[nsp-sec] Possible C&C server at 213.251.184.85, port 6600
Jason Chambers
jchambers at ucla.edu
Tue Feb 1 00:49:57 EST 2011
Hi all,
We had a 1 Gbps DoS attack originate here to various targets, the latest
being random TCP ports with SYN+PUSH flags set to 203.81.81.0/24 and
118.143.230.86/32. The attack used spoofed sources from a /24 in a
downstream department. Based only on flow analysis and some follow-up
testing, it seems 213.251.184.85 is the likely C&C server as it looks
sketchy and has maintained communication to a single host in that subnet
for some time now.
Attached is a capture of the IRC server details and channels. The nicks
are random 9-character strings with spoofed masks (asdlwosxd at i.love.debian.org).
No idea on the malware... if I'm lucky the staff will relay what they find.
AS | IP | AS Name
16276 | 213.251.184.85 | OVH OVH
Regards,
--
Jason Chambers
UCLA
jchambers at ucla.edu
310-206-5603
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 213.251.184.85--port-6600.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20110131/466f486f/attachment-0001.txt>
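The post describes three flow-level observations that together pointed at the infected host: spoofed sources from a department prefix, SYN+PUSH packets sprayed at random TCP ports, and one internal host holding a long-lived conversation with a single external peer on an unusual port. The script below is an added example (not code from the original post or from its author) that runs those three checks over constructed NetFlow-like records. The interface-to-prefix mapping, the flag-letter convention, and every address (RFC 5737 documentation ranges) are assumptions made for the example; the 6600/tcp peer here is a placeholder and not any real host.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed layout: each downstream department hands traffic to the campus
# core on its own router interface, and that interface should only ever
# carry sources from the department's own prefix (RFC 5737 documentation
# ranges stand in for real allocations).
INTERFACE_PREFIXES = {
    1: ipaddress.ip_network("192.0.2.0/24"),      # department A
    2: ipaddress.ip_network("198.51.100.0/24"),   # department B
}
INTERNAL_PREFIXES = list(INTERFACE_PREFIXES.values())

# Constructed flow records in a simplified NetFlow-like layout; nothing here
# is taken from the original post.  Fields:
# (timestamp, ingress interface, src, sport, dst, dport, tcp flag letters)
# Flag letters follow the usual S=SYN, A=ACK, P=PSH, F=FIN convention.
FLOWS = [
    # one department host talks to the same external 6600/tcp peer for days
    ("2011-01-25 03:10:00", 1, "192.0.2.17", 51432, "203.0.113.9", 6600, "PA"),
    ("2011-01-27 14:02:00", 1, "192.0.2.17", 51432, "203.0.113.9", 6600, "PA"),
    ("2011-01-29 22:45:00", 1, "192.0.2.17", 51432, "203.0.113.9", 6600, "PA"),
    ("2011-01-31 09:00:00", 1, "192.0.2.17", 51432, "203.0.113.9", 6600, "PA"),
    # ordinary HTTPS from another host, complete handshake
    ("2011-01-31 09:01:00", 2, "198.51.100.40", 40001, "203.0.113.5", 443, "SPA"),
    # flood: SYN+PSH packets to random ports, entering on department B's
    # interface but carrying department A's addresses as sources
    ("2011-01-31 10:00:00", 2, "192.0.2.201", 1025, "203.0.113.77", 3123, "SP"),
    ("2011-01-31 10:00:01", 2, "192.0.2.202", 1026, "203.0.113.77", 51211, "SP"),
    ("2011-01-31 10:00:01", 2, "192.0.2.203", 1027, "203.0.113.78", 8812, "SP"),
    ("2011-01-31 10:00:02", 2, "192.0.2.204", 1028, "203.0.113.79", 22, "SP"),
]


def spoofed_sources(flows, interface_prefixes):
    """Records whose source address is outside the prefix assigned to the
    interface they arrived on: a BCP38 / ingress-filtering violation and
    the usual fingerprint of a spoofed-source flood."""
    hits = []
    for rec in flows:
        ifidx, src = rec[1], rec[2]
        allowed = interface_prefixes.get(ifidx)
        if allowed is None or ipaddress.ip_address(src) not in allowed:
            hits.append(rec)
    return hits


def syn_push_floods(flows, min_ports=3):
    """Count distinct destination ports hit by SYN+PSH (no ACK) packets, keyed
    by ingress interface rather than source address, since the sources in a
    flood are spoofed and the interface is what actually locates the attacker."""
    ports = defaultdict(set)
    for _ts, ifidx, _src, _sport, _dst, dport, flags in flows:
        if "S" in flags and "P" in flags and "A" not in flags:
            ports[ifidx].add(dport)
    return {ifidx: len(p) for ifidx, p in ports.items() if len(p) >= min_ports}


def persistent_peers(flows, internal_prefixes, min_days=3, ignore_ports=(80, 443)):
    """(internal src, external dst, dport) triples seen on at least min_days
    distinct calendar days.  A single host keeping one non-web peer for days
    is the pattern the post used to single out the likely C&C connection."""
    days = defaultdict(set)
    for ts, _ifidx, src, _sport, dst, dport, _flags in flows:
        if dport in ignore_ports:
            continue
        if not any(ipaddress.ip_address(src) in net for net in internal_prefixes):
            continue
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date()
        days[(src, dst, dport)].add(day)
    return {key: len(seen) for key, seen in days.items() if len(seen) >= min_days}


if __name__ == "__main__":
    for rec in spoofed_sources(FLOWS, INTERFACE_PREFIXES):
        print("spoofed source on interface", rec[1], ":", rec[2])
    print("SYN+PSH port spray by interface:", syn_push_floods(FLOWS))
    print("persistent non-web peers:", persistent_peers(FLOWS, INTERNAL_PREFIXES))
```

Keying the flood check on the ingress interface instead of the source address is the point of the example: once sources are spoofed, the only trustworthy attribute in the flow record is where the packet entered, which is also where an ingress filter (BCP38) would have stopped it.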