[Intrusions] IRC Bot traffic?
eltra1n
larry.wichman at gmail.com
Wed Mar 23 17:37:52 GMT 2005
I found some IRC traffic on port 4500 with my IDS. I grabbed some
pcaps and it looks like an IRC bot...(?)
Has anyone seen something like this before?
Spoilare!Spoilare at 101Freedom-1737844C.cinci.rr.com JOIN :#101-FREEDOMXDCC
PING XDCC.101-Freedom
:XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
:[CrooK]!killrbeats at 101Freedom-34DC74B3.sympatico.ca QUIT :Ping
timeout - Oxygen.101-Freedom
PING XDCC.101-Freedom
:XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
PING XDCC.101-Freedom
:XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
:loek!pol at 324EC007.42B23495.1CF33FDF.IP JOIN :#101-FREEDOMXDCC
:LastMetalWarrior!LastMetalWar at 101Freedom-3A40D27A.sunsh1.vic.optusnet.com.au
JOIN :#101-FREEDOMXDCC
:pipi!pipi at 101Freedom-2FCDBB21.adsl.highway.telekom.at QUIT
:Connection reset by peer
NICK [101]14667
PING XDCC.101-Freedom
:XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
:Clone_Kicker!gulf-vet at 101Freedom-3C80D61C.dsl.mindspring.com QUIT
:Ping timeout - Oxygen.101-Freedom
:loek!pol at 324EC007.42B23495.1CF33FDF.IP QUIT :loek
:chillbleezy!chillbleez at 101Freedom-15192390.client.comcast.net JOIN
:#101-FREEDOMXDCC
PING XDCC.101-Freedom
:XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
:nojonesde!nojonesde at 101Freedom-30B85776.dip.t-dialin.net QUIT :Ping
timeout - Switch.Bladez.101-Freedom
PING XDCC.101-Freedom
:XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
PING XDCC.101-Freedom
:XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
NICK [101]14667
PING XDCC.101-Freedom
:XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
:MR_G!MR_G at 101Freedom-34194265.ipt.aol.com QUIT :Ping timeout -
Oxygen.101-Freedom
:saalbr!kev at 101Freedom-237F4E58.dyn.optonline.net QUIT :Ping timeout -
Oxygen.101-Freedom
PING XDCC.101-Freedom
:XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
:[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
:.**. ..15...14::: .8XDCC Bot Online .14:::.15.. .**.
:[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
:.**. 1 pack .**. 0 of 2 slots open, Queue: 6/30, Record: 81.9KB/s
:[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
:.**. Bandwidth Usage .**. Current: 77.4KB/s, Record: 89.0KB/s
:[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
:.**. To request a file, type "/msg [101]00111 xdcc send #x" .**.
:[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
:.**. To request details, type "/msg [101]00111 xdcc info #x" .**.
:[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
:.#1 . 7x [1.1G] ..4,8 MoViE .1,1 .12,11 Hostage.TS-LRC
:[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
:.**. ..15...14::: .4Rooted By The Best - Leeched By The Rest
.14:::.15.. .**.
PING XDCC.101-Freedom
:XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
:[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
:Total Offered: 1076.0 MB Total Transferred: 12.45 GB
:Corleonne!rockwilder4e at 1BDEB49F.E95925FE.7B1EBDD6.IP JOIN :#101-FREEDOMXDCC
PING XDCC.101-Freedom
:XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
:jackieee!jackie at 101Freedom-1403D636.danbry01.ct.comcast.net JOIN
:#101-FREEDOMXDCC
:u3!u3 at 101Freedom-1DC8D13C.dip.t-dialin.net QUIT :Ping timeout -
Switch.Bladez.101-Freedom
:Thirion!Thirion at 101Freedom-1595BE35.dip0.t-ipconnect.de JOIN :#101-FREEDOMXDCC
NICK [101]14667
PING XDCC.101-Freedom
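
One way to triage a capture like the one above, added here as an example and not part of the original post: it parses a reassembled IRC stream, treats unprefixed lines as sent by the monitored host (a heuristic, since IRC clients normally omit the prefix), flags XDCC advert text, and checks whether the local nick shares the advertiser's bracketed tag. The sample lines are constructed from the capture with placeholder hostnames; `triage`, `tag` and `local_matches_bot_naming` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample modeled on the capture: wraps rejoined, "at" -> "@", hosts are placeholders.
SAMPLE = """\
:loek!pol@host1.example JOIN :#101-FREEDOMXDCC
PING XDCC.101-Freedom
:XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
NICK [101]14667
:[101]00111!XDCC@host2.example PRIVMSG #101-FREEDOMXDCC :** XDCC Bot Online **
:[101]00111!XDCC@host2.example PRIVMSG #101-FREEDOMXDCC :** 1 pack ** 0 of 2 slots open, Queue: 6/30
:[101]00111!XDCC@host2.example PRIVMSG #101-FREEDOMXDCC :** To request a file, type "/msg [101]00111 xdcc send #x" **
"""

MSG = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$")
ADVERT = re.compile(r"xdcc (send|info) #|XDCC Bot Online|slots open", re.I)
TAG = re.compile(r"^\[[^\]]+\]")  # leading "[...]" part of a nick, e.g. "[101]"

def triage(stream):
    """Summarise a reassembled IRC stream (one message per line) for an analyst."""
    report = {"local_nicks": set(), "servers": set(), "channels": set(),
              "advertisers": Counter(), "commands": Counter()}
    for line in stream.splitlines():
        m = MSG.match(line.strip())
        if not m:
            continue
        prefix, cmd, params = m["prefix"], m["cmd"].upper(), m["params"] or ""
        report["commands"][cmd] += 1
        if prefix is None and cmd == "NICK" and params:
            # Heuristic (assumption): clients omit the prefix, so this came from the monitored host.
            report["local_nicks"].add(params.split()[0].lstrip(":"))
        elif prefix and "!" not in prefix and cmd == "PONG":
            report["servers"].add(prefix)       # server-name prefix, no nick!user@host
        elif cmd == "JOIN":
            report["channels"].add(params.lstrip(":"))
        elif cmd == "PRIVMSG" and prefix:
            if ADVERT.search(params.partition(" :")[2]):
                report["advertisers"][prefix.split("!")[0]] += 1
    return report

def tag(nick):
    m = TAG.match(nick)
    return m.group(0) if m else None

def local_matches_bot_naming(report):
    """True when the monitored host's nick carries the same bracketed tag as an XDCC advertiser."""
    bot_tags = {tag(n) for n in report["advertisers"]} - {None}
    return any(tag(n) in bot_tags for n in report["local_nicks"])
```

A `True` result from `local_matches_bot_naming` is a reason to inspect the internal host itself, not only the remote channel.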