Educause Security Discussion mailing list archives
FW: 1500+ client active botnet
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Fri, 30 Jan 2004 15:45:04 -0500
See this below. The organization who owns this IP agreed to have it distributed so other orgs could look for botted devices contacting (attempting to contact) the mothership there...

M.

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research (http://cacr.iu.edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Dave Monnier [mailto:dmonnier () iu edu]
Sent: Friday, January 30, 2004 3:18 PM
To: first-teams () first org
Subject: 1500+ client active botnet

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We've discovered a large GaoBot based botnet controlled from the following IP

131.252.116.139

from an IRCD running on port 44444

The IP owner has been notified. We have not yet determined the variant of GaoBot used.

You may want to check your flows or logs for packets destined for that IP address.

Cheers,
- -Dave

- --
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
| Lead Security Engineer, Information Technology Security Office |
| Office of the VP for Information Technology, Indiana University |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAGrwKBIf6jlONJjIRAm26AJ40jAV2beugeseVPlYY0vtlsNUOLACgnFzc
ZZfeM3hK3hHN2F+Q8ENATKk=
=mph6
-----END PGP SIGNATURE-----

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
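The flow check suggested in the message above, as an added example that is not part of the original posts: it summarises, per internal host, every flow sent to the reported controller address and notes whether the reported IRCD port was used. The CSV column layout, the sample records and the function name find_c2_contacts are constructed for illustration and do not correspond to any particular flow collector's export format.

```python
import csv
import io
from collections import defaultdict

C2_IP = "131.252.116.139"   # controller address given in the message
C2_PORT = 44444             # IRCD port given in the message

# Constructed sample flow export (assumed columns, not a real tool's format):
# start_time,src_ip,dst_ip,dst_port,proto,packets
SAMPLE_FLOWS = """\
2004-01-30T14:02:11,10.1.4.23,131.252.116.139,44444,tcp,12
2004-01-30T14:02:40,10.1.4.23,192.0.2.10,80,tcp,30
2004-01-30T14:05:02,10.1.9.77,131.252.116.139,44444,tcp,3
2004-01-30T14:09:55,10.1.4.23,131.252.116.139,44444,tcp,48
2004-01-30T14:11:30,10.2.0.5,131.252.116.139,80,tcp,2
2004-01-30T14:12:00,10.3.3.3,198.51.100.7,44444,tcp,5
"""

def find_c2_contacts(flow_text, c2_ip=C2_IP, c2_port=C2_PORT):
    """Return {src_ip: summary} for every host that sent flows to c2_ip."""
    hosts = defaultdict(lambda: {"flows": 0, "on_c2_port": 0, "packets": 0,
                                 "first": None, "last": None})
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 6:
            continue  # skip blank or malformed records
        start, src, dst, dport, _proto, pkts = (f.strip() for f in row)
        if dst != c2_ip:
            continue  # same port on a different destination is not a match
        h = hosts[src]
        h["flows"] += 1
        h["packets"] += int(pkts)
        if int(dport) == c2_port:
            h["on_c2_port"] += 1
        # ISO-8601 timestamps sort correctly as plain strings
        h["first"] = start if h["first"] is None else min(h["first"], start)
        h["last"] = start if h["last"] is None else max(h["last"], start)
    return dict(hosts)

if __name__ == "__main__":
    for src, h in sorted(find_c2_contacts(SAMPLE_FLOWS).items()):
        tag = "IRC port" if h["on_c2_port"] else "other port only"
        print(f"{src}: {h['flows']} flows, {h['packets']} pkts, "
              f"{h['first']} .. {h['last']} ({tag})")
```

Hosts that reach the address only on other ports are still listed, since the message asks for any packets destined for that IP; the port count helps rank which hosts to examine first.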