Educause Security Discussion mailing list archives

FW: 1500+ client active botnet


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Fri, 30 Jan 2004 15:45:04 -0500

See this below.  The organization who owns this IP agreed to have it
distributed so other orgs could look for botted devices contacting
(attempting to contact) the mothership there...
M.


-- 
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research
(http://cacr.iu.edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Dave Monnier [mailto:dmonnier () iu edu] 
Sent: Friday, January 30, 2004 3:18 PM
To: first-teams () first org
Subject: 1500+ client active botnet



We've discovered a large GaoBot based botnet controlled from the
following IP

131.252.116.139 

from an IRCD running on port 44444

The IP owner has been notified.  We have not yet determined the variant
of GaoBot used.

You may want to check your flows or logs for packets destined for that
IP address.

Cheers,
-Dave
-- 
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
|    Lead Security Engineer, Information Technology Security Office    |
|     Office of the VP for Information Technology, Indiana University  |
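As an added example (not part of either message above), this is the kind of check the notice asks for: scan flow records for hosts that contacted, or merely tried to contact, the address quoted in the message. The comma-separated flow format and the sample lines are constructed for illustration; the address and port are the ones named in the notice, and they are a January 2004 indicator, so treat them as historical rather than current.

```python
# Added example, not code from the original e-mail. Scans NetFlow-style
# records for hosts talking to the C2 address/port from the notice.
import csv
import io

C2_IP = "131.252.116.139"   # address quoted in the notice
C2_PORT = 44444             # port the IRCD was reported on

# Constructed sample flows (not real data):
# timestamp,src_ip,src_port,dst_ip,dst_port,proto,packets
SAMPLE_FLOWS = """\
timestamp,src_ip,src_port,dst_ip,dst_port,proto,packets
2004-01-30T14:02:11,10.12.3.44,3321,131.252.116.139,44444,tcp,14
2004-01-30T14:02:15,10.12.3.44,3322,198.51.100.7,80,tcp,9
2004-01-30T14:03:40,10.12.9.201,1057,131.252.116.139,44444,tcp,1
2004-01-30T14:05:02,10.12.7.13,2211,131.252.116.139,6667,tcp,3
2004-01-30T14:06:30,10.12.3.44,3330,131.252.116.139,44444,tcp,22
"""


def find_bot_candidates(flow_text, c2_ip=C2_IP, c2_port=C2_PORT):
    """Return {src_ip: {"flows": n, "c2_port": bool}} for every internal
    host with at least one flow towards the C2 address.

    Any destination port on that host counts, because the notice asks
    for packets destined for the IP, not only for the IRC port; the
    c2_port flag records whether the reported port was actually used.
    A one-packet flow (an unanswered SYN) still counts: that is the
    "attempting to contact" case the forwarder describes.
    """
    hits = {}
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 7 or row[0] == "timestamp":
            continue  # skip the header and malformed lines
        _ts, src, _sport, dst, dport, _proto, _pkts = row
        if dst != c2_ip:
            continue
        entry = hits.setdefault(src, {"flows": 0, "c2_port": False})
        entry["flows"] += 1
        if dport == str(c2_port):
            entry["c2_port"] = True
    return hits


if __name__ == "__main__":
    for host, info in sorted(find_bot_candidates(SAMPLE_FLOWS).items()):
        print(f"{host}: {info['flows']} flow(s), C2 port seen={info['c2_port']}")
```

Hosts flagged with `c2_port` True are the strongest candidates; a hit on another port of the same address still merits a look, since the same machine may host more than the IRCD.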
