnet 50.56.219.87 6667
Trying 50.56.219.87...
telnet: connect to address 50.56.219.87: Connection refused
telnet: Unable to connect to remote host
Airbus-MA:~ jamesr$ telnet 50.56.219.87 8080
Trying 50.56.219.87...
Connected to ircd.undo.it.
Escape character is '^]'.
:irc.subzero.org NOTICE AUTH :*** Looking up your hostname...
:irc.subzero.org NOTICE AUTH :*** Found your hostname
NICK foo
UPING :69183B8A
SER ba r b bar
PONG :69183B8A
:irc.subzero.org 001 foo :Welcome to the subzero network IRC Network
foo!ba at gw.jump.me.uk
:irc.subzero.org 002 foo :Your host is irc.subzero.org, running version
Unreal3.2.9
:irc.subzero.org 003 foo :This server was created Wed Dec 21 2011 at
19:22:07 UTC
:irc.subzero.org 004 foo irc.subzero.org Unreal3.2.9
iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ
:irc.subzero.org 005 foo UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10
CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32
TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this
server
:irc.subzero.org 005 foo WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15
MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+
CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ NETWORK=subzero-network
CASEMAPPING=ascii EXTBAN=~,qjncrR ELIST=MNUCT STATUSMSG=~&@%+ :are
supported by this server
:irc.subzero.org 005 foo EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are
supported by this server
:irc.subzero.org 251 foo :There are 1 users and 265 invisible on 1 servers
:irc.subzero.org 253 foo 2 :unknown connection(s)
:irc.subzero.org 254 foo 2 :channels formed
:irc.subzero.org 255 foo :I have 266 clients and 0 servers
:irc.subzero.org 265 foo :Current Local Users: 266 Max: 335
:irc.subzero.org 266 foo :Current Global Users: 266 Max: 335
:irc.subzero.org 422 foo :MOTD File is missing
:foo MODE foo :+iwx
who 0
:irc.subzero.org 352 foo * ba subzero-B596BB28.jump.me.uk irc.subzero.org
foo H :0 bar
:irc.subzero.org 315 foo * :End of /WHO list.
list
:irc.subzero.org 321 foo Channel :Users Name
:irc.subzero.org 322 foo * 253 :
:irc.subzero.org 322 foo #anonymous 13 :
:irc.subzero.org 323 foo :End of /LIST
join #anonymous
:foo!ba at subzero-B596BB28.jump.me.uk JOIN :#anonymous
:irc.subzero.org 353 foo = #anonymous :foo [A]php354869 [A]php459965
[A]php403255 [A]php900761 [A]php979144 [A]php656913 [A]php643125
anonymous|50047 [A]php682322 [A]php422070 anonymous|461840 anonymous|
@[A]php189714
:irc.subzero.org 366 foo #anonymous :End of /NAMES list.
PING :irc.subzero.org
PONG :irc.subzero.org
PING :irc.subzero.org
PONG :irc.subzero.org
PING :irc.subzero.org
PONG :irc.subzero.org
PING :irc.subzero.org
ERROR :Closing Link: foo[gw.jump.me.uk] (Ping timeout)
Connection closed by foreign host.
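
Added example, not part of the original post: a Python version of the check the message makes by eye, parsing the 353 NAMES reply from the session above and counting the channel's nicks by family. The two nick patterns and the re-joined sample line are assumptions drawn from this one session, not a general bot signature.

```python
import re
from collections import Counter

# Constructed sample: the 353 (RPL_NAMREPLY) reply from the session, with the
# mail archive's line wraps joined back into a single server line.
SAMPLE = (
    ":irc.subzero.org 353 foo = #anonymous :foo [A]php354869 [A]php459965 "
    "[A]php403255 [A]php900761 [A]php979144 [A]php656913 [A]php643125 "
    "anonymous|50047 [A]php682322 [A]php422070 anonymous|461840 anonymous| "
    "@[A]php189714\r\n"
    ":irc.subzero.org 366 foo #anonymous :End of /NAMES list.\r\n"
)

STATUS_PREFIXES = "~&@%+"  # from the server's 005 line: PREFIX=(qaohv)~&@%+

# Assumed heuristics taken from the nicks in this one session.
FAMILIES = {
    "php-bot": re.compile(r"^\[A\]php\d+$"),
    "anonymous": re.compile(r"^anonymous\|\d*$"),
}
NAMREPLY = re.compile(r"^:\S+ 353 \S+ [=*@] (\S+) :(.*)$")

def parse_names(raw):
    """Return {channel: [(status_prefix, nick), ...]} from raw server lines."""
    channels = {}
    for line in raw.splitlines():
        m = NAMREPLY.match(line)
        if not m:
            continue  # not a NAMES reply (e.g. the 366 terminator)
        channel, names = m.groups()
        for token in names.split():
            nick = token.lstrip(STATUS_PREFIXES)
            status = token[: len(token) - len(nick)]
            channels.setdefault(channel, []).append((status, nick))
    return channels

def classify(members, own_nick):
    """Count nick families in a channel, skipping the observer's own nick."""
    counts = Counter()
    for _status, nick in members:
        if nick == own_nick:
            continue
        family = next((f for f, rx in FAMILIES.items() if rx.match(nick)), "other")
        counts[family] += 1
    return counts

if __name__ == "__main__":
    members = parse_names(SAMPLE)["#anonymous"]
    print(dict(classify(members, "foo")))
```

Run over a capture of the server's replies, the same two functions give a per-channel breakdown that can go straight into an abuse report.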