Security Incidents mailing list archives

Re: Botnet/Domains


From: "Nathan W. Labadie" <ab0781 () wayne edu>
Date: Mon, 15 Apr 2002 14:18:00 -0400

Just found another one myself. Looks like the client is simply mIRC with a 
bunch of scripts. Haven't had much of a chance to go through it. The client 
can be viewed here:

http://security.wayne.edu/downloads/mIRC-dos-client.zip

Here's the list of hosts that were (are) in the channel:


On Wednesday 03 April 2002 07:59 pm, Blake Frantz wrote:
Hello,

I recently discovered a machine that was infected with a version of the
DarkIRC bot (http://www.tlsecurity.net/backdoor/DarkIrc.html) and had been
participating in a DDoS network. In an effort to save myself some time and
help inform all the others that are participating in the same botnet, I
have listed the domains or class C addresses in which an infected computer
resides. If you are an admin of one of these networks, please send me an
email from within the posted network and I will provide you with the
host(s).

Thanks,

-Blake



---------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

-- 
Nathan W. Labadie       | ab0781 () wayne edu   
Sr. Security Specialist | 313-577-2126
Wayne State University  | 313-577-1338 fax
C&IT Information Security Office: http://security.wayne.edu
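The triage both posters did by hand (reading a channel member dump and tallying infected hosts per domain or class C, as in Blake's "# Hosts Domain/Network" table) as an added example written for this archive page; it is not code from either poster. The WHO-line shape, the sample hosts and the domain-bucketing heuristic are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the dump shape seen above ("--- #chan nick host server ident flags :hops realname"); all names made up.
SAMPLE_WHO = """\
--- #theprojects alpha res-12-34.example-univ.edu irc.example.net alpha H :0 alpha
--- #theprojects bravo 192.0.2.17 irc.example.net bravo H :6 bravo
--- #theprojects charlie dorm-7.example-univ.edu irc.example.org chas H :2 charlie
--- #theprojects delta 192.0.2.200 irc.example.net delta H@ :2 * some realname *
--- #theprojects echo host.cs.example.ac.uk irc.example.org echo H :4 echo
"""

WHO_RE = re.compile(
    r"^--- (?P<chan>#\S+) (?P<nick>\S+) (?P<host>\S+) (?P<server>\S+) "
    r"(?P<ident>\S+) (?P<flags>\S+) :(?P<hops>\d+) ?(?P<real>.*)$"
)

SECOND_LEVEL = {"ac", "co", "edu", "com", "net", "org", "gov"}  # assumed: ccTLD second-level labels

def parse_who(text):
    """Yield (nick, host) per WHO-style line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = WHO_RE.match(line)
        if m:
            yield m.group("nick"), m.group("host")

def network_key(host):
    """Bucket a host as the thread's table does: class C for IPv4, registered domain otherwise."""
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:  # hostname (anything non-IPv4 falls through here unchanged)
        labels = host.lower().rstrip(".").split(".")
        n = 3 if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL else 2
        return ".".join(labels[-n:])
    return ".".join(str(ip).split(".")[:3]) + ".x"

def count_by_network(text):
    return Counter(network_key(host) for _, host in parse_who(text))

def report(counts):
    """Render '# Hosts Domain/Network' lines, lowest count first, like Blake's list."""
    lines = ["# Hosts Domain/Network"]
    for net, n in sorted(counts.items(), key=lambda kv: (kv[1], kv[0])):
        lines.append(f"{n:7d} {net}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(count_by_network(SAMPLE_WHO)))
```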
