Security Incidents mailing list archives
Re: Botnet/Domains
From: "Nathan W. Labadie" <ab0781 () wayne edu>
Date: Mon, 15 Apr 2002 14:18:00 -0400
Just found another one myself. Looks like the client is simply mIRC with a bunch of scripts. Haven't had much of a chance to go through it. The client can be viewed here: http://security.wayne.edu/downloads/mIRC-dos-client.zip

Here's the list of hosts that were (are) in the channel:

On Wednesday 03 April 2002 07:59 pm, Blake Frantz wrote:
Hello, I recently discovered a machine that was infected with a version of the DarkIRC bot (http://www.tlsecurity.net/backdoor/DarkIrc.html) and had been participating in a DDoS network. In an effort to save myself some time and help inform all the others that are participating in the same botnet I have listed the domains or class C address in which an infected computer resides. If you are an admin of one of these networks please send me an email from within the posted network and I will provide you with the host(s). Thanks, -Blake

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
--
Nathan W. Labadie | ab0781 () wayne edu
Sr. Security Specialist | 313-577-2126
Wayne State University | 313-577-1338 fax
C&IT Information Security Office: http://security.wayne.edu