Security Incidents mailing list archives

Strange IRC behaviour, new DDoS network forming?


From: Patrick Oonk <patrick () pine nl>
Date: Mon, 13 Nov 2000 23:39:11 +0100

Hi,

I have been seeing a sudden increase in suspicious connects to
irc-servers belonging to the Kreynet network. Clients with random
usernames and nicks seem to be joining the channel #luckystrikes in large
numbers. This might be the sign of some Trojan using irc as a gathering
place for infected hosts, possibly to await commands from a master.
A quick sample showed that the majority are Windows hosts with an open
port 139 (netbios/ssn). This might point to some Windows networking worm.

If you see traffic to either irc.studio12.com, irc.sux.nu or irc.melnet.co.uk,
please check out the involved clients.

A partial list of clients we noticed can be found below.

Any additional information on the nature of this behaviour is welcome.


        Patrick Oonk

-- 
 Patrick Oonk -  PO1-6BONE -  patrick () pine nl -  www.pine.nl/~patrick
 Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonk () my security nl
 Tel: +31-70-3111010  -   Fax: +31-70-3111011   -  http://security.nl
 PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
 Excuse of the day: the curls in your keyboard cord are losing
 electricity.
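A defender-side detection sketch for the pattern the post reports (random-looking nicks whose ident mirrors the nick, connecting in bulk), added here as an example and not part of the original mail. It parses the ircd connect-notice format quoted in the post; the sample notices, the vowel-ratio threshold and the handling of the archive's "ident () host" rewrite are assumptions of this example.

```python
import re
from collections import Counter

# Connect-notice format quoted in the post: "*** User Class[14] ==> nick[ident@host]".
# The archive rewrites "ident@host" as "ident () host" with dots as spaces; accept both.
NOTICE_RE = re.compile(
    r"\*\*\* User Class\[\d+\] ==> (?P<nick>[^\[\s]+)\["
    r"(?P<ident>~?[^\s@\]]+)(?:@| \(\) )(?P<host>[^\]]+)\]"
)
VOWELS = set("aeiou")

def parse_notice(line):
    """Return (nick, ident, host) for one notice line, or None if it does not match."""
    m = NOTICE_RE.search(line)
    if m is None:
        return None
    host = m.group("host").replace(" ", ".")  # undo the archive's dot-to-space rewrite
    return m.group("nick"), m.group("ident").lstrip("~"), host

def looks_generated(nick):
    """Heuristic for machine-made nicks: lowercase letters only, 8+ chars, vowel-poor."""
    if not (nick.isalpha() and nick.islower() and len(nick) >= 8):
        return False
    return sum(c in VOWELS for c in nick) / len(nick) < 0.3  # assumed threshold

def flag_connects(lines):
    """Flag connects whose ident mirrors a generated-looking nick (the post's pattern)."""
    flagged = []
    for line in lines:
        parsed = parse_notice(line)
        if parsed is None:
            continue
        nick, ident, host = parsed
        if ident == nick and looks_generated(nick):
            flagged.append((nick, host))
    return flagged

def nick_length_histogram(flagged):
    """One bot family tends to emit one fixed nick length, so a single spike is the signal."""
    return Counter(len(nick) for nick, _ in flagged)

# Constructed sample notices (not taken from the post); hosts use RFC 5737 documentation ranges.
SAMPLE_NOTICES = [
    "*** User Class[14] ==> xqzvkwtrp[xqzvkwtrp@192.0.2.10]",
    "*** User Class[14] ==> mbtdfhrlq[mbtdfhrlq () dialup-12 example net]",
    "*** User Class[14] ==> alice[~alice@192.0.2.20]",
    "*** User Class[10] ==> jkwvpnsdg[jkwvpnsdg@198.51.100.7]",
    "*** Notice -- unrelated server message",
]
```

Run `flag_connects` over a window of connect notices and watch `nick_length_histogram` for a spike; individual hits are weak evidence, a burst of same-length generated nicks is not.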
