[nsp-sec] Apparent outbound DDoS attacks against: 79.116.2.258, 204.188.217.52, 60.247.126.128 and 202.79.7.22

Rob Thomas robt at cymru.com
Fri Sep 16 17:11:50 EDT 2011


Hey, John.

> 74.55.36.105  tcp  3303  bot    ID: safe.ircd.com DNSRR:
> safe.linuxsecured.net
> The host connected to the botnet at 2011-09-16 09:29:38.717 UTC.

That one has been around since at least 2011-09-05 UTC.  We see it as an
open DNS resolver as well.

The malware is probably this:

      timestamp      |                   sha1                   |               md5                |    dst_ip    | dst_port | protocol
---------------------+------------------------------------------+----------------------------------+--------------+----------+----------
 2011-09-13 23:20:02 | 355ef585d689cb4b96f9a6b757deedf7e883c94d | 7b43368fb12143395075c0f754500d31 | 74.55.36.105 |     3303 |        6

This is a mirc-based bot for Windows hosts.  You're likely to find it
installed here:

   c:\windows\spoolv\spoolv.exe

Note that this malware also connects to the Undernet IRC network.
Another related DNS RR may include irc.nhg09.cjb.net.  The port is TCP
3303 and the IRC channel was #moloz.  There are circa 600 bots active on
the network presently, though in a different channel(s).

At least one of the attacked IP addresses is being used by another
Undernet IRC user.  I agree with Chris:  Hacker on hacker attacks,
perhaps?  Based on some chatter, I'd say this might be crew v. crew.  At
least one crew has been scanning some of the target IP addresses with
nmap, etc.

The attack against 60.247.126.128 is very likely to move to
219.142.79.57, since they're administered by the same person.  Just a
heads-up.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15
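As an added illustration (not part of Rob's message or Team Cymru's tooling), the following script correlates DNS query logs with flow records to flag hosts that resolved one of the C2 names above and then connected to the IRC C2 endpoint on TCP 3303. The indicator values come from the message; the log formats and all client addresses are constructed.

```python
# Added example: correlate DNS lookups of the C2 names with flows to the C2
# endpoint described in the message. Log formats and client IPs are made up.
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators quoted from the message; everything else below is constructed.
C2_DNS_NAMES = {"safe.ircd.com", "safe.linuxsecured.net", "irc.nhg09.cjb.net"}
C2_ENDPOINTS = {("74.55.36.105", 3303)}

# Constructed DNS query log: "<date> <time> <client_ip> <qname> -> <answer_ip>"
DNS_LOG = """\
2011-09-16 09:29:30 10.1.4.22 safe.ircd.com -> 74.55.36.105
2011-09-16 09:30:02 10.1.4.23 www.example.org -> 192.0.2.10
2011-09-16 11:02:11 10.1.9.7 irc.nhg09.cjb.net -> 74.55.36.105
"""

# Constructed flow log: "<date> <time> <src_ip> <dst_ip> <dst_port> <proto>"
FLOW_LOG = """\
2011-09-16 09:29:38 10.1.4.22 74.55.36.105 3303 6
2011-09-16 09:31:00 10.1.4.23 192.0.2.10 443 6
2011-09-16 15:00:00 10.1.9.7 74.55.36.105 3303 6
2011-09-16 09:40:00 10.1.4.24 74.55.36.105 3303 6
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_bots(dns_log, flow_log, window=timedelta(hours=1)):
    """Return {client_ip: reason}: 'dns+flow:<qname>' when the host resolved a
    C2 name and reached the C2 endpoint within `window`, else 'flow-only'."""
    lookups = defaultdict(list)  # client_ip -> [(timestamp, qname)]
    for line in dns_log.splitlines():
        date, time, client, qname, _, _answer = line.split()
        if qname in C2_DNS_NAMES:
            lookups[client].append((parse_ts(f"{date} {time}"), qname))
    hits = {}
    for line in flow_log.splitlines():
        date, time, src, dst, dport, proto = line.split()
        if (dst, int(dport)) not in C2_ENDPOINTS or proto != "6":
            continue  # only TCP flows to the known C2 endpoint matter here
        ts = parse_ts(f"{date} {time}")
        names = [q for t, q in lookups[src] if t <= ts <= t + window]
        hits[src] = f"dns+flow:{names[0]}" if names else "flow-only"
    return hits
```

A 'flow-only' hit still deserves a look: the host may have cached the answer earlier than the log covers, or the bot may carry the C2 address as a literal.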