[nsp-sec] Possible C&C server at 213.251.184.85, port 6600

Tim Wilde twilde at cymru.com
Tue Feb 1 10:19:35 EST 2011



On 2/1/2011 12:49 AM, Jason Chambers wrote:
> We had a 1 Gbps DoS attack originate here to various targets, the latest
> being random TCP ports with SYN+PUSH flags set to 203.81.81.0/24 and
> 118.143.230.86/32.  The attack used spoofed sources from a /24 in a
> downstream department.  Based only on flow analysis and some follow-up
> testing, it seems 213.251.184.85 is the likely C&C server as it looks
> sketchy and has maintained communication to a single host in that subnet
> for some time now.
> 
> Attached is a capture of the IRC server details and channels.  The nicks
> are random 9 character with spoofed masks (asdlwosxd at i.love.debian.org).
> 
> No idea on the malware.. if I'm lucky the staff will relay what they find.

Thanks for the info Jason!  We applied our special sauce to that IP and
it's now in the DDoS-RS.  We see two POSSIBLE SHA1s with activity to
that IP, but they're both a bit old, so may not be the malware in play here:

bde1c7855906750e8e6f666dfa6954f6b6aec942   2010-09-20 12:56:40

1c74563db89056312a4b88eec62a6f9188dc07b2   2010-04-25 09:25:35

Regards,
Tim

-- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
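As an added defender-side illustration (not code from the thread, from Team Cymru, or from the DDoS-RS), the following Python triage runs over constructed NetFlow-style records and flags the two signals Jason describes: SYN+PSH flows with sources claiming a downstream /24 (assumed here to be the 192.0.2.0/24 test range), and a single host in that /24 holding a long-lived session to one external host on port 6600.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records: (start_ts, src, dst, dport, tcp_flags).
# tcp_flags uses nfdump-style letters (S=SYN, A=ACK, P=PSH). Not real data.
FLOWS = [
    (1000, "192.0.2.10",  "203.81.81.5",    4444,  "SP"),  # flood, spoofed src
    (1001, "192.0.2.77",  "203.81.81.9",    5151,  "SP"),
    (1002, "192.0.2.201", "118.143.230.86", 62001, "SP"),
    (1003, "192.0.2.33",  "203.81.81.200",  8080,  "SP"),
    (900,  "192.0.2.50",  "213.251.184.85", 6600,  "SA"),  # long-lived IRC session
    (4500, "192.0.2.50",  "213.251.184.85", 6600,  "A"),
    (8100, "192.0.2.50",  "213.251.184.85", 6600,  "AP"),
    (1005, "192.0.2.12",  "198.51.100.7",   443,   "SA"),  # ordinary HTTPS
]

def syn_push_targets(flows, src_prefix):
    """Count distinct destination ports per target /24 for flows that carry
    SYN+PSH without ACK and claim a source inside src_prefix. A normal TCP
    stack never sends SYN+PSH, so such flows are a strong flood indicator."""
    net = ipaddress.ip_network(src_prefix)
    ports = defaultdict(set)
    for _, src, dst, dport, flags in flows:
        if ipaddress.ip_address(src) not in net:
            continue
        if "S" in flags and "P" in flags and "A" not in flags:
            target = ipaddress.ip_network(f"{dst}/24", strict=False)
            ports[str(target)].add(dport)
    return {t: len(p) for t, p in ports.items()}

def persistent_peers(flows, src_prefix, min_span):
    """Return (src, dst, dport) triples where one host in src_prefix keeps
    talking to a single external host for at least min_span seconds: the
    long-lived session to an odd port that the thread treats as the C&C sign."""
    net = ipaddress.ip_network(src_prefix)
    seen = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) not in net:
            seen[(src, dst, dport)].append(ts)
    return sorted(k for k, ts in seen.items()
                  if len(ts) > 1 and max(ts) - min(ts) >= min_span)

if __name__ == "__main__":
    print(syn_push_targets(FLOWS, "192.0.2.0/24"))
    print(persistent_peers(FLOWS, "192.0.2.0/24", min_span=3600))
```

Against real exports the same two checks would run over nfdump or SiLK output; the flag letters and field order are the only parts tied to this constructed format.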
