[nsp-sec] Possible C&C server at 213.251.184.85, port 6600
Darren Grabowski
drg at us.ntt.net
Tue Feb 1 14:02:11 EST 2011
I was dealing with that attack last night and lucky enough this morning as well...
Sent from my iPhone
On Feb 1, 2011, at 12:49 AM, Jason Chambers <jchambers at ucla.edu> wrote:
> ----------- nsp-security Confidential --------
>
> Hi all,
>
> We had a 1 Gbps DoS attack originate here to various targets, the latest
> being random TCP ports with SYN+PUSH flags set to 203.81.81.0/24 and
> 118.143.230.86/32. The attack used spoofed sources from a /24 in a
> downstream department. Based only on flow analysis and some follow-up
> testing, it seems 213.251.184.85 is the likely C&C server as it looks
> sketchy and has maintained communication to a single host in that subnet
> for some time now.
>
> Attached is a capture of the IRC server details and channels. The nicks
> are random 9-character strings with spoofed masks (asdlwosxd at i.love.debian.org).
>
> No idea on the malware... if I'm lucky the staff will relay what they find.
>
> AS | IP | AS Name
> 16276 | 213.251.184.85 | OVH OVH
>
>
> Regards,
>
> --
>
> Jason Chambers
> UCLA
> jchambers at ucla.edu
> 310-206-5603
>
>
> <213.251.184.85--port-6600.txt>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
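The two flow-analysis steps the report above relies on, as an added example that is not part of the original thread or any tool the poster used: (1) pick out the single-packet SYN+PSH flows (no ACK) whose sources fall in the suspected spoofed /24 and group them by victim prefix, and (2) find which host in that /24 keeps a long-lived, established connection to an external peer, since the flood sources are spoofed and only the persistent control channel identifies the real bot. The flow records are constructed for illustration; 192.0.2.0/24 (TEST-NET-1) stands in for the downstream department's /24, and the TCP flag bitmask follows the NetFlow v5/v9 convention (an OR of the flags seen on all packets in the flow), which is an assumption about the exporter.

```python
"""Flow triage for a spoofed SYN+PSH flood with an IRC C&C channel.

Constructed example; the flow records below are invented to mirror the
incident described in the post, not captured data.
"""
import ipaddress
from collections import defaultdict

# TCP flag bits as exported in NetFlow v5/v9 tcp_flags fields (assumed).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed flows: (src, sport, dst, dport, tcp_flags, first_seen, last_seen, packets)
# Timestamps are epoch seconds. 192.0.2.0/24 stands in for the spoofed /24.
SAMPLE_FLOWS = [
    # Single-packet SYN+PSH probes to random ports, spoofed sources in the /24.
    ("192.0.2.17", 41234, "203.81.81.9", 8080, SYN | PSH, 1000, 1000, 1),
    ("192.0.2.201", 5123, "203.81.81.44", 3, SYN | PSH, 1000, 1001, 1),
    ("192.0.2.33", 9999, "118.143.230.86", 443, SYN | PSH, 1002, 1002, 1),
    # One real host holding an IRC connection to the suspected C&C for ~30 min.
    ("192.0.2.77", 50000, "213.251.184.85", 6600, SYN | PSH | ACK | FIN, 500, 1500, 4000),
    ("192.0.2.77", 50001, "213.251.184.85", 6600, SYN | PSH | ACK, 1500, 2400, 3500),
    # Ordinary short HTTPS sessions for contrast.
    ("192.0.2.40", 34567, "198.51.100.5", 443, SYN | ACK | PSH | FIN, 900, 905, 20),
    ("192.0.2.41", 34568, "198.51.100.5", 443, SYN | ACK | FIN, 1100, 1101, 5),
]


def _in_net(addr, net):
    return ipaddress.ip_address(addr) in net


def syn_psh_spoofed(flows, spoofed_net):
    """Return (src, dst, dport) for flows carrying SYN and PSH but no ACK.

    A legitimate client never sets PSH on its initial SYN, and a flow that
    never reaches ACK is a handshake that was never completed, so this
    combination is the flood signature. Only sources inside the suspected
    spoofed /24 are reported.
    """
    net = ipaddress.ip_network(spoofed_net)
    hits = []
    for src, _sport, dst, dport, flags, _first, _last, _pkts in flows:
        syn_psh_only = flags & (SYN | PSH) == (SYN | PSH) and not flags & ACK
        if syn_psh_only and _in_net(src, net):
            hits.append((src, dst, dport))
    return hits


def flood_targets(flows, spoofed_net):
    """Count flood hits per destination /24 so the victim ranges stand out."""
    counts = defaultdict(int)
    for _src, dst, _dport in syn_psh_spoofed(flows, spoofed_net):
        prefix = ipaddress.ip_network(dst + "/24", strict=False)
        counts[str(prefix)] += 1
    return dict(counts)


def persistent_peers(flows, internal_net, min_seconds=1800):
    """Sum established (ACK-bearing) connection time per (host, peer, port).

    Spoofed flood packets never complete a handshake, so they drop out here;
    what remains is real traffic from the /24. Anything open longer than
    min_seconds to a single external peer is a control-channel candidate.
    """
    net = ipaddress.ip_network(internal_net)
    uptime = defaultdict(int)
    for src, _sport, dst, dport, flags, first, last, _pkts in flows:
        if flags & ACK and _in_net(src, net) and not _in_net(dst, net):
            uptime[(src, dst, dport)] += last - first
    return {key: secs for key, secs in uptime.items() if secs >= min_seconds}


def triage(flows, spoofed_net):
    """Combine both views into one report for the abuse desk."""
    return {
        "flood_targets": flood_targets(flows, spoofed_net),
        "c2_candidates": persistent_peers(flows, spoofed_net),
    }


if __name__ == "__main__":
    for section, rows in triage(SAMPLE_FLOWS, "192.0.2.0/24").items():
        print(section)
        for key, value in rows.items():
            print("  ", key, value)
```

On real exporters the duration threshold and the flag logic need tuning: sampled NetFlow can miss the SYN of a long session, and some exporters clear flags on sampled records, so treat an ACK-less flow as suspicious only when the packet count is also tiny. The point to keep is the one the post makes: the flood sources tell you nothing (they are spoofed), while the host that has kept a session open to one external address on an odd port is the machine to pull.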