Re: Botnet/Domains

From: Nathan W. Labadie (ab0781at_private)
Date: Mon Apr 15 2002 - 11:18:00 PDT


    Just found another one myself. Looks like the client is simply mIRC with a 
    bunch of scripts. Haven't had much of a chance to go through it. The client 
    can be viewed here:
    
    http://security.wayne.edu/downloads/mIRC-dos-client.zip
    
    Here's the list of hosts that were (are) in the channel:
    
    On Wednesday 03 April 2002 07:59 pm, Blake Frantz wrote:
    > Hello,
    >
    > I recently discovered a machine that was infected with a version of the
    > DarkIRC bot (http://www.tlsecurity.net/backdoor/DarkIrc.html) and had been
    > participating in a DDoS network. In an effort to save myself some time and
    > help inform all the others that are participating in the same botnet I
    > have listed the domains or class C addresses in which an infected computer
    > resides.  If you are an admin of one of these networks please send me an
    > email from within the posted network and I will provide you with the
    > host(s).
    >
    > Thanks,
    >
    > -Blake
    >
    > ---------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    -- 
    Nathan W. Labadie       | ab0781at_private	
    Sr. Security Specialist | 313-577-2126
    Wayne State University  | 313-577-1338 fax
    C&IT Information Security Office: http://security.wayne.edu
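As an added example (not code from either post), a small Python script that turns /who output of the layout Nathan pasted into the per-network host counts Blake posted, so each abuse contact gets one notification covering all of its hosts. The sample lines, the /who field layout and the registered-domain heuristic are my assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample /who lines (not real hosts), layout: --- #chan nick host server ident flags :hops realname
SAMPLE_WHO = """\
--- #theprojects alpha dorm12.resnet.example.edu irc.example.net alpha H :6 alpha
--- #theprojects bravo dorm47.resnet.example.edu irc.example.net bravo H :6 bravo
--- #theprojects charlie 192.0.2.15 irc.example.net charlie H :0 charlie
--- #theprojects delta 192.0.2.200 irc.example.net delta H :0 delta
--- #theprojects echo host-3.cs.example.org irc.example.net echo H@ :2 op here
--- #theprojects foxtrot pc9.example.edu.au irc.example.net fox H :0 foxtrot
*** End of /WHO list.
"""

WHO_LINE = re.compile(r"^--- (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) :(\d+) (.*)$")

def parse_who(text):
    """Return (nick, host) pairs from /who output; non-matching lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = WHO_LINE.match(line.strip())
        if m:
            pairs.append((m.group(2), m.group(3)))
    return pairs

def network_key(host):
    """Reduce a host to the unit an abuse contact owns: 'a.b.c.x' for an IPv4 /24, else the registered domain."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal: treat it as a hostname
        labels = host.lower().rstrip(".").split(".")
        # Heuristic (assumption): ccTLD second-level registries such as edu.au keep three labels
        if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
            return ".".join(labels[-3:])
        return ".".join(labels[-2:])
    if ip.version != 4:
        return host  # no class C convention for IPv6; report the address itself
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return str(net.network_address).rsplit(".", 1)[0] + ".x"

def count_by_network(text):
    """Distinct infected hosts per network, sorted ascending like Blake's table."""
    hosts = {host for _, host in parse_who(text)}
    counts = Counter(network_key(h) for h in hosts)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))

if __name__ == "__main__":
    for key, n in count_by_network(SAMPLE_WHO):
        print(f"{n:>7} {key}")
```

Hosts are de-duplicated before counting, so a bot that rejoins under a new nick is still reported once per network.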
    
    
    


